Steps to validate a JWT
| Step | Validation | Expected result |
|---|---|---|
| Signature verification | | |
| 1 | Split the JWT on "." (period) into its three base64url-encoded segments: header, payload and signature. Decode the header and payload. | Exactly three segments; header and payload decode to JSON. Reject anything else. |
| 2 | Read the "alg", "kid" and "jku" parameters from the header. Nothing in the header is authenticated yet, so treat all three as untrusted input. | |
| 3 | Fetch the JWKS from the URL in the "jku" parameter only if that URL is on the verifier's pre-configured allowlist of trusted issuer JWKS endpoints, and only over HTTPS. Never fetch an arbitrary "jku": an attacker who controls that URL can serve a JWKS containing their own key and sign tokens that verify. | "jku" matches a trusted URL and a JWKS is obtained |
| 4 | Select the key whose "kid" matches and read its "n" (modulus) and "e" (public exponent) attributes; both are needed to build the RSA public key. | Exactly one RSA key with that "kid" is found; otherwise reject. |
| 5 | Check that the "alg" header parameter is the algorithm this verifier expects (for example RS256). Reject "none" and any algorithm not explicitly allowed; the token must not be allowed to choose the algorithm, or the RSA public key could be reused as an HMAC secret. | "alg" equals the pinned algorithm |
| 6 | Using the public key built from "n" and "e", verify the signature over the signing input, that is, the base64url header and payload joined by "." (everything before the final period). Proceed only if the signature is valid. | Integrity of the token is intact |
| Additional security validations (JWT validation beyond the signature) | | |
| 7 | Verify the "nonce" claim in the payload | Must equal the nonce the client sent in the token request; reject if missing or different. |
| 8 | Verify the "exp" claim in the payload | Current time must be before "exp" (seconds since the Unix epoch); allow at most a small clock-skew tolerance. |
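A complete verifier for steps 1 to 8, as an added example written for this page (not code from the original page or from any library it refers to). It uses only Go's standard library. Everything about the issuer is constructed: the trusted JWKS URL TrustedJKU, the key id KeyID, the signing key PrivKey, and the JwksStore map that stands in for the HTTPS fetch of step 3; MintToken plays the issuer so the validator has something to check. Two ordering choices matter: "alg" is pinned before any key is fetched, and the payload is only parsed after the signature check has passed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed fixtures, not a real issuer: the one JWKS URL this verifier trusts, the key id it
// publishes, the signing key, and the JWKS body the URL serves (JwksStore replaces the HTTPS GET of step 3).
const TrustedJKU, KeyID = "https://issuer.example/.well-known/jwks.json", "2024-key-1"

var PrivKey, _ = rsa.GenerateKey(rand.Reader, 2048)
var JwksStore = map[string][]byte{TrustedJKU: mustJSON(map[string]interface{}{"keys": []map[string]string{
	{"kty": "RSA", "kid": KeyID, "n": b64(PrivKey.N.Bytes()), "e": b64(big.NewInt(int64(PrivKey.E)).Bytes())}}})}
var b64url = base64.RawURLEncoding
func b64(b []byte) string           { return b64url.EncodeToString(b) }
func mustJSON(v interface{}) []byte { b, _ := json.Marshal(v); return b }

// MintToken is the issuer side: RS256 over base64url(header).base64url(claims).
func MintToken(hdr, claims map[string]interface{}, key *rsa.PrivateKey) string {
	input := b64(mustJSON(hdr)) + "." + b64(mustJSON(claims))
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64(sig)
}

// ValidateJWT runs steps 1-8 of the table: allowedJKU is the verifier's allowlist of JWKS URLs,
// expectedNonce the nonce sent with the token request, now the clock (injected for testability).
func ValidateJWT(token string, allowedJKU map[string]bool, expectedNonce string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".") // Step 1: header.payload.signature, each base64url
	if len(parts) != 3 {
		return nil, fmt.Errorf("step 1: expected three segments, got %d", len(parts))
	}
	hdrRaw, err1 := b64url.DecodeString(parts[0])
	payloadRaw, err2 := b64url.DecodeString(parts[1])
	sig, err3 := b64url.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("step 1: segments are not valid base64url")
	}
	var hdr struct{ Alg, Kid, Jku string } // Step 2 (encoding/json matches keys case-insensitively)
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, fmt.Errorf("step 2: bad header: %w", err)
	}
	if hdr.Alg != "RS256" { // Step 5 first: alg is unauthenticated input, so pin it, never trust it
		return nil, fmt.Errorf("step 5: alg %q rejected, only RS256 is accepted", hdr.Alg)
	}
	raw, ok := JwksStore[hdr.Jku] // Step 3: allowlisted jku only, or the token picks its own key
	if !allowedJKU[hdr.Jku] || !ok {
		return nil, fmt.Errorf("step 3: untrusted or unreachable jku %q", hdr.Jku)
	}
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	if err := json.Unmarshal(raw, &set); err != nil {
		return nil, fmt.Errorf("step 3: bad JWKS: %w", err)
	}
	var pub *rsa.PublicKey // Step 4: rebuild the public key from n and e of the matching kid
	for _, k := range set.Keys {
		n, errN := b64url.DecodeString(k.N)
		e, errE := b64url.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("step 4: no usable RSA key for kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // Step 6: RSASSA-PKCS1-v1_5/SHA-256 over "header.payload"
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("step 6: signature invalid")
	}
	var claims map[string]interface{} // the payload is read only after step 6 has passed
	if err := json.Unmarshal(payloadRaw, &claims); err != nil {
		return nil, fmt.Errorf("step 6: bad payload: %w", err)
	}
	if nonce, _ := claims["nonce"].(string); nonce == "" || nonce != expectedNonce { // Step 7
		return nil, fmt.Errorf("step 7: nonce missing or mismatched")
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) { // Step 8
		return nil, fmt.Errorf("step 8: exp missing or not in the future")
	}
	return claims, nil
}

func main() {
	now := time.Now()
	hdr := map[string]interface{}{"alg": "RS256", "kid": KeyID, "jku": TrustedJKU}
	tok := MintToken(hdr, map[string]interface{}{"sub": "alice", "nonce": "n-123", "exp": now.Add(time.Hour).Unix()}, PrivKey)
	fmt.Println(ValidateJWT(tok, map[string]bool{TrustedJKU: true}, "n-123", now))
}
```

Run it with `go run`. Hand ValidateJWT a token whose "jku" is not in the allowlist, whose "alg" is "none", or whose payload was swapped after signing, and the returned error names the step that rejected it; a real deployment would replace JwksStore with an HTTPS fetch restricted to the same allowlist and cache the keys by "kid".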