MMMothIDToken

Simple parser for ID Tokens, which are non-encrypted JSON Web Tokens.

In the context of the MMMoth library we are only interested in the expiration time field, just to know when to refresh the token. We are not concerned with verification; that is the job of the backend accepting the tokens. We don’t want support for generic JWTs either, and thus can require some of the fields, avoiding optionals.

  • The raw value of the token.

Required Claims

  • “Issuer Identifier for the Issuer of the response. The iss value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.”

  • “Subject Identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client, e.g., 24400320 or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4.”

  • “Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.”

  • “Expiration time on or after which the ID Token MUST NOT be accepted for processing.”

  • “Time at which the JWT was issued.”

  • “String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token.”

    Note that this is required only for some flows, depending on how the token was obtained.

Some of the Standard Claims

  • “End-User’s full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User’s locale and preferences.”

  • “URL of the End-User’s profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image.”

    Note that Facebook puts a piece of JSON here rather than a URL, so we try to extract the URL from it.

  • “End-User’s preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.”

  • “Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.”

  • “Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.”

  • A raw payload dictionary in case the client needs to read something we have not covered.

  • A raw header dictionary, for diagnostics.
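
As an added illustration (not the library's own Swift code), the same parsing approach in Python: split and base64url-decode the header and payload without verifying the signature, require the claims listed above, normalise `aud` to a list, and pull the URL out of a JSON-valued `picture` claim. The `{"data": {"url": ...}}` shape for the Facebook case, the `needs_refresh` helper and the `make_sample_token` builder are assumptions for this example.

```python
import base64
import json
import time
from dataclasses import dataclass
from typing import Optional

class IDTokenError(ValueError):
    """Raised when the token is malformed or a required claim is missing."""

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

@dataclass
class IDToken:
    raw_value: str          # the token exactly as received
    header: dict            # raw header, for diagnostics only
    payload: dict           # raw payload, for claims not covered below
    iss: str
    sub: str
    aud: list               # always a list, even when the claim was a single string
    exp: float
    iat: float
    nonce: Optional[str]    # required only for some flows, so left optional
    picture: Optional[str]

    @classmethod
    def parse(cls, raw: str) -> "IDToken":
        # No signature verification here: the claims are only used to schedule a
        # refresh on the client; the backend that accepts the token must verify it.
        parts = raw.split(".")
        if len(parts) != 3:
            raise IDTokenError("expected three dot-separated segments")
        try:
            header = json.loads(_b64url_decode(parts[0]))
            payload = json.loads(_b64url_decode(parts[1]))
            iss, sub, aud, exp, iat = (payload[k] for k in ("iss", "sub", "aud", "exp", "iat"))
        except (ValueError, KeyError) as e:
            raise IDTokenError(f"malformed token or missing claim: {e!r}") from None
        picture = payload.get("picture")
        if isinstance(picture, dict):
            # Assumed shape for the Facebook case: {"data": {"url": "..."}}.
            picture = picture.get("data", {}).get("url")
        return cls(raw, header, payload, iss, sub,
                   [aud] if isinstance(aud, str) else list(aud),
                   float(exp), float(iat), payload.get("nonce"), picture)

    def needs_refresh(self, now: Optional[float] = None, leeway: float = 60.0) -> bool:
        # Treat the token as expiring 'leeway' seconds early to absorb clock skew.
        return (time.time() if now is None else now) + leeway >= self.exp

def make_sample_token(payload: dict) -> str:
    # Constructed, unsigned sample for demonstration; the signature segment is a dummy.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "dummy-signature"])
```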

CustomStringConvertible

Equatable