openid-connect
Verify a signature in JWT.IO
jwt.io says to enter the key as Public Key or Certificate. Enter it in plain text only if you want to verify a token, so I have converted the JSON Web Key to PEM format, guessing it would need a base64 format, and it works! This is the public key built from modulus and exponent …
Clarification on id_token vs access_token
I like this Medium post about the difference, all cred to this author. https://medium.com/@nilasini/id-token-vs-access-token-17e7dd622084 If you are using Azure AD B2C like I am, you can read more here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect ID Token You will get an ID token if you are using the openid scope. The ID token is specific to the openid scope. With the openid scope you …
Login to Keycloak using API
You are effectively asking your users to trust that Application1 will manage their keycloak credentials securely. This is not recommended because better security is achieved if the user is redirected to keycloak to enter their credentials. In an ideal world no client application should be handling or have access to user credentials. It defeats the …
IdentityServer Flows
I faced the same issue; currently the work is still in progress. When I finish the documentation, I might post it here. For the time being, please check the draft: Enrich IdentityServer Documentation with OIDC and OAuth2 Flows section #73 Update: OIDC and OAuth2 Flows
How to specify refresh tokens lifespan in Keycloak
As pointed out in the comments by @Kuba Šimonovský the accepted answer is missing other important factors: Actually, it is much much much more complicated. TL;DR One can infer that the refresh token lifespan will be equal to the smallest value among (SSO Session Idle, Client Session Idle, SSO Session Max, and Client Session Max). …
Verifying JWT signed with the RS256 algorithm using public key in C#
Thanks to jwilleke, I have got a solution. To verify the RS256 signature of a JWT, you need to use the RSAPKCS1SignatureDeformatter class and its VerifySignature method. Here is the exact code for my sample data: string tokenStr = "eyJraWQiOiIxZTlnZGs3IiwiYWxnIjoiUlMyNTYifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAsCiAiY19oYXNoIjogIkxEa3RLZG9RYWszUGswY25YeENsdEEiCn0.XW6uhdrkBgcGx6zVIrCiROpWURs-4goO1sKA4m9jhJIImiGg5muPUcNegx6sSv43c5DSn37sxCRrDZZm4ZPBKKgtYASMcE20SDgvYJdJS0cyuFw7Ijp_7WnIjcrl6B5cmoM6ylCvsLMwkoQAxVublMwH10oAxjzD6NEFsu9nipkszWhsPePf_rM4eMpkmCbTzume-fzZIi5VjdWGGEmzTg32h3jiex-r5WTHbj-u5HL7u_KP3rmbdYNzlzd1xWRYTUs4E8nOTgzAUwvwXkIQhOh5TPcSMBYy6X3E7-_gr9Ue6n4ND7hTFhtjYs3cjNKIA08qm5cpVYFMFMG6PkhzLQ"; string[] tokenParts = tokenStr.Split('.'); RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(); rsa.ImportParameters( new RSAParameters() { Modulus …
What is intent of ID Token expiry time in OpenID Connect?
I'm answering my own question, as I have discovered that some of the assumptions behind my question were wrong, so it is easier to clarify here rather than re-write the question. An ID token is meant for proving to a Client that the user has authenticated, and who they are as a result. When a Client receives an …
.NET Core Identity Server 4 Authentication VS Identity Authentication
TL;DR IdentityServer = token encryption and validation services via OAuth 2.0/OpenID Connect. ASP.NET Identity = current Identity Management strategy in ASP.NET. How can I authenticate similar to the way done in previous versions of .NET? Does the old way still work or is there a newer version? I see no reason why you couldn't achieve the …
Difference between OAuth 2.0 “state” and OpenID “nonce” parameter? Why state could not be reused?
State and nonce seem to be similar. But if you dig deep, you will find that they serve different purposes. State is there to protect the end user from cross-site request forgery (CSRF) attacks. It was introduced in the OAuth 2.0 protocol, RFC 6749. The protocol states that, once authorization has been obtained from the end-user, the authorization …