Certs
GEThttps://auth.uber.com/oauth/v2/certs¶ Overview
In this doc we will cover how to validate the ID Token provided with Uber OAuth server (based on OIDC Core 1.0 specification)
¶ Prerequisite
We assume you have already done the following when you are reading this page
- registered an account and created Uber developer application at https://developer.uber.com
- requested OAuth scopes for your application(if not please contact your Uber Partner Engineer or Account Executive)
- have an id_token from User ID Token
¶ Validate ID Token - Manual integration
It’s encouraged to conduct manual test before programmatically integrating with your production system. This section provides step-by-step guide to manually generate access token with the asymmetric key.
¶ Step 1: Validating token headers
The example below retrive the JWK from Uber, this is required to validate the the id_token emission using the kid from the JWK and the kid header from the id_token.
THE kid header from /certs is rotated periodically.
# request
curl -X GET "https://auth.uber.com/oauth/v2/certs"
# response
```json
{
"keys": [
{
"kid": "kid",
"kty": "kty",
"alg": "RS256",
"use": "sig",
"e": "AQAB",
"n": "n"
}
]
}
Verify each key in the response keys list for a matching kid on the id_token header, visit Validating the ID Token to learn more about the security reasons for validating the id_token.
Below is a snippet on how to transform the JWK into a public key which will validate the id_token signature.
const jwt = require("jwt");
const jwkToPEM = require("jwk-to-pem")
UberAPI.auth.requestTokens().then((response, error) => {
if (error) {
throw error
}
const decodedToken = jwt.decode(response.access_token, {complete: true})
const kid = decodedToken.headers.kid
const response = await fetch('https://auth.uber.com/oauth/v2/certs');
const jwkResponse = await response.json()
const signatureKey = null
for (key of jwkResponse.keys) {
if (key.kid === kid) {
signatureKey = key
break
}
}
if (!signatureKey) {
throw new Error();
}
const publicKey = jwkToPEM(signatureKey)
try {
const decoded = jwt.verify(token, publicKey);
console.log(decoded)
} catch (e) {
throw new Error();
}
})
Besides verifying the token signature, it’s important to check if all the obrigatory claims are correct, following the list:
iss: The Client ID of the application;sub: The Client ID of the application;aud: auth.uber.com;exp: The expiration time of the JWT;jti: An unique identifier for the JWT;iat: The time at which the JWT was issued.
And the following headers:
alg: RS256;typ: JWT;kid: Key UUID from key file.
¶ Step 2: Validating nonce claims
After successfully receiving the ID Token and validating its header (e.g., signature, algorithm), the next critical step for the client is to validate the nonce claim from the token payload.
¶ Step 2.1: Validation Process
The client must securely store the nonce it generated and sent in the initial authorization request (e.g., in a session cookie or local storage, strictly bound to the user’s session).
¶ Step 2.2: Comparison
Compare the extracted nonce from the ID Token payload with the nonce originally sent by the client.
If the nonces match: The validation is successful. This confirms that the ID Token was issued in response to the specific authentication request made by this client for this session, significantly mitigating replay attacks. The client can proceed to process the ID Token and establish the user’s session.
If the nonces do not match: The validation fails. The client must reject the ID Token and abort the authentication process. This indicates a potential security concern, such as a replay attack or token tampering.
¶ Error Code
This section covers possible error code and message
| Type | Code | Description | type |
|---|---|---|---|
server_error |
405 | http method not allowed | text/plain |
server_error |
500 | server error | text/plain |