JWT Validate
Use the JWT Validate Node to validate token claims and return the raw contents of the token.
Revision History
1.0.0.0 Initial Release
1.0.0.1 Run from Cloud for supported Sites.
1.0.0.3 Strengthened validation of Base64 payloads.
1.0.1.0 Added a SigningKeys property to the node properties.
1.0.1.2 Added IssuerValidationMode and JwksUri properties to the Connection.
1.0.2.0 Updated discovery URL Connection property to use OIDC metadata URL.
Properties
Connection
Type: Connection Input
The Connection Property
SigningKeys
Type: Multiline Text
The Connection property signing keys are used to validate the JWT token's signature.
See Signing Key Rules for more information.
ClockSkewInMinutes
Type: Int32
Optional, Default = 5 minutes
ClockSkew allows you to account for time drift when validating the token's lifetime.
ValidateIfTokenIsSigned
Type: Boolean
Default = True
When True, the token must be signed.
ValidateExpiration
Type: Boolean
Default = True
Validates whether the token has expired.
ValidateLifetime
Type: Boolean
Default = True
Validates whether the token has exceeded its lifetime.
ValidateAudience
Type: Boolean
Default = True
Validates whether the audience in the token matches the value provided for the Audience property.
Audience
Type: String
Optional
The intended audience for the token.
e.g. 95dc2824-ccb4-4859-836b-7857a705bf31
ValidateIssuer
Type: Boolean
Default = True
Validates whether the issuer in the token matches the value provided for the Issuer property.
Issuer
Type: Multiline Text
Optional
The expected issuer of the token.
e.g. https://login.microsoftonline.com/{tenant-id}/v2.0
IssuerValidationMode
Type: List
Optional, Default = ExactMatch
Controls how the value in Issuer is validated when ValidateIssuer is True.
Supported values:
ExactMatch - The token issuer must exactly match the value in Issuer (case-insensitive).
StartsWith - The token issuer must start with the value in Issuer (case-insensitive).
AnyOf - The token issuer must match one issuer in Issuer. Provide multiple issuers as comma-separated values or on separate lines.
OidcMetadataUrl
Type: String
Optional
The OpenID Connect discovery endpoint used to automatically retrieve configuration and signing keys when explicit signing keys are not provided.
SigningKeys
Type: Multiline Text
The node property signing keys are used to validate the JWT token's signature.
See Signing Key Rules for more information.
JwtToken
Type: Multiline Text Input
The JwtToken Property
The segmented JWT token. At least 3 segments must be provided.
EnableValidation
Type: Boolean
Default = True
When set to False, ignores all JWT token validation. Use this only to inspect JWT payloads without providing validation parameters.
TokenHeader
Type: Multiline Text Output
The TokenHeader Property
The raw token header information.
TokenBody
Type: Multiline Text Output
The TokenBody Property
The raw token body including the claims.
TokenSignature
Type: Multiline Text Output
The TokenSignature Property
The token signature.
Signing Key Rules
The node prioritizes signing keys in this order:
1. SigningKeys on the Node property.
2. SigningKeys on the Connection property.
3. JwksUri on the Connection property (loads keys from the JWKS endpoint).
If no keys can be loaded from any of the options above, validation fails.
Provide signing keys one per line. Each line should contain the Base64 value of a public certificate.
signingkeybase641==
signingkeybase64===
Do not wrap keys with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
The keys should be provided by the issuer. For example, some Microsoft signing keys can be found here. This returns a JSON document where the x5c elements contain the public keys used in SigningKeys.
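Added example, not part of the product's own code: a Python helper that prepares SigningKeys values from either a JWKS document's x5c elements or PEM text, dropping the BEGIN/END wrapper and rejecting anything that is not strict Base64. The function names and the sample certificates (constructed placeholder bytes) are assumptions for illustration.

```python
import base64
import binascii
import json
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed sample input: placeholder bytes, not real certificates.
CERT_A = base64.b64encode(b"\x30\x82\x01\x0a" + b"constructed-cert-A").decode()
CERT_B = base64.b64encode(b"\x30\x82\x01\x0a" + b"constructed-cert-B").decode()
SAMPLE_JWKS = json.dumps({"keys": [{"kid": "a", "x5c": [CERT_A]}, {"kid": "b", "x5c": [CERT_B]}]})
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{CERT_A[:10]}\n{CERT_A[10:]}\n-----END CERTIFICATE-----\n"


def check_der_cert(b64: str) -> str:
    """Return b64 unchanged if it is strict Base64 wrapping a DER SEQUENCE."""
    try:
        der = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid Base64: {b64[:16]}...") from exc
    if not der.startswith(b"\x30"):  # every X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded value is not a DER certificate")
    return b64


def signing_key_lines(source: str) -> str:
    """Turn a JWKS JSON document or PEM text into one Base64 cert per line."""
    text = source.strip()
    if text.startswith("{"):
        jwks = json.loads(text)
        # x5c[0] is the certificate that holds the signing key; the rest is chain.
        certs = [k["x5c"][0] for k in jwks.get("keys", []) if k.get("x5c")]
    else:
        # Drop the BEGIN/END wrapper and join the line-wrapped body.
        certs = ["".join(body.split()) for body in PEM_BLOCK.findall(text)]
    if not certs:
        raise ValueError("no certificates found in input")
    return "\n".join(check_der_cert(c) for c in certs)


if __name__ == "__main__":
    print(signing_key_lines(SAMPLE_JWKS))
```

Only paste keys obtained from the issuer over a trusted channel; the helper checks format, not who issued the certificate.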