For example, you can show their name on the UI, or display a "best wishes" message on their birthday. But what can you do with an ID token?įirst, it demonstrates that the user has been authenticated by an entity you trust (the OpenID provider) and so you can trust the claims about their identity.Īlso, your application can personalize the user’s experience by using the claims about the user that are included in the ID token. You can verify these things by using the issuer's public key.Ĭool! Now you know what an ID token is. This guarantees you the origin of the token and ensures that it has not been tampered with. The ID token may have additional information about the user, such as their email address, picture, birthday, and so on.įinally, maybe the most important thing: the ID token is signed by the issuer with its private key. Remember this small detail about the audience claim because it will help you better understand what its correct use is later on. In the case of the ID token, its value is the client ID of the application that should consume the token. This claim defines the audience of the token, i.e., the web application that is meant to be the final recipient of the token. In its minimal structure, it has no data about the user just info about the authentication operation. The claims about the user define the user’s identity.Īctually, the OpenID Connect specifications don't require the ID token to have user's claims. These JSON properties are called claims, and they are declarations about the user and the token itself. Without going deeper into the details, the relevant information carried by the ID token above looks like the following: You can use one of the many available libraries to decode it, or you can examine it yourself with the jwt.io debugger. By the way, the ID token is not encrypted but just Base 64 encoded. Of course, this isn't readable to the human eye, so you have to decode it to see what content the JWT holds. bql -jxlG9B_bielkqOnjTY9Di9FillFb6IMQINXoYsw eyJpc3MiOiJodHRwOi8vbXktZG9tYWluLmF1dGgwLmNvbSIsInN1YiI6ImF1dGgwfDEyMzQ1NiIsImF1ZCI6IjEyMzRhYmNkZWYiLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3MCwibmFtZSI6IkphbmUgRG9lIiwiZ2l2ZW5fbmFtZSI6IkphbmUiLCJmYW1pbHlfbmFtZSI6IkRvZSJ9. To put it simply, an example of ID token looks like this: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. If you want to learn more about JWTs, check out The JWT Handbook. Let’s see some other details.Īn ID token is encoded as a JSON Web Token (JWT), a standard format that allows your application to easily inspect its content, and make sure it comes from the expected issuer and that no one else changed it. This provides a very basic idea of what an ID token is: proof of the user's authentication. The result of that authentication process based on OpenID Connect is the ID token, which is passed to the application as proof that the user has been authenticated. Here, a user with their browser authenticates against an OpenID provider and gets access to a web application. Let's take a quick look at the problem OIDC wants to resolve. Check out this document for more details on OpenID Connect. It was introduced by OpenID Connect (OIDC), an open standard for authentication used by many identity providers such as Google, Facebook, and, of course, Auth0. An ID token is an artifact that proves that the user has been authenticated.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |