Popularity
3.5
Stable
Activity
1.9
-
195
15
73

Programming language: Java
License: MIT License
Tags: Security     Projects    
Latest version: v0.21.2

Jwks RSA alternatives and similar libraries

Based on the "Security" category.
Alternatively, view Jwks RSA alternatives based on common mentions on social networks and blogs.

  • Tink

    DISCONTINUED. Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
  • DependencyCheck

    OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
  • Revolutionize your code reviews with AI. CodeRabbit offers PR summaries, code walkthroughs, 1-click suggestions, and AST-based analysis. Boost productivity and code quality across all major languages with each PR.
    Promo coderabbit.ai
    CodeRabbit Logo
  • OpenAM

    OpenAM is an open access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security.
  • Topaz

    Cloud-native authorization for modern applications and APIs
  • SSLContext-Kickstart

    ๐Ÿ” A lightweight high level library for configuring a http client or server based on SSLContext or other properties such as TrustManager, KeyManager or Trusted Certificates to communicate over SSL TLS for one way authentication or two way authentication provided by the SSLFactory. Support for Java, Scala and Kotlin based clients with examples. Available client examples are: Apache HttpClient, OkHttp, Spring RestTemplate, Spring WebFlux WebClient Jetty and Netty, the old and the new JDK HttpClient, the old and the new Jersey Client, Google HttpClient, Unirest, Retrofit, Feign, Methanol, Vertx, Scala client Finagle, Featherbed, Dispatch Reboot, AsyncHttpClient, Sttp, Akka, Requests Scala, Http4s Blaze, Kotlin client Fuel, http4k Kohttp and Ktor. Also gRPC, WebSocket and ElasticSearch examples are included
  • Passay

    Password policy enforcement for Java.
  • Password4j

    Java cryptographic library that supports Argon2, bcrypt, scrypt and PBKDF2 aimed to protect passwords in databases. Easy to use by design, highly customizable, secure and portable. All the implementations follow the standards and have been reviewed to perform better in the JVM.
  • Kalium

    DISCONTINUED. Java binding to the Networking and Cryptography (NaCl) library with the awesomeness of libsodium
  • OTP-Java

    A small and easy-to-use one-time password generator library for Java implementing RFC 4226 (HOTP) and RFC 6238 (TOTP).
  • SecurityBuilder

    Fluent builders with typesafe API for the JCA
  • JObfuscator

    JObfuscator is a source code obfuscator for the Java language. Protect Java source code & algorithms from hacking, cracking, reverse engineering, decompilation & technology theft.
  • jwt-java

    JSON Web Token implementation for Java according to RFC 7519. Easily create, parse and validate JSON Web Tokens using a fluent API.

Do you think we are missing an alternative of Jwks RSA or a related project?

Add another 'Security' Library

README

A Java library for obtaining JSON Web Keys from a JWKS (JSON Web Key Set) endpoint.

CircleCI Coverage Status License Maven Central javadoc

:books: Documentation - :rocket: Getting Started - :computer: API Reference :speech_balloon: Feedback

Documentation

  • [Examples](./EXAMPLES.md) - code samples for common jwks-rsa-java scenarios.
  • Docs site - explore our docs site and learn more about Auth0.

Getting Started

Requirements

Java 8 or above.

Installation

Add the dependency via Maven:

<dependency>
  <groupId>com.auth0</groupId>
  <artifactId>jwks-rsa</artifactId>
  <version>0.21.2</version>
</dependency>

or Gradle:

implementation 'com.auth0:jwks-rsa:0.21.2'

Usage

The JSON Web Tokens you obtain from an authorization server include a key id header parameter ("kid"), used to uniquely identify the Key used to sign the token.

Given the following JWT:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlJrSTVNakk1T1VZNU9EYzFOMFE0UXpNME9VWXpOa1ZHTVRKRE9VRXpRa0ZDT1RVM05qRTJSZyJ9.eyJpc3MiOiJodHRwczovL3NhbmRyaW5vLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1NjMyNTAxZjQ2OGYwZjE3NTZmNGNhYjAiLCJhdWQiOiJQN2JhQnRTc3JmQlhPY3A5bHlsMUZEZVh0ZmFKUzRyViIsImV4cCI6MTQ2ODk2NDkyNiwiaWF0IjoxNDY4OTI4OTI2fQ.NaNeRSDCNu522u4hcVhV65plQOiGPStgSzVW4vR0liZYQBlZ_3OKqCmHXsu28NwVHW7_KfVgOz4m3BK6eMDZk50dAKf9LQzHhiG8acZLzm5bNMU3iobSAJdRhweRht544ZJkzJ-scS1fyI4gaPS5aD3SaLRYWR0Xsb6N1HU86trnbn-XSYSspNqzIUeJjduEpPwC53V8E2r1WZXbqEHwM9_BGEeNTQ8X9NqCUvbQtnylgYR3mfJRL14JsCWNFmmamgNNHAI0uAJo84mu_03I25eVuCK0VYStLPd0XFEyMVFpk48Bg9KNWLMZ7OUGTB_uv_1u19wKYtqeTbt9m1YcPMQ

Decode it using a JWT library or tool like jwt.io and extract the kid parameter from the Header claims.

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg"
}

The kid value can then be used to obtain the JWK using a JwkProvider.

Create a JWKProvider using the domain from which to fetch the JWK. The provider will use the domain to build the URL https:{your-domain}/.well-known/jwks.json:

JwkProvider provider = new JwkProviderBuilder("https://samples.auth0.com/")
    .build();

A Jwk can be obtained using the get(String keyId) method:

java Jwk jwk = provider.get("{kid of the signing key}"); // throws Exception when not found or can't get one

The provider can be configured to cache JWKs to avoid unnecessary network requests, as well as only fetch the JWKs within a defined rate limit:

JwkProvider provider = new JwkProviderBuilder("https://samples.auth0.com/")
        // up to 10 JWKs will be cached for up to 24 hours
        .cached(10, 24, TimeUnit.HOURS)
        // up to 10 JWKs can be retrieved within one minute
        .rateLimited(10, 1, TimeUnit.MINUTES)
        .build();

See the [examples](./EXAMPLES.md) for additional configurations.

API Reference

Feedback

Contributing

We appreciate feedback and contribution to this repo! Before you get started, please see the following:

Raise an issue

To provide feedback or report a bug, please raise an issue on our issue tracker.

Vulnerability Reporting

Please do not report security vulnerabilities on the public Github issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.


Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout Why Auth0? This project is licensed under the MIT license. See the LICENSE file for more info.


*Note that all licence references and agreements mentioned in the Jwks RSA README section above are relevant to that project's source code only.