You could also use the jwks-rsa-java library to retrieve the public key at run time. Here is a complete sample. You need to get the accessToken JWT from the request and add your own tenant URL to make it work.
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.security.interfaces.RSAPublicKey;

public class JwtVerifySample {
    public static void main(String[] args) {
        String token = "YOUR_JWT_TOKEN"; // the access token taken from the request
        // Fetches the JWKS document from https://YOUR_TENANT.auth0.com/.well-known/jwks.json
        JwkProvider provider = new UrlJwkProvider("https://YOUR_TENANT.auth0.com/");
        try {
            // Decodes header and claims only; nothing is trusted until verify() succeeds
            DecodedJWT jwt = JWT.decode(token);
            // Get the kid from the received JWT token and look up the matching public key
            Jwk jwk = provider.get(jwt.getKeyId());
            // Public key only (no private key) since we are verifying, not signing
            Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
            JWTVerifier verifier = JWT.require(algorithm)
                    .withIssuer("https://YOUR_TENANT.auth0.com/")
                    .build();
            // Checks signature, expiry and issuer; throws on any failure
            jwt = verifier.verify(token);
        } catch (JWTVerificationException e) {
            // Invalid signature/claims
            e.printStackTrace();
        } catch (JwkException e) {
            // Could not retrieve a key for the token's kid (invalid JWT token)
            e.printStackTrace();
        }
    }
}
Note: You should also consider caching the public key so you are not calling the JWKS endpoint every single time you verify the JWT.
Here is a working sample if you prefer simply downloading and running it yourself: GitHub - ashishdasnurkar/javajwtsample: Simple sample to demo JWT Verification
Make sure, though, that you are also performing further checks such as permissions, standard claims, etc. The code above only does a JWT format check and a signature check. Reference here: Validate Access Tokens
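The two follow-up points in the answer above (cache the keys instead of hitting the JWKS endpoint on every request, and check more than the signature) can be combined as follows. This is an added example, not code from the answer or from the linked repository; it uses the same jwks-rsa-java and java-jwt libraries, and the issuer URL, the audience value, the leeway of 30 seconds and the `permissions` claim name `read:messages` are placeholders and assumptions for illustration.

```java
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.security.interfaces.RSAPublicKey;
import java.util.List;
import java.util.concurrent.TimeUnit;

public class CachedJwtVerifier {
    // Placeholders: your tenant's issuer URL and the API identifier you expect in "aud".
    private static final String ISSUER = "https://YOUR_TENANT.auth0.com/";
    private static final String AUDIENCE = "https://YOUR_API_IDENTIFIER";

    // Built once and reused for the lifetime of the service: up to 10 keys are cached for
    // 24 hours and fetches are rate limited, so the JWKS endpoint is not hit per request.
    private final JwkProvider provider = new JwkProviderBuilder(ISSUER)
            .cached(10, 24, TimeUnit.HOURS)
            .rateLimited(10, 1, TimeUnit.MINUTES)
            .build();

    /** Verifies signature, issuer, audience and time claims; returns the token or throws. */
    public DecodedJWT verify(String token) throws JwkException {
        DecodedJWT unverified = JWT.decode(token);      // header/claims only, NOT trusted yet
        Jwk jwk = provider.get(unverified.getKeyId());  // served from the cache when possible
        Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
        JWTVerifier verifier = JWT.require(algorithm)   // pins alg to RS256: "none"/HS256 headers fail
                .withIssuer(ISSUER)
                .withAudience(AUDIENCE)
                .acceptLeeway(30)                       // seconds of clock skew tolerated on exp/nbf/iat
                .build();
        return verifier.verify(token);                  // throws JWTVerificationException on any failure
    }

    /** Authorization step on an already verified token: is the required permission present? */
    public static boolean hasPermission(DecodedJWT jwt, String required) {
        List<String> permissions = jwt.getClaim("permissions").asList(String.class);
        return permissions != null && permissions.contains(required);
    }

    public static void main(String[] args) {
        String token = "YOUR_JWT_TOKEN"; // taken from the "Authorization: Bearer ..." header
        CachedJwtVerifier v = new CachedJwtVerifier();
        try {
            DecodedJWT jwt = v.verify(token);
            if (!hasPermission(jwt, "read:messages")) {
                System.out.println("Valid token without read:messages -> respond 403");
                return;
            }
            System.out.println("Authorized subject: " + jwt.getSubject());
        } catch (JWTVerificationException e) {
            System.out.println("Reject with 401: " + e.getMessage());
        } catch (JwkException e) {
            System.out.println("Reject with 401: no signing key for kid: " + e.getMessage());
        }
    }
}
```

Keep the provider as a single long-lived instance; creating one per request defeats the cache. Because the verifier is built with a fixed `Algorithm.RSA256`, the `alg` value in the token header is not trusted, and the audience check prevents a token issued for a different API from being accepted by this one.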