After verifying and extracting the payloads from the token, but before returning the object representation of the payload to the user, library authors may wish to add the ability for their token parsers to automatically validate the token against some basic constraints.
This is not strictly required, but validation support is highly recommended.
Some examples of validation rules that libraries may wish to provide include:
ForAudiencewhich compares the payload-providedaudclaim with an expected value.IdentifiedBywhich compares the payload-providedjticlaim with an expected value.IssuedBywhich compares the payload-providedissclaim with an expected value.NotExpiredwhich verifies that the current time is less than or equal to the DateTime stored in theexpclaim.Subjectwhich compares the payload-providedsubclaim with an expected value.ValidAtwhich verifies all of the following:- The current time is less than or equal to the DateTime stored in the
expclaim. - The current time is greater than or equal to the DateTime stored in the
iatclaim. - The current time is greater than or equal to the DateTime stored in the
nbfclaim.
- The current time is less than or equal to the DateTime stored in the
Example implementations of these validators are included in the PHP implementation.
Validation should fail-closed by default (e.g., if invalid data is provided).