com.google.crypto.tink.jwt

Interface JwtPublicKeyVerifyInternal

@Immutable
public interface JwtPublicKeyVerifyInternal

Interface for verifying a signed JWT, as described in RFC 7519 and RFC 7515.

Security guarantees: similar to PublicKeyVerify.

Method Summary

Modifier and Type	Method and Description
VerifiedJwt	verifyAndDecodeWithKid(String compact, JwtValidator validator, Optional<String> kid) Verifies and decodes a JWT in the JWS compact serialization format.

Method Detail

verifyAndDecodeWithKid

VerifiedJwt verifyAndDecodeWithKid(String compact,
                                   JwtValidator validator,
                                   Optional<String> kid)
                            throws GeneralSecurityException

Verifies and decodes a JWT in the JWS compact serialization format.

The JWT is validated against the rules in validator. That is, every claim in validator must also be present in the JWT. For example, if validator contains an iss claim, the JWT must contain an identical claim. The JWT can contain claims that are NOT in the validator. However, if the JWT contains a list of audiences, the validator must also contain an audience in the list.

If the JWT contains timestamp claims such as exp, iat or nbf, they will also be validated. validator allows to set a clock skew, to deal with small clock differences among different machines.

Additionally, it verifies that the correct kid header is present if a kid is provided.

Throws:

GeneralSecurityException - when the signature of the token could not be verified, the token contains an invalid claim or header, the token has been expired or can't be used yet