Tokens

About tokens

In general, a token is just a piece of data. In Unit4 Identity Services (U4IDS), tokens are used for authentication and authorization.

The token contains enough information to identify the user or the resource and is used to prove identity. You can think of it as a set of attributes/claims about a resource (see also claims). Because of this, a token must be protected so that it cannot be altered by unauthorized parties. A token can have different formats, and there are different types to serve different purposes.

The client does not need to understand the content or structure of the token itself. However, a token still carries a significant amount of metadata, such as its current validity period, the approved scopes, and the context in which it was issued. This information is often vital to the client for making authorization decisions based on the tokens being presented and for validating the token.

When the client gets a token from U4IDS it can come in two forms:

Token type: Explanation
Self-contained JWT token: Sometimes also referred to as a value token; the token itself contains the claims (its value).
Reference token: An opaque identifier that refers to a token rather than carrying its content.

For more information about token types used in U4IDS, see OpenID Connect.

Example of a self-contained JSON Web Token (JWT)

The token issued by U4IDS has three parts:

Token part: Content
Header: Contains information used to validate the token, such as the token type, signature algorithm, and the identifier of the signing key.
Payload: The attributes/claims connected to a user or resource.
Signature: A signed hash of the header and payload. The signature is used to validate the authenticity and integrity of the token. The token is signed with an X.509 certificate.

A representation of a JWT access token is shown below. The token is a base64url-encoded string (URL-safe base64 without padding). The three parts are separated with a period (.).

Example of a JWT access token

The encoded token string: 

"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkcteHQ2czRvQ3pGTmZ1S2pzNlhOdGVJZ2Y0YyIsImtpZCI6IkcteHQ2czRvQ3pGTmZ1S2pzNlhOdGVJZ2Y0YyJ9.
eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdC9yZXNvdXJjZXMiLCJleHAiOjE0NTY5MjM3MDcsIm5iZiI6MTQ1NjkyMDEwNywiY2xpZW50X2lkIjoiaW1wbGljaXRDbGllbnQiLCJzY29wZSI6InJlc291cmNlc2NvcGUiLCJzdWIiOiJuaW5qYUB0dXJ0bGUuY29tIiwiYXV0aF90aW1lIjoxNDU2OTIwMTA3LCJpZHAiOiJpZHNydi5leHRlcm5hbCIsInVuaXQ0Y2xhaW10eXBlIjoiZnJvbSB1c2VyIHByb2ZpbGUiLCJ1bml0NF9pZCI6Ik5pbmphIFR1cnRsZSIsImFtciI6WyJleHRlcm5hbCJdfQ.
OsYpmq4wdMLNw5wmZ2l3qvk_I7S6oWMmtuiOpDhq-UJJJA2qlR44zFFp9nq9d41Y4MFdGrBZcPZpTOodb6_zwBaNS6yVg2DZsxDdYO_TLP_vlaR13AqGNAOrlAkMzE66W9h3swErE-hnnY50iO0-F9VNN5xXrq6GA_qF4yfvy-euppAC77ricY_OI197JeJMGzGXLLurx8LnCXziqSioosEAYZTFxp8CEIHkH4QJyekMRHIEet9aYQ0rcMxmadn0Zhcj07YxE3YvKYlU7H8HV-oiVutZeZdCH-qXdRowRq3n03Vv28mE7A5buRJGuN4QuaxlwHO-1dSr59bJAqbTwg";
The decoded token string:
// The header
{
    "typ":"JWT",
    "alg":"RS256",
    "x5t":"G-xt6s4oCzFNfuKjs6XNteIgf4c",
    "kid":"G-xt6s4oCzFNfuKjs6XNteIgf4c"
}
// The payload
{
    "iss":"http://unit4.identityserver.com",
    "aud":"http://unit4.identityserver.com/resource", // for ID Token this value will be the clientId
    "exp":1456923707,
    "nbf":1456920107,
    "client_id":"implicitClient",
    "scope":"openid resourcescope",
    "sub":"the.user@domain.com",
    "auth_time":1456920107,
    "idp":"idsrv.external",
    "unit4_id":"the user name",
    "amr":["external"]
}
// The signature
// (raw binary bytes of the RSA signature over the header and payload; not printable as text)
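As an added example (not code from the U4IDS documentation), the following stdlib-only Python splits the token shown above, base64url-decodes the header and payload, and applies the claim checks a resource server makes before trusting the payload. PAGE_TOKEN is the encoded token from this page, and the issuer and audience values in the comments are the ones found in it; RS256 signature verification against the certificate identified by kid/x5t is assumed to happen separately.

```python
import base64
import json

# The encoded JWT from this page, joined into one header.payload.signature string.
PAGE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkcteHQ2czRvQ3pGTmZ1S2pzNlhOdGVJZ2Y0YyIsImtpZCI6IkcteHQ2czRvQ3pGTmZ1S2pzNlhOdGVJZ2Y0YyJ9."
    "eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdC9yZXNvdXJjZXMiLCJleHAiOjE0NTY5MjM3MDcsIm5iZiI6MTQ1NjkyMDEwNywiY2xpZW50X2lkIjoiaW1wbGljaXRDbGllbnQiLCJzY29wZSI6InJlc291cmNlc2NvcGUiLCJzdWIiOiJuaW5qYUB0dXJ0bGUuY29tIiwiYXV0aF90aW1lIjoxNDU2OTIwMTA3LCJpZHAiOiJpZHNydi5leHRlcm5hbCIsInVuaXQ0Y2xhaW10eXBlIjoiZnJvbSB1c2VyIHByb2ZpbGUiLCJ1bml0NF9pZCI6Ik5pbmphIFR1cnRsZSIsImFtciI6WyJleHRlcm5hbCJdfQ."
    "OsYpmq4wdMLNw5wmZ2l3qvk_I7S6oWMmtuiOpDhq-UJJJA2qlR44zFFp9nq9d41Y4MFdGrBZcPZpTOodb6_zwBaNS6yVg2DZsxDdYO_TLP_vlaR13AqGNAOrlAkMzE66W9h3swErE-hnnY50iO0-F9VNN5xXrq6GA_qF4yfvy-euppAC77ricY_OI197JeJMGzGXLLurx8LnCXziqSioosEAYZTFxp8CEIHkH4QJyekMRHIEet9aYQ0rcMxmadn0Zhcj07YxE3YvKYlU7H8HV-oiVutZeZdCH-qXdRowRq3n03Vv28mE7A5buRJGuN4QuaxlwHO-1dSr59bJAqbTwg"
)


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment; JWT segments omit the '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jwt(token: str):
    """Return (header, payload, signature_bytes). Nothing is trusted yet."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def check_claims(header, payload, now, issuer, audience, leeway=60):
    """Claim checks a resource server makes before acting on the payload.

    Signature verification (RS256 with the certificate named by kid/x5t) is
    assumed to be done separately; these checks are necessary, not sufficient.
    Returns a list of problems; an empty list means the claims are acceptable.
    """
    problems = []
    if header.get("alg") != "RS256":  # refuse 'none' or any unexpected algorithm
        problems.append("unexpected alg %r" % header.get("alg"))
    if payload.get("iss") != issuer:  # e.g. "http://localhost" in the page's token
        problems.append("issuer mismatch")
    aud = payload.get("aud")
    aud = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if audience not in aud:  # e.g. "http://localhost/resources" in the page's token
        problems.append("token not intended for this audience")
    if now > payload.get("exp", 0) + leeway:  # exp: expiry, with clock-skew leeway
        problems.append("token expired")
    if now + leeway < payload.get("nbf", 0):  # nbf: not valid before
        problems.append("token not yet valid")
    return problems
```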