Nexmo
Feature: validate a JWT locally
Background
The CLI currently has a very useful feature to create a JWT using the nexmo jwt:generate command.
It would be similarly useful for developers to be able to validate a JWT that they have created, for instance in these scenarios:
- They have received an authentication error when calling a Nexmo API using a JWT provided to them
- They have their own custom code to create a JWT, rather than using a Nexmo-provided component, and the JWTs created with it don't seem to work
Syntax
The command structure could look like this (with optional parameters in square brackets):
nexmo jwt:validate path/to/public.key path/to/jwt [sub=myname] [application_id=1234-5678]
The validation would check:
- Is the structure of the JWT valid? i.e. three period-separated blocks
- Is the signature valid?
- Is the signature algorithm valid?
- Does the signature algorithm match the key type?
Probably good to validate + output the decoded header / body. Especially for cases where a call is rejected, and you want to make sure the right subject, applciation_id, etc was passed.
Another useful feature would be to validate the timestamps and returning human readable timestamps (in GMT) Bonus points for being able to test if a JWT is currently valid eg the iat is in the past and the exp is in the future
In terms of validating against public keys it would be better to fetch the public key from the API for applications rather than asking the user to specify it, this is a nice way then to check that the user hasn't got their keys mixed up between what they have locally and what nexmo has stored for that app id Just spent about 30mins helping a user with that problem!