Before using an access token, integrators should verify its validity. Validating an OAuth 2.0 token using a JWKS (JSON Web Key Set) endpoint, such as the one provided by Klarna at https://login.klarna.com/eu/lp/idp/.well-known/jwks.json, involves several steps. Here's an outline of how you might proceed.
Make an HTTP GET request to the JWKS endpoint to retrieve the public keys. The response should be a JSON object containing a keys array.
curl https://login.klarna.com/eu/lp/idp/.well-known/jwks.json
Parse the JSON response to extract the keys, which will be in JWK (JSON Web Key) format. You might use a library in your programming environment to help with this.
Decode the access token to obtain its header. The header contains the Key ID (kid), which identifies the key within the JWKS that was used to sign the token. You can use a library like jsonwebtoken in Node.js or an equivalent in your programming environment.
const jwt = require('jsonwebtoken');
const decodedToken = jwt.decode(access_token, { complete: true }); // decodes only; nothing is trusted until the signature is verified below
const kid = decodedToken.header.kid;
Use the kid from the token's header to find the corresponding key in the JWKS.
const jsonWebKey = jwks.keys.find(key => key.kid === kid);
Use the public key to verify the signature of the access token. This usually requires using a library that supports JWT and the necessary cryptographic algorithms.
const jwkToPem = require('jwk-to-pem');
const publicKey = jwkToPem(jsonWebKey); // Convert JWK to PEM format
// Pin the algorithm(s) you expect (RS256 is assumed here; use the alg advertised by the JWKS key) so the token's own header cannot select a weaker one
const verifiedToken = jwt.verify(access_token, publicKey, { algorithms: ['RS256'] });
If the signature is valid, check the claims in the verified token to ensure they meet your requirements (e.g. check the issuer, expiration date, scopes). Note that jwt.verify already rejects an expired token by default; if you check exp yourself, remember that it is expressed in seconds since the epoch, whereas Date.now() returns milliseconds.
if (verifiedToken.iss !== expectedIssuer || verifiedToken.exp <= Math.floor(Date.now() / 1000)) { /* Token validation failed */ }