Receiving an HTI launch
Requirements
The application created an ActivityDefinition.
When the application does not use Token Introspection:
The application must be able to map the issuer to its corresponding JWKS endpoint.
Verify the JWT
Incoming HTI launches have a launch parameter. This value represents the signed JWT (see Compose a launch).
Token Introspection
The easiest and safest way to verify the JWT is to use Token Introspection. This way, the application itself does not have to verify all the security checks on the incoming JWT. The token can simply be forwarded to the authentication server and it will perform all the required checks.
Verify the JWT yourself
Using the issuer and the JWKS endpoint, the application can validate whether the JWT is actually signed by the private key of the asymmetric key pair. The JWK can be found using the kid (key id) field from the JWT Header section. For example:
This can be mapped to JWK objects from the JWKS endpoint:
The JWK represents the public key that can be used to validate the signature.
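The kid lookup and signature check described above, as an added example (not code from the HTI documentation), using only the built-in Node.js crypto module. The issuer URL, the key id, the RS256 pin and the embedded JWKS are assumptions constructed for the demo; the payload checks described under "Other important checks" are not covered here.

```javascript
const { generateKeyPairSync, createPublicKey, sign, verify } = require('node:crypto');

// Constructed fixture: a throwaway key pair standing in for the launching party.
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISSUER = 'https://issuer.example'; // hypothetical issuer
const KID = 'demo-key-1';                // hypothetical key id

// Issuer -> JWKS mapping. A real application maps the issuer to a JWKS endpoint
// and fetches/caches the key set; it is embedded here so the example runs offline.
const JWKS_BY_ISSUER = new Map([
  [ISSUER, { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: KID, use: 'sig' }] }],
]);

const b64url = (value) => Buffer.from(value).toString('base64url');
const decodePart = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Builds a constructed launch JWT signed with the fixture key (demo only).
function signDemoLaunch(payload, kid = KID) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
  const input = `${header}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// Returns the payload only if the signature verifies against the JWK
// selected by the issuer mapping and the kid from the JWT header.
function verifyLaunchSignature(launch) {
  const parts = launch.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const [h, p, s] = parts;
  const header = decodePart(h);
  const payload = decodePart(p); // untrusted until the signature verifies
  // Pin the algorithm rather than trusting the header (RS256 is an assumption).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwks = JWKS_BY_ISSUER.get(payload.iss);
  if (!jwks) throw new Error('unknown issuer');
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) throw new Error('no JWK for kid');
  const key = createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const ok = verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  return payload;
}
```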
Other important checks
In addition to verifying the signature, the JWT payload contains fields that are important to validate.