Client-Side Token Validation

From IdS release 12.6(2), IdS issues access tokens that are signed and validated using an asymmetric key pair. The public key of the key pair can therefore be used to validate the access tokens: clients that have the IdS public key can validate the access tokens themselves, without the help of IdS. The following APIs are available to access the public key:

  • https://<IdSFQDN>/ids/v1/keys/token/public—Gets the public key that is used to validate the token.

  • https://<IdSFQDN>/ids/v1/keys/token/public/csr—Gets the Certificate Signing Request (CSR) that is used to get a signed certificate from a CA.

  • https://<IdSFQDN>/ids/v1/keys/token/public/x509—Gets the x509 token certificate.

Prerequisite

  • Clients should have the same Coordinated Universal Time (UTC) as the IdS server.

Use this API at the client side to obtain the public key from the IdS server and validate the access tokens issued by IdS. For more information about token validation using a public key, refer to https://jwt.io.

URIs:

https://<IdSFQDN>/ids/v1/keys/token/public

https://<IdSFQDN>/ids/v1/keys/token/public/csr

https://<IdSFQDN>/ids/v1/keys/token/public/x509

Example URI:

https://ids.autobot.cvp:8553/ids/v1/keys/token/public

Security Constraints:

Admin or client credentials protected.

HTTP Method:

GET

Content Type:

text/plain

Request Parameter:

download=true (Optional)

HTTP Response:

200: Success

401: Unauthorized (for example, the user is not authenticated in the Web Session)

500: Internal Server Error

Example Response to get public key:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAne/nKLjtdYzzMKGli9jh
+8STNUFYi2A1la2Aeor8hR6rpI11F0M01/B7F1bJ7orpaNK5gnqBuZ2g2Jx2WhQ1
vJePos0s+pl+2KAiR2f+fS+rDF2YkTlLEB36YomRUSK3H6sfkS0TliBZe+kEPVjR
OZmvGX/soIxJc1pYJ//wss9D7/TWyeSKTvpk7ASJmEoqLTsYsgRCSuSBFsh2PvF+
3w97qMIGEtyqXQLlINPJdXHvKPPdU7hs0M8lBZObMPL184r/nGJ1jT7YRjB0jwrS
WT3Qm5lcR/bwBPWmmkHZLpEhX2VLGnWYmp+UfinaGu0r11KV+nrEop+x+nNdpS8X
qQIDAQAB
-----END PUBLIC KEY-----

Example Response to get Certificate Signing Request (CSR):

-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----

Example Response to get x509 token certificate:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
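
The following is an added example, not Cisco code, of the client-side check described above: it parses the PEM body returned by /ids/v1/keys/token/public, verifies the token signature with the Python standard library only, and then checks expiry against the local clock, which is why the UTC prerequisite matters. It assumes the access token is a compact JWT signed with RS256 and carrying an `exp` claim; the function names and the `leeway` parameter are illustrative.

```python
import base64, hashlib, json, time

# Assumptions (not stated on the page): compact JWT, RS256, `exp` claim in epoch seconds.
# DER bytes: AlgorithmIdentifier body for rsaEncryption; DigestInfo prefix for SHA-256.
RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _b64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _tlv(buf, pos):
    """Read one DER element at pos; return (value_bytes, next_pos)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return buf[pos:pos + length], pos + length

def load_rsa_public_key(pem):
    """Parse a '-----BEGIN PUBLIC KEY-----' (SubjectPublicKeyInfo) PEM into (n, e)."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    spki, _ = _tlv(base64.b64decode(body), 0)   # outer SEQUENCE
    alg, pos = _tlv(spki, 0)                    # AlgorithmIdentifier
    if alg != RSA_ALG_ID:
        raise ValueError("not an RSA public key")
    bits, _ = _tlv(spki, pos)                   # BIT STRING wrapping RSAPublicKey
    rsa, _ = _tlv(bits, 1)                      # skip the unused-bits octet
    n, pos = _tlv(rsa, 0)
    e, _ = _tlv(rsa, pos)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def validate_token(token, n, e, now=None, leeway=0):
    """Return the claims if signature and expiry check out; raise ValueError otherwise."""
    h64, p64, s64 = token.split(".")
    header, claims, sig = json.loads(_b64url(h64)), json.loads(_b64url(p64)), _b64url(s64)
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")      # pin the algorithm, never follow the header
    k = (n.bit_length() + 7) // 8
    digest = hashlib.sha256(f"{h64}.{p64}".encode()).digest()
    expected = (b"\x00\x01" + b"\xff" * (k - 3 - len(SHA256_PREFIX) - 32)
                + b"\x00" + SHA256_PREFIX + digest)   # EMSA-PKCS1-v1_5 encoding
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n or pow(s, e, n).to_bytes(k, "big") != expected:
        raise ValueError("bad signature")
    now = time.time() if now is None else now   # local clock must agree with IdS (UTC)
    if not isinstance(claims, dict) or now > claims.get("exp", 0) + leeway:
        raise ValueError("token expired")       # a missing exp is treated as expired
    return claims
```

Fetch the key over TLS with the admin or client credentials the API requires, cache the parsed `(n, e)`, and pass it to `validate_token` for each incoming token.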