Steps to validate a JWT
| Step | Validation | Expected result (by environment) |
|---|---|---|
| Signature Verification | | |
| 1 | Decode the JWT. The header and the payload are encoded and separated by "." (period). | |
| 2 | Read the header section and look for the "jku" and "kid" claims. | |
| 3 | Verify the URL against the whitelisted JWKS URLs. | |
| 4 | Download the JWKS from the URL provided in the "jku" claim. | |
| 5 | Read the "n" attribute for the given "kid" claim. | |
| 6 | Check the algorithm used to sign the payload using the "alg" claim from the header section. | |
| 7 | Use the "n" value from the JWKS to validate the signature of the JWT payload. Proceed to the next step only if the signature is valid. | Integrity of the token is intact. |
| Additional Security Validations (JWT validation beyond signatures) | | |
| 8 | Verify subject (sub) | Subject must match the subject provided during the token request. |
| 9 | Verify nonce | Nonce must match the nonce provided during the token request. |
| 10 | Verify issuer (iss) | Issuer must match the below listed issuers by environment. |
| 11 | Verify expiry (exp) | Current time must be prior to the value in the expiry (exp) claim. |
| 12 | Verify audience (aud) | The (aud) claim will contain the API key. (aud) must match the API key provided during the token request. |
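The twelve steps above as a Python verifier, added here as a self-contained example rather than code from this page: it checks the "jku" whitelist before downloading anything, pins "alg" to the key type found in the JWKS, compares the whole PKCS#1 v1.5 block in constant time, and then checks the claims against the values recorded at token request time. The whitelist URL, the issuer value and the demo key pair are constructed placeholders; the RS256 check also reads the "e" exponent from the JWK, which the step list leaves implicit.

```python
import base64, hashlib, hmac, json, time
ALLOWED_JKU = {"https://issuer.example/.well-known/jwks.json"}  # hypothetical whitelist for step 3
DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix of a SHA-256 DigestInfo
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def pkcs1_v15_encode(msg, k):  # EMSA-PKCS1-v1_5 with SHA-256: the byte block RS256 actually signs
    return b"\x00\x01" + b"\xff" * (k - 3 - len(DIGESTINFO) - 32) + b"\x00" + DIGESTINFO + hashlib.sha256(msg).digest()

def rs256_verify(n, e, signing_input, sig):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k: return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, pkcs1_v15_encode(signing_input, k))  # compare the whole block, never parse it

def validate_jwt(token, fetch_jwks, expected, now=None):
    parts = token.split(".")                                               # step 1
    if len(parts) != 3: raise ValueError("malformed token")
    header, payload = (json.loads(b64url_decode(p)) for p in parts[:2])
    jku, kid = header.get("jku"), header.get("kid")                        # step 2
    if jku not in ALLOWED_JKU: raise ValueError("jku not whitelisted")     # step 3, before anything is downloaded
    keys = {k.get("kid"): k for k in fetch_jwks(jku)["keys"]}              # step 4
    if kid not in keys: raise ValueError("unknown kid")                    # step 5
    if header.get("alg") != "RS256" or keys[kid].get("kty") != "RSA":      # step 6: alg pinned to the key type
        raise ValueError("unexpected alg")                                 # (so "none" and HS* are rejected)
    n, e = (int.from_bytes(b64url_decode(keys[kid][x]), "big") for x in ("n", "e"))
    if not rs256_verify(n, e, f"{parts[0]}.{parts[1]}".encode(), b64url_decode(parts[2])):
        raise ValueError("bad signature")                                  # step 7
    for c in ("sub", "nonce", "iss"):                                      # steps 8-10: exact match with the request
        if payload.get(c) != expected[c]: raise ValueError(f"{c} mismatch")
    now = time.time() if now is None else now                              # step 11
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]: raise ValueError("expired")
    aud = payload.get("aud")                                               # step 12: aud may be a string or a list
    if expected["aud"] not in (aud if isinstance(aud, list) else [aud]): raise ValueError("aud mismatch")
    return payload

# Constructed demo key for the self-test only: two public, well-known primes, so it offers no secrecy
P, Q = 2**255 - 19, 2**521 - 1
N, E, D = P * Q, 65537, pow(65537, -1, (2**255 - 20) * (2**521 - 2))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
DEMO_JKU = "https://issuer.example/.well-known/jwks.json"
DEMO_JWKS = {"keys": [{"kty": "RSA", "kid": "demo-1", "n": b64url_encode(N.to_bytes(K, "big")),
                       "e": b64url_encode(E.to_bytes(3, "big"))}]}
fetch_demo_jwks = lambda url: DEMO_JWKS if url == DEMO_JKU else {"keys": []}  # stands in for the HTTPS fetch
def make_demo_token(payload, header=None):  # issuer side, used only to build sample tokens
    header = header or {"alg": "RS256", "kid": "demo-1", "jku": DEMO_JKU}
    enc = lambda o: b64url_encode(json.dumps(o, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = pow(int.from_bytes(pkcs1_v15_encode(signing_input.encode(), K), "big"), D, N)
    return f"{signing_input}.{b64url_encode(sig.to_bytes(K, 'big'))}"
```

A production verifier would fetch the JWKS over HTTPS with caching and a timeout in place of `fetch_demo_jwks`, and would fill `ALLOWED_JKU` and the expected issuer from the environment-specific values this page refers to.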