OIDC.IDToken (oidc v0.5.0)
ID Token validation
Summary
Types
The ID token claims
The serialized ID Token
Data needed to verify an ID Token
Functions
Verifies an ID Token
Verifies a hash claim of an ID token
Verifies a hash claim of an ID token, if present in the ID token
Types
Specs
The ID token claims, for instance:
%{
  "aud" => "client_1",
  "exp" => 1588689766,
  "iat" => 1588689736,
  "iss" => "https://example.com",
  "sub" => "user_1"
}
Specs
serialized() :: String.t()
The serialized ID Token, for instance:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Specs
verification_data() :: %{
  :client_id => OIDC.client_id(),
  :issuer => OIDC.issuer(),
  optional(:auth_time_required) => boolean(),
  optional(:id_token_iat_max_time_gap) => non_neg_integer(),
  optional(:jti_register) => module(),
  optional(:mandatory_acrs) => [OIDC.acr()],
  optional(:nonce) => OIDC.nonce(),
  optional(:oauth2_metadata_updater_opts) => Keyword.t(),
  optional(:server_metadata) => OIDC.server_metadata(),
  optional(atom()) => any()
}
Data needed to verify an ID Token
Functions
Specs
verify(serialized(), OIDC.ClientConfig.t(), verification_data()) ::
  {:ok, {claims(), JOSEUtils.JWK.t()}} | {:error, Exception.t()}
Verifies an ID Token
This function verifies:
- the signature of the ID Token
- the standard claims against their validation rules and validation data:
  - "iss"
  - "aud"
  - "azp"
  - "exp"
  - "iat"
  - "nonce"
  - "acr"
  - "auth_time"
It also decrypts the ID token if it is encrypted.
It does not verify the "c_hash" and "at_hash" claims. See verify_hash/4 and verify_hash_if_present/4 for this.
Specs
verify_hash(String.t(), String.t(), claims(), JOSEUtils.JWK.t()) :: :ok | {:error, Exception.t()}
Verifies a hash claim of an ID token
The token hash name is one of:
- "c_hash"
- "at_hash"
The JWK to be passed as a parameter is the JWK that has been used to validate the ID token signature.
Specs
verify_hash_if_present(String.t(), String.t(), claims(), JOSEUtils.JWK.t()) :: :ok | {:error, Exception.t()}
Verifies a hash claim of an ID token, if present in the ID token
The token hash name is one of:
- "c_hash"
- "at_hash"
The JWK to be passed as a parameter is the JWK that has been used to validate the ID token signature.
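The following is an added example, not code from the oidc library or its documentation, showing how a relying party would chain verify/3 (documented above) with verify_hash/4 and verify_hash_if_present/4, the two checks verify/3 leaves to the caller. It assumes: an OIDC.ClientConfig.t() given as a map of client metadata with string keys ("client_id", "client_secret", "id_token_signed_response_alg"); that verify_hash/4 and verify_hash_if_present/4 take the hash claim name first and the value to bind second, as the spec's two String.t() arguments and the "token hash name" wording suggest; that id_token_iat_max_time_gap is in seconds and that auth_time_required and mandatory_acrs behave as their names say; and hypothetical response maps, session nonce and ACR value "urn:example:acr:mfa". The choice between the two hash functions follows OpenID Connect Core 1.0: when the ID token is issued by the authorization endpoint next to a code (hybrid flow), "c_hash" is required and "at_hash" is required if an access token is issued too (section 3.3.2.11), so the strict verify_hash/4 is used; in an ID token issued by the token endpoint "at_hash" is optional (section 3.1.3.6), so verify_hash_if_present/4 is used there.

```elixir
defmodule MyApp.IDTokenChecks do
  @moduledoc """
  Added example (not part of the oidc library): chaining OIDC.IDToken.verify/3
  with the hash-claim checks it deliberately leaves to the caller.
  """

  # Assumption: OIDC.ClientConfig.t() is a map of OpenID client metadata
  # with string keys. Values are placeholders.
  @client_config %{
    "client_id" => "client_1",
    "client_secret" => "client_1_secret",
    "id_token_signed_response_alg" => "RS256"
  }
  @issuer "https://example.com"

  # verification_data() for verify/3. The nonce comes from the server-side
  # session created when the authentication request was built, never from the
  # response being verified.
  defp verification_data(session_nonce) do
    %{
      client_id: @client_config["client_id"],
      issuer: @issuer,
      nonce: session_nonce,
      # assumed seconds: reject tokens whose "iat" is older than this
      id_token_iat_max_time_gap: 60,
      # example policy: "auth_time" must be present, "acr" must be one of these
      auth_time_required: true,
      mandatory_acrs: ["urn:example:acr:mfa"]
    }
  end

  @doc """
  Hybrid flow (response_type "code id_token" or "code id_token token"): the ID
  token comes from the authorization endpoint together with the code, so
  "c_hash" is REQUIRED, and "at_hash" is REQUIRED when an access token is also
  returned (OpenID Connect Core 3.3.2.11). verify_hash/4 is used so that a
  missing claim is an error; verify_hash_if_present/4 would accept an ID token
  without "c_hash", leaving the code unbound to the token.
  `params` is the decoded authorization response (hypothetical map).
  """
  def verify_authorization_response(params, session_nonce) do
    vd = verification_data(session_nonce)

    with {:ok, {claims, jwk}} <- OIDC.IDToken.verify(params["id_token"], @client_config, vd),
         # assumed argument order: hash claim name, then the value it must bind
         :ok <- OIDC.IDToken.verify_hash("c_hash", params["code"], claims, jwk),
         :ok <- verify_at_hash_if_token_issued(params["access_token"], claims, jwk) do
      {:ok, claims}
    end
  end

  @doc """
  Authorization code flow: the ID token comes from the token endpoint, where
  "at_hash" is OPTIONAL (Core 3.1.3.6), so it is checked only when present.
  The nonce and other checks in verify/3 still apply.
  `token_response` is the decoded token endpoint response (hypothetical map).
  """
  def verify_token_response(token_response, session_nonce) do
    vd = verification_data(session_nonce)
    access_token = token_response["access_token"]

    with {:ok, {claims, jwk}} <- OIDC.IDToken.verify(token_response["id_token"], @client_config, vd),
         :ok <- OIDC.IDToken.verify_hash_if_present("at_hash", access_token, claims, jwk) do
      {:ok, claims}
    end
  end

  # No access token in the authorization response: nothing to bind.
  defp verify_at_hash_if_token_issued(nil, _claims, _jwk), do: :ok

  defp verify_at_hash_if_token_issued(access_token, claims, jwk),
    do: OIDC.IDToken.verify_hash("at_hash", access_token, claims, jwk)
end
```

Any `{:error, exception}` returned by verify/3 or by a hash check falls out of the `with` unchanged, so a caller can pattern-match on the exception to distinguish a signature or claim failure from a hash-binding failure. The JWK passed to the hash functions is exactly the one returned by verify/3, which is the key that validated the signature, as the documentation above requires.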