DT's access token format #335
AxelNennker started this conversation in Show and tell
Replies: 0 comments
For those interested, the following is DT's access token format.
It is a JWS following RFC9068:
Example claims:

```json
{
  "iss": "https://auth.api.telekom.com/realms/mace",
  "sub": "eyJlbmMiOiJB....9BRVAtMjU2In0.O01BFr......dNn-fZ0xoA.ln7IYZDF9TdBIK6i.ZhQ3Q5TY827.....QiY5m8yc.5KKhrgg...JaT0g",
  "aud": "https://dev.api.telekom.com/senf/number-verification/v2/device-phone-number",
  "exp": 1751968306,
  "iat": 1751968006,
  "jti": "258d059a-4776-4cba-9237-01fff64ec0ca",
  "client_id": "080b8bb8-bb8c-4dcc-bfef-1be9524e5ea4",
  "scope": "dpv:FraudPreventionAndDetection number-verification:device-phone-number:read"
}
```

The aud value can be an array.
Edit: removed "openid" from the scope. The scope is in CIBA and OIDC ACF flow requests but not in the access token.
To check the signature, you could use the jwks found through the openid/oauth2 server metadata at `${"iss"}.appendPath(".well-known/openid-configuration")`, i.e.
https://auth.api.telekom.com/realms/mace/.well-known/openid-configuration
which contains `"jwks_uri": "https://auth.api.telekom.com/realms/mace/protocol/openid-connect/certs"`.

If you ever see some field in the DT access token that is not required or recommended in RFC9068 then that is violating the requirements.
"scope" is a SHOULD.
The access token must not contain unneeded fields and never PII.
All PII is in the JWE value of sub, which is encrypted to the public key of the RS.
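The checks the post describes (discovery URL derived from `iss`, RFC 9068 claim set, `aud` as string or array, no claims beyond what RFC 9068 requires or recommends, PII only inside the JWE in `sub`) as an added resource-server-side example; this is not DT's code. It assumes the JWS signature has already been verified with the keys from `jwks_uri` (that step needs a JWT library and is not part of this block), and `parse_jws_claims` only decodes the payload; the hypothetical `check_claims` then validates the decoded claims.

```python
import base64
import json
import time

# Claims RFC 9068 requires in a JWT access token.
REQUIRED = {"iss", "exp", "aud", "sub", "client_id", "iat", "jti"}
# Claims RFC 9068 lists as optional/recommended; "scope" is a SHOULD.
OPTIONAL = {"scope", "nbf", "auth_time", "acr", "amr", "groups", "roles", "entitlements"}


def discovery_url(iss: str) -> str:
    """Where the RS fetches the server metadata that carries jwks_uri."""
    return iss.rstrip("/") + "/.well-known/openid-configuration"


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def parse_jws_claims(token: str) -> dict:
    """Decode the compact JWS payload. The signature is NOT checked here: verify
    it first with the keys from jwks_uri, then pass the claims to check_claims."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    # RFC 9068 section 4 tells the RS to reject any typ other than at+jwt.
    if header.get("typ") not in ("at+jwt", "application/at+jwt"):
        raise ValueError("typ header must be at+jwt")
    return json.loads(_b64url_decode(payload_b64))


def check_claims(claims: dict, expected_aud: str, now=None) -> list:
    """Return the list of problems found; an empty list means accept."""
    now = int(time.time()) if now is None else now
    problems, keys = [], set(claims)
    missing = REQUIRED - keys
    if missing:
        problems.append("missing required claims: %s" % sorted(missing))
    # Per the post, a field RFC 9068 neither requires nor recommends is a
    # violation, and such fields are where PII would leak into the token.
    extra = keys - REQUIRED - OPTIONAL
    if extra:
        problems.append("unexpected claims (check for PII): %s" % sorted(extra))
    # aud may be a string or an array; this RS must be listed in it.
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not name this resource server")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    # sub holds the PII as a JWE compact serialization: five dot-separated parts.
    if str(claims.get("sub", "")).count(".") != 4:
        problems.append("sub is not a JWE compact serialization")
    return problems
```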