A successful login in Limited Login returns an
AuthenticationToken instance. This is a JSON web token (JWT) containing your nonce, if you provided one, a signature, and other pieces of information. Your app should validate the token to make sure it is authentic.
In particular, your app should check the following:
Your app should accept only tokens that have passed all three checks.
The signature is created with the encoded header and payload of the JTW, a signing algorithm, and a secret or public key, depending on the chosen signing algorithm, which is specified in the header. You check the signature by generating a new Base64url-encoded signature using using the public key (RS256)and checking that the signature you generate matches the signature in the JWT.
Retrieve the public key from the JSON web key set (JWKS) by calling the token's JWKS endpoint.
Use the signing algorith specified in the header on the concatenated original Base64url-encoded header and original Base64url-encoded payload of the JWT (
Base64url-encoded header + "." + Base64url-encoded payload), and run them through the cryptographic algorithm specified in the header.
Base64url-encode the result and check that it matches the signature in the JWT.
The standard claims are part of the JWT payload.
exp: Unix timestamp)