Posted on

ID Token in OpenID in WSO2 Identity Server 5.1.0

Scroll down to see more content
ID Token is a JSON Web Token (JWT) which has introduced by OpenID Connect. OAuth does not communicate the identity information of the end user. Due to this OpenID uses ID Token to communicate the end user information. You can read more on ID Token in [1].

Let see how we can get the ID Token and decode the token to get the information.

1. Create a Service Provider as below.

2. Configure OAuth/OpenID connect configuration in Inbound Authentication.
Click on Configure in OAuth/OpenID Connect Configuration.
3. Provide a Callback URL and register a new application as follows.
Note: Callback URL is the redirection URL for an authorized user.
4. You can find the OAuth Client Key and Client Secret as follows.

5. Use the Curl command or a REST Client to get the ID Token as follows.

i) Using OAuth Client Key and Client Secret

Use –user tag as follows.
–user <Client Key>:<Client Secret>

curl --user Hj7ljkzkxXAfv2_qAfbbnDBNVXsa:ZSLvf_7GnErNiYwKup0KzlTrp_ga  -k -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token

ii) Using Authorization Header

Using OAuth Client Key and Client Secret we can generate the token.

Go to https://www.base64encode.org and Encode the Client Key and Client Secret.

<Client Key>:<Client Secret>

Note: Make sure you have a colon (:) in between the client key and client secret. Encoded value will be the token.

curl -H "Authorization: Basic SGo3bGpremt4WEFmdjJfcUFmYmJuREJOVlhzYTpaU0x2Zl83R25Fck5pWXdLdXAwS3psVHJwX2dh" -H "Content-Type: application/x-www-form-urlencoded" -k -d "grant_type=password&username=admin&password=admin&scope=openid" https://localhost:9443/oauth2/token

 

You will get a json as the response for the curl command.

{
 "scope": "openid",
 "token_type": "Bearer",
 "expires_in": 1351,
 "refresh_token": "f433167d3e5349e6bcf7dbea39cb14b7",
 "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0NTk2MTg5MTQsImV4cCI6MTQ1OTYyNDQ2MywiYXpwIjoiSGo3bGpremt4WEFmdjJfcUFmYmJuREJOVlhzYSIsImF0X2hhc2giOiJDbk1kQk93eTVrLU5zR1R3VzNxdVdBIiwiYXVkIjpbIkhqN2xqa3preFhBZnYyX3FBZmJibkRCTlZYc2EiXSwiaXNzIjoiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwiaWF0IjoxNDU5NjIwODYzfQ.g5DvV1TZfgo6mNwSx4A1W7h-89JpKgSd5eduivmidY_vxoCrW-4uKdyejWF9YcKbHn3aAxfayN6yqGnoiYlBNu78sfYLX4SK_aOUWanoMhkbaqSbfKit-7M5ZCC2Y-9VLrq4MrBIJ4PNsxplsMjfQbk5YfV-QhqZ2r02j7_6SUo",
 "access_token": "af1c041244126ccd40c9deb6bbb96bf4"
}

 

Using REST Client you can get the same response.

6. Decode the ID token using https://www.base64encode.orgYou need to decode only the text in between full stops (.) in the ID Token.

"id_token": "eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0NTk2MTg5MTQsImV4cCI6MTQ1OTYyNDQ2MywiYXpwIjoiSGo3bGpremt4WEFmdjJfcUFmYmJuREJOVlhzYSIsImF0X2hhc2giOiJDbk1kQk93eTVrLU5zR1R3VzNxdVdBIiwiYXVkIjpbIkhqN2xqa3preFhBZnYyX3FBZmJibkRCTlZYc2EiXSwiaXNzIjoiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwiaWF0IjoxNDU5NjIwODYzfQ.g5DvV1TZfgo6mNwSx4A1W7h-89JpKgSd5eduivmidY_vxoCrW-4uKdyejWF9YcKbHn3aAxfayN6yqGnoiYlBNu78sfYLX4SK_aOUWanoMhkbaqSbfKit-7M5ZCC2Y-9VLrq4MrBIJ4PNsxplsMjfQbk5YfV-QhqZ2r02j7_6SUo",

Note: If you use the curl command, you may have \r\n values in the ID Token as well. You need to remove those before you decode the ID Token.Decoded json will have the following information.

{
 "auth_time": 1459618914,
 "exp": 1459624463,
 "azp": "Hj7ljkzkxXAfv2_qAfbbnDBNVXsa",
 "at_hash": "CnMdBOwy5k-NsGTwW3quWA",
 "aud": ["Hj7ljkzkxXAfv2_qAfbbnDBNVXsa"],
 "iss": "https:\/\/localhost:9443\/oauth2\/token",
 "iat": 1459620863
}

Lets find the meanings of these.

References

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s