TsgcHTTP_JWT_Server › Properties › JWTOptions
Server-side validator configuration: enabled signing algorithms (HS/RS/ES) with their Secret or PublicKey, plus registered-claim validations (iat, nbf, exp).
property JWTOptions: TsgcHTTP_JWT_Server_Options read FJWTOptions write SetJWTOptions;
Defaults: all three algorithm families enabled (HS.Enabled, RS.Enabled, ES.Enabled = True) with no verification material set (HS.Secret, RS.PublicKey and ES.PublicKey empty); all registered-claim checks on (Validations.Expiration, Validations.Issued, Validations.NotBefore = True).
Mirror of TsgcHTTP_JWT_Client.JWTOptions from the validator perspective: instead of signing material it holds the verification material and the checks applied to every incoming token. Sub-objects:
Algorithms – one entry per family (HS, RS, ES), each with an Enabled flag and its verification material. Setting Enabled = False makes the server reject any token whose alg header names that family with "[family] Algorithm not supported". Because the alg header of the incoming token selects which family verifies it, keep only the family your issuer actually uses enabled; the example below does this for RS256.
  HS.Secret – shared secret used to verify HS256/384/512 signatures.
  RS.PublicKey – PEM-encoded RSA public key (TStringList) used to verify RS256/384/512 signatures.
  ES.PublicKey – PEM-encoded ECDSA public key (TStringList) used to verify ES256/384/512 signatures.
Validations – registered-claim checks, all enabled by default:
  Expiration – reject the token when exp is in the past.
  Issued – reject the token when iat is in the future.
  NotBefore – reject the token when nbf is in the future.
Issuer, Audience and any other claims, standard or custom, are not validated automatically: subscribe to OnJWTAfterValidateToken, inspect the decoded Payload and set Valid to False when it does not satisfy your own rules (for example an iss that is not your issuer, or an aud that does not name this server).
// Accept only RS256 tokens signed by a known authority
oJWT.JWTOptions.Algorithms.HS.Enabled := False;
oJWT.JWTOptions.Algorithms.ES.Enabled := False;
oJWT.JWTOptions.Algorithms.RS.Enabled := True;
oJWT.JWTOptions.Algorithms.RS.PublicKey.Text :=
'-----BEGIN PUBLIC KEY-----' + sLineBreak +
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...' + sLineBreak +
'-----END PUBLIC KEY-----';
// Standard claim checks
oJWT.JWTOptions.Validations.Expiration := True;
oJWT.JWTOptions.Validations.Issued := True;
oJWT.JWTOptions.Validations.NotBefore := True;
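The validation order described above (algorithm allow-list, then signature, then exp/iat/nbf, then application rules in an after-validate hook) as an added, stand-alone Python model. This is example code written for this page, not the component's own code and not Delphi: it implements only the HS family with the standard library (RS/ES verification would need an asymmetric-crypto library and is deliberately left unimplemented), the option keys `enabled`/`secret`/`expiration`/`issued`/`not_before`, the helpers `mint_hs_token`, `validate_token` and `demo`, the shared secret, the claims and the fixed clock are all constructed for the example, and the `after_validate` callback stands in for OnJWTAfterValidateToken. Two choices go beyond what the page states and are marked as such in the code: a token with no exp claim fails the Expiration check, and a `leeway` argument tolerates clock skew.

```python
import base64
import hashlib
import hmac
import json
import time

# Stand-in for JWTOptions (constructed for this example, not the component's own
# structure). Only the HS family is enabled here, with a sample shared secret.
DEFAULT_OPTIONS = {
    "algorithms": {"HS": {"enabled": True, "secret": b"example-shared-secret"},
                   "RS": {"enabled": False, "public_key": ""}, "ES": {"enabled": False, "public_key": ""}},
    "validations": {"expiration": True, "issued": True, "not_before": True},
}
HS_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

class JWTRejected(Exception):
    """Carries the reason a token was refused."""

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs_token(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Client side: issue an HS-signed token (used here only to build test input)."""
    segments = ({"alg": alg, "typ": "JWT"}, payload)
    signing_input = ".".join(_b64url_encode(json.dumps(s, separators=(",", ":")).encode()) for s in segments)
    sig = hmac.new(secret, signing_input.encode("ascii"), HS_DIGESTS[alg]).digest()
    return signing_input + "." + _b64url_encode(sig)

def validate_token(token, options=DEFAULT_OPTIONS, now=None, leeway=0, after_validate=None):
    """Return the payload if every enabled check passes, otherwise raise JWTRejected."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTRejected("Malformed token")
    try:
        header, payload = [json.loads(_b64url_decode(p)) for p in parts[:2]]
        signature = _b64url_decode(parts[2])
    except ValueError as exc:  # bad base64url or bad JSON
        raise JWTRejected("Malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise JWTRejected("Malformed token")
    # 1. Allow-list: the alg header picks the verifier, so "none", an unknown alg or a disabled
    #    family is refused before any key material is touched (same wording the page quotes).
    alg = str(header.get("alg", ""))
    fam_name, fam = alg[:2], options["algorithms"].get(alg[:2])
    if fam is None or not fam["enabled"] or (fam_name == "HS" and alg not in HS_DIGESTS):
        raise JWTRejected(f"{fam_name if fam else alg} Algorithm not supported")
    if fam_name != "HS":  # RS/ES need an asymmetric-crypto library; this stand-in is HMAC-only
        raise NotImplementedError(f"{alg} verification is not implemented in this example")
    # 2. Signature over the exact header.payload bytes received, compared in constant time.
    expected = hmac.new(fam["secret"], f"{parts[0]}.{parts[1]}".encode("ascii"), HS_DIGESTS[alg]).digest()
    if not hmac.compare_digest(expected, signature):
        raise JWTRejected("Invalid signature")
    # 3. Registered claims, i.e. Validations.Expiration / Issued / NotBefore.
    exp, iat, nbf = (payload.get(n) for n in ("exp", "iat", "nbf"))
    if any(v is not None and (isinstance(v, bool) or not isinstance(v, (int, float))) for v in (exp, iat, nbf)):
        raise JWTRejected("exp/iat/nbf must be NumericDate values")
    checks = options["validations"]
    if checks["expiration"] and (exp is None or exp + leeway <= now):  # absent exp fails too (design choice)
        raise JWTRejected("Token expired")
    if checks["issued"] and iat is not None and iat - leeway > now:
        raise JWTRejected("Token issued in the future")
    if checks["not_before"] and nbf is not None and nbf - leeway > now:
        raise JWTRejected("Token not yet valid")
    # 4. Application rules (iss, aud, ...) live in a hook, as with OnJWTAfterValidateToken.
    if after_validate is not None and not after_validate(payload):
        raise JWTRejected("Rejected by application rule")
    return payload

def demo() -> dict:
    """Exercise the cases a validator must get right, at a fixed clock (constructed data)."""
    now, secret = 1_700_000_000, DEFAULT_OPTIONS["algorithms"]["HS"]["secret"]
    claims = {"iss": "https://issuer.example", "sub": "alice", "iat": now - 60, "nbf": now - 60, "exp": now + 300}
    hs_off = {**DEFAULT_OPTIONS, "algorithms": {**DEFAULT_OPTIONS["algorithms"], "HS": {"enabled": False, "secret": secret}}}
    unsigned = _b64url_encode(b'{"alg":"none"}') + "." + mint_hs_token(claims, secret).split(".")[1] + "."
    def outcome(token, **kw):
        try:
            validate_token(token, now=now, **kw)
            return "accepted"
        except JWTRejected as exc:
            return str(exc)
    return {
        "valid": outcome(mint_hs_token(claims, secret)),
        "expired": outcome(mint_hs_token({**claims, "exp": now - 1}, secret)),
        "skew_tolerated": outcome(mint_hs_token({**claims, "exp": now - 5}, secret), leeway=10),
        "future_nbf": outcome(mint_hs_token({**claims, "nbf": now + 120}, secret)),
        "future_iat": outcome(mint_hs_token({**claims, "iat": now + 120}, secret)),
        "wrong_secret": outcome(mint_hs_token(claims, b"not-the-server-secret")),
        "alg_none": outcome(unsigned),
        "hs_disabled": outcome(mint_hs_token(claims, secret), options=hs_off),
        "wrong_issuer": outcome(mint_hs_token({**claims, "iss": "https://other.example"}, secret),
                                after_validate=lambda p: p.get("iss") == "https://issuer.example"),
    }
```

`demo()` returns the reason string for each scenario, so the alg-none token and the token whose family is disabled are both refused before any secret is consulted, the signature check runs only on the exact bytes received, and the issuer rule is enforced by the hook rather than by the core validator, which is the division of labour the property description lays out. In the component the equivalent of the hook's return value is the Valid flag you clear inside OnJWTAfterValidateToken.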