auth0 / java-jwt

Java implementation of JSON Web Token (JWT)
MIT License

JwkStore #283

Closed dunkboy closed 6 years ago

dunkboy commented 6 years ago

Hello, what is JwkStore for? I cannot find the class JwkStore in the JWT jar.

lbalmaceda commented 6 years ago

There's no such class called JwkStore in this SDK.

dunkboy commented 6 years ago

OK, I want to know about Algorithm algorithm = Algorithm.RSA256(keyProvider). Does the keyProvider mean one PrivateKey to many public keys? Do they change dynamically?

lbalmaceda commented 6 years ago

If I understand correctly, you want to implement the KeyProvider interface. In there you need to override all 3 methods:

  • getPublicKeyById(keyId): Provides a public key to verify using JWT.require(algorithm) an already signed token that has the given kid value on the header
  • getPrivateKey(): Provides a private key used to sign a token you are creating with JWT.create()
  • getPrivateKeyId(): Provides the kid value to include in the header of that signed token ☝️

More here.

If you are always signing the token with the same private key on your server side, then your getPublicKeyById method will always return the same public key (you definitely still want to check the kid before handling that key instance).

How you read / create those keys is up to you and it's outside of this library's scope.
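An added example (not code from the thread or from java-jwt itself) of the three-method contract described above: a hypothetical RotatingRsaKeyProvider that signs with one current private key, accepts several public keys looked up by kid, and returns null for an unknown or retired kid so that java-jwt rejects the token instead of silently using some other key. Key names, the rotate/retire helpers and the RSA key pairs are constructed for the demo.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.RSAKeyProvider;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical provider: one current signing key, many accepted verification keys.
public class RotatingRsaKeyProvider implements RSAKeyProvider {
    private final Map<String, RSAPublicKey> publicKeys = new ConcurrentHashMap<>();
    private volatile String currentKid;
    private volatile RSAPrivateKey currentPrivateKey;

    // Register a key pair under a kid and make it the key new tokens are signed with.
    public void rotate(String kid, KeyPair pair) {
        publicKeys.put(kid, (RSAPublicKey) pair.getPublic());
        currentPrivateKey = (RSAPrivateKey) pair.getPrivate();
        currentKid = kid;
    }
    // Stop accepting tokens that were signed with an old key.
    public void retire(String kid) { publicKeys.remove(kid); }

    @Override
    public RSAPublicKey getPublicKeyById(String keyId) {
        // Check the kid from the token header; unknown kid -> null, which the
        // library reports as a verification failure rather than a valid token.
        return keyId == null ? null : publicKeys.get(keyId);
    }
    @Override public RSAPrivateKey getPrivateKey() { return currentPrivateKey; }
    @Override public String getPrivateKeyId() { return currentKid; }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        RotatingRsaKeyProvider provider = new RotatingRsaKeyProvider();
        Algorithm alg = Algorithm.RSA256(provider);  // kid header comes from getPrivateKeyId()

        provider.rotate("key-2019-01", gen.generateKeyPair());      // constructed kid
        String oldToken = JWT.create().withIssuer("example").sign(alg);
        provider.rotate("key-2019-02", gen.generateKeyPair());      // rotate signing key
        JWT.require(alg).withIssuer("example").build().verify(oldToken); // old kid still accepted

        provider.retire("key-2019-01");
        try {
            JWT.require(alg).withIssuer("example").build().verify(oldToken);
        } catch (JWTVerificationException e) {
            System.out.println("rejected after key retirement: " + e.getMessage());
        }
    }
}
```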

dunkboy commented 6 years ago

I understand, thanks to you anyway.

ghost commented 5 years ago

If I understand correctly, you want to implement the KeyProvider interface. In there you need to override all 3 methods:

  • getPublicKeyById(keyId): Provides a public key to verify using JWT.require(algorithm) an already signed token that has the given kid value on the header
  • getPrivateKey(): Provides a private key used to sign a token you are creating with JWT.create()
  • getPrivateKeyId(): Provides the kid value to include in the header of that signed token ☝️

More here.

If you are always signing the token with the same private key on your server side, then your getPublicKeyById method will always return the same public key (you definitely still want to check the kid before handling that key instance).

How you read / create those keys is up to you and it's outside of this library's scope.

What should happen if the get() method in the JWKS library throws an exception? The only option inside getPublicKeyById() is to return null which will result in an IllegalStateException being thrown. Perhaps there should be something like a KeyProviderException that the methods of KeyProvider could throw?

lbalmaceda commented 5 years ago

@martinoconnor Indeed, there's a lack of exception handling in the current interface definition. I think we can change the signature, adding a RuntimeException, without breaking people by making it throw a RuntimeException subclass. KeyProviderException sounds good.

ghost commented 5 years ago

There is no need to make it a RuntimeException since existing implementations will not need to be modified to throw said exception. It could extend JWTVerificationException so that existing logic could handle it. This would seem like the most backwards compatible and elegant change you could make here.