oidc v0.1.0 OIDC.IDToken

ID Token validation

Summary

Types

The ID token claims, for instance

The serialized ID Token, for instance

Data needed to verify an ID Token

Functions

Verifies a hash claim of an ID token

Verifies a hash claim of an ID token, if present in the ID token

Types

claims()

claims() :: %{optional(String.t()) => any()}

The ID token claims, for instance:

%{
  "aud" => "client_1",
  "exp" => 1588689766,
  "iat" => 1588689736,
  "iss" => "https://example.com",
  "sub" => "user_1"
}

serialized()

serialized() :: String.t()

The serialized ID Token, for instance:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
verification_data()

verification_data() :: %{
  :client_id => OIDC.client_id(),
  :issuer => OIDC.issuer(),
  optional(:auth_time_required) => boolean(),
  optional(:id_token_iat_max_time_gap) => non_neg_integer(),
  optional(:mandatory_acrs) => [OIDC.acr()],
  optional(:nonce) => OIDC.nonce(),
  optional(:oauth2_metadata_updater_opts) => Keyword.t(),
  optional(:server_metadata) => OIDC.server_metadata(),
  optional(atom()) => any()
}

Data needed to verify an ID Token

Functions

verify(serialized_id_token, client_conf, verification_data)

Verifies an ID Token

This function verifies:

  • the signature of the ID Token
  • the standard claims against their validation rules and validation data:

    • "iss"
    • "aud"
    • "azp"
    • "exp"
    • "iat"
    • "nonce"
    • "acr"
    • "auth_time"

It does not verify the "c_hash" and "at_hash" claims. See verify_hash/4 and verify_hash_if_present/4 for this.

verify_hash(token_hash_name, token, claims, jwk)

verify_hash(String.t(), String.t(), claims(), JOSEUtils.JWK.t()) ::
  :ok | {:error, Exception.t()}

Verifies a hash claim of an ID token

The token hash name is one of:

  • "c_hash"
  • "at_hash"

The JWK to be passed as a parameter is the JWK that has been used to validate the ID token signature.

verify_hash_if_present(token_hash_name, token, claims, jwk)

verify_hash_if_present(String.t(), String.t(), claims(), JOSEUtils.JWK.t()) ::
  :ok | {:error, Exception.t()}

Verifies a hash claim of an ID token, if present in the ID token

The token hash name is one of:

  • "c_hash"
  • "at_hash"

The JWK to be passed as a parameter is the JWK that has been used to validate the ID token signature.
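The check that verify_hash/4 and verify_hash_if_present/4 perform, worked through as an added example that is not part of the oidc library: it computes the expected "at_hash" / "c_hash" value as OpenID Connect Core defines it (base64url of the left-most half of the token's digest, the digest being the one implied by the ID token's "alg" header) and compares it with the claim. It is written in Python rather than Elixir, takes the alg name directly instead of the JWK, and the access token and claims are constructed sample values.

```python
import base64
import hashlib
import hmac

# Digest implied by the ID token's "alg" header (OpenID Connect Core 1.0,
# at_hash / c_hash definitions): the SHA-2 variant matching the alg suffix,
# e.g. RS256 -> SHA-256, ES384 -> SHA-384, PS512 -> SHA-512.
_DIGESTS = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def token_hash(alg, token):
    """Expected at_hash/c_hash value of `token` for an ID token signed with `alg`."""
    digest = _DIGESTS.get(alg[-3:])
    if alg[:2] not in ("HS", "RS", "PS", "ES") or digest is None:
        raise ValueError(f"no hash-claim digest defined here for alg {alg!r}")
    full = digest(token.encode("ascii")).digest()
    left_half = full[: len(full) // 2]  # left-most half of the digest
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def verify_hash(hash_name, token, claims, alg):
    """Return (True, None) if claims[hash_name] matches `token`, else (False, reason)."""
    if hash_name not in ("c_hash", "at_hash"):
        return (False, f"unknown hash claim {hash_name!r}")
    actual = claims.get(hash_name)
    if not isinstance(actual, str):
        return (False, f"missing claim {hash_name!r}")
    expected = token_hash(alg, token)
    # Constant-time comparison of the two base64url strings.
    if not hmac.compare_digest(expected.encode(), actual.encode()):
        return (False, f"{hash_name!r} does not match the token")
    return (True, None)


def verify_hash_if_present(hash_name, token, claims, alg):
    """Like verify_hash, but succeed when the ID token carries no such claim."""
    if hash_name not in claims:
        return (True, None)
    return verify_hash(hash_name, token, claims, alg)


if __name__ == "__main__":
    # Constructed sample values: an access token and ID token claims for RS256.
    access_token = "constructed-access-token-value"
    claims = {"iss": "https://example.com", "aud": "client_1",
              "at_hash": token_hash("RS256", access_token)}
    print(verify_hash("at_hash", access_token, claims, "RS256"))          # (True, None)
    print(verify_hash("at_hash", access_token + "x", claims, "RS256"))    # mismatch
    print(verify_hash_if_present("c_hash", "any-code", claims, "RS256"))  # (True, None)
```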