The ID Token

An overview of the ID Token.

The result of a successful OpenID Connect flow is the ID Token, which is built using the industry-standard JSON Web Token (JWT) format (https://tools.ietf.org/html/rfc7519). A JSON Web Token consists of three parts separated by dots (.), which are:
• Header
• Payload
• Signature

Therefore, a JWT typically looks like the following.

{ "id_token" : "xxx.yyy.zzz" }

Header

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used. The AXN uses RS256 for token signatures.

For example:

{
  "alg": "RS256",
  "typ": "JWT"
}

Then, this JSON is Base64Url encoded to form the first part of the JWT.

Payload

The second part of the token is the payload, which contains all information related to the transaction. The key field in this output is policyDecision, which summarizes whether the user was approved or denied in the verification attempt. A more detailed look at the federated gateway ID Token output can be found here.

{
  "at_hash": "udfkrvnPivU4uE0BYeUcXA",
  "sub": "[email protected]",
  "aud": "18976aa43dca4b4e",
  "endpoint": {
    "status": "success",
    "errorCode": "",
    "errorDescription": "",
    "credential": "[email protected]",
    "credentialCreationDate": "02/08/2022 21:09:35 UTC",
    "mbun": "f3f2a548-6c67-4155-8e30-bb1a28c84647",
    "maxToken": "EnMbLwzgyefV3dndx9d5r1C-iEyZ8PpRhuIeIFlGpIE",
    "endpointInstanceList": [
      // details of each step (API key) in the verification workflow
    ]
  },
  "policyDecision": "approve",
  "idwRiskScore": "100",
  "iss": "https://preprod1.iddataweb.com/preprod-axn",
  "idwTrustScore": "100",
  "exp": 1644355218,
  "iat": 1644354618,
  "jti": "008ab766-a58d-4489-b4cd-85188d2562d0"
}

The payload is then Base64Url encoded to form the second part of the JSON Web Token.

Signature

The signature is used to verify that the sender of the JWT is who it claims to be and to ensure that the message was not changed along the way. ID DataWeb signs all tokens with the RS256 algorithm (RSASSA-PKCS1-v1_5 with SHA-256), which is an example of asymmetric cryptography. This means that to verify the signature you need the AXN's public key and the matching signature verification algorithm.

Verifying the JWT Signature

It is highly recommended that your application verifies the signature of the JSON Web Token before trusting any of the data it contains.

The AXN provides its signing keys in the industry-standard JWK format at the following URL: https://preprod1.iddataweb.com/preprod-axn/axn/oauth2/jwks.json

{
	"keys": [{
		"kty": "RSA",
		"alg": "RS256",
		"use": "sig",
		"kid": "1",
		"n": "n5H8ZKqOqW-4cL0x1JlfyVZTyhplaOQLslbsPFr_cub_KELYKt8_eZ5PsuIhpENmU1TrM082PFO4rEut1et6mDr_ia34qmkKJAqv4VI95agNArA23UoIDYPnBGvmXEJI0JIxp514N5X8NcRBVjK9DPaYW-f-S4kFO-xSJvSKh0-RUo3jnL29rZBlhXrw0YTFrY5cJ9haXJfQsvzMlXcHNX7hN_EMJI4pg12A65o8QgEyp7ZZ_izDH-IRCQmsgj6ZYq2aKHDsms5jgR_Zryno_G7oyuTFl1yJjLgfmK002D-ZWWiCQDKj4P1qzXX2TzKHiJw-ak755rQCrdH8IqSFUw",
		"e": "AQAB",
		"value": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn5H8ZKqOqW+4cL0x1JlfyVZTyhplaOQLslbsPFr/cub/KELYKt8/eZ5PsuIhpENmU1TrM082PFO4rEut1et6mDr/ia34qmkKJAqv4VI95agNArA23UoIDYPnBGvmXEJI0JIxp514N5X8NcRBVjK9DPaYW+f+S4kFO+xSJvSKh0+RUo3jnL29rZBlhXrw0YTFrY5cJ9haXJfQsvzMlXcHNX7hN/EMJI4pg12A65o8QgEyp7ZZ/izDH+IRCQmsgj6ZYq2aKHDsms5jgR/Zryno/G7oyuTFl1yJjLgfmK002D+ZWWiCQDKj4P1qzXX2TzKHiJw+ak755rQCrdH8IqSFUwIDAQAB\n-----END PUBLIC KEY-----"
	}]
}

Using the data from this URL, your application must construct a PEM-format public key from the modulus and exponent values (n and e). Once you have constructed the PEM, use it to verify the signature of the JSON Web Token. The block below is the PKCS#1 form of that key (BEGIN RSA PUBLIC KEY); the value field of the JWK above carries the same key in SubjectPublicKeyInfo form (BEGIN PUBLIC KEY), and JWT libraries differ in which of the two they accept.

-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAn5H8ZKqOqW+4cL0x1JlfyVZTyhplaOQLslbsPFr/cub/KELYKt8/
eZ5PsuIhpENmU1TrM082PFO4rEut1et6mDr/ia34qmkKJAqv4VI95agNArA23UoI
DYPnBGvmXEJI0JIxp514N5X8NcRBVjK9DPaYW+f+S4kFO+xSJvSKh0+RUo3jnL29
rZBlhXrw0YTFrY5cJ9haXJfQsvzMlXcHNX7hN/EMJI4pg12A65o8QgEyp7ZZ/izD
H+IRCQmsgj6ZYq2aKHDsms5jgR/Zryno/G7oyuTFl1yJjLgfmK002D+ZWWiCQDKj
4P1qzXX2TzKHiJw+ak755rQCrdH8IqSFUwIDAQAB
-----END RSA PUBLIC KEY-----


Use Open Source Libraries!

It is highly recommended that you do not write your own cryptographic libraries. Instead, there are many excellent open source libraries available to assist with both constructing the RS256 public key in PEM format from ID DataWeb's JWK and using it to verify the signature of the JWT:
JWK libraries: http://openid.net/developers/jwt/
JWT signature verification libraries: https://jwt.io/#libraries-io
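The verification procedure described above (read jwks.json, rebuild the public key from n and e, render it as PEM, verify the RS256 signature over header.payload, and only then trust the payload), as an added Go example that is not part of the original page and is not ID DataWeb's code. It uses only the Go standard library. pageJWKS is the jwks.json document quoted above; demoKey and signRS256 are hypothetical stand-ins for the AXN's own signer so that the check can be exercised offline; the iss and aud values a relying party pins are the ones the sample payload shows.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// pageJWKS is the jwks.json document quoted above, copied from the page ("value" is the SPKI PEM the AXN publishes next to n and e).
const pageJWKS = `{"keys":[{"kty":"RSA","alg":"RS256","use":"sig","kid":"1",
"n":"n5H8ZKqOqW-4cL0x1JlfyVZTyhplaOQLslbsPFr_cub_KELYKt8_eZ5PsuIhpENmU1TrM082PFO4rEut1et6mDr_ia34qmkKJAqv4VI95agNArA23UoIDYPnBGvmXEJI0JIxp514N5X8NcRBVjK9DPaYW-f-S4kFO-xSJvSKh0-RUo3jnL29rZBlhXrw0YTFrY5cJ9haXJfQsvzMlXcHNX7hN_EMJI4pg12A65o8QgEyp7ZZ_izDH-IRCQmsgj6ZYq2aKHDsms5jgR_Zryno_G7oyuTFl1yJjLgfmK002D-ZWWiCQDKj4P1qzXX2TzKHiJw-ak755rQCrdH8IqSFUw",
"e":"AQAB",
"value":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn5H8ZKqOqW+4cL0x1JlfyVZTyhplaOQLslbsPFr/cub/KELYKt8/eZ5PsuIhpENmU1TrM082PFO4rEut1et6mDr/ia34qmkKJAqv4VI95agNArA23UoIDYPnBGvmXEJI0JIxp514N5X8NcRBVjK9DPaYW+f+S4kFO+xSJvSKh0+RUo3jnL29rZBlhXrw0YTFrY5cJ9haXJfQsvzMlXcHNX7hN/EMJI4pg12A65o8QgEyp7ZZ/izDH+IRCQmsgj6ZYq2aKHDsms5jgR/Zryno/G7oyuTFl1yJjLgfmK002D+ZWWiCQDKj4P1qzXX2TzKHiJw+ak755rQCrdH8IqSFUwIDAQAB\n-----END PUBLIC KEY-----"}]}`

// jwk holds the fields of one JWKS entry that this check needs; encoding/json matches "kty", "n", "e", "value" case-insensitively.
type jwk struct{ Kty, N, E, Value string }

type jwks struct{ Keys []jwk }

var b64 = base64.RawURLEncoding // JWT parts and JWK n/e use base64url without padding

// publicKeyFromJWK rebuilds the RSA public key from the base64url-encoded modulus n and exponent e.
func publicKeyFromJWK(k jwk) (*rsa.PublicKey, error) {
	nb, errN := b64.DecodeString(k.N)
	eb, errE := b64.DecodeString(k.E)
	if k.Kty != "RSA" || errN != nil || errE != nil {
		return nil, errors.New("JWK is not a well-formed RSA key")
	}
	// Go's rsa package refuses to use a key whose exponent is outside 2..2^31-1, so an oversized e fails safely later.
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}, nil
}

// publicKeyPEM renders the key as a "BEGIN PUBLIC KEY" (SubjectPublicKeyInfo) block, the form most JWT libraries accept.
func publicKeyPEM(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// demoKey and signRS256 are hypothetical stand-ins for the AXN's signer so the check below can run offline.
func demoKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func signRS256(priv *rsa.PrivateKey, payload string) (string, error) {
	header := `{"alg":"RS256","typ":"JWT"}` // the header the page shows
	input := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString([]byte(payload))
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyRS256 is the relying party's check: pin the algorithm, verify the signature over
// "header.payload", and only then decode the payload and check its iss, aud and exp claims.
func verifyRS256(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three dot-separated parts")
	}
	hdrBytes, errH := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg string } // the verifier fixes the algorithm; the header only has to agree
	if errH != nil || errS != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected: alg must be RS256, got %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	var claims map[string]any // decoded only after the signature holds
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &claims) != nil {
		return nil, errors.New("payload is not base64url-encoded JSON")
	}
	if claims["iss"] != wantIss || claims["aud"] != wantAud {
		return nil, errors.New("iss or aud does not match this application")
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired or exp missing")
	}
	return claims, nil
}
```

To use this against a real ID Token, fetch the JWKS over HTTPS, pick the entry whose kid matches the token header (the header shown on this page carries no kid, and the published JWKS holds a single key), pass it through publicKeyFromJWK, and call verifyRS256 with the iss and aud your application expects. Two design points matter: the algorithm is fixed by the verifier rather than read from the token, so a header that names another algorithm is rejected before any key is used, and the payload is not decoded until the signature has been confirmed, so a token whose claims were altered after signing never reaches the policyDecision check.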

Putting it all together
The output is three Base64Url-encoded strings separated by dots that can be passed easily in HTML and HTTP environments, while being more compact than XML-based standards such as SAML.