Overview
Identity Token Validation requires that the OAuth Client MUST validate the id_token in the OAuth Token Response. If any of the verification procedures defined below fail, any operation requiring the information that failed to validate MUST be aborted, and that information MUST NOT be used.
The OAuth Client can split the id_token at the period (".") characters, take the second segment, and base64url decode it to obtain a JSON object containing the Identity Token Claims, which MUST be validated as follows:
- Verify the JWS Digital Signature of the JWT id_token
- nonce - This MUST be the nonce value you sent in your Authentication Request
- iss - The Issuer Identifier for the OpenID Connect Provider, which is typically obtained from the openid-configuration discovery document, MUST exactly match the value of the iss (issuer) Claim.
- aud - The Client MUST validate that the aud (audience) Claim contains its client_id value, as registered at the OpenID Connect Provider identified by the iss (issuer) Claim, as an audience. The id_token MUST be rejected if it does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
- azp - If the id_token contains multiple aud values, the Client SHOULD verify that an azp Claim is present. If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
- exp - The current time MUST be before the time represented by the exp Claim (possibly allowing for some small leeway to account for clock skew).
- iat - The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is Client specific.
- acr - If the acr Claim was requested, the Client SHOULD check that the asserted Claim Value is appropriate.
- max_age - When a max_age request is made, the Client SHOULD check the auth_time Claim value and request re-authentication if it determines too much time has elapsed since the last End-User authentication.
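The checks above, carried through as an added example (not code from the original page): the token is split at the periods, the signature is verified before any claim is read, and then nonce, iss, aud, azp, exp and iat are checked in the order listed. The signing key, issuer, client_id, nonce and timestamps are constructed values; HS256 keyed with the client secret is assumed only because it needs nothing beyond the standard library, while providers usually sign with RS256 and a key from their jwks_uri.

```python
import base64, hashlib, hmac, json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256_token(claims: dict, key: bytes) -> str:
    # Constructed helper standing in for the provider: mints an HS256-signed id_token.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def validate_id_token(id_token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now: float, trusted_auds=(),
                      leeway: int = 60, max_iat_age: int = 300) -> dict:
    """Apply the checks listed above in order; raise ValueError naming the first failure."""
    head, body, sig = id_token.split(".")  # ValueError unless exactly three segments
    # 1. Signature first. HS256 keyed with the client secret is assumed here because it
    #    needs only the standard library; providers usually use RS256 with a jwks_uri key.
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature")
    claims = json.loads(b64url_decode(body))
    # 2. nonce and iss must equal what the client sent / discovered, byte for byte.
    for name, want in (("nonce", nonce), ("iss", issuer)):
        if claims.get(name) != want:
            raise ValueError(name)
    # 3. aud must list this client and contain no audience the client does not trust.
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud or not set(aud) <= set(trusted_auds) | {client_id}:
        raise ValueError("aud")
    # 4. azp is required when there are several audiences and must name this client.
    if len(aud) > 1 and "azp" not in claims:
        raise ValueError("azp missing")
    if "azp" in claims and claims["azp"] != client_id:
        raise ValueError("azp")
    # 5. exp and iat, with a small leeway for clock skew between client and provider.
    if now >= claims.get("exp", 0) + leeway:
        raise ValueError("exp")
    if abs(now - claims.get("iat", 0)) > max_iat_age:
        raise ValueError("iat")
    return claims
```

The acr and max_age/auth_time checks are policy-specific and are left to the caller, which can apply them to the returned claims dictionary.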