Core - Example A.2 - Add full ID Token validation example
Current example only describes the payload.
For developers, a full example explaining what is to be expected in the JWS header and how they should be treated would be very useful.
For example, see http://stackoverflow.com/questions/20159782/how-can-i-decode-a-google-oauth-2-0-jwt-in-a-node-app
IMHO, the header should also include the "kid" to indicate how to deal with "kid" and x5u or jku.
Comments (4)
-
reporter Current text goes:
Verifying and decoding the ID Token will yield the following Claims:
Change to:
The value of id_token is the ID Token, which is a JWS signed JWT with three segments separated by a period '.'. The first segment is the JWS header. Base64url decoding it will result in the following:
{"kid":"1e9gdk7","alg":"RS256"}
The value of "alg" represents the algorithm identifier that is defined in JWA used to sign: in this case RS256. The value of "kid" represents the key identifier of the key used for signing. If the value of the kid is unknown to the client, the client needs to fetch a new key file.
The second segment represents the claims included in the ID Token. Verifying and decoding the ID Token will yield the following Claims:
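The header handling proposed in the comment above, as an added example for Node.js that is not part of the issue or the specification text. The key cache, the synchronous `fetchKeys` callback, the issuer URL and the claims are assumptions made for illustration, and the key pair is generated locally so the sample token is constructed, not a real one.

```javascript
// Added example: ID Token header handling and signature check (Node.js built-in crypto only).
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

// Verify a compact-serialized ID Token. `keyCache` is a Map of kid -> public KeyObject;
// `fetchKeys` (hypothetical callback) returns a fresh Map read from the issuer's key file.
function verifyIdToken(token, keyCache, fetchKeys, expectedAlg = 'RS256') {
  const segments = token.split('.');
  if (segments.length !== 3) throw new Error('ID Token must have three segments');
  const [headerB64, payloadB64, sigB64] = segments;
  const header = JSON.parse(fromB64url(headerB64).toString('utf8'));
  // The accepted algorithm comes from client configuration, never from the token alone.
  if (header.alg !== expectedAlg) throw new Error(`unexpected alg: ${header.alg}`);
  let key = keyCache.get(header.kid);
  if (!key) {
    // Unknown kid: fetch the key file once, then give up if the kid is still missing.
    for (const [kid, k] of fetchKeys()) keyCache.set(kid, k);
    key = keyCache.get(header.kid);
    if (!key) throw new Error(`no key for kid: ${header.kid}`);
  }
  // The signature covers the ASCII bytes of "<header>.<payload>" exactly as received.
  const signed = Buffer.from(`${headerB64}.${payloadB64}`, 'ascii');
  if (!crypto.verify('RSA-SHA256', signed, key, fromB64url(sigB64))) {
    throw new Error('signature verification failed');
  }
  return JSON.parse(fromB64url(payloadB64).toString('utf8'));
}

// Constructed sample data: a throwaway key pair and claims, signed locally.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signSample(header, claims) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input, 'ascii'), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}
const sampleToken = signSample({ kid: '1e9gdk7', alg: 'RS256' },
  { iss: 'https://op.example', sub: 'constructed-subject', aud: 'constructed-client' });
```

The returned claims still have to pass the issuer, audience and expiry checks before the token is accepted.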
-
reporter - changed status to open
-
- changed status to resolved
Fixed
#905 - Added a complete ID Token validation example. → <<cset c4b6b375003f>>
Nat will propose specific text