Validating the Limited Login OIDC Token

A successful login in Limited Login returns an AuthenticationToken instance. This is a JSON web token (JWT) containing your nonce, if you provided one, a signature, and other pieces of information. Your app should validate the token to make sure it is authentic.

In particular, your app should check the following:

  1. That the JWT is well formed
  2. The signature
  3. The standard claims

Your app should accept only tokens that have passed all three checks.

Check That the JWT is Well Formed

  1. Check that the JWT consists of three Base64Url-encoded parts separated by periods:
    1. Header
    2. Payload
    3. Signature
  2. Parse the JWT to extract the three parts.
  3. Decode the payload and verify that it is a valid JSON object.

Check the Signature

The signature is created from the encoded header and payload of the JWT, a signing algorithm, and a secret or public key, depending on the signing algorithm, which is specified in the header. You check the signature by generating a new Base64url-encoded signature using the public key (RS256) and checking that the signature you generate matches the signature in the JWT.

  1. Retrieve the public key from the JSON web key set (JWKS) by calling the token's JWKS endpoint.

  2. Take the concatenated original Base64url-encoded header and original Base64url-encoded payload of the JWT (Base64url-encoded header + "." + Base64url-encoded payload) and run them through the signing algorithm specified in the header.

  3. Base64url-encode the result and check that it matches the signature in the JWT.

Check the Standard Claims

The standard claims are part of the JWT payload.

  1. Retrieve the following standard claims from the decoded payload:
    1. Token expiration (exp: Unix timestamp)
    2. Token issuer (iss: string)
    3. Audience (aud: string)
    4. Nonce
  2. Check that the expiration is later than the current date and time. Tokens are short-lived.
  3. Check that the issuer (iss) matches the issuing authority you expect.
  4. Check that the audience matches your app ID.
  5. Check that the nonce matches the nonce you provided.
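The three checks above, carried out end to end as an added example (not code from the Limited Login SDK or its documentation). It assumes a constructed, deterministic RSA key pair in place of the key served by the JWKS endpoint, a simulated issuer that signs tokens with it, and placeholder issuer and app ID values; the verification itself is plain RS256 (RSA PKCS#1 v1.5 over SHA-256) on the standard library only.

```python
import base64, hashlib, json, random, time

def _prime(bits, rng):
    # Fermat test with a few bases: enough for a constructed demo key, not for real keys
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p % 65537 != 1 and all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7, 11)):
            return p

# Constructed, deterministic 1024-bit RSA key pair standing in for the key the JWKS endpoint serves
_rng = random.Random(2024)
_P, _Q = _prime(512, _rng), _prime(512, _rng)
N, E = _P * _Q, 65537                     # public key: the JWK "n" and "e" values
D = pow(E, -1, (_P - 1) * (_Q - 1))       # private exponent, issuer side only (Python 3.8+)
K = (N.bit_length() + 7) // 8             # modulus length in bytes

def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# EMSA-PKCS1-v1_5 encoding of SHA-256(signing input) per RFC 8017; RS256 signs exactly this
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa(signing_input):
    t = _SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def make_token(claims):
    """Simulated issuer: Base64url header and payload, signed with the private key."""
    head = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = pow(int.from_bytes(_emsa(f"{head}.{body}".encode()), "big"), D, N)
    return f"{head}.{body}.{b64url_encode(sig.to_bytes(K, 'big'))}"

def validate_token(token, expected_iss, expected_aud, expected_nonce, now=None):
    """The three checks; returns the claims on success, raises ValueError otherwise."""
    parts = token.split(".")                                  # 1. well formed
    if len(parts) != 3: raise ValueError("token must be header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict): raise ValueError("payload is not a JSON object")
    if header.get("alg") != "RS256": raise ValueError("unexpected alg")  # 2. signature: RS256 only
    sig = int.from_bytes(b64url_decode(parts[2]), "big")
    if sig >= N or pow(sig, E, N).to_bytes(K, "big") != _emsa(f"{parts[0]}.{parts[1]}".encode()):
        raise ValueError("signature does not verify")
    now = time.time() if now is None else now                 # 3. standard claims
    if not claims.get("exp", 0) > now: raise ValueError("token expired")
    if claims.get("iss") != expected_iss: raise ValueError("issuer mismatch")
    if claims.get("aud") != expected_aud: raise ValueError("audience mismatch")
    if claims.get("nonce") != expected_nonce: raise ValueError("nonce mismatch")
    return claims
```

The verifier pins the algorithm to RS256 rather than trusting whatever the header names, so a token whose header has been altered to another algorithm is rejected before any signature math runs.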