Consider enabling key selection by JWT

Issue #312 resolved
Former user created an issue

JWSKeySelector takes a JWSHeader, which is enough to do key selection in most cases.

However, it's tricky in the multi-tenant situation, where an application has several issuer endpoints to select from.

Several Spring Security users have requested this feature of being able to determine the key set based on the "iss" claim. If the list of issuers is whitelisted by the recipient, then I don't believe this presents a security issue.

If there were a way for the Nimbus API to change and allow a configuration point that accepted the entire JWT instead of just the JWSHeader, offering this feature would be greatly simplified.

For example, an application could then easily do something like:

public class IssuerBasedJWTKeySelector<C extends SecurityContext> implements JWTKeySelector<C> {
    // one header-based selector per trusted issuer; an unknown "iss" finds no entry
    Map<String, JWSKeySelector<C>> selectors;

    public List<? extends Key> selectKeys(final JWT jwt, final C context) throws KeySourceException {
        String issuer;
        try {
            issuer = jwt.getJWTClaimsSet().getIssuer();
        } catch (ParseException e) {
            throw new KeySourceException("Unparseable JWT claims set", e);
        }
        JWSKeySelector<C> selector = selectors.get(issuer);
        if (selector == null || !(jwt instanceof SignedJWT)) {
            return Collections.emptyList(); // no candidate keys, so verification fails
        }
        return selector.selectJWSKeys(((SignedJWT) jwt).getHeader(), context);
    }
}

Some requesters of this feature have thousands of tenants, so likely their solution would not be in-memory like this, but my point is that taking the JWT instead of just the JWSHeader would enable this kind of flexibility.

The existing method is already GA, and it's nice that it's compatible with lambdas, so I'd suggest introducing a new interface called JWTKeySelector. DefaultJWTProcessor could take a JWTKeySelector, the default implementation being that it would call down to the configured JWSKeySelector:

private JWSKeySelector<C> jwsKeySelector;
private JWTKeySelector<C> signedJWTKeySelector = new JWTKeySelector<C>() {
    public List<? extends Key> selectKeys(final JWT jwt, final C context) throws KeySourceException {
        // default: ignore the claims and delegate to the configured header-only selector
        return jwsKeySelector.selectJWSKeys(((SignedJWT) jwt).getHeader(), context);
    }
};

public void setSignedJWTKeySelector(JWTKeySelector<C> selector) {
    this.signedJWTKeySelector = selector;
}

If this makes sense, then I'd be happy to provide a PR to implement it.

I personally don't see a lot of value in doing the same thing for JWE tokens, but I'd be happy to include that in the PR, if you think it's important.
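A runnable version of the issuer-keyed selection sketched above, added as an example here (not code from the issue author or from nimbus-jose-jwt). It assumes a hypothetical class IssuerKeyedJWTKeySelector, Java 11+ and a recent nimbus-jose-jwt release; since DefaultJWTProcessor has no claims-aware hook, the signature is verified by hand with RSASSAVerifier after the tenant's keys are selected, and the single-tenant registry, key and tokens are constructed sample data.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.*;
import com.nimbusds.jwt.*;
import com.nimbusds.jwt.proc.BadJWTException;
import java.security.Key;
import java.security.interfaces.RSAPublicKey;
import java.util.*;

// Hypothetical issuer-keyed selector (added example, not part of nimbus-jose-jwt).
public class IssuerKeyedJWTKeySelector<C extends SecurityContext> {
    private final Map<String, JWSKeySelector<C>> selectorsByIssuer; // the issuer whitelist
    public IssuerKeyedJWTKeySelector(Map<String, JWSKeySelector<C>> selectorsByIssuer) {
        this.selectorsByIssuer = Map.copyOf(selectorsByIssuer);
    }
    // "iss" is read before the signature is checked, so it only picks among pre-registered tenants
    public List<? extends Key> selectKeys(SignedJWT jwt, C ctx) throws BadJOSEException, KeySourceException {
        String issuer;
        try {
            issuer = jwt.getJWTClaimsSet().getIssuer();
        } catch (java.text.ParseException e) {
            throw new BadJWTException("Unparseable JWT claims", e);
        }
        JWSKeySelector<C> selector = issuer == null ? null : selectorsByIssuer.get(issuer);
        if (selector == null) throw new BadJWTException("Untrusted or missing issuer: " + issuer);
        return selector.selectJWSKeys(jwt.getHeader(), ctx); // tenant's normal header-based selection
    }
    public static void main(String[] args) throws Exception {
        RSAKey tenantA = new RSAKeyGenerator(2048).keyID("tenant-a-k1").generate(); // constructed key
        Map<String, JWSKeySelector<SecurityContext>> registry = new HashMap<>();
        registry.put("https://a.example/", new JWSVerificationKeySelector<SecurityContext>(
                JWSAlgorithm.RS256, new ImmutableJWKSet<SecurityContext>(new JWKSet(tenantA.toPublicJWK()))));
        IssuerKeyedJWTKeySelector<SecurityContext> selector = new IssuerKeyedJWTKeySelector<>(registry);
        for (String iss : List.of("https://a.example/", "https://unknown.example/")) {
            SignedJWT jwt = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("tenant-a-k1").build(),
                    new JWTClaimsSet.Builder().issuer(iss).subject("alice").build());
            jwt.sign(new RSASSASigner(tenantA));
            try {
                List<? extends Key> keys = selector.selectKeys(jwt, new SimpleSecurityContext());
                System.out.println(iss + " -> verified=" + jwt.verify(new RSASSAVerifier((RSAPublicKey) keys.get(0))));
            } catch (BadJOSEException e) {
                System.out.println(iss + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The registered issuer verifies against its own key, while the token naming an unregistered issuer is rejected before any key lookup; the unverified "iss" value is only ever used as a map key into recipient-configured tenants, never to fetch a JWK set from a URL found in the token.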

Comments (3)