2
votes

I am using IdentityServer v3 to authenticate my users in an AngularJS-based web application. Therefore I request an id_token from the authorize endpoint, which returns what I want (id_token and access_token...). The OpenID specification states that the id_token must be validated by the client. How can I achieve this in JavaScript? I could find some implementations in .NET or Java, but couldn't find any in JavaScript.

Could someone point me to a library that does the job in JavaScript?

The best would be a method that takes the token as a parameter and validates it, something like:

 mylib.validate(id_token);

Some servers offer an endpoint to validate it, but I really would like to validate it on the client.

1
I just found this library from Thinktecture and think it does what I want. But I wonder if it's OK to use it even if we use another OpenID Connect server: raw.githubusercontent.com/IdentityServer/… - Cedric Dumont
Does this help? I found it on the OpenID Connect website under the list of libraries. - pepo

1 Answer

0
votes

Here is what I did:

We need to use JSWS.

Download the libraries from here: JSJWS. I've downloaded version 3.0.2.

In your index.html, you must reference the jws-3.0.js and json-sans-eval.js files that you downloaded above (json-sans-eval is located in the [jsjws-3.0.2\ext] directory; more info on it can be found here: json-sans-eval site).

If you run the code, you will get the following exception: b64utohex is not defined

You need to reference another library. In fact, I found that the related project jsrsasign has the required libraries. You can download a release here: https://github.com/kjur/jsrsasign/tags/ I downloaded version 4.7.0, took out the jsrsasign-4.7.0-all-min.js file and added it to the referenced scripts.

Now you have all the necessary files to get it done using the following code:

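function validateToken(id_token, cert) {
    // KJUR.jws.JWS is provided by jws-3.0.js (jsjws)
    var jws = new KJUR.jws.JWS();
    var result = 0;
    // Verify the token's signature against the PEM-encoded X.509 certificate
    result = jws.verifyJWSByPemX509Cert(id_token, cert);
    if (result) {
        // Signature is valid: parse the payload JSON into a claims object
        result = JSON.parse(jws.parsedJWS.payloadS);
    } else {
        result = 'unable to verify token';
    }
    return result;
}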

The long story of this can be found here.
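
The validateToken function above checks the signature only; the ID token validation rules in OpenID Connect Core also cover the claims. As an added example (not part of the original answer, nor code from jsjws or jsrsasign), the function below applies those claim checks to the payload object that validateToken returns, assuming the implicit flow with a nonce. validateIdTokenClaims, the fields of `expected` and the sample values are hypothetical.

```javascript
// Added example: claim checks for an ID token whose signature is already verified.
// validateIdTokenClaims and the fields of `expected` are hypothetical names.
function validateIdTokenClaims(claims, expected, nowSeconds) {
    var now = (nowSeconds !== undefined) ? nowSeconds : Math.floor(Date.now() / 1000);
    var skew = expected.clockSkewSeconds || 0;
    var errors = [];

    // iss must exactly match the issuer this client is configured to trust.
    if (claims.iss !== expected.issuer) { errors.push('iss mismatch'); }

    // aud is a string or an array of strings and must contain our client_id.
    var aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
    if (aud.indexOf(expected.clientId) === -1) { errors.push('aud does not contain client_id'); }

    // Several audiences: azp should be present. If present, it must be our client_id.
    if (aud.length > 1 && claims.azp === undefined) { errors.push('azp missing'); }
    if (claims.azp !== undefined && claims.azp !== expected.clientId) { errors.push('azp mismatch'); }

    // exp must be a number and the current time must be before it.
    if (typeof claims.exp !== 'number' || now >= claims.exp + skew) { errors.push('exp missing or expired'); }

    // iat must be a number and must not lie in the future.
    if (typeof claims.iat !== 'number' || claims.iat > now + skew) { errors.push('iat invalid'); }

    // nonce must equal the value this client sent in the authorization request.
    if (typeof claims.nonce !== 'string' || claims.nonce !== expected.nonce) { errors.push('nonce mismatch'); }

    return { valid: errors.length === 0, errors: errors };
}

// Constructed sample values, not taken from a real server.
var SAMPLE_NOW = 1700000000;
var sampleExpected = {
    issuer: 'https://idp.example.test',
    clientId: 'spa-client',
    nonce: 'n-constructed-123',
    clockSkewSeconds: 60
};
var sampleClaims = {
    iss: 'https://idp.example.test', aud: 'spa-client', sub: 'user-1',
    exp: SAMPLE_NOW + 300, iat: SAMPLE_NOW - 5, nonce: 'n-constructed-123'
};
```

Call it only on a payload whose signature check succeeded, and store the nonce per authorization request so the value compared here is the one this browser session actually sent.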