How to obtain JWKs and use them in JWT signing?

java authentication jwt jwk

11,081

every open id server has to provide the tenant an endpoint like this :

  https://--YOUR DOMAIN----/.well-known/jwks.json

if you visit this endpoint you will see this in json format

{
  keys: [
    {
      alg: 'RS256',
      kty: 'RSA',
      use: 'sig',
      n: 'tTMpnrc4dYlD8MtmPnW3xZNbLxkaGCUwTqeKB4dfLg11dEpMyQEc4JRxUvRzp9tz00r6lkZ1ixcvIiuB_eMVckU8VyFSFWBSAxp5duBk6lRpYk-QjK3kEdPxYLxyW84gNzwMi-XW8zxJbsOa-cRM9sCb62Qz2yfWoQfimoFXsCnVHq496kizO7gZ972JefvTce1_n9dd_1p0K6c14qcCXtF6hbA_gQ0N7h3IyloBqiusKyTsV-ZrMZDldZkI-4v7s49TdcRZgEOvSapMz5YyoDvAWzuWGEiljkjkCOo0Mr5Sioi2x0dBm6nJ2WVYfZrwEF5J',
      e: 'AQAB',
      kid: 'NTY2MjBCNzQ1RTLPQzk3NzczRRTMQ0E4NzE2MjcwOUFCRkUwRTUxNA',
      x5t: 'NTY2MjBCNzQ1RTJPLzk3NzczRUNPO0E4NzE2MjcwOUFCRkUwRTUxNA',
      x5c: [Array]
    }
  ]
}

What is x5c?

The "x5c" (X.509 certificate chain) Header Parameter contains the X.509 public key certificate or certificate chain [RFC5280] corresponding to the key used to digitally sign the JWS. The certificate or certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (not base64url-encoded) DER [ITU.X690.2008] PKIX certificate value. The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The recipient MUST validatethe certificate chain according to RFC 5280 [RFC5280] and consider the certificate or certificate chain to be invalid if any validation failure occurs. Use of this Header Parameter is OPTIONAL.

if you check the x5c array, you will see very long string. You have to take this value and separate them for each 64 values. it is very simple. here is an example:

So when you start your verification process:

//you get the token
//you decode the token
//you compare the kid which is in the header of the token

//jwk.kid the one that you get when you visit the /.well-known url above
if (jwk.kid === decodedToken.header.kid){
// in verification process you have to use the decoded code and the certificate 
// to verify the signature

}

this process is specific to 'RS256' algorithm. RS256 generates an asymmetric signature, which means a private key must be used to sign the JWT and a different public key must be used to verify the signature. Unlike symmetric algorithms, using RS256 offers assurances that Auth0 is the signer of a JWT since Auth0 is the only party with the private key. For verifying the symmetric algorithms, you have to use private key.

11,081

Author by

Ihor M.

Updated on June 08, 2022

Comments

Ihor M. almost 2 years
I am reading this blog about JWTs and how you can use the signature part of it to verify that the token was actually issued by the trusted party.

https://hackernoon.com/json-web-tokens-jwt-demystified-f7e202249640

The JSON Web Key (JWK) is a JSON object that contains a well-known public key which can be be used to validate the signature of a signed JWT.

If the issuer of your JWT used an asymmetric key to sign the JWT, it will likely host a file called a JSON Web Key Set (JWKS). The JWKS is a JSON object that contains the property keys, which in turn holds an array of JWK objects.

Here is java code snippet from my codebase that generates JWT for me:
```
new JwtBuilder().setClaims(claims).setExpiration(expiration).signWith(signatureAlgorithm, sharedSecret).compact();
```
I do not quite understand how I obtain JWKs and how do I use them for signing? I haven't found any examples on the web.

Any help will be greatly appreciated.