Let's see how to obtain an ID Token and decode it to read the claims it carries.
5. Use curl or a REST client to request the ID Token, as follows.
i) Using OAuth Client Key and Client Secret
Pass the credentials with curl's --user option (curl builds the HTTP Basic Authorization header for you):
--user <Client Key>:<Client Secret>
The -k flag in the command below disables TLS certificate verification. That is acceptable only against the self-signed certificate of a localhost test setup; never use it against a production identity server.
curl --user Hj7ljkzkxXAfv2_qAfbbnDBNVXsa:ZSLvf_7GnErNiYwKup0KzlTrp_ga -k -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
ii) Using Authorization Header
Alternatively, send the same credentials yourself in an HTTP Basic Authorization header. Base64-encode the string
<Client Key>:<Client Secret>
Note: make sure there is a colon (:) between the client key and the client secret. The base64-encoded value is the credential that goes after "Basic" in the Authorization header; it is not itself a token, and it is exactly what curl's --user option produces.
curl -H "Authorization: Basic SGo3bGpremt4WEFmdjJfcUFmYmJuREJOVlhzYTpaU0x2Zl83R25Fck5pWXdLdXAwS3psVHJwX2dh" -H "Content-Type: application/x-www-form-urlencoded" -k -d "grant_type=password&username=admin&password=admin&scope=openid" https://localhost:9443/oauth2/token
The response to the curl command is a JSON document. The ID Token is the long dotted value in "id_token"; the "access_token" and "refresh_token" are separate, opaque tokens.
{ "scope": "openid", "token_type": "Bearer", "expires_in": 1351, "refresh_token": "f433167d3e5349e6bcf7dbea39cb14b7", "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0NTk2MTg5MTQsImV4cCI6MTQ1OTYyNDQ2MywiYXpwIjoiSGo3bGpremt4WEFmdjJfcUFmYmJuREJOVlhzYSIsImF0X2hhc2giOiJDbk1kQk93eTVrLU5zR1R3VzNxdVdBIiwiYXVkIjpbIkhqN2xqa3preFhBZnYyX3FBZmJibkRCTlZYc2EiXSwiaXNzIjoiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwiaWF0IjoxNDU5NjIwODYzfQ.g5DvV1TZfgo6mNwSx4A1W7h-89JpKgSd5eduivmidY_vxoCrW-4uKdyejWF9YcKbHn3aAxfayN6yqGnoiYlBNu78sfYLX4SK_aOUWanoMhkbaqSbfKit-7M5ZCC2Y-9VLrq4MrBIJ4PNsxplsMjfQbk5YfV-QhqZ2r02j7_6SUo", "access_token": "af1c041244126ccd40c9deb6bbb96bf4" }
A REST client returns the same response.
6. Decode the ID Token. The ID Token is a JWT: three base64url-encoded segments separated by full stops (.), in the form <header>.<payload>.<signature>. The claims you want are in the second segment, the text between the two full stops; paste only that segment into a base64 decoder such as https://www.base64encode.org. The first segment decodes to the header ({"alg":"RS256"}, the signing algorithm) and the third is the raw RSA signature, which is not text. JWT segments use the URL-safe alphabet (- and _ in place of + and /) and carry no = padding, so a plain base64 decoder may need the padding restored or those characters substituted before it accepts the input.
"id_token": "eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0NTk2MTg5MTQsImV4cCI6MTQ1OTYyNDQ2MywiYXpwIjoiSGo3bGpremt4WEFmdjJfcUFmYmJuREJOVlhzYSIsImF0X2hhc2giOiJDbk1kQk93eTVrLU5zR1R3VzNxdVdBIiwiYXVkIjpbIkhqN2xqa3preFhBZnYyX3FBZmJibkRCTlZYc2EiXSwiaXNzIjoiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwiaWF0IjoxNDU5NjIwODYzfQ.g5DvV1TZfgo6mNwSx4A1W7h-89JpKgSd5eduivmidY_vxoCrW-4uKdyejWF9YcKbHn3aAxfayN6yqGnoiYlBNu78sfYLX4SK_aOUWanoMhkbaqSbfKit-7M5ZCC2Y-9VLrq4MrBIJ4PNsxplsMjfQbk5YfV-QhqZ2r02j7_6SUo",
Note: if you copied the value from curl output it may contain \r\n line breaks; remove them before decoding. The decoded payload is the following JSON (the \/ sequences are JSON escapes for /):
{ "auth_time": 1459618914, "exp": 1459624463, "azp": "Hj7ljkzkxXAfv2_qAfbbnDBNVXsa", "at_hash": "CnMdBOwy5k-NsGTwW3quWA", "aud": ["Hj7ljkzkxXAfv2_qAfbbnDBNVXsa"], "iss": "https:\/\/localhost:9443\/oauth2\/token", "iat": 1459620863 }
The claims mean the following:
- auth_time – time at which the end user was authenticated by the identity server (Unix time; use http://www.unixtimestamp.com to convert it)
- exp – expiry time of the ID Token (Unix time); the token must be rejected after this
- azp – Authorized Party: the client the token was issued to (the OAuth Client Key)
- at_hash – Access Token hash: the left-most half of the hash of the access_token value, computed with the hash function of the alg header (SHA-256 for RS256) and base64url-encoded. A client that receives both tokens uses it to confirm that the access token belongs with this ID Token. Any standard digest API can compute it, e.g. Java's MessageDigest: https://docs.oracle.com/javase/7/docs/api/java/security/MessageDigest.html
- aud – Audience: the client(s) the token is intended for (here an array containing the OAuth Client Key); a client must reject a token whose aud does not include it
- iss – Issuer of the token (here the identity server's token endpoint); compare it against the issuer you expect
- iat – time the token was issued (Unix time)
Decoding only reveals the claims; it proves nothing about who issued them. Before trusting an ID Token, verify the signature in the third segment with the identity server's public key and check iss, aud and exp.
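Steps 5 and 6 carried out in Python, as an added example that is not code from the original post or from the WSO2 product. It builds the same Basic credential and password-grant request that the curl commands send, decodes the three segments of the sample ID Token reproduced above (restoring base64url padding and stripping stray \r\n), recomputes at_hash from the sample access_token as OpenID Connect Core specifies, and checks iss, aud, azp and the validity window. The client key, secret, endpoint and token values are the ones shown in this post and are embedded so the decoding runs offline; the live request is only called under __main__ and assumes an identity server listening at localhost:9443 with this client registered. It deliberately does not verify the RSA signature, which needs the server's public key.

```python
"""Added example (not from the original post or the WSO2 product): request an
ID Token with the password grant, decode it and sanity-check its claims.
Decoding runs offline on the sample token from the post; the live HTTP call
only runs under __main__ and assumes a server at localhost:9443."""
import base64
import hashlib
import json
import ssl
import urllib.parse
import urllib.request

# Lab values copied from the post's curl commands.
TOKEN_URL = "https://localhost:9443/oauth2/token"
CLIENT_KEY = "Hj7ljkzkxXAfv2_qAfbbnDBNVXsa"
CLIENT_SECRET = "ZSLvf_7GnErNiYwKup0KzlTrp_ga"

# The token response reproduced in the post, embedded so the decoder runs offline.
SAMPLE_RESPONSE = {
    "access_token": "af1c041244126ccd40c9deb6bbb96bf4",
    "id_token": (
        "eyJhbGciOiJSUzI1NiJ9."
        "eyJhdXRoX3RpbWUiOjE0NTk2MTg5MTQsImV4cCI6MTQ1OTYyNDQ2MywiYXpwIjoiSGo3bGpremt4WEFmdjJfcUFmYmJuREJOVlhzYSIsImF0X2hhc2giOiJDbk1kQk93eTVrLU5zR1R3VzNxdVdBIiwiYXVkIjpbIkhqN2xqa3preFhBZnYyX3FBZmJibkRCTlZYc2EiXSwiaXNzIjoiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwiaWF0IjoxNDU5NjIwODYzfQ."
        "g5DvV1TZfgo6mNwSx4A1W7h-89JpKgSd5eduivmidY_vxoCrW-4uKdyejWF9YcKbHn3aAxfayN6yqGnoiYlBNu78sfYLX4SK_aOUWanoMhkbaqSbfKit-7M5ZCC2Y-9VLrq4MrBIJ4PNsxplsMjfQbk5YfV-QhqZ2r02j7_6SUo"
    ),
}

# Hash function that goes with each signing algorithm (used for at_hash).
HASH_FOR_ALG = {"RS256": hashlib.sha256, "RS384": hashlib.sha384, "RS512": hashlib.sha512}


def basic_credential(client_key: str, client_secret: str) -> str:
    """Authorization header value: base64("<key>:<secret>"), plain base64 with
    padding, exactly what curl --user sends."""
    raw = f"{client_key}:{client_secret}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(username: str, password: str, scope: str = "openid") -> urllib.request.Request:
    """Password-grant POST equivalent to the curl commands in the post."""
    form = {"grant_type": "password", "username": username, "password": password, "scope": scope}
    body = urllib.parse.urlencode(form).encode("ascii")
    headers = {"Authorization": basic_credential(CLIENT_KEY, CLIENT_SECRET),
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")


def request_token(req: urllib.request.Request, verify_tls: bool = True) -> dict:
    """Send the request. verify_tls=False mirrors curl -k: only for a self-signed
    lab certificate, never in production."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str):
    """Split <header>.<payload>.<signature> and decode each part, after stripping
    the \\r\\n that curl output may carry. This only decodes; it does NOT verify."""
    token = "".join(token.split())
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))


def expected_at_hash(access_token: str, alg: str) -> str:
    """OpenID Connect Core 3.1.3.6: hash the access_token octets with the hash of
    the ID Token's alg, keep the left-most half, base64url-encode without padding."""
    digest = HASH_FOR_ALG[alg](access_token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).decode("ascii").rstrip("=")


def check_claims(header: dict, payload: dict, access_token: str, now: int,
                 issuer: str = TOKEN_URL, client_id: str = CLIENT_KEY) -> list:
    """Return the claim problems found (empty list = consistent). These are the
    checks a relying party makes in addition to verifying the signature."""
    problems = []
    alg = header.get("alg")
    if alg not in HASH_FOR_ALG:
        return [f"unexpected alg {alg!r}"]  # never accept 'none' or an unknown alg
    if payload.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = payload.get("aud", [])
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain this client")
    if payload.get("azp") != client_id:
        problems.append("azp mismatch")
    if not payload.get("iat", 0) <= now < payload.get("exp", 0):
        problems.append("token not valid at this time")
    if "at_hash" in payload and payload["at_hash"] != expected_at_hash(access_token, alg):
        problems.append("at_hash does not match access_token")
    return problems


if __name__ == "__main__":
    # Offline: decode the sample token and check its claims as of its iat.
    header, payload, signature = decode_jwt(SAMPLE_RESPONSE["id_token"])
    print(json.dumps(header), json.dumps(payload, indent=2), sep="\n")
    print("signature bytes:", len(signature))
    print("problems:", check_claims(header, payload, SAMPLE_RESPONSE["access_token"], payload["iat"]))
    # Live call (assumes a server at localhost:9443 with this client registered):
    # print(request_token(build_token_request("admin", "admin"), verify_tls=False))
```

The at_hash check reports whether the sample access_token and ID Token belong together; the other checks are the ones a relying party must make regardless of how it obtained the token, and none of them replaces verifying the signature with the server's public key.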
References