Validate IAM token

Token validation steps

The token needs to be validated before it can be trusted.

The following steps are needed to validate a token.

  1. Check the issuer of the token - iss
  2. Ensure that the token has not yet expired - exp
  3. Check the token's signature to ensure it has not been tampered with
    • Retrieve the JWK from Akkess (can be cached)
    • Use the JWK to validate the JWT's signature

Pseudocode example

// JWT IAM token example
// eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImM0YjMwM2FmOThkZGU2OWQxNWJmMDlhZGU3OWM2NDA0IiwiY3R5IjoidDEifQ.eyJqdGkiOiI1YmVhNjkxYi05MjY2LTRmYWMtYWI1ZC00MmVmMzZkZjBiZjEiLCJpc3MiOiJodHRwczovL2FwaS5ha2tlc3MuaW8vYXV0aG9yaXphdGlvbi92MSIsInN1YiI6IjY2NGUyYmU3YmU0MTNkMDkwNThiNDM4ZSIsImF1ZCI6InRlbmFudC02NjQ3M2VlZTNjNDk1NDMzYzAzYWI2MDYiLCJleHAiOjIyMjg5ODM2MzgsImlhdCI6MTcyODk4MDAzOCwiYWNjIjoiYWNjb3VudC02M2M2NWRlZTgzYWJkNDFiZTlmNjExMDQiLCJhcHAiOiJhcHAtNjY0NzNlYjYyYzYyZDQ2M2YyNjJiOTgyIiwidGlkIjoidGVuYW50LTY2NDczZWVlM2M0OTU0MzNjMDNhYjYwNiIsImFycyI6W3siciI6WyJEUklWRVIiXSwiYyI6WyJWSU49VklOLTEyMzQ1Njc4OTAiXX1dfQ.e6TsoqbvLtC8aNChCHoHWs7qSt4quckGDQgtevMuQk_8qNI9LqXMHDuMiVfUBYgzuJa4U9h0GOC5Od1Otj6aAEIpWyz4_Jptq7qTTklZio9o10NmkbmSpQDfrGCyLxdtWH6UzORUDlcX36Zl-B_utUqklk-jnb5dt0J8g1yu2v2Ck5odExMKLpYdPchrAjyD_o09OtBbAavO__L6dgmHwbx2bsD4CSxY9Xh-jyCvJlDyzukDdUYYpGBRKr19C2ooFIRN8JmAQNieWiTAx9FOEqPMQqdoVZ7wYGxb16xpE4YO9G6AiJxJ4SgiNAN536144L06N9klykL2Ln64IQUxrZxoGRuSx-bXwvMRd-RG8nRjt3kXlY3g9N4dBE0JnkMsmpUPqdKMFGu483fWA_ygW-j1EwIHqt2qQgeWCtlRxZTw-dr7eX0NFf1DaegKpgjj9h7DwRTyp68JUAQShA6wjauiGDKu1j29AjWfYJiVD1cyEvf4W2u9kSiH7Tdp0hTM

const jwt = require('jsonwebtoken');    // npm: jsonwebtoken
const jwkToPem = require('jwk-to-pem'); // npm: jwk-to-pem

const verifyTokenAndReturnTokenBody = async iamToken => {
  // Decode token (no signature check yet - header and body are still untrusted)
  const decoded = jwt.decode(iamToken, { complete: true });
  if (!decoded) {
    throw new Error('Malformed token');
  }
  const { header: tokenHeader, payload: tokenBody } = decoded;

  // Check issuer - note that issuer is defined by each system
  if (tokenBody.iss !== 'https://api.akkess.io/authorization/v1') {
    throw new Error('Invalid issuer');
  }

  // Ensure token is not expired (exp is seconds since the Unix epoch)
  const nowUnixTimeSecs = Math.floor(Date.now() / 1000);
  if (typeof tokenBody.exp !== 'number' || tokenBody.exp < nowUnixTimeSecs) {
    throw new Error('Token expired');
  }

  // Fetch jwks and open id config (this should be cached)
  const jwksResponse = await fetch('https://api.akkess.io/authorization/v1/.well-known/jwks.json');
  const jwks = await jwksResponse.json();
  const optionsResponse = await fetch('https://api.akkess.io/authorization/v1/.well-known/openid-configuration');
  const options = await optionsResponse.json();

  // Based on the kid in the token header, find the JWK
  const jwk = jwks.keys.find(key => key.kid === tokenHeader.kid);
  if (!jwk) {
    throw new Error('Faulty Jwk');
  }
  const pem = jwkToPem(jwk);

  // Verify signature - throws if not valid. The algorithm is pinned so the
  // token's own alg header cannot select a weaker one.
  jwt.verify(iamToken, pem, { algorithms: ['RS256'], issuer: options.issuer });

  return tokenBody;
};

JWK - JSON Web Key

A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. In token validation the JWK carries the issuer's public key, which is used to check the token's signature.

A JWK Set is a JSON object that represents a set of JWKs. The JSON object MUST have a "keys" member, with its value being an array of JWKs. Each JWK in the set carries a "kid" (key ID), and the "kid" in the token header selects which key to verify with.