Retrieve User Information Based on id_token
After a user logs in successfully, the identity token (id_token) is returned to the application. The application can obtain user information directly from this token, but only after validating it: first obtain the identity token signature keys, then verify the JWT (JWS) signature of the token, then check its claims (issuer, audience, validity period), and only then read the user information from the token payload.
# Obtain the Identity Token Signature Key
Access the jwk_uri address provided by the platform, https://{your_domain}/api/v1/oauth2/keys, to obtain the identity token signature keys. The response is a JWK Set (a JSON object whose keys array holds one public key per entry); the kid of each entry is what the token header refers to. Fetch it over HTTPS only, cache the result rather than downloading it for every token, and re-fetch when a token carries a kid that is not in the cache so that key rotation keeps working.
Add the following to the pom file:
```xml
<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>5.7</version> <!-- Use the latest version -->
</dependency>
```
Code example:
```java
import java.util.ArrayList;
import java.util.List;
import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject;
import com.nimbusds.jose.jwk.RSAKey;
import org.apache.http.HttpResponse;
import org.apache.http.client.fluent.Request;
import org.apache.http.util.EntityUtils;

// Fetch the JWK Set from the platform's jwk_uri and return its RSA public keys.
// Always use HTTPS so the key set cannot be replaced in transit.
private List<RSAKey> getPublicKeys() throws Exception {
    List<RSAKey> rsaKeyList = new ArrayList<>();
    Request request = Request.Get("https://{your_domain}/api/v1/oauth2/keys");
    HttpResponse httpResponse = request.execute().returnResponse();
    if (httpResponse.getStatusLine().getStatusCode() == 200) {
        JSONObject jsonObject = JSONObject.parseObject(EntityUtils.toString(httpResponse.getEntity()));
        JSONArray keys = jsonObject.getJSONArray("keys");
        for (Object object : keys) {
            // Each entry is a JWK; RSAKey.parse rejects anything that is not an RSA key
            RSAKey rsaKey = RSAKey.parse(JSONObject.toJSONString(object));
            rsaKeyList.add(rsaKey);
        }
        return rsaKeyList;
    } else {
        logger.error("Failed to obtain identity token signature key, HTTP status {}",
                httpResponse.getStatusLine().getStatusCode());
        throw new AuthenticationException(httpResponse.toString());
    }
}
```
# Verify the Identity Token Signature
The identity token issued by the platform is a signed JWT (a JWS) using the RS256 algorithm. Before an application uses the token to obtain user information, it must verify the token, which includes the following:
Verify the signature: confirm the authenticity and integrity of the identity token. Select the published key whose kid matches the kid in the token header and verify with RS256 only. The algorithm must be fixed by the application rather than read from the token's alg header; otherwise a token with alg set to none, or to an HMAC algorithm keyed with the public key, could be accepted.
Verify the claims: after the signature check, validate iss, aud, exp and nbf as described in the next section. A token that passes signature verification but fails any claim check must be rejected.
This uses the same nimbus-jose-jwt dependency added above.
Code example:
```java
import java.util.List;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
// Verify the JWS signature of an id_token against the platform's published RSA keys.
public boolean verifySignature(String id_token) {
    try {
        JWT jwtToken = JWTParser.parse(id_token);
        if (!(jwtToken instanceof SignedJWT)) {
            // Unsigned ("alg":"none") or encrypted tokens are not what the platform issues
            logger.warn("id token is not a signed JWT");
            return false;
        }
        SignedJWT jwt = (SignedJWT) jwtToken;
        // Pin the algorithm to RS256; never let the token header choose it (an HS256 token keyed with the public key would otherwise pass)
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
            logger.warn("Unexpected id token algorithm: {}", jwt.getHeader().getAlgorithm());
            return false;
        }
        String kid = jwt.getHeader().getKeyID();
        List<RSAKey> publicKeyList = getPublicKeys();
        RSAKey rsaKey = null;
        for (RSAKey key : publicKeyList) {
            // Compare from the key side so a token without a kid cannot cause a NullPointerException
            if (key.getKeyID() != null && key.getKeyID().equals(kid)) {
                rsaKey = key;
                break;
            }
        }
        if (rsaKey != null) {
            RSASSAVerifier verifier = new RSASSAVerifier(rsaKey.toRSAPublicKey());
            return jwt.verify(verifier);
        } else {
            logger.warn("No published key matches kid {}; cannot verify id token signature", kid);
            return false;
        }
    } catch (Exception e) {
        // Pass the throwable itself so the stack trace is logged, not only the message
        logger.error("Failed to verify user token signature!", e);
        return false;
    }
}
```
# Parsing User Information from Identity Token
After the application has verified that the identity token signature is valid, it decodes the HEADER and PAYLOAD parts of the identity token (they are base64url encoded without padding, so use a base64url decoder rather than a standard base64 one). The application itself must also validate the other information in the identity token: that the current time is earlier than exp and not earlier than nbf, that aud equals this application's clientId, and that iss is the platform's issuer address. Only a token that passes all of these checks should be used as a source of user information. The parameter information is as follows:
# HEADER Part
Response Example:
```json
{
  "kid": "14a0b7d31d5d284c549f9e3565fb136a",
  "alg": "RS256"
}
```
Response Parameters:
| Parameter Name | Description |
|---|---|
| kid | The key ID used for verifying the identity token signature; it selects the entry of the JWK Set to verify with |
| alg | Signature algorithm, always RS256; the application should reject a token whose header states any other algorithm |
# PAYLOAD Part
Response Example:
```json
{
  "iss": "https://{your_domain}/api/v1/oauth2",
  "aud": "XCNofcDPkSXFuBBgdgxNus5SO3Kiwka8",
  "exp": 1655779413,
  "jti": "B6P99VAWZQZBGNa4avp29s",
  "iat": 1655779293,
  "nbf": 1655779173,
  "sub": "subject",
  "name": "Zhang San",
  "mobile": "+86-18310131134",
  "id": "20220616180055613-6F86-406AB6155",
  "userName": "zhangsan",
  "email": "18310131134@126.com"
}
```
Response Parameters:
| Parameter Name | Description |
|---|---|
| iss | Token issuer; must match the platform's issuer address |
| aud | Token recipient, the application's clientId; must equal this application's clientId |
| exp | Token expiration time (Unix timestamp, seconds); the token must not be accepted after it |
| jti | Token ID |
| iat | Token issuance time (Unix timestamp, seconds) |
| nbf | Time before which the token must not be accepted (Unix timestamp, seconds) |
| sub | Fixed as "subject" |
| name | User's name |
| mobile | User's mobile number |
| id | User's ID |
| userName | Username |
| email | User's email |
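The three steps above (obtain the key set, verify the RS256 signature, then validate the claims) as one relying-party routine, written in Go with only the standard library. This is an added example; it is not the platform's SDK and not the Java samples on this page. KeysByKid takes the JWK Set JSON that the application has already downloaded from the jwk_uri (it does no network I/O, unlike getPublicKeys above), VerifyIDToken pins the algorithm to RS256 before it looks up the kid, and the iss/aud/exp/nbf checks use the claim names from the PAYLOAD table. IssueToken only stands in for the platform so the verifier can be exercised offline. The function names, the 60-second clock-skew allowance and the parameter order are this example's own choices, and the issuer URL and clientId used when calling it are the caller's values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS segments are base64url without padding (RFC 7515)

// Claims holds the id_token payload fields the application checks and uses; encoding/json
// matches keys case-insensitively, so "userName" fills UserName (aud is a single clientId).
type Claims struct {
	Iss, Aud, Sub, Name, UserName, Email string
	Exp, Nbf                             int64
}

// decodeSegment base64url-decodes one JWS segment and unmarshals its JSON.
func decodeSegment(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// KeysByKid parses a JWK Set (the jwk_uri document) and indexes its RSA public keys by kid;
// entries of another key type or without a kid are skipped rather than trusted.
func KeysByKid(jwksJSON []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return nil, err
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty != "RSA" || k.Kid == "" || errN != nil || errE != nil || len(n) == 0 {
			continue
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return keys, nil
}

// VerifyIDToken checks the RS256 signature of idToken against the published keys, then validates
// iss, aud, exp and nbf (now is Unix seconds; 60 s of clock skew is tolerated). The algorithm is
// pinned here rather than read from the token, so a header claiming "none" or "HS256" is rejected first.
func VerifyIDToken(idToken string, keys map[string]*rsa.PublicKey, issuer, clientID string, now int64) (*Claims, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	var header struct{ Alg, Kid string }
	if err := decodeSegment(parts[0], &header); err != nil {
		return nil, err
	}
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	pub, ok := keys[header.Kid]
	if !ok {
		return nil, fmt.Errorf("no published key for kid %q", header.Kid)
	}
	// RS256 is RSASSA-PKCS1-v1_5 over SHA-256 of the signing input "header.payload".
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims // the payload is decoded and trusted only after the signature check
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer || c.Aud != clientID:
		return nil, fmt.Errorf("issuer %q / audience %q is not this application", c.Iss, c.Aud)
	case now > c.Exp+60 || now < c.Nbf-60:
		return nil, fmt.Errorf("now=%d is outside the token's validity window [%d, %d]", now, c.Nbf, c.Exp)
	}
	return &c, nil
}

// IssueToken stands in for the platform (fresh RSA key, one-entry JWK Set, RS256 signing) for offline tests.
func IssueToken(kid, payload string) (token string, jwks []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks = []byte(fmt.Sprintf(`{"keys":[{"kty":"RSA","kid":%q,"alg":"RS256","n":%q,"e":%q}]}`,
		kid, b64.EncodeToString(key.N.Bytes()), b64.EncodeToString(big.NewInt(int64(key.E)).Bytes())))
	input := b64.EncodeToString([]byte(`{"kid":"`+kid+`","alg":"RS256"}`)) + "." + b64.EncodeToString([]byte(payload))
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), jwks
}
```

In production, download the JWK Set from https://{your_domain}/api/v1/oauth2/keys with your HTTP client, pass the body to KeysByKid, and call VerifyIDToken with the id_token, the issuer address shown in the iss claim, your clientId and the current Unix time; IssueToken is never needed there. A token whose header says alg none, whose kid is unknown, whose payload was altered after signing, or whose aud is another application is rejected with an error before any user field is returned.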
