I thought it was something simple, but I’m having a hard time understanding what I should do.
So I’m working on a website/service where users can only register via Twitch: it is important that their Twitch username is the same in my database. So I dug into the OIDC flow. So far so good:
I have a “register with Twitch” button,
I click, I’m redirected to Twitch, which asks me to log in and/or grant permission if I’m not authenticated,
then when I approve, I’m redirected to the redirect URI I gave,
but the info is in the hash (#).
What if I retrieve said data in JS but send the data in a hidden form? Does it break some kind of rule?
Also, when I decode the id_token, it is actually several JSONs concatenated together, and I don’t see why in the documentation.
Because OIDC returns a JWT, and a JWT is exactly that: three sections separated by a `.`, where each section is base64-decodable.
4) We respond with a JSON-encoded access token and an ID token. The payload of the JWT that is returned includes several default claims about the OIDC ID token, plus any additional claims you requested:
iss – Token issuer (Twitch)
sub – Subject or end-user identifier
aud – Audience or OAuth 2.0 client that is the intended recipient of the token
exp – Expiration time (note that when the JWT ID tokens expire, they cannot be refreshed)
iat – Issuance time
nonce – Value optionally specified in the request
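As an added example (not part of the reply above, nor Twitch’s code), here is the decoding the answer describes, applied to an ID token taken out of the redirect-URI fragment: split the token on `.`, base64url-decode the header and payload, and then check the claims the Twitch docs list (iss, sub, aud, exp, iat, nonce). The issuer URL, client ID, nonce and the token itself are constructed placeholders. Note that decoding is not verification: the sample carries a fake signature, and a real ID token must have its signature checked against the issuer’s JWKS before any claim in it is trusted.

```javascript
// Added example: decode an OIDC ID token from the redirect fragment and
// check its claims.  Everything below is constructed sample data; the
// token's signature is fake and is NOT verified here.

const assumedIssuer = 'https://id.twitch.tv/oauth2'; // assumed issuer value
const assumedClientId = 'my-client-id';               // placeholder client ID
const assumedNonce = 'n-0S6_WzA2Mj';                  // placeholder nonce we sent

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(str) {
  // Restore the standard base64 alphabet and padding before decoding.
  let s = str.replace(/-/g, '+').replace(/_/g, '/');
  while (s.length % 4 !== 0) s += '=';
  return Buffer.from(s, 'base64').toString('utf8');
}

// A JWT is header.payload.signature; header and payload are base64url JSON.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2], // left as-is: verify it against the JWKS in real code
  };
}

// Parse the "#key=value&..." fragment of the redirect URI (implicit flow).
function parseFragment(redirectUrl) {
  const hash = new URL(redirectUrl).hash.replace(/^#/, '');
  return Object.fromEntries(new URLSearchParams(hash));
}

// Check the default claims listed in the docs.  `now` is seconds since epoch.
function checkIdTokenClaims(payload, expected, now) {
  const errors = [];
  if (payload.iss !== expected.issuer) errors.push('iss mismatch');
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expected.clientId)) errors.push('aud does not include client');
  if (typeof payload.exp !== 'number' || payload.exp <= now) errors.push('token expired');
  if (typeof payload.iat !== 'number' || payload.iat > now + 60) errors.push('iat in the future');
  if (expected.nonce !== undefined && payload.nonce !== expected.nonce) errors.push('nonce mismatch');
  if (typeof payload.sub !== 'string' || payload.sub === '') errors.push('missing sub');
  return { ok: errors.length === 0, errors };
}

// --- constructed sample token and redirect URL ---
const sampleNow = 1700000000;
const samplePayload = {
  iss: assumedIssuer, sub: '12345678', aud: assumedClientId,
  exp: sampleNow + 900, iat: sampleNow, nonce: assumedNonce,
  preferred_username: 'example_user', // an additional claim, present only if requested
};
const sampleIdToken = [
  base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify(samplePayload)),
  'FAKE_SIGNATURE_not_verified',
].join('.');
const sampleRedirect = 'https://example.com/callback#access_token=abc&id_token=' +
  sampleIdToken + '&state=xyz&token_type=bearer&scope=openid';

function demo() {
  const params = parseFragment(sampleRedirect);
  const { payload } = decodeJwt(params.id_token);
  const expected = { issuer: assumedIssuer, clientId: assumedClientId, nonce: assumedNonce };
  const good = checkIdTokenClaims(payload, expected, sampleNow);
  // The same token presented an hour later, against a different nonce: both checks fail.
  const bad = checkIdTokenClaims(payload, { ...expected, nonce: 'other' }, sampleNow + 3600);
  return { params, payload, good, bad };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `nonce` check is what ties the ID token to the specific authentication request the browser started, which is why it is checked against the value the client generated and not just for presence.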
So I’m making progress and managed to retrieve claims using said flow (still encrypted). I’d like to do it the proper way, and I’m concerned with security and authenticity.
I understood the purpose of the “state” parameter.
In your example, you don’t seem to use nonce. Is it “optional”? I can’t see exactly how its usage is different from state (which seems to be: generating a random TOKEN-A and checking at some point in the process that the returned value equals TOKEN-A).
I’m also curious why we use a POST request on a URI that contains query parameters.