Validation of a nested JWT

Is there a way for Canton to validate the JWT if it is nested, for example:

{
   "param1": "value1",
   "param2": "value2",
   "nestedJWT":
     {
          "aud": "someParticipantId",
          "sub": "someUserId",
          "exp": 1300819380
     }
}

Or to extract the aud and sub from other tags that are not called aud and sub?

No, that’s currently not possible. In what context would this be useful to you?

The aud and sub fields are already used in our system in the JWT format we currently use, which means we can’t use these fields for something else (aka, our Daml app). We also have limited ability to customise our IAM to add new tags in the parent scope of the JWT payload solely for the purpose of the Daml application we’re working on - the IAM generates one single JWT format that’s currently used across all systems that integrate with the IAM. Adding new fields just for our application in the parent scope is not an option, but adding them in a nested scope, as a bit of a compromise, could be an option, for example:

{
   "aud": "already in use",
   "sub": "already in use",
   "our_project":
     {
          "our_project_aud": "someParticipantId",
          "our_project_sub": "someUserId",
          "our_project_exp": 1300819380
     }
}

What is stopping you from allocating Daml users that match the already existing sub fields your IAM produces instead of introducing a separate daml-specific sub?