Hello,
I am attempting to learn the Auth0 developed java-jwt
and jwks-rsa-java
Java APIs with the eventual goal of implementing them within multiple server applications intended to act as resource owners.
We wish to use RSA256
and dinamicaly recover the the JSON Web Key Set (JWKS
) from a remote authorisation server end-point as a means of validating a tokent’s signature.
To this end, I am writing a very simple java application that does the following:
- Decode and read a supplied
access_token
- Retrieve
JWKS
from our test tenant (https://{tenant.url}/.well-known/jwks.json) usingjwks-rsa-java
. - Use the JWKS to validate the signature within the
access_token
.
I am struggling with the last part.
For the purposes of this thread, lets assume the token is initially stored within a java.lang.String
object called authZ_token
.
Because I’m using RSA256
, the first thing I’m going to need to do is retrieve the JWKS key ID
(kid
).
DecodedJWT decodedJwt = JWT.decode(authZ_token);
String kid = decodedJwt.getKeyId());
The above code also provides me with a DecodedJWT
, so I can also use it to look at the payload and validate claims if need be.
Here is my code for retrieving the JWKS (simple enough):
JwkProvider jwkProvider = new UrlJwkProvider("https://{tenant.url.auth0.com}/");
Jwk jwk;
List<String> x5cArray;
String x5cString;
try {
jwk = jwkProvider.get(kid);
x5cArray = jwk.getCertificateChain();
x5cString = x5cArray.get(0);
System.out.println("x5c: " + x5cString);
} catch (JwkException e) {
e.printStackTrace();
throw new ServletException(e.getMessage());
}
So far so good, but here is where I run into trouble as I still have not validated the access_token
signature.
The java-jwt
readme indicates that I need to instantiate a JWTVerifier
using a RSAAlgorithm
as indicated below:
RSAPublicKey publicKey = //Get the key instance
RSAPrivateKey privateKey = //Get the key instance
try {
Algorithm algorithm = Algorithm.RSA256(publicKey, privateKey);
JWTVerifier verifier = JWT.require(algorithm)
.withIssuer("auth0")
.build(); //Reusable verifier instance
DecodedJWT jwt = verifier.verify(access_token);
} catch (JWTVerificationException exception){
//Invalid signature/claims
}
My difficulty is in instantiating this JWTVerifier
object using the data recovered in the JWKS
rather than using a public/private key pair as indicated in the example above as I wish to avoid placing private keys on our resource servers.
Any help would be appreciated.
Kind regards,
Aitzol
Sources: