❔ ASP.NET CALLBACK

This assumes that the JWKS has been cached. Extract the "kid" field from the JOSE Header of the signature. Compare the extracted "kid" with the cached "kid" in the JWKS. If there is a match, jump to step 3. If they do not match, jump to step 4. Use the cached JWK to verify the signature using your preferred library (for java the standard is jose4j) making sure that: ->> The following critical headers are set: "https://payconiq.com/iat", "https://payconiq.com/jti", "https://payconiq.com/path", "https://payconiq.com/iss", "https://payconiq.com/sub". Refresh the JWKS cached by downloading the latest JWKS. Extract the "kid" field from the JOSE Header of the signature to retrieve the corresponding JWK. Used the cached JWK to verify the signature using your preferred library (for java the standard is jose4j) making sure that: ->> The following critical headers are set: "https://payconiq.com/iat", "https://payconiq.com/jti", "https://payconiq.com/path", "https://payconiq.com/iss", "https://payconiq.com/sub". This assumes that the public key certificate has not been cached. Extract the "kid" field from the JOSE Header of the signature. Download the JWK which matches the key id ("kid") field in the JOSE Header of the signature. Use the downloaded JWK to verify the signature using your preferred library (for java the standard is jose4j) making sure that: ->> The following critical headers are set: "https://payconiq.com/iat", "https://payconiq.com/jti", "https://payconiq.com/path", "https://payconiq.com/iss", "https://payconiq.com/sub". It is important to confirm that the signature is valid before processing the callback. This is to ensure that the payment data returned has not been tampered with and has been processed by Payconiq.