
Step 3

When the third party sends a request to the API and the request contains the consent token, the consent must be validated.

The token signature should be validated using IN Groupe's public key to check that the token was signed by IN Groupe. The consent should be validated before giving access to the API, for instance by checking the identity of the person giving consent, the third party name, the consent scope and the timestamp.

Here is an example of how to do this:

  • JAVA

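// Imports inferred from the class names used below
// (Nimbus JOSE + JWT / OAuth 2.0 SDK, org.json, Apache Commons Codec)
import java.math.BigInteger;
import java.net.URL;
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Date;
import org.apache.commons.codec.binary.Base64;
import org.json.JSONObject;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;

// Get IN Groupe's public key
URL jwksURL = discoveryResponse.get("jwks_uri");
HTTPResponse response = new HTTPRequest(HTTPRequest.Method.GET, jwksURL).send();
JSONObject jwks = new JSONObject(response.getContentAsJSONObject().toString());
// Takes the first key in the set
JSONObject key = jwks.getJSONArray("keys").getJSONObject(0);
String kty = key.get("kty").toString();

if (!"RSA".equals(kty)) {
    // RSA key does not exist
}

// Build the RSA public key from the JWK modulus (n) and exponent (e)
String n = key.get("n").toString();
String e = key.get("e").toString();
Base64 b64 = new Base64();
BigInteger modulus = new BigInteger(1, b64.decode(n.getBytes("UTF-8")));
BigInteger publicExponent = new BigInteger(1, b64.decode(e.getBytes("UTF-8")));
RSAPublicKey publicKey = (RSAPublicKey) KeyFactory.getInstance(kty).generatePublic(new RSAPublicKeySpec(modulus, publicExponent));
JWSVerifier verifier = new RSASSAVerifier(publicKey);
SignedJWT jwt = SignedJWT.parse(token);

// Verify that the token is signed by IN Groupe
if (!jwt.verify(verifier)) {
    // Access to API not approved
}

// Get more data from the token and use it to approve access to API
JWTClaimsSet jwtClaimsSet = jwt.getJWTClaimsSet();
String personId = jwtClaimsSet.getSubject();
String thirdparty = jwtClaimsSet.getStringClaim("thirdparty");
String scope = jwtClaimsSet.getStringClaim("scope");
Date issueTime = jwtClaimsSet.getIssueTime();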
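
The snippet above stops once the claims are read. The following added example (not IN Groupe's code) shows one way to apply the checks named in the text to personId, thirdparty, scope and issueTime after the signature has verified. The class and method names, the 10-minute maximum age, the 30-second clock skew, the space-separated scope format and the sample values are all assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Date;
import java.util.Set;
import java.util.stream.Collectors;

/** Added example: policy checks on consent claims, run only after the signature has verified. */
public final class ConsentCheck {
    // Assumed policy values; choose them to match your own consent rules.
    static final Duration MAX_AGE = Duration.ofMinutes(10);
    static final Duration CLOCK_SKEW = Duration.ofSeconds(30);

    /** Returns null when the consent is acceptable, otherwise the reason for rejecting it. */
    static String reject(String personId, String thirdparty, String scope, Date issueTime,
                         String expectedPerson, String expectedThirdParty,
                         String requiredScope, Instant now) {
        // A missing claim is a rejection, never a default.
        if (personId == null || thirdparty == null || scope == null || issueTime == null) {
            return "missing claim";
        }
        if (!personId.equals(expectedPerson)) return "consent given by a different person";
        if (!thirdparty.equals(expectedThirdParty)) return "consent issued to a different third party";
        // Assumption: scope is a space-separated list; match whole entries, not substrings.
        Set<String> granted = Arrays.stream(scope.trim().split("\\s+")).collect(Collectors.toSet());
        if (!granted.contains(requiredScope)) return "scope does not cover this API";
        Instant iat = issueTime.toInstant();
        if (iat.isAfter(now.plus(CLOCK_SKEW))) return "issued in the future";
        if (iat.plus(MAX_AGE).isBefore(now)) return "consent too old";
        return null;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T12:00:00Z"); // constructed sample values below
        Date fresh = Date.from(now.minusSeconds(60));
        Date stale = Date.from(now.minus(Duration.ofHours(2)));
        System.out.println(reject("person-1", "acme", "read write", fresh, "person-1", "acme", "read", now));
        System.out.println(reject("person-1", "acme", "readonly", fresh, "person-1", "acme", "read", now));
        System.out.println(reject("person-1", "other", "read", fresh, "person-1", "acme", "read", now));
        System.out.println(reject("person-1", "acme", "read", stale, "person-1", "acme", "read", now));
    }
}
```

Any non-null result should be handled the same way as a failed signature check: access to the API is not approved.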

