Validation and Parsing
Note: Parsing and validation of the JWS should happen only in your backend. Doing the parsing on the client side defeats the purpose of our digital signature.
JWS structure
The result is a string in JWS Compact Serialization, a compact, URL-safe representation of the JWS; see https://tools.ietf.org/html/rfc7515 for details. The decoded JWS is composed of a header, which defines the algorithm and the token type, and a payload, which contains the data.
Header example:
{
  "kid": "e49b9f971574455ba969b20697a2c7b6",
  "alg": "RS256"
}
The "kid" attribute contains the key identifier needed to retrieve the public key that validates the JWS signature; see JWS validation and parsing for details.
Enrollment payload example
{
  "aud": "clientid",
  "data": {
    "documents": [
      {
        "face": {
          "auditTrailImageId": "5f290764076cff0e3f7b3a2f",
          "matchLevel": 2,
          "match": true
        },
        "documentType": "PASSPORT",
        "scan": {
          "faceImageId": "5e9960242d35cc7ca0328729",
          "frontImageId": "5e9960232d35cc7ca0328725",
          "back": {},
          "front": {
            "documentCode": "P<",
            "dateOfExpiry": "220315",
            "secondaryId": "MARIO",
            "nationality": "ITA",
            "documentNumber": "YAXXXXXX",
            "mrzVerified": true,
            "sex": "M",
            "dateOfBirth": "800825",
            "opt1": "<<<<<<<<<<<<<<",
            "primaryId": "CASOLA",
            "mrzText": "P<ITACASOLA<<MARIO<<<<<<<<<<<<<<<<<<<<<<<<<<\nYAXXXXXX52ITA8008253M2203159<<<<<<<<<<<<<<00",
            "issuer": "ITA"
          },
          "backImageId": null
        },
        "reading": {
          "data": {
            "mrz": {
              "documentCode": "P",
              "dateOfExpiry": "220315",
              "optionalData2": null,
              "gender": "MALE",
              "nationality": "ITA",
              "documentNumber": "YAXXXXXX",
              "dateOfBirth": "800825",
              "issuingState": "ITA",
              "secondaryIdentifier": "MARIO",
              "primaryIdentifier": "CASOLA",
              "optionalData1": "<<<<<<<<<<<<<<0"
            },
            "countrySigningCertificate": {
              "serialNumber": "1",
              "publicKeyAlgorithm": "RSA",
              "subject": "C=IT,O=MINISTERO DELL'INTERNO,OU=PE,CN=CERTIFICATION AUTHORITY 01",
              "certificateThumbprint": "9cb8d31734faa68009d1f7fef68a5cc802cb8a2e",
              "validFrom": "2011-12-14T10:29:04.000+0000",
              "signatureAlgorithm": "SHA1WITHRSA",
              "issuer": "C=IT,O=MINISTERO DELL'INTERNO,OU=PE,CN=CERTIFICATION AUTHORITY 01",
              "validTo": "2027-03-10T10:29:04.000+0000"
            },
            "ldsVersion": null,
            "documentSigningCertificate": {
              "serialNumber": "464",
              "publicKeyAlgorithm": "RSA",
              "subject": "C=IT,O=MINISTERO DELL'INTERNO,OU=PE,CN=DOCUMENT SIGNER.24",
              "certificateThumbprint": "3f0b7bac9adde63916a2c4ebd0e3f38c916a3a97",
              "validFrom": "2012-03-14T11:02:41.000+0000",
              "signatureAlgorithm": "SHA1WITHRSA",
              "issuer": "C=IT,O=MINISTERO DELL'INTERNO,OU=PE,CN=CERTIFICATION AUTHORITY 01",
              "validTo": "2022-06-15T11:02:41.000+0000"
            },
            "photo": "",
            "dataGroupHashes": [
              {
                "computedHash": "86525f4741b3504765f4100f2ddf9bf1f17380ef",
                "dataGroupNumber": 1,
                "storedHash": "86525f4741b3504765f4100f2ddf9bf1f17380ef",
                "match": true
              },
              {
                "computedHash": "b01c95fc9d381f6a7f5fd9f3fae767ea0d9fd2a0",
                "dataGroupNumber": 2,
                "storedHash": "b01c95fc9d381f6a7f5fd9f3fae767ea0d9fd2a0",
                "match": true
              }
            ],
            "photoMimeType": "image/jp2",
            "validity": {
              "dataGroupHashesSucceeded": true,
              "documentSignerSucceeded": true,
              "countrySignerSucceeded": true,
              "sodSignerSucceeded": true
            }
          }
        }
      }
    ],
    "nonce": ""
  },
  "iss": "https://id.uqudo.io",
  "exp": 1587111760,
  "iat": 1587109960,
  "jti": "5a5cb56b-ef3d-434c-9f86-5ab24c4953ec"
}
Face Session payload example
JWS validation and parsing
Note: Parsing and validation of the JWS should happen only in your backend. Doing the parsing on the client side defeats the purpose of our digital signature.
The JWS can be validated using the list of public keys available on https://id.uqudo.io/api/.well-known/jwks.json. It is a public endpoint:
The kid in the JWS header is used to identify the key in the list above.
Note: Check https://jwt.io/libraries for the best library for your environment and programming language. Make sure the library you choose supports loading JWKs from a URL, caches the list of keys in memory, and refreshes the cache only if the kid is not found.
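The key lookup and cache behaviour described in the note above, plus checks on the iss, aud and exp claims shown in the payload example, as an added Python example (not uqudo's code and not one of the library examples on this page). It goes slightly beyond the text: pinning alg to RS256 (taken from the header example), the minimum refresh interval and the 60-second leeway are assumptions, the names JwksCache, select_key, check_claims and the fetch callable are illustrative, and signature verification itself is left to your JWT library.

```python
import base64, json, time

ISSUER = "https://id.uqudo.io"   # "iss" from the payload example on this page
# Constructed sample for offline use; "n" is a placeholder, not a real key.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "e49b9f971574455ba969b20697a2c7b6", "n": "placeholder", "e": "AQAB"}]}

def b64url_json(seg):
    """Decode one base64url JWS segment (compact form drops the padding)."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

class JwksCache:
    """In-memory JWKS; refetched only when a kid is not found."""
    def __init__(self, fetch, min_refresh=300):
        self._fetch = fetch              # callable returning the parsed JWKS document
        self._min_refresh = min_refresh  # assumption: cap refetches, kid is caller-supplied
        self._keys, self._last = {}, None

    def get(self, kid, now=None):
        now = time.time() if now is None else now
        stale = self._last is None or now - self._last >= self._min_refresh
        if kid not in self._keys and stale:
            self._keys = {k["kid"]: k for k in self._fetch()["keys"]}
            self._last = now
        return self._keys.get(kid)       # None means unknown kid: reject the token

def select_key(jws, cache, now=None):
    """Return the JWK that must verify `jws`; raise ValueError otherwise."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS Compact Serialization")
    header = b64url_json(parts[0])
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")   # pin the algorithm, never follow the header
    kid = header.get("kid")
    jwk = cache.get(kid, now) if isinstance(kid, str) else None
    if jwk is None or jwk.get("kty") != "RSA":
        raise ValueError("unknown kid")
    return jwk

def check_claims(claims, client_id, now=None, leeway=60):
    """Call only on a payload whose signature the JWT library already verified."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong iss or aud")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise ValueError("expired")
    return claims.get("data")
```

In production the fetch callable would download https://id.uqudo.io/api/.well-known/jwks.json, and the JWK returned by select_key is the only key the library should be allowed to verify the signature with.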
Below you can find an example on how to parse and validate the JWS using io.jsonwebtoken:
Below you can find an example on how to parse and validate the JWS using com.auth0: