Skip to content

Using SDK for signature validation

We recommend starting with our SDK section for authentication for any SDK trying to connect to Identity v4. We recommend the following libraries for token signing/verification.

You can fetch the JWK’s public URI from our well-known configurations here:

  • Production: https://id.trimble.com/.well-known/openid-configuration
  • Staging: https://stage.id.trimblecloud.com/.well-known/openid-configuration

See more information in our JWT Validation section.

Section titled “Recommended libraries for authorizing using an SDK”
  • Getting Started with Javascript and the SDK

  • Node JS example is from node-webjson

  • For Identity v4, we recommend Authorization with PKCE instead of an implicit grant flow, but if you using an implicit grant, we recommend using a certified OIDC client. Do check their sample section.

// Validate token with a public RSA key published by the IDP as a list of JSON Web Keys (JWK)
// step 0: you've read the keys from the jwks_uri URL found in http://<IDP authority URL>/.well-known/openid-configuration endpoint
Dictionary<string, JObject> keys = GetKeysFromIdp();
// step 1a: get headers info
var headers = Jose.JWT.Headers(token);
// step 1b: lookup validation key based on header info
var jwk = keys[headers["kid"]];
// step 1c: load the JWK data into an RSA key
RSACryptoServiceProvider key = new RSACryptoServiceProvider();
key.ImportParameters(new RSAParameters
{
    Modulus = Base64Url.Decode((string)jwk["n"]),
    Exponent = Base64Url.Decode((string)jwk["e"])
});
// step 2: perform actual token validation
var payload = Jose.JWT.Decode(token, key);
if (!(string)payload["iss"].Equals("https://identity.trimble.com"))   // http://<IDP authority URL>
    throw new Exception("Unknown issuer");
if (payload.ContainsKey("iat") && (long)payload["iat"] > (now - 300)) // allow for 5min skew
    throw new Exception("Token is issued in the future");
if (payload.ContainsKey("nbf") && (long)payload["nbf"] > (now - 300)) // allow for 5min skew
    throw new Exception("Token is not yet valid");
if (payload.ContainsKey("exp") && (long)payload["exp"] < (now + 300)) // allow for 5min skew
    throw new Exception("Token has expired");