Tech Study Guide
Identity Examples
Practical OAuth, OIDC, JWKS, and JWT examples for identity troubleshooting and API validation.
Identity Examples
These examples complement Identity and Access and IdP, SAML, JWT, OAuth, and OIDC.
Identity OAuth and JWT Examples
OAuth authorization-code token exchange with PKCE:
curl -sS https://idp.example.com/oauth/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d grant_type=authorization_code \
-d client_id=example-web \
-d code="$AUTHORIZATION_CODE" \
-d redirect_uri=https://app.example.com/callback \
-d code_verifier="$PKCE_VERIFIER"
JWKS key discovery and safe local inspection:
curl -sS https://idp.example.com/.well-known/openid-configuration
curl -sS https://idp.example.com/.well-known/jwks.json | jq '.keys[] | {kid, kty, alg, use}'
JWT claim checks an API should enforce after signature verification:
{
"iss": "https://idp.example.com/",
"aud": "https://api.example.com/",
"scope": "orders:read orders:write",
"exp": 1779570000,
"nbf": 1779566400
}
Study Cards
Why does PKCE include a code_verifier in the token exchange?
It proves the token requester owns the secret derived from the original authorization request.
Why fetch JWKS during JWT troubleshooting?
The API needs the issuer's current public signing keys to verify token signatures.
Which JWT claims are commonly checked by APIs?
Issuer, audience, expiration, not-before time, subject, and scopes or roles.