Skip to content

Commit 3072d96

Browse files
committed
docs: update API wording to OpenAPI, add practical ID token validation guide
Replace "swagger documentation" with "OpenAPI specification" on the REST API page and expand the OIDC best-practices ID token validation section with JWKS URL, concrete validation steps, and library hints.
1 parent 62bff91 commit 3072d96

2 files changed

Lines changed: 22 additions & 2 deletions

File tree

docs/oidc-integration-guide/best-practices.md

Lines changed: 21 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -119,7 +119,27 @@ Validate the ID Token and verify scopes.
119119

120120
### Validate ID token
121121

122-
Relying Party must validate ID Tokens.
122+
Relying Parties must validate ID Tokens. The Mobile ID OP signs ID Tokens with **RS256** by default. To verify the signature, fetch the public key from the JWKS endpoint:
123+
124+
| Resource | URL |
125+
|----------|-----|
126+
| Discovery | https://openid.mobileid.ch/.well-known/openid-configuration |
127+
| JWKS | https://openid.mobileid.ch/jwks.json |
128+
129+
**Practical validation steps:**
130+
131+
1. Decode the JWT header and extract the `kid` (Key ID).
132+
2. Fetch the matching public key from the [JWKS endpoint](https://openid.mobileid.ch/jwks.json) (cache the key set and refresh when an unknown `kid` appears).
133+
3. Verify the RS256 signature using the public key.
134+
4. Validate the standard claims:
135+
- `iss` must equal `https://openid.mobileid.ch`
136+
- `aud` must contain your `client_id`
137+
- `exp` must not be in the past
138+
- `nonce` must match the value you sent in the authorization request
139+
140+
::: tip
141+
Most OIDC client libraries (e.g. `openid-client` for Node.js, `authlib` for Python, Spring Security for Java) handle JWKS fetching and ID Token validation automatically when configured with the discovery URL. It is strongly recommended to rely on a well-maintained library rather than implementing token validation manually.
142+
:::
123143

124144
- [OIDC Core — IDTokenValidation](http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation)
125145

docs/rest-api-guide/mobile-id-api.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
The Mobile ID service exposes a web API available via both SOAP and RESTful (JSON) interfaces.
44
Refer to [Application Provider Client Integration](/rest-api-guide/app-provider-client-integration) for a detailed description of these interfaces, including download links for the corresponding WSDL and YAML files that describe the service definitions.
55

6-
For your convenience, the RESTful API swagger documentation is also available here:
6+
The OpenAPI specification for the RESTful API is also available here:
77
[API Specification](/api-reference/api)
88

99

0 commit comments

Comments
 (0)