Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Process JWT token using JWKs Endpoint

Tags:

jwt

jose4j

I receive two JWTs: an OpenID Connect ID token (id_token) and an Access Token (access_token). The situation with OpenID is more or less clear - I can validate it using a JWKS Endpoint: https://smth.com/JWKS.

as in example (https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples):

HttpsJwks httpsJkws = new HttpsJwks("https://smth.com/JWKS");
HttpsJwksVerificationKeyResolver httpsJwksKeyResolver = new HttpsJwksVerificationKeyResolver(httpsJkws);
jwtConsumer = new JwtConsumerBuilder()
    .setVerificationKeyResolver(httpsJwksKeyResolver)
    .setExpectedAudience(...)
    .setExpectedIssuer(...)
    .build();

The question is how to proceed with the Access Token. I can extract from it the userId and userDetails, but I guess I need also to validate it?

If I try to validate the Access Token the same as for the ID Token, I am getting this error:

UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg" : "RS256", "kid":"1"}

And indeed there is no key for "kid" : "1", Also this value "1" seems kind of strange?

Am I doing something totally wrong?

like image 882
Petr Averyanov Avatar asked Aug 26 '15 18:08

Petr Averyanov

People also ask

How does JWT and JWKS work?

The JSON Web Key Set (JWKS) is a set of keys containing the public keys used to verify any JSON Web Token (JWT) issued by the Authorization Server and signed using the RS256 signing algorithm. When creating applications and APIs in Auth0, two algorithms are supported for signing JWTs : RS256 and HS256.

1 Answers

It sounds like you are implementing the role of OpenID Connect client or Relying Party. The two tokens, ID token and access token, serve different purposes and should be handled differently by the client. The ID token is intended for the client and enables authentication of the end-user at the client. The client must validate the ID token (verify the signature and validate claims like exp and aud, etc.) before allowing the end-user in. The access token, however, is for the client to use to access resources or APIs but is not directly intended for the client to consume or validate. The access token is opaque to the client and the client shouldn't care or know about its details. In fact, access tokens aren't always JWTs. In OpenID Connect, the access token is used to call the user info endpoint (with the HTTP header, Authorization: Bearer [access token]) to get more claims/info about the end-user.

The value of "1" for the kid is totally legal but it is referring to a key that the AS/OP and the user info endpoint know about somehow. It is not a key at the OpenID Connect JWKS endpoint. "1" isn't a key that the client needs to know about because the client isn't supposed to directly verify the access token.

like image 107
Brian Campbell Avatar answered Sep 21 '22 12:09

Brian Campbell
Sign in to Comment

Related questions

Django Rest Framework JWT: How to change the token expiration time when logged in
How to invalidate tokens after password change
How to get token expiration with `jsonwebtoken` using typescript
JWTGenerateCommand::handle() does not exist
How to secure fastapi API endpoint with JWT Token based authorization?
How to Validate JWT token generated from one app in another?
What's the best way to mix passport-facebook and passport-jwt?
Lazy load components requiring authentication with react-redux
Laravel 5.3 - Social login doubts
Authorization for JWT bearer in Swashbuckle .NET Core 2
Partial JWT token at token refresh
JWT Validation in HAProxy
Which JWT Refresh Strategy is safer?
HttpOnly cookies not sent by request
Keycloak add extra claims from database / external source
Save jwt to local storage
Angularjs and slim framework JWT authentication and token refresh flow

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!