Klarna Docs - Access token validation

Access token validation

Before using an access token, integrators should verify its validity. Validating an OAuth 2.0 token using a JWKS (JSON Web Key Set) endpoint, such as the one provided by Klarna at https://login.klarna.com/eu/lp/idp/.well-known/jwks.json, involves several steps. Here's an outline of how you might proceed.

1. Retrieve JWKS

Make an HTTP GET request to the JWKS endpoint to retrieve the public keys. The response should be a JSON object containing a keys array.

BASH
curl https://login.klarna.com/eu/lp/idp/.well-known/jwks.json 

2. Parse JWKS

Parse the JSON response to extract the keys, which will be in JWK (JSON Web Key) format. You might use a library in your programming environment to help with this.

3. Decode Access Token

Decode the access token to obtain its header. The header contains the Key ID (kid), which identifies the key within the JWKS that was used to sign the token. Decoding does not verify the signature, so the header and its kid are untrusted input until the signature check in step 5 succeeds. You can use a library like jsonwebtoken in Node.js or an equivalent in your programming environment.

JAVASCRIPT
const jwt = require('jsonwebtoken');
// access_token is the raw JWT string received from the caller
const decodedToken = jwt.decode(access_token, { complete: true }); // header + payload, NOT verified
if (!decodedToken || !decodedToken.header.kid) {
  throw new Error('Malformed token or missing kid');
}
const kid = decodedToken.header.kid;

4. Find the Signing Key

Use the kid from the token's header to find the corresponding key in the JWKS. Reject the token if no key matches.

JAVASCRIPT
// jwks is the parsed JSON object retrieved in step 1
const jsonWebKey = jwks.keys.find(key => key.kid === kid);
if (!jsonWebKey) { throw new Error('No signing key in JWKS matches kid ' + kid); }

5. Verify the Signature

Use the public key to verify the signature of the access token. This usually requires using a library that supports JWT and the necessary cryptographic algorithms. Pin the accepted signing algorithm in the verify call rather than trusting the alg value carried in the token header.

JAVASCRIPT
const jwkToPem = require('jwk-to-pem');
const publicKey = jwkToPem(jsonWebKey); // Convert JWK to PEM format
// Restrict verification to the algorithm the JWKS keys are meant for
// (RS256 assumed here for RSA keys; match it to the key type published in the JWKS)
const verifiedToken = jwt.verify(access_token, publicKey, { algorithms: ['RS256'] }); // throws if invalid

6. Check Claims

If the signature is valid, check the claims in the verified token to ensure they meet your requirements (e.g. check the issuer, expiration date, scopes). Note that exp is expressed in seconds since the Unix epoch, not milliseconds.

JAVASCRIPT
const nowInSeconds = Math.floor(Date.now() / 1000); // exp is in seconds, Date.now() is in milliseconds
if (verifiedToken.iss !== expectedIssuer || verifiedToken.exp <= nowInSeconds) { /* Token validation failed */ }