Function: validateJwtAccessToken()

💗 Help the project

Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by becoming a sponsor.


validateJwtAccessToken(as, request, expectedAudience, options?): Promise<JWTAccessTokenClaims>

Validates use of JSON Web Token (JWT) OAuth 2.0 Access Tokens for a given Request as per RFC 6750, RFC 9068, and RFC 9449.

The only supported means of sending access tokens is via the Authorization Request Header Field method.

This does validate the presence and type of all required claims as well as the values of the iss, exp, and aud claims.

This does NOT validate the sub, jti, and client_id claims beyond just checking that they're present and that their type is a string. If you need to validate these values further you would do so after this function's execution.

This does NOT validate the DPoP Proof JWT nonce. If your server indicates RS-provided nonces to clients, you would check these after this function's execution.

This does NOT validate authorization claims such as scope either; you would do so after this function's execution.
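As an added example (not oauth4webapi's own code), the checks the paragraphs above leave to the caller, written as a JavaScript post-validation step over the claims object the function resolves with: a client_id allow-list, the sub value, the scope claim, and the RFC 6750 challenge a failed check maps to (using the DPoP scheme when the token carries a cnf.jkt binding). The sample claims, the policy values, the URLs and the `handleRequest` wiring around the library call are assumptions.

```javascript
// Added example, not oauth4webapi code. Constructed claims shaped like what validateJwtAccessToken() resolves with (RFC 9068).
const SAMPLE_CLAIMS = {
  iss: 'https://as.example.com',     // value already checked by validateJwtAccessToken()
  exp: 1900000000,                   // already checked
  aud: 'https://rs.example.com/api', // already checked
  sub: 'user-123',                   // only presence + string type checked
  client_id: 'mobile-app',           // only presence + string type checked
  jti: 'a1b2c3',                     // only presence + string type checked
  scope: 'read write',               // not checked at all
};
// Hypothetical resource-server policy; all values are assumed.
const POLICY = { allowedClientIds: new Set(['mobile-app', 'web-app']), requiredScopes: ['read'] };
// The checks left to the caller: client_id allow-list, non-empty sub, required scopes.
// Returns { ok: true } or { ok: false, error, description } with the RFC 6750 error code.
function authorizeClaims(claims, policy) {
  if (!policy.allowedClientIds.has(claims.client_id)) {
    return { ok: false, error: 'invalid_token', description: 'client_id is not allowed' };
  }
  if (claims.sub.length === 0) {
    return { ok: false, error: 'invalid_token', description: 'sub is empty' };
  }
  // scope is a space-delimited, case-sensitive list (RFC 6749 section 3.3); a missing claim means no scopes.
  const granted = new Set(typeof claims.scope === 'string' ? claims.scope.split(' ').filter(Boolean) : []);
  const missing = policy.requiredScopes.filter((s) => !granted.has(s));
  if (missing.length > 0) {
    return { ok: false, error: 'insufficient_scope', description: `missing scope: ${missing.join(' ')}` };
  }
  return { ok: true };
}
// WWW-Authenticate challenge for a failed check (RFC 6750 section 3). A DPoP-bound token
// (cnf.jkt present, RFC 9449) is challenged with the DPoP scheme rather than Bearer.
function challengeHeader(result, claims, realm) {
  const scheme = claims.cnf && typeof claims.cnf.jkt === 'string' ? 'DPoP' : 'Bearer';
  return `${scheme} realm="${realm}", error="${result.error}", error_description="${result.description}"`;
}
// How the pieces fit together in a handler; the oauth4webapi import is assumed and is not
// exercised offline. `as` is the AuthorizationServer object from the function signature.
async function handleRequest(request, as) {
  const oauth = await import('oauth4webapi');
  const claims = await oauth.validateJwtAccessToken(as, request, 'https://rs.example.com/api');
  const result = authorizeClaims(claims, POLICY);
  if (!result.ok) {
    const status = result.error === 'insufficient_scope' ? 403 : 401; // RFC 6750 section 3.1
    return new Response(null, { status, headers: { 'WWW-Authenticate': challengeHeader(result, claims, 'api') } });
  }
  return new Response(JSON.stringify({ sub: claims.sub }), { status: 200 });
}
```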

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| `as` | `AuthorizationServer` | Authorization Server to accept JWT Access Tokens from. |
| `request` | `Request` | |
| `expectedAudience` | `string` | Audience identifier the resource server expects for itself. |
| `options?` | `ValidateJWTAccessTokenOptions` | |

Returns

Promise<JWTAccessTokenClaims>

See