validateJwt
General-purpose JWT validation using a set of built-in required checks (expiration and signature validity) and a set of optional checks specified in the checks parameter.
The JWT signature is verified either with a supplied publicKey and algorithm, or with a trusted key (in that case the JwtCheck.TRUST check must be specified).
Most of the optional checks just validate that a particular field in the JWT header or body has a certain value. The special optional checks are:
JwtCheck.JTI checks that the jti value is fresh, that is, it was not used in any not-yet-expired JWT that was validated before. The value provided with this check id determines the JWT "jti namespace"; two identical jti values that belong to distinct namespaces are not considered to be in conflict.
JwtCheck.TRUST specifies that the signature must be checked against a known trusted key, either directly or through the certificate chain given in the x5c header. The value provided with this check id determines the path of the resource that holds the trusted key. The name of the key is derived from the subject common name of the top certificate in x5c, from the kid parameter in the JWT header, or from the iss value in the JWT body. Once the path and the name are determined, a certificate with the trusted key is extracted from the server resource (see Resources) "trust/$path/$name.pem" or, failing that, the key is loaded from "trust/$path/$name.jwk".
maxValidity determines the expiration time for JWTs that have an iat but no exp claim in their body, and clock determines the current time used for the expiration check.
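The following is an added, stand-alone Python example of the validation model described above (required signature and expiration checks, exact-match optional checks, a namespaced jti replay check, and the iat + maxValidity fallback). It is illustrative code, not the project's own validateJwt implementation: the names validate_jwt, JtiRegistry, make_jwt and is_valid are assumptions, only HS256 is implemented so that it runs with the standard library alone, and the trust-store lookup (JwtCheck.TRUST, x5c, kid, iss) is not modelled.

```python
"""Added example: a minimal JWT validator mirroring the validateJwt checks.
Not the project's code; names and the HS256-only restriction are assumptions."""
import base64
import hashlib
import hmac
import json
import time


class JwtValidationError(Exception):
    """Raised when any required or optional check fails."""


def _b64url_decode(data):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


class JtiRegistry:
    """Remembers (namespace, jti) pairs until the token that carried them expires.
    Identical jti values in different namespaces do not conflict, matching the
    "jti namespace" semantics of JwtCheck.JTI."""

    def __init__(self):
        self._seen = {}  # (namespace, jti) -> expiration time

    def claim(self, namespace, jti, expires_at, now):
        # Expired entries cannot be replayed (the expiration check rejects the
        # token anyway), so they are dropped to keep the registry bounded.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        key = (namespace, jti)
        if key in self._seen:
            raise JwtValidationError("jti %r already used in namespace %r" % (jti, namespace))
        self._seen[key] = expires_at


def make_jwt(claims, key, alg="HS256"):
    """Mint an HS256 token for the example (constructed test input, not an issuer)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_jwt(token, key, algorithm="HS256", header_checks=None, claim_checks=None,
                 jti_namespace=None, jti_registry=None, max_validity=300.0, clock=time.time):
    """Verify signature and expiration, then the optional checks; return the claims."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        signature = _b64url_decode(s64)
    except (ValueError, json.JSONDecodeError) as exc:
        raise JwtValidationError("malformed token") from exc

    # Required check 1: signature. The algorithm is fixed by the caller, never
    # taken from the header, so "alg": "none" or an HMAC/RSA swap is rejected.
    if algorithm != "HS256":
        raise JwtValidationError("unsupported algorithm %r" % algorithm)
    if header.get("alg") != algorithm:
        raise JwtValidationError("header alg does not match expected algorithm")
    expected = hmac.new(key, (h64 + "." + c64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JwtValidationError("bad signature")

    # Required check 2: expiration. exp wins; otherwise iat + max_validity.
    # A token carrying neither is rejected (an assumption made in this example).
    now = clock()
    if "exp" in claims:
        expires_at = float(claims["exp"])
    elif "iat" in claims:
        expires_at = float(claims["iat"]) + max_validity
    else:
        raise JwtValidationError("token carries neither exp nor iat")
    if now >= expires_at:
        raise JwtValidationError("token expired")

    # Optional checks: exact-match comparisons on header and body fields.
    for field, want in (header_checks or {}).items():
        if header.get(field) != want:
            raise JwtValidationError("header %r mismatch" % field)
    for field, want in (claim_checks or {}).items():
        if claims.get(field) != want:
            raise JwtValidationError("claim %r mismatch" % field)

    # Optional JTI check: replay protection scoped to the given namespace.
    if jti_namespace is not None:
        if jti_registry is None or "jti" not in claims:
            raise JwtValidationError("jti check requested but jti missing")
        jti_registry.claim(jti_namespace, str(claims["jti"]), expires_at, now)
    return claims


def is_valid(token, key, **kwargs):
    """Convenience wrapper: True if validate_jwt accepts the token, else False."""
    try:
        validate_jwt(token, key, **kwargs)
        return True
    except JwtValidationError:
        return False
```

The order matters: the signature is checked before any claim is trusted, the expected algorithm comes from the caller rather than the token, and the jti registry is consulted only after signature and expiration have passed, so an attacker cannot poison the namespace with unsigned tokens.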