ID Token: a JSON Web Token (JWT) [JWT] that contains Claims about the Authentication event. An identity token represents the outcome of an authentication process.
The ID Token consists of three period-separated, Base64 URL-encoded JSON segments: a header, the payload, and the signature.
ID tokens are in JSON Web Token (JWT) format, specified in https://tools.ietf.org/html/rfc7519. They are signed with the private half of a JSON Web Key (JWK), specified in https://tools.ietf.org/html/rfc7517; the corresponding public keys are published at the Authorization Server's JWK endpoint.
The high-level overview of validating an ID token looks like this:
- Retrieve and parse your JSON Web Keys (JWK), which should be checked periodically and cached by your application.
- Decode the ID token, which is in JSON Web Token format
- Verify the signature used to sign the ID token
- You verify the Access or ID token's signature by matching the key that was used to sign it with one of the keys that you retrieved from your Authorization Server's JWK endpoint. Specifically, each public key is identified by a `kid` attribute, which corresponds with the `kid` claim in the Access or ID token header. If the `kid` claim doesn't match, it's possible that the signing keys have changed. Check the `jwks_uri` value in the Authorization Server metadata and try retrieving the keys again from MobilePay.
- Verify the claims found inside the ID token:
  - The `iss` (issuer) claim matches the identifier of your MobilePay Authorization Server.
  - The `aud` (audience) claim should match the Client ID that you used to request the ID Token.
  - The `iat` (issued at time) claim indicates when this ID token was issued, expressed in Unix time.
  - The `exp` (expiry time) claim is the time at which this token will expire, expressed in Unix time.
  - The `nonce` claim value should match whatever was passed when you requested the ID token.
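As an added example (not MobilePay's own code), the following standard-library Python validator walks the steps above: `kid` lookup in a cached JWKS, signature check, then the `iss`, `aud`, `iat`, `exp` and `nonce` checks, rejecting the token on the first failure. It assumes a constructed symmetric HS256 JWK so that it runs offline; MobilePay's keys are asymmetric, so a production validator would pin RS256/ES256 and verify against the published public key, but the lookup and claim logic is the same.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore stripped padding

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed JWKS with a symmetric "oct" key so the example runs without extra libraries.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
JWKS = {"keys": [{"kty": "oct", "kid": "demo-kid-1", "alg": "HS256", "k": _b64url_encode(DEMO_SECRET)}]}

def mint_token(claims: dict, secret: bytes, kid: str) -> str:
    # Demo issuer only: builds header.payload.signature the way the Authorization Server would.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_id_token(token: str, jwks: dict, issuer: str, client_id: str, nonce: str, now=None) -> dict:
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless exactly three segments
    header = json.loads(_b64url_decode(header_b64))
    # Look the key up by kid; an unknown kid means the keys may have rotated (refresh from jwks_uri).
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise LookupError("no JWK matches the token kid; refresh the JWKS and retry")
    # Pin the algorithm to the key's alg instead of trusting the token header (blocks alg=none downgrades).
    if header.get("alg") != key["alg"] or key["alg"] != "HS256":
        raise ValueError("unexpected alg in token header")
    expected = hmac.new(_b64url_decode(key["k"]), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))  # only trust the payload after the signature passes
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the Authorization Server")
    if client_id not in (claims["aud"] if isinstance(claims.get("aud"), list) else [claims.get("aud")]):
        raise ValueError("aud does not contain our Client ID")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token is expired or has no exp")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:  # 60 s clock-skew allowance
        raise ValueError("iat is missing or lies in the future")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce does not match the value sent in the request")
    return claims
```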