Verify JWT with JWKS #663
Comments
Not directly, but it’s pretty easy to add a custom key resolver to do it. (Mobile, sorry for the brief response)
Thanks for the quick response! How is the access token then verified?
You can use JJWT to validate a JWT access token, but each IdP will have different guidelines as to which additional claims to validate. Which IdP are you using? Note: any recommendations from an IdP would always be in addition to the standard JWT validation (which JJWT does automatically)
Just a note: this will be easier when #113 is complete as JWK support is required for JWE.
This issue has been automatically marked as stale due to inactivity for 60 or more days. It will be closed in 7 days if no further activity occurs.
@EPilz when you created this issue, how specifically were you expecting to verify JWTs with JWKs? Do you mean like @bdemers suggested? If not, what is the use case (or usage paradigm) you wanted to support? JWKs are fully supported in the
I'm using 0.12.1 and unclear what fully supported means. I'm expecting to be able to do something like this:
This doesn't work, and I can't figure out from the voluminous readme what I'm supposed to do with the Jwk object once I have it. I can see how I could parse it myself and then write a key locator that digs for the right
@jkellyinsf Jwts.parser().verifyWith(jwk.toKey())... Or return There might be a chance in a future version for Does that help? I'm happy to clarify anything that we might be missing, and then add that to the README, because odds are high that if you have questions, others will as well :)
Thanks @lhazlewood, I'm struggling with that. I can get it to compile if I cast jwk.toKey() to either PublicKey or SecretKey. But regardless the Jwk parse fails with "JWK is missing required 'kty' (Key Type) parameter," I presume because the jwks.json follows this structure and contains more than one key.
@jkellyinsf that's because what you linked to is not a Jwks.setParser().build().parse(jwkSetJson);
Ah, that makes sense. So that leaves me with a
@jkellyinsf I think that makes sense. FWIW, depending on the size of the

@Override // extends from LocatorAdapter<Key>
protected Key locate(ProtectedHeader header) {
    Jwk<?> jwk = keyMap.get(header.getKeyId());
    if (jwk == null) { // unknown or missing kid: fail closed instead of an NPE on toKey()
        throw new io.jsonwebtoken.security.SecurityException("Unknown kid: " + header.getKeyId());
    }
    return jwk.toKey();
}

which makes key location/lookups a constant-time operation. Just to be careful however, if it were me, I would assert that the key being referenced in the header is allowed to be used for that particular JWS or JWE. For example, if the header is a We're going to automate these additional kinds of checks in a future release, but we didn't have time to automate that for the
Thanks, that's a good idea. For the benefit of future readers and GPT spiders, here's what I got to work:
I appreciate the help, @lhazlewood!
@jkellyinsf don't forget that all JJWT Jwks.setParser().build().parse(httpBody.getInputStream()).getKeys().collect... I dunno how Methanol works or if that's possible, but food for thought.
Also, if you are confident that the

// Upon receiving a token
Jws<Claims> jws = jwtParser.parseSignedClaims(token); // alias for parse(token).accept(Jws.CLAIMS)
Claims claims = jws.getPayload();                     // parseSignedClaims returns Jws<Claims>, not Claims
UPDATE: Please disregard, I found what I needed in https://github.com/jwtk/jjwt#jwk-private-topub. If you have a JWKS with both the private and public key pair and use the above, you end up with the following exception:

The JWKS itself looks something like this (redacted) bit of JSON:

{
  "keys": [
    {
      "p": "…",
      "kty": "…",
      "q": "…",
      "d": "…",
      "e": "…",
      "use": "…",
      "kid": "…",
      "qi": "…",
      "dp": "…",
      "alg": "…",
      "dq": "…",
      "n": "…"
    }
  ]
}

Is there a way to convert the PrivateKey down to a PublicKey for verification? Is this a silly/unsafe thing to do with JWKS/JWT (I'm new to using these things)? This application both generates and validates JWS if that makes a difference to the answer.
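An added end-to-end example (not code from this thread or from JJWT's own docs) that ties together the pieces discussed above: the kid-keyed map inside a LocatorAdapter from @lhazlewood's comment, plus the extra checks he recommends (the token header's alg must match the JWK's alg, and a key published with use=enc must never verify a signature); Jwks.setParser() for the set and parseSignedClaims for the token; and the PrivateJwk.toPublicJwk() conversion from the README section linked in the last comment, for a JWKS that carries the private half. The JWKS is constructed in the program rather than fetched over HTTP. The names JwksVerifyExample and JwksKeyLocator and the kid values k1/k2 are mine, and Jwks.UNSAFE_JSON(JwkSet) is assumed to exist for serializing the set with its private members (it only produces the input JSON). Assumes jjwt-api, jjwt-impl and jjwt-jackson 0.12.x on the classpath.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.LocatorAdapter;
import io.jsonwebtoken.ProtectedHeader;
import io.jsonwebtoken.security.AsymmetricJwk;
import io.jsonwebtoken.security.Jwk;
import io.jsonwebtoken.security.JwkSet;
import io.jsonwebtoken.security.Jwks;
import io.jsonwebtoken.security.PrivateJwk;
import io.jsonwebtoken.security.RsaPrivateJwk;
import io.jsonwebtoken.security.SecurityException; // JJWT's JwtException subclass (shadows java.lang's)

import java.security.Key;
import java.security.KeyPair;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.HashMap;
import java.util.Map;

public class JwksVerifyExample {

    /** kid -> JWK lookup, with the per-key checks suggested in the thread. (Hypothetical class name.) */
    static final class JwksKeyLocator extends LocatorAdapter<Key> {
        private final Map<String, Jwk<?>> keyMap = new HashMap<>();

        JwksKeyLocator(JwkSet jwkSet) {
            for (Jwk<?> jwk : jwkSet.getKeys()) {
                keyMap.put(jwk.getId(), jwk); // constant-time lookup by kid
            }
        }

        @Override
        protected Key locate(ProtectedHeader header) {
            String kid = header.getKeyId();
            Jwk<?> jwk = kid == null ? null : keyMap.get(kid);
            if (jwk == null) {
                throw new SecurityException("Unknown or missing kid: " + kid);
            }
            // The JWK's own 'alg' must agree with the token header's 'alg'.
            String jwkAlg = jwk.getAlgorithm();
            if (jwkAlg != null && !jwkAlg.equals(header.getAlgorithm())) {
                throw new SecurityException("JWK alg " + jwkAlg + " != header alg " + header.getAlgorithm());
            }
            // A key published with use=enc is for JWE, never for verifying a JWS.
            if (jwk instanceof AsymmetricJwk && "enc".equals(((AsymmetricJwk<?>) jwk).getPublicKeyUse())) {
                throw new SecurityException("JWK " + kid + " is an encryption key, not a signing key");
            }
            // Verification only needs the public half; if the JWKS carried a private JWK
            // (the situation in the last comment), derive the public JWK from it.
            if (jwk instanceof PrivateJwk) {
                return ((PrivateJwk<?, ?, ?>) jwk).toPublicJwk().toKey();
            }
            return jwk.toKey();
        }
    }

    public static void main(String[] args) {
        // Constructed sample: one RSA pair published as a *private* JWK (kid k1, alg RS256, use sig),
        // the same shape as the redacted jwks.json in the thread.
        KeyPair pair = Jwts.SIG.RS256.keyPair().build();
        RsaPrivateJwk privJwk = Jwks.builder()
                .key((RSAPrivateKey) pair.getPrivate())
                .publicKey((RSAPublicKey) pair.getPublic())
                .id("k1").algorithm("RS256").publicKeyUse("sig")
                .build();
        // Assumed helper: UNSAFE_JSON keeps the private members so the input matches the thread's JWKS.
        String jwksJson = Jwks.UNSAFE_JSON(Jwks.set().add(privJwk).build());

        JwkSet jwkSet = Jwks.setParser().build().parse(jwksJson);
        JwtParser parser = Jwts.parser().keyLocator(new JwksKeyLocator(jwkSet)).build();

        String good = Jwts.builder().header().keyId("k1").and()
                .subject("alice").signWith(pair.getPrivate(), Jwts.SIG.RS256).compact();
        Jws<Claims> jws = parser.parseSignedClaims(good); // alias for parse(good).accept(Jws.CLAIMS)
        System.out.println("verified, sub=" + jws.getPayload().getSubject());

        // Two tokens the locator must refuse: an unknown kid, and a header alg that differs from the JWK alg.
        String unknownKid = Jwts.builder().header().keyId("k2").and()
                .subject("alice").signWith(pair.getPrivate(), Jwts.SIG.RS256).compact();
        String algMismatch = Jwts.builder().header().keyId("k1").and()
                .subject("alice").signWith(pair.getPrivate(), Jwts.SIG.RS512).compact();
        for (String bad : new String[] {unknownKid, algMismatch}) {
            try {
                parser.parseSignedClaims(bad);
                System.out.println("UNEXPECTED: accepted");
            } catch (JwtException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The locator returns only public keys, so a private member leaking into the published JWKS never becomes a verification key; in a real deployment the JWKS served to verifiers should not contain the private half at all, and the alg/use checks are what stop a token from pointing the verifier at a key that was never meant for signatures.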
Is there a way to verify a JWT with JWKS?