Validating Standard ID Token Claims
Learn the mandatory validation steps for the iss, aud, exp, iat, and nonce claims of an OpenID Connect ID token.
Signature Is Not Enough
Verifying an ID token's signature proves it came from the provider, but you must also validate its claims to ensure it was meant for you, right now, and is still valid. A valid signature on a token meant for another app is still dangerous.
Validate iss (Issuer)
The iss claim must exactly equal the issuer identifier of your trusted provider, as published in its discovery document. Reject anything else.
if (claims.iss !== 'https://op.example.com') reject();
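An added example, not the lesson's own code, that carries the same exact-match rule through the other claims the lesson lists (aud, exp, iat, nonce) so the checks can be run as one unit after signature verification. The function name `validateIdTokenClaims`, its `expected` parameter, the skew and max-age defaults and the sample payload are assumptions constructed for the example.

```javascript
// Claim checks that must follow signature verification.
// `claims` is the already signature-verified JWT payload (plain object).
// `expected` carries what this relying party knows about the request it made.
function validateIdTokenClaims(claims, expected, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { issuer, clientId, nonce, maxAgeSeconds = 300, clockSkewSeconds = 60 } = expected;
  const errors = [];

  // iss: exact string comparison against the issuer from the discovery document.
  if (claims.iss !== issuer) errors.push('iss mismatch');

  // aud: may be a string or an array; our client_id must be one of the audiences.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) errors.push('aud does not contain client_id');
  // With more than one audience, azp must be present and equal our client_id
  // (OpenID Connect Core 1.0, section 3.1.3.7).
  if (aud.length > 1 && claims.azp !== clientId) errors.push('azp missing or mismatched');

  // exp: reject once the current time passes exp (small skew tolerated).
  if (typeof claims.exp !== 'number' || nowSeconds >= claims.exp + clockSkewSeconds) {
    errors.push('token expired');
  }

  // iat: must be present, not in the future, and not older than we accept.
  if (typeof claims.iat !== 'number') errors.push('iat missing');
  else if (claims.iat > nowSeconds + clockSkewSeconds) errors.push('iat in the future');
  else if (nowSeconds - claims.iat > maxAgeSeconds) errors.push('token issued too long ago');

  // nonce: must equal the value we generated and sent in the authentication request.
  if (nonce !== undefined && claims.nonce !== nonce) errors.push('nonce mismatch');

  return { valid: errors.length === 0, errors };
}

// Constructed sample payload and expectations (not from a real provider).
const sampleClaims = {
  iss: 'https://op.example.com', sub: 'user-123', aud: 'my-client',
  exp: 1700000600, iat: 1700000000, nonce: 'n-0S6_WzA2Mj',
};
const sampleExpected = { issuer: 'https://op.example.com', clientId: 'my-client', nonce: 'n-0S6_WzA2Mj' };
```

Running it with a fixed `nowSeconds` (for example 1700000100) makes the time checks deterministic; pass a token with `aud: 'other-app'` to see the "meant for another app" case rejected.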