auth0 / java-jwt

Java implementation of JSON Web Token (JWT)
MIT License

How to verify a JWS with jku? #134

Closed afandian closed 7 years ago

afandian commented 7 years ago

I have a JWT that uses a JWK in the jku header to indicate a public key. I can't find any mention of how to do this. Is it possible?

lbalmaceda commented 7 years ago

Hi @afandian. We don't provide verification for custom header claims. However, once you have decoded/verified the token you can:

// verify/decode the token first, then inspect the jku header claim
JWT jwt = // verify/decode token
String expectedJku = "public-key-value";
Claim jkuClaim = jwt.getHeaderClaim("jku");
if (!expectedJku.equals(jkuClaim.asString())) {
  // invalid jku
}

Cheers.

afandian commented 7 years ago

Thanks! jku isn't a custom claim, it's part of the specification.

Your step 1 is:

JWTVerifier verifier = JWT.require(Algorithm.RSA256(key))

This requires the public key. However, the jku claim specifies which key to use.

Does this library require extra steps to implement RFC7515?

hzalaz commented 7 years ago

@afandian this library implements RFC 7519, not RFC 7515, as stated in the README. If you need to handle jwks you can use this library https://github.com/auth0/jwks-rsa-java as long as the jwk is served in the same folder pattern and you use RSA to validate it.

I'd be careful about using that value without proper validation or whitelisting the domain where you download the keys, since anyone can sign a token, host the keys somewhere and send you the token, which will be deemed valid if no validation of jku is performed beforehand.
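The pattern hzalaz describes, written out as an added example (not code from this issue, the java-jwt project, or jwks-rsa-java): decode the token without verifying it, exact-match the jku header against a fixed allow-list before any network request, fetch the JWKS with jwks-rsa-java, select the key by kid, and only then build the RSA256 verifier. The allow-list entry, the issuer value and the class name are assumptions for illustration; the `JWT`, `JWTVerifier`, `Algorithm`, `UrlJwkProvider` and `JwkProvider` calls are the public APIs of the two libraries mentioned in the thread.

```java
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.net.MalformedURLException;
import java.net.URL;
import java.security.interfaces.RSAPublicKey;
import java.util.Set;

public class JkuVerifier {

    // Allow-list of JWKS URLs this service trusts. Anything else is rejected
    // before any network request is made. Hypothetical value for this example.
    private static final Set<String> TRUSTED_JKU = Set.of(
            "https://issuer.example.com/.well-known/jwks.json");

    // Issuer the verifier pins; assumed value for this example.
    private static final String EXPECTED_ISSUER = "https://issuer.example.com/";

    public static DecodedJWT verify(String token) throws JwkException, MalformedURLException {
        // Step 1: decode WITHOUT verifying, only to read the header.
        // Nothing in this object is trusted yet.
        DecodedJWT unverified = JWT.decode(token);
        String jku = unverified.getHeaderClaim("jku").asString();
        String kid = unverified.getKeyId();

        // Step 2: exact-match the jku against the allow-list. Prefix or
        // substring checks are not enough; an attacker-controlled host such as
        // "https://issuer.example.com.attacker.net/" would pass a prefix test.
        if (jku == null || !TRUSTED_JKU.contains(jku)) {
            throw new JwkException("jku header is missing or not in the trusted set: " + jku);
        }
        if (kid == null) {
            throw new JwkException("kid header is required to select a key from the JWKS");
        }

        // Step 3: only now fetch the key set (jwks-rsa-java) and pick the key by kid.
        JwkProvider provider = new UrlJwkProvider(new URL(jku));
        Jwk jwk = provider.get(kid);
        RSAPublicKey publicKey = (RSAPublicKey) jwk.getPublicKey();

        // Step 4: verify the signature and registered claims. Pinning RSA256 here
        // also makes java-jwt reject tokens whose alg header does not match.
        JWTVerifier verifier = JWT.require(Algorithm.RSA256(publicKey, null))
                .withIssuer(EXPECTED_ISSUER)
                .build();
        return verifier.verify(token);
    }
}
```

The order matters: the allow-list check happens before `UrlJwkProvider` is constructed, so a token pointing at an attacker-hosted JWKS never causes a fetch, and the verifier is built from the fetched key rather than from a key the token chose for itself.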

afandian commented 7 years ago

Thanks for your replies. Sorry, I assumed that because the JWT spec includes JWS, RFC 7519 would entail RFC 7515.

Yes, I'm aware of the pitfalls of using jku, thanks for the warning!