Token Verification

Let's understand how we can verify whether a token (say, an ID Token) is valid and has not been tampered with.

Different ways to parse and validate JWT Tokens

1. Manual Parsing and Validation

In this approach, we have to manually parse the JWT by splitting it into its three dot-separated components (header, payload, and signature) and base64url-decoding each part. Once split, we have to inspect the token's claims and validate the signature using the signing algorithm and the corresponding key. We have to write the logic ourselves with the help of RFC 7519: JSON Web Token (JWT).

2. JWT Libraries

Utilize the JWT libraries available in your programming language or framework. These libraries provide built-in methods to parse and validate JWT tokens, making the process easier and more robust. Libraries for different frameworks/languages are listed at JWT.IO - JSON Web Tokens Libraries.

3. Identity Provider SDKs

Many identity providers offer SDKs that handle JWT parsing and validation as part of their authentication libraries. For example, libraries like Auth0 SDKs, Okta SDKs, or Azure AD libraries often include methods to validate JWT tokens issued by their respective identity providers.

4. Framework Integration

Some web frameworks have built-in support for JWT token handling and validation. These frameworks provide middleware or modules that handle the parsing, validation, and authentication of JWT tokens automatically.

5. Online Validation Tools

Use online JWT validation tools to perform validation checks without writing code. For example, using this site - JWT.IO (paste only test tokens there, never production ones).

Example using Java JWT Library: Nimbus-JOSE-JWT

We will be using the Java JWT library Nimbus-JOSE-JWT (Bitbucket) and a sample Spring Boot project to verify the ID Token signature of a valid and a forged token.

Fetch the public key details from the certs (JWKS) endpoint (/realms/employee/protocol/openid-connect/certs) and use them to verify the signature of the JWT tokens.

Let's start the Keycloak and MySQL services using docker-compose.

Realm settings attached below for the reference.

pom.xml (nimbus-jose-jwt dependency)

Application.java

Output

Postman Response of http://localhost:1010/realms/employee/protocol/openid-connect/certs
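The verification flow described above, written as an added example with Nimbus-JOSE-JWT (this is not the sample project's own Application.java). The certs URL is the one from this page; the expected issuer and the client id `employee-client` are assumptions, and the token is passed in on the command line.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.net.URL;
import java.util.Date;

public class IdTokenVerifier {
    // Certs endpoint from this page; issuer and audience are assumed values.
    static final String JWKS_URL = "http://localhost:1010/realms/employee/protocol/openid-connect/certs";
    static final String EXPECTED_ISSUER = "http://localhost:1010/realms/employee";
    static final String EXPECTED_AUDIENCE = "employee-client"; // assumed client id

    private final JWKSet jwkSet;
    IdTokenVerifier(JWKSet jwkSet) { this.jwkSet = jwkSet; }

    /** Returns the claims if the token is genuine and current; throws otherwise. */
    JWTClaimsSet verify(String token) throws Exception {
        SignedJWT jwt = SignedJWT.parse(token);
        // Pin the algorithm: never let the token's own "alg" header choose the verifier.
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm()))
            throw new SecurityException("unexpected alg " + jwt.getHeader().getAlgorithm());
        // Select the realm key by the "kid" header; unknown kid means untrusted signer.
        JWK jwk = jwkSet.getKeyByKeyId(jwt.getHeader().getKeyID());
        if (!(jwk instanceof RSAKey))
            throw new SecurityException("no RSA key for kid " + jwt.getHeader().getKeyID());
        if (!jwt.verify(new RSASSAVerifier((RSAKey) jwk)))
            throw new SecurityException("signature mismatch: token is tampered or forged");
        // Signature alone is not enough: check who issued it, for whom, and until when.
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        if (!EXPECTED_ISSUER.equals(claims.getIssuer())) throw new SecurityException("bad iss");
        if (!claims.getAudience().contains(EXPECTED_AUDIENCE)) throw new SecurityException("bad aud");
        Date exp = claims.getExpirationTime();
        if (exp == null || exp.before(new Date())) throw new SecurityException("token expired");
        return claims;
    }

    public static void main(String[] args) throws Exception {
        IdTokenVerifier v = new IdTokenVerifier(JWKSet.load(new URL(JWKS_URL)));
        String token = args[0]; // an ID token issued by the employee realm
        System.out.println("valid token, subject: " + v.verify(token).getSubject());
        // Forged variant: change one character of the payload so the signature no longer matches.
        String[] p = token.split("\\.");
        String last = p[1].endsWith("A") ? "B" : "A";
        String forged = p[0] + "." + p[1].substring(0, p[1].length() - 1) + last + "." + p[2];
        try { v.verify(forged); } catch (Exception e) { System.out.println("forged: " + e.getMessage()); }
    }
}
```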
