OIDC’s ID Token Verification

Hello,

We are planning to use OIDC for verification, so I read the document below,

“OIDC authorization code flow”

and I came up with two questions. Could anyone give me some advice?

Question 1: Is my understanding correct?

Our server receives the GET request via the client’s redirect,
then starts validating the ID token.

  1. If the ID token validation succeeded,
    • the server responds with the access_token through the URL the client was redirected to.
    • the client launches the application with the access_token.
  2. If the ID token validation failed,
    • the server responds with the result that it failed to validate the ID token through the URL the client was redirected to.
    • the client stops launching the application.

Question 2: ID token verification is not done on the client throughout the whole transaction?

  1. No. With Twitch OIDC, both an OIDC token and an access token are returned at the same time.

Most OIDC applications only utilise the OIDC token; the access token is an “extra” thing Twitch has.

If you OIDC with extra scopes other than the OIDC scope, the scopes are applied to the access token for calling the “regular” Twitch API with, rather than just the OIDC token on the OIDC endpoints.

Depending on which OIDC flow you use, what happens and what you do will differ.

If you use “regular” OIDC auth:

  • the user is sent to Twitch
  • they accept (or decline) the link
  • they get redirected to your site
  • you get a ?code query parameter to exchange for an OIDC token (+ access token).

  2. I don’t understand what you mean with this question.

As per this example twitch_misc/authentication/oidc_authentication at main · BarryCarlyon/twitch_misc · GitHub

OIDC validation involves grabbing data from the configuration (https://id.twitch.tv/oauth2/.well-known/openid-configuration) and the keys from the https://id.twitch.tv/oauth2/keys URL (the keys URL is defined in the configuration).

Sure, you could do this validation client side, but then the client could spoof this validation. Granted, that would be unlikely to have the right data in the token in the first place :smiley:

However, to truly validate, you’d grab the access token and call the userinfo endpoint with it anyway (Getting Tokens: OIDC | Twitch Developers) if using “regular” OIDC.

By “regular” I mean Getting Tokens: OIDC | Twitch Developers,
as opposed to implicit: Getting Tokens: OIDC | Twitch Developers.