Now that we have all the pieces in place for JWT, we can register the JWT validator as our validator of choice: JwtAuthValidator@cbsecurity.
The validator inspects each incoming request for a valid JWT. It verifies the token's expiration, its required claims, and the user it represents. Once the token is validated, the request continues through the same rule/annotation security flow that cbsecurity leverages.
Each module can also override its validator via its configuration setting cbsecurity.validator. So if the global validator is something other than JWT but your module REQUIRES JWT validation, set the validator in your ModuleConfig.cfc.
JWT Token Discovery
The JWT validator will discover the incoming JWT token from 3 sources:
Authorization header using the bearer token approach
Custom header configured in your settings: cbsecurity.customAuthHeader
Incoming rc (request collection) variable with the same name as cbsecurity.customAuthHeader
Token Scopes & Permissions
If your rules have the permissions element, or your secure annotations have context, those values are treated as the scopes/permissions that the user/token must have at validation.
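
The module override and the rule permissions described above, as an added configuration example that is not part of the original documentation. The module name api, the rule pattern and the scope orders:read are hypothetical, and CBAuthValidator@cbsecurity stands in for a global validator that is not JWT.

```cfml
// --- config/ColdBox.cfc, inside configure() (application-wide) ---
// Global validator is something other than JWT.
moduleSettings = {
    cbsecurity : {
        validator : "CBAuthValidator@cbsecurity"
    }
};

// --- modules_app/api/ModuleConfig.cfc (hypothetical "api" module) ---
component {

    this.title      = "api";
    this.entryPoint = "api";

    function configure(){
        settings = {
            cbsecurity : {
                // Override for this module only: its requests must
                // carry a valid JWT, whatever the global validator is.
                validator : "JwtAuthValidator@cbsecurity",
                // Rule contributed by the module. The permissions
                // element is what the JWT validator checks as the
                // scope the token must have ("orders:read" is made up).
                rules : [
                    {
                        secureList  : "api:.*",
                        permissions : "orders:read"
                    }
                ]
            }
        };
    }

}
```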