Category Archives: security

openId id_token validation in javascript (an angular service)

This post is related to the following Stack Overflow question:
How can I validate an openId id_token in javascript.

The Short story

We need to use jsjws.

  1. Download the libraries from here. I’ve downloaded version 3.0.2.
  2. In your index.html, reference the jws-3.0.js and json-sans-eval.js files that you downloaded above
    (json-sans-eval is located in the [jsjws-3.0.2\ext] directory; more info on it can be found on the
    json-sans-eval site).
  3. If you run the code, you will get the following exception: b64utohex is not defined
  4. You need to reference another library. In fact, I found that the related project jsrsasign has the required libraries.
    You can download a release here.
    I downloaded version 4.7.0, took out the jsrsasign-4.7.0-all-min.js file and added it to the referenced scripts.

Now you have all the necessary files to get it done using the following code:

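    // Verify the id_token signature against a PEM-encoded X.509 certificate.
    // Returns the parsed payload on success, or an error string on failure.
    function validateToken(id_token, cert) {
        var jws = new KJUR.jws.JWS();
        var result = 0;
        result = jws.verifyJWSByPemX509Cert(id_token, cert);
        if (result) {
            // Signature is valid: parse the JSON payload string.
            result = JSON.parse(jws.parsedJWS.payloadS);
        } else {
            result = 'unable to verify token';
        }
        return result;
    }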

Token validation coming from an openid endpoint will also be part of my angular-toolkit project: check it here
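
A valid signature alone does not show that the token was issued for this application or is still current. The following is an added example, not code from the original post or from jsjws/jsrsasign: it runs the claim checks OpenID Connect asks a client to make on the payload returned by a function like `validateToken`. The function name, option names and sample values are assumptions.

```javascript
// Added example: claim checks for an id_token payload whose signature has
// already been verified. Option names below are assumptions of this sketch.
function checkIdTokenClaims(payload, expected, nowSec) {
    if (!payload || typeof payload !== 'object') {
        return ['payload is not an object'];
    }
    var errors = [];
    var skew = expected.clockSkewSec || 0;
    var now = (typeof nowSec === 'number') ? nowSec : Math.floor(Date.now() / 1000);

    // iss: exact string match against the issuer we sent the user to.
    if (payload.iss !== expected.issuer) {
        errors.push('iss mismatch');
    }
    // aud: a string or an array; it must contain our client_id.
    var aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
    if (aud.indexOf(expected.clientId) === -1) {
        errors.push('aud does not contain client_id');
    }
    // azp: expected when there are several audiences; if present it must be us.
    if ((aud.length > 1 || payload.azp !== undefined) && payload.azp !== expected.clientId) {
        errors.push('azp mismatch');
    }
    // exp / iat: numeric seconds since the epoch, compared with a small skew.
    if (typeof payload.exp !== 'number' || now >= payload.exp + skew) {
        errors.push('token expired or exp missing');
    }
    if (typeof payload.iat !== 'number' || payload.iat > now + skew) {
        errors.push('iat missing or in the future');
    }
    // nonce: must echo the value stored before the authentication request.
    if (expected.nonce !== undefined && payload.nonce !== expected.nonce) {
        errors.push('nonce mismatch');
    }
    return errors;
}

// Constructed sample values, not taken from a real provider.
var SAMPLE_EXPECTED = { issuer: 'https://idp.example.test', clientId: 'spa-client',
                        nonce: 'n-123', clockSkewSec: 60 };
var SAMPLE_PAYLOAD = { iss: 'https://idp.example.test', aud: 'spa-client', sub: 'alice',
                       exp: 1700003600, iat: 1700000000, nonce: 'n-123' };
console.log(checkIdTokenClaims(SAMPLE_PAYLOAD, SAMPLE_EXPECTED, 1700000100)); // []
```

An empty array means every check passed; treat any non-empty result as a rejected token.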

Read more to get the Long story …


selfhosted IdentityServer v3 and WebApi running in the same process

This article walks through creating a project in Visual Studio to run Identity Server V3 as self-hosted, so we won’t require IIS, and we will use this installation to test some of the angular-toolkit functionalities.

For more in-depth information, this article is based on this post: Creating the simplest OAuth2 Authorization Server, Client and API. The difference here is that we will put everything in one self-hosted project (we will host multiple servers in one process).

The code is available here:


Tomcat Mutual ssl configuration

Lately I had to configure tomcat for mutual SSL. I ran into some problems and here is what helped me.

In fact, my problem was not having the correct certification path in my keystore.
I had the following certificate:

"SERIALNUMBER=2010,CN=Government CA,C=BE" 

and the certificate sent by the client was certified by the intermediary:

"SERIALNUMBER=2011,CN=Government CA,C=BE". 

=> the only difference is 2010 => 2011. The problem was solved after adding the correct certificate to my keystore.