Get User Info from ID Token
After the user logs in successfully, the user identity token id_token is returned to the application. The application can directly obtain user information through the user identity token. The application first obtains the identity token signature key, then verifies the JWT signature of the identity token, and finally parses the user information in the identity token.
Obtain the Identity Token Signature Key
Visit the platform's jwk_uri address: https://{your_domain}/api/v1/oauth2/keys to obtain the identity token signature key.
Add the following to the pom file:
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
<version>5.7</version> <!-- Use the latest version -->
</dependency>Code example:
private List<RSAKey> getPublicKeys() throws Exception {
List<RSAKey> rsaKeyList = new ArrayList();
Request request = Request.Get("https://{your_domain)/api/v1/oauth2/keys");
HttpResponse httpResponse = request.execute().returnResponse();
if(httpResponse.getStatusLine().getStatusCode()==200){
JSONObject jsonObject = JSONObject.parseObject(EntityUtils.toString(httpResponse.getEntity()));
JSONArray keys = jsonObject.getJSONArray("keys");
for (Object object:keys) {
RSAKey rsaKey = RSAKey.parse(JSONObject.toJSONString(object));
rsaKeyList.add(rsaKey);
}
return rsaKeyList;
}else{
logger.info("Failed to obtain identity token signature secret key!");
throw new AuthenticationException(httpResponse.toString());
}
}Verify Identity Token Signature
The identity token issued by the platform is a signed JWT with signature algorithm RS256 of the JWS standard. When the application requests user information, it must first verify the identity token, including the following:
Verify signature: verify the authenticity and integrity of the identity token.
Add the following to the pom file:
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
<version>5.7</version> <!-- Use the latest version -->
</dependency>Code example:
public boolean verifySignature(String id_token) {
try {
JWT jwtToken = JWTParser.parse(id_token);
SignedJWT jwt = (SignedJWT)jwtToken;
List<RSAKey> publicKeyList = getPublicKeys();
RSAKey rsaKey = null;
for (RSAKey key : publicKeyList) {
if (jwt.getHeader().getKeyID().equals(key.getKeyID())) {
rsaKey = key;
}
}
if (rsaKey != null) {
RSASSAVerifier verifier = new RSASSAVerifier(rsaKey.toRSAPublicKey());
return jwt.verify(verifier);
}else {
logger.info("Can't verify signature for id token");
return false;
}
} catch (Exception e) {
logger.error("Failed to verify user token signature!",e.getMessage());
return false;
}
}Parse User Information from Identity Token
After the application verifies that the identity token signature is valid, it decodes the HEADER and PAYLOAD parts of the identity token through base64. It is recommended that the application verify other information of the identity token itself (such as whether the current time exceeds the expiration time, whether the token audience is this application, etc.). The parameter information is as follows:
HEADER
Response example:
{
"kid": "14a0b7d31d5d284c549f9e3565fb136a",
"alg": "RS256"
}Response parameters:
| Parameter | Description |
|---|---|
| kid | Key id used when verifying the identity token signature |
| alg | Signature algorithm |
PAYLOAD
Response example:
{
"iss": "https://{your_domain}/api/v1/oauth2",
"aud": "XCNofcDPkSXFuBBgdgxNus5SO3Kiwka8",
"exp": 1655779413,
"jti": "B6P99VAWZQZBGNa4avp29s",
"iat": 1655779293,
"nbf": 1655779173,
"sub": "subject",
"name": "Zhang San",
"mobile": "+86-18310131134",
"id": "20220616180055613-6F86-406AB6155",
"userName": "zhangsan",
"email": "18310131134@126.com"
}Response parameters:
| Parameter | Description |
|---|---|
| iss | Token issuer |
| aud | Token audience, the application's clientId |
| exp | Token expiration time |
| jti | Token id |
| iat | Token issuance time |
| sub | Fixed as subject |
| name | User full name |
| mobile | User mobile number |
| id | User id |
| userName | Username |
| User email |