Token Verification

The steps required to securely validate a JWS token (such as an ID Token):

  1. Extract the key information from the JWS Token header: kid, alg
  2. Retrieve all JWK entries that BankID exposes from the JWKs endpoint.
  3. Keys used for signing can be filtered by the use attribute on each JWK. This value should be sig.
  4. Find the key used to sign the JWS Token by matching the kid and alg from (1) with the JWK entries.
  5. Extract the public key and certificate chain (x5c) from the JWK entry.
  6. Validate the origin of the key by verifying its complete certificate chain (x5c) against our published root certificate.
  7. Validate the JWS token using the key.
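
The seven steps above carried out end to end, as an added example written for this page with Ruby's standard openssl library rather than BankID's own code. It assumes the caller supplies the parsed JWKS document (step 2), the published root certificate as an X509 object, and that the signing alg is RS256; the pinned-alg check and the modulus comparison are defensive extras that the steps imply but do not spell out.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Steps 1-7 for an RS256 compact JWS ("header.payload.signature").
# jwks: the parsed JWKS document (Hash) fetched from the JWKs endpoint;
# root: the published root certificate as an OpenSSL::X509::Certificate.
# Returns the decoded payload Hash; raises on any failure.
def verify_token(token, jwks, root)
  parts = token.split('.')
  raise 'compact JWS must have exactly three segments' unless parts.size == 3 && token.count('.') == 2
  h64, p64, s64 = parts
  header = JSON.parse(Base64.urlsafe_decode64(h64))                        # step 1: kid, alg
  # Pin alg to what the issuer publishes (RS256 is an assumption here): never
  # honour "none" or an HMAC alg, which would turn the public key into a shared secret.
  raise "unsupported alg #{header['alg'].inspect}" unless header['alg'] == 'RS256'
  jwk = (jwks['keys'] || []).find do |k|                                    # steps 3-4
    k['use'] == 'sig' && k['kid'] == header['kid'] && k['alg'] == header['alg']
  end
  raise 'no signing key matches the token kid/alg' unless jwk
  chain = Array(jwk['x5c']).map do |der64|                                  # step 5
    OpenSSL::X509::Certificate.new(Base64.decode64(der64))                   # x5c entries are standard base64 DER
  end
  raise 'jwk carries no x5c chain' if chain.empty?
  leaf, *intermediates = chain                                              # leaf first, per RFC 7517
  store = OpenSSL::X509::Store.new
  store.add_cert(root)                                                      # trust only the published root
  unless store.verify(leaf, intermediates)                                  # step 6: chain to the root
    raise "x5c chain does not validate against the root: #{store.error_string}"
  end
  pub = leaf.public_key
  raise 'leaf certificate key is not RSA' unless pub.is_a?(OpenSSL::PKey::RSA)
  # The JWK's own modulus must be the leaf certificate's key, otherwise a
  # valid chain would be vouching for some other key.
  if jwk['n'] && Base64.urlsafe_decode64(jwk['n']) != pub.n.to_s(2)
    raise 'jwk n does not match the leaf certificate public key'
  end
  # Step 7: the signature covers the base64url header and payload exactly as received.
  sig = Base64.urlsafe_decode64(s64)
  raise 'signature verification failed' unless pub.verify(OpenSSL::Digest.new('SHA256'), sig, "#{h64}.#{p64}")
  JSON.parse(Base64.urlsafe_decode64(p64))
end
```

Claims such as iss, aud and exp still have to be checked by the caller after the signature and chain have been verified.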

Note

Using a secure and community-provided library to validate JWS tokens is highly recommended.