
ID Token Validation

The client must validate the ID Token before using it. This validation ensures the authenticity and integrity of the token.

Required Validations

1. Audience (aud) Validation

The client must validate that the aud Claim contains their own client_id.

javascript
const jwt = require('jsonwebtoken');
// Decode without verifying to read the claims; the signature is checked in step 4.
const claims = jwt.decode(idToken);
// aud may be a string or an array of strings (RFC 7519), so check membership, not equality.
const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
if (!audiences.includes(yourClientId)) {
  throw new Error('Token was not issued for this client');
}

2. Issuer (iss) Validation

The client must ensure that the iss Claim equals fanbase.

javascript
if (claims.iss !== 'fanbase') {
  throw new Error('Token was not issued by the system');
}

3. Expiration (exp) Validation

The token must be within its validity period: it must not be accepted after the time given in the exp Claim (seconds since the Unix epoch).

javascript
// exp is a NumericDate in seconds, so compare against seconds, not milliseconds.
const now = Math.floor(Date.now() / 1000);
// A token with no exp at all is treated as expired rather than as valid forever.
if (typeof claims.exp !== 'number' || claims.exp < now) {
  throw new Error('Token expired');
}

4. Signature Validation

The signature must be checked using the client_secret. This is the most important validation, as it ensures the token has not been altered. Because the token is signed with HS256, the client_secret is the HMAC key: anyone who holds it can produce tokens that pass this check, so it must stay server-side and never be embedded in browser or mobile code.

javascript
const jwt = require('jsonwebtoken');

try {
  const decoded = jwt.verify(idToken, clientSecret, {
    issuer: 'fanbase',
    audience: clientId,
    // Pin the algorithm so the token's own alg header cannot select a different check.
    algorithms: ['HS256']
  });
  console.log('Valid token:', decoded);
} catch (error) {
  console.error('Invalid token:', error.message);
}

5. Nonce Validation (if applicable)

If you included the nonce parameter in the authentication request, you must verify that the nonce Claim value in the ID Token equals the sent value.

javascript
if (sentNonce && claims.nonce !== sentNonce) {
  throw new Error('Nonce does not match');
}

Complete Validation Example

javascript
const jwt = require('jsonwebtoken');

function validateIdToken(idToken, clientId, clientSecret, expectedNonce) {
  try {
    const decoded = jwt.verify(idToken, clientSecret, {
      issuer: 'fanbase',
      audience: clientId,
      algorithms: ['HS256']
    });

    if (expectedNonce && decoded.nonce !== expectedNonce) {
      throw new Error('Nonce does not match');
    }

    return decoded;
  } catch (error) {
    if (error.name === 'TokenExpiredError') {
      throw new Error('Token expired');
    } else if (error.name === 'JsonWebTokenError') {
      throw new Error('Invalid token');
    } else {
      throw error;
    }
  }
}

Recommended JWT Libraries

  • Node.js: jsonwebtoken or jose
  • Python: PyJWT
  • PHP: firebase/php-jwt
  • Java: java-jwt or jjwt

Next Steps

After validating the ID Token, you can:

Fanbase API Documentation