
Token validation

Signed JWTs (JWS, RFC 7515) are central to the OpenID Connect specification: the signature is what lets a relying party verify the authenticity and integrity of the data exchanged between the parties.

When integrating BankID over OpenID Connect you must always validate the tokens that are issued to you before trusting any claim they contain.

Validation of Signed Tokens

Following well-established OpenID Connect standards, BankID signs every token it issues.

You must validate the JWT signature and ensure that the certificate of the signing key chains to (was issued by) the officially published root certificates. A signature that verifies against a key whose certificate does not chain to those roots proves nothing about who issued the token.

Important

Validating the signature and its certificate chain is what lets you:

  • ensure that tokens have not been tampered with after being issued by BankID's OIDC Provider.
  • guarantee that the tokens did in fact originate from BankID, and not from a potential "man-in-the-middle" actor.

In the published key set, keys used for signing are marked with

{
  "use": "sig"
}

Only keys carrying "use": "sig" may be used to verify token signatures; a key published for any other purpose must be rejected for signature validation even if its key material would happen to verify the signature.
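The validation described on this page, as an added example that is not part of the BankID documentation or BankID's own code: a Go program using only the standard library that looks up the signing key by kid, requires "use": "sig", verifies the x5c certificate chain up to a trusted root, checks the JWS signature with the leaf certificate's key, and only then checks iss, aud and exp. It assumes the key set carries the signing certificate in an x5c chain and that the algorithm is RS256; the issuer URL, client id, kid, keys and certificates in MakeFixture are constructed test data, not BankID values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK holds the RFC 7517 fields needed here: kid, the "use" marker and the x5c chain (leaf first).
type JWK struct {
	Kid string   `json:"kid"`
	Use string   `json:"use"`
	X5c []string `json:"x5c"`
}
type JWKS struct{ Keys []JWK `json:"keys"` }
// Claims are the claims a relying party must check once the signature is good.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}
var b64 = base64.RawURLEncoding

func decodePart(part string, v any) error {
	raw, err := b64.DecodeString(part)
	if err != nil { return err }
	return json.Unmarshal(raw, v)
}
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// ValidateToken verifies an RS256 JWS: select the key by kid, require use == "sig", verify the x5c
// chain up to one of roots, check the signature with the leaf's key, then check iss, aud and exp.
func ValidateToken(token string, jwks JWKS, roots *x509.CertPool, iss, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed JWS") }
	var hdr struct{ Alg, Kid string }
	if err := decodePart(parts[0], &hdr); err != nil { return nil, err }
	if hdr.Alg != "RS256" { return nil, fmt.Errorf("unexpected alg %q", hdr.Alg) } // alg is pinned, never taken from the header
	var key *JWK
	for i := range jwks.Keys {
		if jwks.Keys[i].Kid == hdr.Kid && jwks.Keys[i].Use == "sig" { key = &jwks.Keys[i] }
	}
	if key == nil || len(key.X5c) == 0 { return nil, fmt.Errorf("no signing certificate for kid %q", hdr.Kid) }
	var chain []*x509.Certificate
	for _, s := range key.X5c { // x5c entries are standard base64 DER, not base64url
		der, err := base64.StdEncoding.DecodeString(s)
		if err != nil { return nil, err }
		c, err := x509.ParseCertificate(der)
		if err != nil { return nil, err }
		chain = append(chain, c)
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] { inter.AddCert(c) }
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := chain[0].Verify(opts); err != nil { return nil, fmt.Errorf("signing certificate does not chain to a trusted root: %w", err) }
	pub, ok := chain[0].PublicKey.(*rsa.PublicKey)
	if !ok { return nil, fmt.Errorf("leaf certificate key is not RSA") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signing input is header.payload as transmitted
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil { return nil, fmt.Errorf("signature invalid") }
	var cl Claims
	if err := decodePart(parts[1], &cl); err != nil { return nil, err }
	if cl.Iss != iss || cl.Aud != aud || now.Unix() >= cl.Exp { return nil, fmt.Errorf("iss, aud or exp check failed") }
	return &cl, nil
}

// MakeFixture builds a throwaway root CA, a signing certificate issued by it, a key set advertising that
// certificate under "use":"sig", and a signed RS256 token. Constructed test data only; nothing here is BankID's.
func MakeFixture(now time.Time) (token string, jwks JWKS, roots *x509.CertPool) {
	rootKey, leafKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	rootCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example OIDC signer"},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, rootCert, &leafKey.PublicKey, rootKey))
	roots = x509.NewCertPool()
	roots.AddCert(rootCert)
	jwks = JWKS{Keys: []JWK{{Kid: "k1", Use: "sig", X5c: []string{base64.StdEncoding.EncodeToString(leafDER)}}}}
	payload := must(json.Marshal(Claims{Iss: "https://issuer.example", Aud: "client-1", Exp: now.Add(5 * time.Minute).Unix()}))
	input := b64.EncodeToString([]byte(`{"alg":"RS256","kid":"k1","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig := must(rsa.SignPKCS1v15(rand.Reader, leafKey, crypto.SHA256, digest[:]))
	return input + "." + b64.EncodeToString(sig), jwks, roots
}
func main() {
	now := time.Now()
	tok, jwks, roots := MakeFixture(now)
	fmt.Println(ValidateToken(tok, jwks, roots, "https://issuer.example", "client-1", now))
}
```

The order of the checks matters: the algorithm is pinned before any key is looked up, the key is accepted only if it is marked "use": "sig" and its certificate chains to a trusted root, and the claims are read only after the signature over the exact transmitted header and payload has verified. A token whose x5c chain ends in a different root is rejected even though its signature is mathematically valid, which is the "man-in-the-middle" case the page warns about.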

Steps to validate tokens

The steps required to securely validate a JWS Token are found here.