About OIDC's ID Token Verification


I would like to perform an ID token verification for OIDC.
We are using ASP.NET Core.

We use OIDC authorization code flow.
I am able to get the ID token.
I would like to know how I can validate it.

I don’t want to use paid plug-ins if possible.

Thank you.

To quote the documentation

5) Validate the ID token. This is an important security measure to ensure the authenticity of the token and guard against any tampering.

To verify the signature of our ID tokens, we host a public JSON Web Key (JWK) here. For details on how to use our JWK in validating ID tokens, see How to validate an OpenID Connect ID token.

Alternatively rather than writing your own, you can use an existing library.

The website for JWT information, https://jwt.io/, will list .NET compatible libraries: click Libraries at the top and change the filter parameter. Microsoft itself even provides one.
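As an added example (not code from the thread or from Twitch), this is what the "validate the ID token" step looks like in .NET with Microsoft's own library, the NuGet packages System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens. The JWKS URL is the one named in the thread; the issuer string, clientId and expectedNonce are assumptions about your own app and the provider's documented issuer value, so check them against the docs.

```csharp
// Added example, not from the original post: validating an OIDC ID token in .NET with
// Microsoft's JWT library. Assumed: Issuer is the provider's documented 'iss' value,
// clientId is your OIDC client ID, expectedNonce is the nonce you stored in the session
// when you built the authorization request.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;

public static class IdTokenValidator
{
    private static readonly HttpClient Http = new HttpClient();

    private const string Issuer = "https://id.twitch.tv/oauth2";        // assumed; confirm in the docs
    private const string JwksUrl = "https://id.twitch.tv/oauth2/keys";  // named in the thread

    public static async Task<ClaimsPrincipal> ValidateAsync(
        string idToken, string clientId, string expectedNonce)
    {
        // 1. Load the provider's public keys (a JWK Set). Fetching on every login works,
        //    but in production the set should be cached.
        string jwksJson = await Http.GetStringAsync(JwksUrl);
        var jwks = new JsonWebKeySet(jwksJson);

        // 2. Pin everything a relying party must check: who issued the token, who it is
        //    for, which key signed it, and which algorithm was used.
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = clientId,
            IssuerSigningKeys = jwks.GetSigningKeys(),                 // matched against the 'kid' header
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },  // reject 'none', HS256, ...
            RequireSignedTokens = true,
            RequireExpirationTime = true,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),   // library default is 5 minutes; tighten it
        };

        // 3. ValidateToken throws a SecurityTokenException subclass on any failure:
        //    bad signature, expired, wrong issuer or audience, unknown kid.
        var handler = new JwtSecurityTokenHandler();
        ClaimsPrincipal principal = handler.ValidateToken(idToken, parameters, out SecurityToken validated);

        // 4. The library cannot know which login request this token answers. The nonce
        //    you sent in the authorization request must come back unchanged, otherwise
        //    a token captured elsewhere could be replayed into this session.
        var jwt = (JwtSecurityToken)validated;
        if (jwt.Payload.Nonce != expectedNonce)
            throw new SecurityTokenException("ID token nonce does not match the login request");

        return principal;
    }
}
```

If the application signs users in through the ASP.NET Core OpenID Connect middleware (AddOpenIdConnect), these checks, including the nonce, are already performed for you using keys from the provider's discovery document; hand-written validation like the above is only needed when you exchange the authorization code yourself.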

Thank you.
It was helpful and I’m almost ready to complete the verification.
I would like to know how I can get the Certificate for RS256.

var json = JwtBuilder.Create()
                     .WithAlgorithm(new RS256Algorithm(certificate)) // asymmetric
                     .MustVerifySignature()
                     .Decode(token);

Or I want to know how to generate a public key.
How can I generate a public key from this?

In my node example twitch_misc/server.js at main · BarryCarlyon/twitch_misc · GitHub it's all handled by the libraries I use for it. So you might be able to follow the dependencies backwards.

Following it back leads me to node-jwks-rsa/utils.js at 4e221406c256d2b34ced4e11498fa85ab3cd4a23 · auth0/node-jwks-rsa · GitHub

Where the library I use will grab the keys[0]->n (well the keys from the key file as a whole) from https://id.twitch.tv/oauth2/keys and then attempt to convert that to a PEM to then be used.

I don't know what the .NET equivalent is for this.
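As an added example that is not from the thread, the .NET equivalent of what node-jwks-rsa does in utils.js: a JWK's `n` (modulus) and `e` (exponent) are base64url-encoded big-endian integers, and .NET can import them straight into an RSA object, so no PEM or certificate is needed; this also answers the earlier question, since Twitch publishes a JWK rather than an X.509 certificate, so the `RS256Algorithm` overload that takes an `RSA` public key is the one to use instead of the certificate overload. It assumes the jwt-dotnet library (NuGet package "JWT") from the question's snippet and its `RS256Algorithm(RSA publicKey)` constructor; the issuer string is an assumption to confirm in the docs, and the JWK Set JSON is whatever https://id.twitch.tv/oauth2/keys returns.

```csharp
// Added example, not from the original post: turn a JWK into an RSA public key and use it
// with jwt-dotnet's JwtBuilder. Assumed: jwt-dotnet's RS256Algorithm(RSA publicKey)
// constructor, and "https://id.twitch.tv/oauth2" as the provider's 'iss' value.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text.Json;
using JWT.Algorithms;
using JWT.Builder;

public static class JwkVerifier
{
    // JWTs and JWKs use base64url without padding; Convert.FromBase64String wants standard base64.
    static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Convert.FromBase64String(b64);
    }

    // Build an RSA public key from one JWK entry. This is the step node-jwks-rsa does when it
    // converts keys[i].n and keys[i].e into a PEM; .NET imports the parameters directly.
    public static RSA RsaFromJwk(JsonElement jwk)
    {
        if (jwk.GetProperty("kty").GetString() != "RSA")
            throw new ArgumentException("only RSA JWKs are handled here");
        var rsa = RSA.Create();
        rsa.ImportParameters(new RSAParameters
        {
            Modulus = Base64UrlDecode(jwk.GetProperty("n").GetString()),
            Exponent = Base64UrlDecode(jwk.GetProperty("e").GetString()),
        });
        return rsa;
    }

    // Pick the key named by the token's 'kid' header, verify signature and lifetime with
    // jwt-dotnet, then check the claims jwt-dotnet does not check for you.
    public static string Verify(string jwksJson, string idToken, string clientId)
    {
        string[] parts = idToken.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWS");

        // The header is unverified input: read 'kid' and 'alg' only to select a key, and
        // insist on RS256 so a forged header cannot downgrade the algorithm.
        using JsonDocument header = JsonDocument.Parse(Base64UrlDecode(parts[0]));
        if (header.RootElement.GetProperty("alg").GetString() != "RS256")
            throw new InvalidOperationException("unexpected alg");
        string kid = header.RootElement.GetProperty("kid").GetString();

        using JsonDocument jwks = JsonDocument.Parse(jwksJson);
        JsonElement jwk = jwks.RootElement.GetProperty("keys").EnumerateArray()
            .FirstOrDefault(k => k.TryGetProperty("kid", out var id) && id.GetString() == kid);
        if (jwk.ValueKind == JsonValueKind.Undefined)
            throw new InvalidOperationException($"no key with kid '{kid}' in the JWK Set");

        using RSA publicKey = RsaFromJwk(jwk);
        string payload = JwtBuilder.Create()
            .WithAlgorithm(new RS256Algorithm(publicKey))  // public key only: verify, never sign
            .MustVerifySignature()                          // also enforces 'exp'
            .Decode(idToken);

        // jwt-dotnet verifies signature and lifetime; issuer and audience are on you.
        using JsonDocument claims = JsonDocument.Parse(payload);
        JsonElement root = claims.RootElement;
        if (root.GetProperty("iss").GetString() != "https://id.twitch.tv/oauth2")  // assumed issuer
            throw new InvalidOperationException("wrong issuer");
        JsonElement aud = root.GetProperty("aud");
        bool audOk = aud.ValueKind == JsonValueKind.Array
            ? aud.EnumerateArray().Any(a => a.GetString() == clientId)
            : aud.GetString() == clientId;
        if (!audOk) throw new InvalidOperationException("token not issued for this client");
        return payload;
    }
}
```

The returned payload still carries the `nonce` claim; compare it with the nonce stored for the login request before trusting the token, exactly as you would with any other library.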

I was able to do some research and get ID token verification.

I guess this is a follow-up question.
How often are the following KEYS updated?

That information is not documented.

To my knowledge the key hasn’t been changed ever.

So you can either recache the keys periodically or whenever someone tries to log in.
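As an added example (not from the thread), a JWK Set cache that implements both halves of that advice: it refreshes the key set periodically, and also on demand when a token names a `kid` the cache has never seen (which is what a key rotation looks like from the relying party's side), but it rate-limits on-demand refreshes so a flood of tokens with bogus kids cannot turn every login attempt into a request to the provider's keys endpoint. The fetch function is injected; in production it would be `() => http.GetStringAsync("https://id.twitch.tv/oauth2/keys")`. The maxAge and minRefreshInterval values are assumptions to tune.

```csharp
// Added example, not from the original post: a refresh-on-unknown-kid JWKS cache built on
// Microsoft.IdentityModel.Tokens. Assumed: the caller supplies fetchJwks (an HTTP GET of the
// provider's JWK Set) and chooses maxAge (e.g. 24 hours) and minRefreshInterval (e.g. 5 minutes).
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;

public sealed class JwksCache
{
    private readonly Func<Task<string>> _fetchJwks;
    private readonly TimeSpan _maxAge;              // periodic refresh
    private readonly TimeSpan _minRefreshInterval;  // floor between forced refreshes
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private Dictionary<string, JsonWebKey> _keys = new Dictionary<string, JsonWebKey>();
    private DateTimeOffset _lastRefresh = DateTimeOffset.MinValue;

    public JwksCache(Func<Task<string>> fetchJwks, TimeSpan maxAge, TimeSpan minRefreshInterval)
    {
        _fetchJwks = fetchJwks;
        _maxAge = maxAge;
        _minRefreshInterval = minRefreshInterval;
    }

    // Returns the signing key for the kid from a token header, refreshing the set when it is
    // stale or the kid is unknown. Throws if the kid is still absent after a refresh.
    public async Task<SecurityKey> GetSigningKeyAsync(string kid)
    {
        if (string.IsNullOrEmpty(kid))
            throw new SecurityTokenSignatureKeyNotFoundException("token header has no kid");

        DateTimeOffset now = DateTimeOffset.UtcNow;
        if (now - _lastRefresh < _maxAge && _keys.TryGetValue(kid, out JsonWebKey cached))
            return cached;                                   // fast path, no lock

        await _gate.WaitAsync();
        try
        {
            // Re-check under the lock: another request may have refreshed meanwhile.
            if (now - _lastRefresh < _maxAge && _keys.TryGetValue(kid, out cached))
                return cached;

            // Unknown or stale: only hit the provider if we have not done so very recently,
            // so unknown kids from an attacker cannot drive unbounded refresh traffic.
            if (now - _lastRefresh >= _minRefreshInterval)
            {
                var jwks = new JsonWebKeySet(await _fetchJwks());
                var fresh = new Dictionary<string, JsonWebKey>();
                foreach (JsonWebKey k in jwks.Keys)
                    if (!string.IsNullOrEmpty(k.Kid)) fresh[k.Kid] = k;
                _keys = fresh;                               // swap the whole set; retired keys drop out
                _lastRefresh = DateTimeOffset.UtcNow;
            }
        }
        finally
        {
            _gate.Release();
        }

        if (_keys.TryGetValue(kid, out JsonWebKey key))
            return key;
        throw new SecurityTokenSignatureKeyNotFoundException(
            $"no key with kid '{kid}' in the provider's JWK Set");
    }
}
```

To use it with JwtSecurityTokenHandler, read the header first (`new JwtSecurityTokenHandler().ReadJwtToken(idToken).Header.Kid`), await `GetSigningKeyAsync`, and pass the result as `IssuerSigningKey` in the TokenValidationParameters; a token whose kid is still unknown after a refresh is rejected rather than validated against a stale set.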

Thank you.
My current questions have been answered.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.