I am using Kotlin with Vert.x at the backend, and the frontend forwards me a JWT token after getting authenticated from OneLogin. Now I want to make sure that the token is valid, not fake (made up). If I follow the following link, it says that I need a public key to be able to create a JWTAuth object, which I can use to call authenticate for validation. https://vertx.io/docs/vertx-auth-jwt/kotlin/
I need to know where I can get the public key.
jsonwebtoken allows you to provide a certificate that will be used to verify JWTs; once you fetch a JWK to use (as explained above), you can then convert it to a key string by using a library or an online service (since this is a public key there is no risk in using an online service).
The JSON Web Key Set (JWKS) is a set of keys containing the public keys used to verify any JSON Web Token (JWT) issued by the authorization server and signed using the RS256 signing algorithm. When creating applications and APIs in Auth0, two algorithms are supported for signing JWTs: RS256 and HS256.
Go to Dashboard > Applications. Go to the Settings view, and open Advanced Settings. Go to the Certificates view, locate the Signed Certificate field, and copy the Public Key. Navigate to the JWT.io website, locate the Algorithm dropdown, and select RS256.
I don't know about OneLogin, but from their documentation I can see that they are a SAML/OpenID Connect provider, so the public key can easily be retrieved from their configuration. According to their docs you can locate your instance config at:
https://<subdomain>.onelogin.com/oidc/.well-known/openid-configuration
From this file you should look up the key jwks_uri, which will hold a value like https://acme.onelogin.com/oidc/certs. If you GET this URL you'll have a JSON similar to this:
```json
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "JRcO4nxs5jgc8YdN7I2hLO4V_ql1bdoiMXmcYgHm4Hs",
      "n": "z8fZsz...GHSTAoQw",
      "e": "AQAB"
    }
  ]
}
```
This file is a JSON Web Key (set). This JSON can be fed to JWTAuth to load the key and do the validation you need. As a side note, in 3.6 there will be proper OpenID Connect Discovery support in the OAuth2 module, which means you don't need to fiddle with this anymore: just pass the URL of your provider and everything will be properly configured.
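Putting the steps of that answer together in Kotlin, as an added example that is not from the question, the answer or the Vert.x project: it reads the discovery document, downloads the JWK set from jwks_uri, loads it into JWTAuth and then verifies a token. It assumes the Vert.x 3.6 API (JWTAuthOptions.addJwk, JWTOptions in io.vertx.ext.jwt, WebClient from vertx-web-client); the subdomain, client_id and token are placeholders.

```kotlin
import io.vertx.core.Vertx
import io.vertx.core.json.JsonObject
import io.vertx.ext.auth.jwt.JWTAuth
import io.vertx.ext.auth.jwt.JWTAuthOptions
import io.vertx.ext.jwt.JWTOptions          // io.vertx.ext.auth.JWTOptions in Vert.x 4
import io.vertx.ext.web.client.WebClient

// Placeholders (assumed, not real values): your OneLogin subdomain and the
// client_id of the app the frontend authenticated against.
val ISSUER = "https://<subdomain>.onelogin.com/oidc"
val DISCOVERY_URL = "$ISSUER/.well-known/openid-configuration"
val CLIENT_ID = "<your-client-id>"

fun main() {
  val vertx = Vertx.vertx()
  val client = WebClient.create(vertx)

  // Step 1: discovery document -> jwks_uri (never hard-code the certs URL).
  client.getAbs(DISCOVERY_URL).send { disc ->
    if (disc.failed()) { println("discovery failed: ${disc.cause()}"); vertx.close(); return@send }
    val jwksUri = disc.result().bodyAsJsonObject().getString("jwks_uri")

    // Step 2: download the JWK set shown in the answer above.
    client.getAbs(jwksUri).send { jwks ->
      if (jwks.failed()) { println("JWKS fetch failed: ${jwks.cause()}"); vertx.close(); return@send }
      val keys = jwks.result().bodyAsJsonObject().getJsonArray("keys")

      // Step 3: load every public JWK (kty/kid/n/e only, so this provider can
      // verify but never sign) and pin the expected issuer and audience so a
      // token minted by another OneLogin tenant or for another app is rejected.
      val options = JWTAuthOptions()
        .setJWTOptions(JWTOptions().setIssuer(ISSUER).addAudience(CLIENT_ID))
      keys.forEach { options.addJwk(it as JsonObject) }
      val jwtAuth = JWTAuth.create(vertx, options)

      // Step 4: authenticate checks the signature against the key whose kid
      // matches the token header, then exp/nbf, iss and aud.
      val token = "<jwt forwarded by the frontend>"   // placeholder
      jwtAuth.authenticate(JsonObject().put("jwt", token)) { ar ->
        if (ar.succeeded()) {
          println("valid token for sub=${ar.result().principal().getString("sub")}")
        } else {
          println("rejected token: ${ar.cause().message}")
        }
        vertx.close()
      }
    }
  }
}
```

OneLogin rotates keys, so in a real service refresh the JWK set periodically (or on an unknown kid) instead of loading it once at startup.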