This documentation is for WSO2 Identity Server 5.0.0. View documentation for the latest release.
Page Comparison - Verifying OpenID Connect ID Token Signatures (v.1 vs v.2) - Identity Server 5.0.0 - WSO2 Documentation

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

The WSO2 Identity Server provides signed ID Tokens to address some security vulnerabilities in the production environment.

  • Unsigned ID tokens can contain only two portions separated by "."

    Code Block

    The following is an example where unsigned ID tokens contain only two portions separated by "."

    Code Block
  • Signed ID Tokens containing three portions separated by "."

    Code Block

    The following is an example where the signed ID token contains three portions separated by "."

    Code Block

If you want to see exact JSON values, you can do Base64 decode for <header>.<body> values.

The following is a simple Java program to validate ID token signature against default wso2carbon.jks public key in WSO2 products.

Code Block
package org.sample;


import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;

public class ValidateRSASignature {

    public static void main(String[] args) throws Exception {
        RSAPublicKey publicKey = null;
        InputStream file = ClassLoader
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        keystore.load(file, "wso2carbon".toCharArray());

        String alias = "wso2carbon";

        // Get certificate of public key
        Certificate cert = keystore.getCertificate(alias);
        // Get public key
        publicKey = (RSAPublicKey) cert.getPublicKey();

        // Enter JWT String here
        String signedJWTAsString = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0d";

        SignedJWT signedJWT = SignedJWT.parse(signedJWTAsString);

        JWSVerifier verifier = new RSASSAVerifier(publicKey);

        if (signedJWT.verify(verifier)) {
            System.out.println("Signature is Valid");
        } else {
            System.out.println("Signature is NOT Valid");

Configuration to switch between signed and unsigned ID tokens. With default configurations, the ID token is always signed. If you want to switch off ID token signing, make the following configuration changes in the <IS_HOME>/repository/conf/identity/identity.xml file.

Code Block

Note: By default WSO2 products ship with wso2carbon.jks. In the wso2carbon.jks keystore, the password is "wso2carbon" and the certificate alias also "wso2carbon". In a production environment we recommend that you change those values.