Verify Signed JWT using JWK and Node JS

Not sure why, but this took me some head scratching and research. I am sure someone right now will be screaming out: “that's simple”!

The scenario:

Signature validation is required for an OAuth2 JWT (access_token or OpenID token).

The setup:

I am using IdentityServer4 as the Security Token Service (STS).

The STS has a well-known configuration URL at: http://host:port/.well-known/openid-configuration/

Note: Your STS setup may have this URL at another location. Check the documentation.

The JWKS URL returns a JSON document. The document lists an array of JSON Web Keys (JWKs). The JWKs describe the cryptography used to sign and/or encrypt tokens.

A JWK may also contain a certificate used to sign and/or encrypt the tokens, along with various other fields.

The ‘use’ field within a JWK gives the appropriate use of the key. In the case of signature verification, the ‘use’ field will have a value of ‘sig’.

I have done a very bare-minimum walkthrough using Node for validating an access_token using the keys supplied as part of the JWKS URL.

See the code here.