Verifying a token

After base64 decoding the token, verify that its contents have not been tampered with by checking the signature. The method used to verify a token depends on the algorithm that was used to sign it.

The algorithm used is given in the alg field of the header; this will be either HS256 or RSA256 (the alg value for the latter is RS256, as in the JWKS response below).

Example JWT header:

{
  "typ": "JWT",
  "alg": "HS256"
}

HS256

Use the client_secret as the HMAC-SHA256 key to recompute the signature over the header and payload segments, and compare the result with the token's signature.

RSA256

To verify a token signed with RSA256, you must first fetch the public key from CXM. You can retrieve this programmatically from the JWKS endpoint. You will need a valid access token in order to use this endpoint.

Example request to JWKS endpoint:

curl -X GET https://cxm.example.com/q/jwks \
     -H "Authorization: Bearer YTkxZjgwMWM3M2YxNzgzZjY5MmE2NDA1M2MxODdmZWE2NWZkMzFlYzhmMmM2YzA5NDVlMmFkZjczZThkYTJkMg"

Example response:

{
    "keys": [
        {
            "kty": "RSA",
            "n": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
            "kid": "1234567890",
            "alg": "RS256",
            "e": "AQAB"
        }
    ]
}

If multiple keys are returned, choose the one whose kid value matches the kid in the header of the ID token being verified.

Once you have the public key, you can then use it to verify the token.

Note

The RSA public key is unlikely to change frequently, so it is recommended that you retrieve the key and cache it for a period of time (say 24 hours), then request it again only if the cached version fails to verify a token. This improves performance by reducing the number of requests to CXM per authentication.
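As an added example, not part of this page or of CXM's own code, the HS256 path and the kid lookup against a JWKS document in Python. The mint_hs256 helper only builds a constructed sample token so the verifier can be exercised; the RS256 signature check itself needs an RSA library and is not shown.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def select_jwk(jwks: dict, kid: str):
    # Return the JWKS entry whose kid matches the token header's kid, else None.
    # An unknown kid is a verification failure, never "fall back to the first key".
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    return None

def verify_hs256(token: str, client_secret: str):
    # Return the claims of an HS256 token verified with client_secret, or None.
    # HS256 is pinned by the caller; the header's alg is compared against it,
    # never used to pick the verification method.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # malformed base64url or JSON
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("utf-8")
    expected = hmac.new(client_secret.encode("utf-8"), signing_input,
                        hashlib.sha256).digest()
    # Constant-time compare: a mismatch reveals nothing about where it differs.
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))

def mint_hs256(payload: dict, client_secret: str) -> str:
    # Constructed sample token for this example (not one issued by CXM).
    header_b64 = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload_b64 = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                   hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"
```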
