OpenID Connect behavior

Document ID : KB000121501
Last Modified Date : 29/11/2018
Question:
We'd like to know if the following token issued by CA Single Sign-On
is a JWT Signed Token.

The first part of the decrypted token doesn't have the "typ" header
and as such we'd like you to confirm that this token is a JWT.


{
kid: "65804645-989e-4833-8dd7-f17c7782ea00",
alg: "RS256"
}.

{
sub: "CN=myname,OU=myuser,O=myorganization",
aud: "c11d5f88-3bba-4a66-8faf-58d6bbb8547z", 
mail: "myname@test.com", 
auth_time: 1540223760, 
iss: "https:\/\/mymachine.mydomain.com:9443", 
exp: 1540227660, 
permisos: "Rol2^Rol1", 
iat: 1540223760, 
nonce: "5zugzYdnoOoIKAxbxwqHmVoxFvtlLoeo8i8Hluvzsiie", 
nombre: "Name of myname" 
}. 
[signature] 
Answer:
At first glance, the "typ" header is optional. 

JSON Web Token (JWT) 

"Use of this Header Parameter is OPTIONAL." 

https://tools.ietf.org/html/rfc7519#page-11 

The section:

{
kid: "65804645-989e-4833-8dd7-f17c7782ea00",
alg: "RS256"
}.

is the JWS header, with the header parameters set by CA Single Sign-On.

CA SSO 12.8 is a certified OpenID Connect
implementation. Please refer to the link below for information.

https://openid.net/certification/ 

So CA SSO 12.8 is a certified OpenID Connect implementation, and the
OpenID Connect 1.0 specification already establishes that the ID Token
is a JWT whose contents are signed and may also be encrypted.
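
The check described in the answer, as an added example (not CA Single Sign-On code): a structural test that a compact token is a JWS-signed JWT whether or not "typ" is present. The function names, the RS256-only allowlist and the sample token are assumptions; the sample reuses the header and a few claims from the question, with a placeholder instead of a real signature.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWS uses base64url without padding (RFC 7515); restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def classify_token(token: str, allowed_algs=("RS256",)) -> dict:
    """Structural check only. It does NOT verify the signature; that still
    requires the issuer's public key identified by "kid"."""
    parts = token.split(".")
    if len(parts) != 3:
        # Five segments would be JWE compact serialization, not a plain signed JWT.
        raise ValueError(f"expected 3 segments for JWS compact form, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must both be JSON objects")
    alg = header.get("alg")
    if alg not in allowed_algs:
        # Rejects a missing alg, "none", and any algorithm the client did not expect.
        raise ValueError(f"unexpected alg: {alg!r}")
    typ = header.get("typ")
    # "typ" is OPTIONAL (RFC 7519); assumption: if present, only "JWT" is accepted.
    if typ is not None and str(typ).upper() != "JWT":
        raise ValueError(f"unexpected typ: {typ!r}")
    if not parts[2]:
        raise ValueError("empty signature segment")
    return {"alg": alg, "kid": header.get("kid"),
            "typ_present": typ is not None, "claims": claims}

# Constructed sample: header and some claims as shown in the question.
HEADER = {"kid": "65804645-989e-4833-8dd7-f17c7782ea00", "alg": "RS256"}
CLAIMS = {"sub": "CN=myname,OU=myuser,O=myorganization",
          "iss": "https://mymachine.mydomain.com:9443",
          "exp": 1540227660, "iat": 1540223760}

def make_sample(header: dict) -> str:
    enc = lambda obj: b64url_encode(json.dumps(obj).encode())
    # Placeholder bytes, not a real RS256 signature.
    return ".".join([enc(header), enc(CLAIMS), b64url_encode(b"placeholder-signature")])

if __name__ == "__main__":
    print(classify_token(make_sample(HEADER)))
```

Passing this check says only that the token has the shape of a signed JWT; a relying party must still verify the RS256 signature and the ID Token claims before trusting it.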