
SECValidateAccessToken

Function : User Registration
SECValidateAccessToken - Validates a signed JWT access token.

#include <bsafe.h>

STATUS LNPUBLIC SECValidateAccessToken(
    const char *pszAccessToken,
    const char *pszProviderURL,
    const char *pszRequiredScope,
    const char *pszResourceURL,
    DWORD dwFlags,
    void *vpOptionalParams,
    DWORD dwMaxEmailSize,
    char *retszEmail,
    DWORD *retdwDurationSec);

Description :

Validates a signed JWT access token that was generated by a trusted OIDC provider. Intended to be called by multiple different server tasks, including external code.

Parameters :

Input :

*pszAccessToken - Points to the Base64url-encoded signed JWT to validate.

*pszProviderURL - Base URL of the trusted OIDC provider for this connection.

*pszRequiredScope - "Domino.user.all" or equivalent.

*pszResourceURL - Expected value of the audience (aud) claim, such as https://www.example.com.

dwFlags - Modify behavior from the defaults. See fJWT_validate_* below.

*vpOptionalParams - May point to a JWT_VALIDATE_OPTIONAL_PARAMS structure; see JWT_VALIDATE_OPTIONAL_PARAMS for its fields.

dwMaxEmailSize - Maximum size of the retszEmail buffer.

*retszEmail - Points to the buffer that receives the email address.

*retdwDurationSec - Optional. Points to a DWORD that receives the number of seconds remaining before the token expires.

Output : (routine) - Common return values:

* ERR_BSAFE_NULLPARAM - Invalid NULL inputs or no trusted OIDC providers
* ERR_BSAFE_NON_EXISTENT - OIDC provider not initialized or cannot be used for bearerAuth
* ERR_BSAFE_TOOSMALL - Email address larger than dwMaxEmailSize
* ERR_BSAFE_BAD_ATTRIBUTES - JWT lacking mandatory attributes, or issuer/aud/scope/azp not matching
* ERR_BSAFE_CERT_VALIDITY - JWT issued in the future
* ERR_SECURE_EXPIRED_CERT - JWT expired in the past
* ERR_BSAFE_BAD_SIGNATURE - Invalid signature on JWT
* ERR_BSAFE_BAD_OPCODE - Unsupported combination of signing algorithm and key

*retszEmail - On success, filled in with email address from JWT.

*retdwDurationSec - Optional. On success, filled in with seconds left before expiration.
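The checks behind the return values above, worked through in Python as an added illustration; this is not Domino's implementation. It assumes the issuer (iss) claim must equal pszProviderURL, models only HS256 with a constructed shared key standing in for the provider's signing key, and omits the azp and provider-initialization checks.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256_token(claims: dict, key: bytes) -> str:
    """Constructed test helper: an HS256-signed JWT standing in for a provider-issued token."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def validate_access_token(token, provider_url, required_scope, resource_url,
                          key, max_email_size, now=None):
    """Return (status, email, seconds_left); status names follow SECValidateAccessToken."""
    if not (token and provider_url and required_scope and resource_url):
        return "ERR_BSAFE_NULLPARAM", None, None
    parts = token.split(".")
    try:
        header, claims, sig = (json.loads(b64url_decode(parts[0])),
                               json.loads(b64url_decode(parts[1])), b64url_decode(parts[2]))
    except (ValueError, IndexError):
        return "ERR_BSAFE_BAD_ATTRIBUTES", None, None
    if not (isinstance(header, dict) and isinstance(claims, dict) and len(parts) == 3):
        return "ERR_BSAFE_BAD_ATTRIBUTES", None, None
    # Check the signature before trusting any claim (assumption: only HS256 is modelled here).
    if header.get("alg") != "HS256":
        return "ERR_BSAFE_BAD_OPCODE", None, None
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "ERR_BSAFE_BAD_SIGNATURE", None, None
    # Mandatory attributes, then issuer / audience / scope must match the caller's expectations.
    if any(c not in claims for c in ("iss", "aud", "exp", "iat", "scope", "email")):
        return "ERR_BSAFE_BAD_ATTRIBUTES", None, None
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if (str(claims["iss"]).rstrip("/") != provider_url.rstrip("/")
            or resource_url not in aud or required_scope not in str(claims["scope"]).split()):
        return "ERR_BSAFE_BAD_ATTRIBUTES", None, None
    # Validity window: issued in the future and already expired are reported separately.
    now = int(time.time()) if now is None else now
    if claims["iat"] > now:
        return "ERR_BSAFE_CERT_VALIDITY", None, None
    if claims["exp"] <= now:
        return "ERR_SECURE_EXPIRED_CERT", None, None
    # The email must fit the caller's buffer, NUL terminator included, or the call fails.
    email = str(claims["email"])
    if len(email.encode()) + 1 > max_email_size:
        return "ERR_BSAFE_TOOSMALL", None, None
    return "NOERROR", email, claims["exp"] - now
```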

See Also : SECTokenFree SECTokenFreeInfo SECTokenValidate SECTokenListGenerate