I am trying to implement my server-side JWT access token validation (in Java) into my API code using a RESTful service filter. I have my authorization bearer access_token for my audience and I have my signing certificate string from the client-advanced-setting-certificate in the Auth0 UI (or from the downloaded .PEM file).
If I put the token and the certificate into jwt.io, it all looks good and the certificate validates the JWT.
For the time being I am just trying to get it to execute once in the API to see it work with the String object called cert in the code.
If I call my URL https://myclient.auth0.com/.well-known/jwks.json I get the JSON and the "x5c" claim, and I take that text and put it into the string variable cert in my Java code (or I take the string from the PEM file and either strip the header and footer or not):
```java
byte[] keyBytes = Base64.decode(cert);
X509EncodedKeySpec spec = new X509EncodedKeySpec(keyBytes);
KeyFactory kf = KeyFactory.getInstance("RSA");
PublicKey publicKey = kf.generatePublic(spec);
```
This generates this exception:
java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID (tag = -96)
I am trying to get the public key because I need it to validate the signature using the jjwt Java library,
which I chose over the Auth0 library because GitHub indicated the latest build for java-jwt is failing?
Although I had some difficulty integrating the jjwt library into my Eclipse projects as well.
I assume I will need the public key from the cert even if I switch to the Auth0 library.
Also, I have run some test code from GitHub that executes the same process; with a different pair of token and cert strings it executes fine, but not with the ones I need to work with (and that work in jwt.io).
What am I doing wrong or understanding incorrectly?
Is there any sample code in Java showing the extraction of the cert and public key from the /jwks.json endpoint and then converting the x5c to the Java objects needed to perform the validation and signature verification?
I looked all over and couldn't find much.
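An added example, not part of the original post and not Auth0's or jjwt's own code: an "x5c" entry (and the .PEM file) holds a complete DER-encoded X.509 certificate rather than a bare public key, so this sketch parses it with `CertificateFactory` instead of `X509EncodedKeySpec` and then checks an RS256 signature using only the JDK. The class and method names are hypothetical, and the certificate string and token are passed on the command line because no sample values are embedded.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

// Added example; class and method names are hypothetical.
public class X5cJwtCheck {

    // Accepts the first "x5c" entry from jwks.json or the contents of the .PEM file.
    static PublicKey publicKeyFromCert(String cert) throws Exception {
        String b64 = cert.replaceAll("-----(BEGIN|END) CERTIFICATE-----", "")
                         .replaceAll("\\s", "");
        // x5c uses standard base64 (not base64url) over the DER certificate.
        byte[] der = Base64.getDecoder().decode(b64);
        // The bytes are a whole X.509 certificate, not a bare SubjectPublicKeyInfo,
        // so parse them as a certificate and take the key from it.
        X509Certificate x509 = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
        x509.checkValidity(); // throws if the certificate is expired or not yet valid
        return x509.getPublicKey();
    }

    // Verifies an RS256 compact JWS signature only; the algorithm is pinned here
    // rather than read from the token header. exp/aud/iss checks are still required.
    static boolean verifyRs256(String jwt, PublicKey key) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(Base64.getUrlDecoder().decode(parts[2]));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java X5cJwtCheck <x5c-or-pem-string> <jwt>");
            System.exit(2);
        }
        PublicKey key = publicKeyFromCert(args[0]);
        System.out.println("key algorithm: " + key.getAlgorithm());
        System.out.println("signature valid: " + verifyRs256(args[1], key));
    }
}
```

The `PublicKey` returned by `publicKeyFromCert` is a standard `java.security.PublicKey`, which is the type JWT libraries expect for RSA verification.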