JWS verification
Hi,
I have a JWS key and I'm trying to verify it. You have some examples in
https://bitbucket.org/b_c/jose4j/wiki/JWS%20Examples
However, there are some points where I don't understand what I should use. In
PublicKey publicKey = ExampleEcKeysFromJws.PUBLIC_256;
I can't find ExampleEcKeysFromJws... I suppose it's an enum or something like that.
In
https://bitbucket.org/b_c/jose4j/wiki/JWS%20Examples#markdown-header-jws-verification-using-a-jwk
what's the variable jsonWebKeySetJson? Is it the decoded version of the access token I have?
Thanks in advance
Comments (8)

repo owner jsonWebKeySetJson has the public key to verify the signature on the token, which I try to explain in the comments with the example code. ExampleEcKeysFromJws.PUBLIC_256 is also explained in the comments.
You might want to make sure you're familiar with the basics via something like https://jwt.io/introduction/ or many other resources on the web. This is security related stuff, so it needs to be undertaken with some care. A commercial solution is something to consider as well: https://docs.pingidentity.com/bundle/pa_m_PingAccessOverview_pa42/page/pa_c_WhatIsPingAccess.html

reporter Hi Brian,
Sorry I didn't explain myself clearly. When I say I can't find ExampleEcKeysFromJws, I mean I get an error in the IDE that ExampleEcKeysFromJws cannot be found.
I've read the introduction you sent me, but I still cannot understand what I should put in jsonWebKeySetJson. For instance, if I have the following key:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.POstGetfAytaZS82wHcjoTyoqhMyxXiWdR7Nn7A29DNSl0EiXLdwJ6xC6AfgZWF1bOsS_TuYI3OG85AmiExREkrS6tDfTQ2B3WXlrr-wp5AokiRbz3_oB4OxG-W9KcEEbDRcZc0nH3L7LzYptiy1PtAylQGxHTWZXtGz4ht0bAecBgmpdgXMguEIcoqPJ1n3pIWk_dUZegpqx0Lka21H6XxUTxiy8OcaarA8zdnPUnV6AmNP3ecFawIFYdvJB_cm-GvpCSbr8G8y_Mllj8f4x9nBH8pQux89_6gUY618iYv7tuPWBFfEbLxtF2pZS6YC1aSfLQxeNe8djT9YjpvRZA
The first part is the header, the 2nd the payload and the 3rd the signature. What should I use in jsonWebKeySetJson?
Finally, I came to your library through Auth0, so I'm trying to set up this service.
Thanks in advance

repo owner That isn't a key. That's the token, which is a JWT/JWS. You need the verification key to verify the signature. The token issuer should provide the verification key somehow.
Since you're trying to validate a JWT, the JWT API would be more appropriate: https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples
But before that, like I said, this is security related stuff and you really should be careful with it. You need some understanding of the fundamentals before just coding something. Please educate yourself or look for paid professional assistance.

reporter Thanks Brian for the links.
I have managed to verify the JWT token using a JWK through the example described in https://bitbucket.org/b_c/jose4j/wiki/JWS%20Examples#markdown-header-jws-verification-using-a-jwk
However, I would also like to verify the token expiration (exp), token issuer (iss) and token audience (aud) which exist in my payload data. In https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples you have an example of how to do it. Though, you're using
RsaJsonWebKey rsaJsonWebKey = RsaJwkGenerator.generateJwk(2048);
Is this related to the JWK described in the verification? Actually, in .setVerificationKey(rsaJsonWebKey.getKey())
you're using this rsaJsonWebKey.
Thanks

repo owner Yes, it's related. A verification key is needed to verify the signature. https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples has and describes several examples of setting the verification key or verification key resolver for the JWT consuming process.

repo owner - changed status to invalid
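The thread leaves two things implicit: what jsonWebKeySetJson actually contains (the issuer's public keys as a JWK Set, not the token), and how the JWS-level signature check relates to the JwtConsumer that also validates exp, iss and aud. The program below is an added example written for this page; it is not code from the thread or from the jose4j wiki, although it uses the jose4j API. The issuer (https://issuer.example), audience (my-api), key id (k1) and subject are made-up values, and the token is minted locally with a freshly generated key so the example runs offline; against a real issuer such as Auth0 you would instead load the same JWK Set from its published JWKS URL (jose4j's HttpsJwks and HttpsJwksVerificationKeyResolver exist for that) and the private key would never be on the verifying side.

```java
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jwk.VerificationJwkSelector;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.ErrorCodes;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.lang.JoseException;

public class JwksVerificationExample {

    // Assumed values for this example only; a real deployment takes them from the issuer's configuration.
    static final String ISSUER = "https://issuer.example";
    static final String AUDIENCE = "my-api";

    public static void main(String[] args) throws Exception {
        // 1. Stand in for the token issuer: generate an RSA key pair and mint a signed JWT.
        RsaJsonWebKey issuerKey = RsaJwkGenerator.generateJwk(2048);
        issuerKey.setKeyId("k1"); // "kid" lets the verifier pick the right key out of the set
        String jwt = mintToken(issuerKey, AUDIENCE, 10);

        // 2. This is jsonWebKeySetJson: the issuer's PUBLIC keys as a JWK Set, not the token.
        String jsonWebKeySetJson = new JsonWebKeySet(issuerKey).toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY);
        System.out.println("jsonWebKeySetJson = " + jsonWebKeySetJson);

        // 3. Signature-only check with the JWS API.
        System.out.println("signature valid: " + verifySignatureWithJwks(jwt, jsonWebKeySetJson));

        // 4. Full validation with the JWT API: signature plus exp, iss and aud.
        JwtConsumer consumer = buildConsumer(jsonWebKeySetJson, AUDIENCE);
        JwtClaims claims = consumer.processToClaims(jwt);
        System.out.println("accepted, sub=" + claims.getSubject() + " exp=" + claims.getExpirationTime());

        // 5. Failure modes the verifier must reject: wrong audience, and a token that already expired.
        try {
            consumer.processToClaims(mintToken(issuerKey, "some-other-api", 10));
        } catch (InvalidJwtException e) {
            System.out.println("rejected, bad audience: " + e.hasErrorCode(ErrorCodes.AUDIENCE_INVALID));
        }
        try {
            consumer.processToClaims(mintToken(issuerKey, AUDIENCE, -5));
        } catch (InvalidJwtException e) {
            System.out.println("rejected, expired: " + e.hasExpired());
        }
    }

    /** Issuer side: build the claims and sign them as a compact JWS with RS256. */
    static String mintToken(RsaJsonWebKey key, String audience, int minutesUntilExpiry) throws JoseException {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(ISSUER);
        claims.setAudience(audience);
        claims.setSubject("1234567890"); // constructed sample subject
        claims.setIssuedAtToNow();
        claims.setGeneratedJwtId();
        claims.setExpirationTimeMinutesInTheFuture(minutesUntilExpiry); // negative value yields an expired token

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(key.getPrivateKey());
        jws.setKeyIdHeaderValue(key.getKeyId());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jws.getCompactSerialization();
    }

    /** Verifier side, JWS API: pick the key by kid/alg from the JWK Set and check only the signature. */
    static boolean verifySignatureWithJwks(String compactJws, String jwksJson) throws JoseException {
        JsonWebKeySet jwks = new JsonWebKeySet(jwksJson);
        JsonWebSignature jws = new JsonWebSignature();
        // Pin the algorithm so a token carrying "alg":"none" or an HMAC alg is rejected outright.
        jws.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256));
        jws.setCompactSerialization(compactJws);
        JsonWebKey jwk = new VerificationJwkSelector().select(jws, jwks.getJsonWebKeys());
        if (jwk == null) {
            return false; // no key in the set matches the token header
        }
        jws.setKey(jwk.getKey());
        return jws.verifySignature();
    }

    /** Verifier side, JWT API: signature plus claim validation in one consumer. */
    static JwtConsumer buildConsumer(String jwksJson, String expectedAudience) throws JoseException {
        JsonWebKeySet jwks = new JsonWebKeySet(jwksJson);
        return new JwtConsumerBuilder()
                .setVerificationKeyResolver(new JwksVerificationKeyResolver(jwks.getJsonWebKeys()))
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256))
                .setRequireExpirationTime()
                .setAllowedClockSkewInSeconds(30)
                .setRequireSubject()
                .setExpectedIssuer(ISSUER)
                .setExpectedAudience(expectedAudience)
                .build();
    }
}
```

The two verifier methods answer the reporter's last question: the rsaJsonWebKey in the wiki's JWT example is the same kind of object that the JWS example selects out of jsonWebKeySetJson, and setVerificationKey versus setVerificationKeyResolver only differ in whether you hand the consumer one key or let it choose by kid from a set. Checking the signature alone (step 3) is not enough for an access token: a validly signed token for a different audience, or one that expired last week, passes that check and is only rejected by the claim validation in step 4.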