JWT authentication with WP – Approach

This showed up as a notification due to the upvote. Here’s how I solved it.

  1. The endpoint in the app that I need to authenticate against prepares the token.
  2. The token has to be in the specified format.
  3. It should then be base64-encoded and signed with a keyed hash.
  4. A handler on the wp_init hook should receive the POST request sent by the endpoint and extract the token.
  5. The key is shared through some other channel and is used for decryption.
  6. Once the token is extracted, compare it against a locally generated token built from the same information.
  7. Store it in a cookie and check it on every page access. You can expire it after a while, or extend the time slice on every page access.
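The flow above, as an added example that is not from the original post or from WordPress: the endpoint side builds a base64url-encoded header.payload and signs it with an HMAC-SHA256 keyed hash (the JWT HS256 scheme), and the receiving side (what the wp_init handler would call) recomputes the signature with the shared key, compares it in constant time, checks expiry, and re-issues the token to implement the sliding time slice. The shared key, user name and timestamps are constructed demo values.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Shared secret: constructed placeholder for this example. In the real flow it is
# distributed out of band (step 5), never embedded in the app.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TOKEN_LIFETIME = 600  # seconds a token stays valid before the sliding expiry kicks in (step 7)


def _b64url_encode(raw: bytes) -> str:
    """Base64url without padding, the encoding JWT uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url_encode; restores the padding urlsafe_b64decode expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, key: bytes) -> str:
    """Keyed hash over header.payload (HS256 = HMAC-SHA256)."""
    return _b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())


def create_token(user: str, key: bytes, now: int) -> str:
    """Steps 1-3: the endpoint builds the token in the fixed format, encodes and signs it."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user, "iat": now, "exp": now + TOKEN_LIFETIME}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":"), sort_keys=True).encode("utf-8"))
        for part in (header, payload)
    ).encode("ascii")
    return signing_input.decode("ascii") + "." + _sign(signing_input, key)


def verify_token(token: str, key: bytes, now: int) -> Optional[dict]:
    """Steps 4-6: the receiver regenerates the signature locally with the shared key and
    compares it to the one in the token. Returns the payload on success, None otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, binascii.Error):
        return None
    # Pin the algorithm: the receiver decides how to verify, not the token's "alg" field.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = _sign(f"{header_b64}.{payload_b64}".encode("ascii"), key)
    # Constant-time comparison so signature checking does not leak via timing.
    if not hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8")):
        return None
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, binascii.Error):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None  # expired (or no expiry at all)
    return payload


def refresh_token(token: str, key: bytes, now: int) -> Optional[str]:
    """Step 7: on each page access, verify the cookie's token and re-issue it with a
    fresh expiry, which extends the time slice for active users only."""
    payload = verify_token(token, key, now)
    if payload is None:
        return None
    return create_token(payload["sub"], key, now)


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    token = create_token("alice", SHARED_KEY, issued_at)
    print("token:", token)
    print("valid now:", verify_token(token, SHARED_KEY, issued_at + 10) is not None)
    print("valid after lifetime:", verify_token(token, SHARED_KEY, issued_at + TOKEN_LIFETIME) is not None)
    print("refreshed:", refresh_token(token, SHARED_KEY, issued_at + 100))
```

The value kept in the cookie is the whole token; on every page access the handler calls verify_token, and if it wants the sliding window it replaces the cookie with the result of refresh_token. Rejecting any token whose header does not say HS256 is what stops a client from substituting its own algorithm choice.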

The endpoint can be in any language. This is also the general flow, so you can use it anywhere you want.
