Open jonaskello opened 10 months ago
A solution could involve passing a function as a parameter to the verify method, specifically for validating the token payload. This function should be executed before the signature verification step, ensuring that the signature is validated only if the payload passes this preliminary validation.
@andreseloysv implemented this here https://github.com/auth0/node-jsonwebtoken/pull/972
Describe the problem you'd like to have solved
Be able to verify an already decoded token.
We sometimes decode the token before verification to check if certain claims are present. For example, the tenant claim of the token is used to determine which jwksuri to use for verification. Also, the kid is in the header of the decoded token and is needed to fetch the correct key for verification.
Today the verify() function first calls decode() internally and then continues to do the actual verification. It would be nice if verify() only did the actual verification and let the caller do the decode().
Describe the ideal solution
The verify() function would take a decoded token as argument, or a new function verifyDecoded() could be introduced if overloading is not wanted.
Alternatives and current work-arounds
We could decode the token to get the pre-verify claims and then call verify which then again decodes the token. This works but puts overhead on every request as we always verify the token.