Validating Access Tokens
There are a number of steps that need to be considered while validating the access token.
- Check that the JWT is well-formed: it contains three segments (Header, Payload and Signature) separated by period ('.') characters, and each segment is Base64url encoded.
- Verify the signature, using the issuer's public key, to ensure the token has not been tampered with. In the event that the issuer's public key is not known, fetch the missing public key via the token's `iss` claim as specified in RFC 8414 section 3, and temporarily respond with an HTTP 503 code in order to avoid blocking the incoming authorized request.
- Check the registered claims, such as token expiration (`exp`) and token audience (`aud`).
- Check the private claims, to verify whether the token grants permission to access the API.
If any of these steps fail, then the associated request is not valid.
JWT.io lists a number of third-party libraries that support JWT validation for most of the steps described above. However, even when using these libraries, the extra step of private claims validation is still necessary to check the NMOS private claims.