The token signature should be validated using Nets’ public key to check that this token is signed by Nets. The consent should be validated before giving access to the API, for instance by checking the identity of the person giving consent, the third party name, consent scope and timestamp.
Here is an example how:
// Get Nets' public key
URL jwksURL = discoveryResponse.get("jwks_uri");
HTTPResponse response = new HTTPRequest(HTTPRequest.Method.GET, jwksURL).send();
JSONObject jwks = new JSONObject(response.getContentAsJSONObject().toString());
JSONObject key = jwksJsonObject.getJSONArray("keys").getJSONObject(0);
String kty = key.get("kty").toString();
if (!"RSA".equals(kty)) {
// RSA key does not exist
}
String n = key.get("n").toString();
String e = key.get("e").toString();
Base64 b64 = new Base64();
BigInteger modulus = new BigInteger(1, b64.decode(n.getBytes("UTF-8")));
BigInteger publicExponent = new BigInteger(1, b64.decode(e.getBytes("UTF-8")));
RSAPublicKey publicKey = (RSAPublicKey) KeyFactory.getInstance(kty).generatePublic(new RSAPublicKeySpec(modulus, publicExponent));
WSVerifier verifier = new RSASSAVerifier(publicKey);
JWSObject jwt = JWSObject.parse(token);
// Verify that the token is signed by Nets
if (!jwt.verify(verifier)) {
// Access to API not approved
}
// Get more data from the token and use it to approve access to API
JWTClaimsSet jwtClaimsSet = signedJWT.getJWTClaimsSet();
String personId = jwtClaimsSet.getSubject();
String thirdparty = jwtClaimsSet.getStringClaim("thirdparty");
String scope = jwtClaimsSet.getStringClaim("scope");
Date issueTime = jwtClaimsSet.getIssueTime();
Continue to overview
