# Verify Token

‌JWT Token is the only credential after the user logs in. There are five methods to verify the legitimacy of the Token and the user’s login status:‌

  1. ​[Local verification HS256 algorithm signature IdToken](#Use application key verification-token)​
  2. ​[Local verification of the IdToken signed by the RS256 algorithm](#Using the application public key verification-rs256-algorithm-signed-idtoken)
  3. ​[Online Verification OIDC AccessToken](# Online Verification-oidc-accesstoken)
  4. ​[Online Verification OIDC IdToken](# Online Verification-oidc-idtoken)
  5. ​Online Verification OAuth2 AccessToken

Please select the method to verify the token based on the following information:

  1. If you directly call the login method (loginByEmail, loginByPhone, loginByUsername) or use OIDC authorization or want to verify the token field in the user information, please first look for the signature algorithm configuration of your application during authentication. If it is HS256, select The first way to verify, if it is RS256, choose the second way to verify;
  2. If you use the OIDC protocol to access other SaaS, and the SaaS wants to verify the token through the API, please use the third method;
  3. If you use the OIDC protocol and do not want to study how to verify the IdToken locally, please use the fourth method;
  4. If you use the OAuth 2.0 protocol, please use the fifth method;

# Use application key to verify Token

If you directly call the login method (loginByEmail, loginByPhone, loginByUsername) or use OIDC authorization, and the IdToken signature algorithm type is set to HS256, please use this method to verify Token. ‌

The key can be obtained in the application details in the console, as shown in the following figure:

The following verification code takes Node as an example (you need to install jsonwebtoken).

const jwt = require('jsonwebtoken');
try {
  let decoded = jwt.verify('JSON Web Token from client', 'your_secret'),
    expired = Date.parse(new Date()) / 1000 > decoded.exp;
  if (expired) {
    // expired
  } else {
    // Legal and not expired, normal release
  }
} catch (error) {
  // illegal
}

To avoid exposing the application key on the client, it is recommended to verify the validity of id_token through the application key on the server. ‌

If you don't know how to handle the callback of OIDC authorized login on the backend, please refer to the sample code on Github: oidc-demo (opens new window). ‌

# Use the application public key to verify the IdToken signed by the RS256 algorithm

If you use the RS256 signature algorithm, you need to use the public key to verify the signature. Authing will use the application's private key to sign. Please use the public key in https://<application domain name>.authing.cn/oidc/.well-known/jwks.json to verify the signature. Both access_token and id_token issued by Authing can be verified with the above public key.

If you use javascript, you can use the jose library to verify the RS256 signature:

