I am using identityserver v3 to authenticate my users in an angularjs based web application. therefor I request an id_token from the authorize endpoint that returns me what i want (id_token and access_token...). The openid specification states that the id_token must be validated by the client. How can I achieve this in javascript. I could find some implementation in .net or java, but couldn't find any in javascript.
could someone provide me a library that does the job in javascript ?
the best would be a method that takes the token as param and validate it : sthg like :
mylib.validate(id_token);
some server offer an endpoint to validate it, but I really would like to validate it on the client
Here is what I did:
we need to use JSWS
download the libraries from here : JSJWS. I’ve downloaded version 3.0.2.
in your index.html, you must reference the jws-3.0.js, the json-sans-eval.js file that you downloaded above (json-sans-eval is located in [jsjws-3.0.2\ext] directory. (more info on it can be found here json-sans-eval site)
if you run the code, you will get the following exception : b64utohex is not defined
you need to reference another library. in fact I found the related project jsrsasign having the required libraries. you can download a release here : https://github.com/kjur/jsrsasign/tags/ I downloaded the version 4.7.0 and took out the jsrsasign-4.7.0-all-min.js file and added in referencing scripts.
Now you have all the necessary files to get it done using the following code :
function validateToken(id_token, cert) {
var jws = new KJUR.jws.JWS();
var result = 0;
result = jws.verifyJWSByPemX509Cert(id_token, cert);
if (result) {
result = JSON.parse(jws.parsedJWS.payloadS);
} else {
result = 'unable to verify token';
}
return result;
}
the long story of this can be found here