How to verify (non jwt) access_token?

The access tokens received from the OAuth2 endpoints aren't JWTs, and common OIDC libraries won't/can't validate them.

They instead appear to be of the format `{expiry}.{service-id}.{user-id}.{scopes};{kid}.{signature}`, but I can't actually get the signature to verify. There's no mention of the non-standard token in the docs. If this token is to be used to access a service, how can that service verify the signature?

4 comments
Official comment

Unfortunately, this format appeared before JWT became a thing.

An endpoint `GET {Hub Service URL}/api/rest/oauth2/auth/key` returns the public DSA key in the format `{version}.{base64(public DSA key)}`.

If you're interested I can share with you Java JARs that we use to parse and verify Hub access token.


Yes please, any resource would be a help :)

0

As it's not possible to share the files here, I've asked our support engineer to reach out to you by other means. We are also going to publish the client library to Maven Central to make it available for everybody. Right now it lives in our internal Maven repository.

Here is the related issue: https://youtrack.jetbrains.com/issue/JPS-9539

0

Wow, Nazarene, nice

0