const jose = require('jose');
// The following parameter content is to copy the content returned from https://<application domain name>.authing.cn/oidc/.well-known/jwks.json intact
const keystore = jose.JWKS.asKeyStore({
  keys: [
    {
      e: 'AQAB',
      n:
        'o8iCY52uBPOCnBSRCr3YtlZ0UTuQQ4NCeVMzV7JBtH-7Vuv0hwGJTb_hG-BeYOPz8i6YG_o367smV2r2mnXbC1cz_tBfHD4hA5vnJ1eCpKRWX-l6fYuS0UMti-Bmg0Su2IZxXF9T1Cu-AOlpgXFC1LlPABL4E0haHO8OwQ6QyEfiUIs0byAdf5zeEHFHseVHLjsM2pzWOvh5e_xt9NOJY4vB6iLtD5EIak04i1ND_O0Lz0OYbuV0KjluxaxoiexJ8kGo9W1SNza_2TqUAR6hsPkeOwwh-oHnNwZg8OEnwXFmNg-bW4KiBrQEG4yUVdFGENW6vAQaRa2bJX7obn4xCw',
      kty: 'RSA',
      alg: 'RS256',
      use: 'sig',
      kid: 'TfLOt3Lbn8_a8pRMuessamqj-o3DBCs1-owHLQ-VMqQ',
    },
  ],
});
// The content of issuer in the option is https://<application domain name>.authing.cn/oidc, and the content of audience is the application ID
// id_token is very long, please swipe right ->
const res = jose.JWT.IdToken.verify(
  'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlRmTE90M0xibjhfYThwUk11ZXNzYW1xai1vM0RCQ3MxLW93SExRLVZNcVEifQ.eyJzdWIiOiI1ZjcxOTk0NjUyNGVlMTA5OTIyOTQ5NmIiLCJiaXJ0aGRhdGUiOm51bGwsImZhbWlseV9uYW1lIjpudWxsLCJnZW5kZXIiOiJVIiwiZ2l2ZW5fbmFtZSI6bnVsbCwibG9jYWxlIjpudWxsLCJtaWRkbGVfbmFtZSI6bnVsbCwibmFtZSI6bnVsbCwibmlja25hbWUiOm51bGwsInBpY3R1cmUiOiJodHRwczovL2ZpbGVzLmF1dGhpbmcuY28vdXNlci1jb250ZW50cy9waG90b3MvOWE5ZGM0ZDctZTc1Ni00NWIxLTgxZDgtMDk1YTI4ZTQ3NmM2LmpwZyIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QxIiwicHJvZmlsZSI6bnVsbCwidXBkYXRlZF9hdCI6IjIwMjAtMDktMzBUMDc6MTI6MTkuNDAxWiIsIndlYnNpdGUiOm51bGwsInpvbmVpbmZvIjpudWxsLCJlbWFpbCI6InRlc3QxQDEyMy5jb20iLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInBob25lX251bWJlciI6bnVsbCwicGhvbmVfbnVtYmVyX3ZlcmlmaWVkIjpmYWxzZSwibm9uY2UiOiJFNjViMVFvVVl0IiwiYXRfaGFzaCI6IkIzSWdPWUREYTBQejh2MV85cVpyQXciLCJhdWQiOiI1ZjE3YTUyOWY2NGZiMDA5Yjc5NGEyZmYiLCJleHAiOjE2MDE0NTM1NTgsImlhdCI6MTYwMTQ0OTk1OSwiaXNzIjoiaHR0cHM6Ly9vaWRjMS5hdXRoaW5nLmNuL29pZGMifQ.Z0TweYr9bCdYNJREVdvbJYcjXSfSsSNHBMqxTJeW-bnza0IIpBpEEVxlDG0Res6FZbcVzsQZzfJ9pj_nFgLjZxUUxv7Tpd13Sq_Ykg2JKepPf3-uoFqbORym07QEj4Uln0Quuh094MTb7z6bZZBEOYBac46zuj4uVp4vqk5HtCUSB4ASOAxwi7CeB1tKghISHz6PDcf6XJe_btHdzX1dparxtML-KvPxjpcHlt5emN88lpTAOX7Iq0EhsVE3PKrIDfCkG8XlL5y9TIW2Dz2iekcZ5PV17M35G6Dg2Q07Y_Apr18_oowOiQM5m_EbI90ist8CiqO9kBKreCOLMzub4Q',
  keystore,
  {
    issuer: 'https://oidc1.authing.cn/oidc',
    audience: '5f17a529f64fb009b794a2ff',
  }
);
console.log(res);

Output result:

{
  sub: '5f719946524ee1099229496b',
  birthdate: null,
  family_name: null,
  gender: 'U',
  given_name: null,
  locale: null,
  middle_name: null,
  name: null,
  nickname: null,
  picture: 'https://files.authing.co/user-contents/photos/9a9dc4d7-e756-45b1-81d8-095a28e476c6.jpg',
  preferred_username: 'test1',
  profile: null,
  updated_at: '2020-09-30T07:12:19.401Z',
  website: null,
  zoneinfo: null,
  email: 'test1@123.com',
  email_verified: false,
  phone_number: null,
  phone_number_verified: false,
  nonce: 'E65b1QoUYt',
  at_hash: 'B3IgOYDDa0Pz8v1_9qZrAw',
  aud: '5f17a529f64fb009b794a2ff',
  exp: 1601453558,
  iat: 1601449959,
  iss: 'https://oidc1.authing.cn/oidc'
}

# Online verification OIDC AccessToken

POST
https://{YOUR_APP_DOMAIN}.authing.cn/oidc/token/introspection

Check token status

Only access_token and refresh_token can be checked status, id_token cannot be checked.

