About OIDC's ID Token Verification

aki0000922222 · November 8, 2021, 8:53am

Hello.

I would like to perform an ID token verification for OIDC.
We are using ASP.netCore.

We use OIDC authorization code flow.
I am able to get the ID token.
I would like to know how I can validate it.

I don’t want to use paid plug-ins if possible.

Thank you.

BarryCarlyon · November 8, 2021, 11:40am

To quote the documentation

5) Validate the ID token. This is an important security measure to ensure the authenticity of the token and guard against any tampering.

To verify the signature of our ID tokens, we host a public JSON Web Key (JWK) here. For details on how to use our JWK in validating ID tokens, see How to validate an OpenID Connect ID token.

Alternatively rather than writing your own, you can use an existing library.

The website for JWT information https://jwt.io/ will list .net compatible libraries, click libraries at the top and change the filter paremter. Microsoft itself even provides one.

aki0000922222 · November 9, 2021, 7:25am

Thank you.
It was helpful and I’m almost ready to complete the verification.
I would like to know how I can get the Certificate for RS256.

var json = JwtBuilder.Create()
                     .WithAlgorithm(new RS256Algorithm(certificate)) // asymmetric
                     .MustVerifySignature()
                     .Decode(token);                    
Console.WriteLine(json);

Or I want to know how to generate a public key.
https://id.twitch.tv/oauth2/keys
How can I generate a public key from this?

BarryCarlyon · November 9, 2021, 12:27pm

In my node example twitch_misc/server.js at main · BarryCarlyon/twitch_misc · GitHub it’s all handled by the libraries I use for it. So you might be able to follow the depenacies backwards.

Following it back leads me to node-jwks-rsa/utils.js at 4e221406c256d2b34ced4e11498fa85ab3cd4a23 · auth0/node-jwks-rsa · GitHub

Where the library I use will grab the keys[0]->n (well the keys from the key file as a whole) from https://id.twitch.tv/oauth2/keys and then attempt to convert that to a PEM to then be used.

I don’t know what the .net equivalent is for this.

aki0000922222 · November 11, 2021, 1:55am

Thanks.
I was able to do some research and get ID token verification.

I guess this is a follow-up question.
How often are the following KEYS updated?
https://id.twitch.tv/oauth2/keys

BarryCarlyon · November 11, 2021, 12:29pm

That information is not documented.

To my knowledge the key hasn’t been changed ever.

So you can either recache the keys periodically or whenever someone tries to login.

aki0000922222 · November 15, 2021, 3:08am

Thank you.
My current questions have been answered.

system · December 15, 2021, 3:08am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.