jjwt v0.4 Release Notes
-
- Issue 8: Add ability to find signing key by inspecting the JWS values before verifying the signature.
📜 This is a handy little feature. If you need to parse a signed JWT (a JWS) and you don't know which signing key was used to sign it, you can now use the new
SigningKeyResolver
concept.A
SigningKeyresolver
can inspect the JWS header and body (Claims or String) before the JWS signature is verified. By inspecting the data, you can find the key and return it, and the parser will use the returned key to validate the signature. For example:SigningKeyResolver resolver = new MySigningKeyResolver(); Jws<Claims> jws = Jwts.parser().setSigningKeyResolver(resolver).parseClaimsJws(compact);
👀 The signature is still validated, and the JWT instance will still not be returned if the jwt string is invalid, as expected. You just get to 'see' the JWT data for key discovery before the parser validates. Nice.
This of course requires that you put some sort of information in the JWS when you create it so that your
SigningKeyResolver
implementation can look at it later and look up the key. The standard way to do this is to use the JWSkid
('key id') field, for example:Jwts.builder().setHeaderParam("kid", your_signing_key_id_NOT_THE_SECRET).build();
0️⃣ You could of course set any other header parameter or claims parameter instead of setting
kid
if you want - that's just the default field reserved for signing key identification. If you can locate the signing key based on other information in the header or claims, you don't need to set thekid
field - just make sure your resolver implementation knows how to look up the key.Finally, a nice
SigningKeyResolverAdapter
is provided to allow you to write quick and simple subclasses or anonymous classes instead of having to implement theSigningKeyResolver
interface directly. For example:Jws<Claims> jws = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() { @Override public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) { //inspect the header or claims, lookup and return the signing key String keyId = header.getKeyId(); //or any other field that you need to inspect return getSigningKey(keyId); //implement me }}) .parseClaimsJws(compact);