Core Server / SERVER-67664

Validate parsed ID tokens

    • Type: Task
    • Resolution: Done
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Security 2022-08-08, Security 2022-08-22, Security 2022-09-05

      After compactly-serialized ID tokens have been parsed into structs representing the header and the payload, they need to be validated in order to determine whether authentication can proceed. This involves the following steps:

      1. Split the compact serialization (three Base64URL segments separated by '.') into 2 components: the message (Base64URLEncoded(Header).Base64URLEncoded(Payload)) and the signature (Base64URLEncoded(Signature)).
      2. Check that the header's typ is JWT and alg is RS256. The algorithm is fixed on the server side; it must never be selected from the token's own alg value.
      3. Base64URLDecode the signature.
      4. Retrieve the keyId from the JWTHeader and then retrieve the corresponding RsaPublicKey from the AsymmetricKeyManager.
      5. Construct an instance of the AsymmetricKeySignatureVerifier using the RsaPublicKey and verify the signature by passing in the message, the signature, and SHA-256 as the requested message digest.
      6. Only if the signature verifies, check that the claims in the JWTPayload include an iss matching the idpIdentifier server parameter, an aud matching the clientId server parameter (per RFC 7519, aud may be a single string or an array of strings), and an exp set in the future.
      7. If all of these checks pass, add the user to the Client's AuthorizationSession, authorize them, and return an OK status so that SASL can complete with successful authentication.

      A unit test should be written that asserts the validator's ability to correctly distinguish between properly signed JWTs with valid claims, improperly signed JWTs, and properly signed JWTs with invalid claims.
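      The validation steps above and the three test cases they imply, as an added example that is not the server's code: it is written in Go rather than C++ because the Go standard library ships RSA, SHA-256 and base64url, so it runs offline with no dependencies. The names Validator, Validate and Mint, the kid -> key map standing in for the AsymmetricKeyManager, the issuer/client identifiers and the generated key are all assumptions for the demonstration; Mint plays the IdP so that properly signed, improperly signed and badly-claimed tokens can all be constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Validator carries the server parameters the ticket names (idpIdentifier, clientId) and a
// kid -> public key map standing in for the AsymmetricKeyManager (assumed shape, not MongoDB's).
type Validator struct {
	IdpIdentifier string
	ClientID      string
	Keys          map[string]*rsa.PublicKey
}

type header struct{ Typ, Alg, Kid string } // encoding/json matches typ/alg/kid case-insensitively
type payload struct {
	Iss string          `json:"iss"`
	Aud json.RawMessage `json:"aud"` // kept raw: RFC 7519 allows a string or an array of strings
	Exp int64           `json:"exp"`
	Sub string          `json:"sub"`
}

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

func decodeJSON(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

func audContains(raw json.RawMessage, want string) bool {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return one == want
	}
	var many []string
	_ = json.Unmarshal(raw, &many) // anything that is neither string nor array leaves many empty
	for _, a := range many {
		if a == want {
			return true
		}
	}
	return false
}

// Validate runs steps 1-6 of the ticket and returns the subject to authorize; claims are only
// read after the signature verifies, so a forged payload never influences the decision.
func (v Validator) Validate(token string) (string, error) {
	parts := strings.Split(token, ".") // step 1: the signed message is header.payload
	var h header                      // step 2: pin typ and alg; the token must never pick the algorithm
	if len(parts) != 3 || decodeJSON(parts[0], &h) != nil || h.Typ != "JWT" || h.Alg != "RS256" {
		return "", errors.New("malformed token or unsupported typ/alg")
	}
	message := parts[0] + "." + parts[1]
	sig, err := b64.DecodeString(parts[2]) // step 3
	key, ok := v.Keys[h.Kid]               // step 4: key lookup by kid
	if err != nil || !ok {
		return "", fmt.Errorf("bad signature encoding or unknown kid %q", h.Kid)
	}
	digest := sha256.Sum256([]byte(message)) // step 5: RS256 is RSASSA-PKCS1-v1_5 over SHA-256
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("signature verification failed")
	}
	var p payload // step 6: iss, aud, exp
	if decodeJSON(parts[1], &p) != nil || p.Iss != v.IdpIdentifier || !audContains(p.Aud, v.ClientID) {
		return "", errors.New("bad payload, or iss/aud do not match the server parameters")
	}
	if p.Exp == 0 || !time.Unix(p.Exp, 0).After(time.Now()) {
		return "", errors.New("exp missing or in the past")
	}
	return p.Sub, nil
}

// Mint plays the IdP for tests: it signs whatever header and claims it is given, so callers
// can build well-formed and deliberately bad tokens alike (constructed helper, not server code).
func Mint(key *rsa.PrivateKey, hdr map[string]string, claims map[string]interface{}) string {
	hb, _ := json.Marshal(hdr)
	pb, _ := json.Marshal(claims)
	message := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	digest := sha256.Sum256([]byte(message))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return message + "." + b64.EncodeToString(sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key
	v := Validator{"https://idp.example", "mongodb-client", map[string]*rsa.PublicKey{"k1": &key.PublicKey}}
	hdr := map[string]string{"typ": "JWT", "alg": "RS256", "kid": "k1"}
	tok := Mint(key, hdr, map[string]interface{}{"iss": v.IdpIdentifier, "aud": v.ClientID,
		"exp": time.Now().Add(time.Hour).Unix(), "sub": "alice"})
	fmt.Println(v.Validate(tok))
}
```

      Two points carry over to any implementation of the steps: the algorithm is pinned before the signature is even decoded, so an alg of none or HS256 is rejected without consulting the key, and the payload is not parsed for claims until the signature check has passed, so a tampered claim set can only produce a signature failure.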

      More details are available here.

            Assignee:
            sara.golemon@mongodb.com Sara Golemon
            Reporter:
            varun.ravichandran@mongodb.com Varun Ravichandran