In my previous article, we looked at how to get an access token and use it to access a protected resource, in Kotlin. Now we’re going to take a look at the other side of the story: how to validate an access token (in this case a structured JWT) before allowing access to the protected resource.
For token verification we’re going to:
- Get the available public keys from a JWKS endpoint
- Parse the public key used to sign the received JWT
- Verify the access token signature, issuer, and audience. This will also verify that the token hasn't expired (the exp claim), that it was issued in the past (the iat claim), and that the token is allowed to be used (the
We'll then use this logic to protect an API endpoint running on Ktor.
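As an added illustration of the three verification steps above (this is not code from the article or from its Kotlin project): a small Python verifier that selects the key by kid from a JWKS document, checks the signature, and only then validates iss, aud, exp, iat and the standard nbf ("not before") claim. So that it runs offline with the standard library alone, the JWKS is embedded inline and holds a symmetric HS256 key (JWK type "oct") instead of the RSA public key fetched from a remote endpoint in the article; the key selection and the claim checks are the same for either key type. ISSUER, AUDIENCE, KID and SECRET are constructed values, and make_token is an issuer-side helper included only so the example can sign tokens for itself.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenInvalid(Exception):
    """Raised when a token fails any verification step; the message names the step."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed values: a resource server that trusts one issuer and one signing key
ISSUER = "https://issuer.example.test/"
AUDIENCE = "api://orders"
KID = "demo-key-1"
SECRET = b"constructed-demo-secret-never-reuse"
# Inline stand-in for the document a JWKS endpoint would return (kty "oct" = symmetric key)
JWKS = {"keys": [{"kty": "oct", "kid": KID, "alg": "HS256", "k": b64url_encode(SECRET)}]}


def select_key(jwks: dict, kid: Optional[str]) -> dict:
    """Step 2: pick the JWK whose kid matches the one named in the token header."""
    for key in jwks.get("keys", []):
        if kid is not None and key.get("kid") == kid:
            return key
    raise TokenInvalid(f"no key with kid={kid!r} in JWKS")


def make_token(claims: dict, kid: str, secret: bytes) -> str:
    """Issuer side (hypothetical helper) so the example can produce signed tokens."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    segments = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(segments)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_jwt(token: str, jwks: dict, issuer: str, audience: str,
               now: Optional[int] = None, leeway: int = 0) -> dict:
    """Step 3: signature first, then iss/aud/exp/iat/nbf; returns the claims only if all pass."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        provided_sig = b64url_decode(sig_b64)
    except ValueError:
        raise TokenInvalid("header or signature is not valid base64url")
    # The verifier decides which algorithm is acceptable; the token's own alg is never trusted
    if header.get("alg") != "HS256":
        raise TokenInvalid(f"unsupported alg {header.get('alg')!r}")
    key = select_key(jwks, header.get("kid"))
    if key.get("kty") != "oct" or key.get("alg", "HS256") != "HS256":
        raise TokenInvalid("selected key is not usable with HS256")
    expected_sig = hmac.new(b64url_decode(key["k"]), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        raise TokenInvalid("signature mismatch")
    # Only after the signature checks out are the claims worth reading
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenInvalid(f"issuer {claims.get('iss')!r} is not trusted")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenInvalid("token was not issued for this audience")
    for name in ("exp", "iat"):
        if not isinstance(claims.get(name), (int, float)):
            raise TokenInvalid(f"missing or malformed {name} claim")
    if now >= claims["exp"] + leeway:
        raise TokenInvalid("token has expired")
    if claims["iat"] > now + leeway:
        raise TokenInvalid("token claims to be issued in the future")
    if "nbf" in claims and claims["nbf"] > now + leeway:
        raise TokenInvalid("token is not yet valid (nbf)")
    return claims


def rejection_reason(token: str, now: int) -> Optional[str]:
    """For logging and tests: None when the token is accepted, otherwise why it was rejected."""
    try:
        verify_jwt(token, JWKS, ISSUER, AUDIENCE, now=now)
        return None
    except TokenInvalid as exc:
        return str(exc)


if __name__ == "__main__":
    now = int(time.time())
    good = make_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42",
                       "iat": now - 60, "exp": now + 3600}, KID, SECRET)
    print("accepted" if rejection_reason(good, now) is None else "rejected")
```

Two choices matter for the Ktor endpoint as much as here: the accepted algorithm is fixed by the verifier rather than read from the token header, so a header claiming alg "none" or a different algorithm is rejected before any key is looked up, and the payload is not parsed until the signature has been checked, so every claim the endpoint later relies on (sub, scopes) has already been authenticated.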