
Support for JWK #115

Closed
dsingh13 opened this issue Apr 21, 2016 · 12 comments

@dsingh13

Does JJWT have support for JWK? How can I verify a JWT using a JWK?
Please provide an example.

Thanks,
DSingh13

@lhazlewood
Contributor

Not currently, but it will be implemented before 1.0 final for sure. We're currently working on JWE, and that will likely need JWK concepts, so we might get to JWK at the same time - we'll see. Stay tuned!

(PRs always welcome too! ;) ).

@dsingh13
Author

Thanks! Will wait for it.

@lhazlewood
Contributor

Out of curiosity, can you please explain your particular use case so we have an understanding of what is going on so we can prioritize accordingly?

@dsingh13
Author

In our case, we don't have a cert or secret key for validation. We will get the JWK Set from the OAuth 2.0 server, published at a well-known URL. We want to use it to validate our JWT.
Using this pattern we can also gracefully handle key rollover. Hope this provides you some insight into what we are looking for.

@lhazlewood
Contributor

So let me see if my understanding is correct:

  • You probably use an API Key (or similar HTTP Authorization header-based mechanism) to authenticate with an OAuth 2.0 server when requesting a well-known URL.
  • The response to that request contains a JWK that reflects the signing key that you should use for validating future messages that come from the OAuth 2.0 server.
  • When you receive a signed JWT (JWS) from that OAuth 2.0 server, you use the key in the JWK to validate that the message legitimately came from the OAuth 2.0 server.

Is this correct? I just want to ensure that I actually understand the use case. If this isn't the case, please correct me :) Thanks!

@dsingh13
Author

Yes, this is the correct use case.

Thanks!

@lhazlewood
Contributor

👍

@lhazlewood
Contributor

Note: closing this as a duplicate of #113 since the jwe branch has Jwk interfaces.

@ummershervani

@lhazlewood, is the support for JWK out yet? Here is what I am trying to achieve:

    import org.jose4j.jwk.HttpsJwks;
    import org.jose4j.jwt.consumer.JwtConsumer;
    import org.jose4j.jwt.consumer.JwtConsumerBuilder;
    import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

    // jose4j fetches and caches the JWK Set from the issuer's JWKS endpoint
    HttpsJwks httpsJwks = new HttpsJwks("https://ummer.com/jwks");
    // keep serving the cached keys for 300 seconds if a refresh attempt fails
    httpsJwks.setRetainCacheOnErrorDuration(300);
    // selects the cached key whose kid matches the JWS header
    HttpsJwksVerificationKeyResolver httpsJwksKeyResolver =
            new HttpsJwksVerificationKeyResolver(httpsJwks);

    JwtConsumer jwtValidator = new JwtConsumerBuilder()
            .setAllowedClockSkewInSeconds(60)
            .setExpectedIssuer("https://ummer.com")
            .setVerificationKeyResolver(httpsJwksKeyResolver)
            // aud values are compared literally, so this accepts only tokens whose aud is "*"
            .setExpectedAudience("*")
            .build();

Just wanted to grab the JKS using https and then get the claims from JWT.
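The flow lhazlewood summarised above (fetch the JWK Set from the well-known URL, pick the key by `kid`, verify the JWS, and follow key rollover) and the jose4j configuration in the previous comment, as an added example that is not part of this thread and not JJWT or jose4j code. It is written in Python rather than Java so that it runs offline with the standard library alone: the JWK Set is served by an in-memory stand-in for the well-known URL, and the keys are symmetric `oct`/HS256 keys so the signature check needs only `hmac`. An OAuth 2.0 server would publish RSA or EC public keys instead, and only the signature step would change; the resolver logic (cache, `kid` lookup, refresh on an unknown `kid`, refresh throttling) is the same. All issuer, audience, key and time values are constructed for the demo.

```python
"""JWT verification against a JWK Set with kid lookup and key-rollover refresh.

Constructed example for this thread; not JJWT or jose4j code. Keys are "oct"/HS256
so everything runs offline; an OAuth 2.0 server would publish RSA/EC public keys.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional

CLOCK_SKEW_SECONDS = 60    # tolerance for exp, matching the jose4j snippet above
FIXED_NOW = 1_700_000_000  # constructed "current time" so the demo is deterministic


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class JwksKeyResolver:
    """Caches a JWK Set by kid and re-fetches when an unknown kid appears.

    Re-fetching on an unknown kid is what makes rollover seamless: the first token
    signed with the new key triggers a refresh. The refresh is rate-limited so that
    tokens carrying bogus kids cannot turn the verifier into a JWKS-endpoint flood.
    """

    def __init__(self, fetch_jwks: Callable[[], dict], min_refresh_interval: float = 60.0):
        self._fetch = fetch_jwks                  # e.g. an HTTPS GET of the well-known URL
        self._min_refresh = min_refresh_interval
        self._keys: Dict[str, dict] = {}
        self._last_refresh: Optional[float] = None
        self.fetch_count = 0                      # exposed for the demo and tests

    def _refresh(self) -> None:
        now = time.monotonic()
        if self._last_refresh is not None and now - self._last_refresh < self._min_refresh:
            return  # throttled: keep the current cache
        jwks = self._fetch()
        self.fetch_count += 1
        self._last_refresh = now
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}

    def resolve(self, kid: str) -> dict:
        if kid not in self._keys:
            self._refresh()  # also covers the very first lookup on an empty cache
        if kid not in self._keys:
            raise KeyError(f"no key with kid={kid!r} in JWK Set")
        return self._keys[kid]


def sign_hs256(claims: dict, key: bytes, kid: str) -> str:
    """Mint a token the way the simulated issuer would; used only to build demo input."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    h64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"


def verify_jwt(token: str, resolver: JwksKeyResolver, issuer: str, audience: str, now: int) -> dict:
    """Verify the signature with the resolved key, then check iss, aud and exp."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT: expected three segments") from None
    header = json.loads(b64url_decode(h64))
    # The header is attacker-controlled: pin the algorithm instead of trusting header["alg"].
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    kid = header.get("kid")
    if not isinstance(kid, str):
        raise ValueError("missing kid")
    jwk = resolver.resolve(kid)
    if jwk.get("kty") != "oct":
        raise ValueError("key type does not match the pinned algorithm")
    expected = hmac.new(b64url_decode(jwk["k"]), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud", [])
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    if "exp" in claims and now > claims["exp"] + CLOCK_SKEW_SECONDS:
        raise ValueError("token expired")
    return claims


def demo_rollover() -> dict:
    """The issuer rotates from kid 'k1' to 'k2'; the verifier follows without a restart."""
    issuer, audience = "https://issuer.example", "my-api"  # constructed values
    key1, key2 = b"constructed-key-one-32-bytes!!!!", b"constructed-key-two-32-bytes!!!!"
    published = {"keys": [{"kty": "oct", "kid": "k1", "k": b64url_encode(key1)}]}
    resolver = JwksKeyResolver(lambda: published, min_refresh_interval=0.0)
    claims = {"iss": issuer, "aud": audience, "exp": FIXED_NOW + 300}

    token1 = sign_hs256(claims, key1, "k1")
    first_ok = verify_jwt(token1, resolver, issuer, audience, FIXED_NOW)["iss"] == issuer

    # Rollover: the issuer now publishes only the new key and signs with it.
    published["keys"] = [{"kty": "oct", "kid": "k2", "k": b64url_encode(key2)}]
    token2 = sign_hs256(claims, key2, "k2")
    rotated_ok = verify_jwt(token2, resolver, issuer, audience, FIXED_NOW)["iss"] == issuer

    # The retired key is gone from the set, so tokens signed with it are rejected.
    try:
        verify_jwt(token1, resolver, issuer, audience, FIXED_NOW)
        old_rejected = False
    except KeyError:
        old_rejected = True

    # Editing the payload breaks the signature even though kid and key are valid.
    h64, _, s64 = token2.split(".")
    forged = f"{h64}.{b64url_encode(json.dumps({**claims, 'aud': 'other-api'}).encode())}.{s64}"
    try:
        verify_jwt(forged, resolver, issuer, audience, FIXED_NOW)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True

    return {"first_ok": first_ok, "rotated_ok": rotated_ok, "old_rejected": old_rejected,
            "tampered_rejected": tampered_rejected, "fetches": resolver.fetch_count}


if __name__ == "__main__":
    print(demo_rollover())
```

The demo performs exactly three fetches: one to fill the empty cache, one when the rotated `kid` first appears, and one when the retired `kid` is presented again and is confirmed gone. In production the fetch callable would do the HTTPS request to the well-known URL, `min_refresh_interval` would stay at a value like 60 seconds, and the `oct`/HMAC branch would be replaced by RSA or EC signature verification keyed by the same `kid` lookup.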

@alejandro-perez

I'm also interested in knowing if you have support for this.

@edeandrea

+1 for this as well. We've switched to a different parsing library that supports it.

@jakub-bochenski

Yeah, just use jose4j and save yourself some time

@lhazlewood lhazlewood added this to the 0.12.0 milestone Sep 13, 2023