Headers
Content-Type
REQUIRED
string

application/x-www-form-urlencoded

Authorization
OPTIONAL
string

It is required when configuring the verification token authentication method in the console as client_secret_basic, in the form of Basic base64 (application ID +':' + application Secret)

Form Data Parameters
token
REQUIRED
string

Token value to be checked.

token_type_hint
OPTIONAL
string

The token type to be checked, the optional values are access_token, refresh_token

client_id
OPTIONAL
string

Application ID, which is required when the authentication method of the verification token in the console configuration is client_secret_post and none

client_secret
OPTIONAL
string

Apply Secret, it is required when the authentication method of verification token is client_secret_post in the console configuration

200: OK

When the token is valid, the following format content is returned

{
  "active": true,
  "sub": "5f623f30d85f84c58f141777",
  "client_id": "5d01e389985f81c6c1dd31de",
  "exp": 1600634105,
  "iat": 1600274405,
  "iss": "https://oidc1.authing.cn",
  "jti": "hoV44FPNR-_EfxTP7s7vw",
  "scope": "openid profile email phone offline_access",
  "token_type": "Bearer"
}

When the token is invalid (expired, error, withdrawn), the following format content is returned

{
  "active": false
}

# Online verification OIDC IdToken

GET
https://{YOUR_APP_DOMAIN}.authing.cn/api/v2/oidc/validate_token

Verify the validity of access_token / id_token online

Authing provides an interface to directly verify the validity of access_token or id_token online.

Path Paramter
access_token
OPTIONAL
string

The value is access_token

id_token
OPTIONAL
string

The value is id_token

200: OK

When verifying access_token or id_token, the following results will be returned

// When access_token or id_token is legal, return the decoded content of access_token / id_token

// Return result after access_token check:
{
    "jti": "K5TYewNhvdGBdHiRifMyW",
    "sub": "5f64afd1ad501364e3b43c1e",
    "iat": 1601456894,
    "exp": 1601460494,
    "scope": "openid profile email phone",
    "iss": "https://oidc1.authing.cn/oidc",
    "aud": "5f17a529f64fb009b794a2ff"
}

// The returned result after id_token verification:
{
    "sub": "5f64afd1ad501364e3b43c1e",
    "birthdate": null,
    "family_name": null,
    "gender": "U",
    "given_name": null,
    "locale": null,
    "middle_name": null,
    "name": null,
    "nickname": null,
    "picture": "https://usercontents.authing.cn/authing-avatar.png",
    "preferred_username": "test1",
    "profile": null,
    "updated_at": "2020-09-27T06:06:29.853Z",
    "website": null,
    "zoneinfo": null,
    "email": "test1@123.com",
    "email_verified": false,
    "phone_number": null,
    "phone_number_verified": false,
    "nonce": "CQsguqUdl7",
    "at_hash": "10iOtwuTNtyQLzlNYXAHeg",
    "aud": "5f17a529f64fb009b794a2ff",
    "exp": 1601460494,
    "iat": 1601456894,
    "iss": "https://oidc1.authing.cn/oidc",
}

// When access_token or id_token is illegal, the following error message will be returned
{
  code: 400,
  message: 'id_token 不合法',
}

{
  code: 400,
  message: 'access_token 不合法',
}

# Online verification OAuth2 AccessToken

POST
https://{YOUR_APP_DOMAIN}.authing.cn/oauth/token/introspection

Check token status

You can check the status of access_token.

Headers
Content-Type
REQUIRED
string

application/x-www-form-urlencoded

Authorization
OPTIONAL
string

In the console application configuration details, in the "Configure OAuth2.0 Identity Provider" tab, the configuration verification token authentication method is required when client_secret_basic is configured, in the form: Basic base64 (application ID +':' + application Secret)

Form Data Parameters
token
REQUIRED
string

Token value to be tested

token_type_hint
OPTIONAL
string

The token type to be checked, the optional value is access_token.

client_id
OPTIONAL
string

Application ID. In the console application configuration details, in the "Configure OAuth2.0 Identity Provider" tab, it is required to configure the verification token authentication method as client_secret_post and none

client_secret
OPTIONAL
string

Application Secret, in the console application configuration details, in the "Configure OAuth2.0 Identity Provider" tab, it is required when configuring the verification token authentication method as client_secret_post

200: OK

When the token is valid, the following format content is returned

{
  "active": true,
  "sub": "5dc10851ebafee30ce3fd5e9",
  "client_id": "5cded22b4efab31716fa665f",
  "exp": 1602423020,
  "iat": 1602419420,
  "iss": "https://core.authing.cn/oauth",
  "jti": "SaPg48dbO66T77xkT8wy0",
  "scope": "user",
  "token_type": "Bearer"
}

When the token is invalid (expired, error, withdrawn), the following format content is returned

{
  "active": false
}