Overview
This node verifies a JSON Web Token (JWT) using a remote JSON Web Key Set (JWKS) URL. It is useful in scenarios where you need to validate JWTs issued by external identity providers or authorization servers that publish their public keys via JWKS endpoints, such as AWS Cognito, Auth0, or other OAuth/OpenID Connect providers.
Practical examples include:
- Validating access tokens received from clients before granting access to protected resources.
- Ensuring the integrity and authenticity of JWTs in API workflows.
- Decoding and extracting claims from verified JWTs for further processing.
Properties
| Name | Meaning |
|---|---|
| JWT | The JSON Web Token string that needs to be verified. |
| JWKS URL | The URL pointing to the remote JWKS endpoint containing public keys used to verify JWTs. |
Output
The node outputs an array of items where each item contains a json object representing the decoded payload of the verified JWT. This payload includes all the claims present in the token, such as issuer, subject, expiration, and any custom claims.
If verification fails, the node throws an error and does not produce output for that input.
Dependencies
- Requires access to the remote JWKS URL over the network.
- Uses the `jose` library internally to perform JWT verification.
- No special environment variables are needed beyond providing the JWKS URL and JWT string as inputs.
Troubleshooting
Common issues:
- Invalid or malformed JWT string will cause verification to fail.
- Incorrect or unreachable JWKS URL will result in errors fetching the key set.
- Tokens signed with keys not present in the JWKS will fail verification.
- Network connectivity problems can prevent retrieving the JWKS.
Error messages:
- Errors thrown during verification typically indicate invalid tokens or key retrieval failures.
- To resolve, ensure the JWT is correctly formatted and the JWKS URL is accessible and correct.
- Verify that the JWKS endpoint publishes keys compatible with the JWT's signing algorithm.
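The failure cases listed above can be reproduced offline with the following added example. It is not the node's own code and does not use `jose`: it relies on Node.js built-in `crypto`, an embedded JWKS constructed in-process instead of a fetched one, and the hypothetical helpers `signJwt` and `verifyWithJwks`, and it handles RS256 only.

```javascript
// Added example: local stand-in for the verification step (Node.js built-ins only).
const nodeCrypto = require('node:crypto');

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fromB64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Constructed sample data: two RSA key pairs; only the first is published in the JWKS.
const published = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const unpublished = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sampleJwks = {
  keys: [{ ...published.publicKey.export({ format: 'jwk' }), kid: 'key-1', alg: 'RS256', use: 'sig' }],
};

// Hypothetical helper that mints test tokens for the cases in Troubleshooting.
function signJwt(payload, privateKey, kid, alg = 'RS256') {
  const signingInput = `${b64u({ alg, kid, typ: 'JWT' })}.${b64u(payload)}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Verifies an RS256 JWT against a JWKS object; returns the payload or throws.
function verifyWithJwks(token, jwks, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  let header, payload;
  try {
    header = fromB64u(parts[0]);
    payload = fromB64u(parts[1]);
  } catch {
    throw new Error('malformed JWT');
  }
  // Pin the algorithm on the verifier side; never let the token header choose it.
  if (header.alg !== 'RS256') throw new Error('unsupported alg');
  // Select the key by the header's kid; a kid absent from the JWKS is a hard failure.
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) throw new Error('no matching key in JWKS');
  const key = nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' });
  const ok = nodeCrypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`), key,
    Buffer.from(parts[2], 'base64url'));
  if (!ok) throw new Error('signature verification failed');
  // Reject tokens whose exp claim (seconds since epoch) has passed.
  if (typeof payload.exp === 'number' && payload.exp <= now) throw new Error('token expired');
  return payload;
}
```

In this example a valid signature only shows that the token was signed by a key in the supplied JWKS; checks on claims such as `iss` and `aud` in the returned payload are a separate step.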
