validateJwt

suspend fun validateJwt(jwt: String, jwtName: String, publicKey: EcPublicKey?, algorithm: Algorithm? = publicKey?.curve?.defaultSigningAlgorithmFullySpecified, checks: Map<JwtCheck, String> = mapOf(), maxValidity: Duration = 10.hours, clock: Clock = Clock.System): JsonObject

General-purpose JWT validation using a set of built-in required checks (expiration and signature validity) and a set of optional checks specified in the checks parameter, mostly aimed at simplifying server-side code.

The JWT signature is verified either using a supplied publicKey and algorithm or using a trusted key (the JwtCheck.TRUST check must be specified in this case).

Most of the optional checks just validate that a particular field in the JWT header or body has a certain value. Special optional checks are:

JwtCheck.JTI checks that the jti value is fresh and was not used in any not-yet-expired JWT that was validated before. The value provided with this check id determines the JWT "jti namespace". Two identical jti values that belong to distinct namespaces are not considered to be in conflict.

JwtCheck.TRUST specifies that the signature must be checked against a known trusted key (directly or through the certificate chain specified in x5c). The value provided with this check id determines the Configuration name that holds a JSON-formatted object mapping a name to a trusted key, given as either a JWK or a Base64-encoded CA certificate. The key name in the map is derived from the subject common name of the top X509 certificate, from the kid parameter in the JWT header, or from the iss value in the JWT body.

JwtCheck.CHALLENGE defines the nonce/challenge check using the value of the specified property. The value given to this key in the checks map is used as a property name in the body part of the JWT. That property must exist, and its value is passed to the Challenge.validateAndConsume method.

maxValidity determines the expiration time for JWTs that have iat but not exp in their body, and clock determines the current time used to check for expiration.

Throws

when the nonce or challenge check fails (see JwtCheck.CHALLENGE)

when any other validation fails
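As an added usage example (not part of the library's own documentation), a server-side handler that combines the TRUST, JTI and CHALLENGE checks described above; the Configuration name "serverTrustedKeys", the jti namespace "client-auth", the body property "nonce", the token lifetime cap and the surrounding function are all assumptions for this example.

```kotlin
import kotlin.time.Duration.Companion.minutes
import kotlinx.serialization.json.JsonObject
import kotlinx.serialization.json.jsonPrimitive
// validateJwt and JwtCheck are assumed to be imported from the library's own package.

// Hypothetical handler: validates a client-presented JWT and returns the subject it
// asserts, or null if any check fails. All names below are example assumptions.
suspend fun authenticateClientJwt(jwt: String): String? {
    val body: JsonObject = try {
        validateJwt(
            jwt = jwt,
            jwtName = "client-auth token",
            // No pinned key: the signature is checked against the trusted keys named by TRUST.
            publicKey = null,
            checks = mapOf(
                // Signature must verify against a key/CA listed in the named Configuration entry.
                JwtCheck.TRUST to "serverTrustedKeys",
                // jti must be unused within this namespace while the token is still valid
                // (replay protection for tokens presented more than once).
                JwtCheck.JTI to "client-auth",
                // The "nonce" body property must hold a challenge this server issued;
                // it is consumed on success so the same challenge cannot be reused.
                JwtCheck.CHALLENGE to "nonce",
            ),
            // Cap the lifetime of tokens that carry iat but no exp.
            maxValidity = 5.minutes,
        )
    } catch (e: Exception) {
        // The documentation does not name the exception types thrown on failure,
        // so any validation failure is treated as a rejection of the token.
        return null
    }
    return body["sub"]?.jsonPrimitive?.content
}
```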