How do I handle parsing JWT tokens using JWKS in Java (Scala)

I have the following in my express app

    import bearer from "express-oauth2-jwt-bearer";

    // Authorization middleware. When used, the Access Token must
    // exist and be verified against the Auth0 JSON Web Key Set.
    const checkJwt = bearer.auth({
      audience: "https://earth-838.me.dev/node",
      issuerBaseURL: "https://auth.me.dev",
    });

    const checkScopes = bearer.requiredScopes("access:node");

    export {checkJwt, checkScopes};

I am looking for the equivalent in Scala and I came across this basic setup…

    import java.security.interfaces.{RSAPrivateKey, RSAPublicKey}
    import com.auth0.jwt.JWT
    import com.auth0.jwt.algorithms.Algorithm
    import com.auth0.jwt.exceptions.JWTVerificationException
    import com.auth0.jwt.interfaces.RSAKeyProvider

    // JwkStore here is a placeholder, not a class the library ships:
    // something has to supply the public keys from the tenant's JWKS.
    val jwkStore = new JwkStore("{JWKS_FILE_HOST}")
    val keyProvider = new RSAKeyProvider {
      // Called with the `kid` from the token header (null if the header has none)
      override def getPublicKeyById(kid: String): RSAPublicKey = {
        ??? // look the RSA public key up by kid in the JWKS
      }

      // Only used when signing; verification never calls these
      override def getPrivateKey: RSAPrivateKey = null

      override def getPrivateKeyId: String = null
    }

    try {
      val algorithm = Algorithm.RSA256(keyProvider)
      val verifier = JWT.require(algorithm).withIssuer("auth0").build() // Reusable verifier instance
      val jwt = verifier.verify(token)
      println(jwt.getPayload)
    } catch {
      case exception: JWTVerificationException =>
        // Invalid signature/claims
    }

But I am not sure where JwkStore comes from, and I am not sure how to handle things. Can someone provide an example?

The JWKs (JSON Web Keys) are found at /.well-known/jwks.json of your Auth0 tenant. They are public values and you do not need authorization to request them.

Sorry, I know what it is and where it is, but I don't know how to reference it in the JWT module provided.

Hi, can I know whether there is a way to read the JKS key store, read the public key from it, and use that to verify the token instead of calling the endpoint and getting the public key?
Thanks a lot

Hey @cumaranathunga welcome to the community!

There isn’t a standard alternative method for fetching JWKS. The use of the JWKS endpoint is the recommended and secure way to obtain the necessary keys for token validation. This approach ensures that the keys are always up-to-date and valid, aligning with best practices in OAuth 2.0 and OpenID Connect protocols.
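A worked version of the Scala setup asked for at the top of the thread, with the key provider resolving keys from the tenant's /.well-known/jwks.json endpoint that the replies point to. This is an added example, not code from any reply; it assumes Auth0's `jwks-rsa` library next to `java-jwt`, and takes the tenant, audience and scope values from the express config in the question.

```scala
import java.security.interfaces.{RSAPrivateKey, RSAPublicKey}
import java.util.concurrent.TimeUnit
import com.auth0.jwk.{JwkException, JwkProvider, JwkProviderBuilder}
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import com.auth0.jwt.exceptions.JWTVerificationException
import com.auth0.jwt.interfaces.{DecodedJWT, RSAKeyProvider}

// Needs com.auth0:java-jwt and com.auth0:jwks-rsa on the classpath.
object CheckJwt {
  // Assumed values, copied from the express config in the question.
  val tenant   = "https://auth.me.dev"
  val issuer   = tenant + "/"                      // `iss` as an Auth0 tenant issues it (trailing slash)
  val audience = "https://earth-838.me.dev/node"

  // Fetches <tenant>/.well-known/jwks.json and caches the keys by their `kid`.
  private val jwks: JwkProvider = new JwkProviderBuilder(tenant)
    .cached(10, 24, TimeUnit.HOURS)        // keep up to 10 keys for 24 hours
    .rateLimited(10, 1, TimeUnit.MINUTES)  // at most 10 endpoint fetches per minute
    .build()

  // Verification only: the token's `kid` header selects the public key; no private key is used.
  private val keyProvider = new RSAKeyProvider {
    override def getPublicKeyById(kid: String): RSAPublicKey =
      jwks.get(kid).getPublicKey.asInstanceOf[RSAPublicKey]
    override def getPrivateKey: RSAPrivateKey = null
    override def getPrivateKeyId: String = null
  }

  // Reusable verifier: checks signature, exp/nbf, issuer and audience.
  private val verifier = JWT.require(Algorithm.RSA256(keyProvider))
    .withIssuer(issuer)
    .withAudience(audience)
    .build()

  def verify(token: String): Either[String, DecodedJWT] =
    try Right(verifier.verify(token))
    catch {
      case e: JWTVerificationException => Left(s"invalid token: ${e.getMessage}")
      case e: JwkException             => Left(s"no key for kid: ${e.getMessage}")
    }

  // Same check as requiredScopes("access:node"): `scope` is a space separated list.
  def hasScope(jwt: DecodedJWT, required: String): Boolean =
    Option(jwt.getClaim("scope").asString()).exists(_.split(" ").contains(required))
}
```

The `withAudience` check is what stops a token minted for a different API of the same tenant from verifying here; the express middleware applies the same check through its `audience` option.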
