
OnJWTAfterValidateToken Event

Fired after the signature and claim validations run; inspect Header, Payload and Error, and flip the Valid flag to accept or reject the token.

Syntax

property OnJWTAfterValidateToken: TsgcHTTPJWTAfterValidateTokenEvent;
// TsgcHTTPJWTAfterValidateTokenEvent = procedure(Sender: TObject; aConnection: TsgcWSConnection; aToken, aHeader, aPayload, aError: string; var Valid: Boolean) of object

Default Value

Unassigned — the built-in Valid result (signature + claim validations) is returned as-is.

Remarks

Last event of the validation pipeline. Fires after the signature has been verified and the JWTOptions.Validations claim checks have run, regardless of outcome. Parameters:

Example


procedure TMyForm.sgcJWTAfterValidateToken(Sender: TObject;
  aConnection: TsgcWSConnection; aToken, aHeader, aPayload, aError: string;
  var Valid: Boolean);
var
  oJSON: TsgcJSON;
begin
  if not Valid then Exit;
  // extra business check: Issuer must be our auth server
  oJSON := TsgcJSON.Create(nil);
  try
    oJSON.Read(aPayload);
    Valid := (oJSON.Node['iss'] <> nil) and
             (oJSON.Node['iss'].Value = 'https://auth.example.com');
  finally
    oJSON.Free;
  end;
end;
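
A fail-closed variant of the handler above, added here as an illustration and not taken from the sgcWebSockets documentation. It records the rejection reason for tokens that arrive already invalid, and it treats any error while reading the payload as a rejection. The issuer allow-list values and the LogJWTRejection method are hypothetical; the TsgcJSON calls are the ones used in the example above.

```delphi
// Added example. ALLOWED_ISSUERS values and LogJWTRejection are hypothetical.
const
  ALLOWED_ISSUERS: array[0..1] of string = (
    'https://auth.example.com',
    'https://auth-dr.example.com');

procedure TMyForm.sgcJWTAfterValidateToken(Sender: TObject;
  aConnection: TsgcWSConnection; aToken, aHeader, aPayload, aError: string;
  var Valid: Boolean);
var
  oJSON: TsgcJSON;
  vIssuer: string;
  i: Integer;
begin
  // The event also fires for tokens that already failed: record the reason and
  // leave Valid = False. Do not log aToken itself, it is a bearer credential.
  if not Valid then
  begin
    LogJWTRejection('built-in validation failed: ' + aError);
    Exit;
  end;

  Valid := False; // fail closed: only an explicit match below accepts the token
  try
    oJSON := TsgcJSON.Create(nil);
    try
      oJSON.Read(aPayload);
      if oJSON.Node['iss'] <> nil then
      begin
        vIssuer := oJSON.Node['iss'].Value;
        for i := Low(ALLOWED_ISSUERS) to High(ALLOWED_ISSUERS) do
          if vIssuer = ALLOWED_ISSUERS[i] then // exact, case-sensitive match
          begin
            Valid := True;
            Break;
          end;
      end;
    finally
      oJSON.Free;
    end;
  except
    Valid := False; // a parse or lookup error must never accept the token
  end;

  if not Valid then
    LogJWTRejection('issuer not in allow-list');
end;
```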
