!!! Overview
[{$pagename}] requires that the [OAuth Client] [MUST] validate the [Id_token] in the [OAuth Token Response]. 

If any of the [Verification] procedures defined fail, any operations requiring the information that failed to correctly validate [MUST] be aborted and the information that failed to validate [MUST NOT] be used.

The [OAuth Client] can split the [Id_token] at the period (".") characters, take the second segment, and [base64url] decode it to obtain a [JSON Object] containing the 
[Identity Token Claims], which [MUST] be validated as follows:
* Verify the [JWS] [Digital Signature] of the [JWT] [id_token]
* [nonce] - This [MUST] be the [nonce] value you sent in your [Authentication Request]
* [iss] - The Issuer Identifier for the [OpenID Connect Provider], which is typically obtained from [Openid-configuration], [MUST] exactly match the value of the [iss] ([issuer]) [Claim].
* [aud] - The Client [MUST] validate that the [aud] (audience) [Claim] contains its [client_id] value registered at the [OpenID Connect Provider] identified by the [iss] (issuer) Claim as an audience. The [Id_token] [MUST] be rejected if the [Id_token] does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
* [azp] - If the [Id_token] contains multiple [Aud] values, the Client [SHOULD] verify that an [azp] Claim is present. If an [azp] ([authorized party]) [Claim] is present, the Client [SHOULD] verify that its [client_id] is the [Claim] Value.
* [exp] - The current time [MUST] be before the time represented by the [exp] Claim (possibly allowing for some small leeway to account for [clock skew]).
* [iat] - The [iat] Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that [nonces] need to be stored to prevent attacks. The acceptable range is Client specific.
* [acr] - If the [acr] [Claim] was requested, the Client [SHOULD] check that the asserted Claim Value is appropriate. 
* [Max_age] - When a [max_age] request is made, the Client [SHOULD] check the [auth_time] Claim value and request re-authentication if it determines too much time has elapsed since the last [End-User] [authentication].
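
The checks above, from the signature through iat, as an added example that is not part of the original page or of any project's code. It assumes the provider signs with HS256 keyed by the client secret so that it runs on the Python standard library alone; validate_id_token, make_sample_token and their parameters are hypothetical names, and the acr and max_age checks are left to the caller.

```python
import base64, hashlib, hmac, json, time

def _dec(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(secret, signing_input):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_sample_token(claims, secret):
    """Build a constructed HS256 token; sample input only."""
    head = _enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _enc(json.dumps(claims).encode())
    return f"{head}.{body}.{_enc(_mac(secret, head + '.' + body))}"

def validate_id_token(token, *, issuer, client_id, nonce, secret,
                      trusted_aud=(), now=None, leeway=60, max_iat_skew=600):
    """Added example (HS256 with the client secret assumed): return claims or raise ValueError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims, sig = json.loads(_dec(head)), json.loads(_dec(body)), _dec(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and payload must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed id_token") from exc
    # Pin the algorithm locally; the token header must not choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, _mac(secret, f"{head}.{body}")):
        raise ValueError("bad signature")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if client_id not in auds or any(a not in (client_id, *trusted_aud) for a in auds):
        raise ValueError("aud not acceptable")
    if (len(auds) > 1 and "azp" not in claims) or claims.get("azp", client_id) != client_id:
        raise ValueError("azp missing or mismatched")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        raise ValueError("expired")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_iat_skew:
        raise ValueError("iat out of range")
    return claims
```

Every failure raises before the claims are returned, so a caller cannot use information that failed to validate.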

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]