
This question is in regard to the jose4j JWT library. I am planning to create a single JwtConsumerBuilder instance for processing all incoming requests. I read here on Stack Overflow and in release notes that JwtConsumerBuilder is multi-thread safe. I also plan to use the setVerificationKey method to validate the signature. When the key expires, I assume I will get an exception. Which type of exception will be returned: InvalidJwtSignatureException or InvalidKeyException?

When such an exception occurs, my plan is to update my global instance of the JwtConsumerBuilder with a new instance after retrieving the updated key through the class HttpsJwksVerificationKeyResolver. Is this a sound approach, or does the resolver take care of this for me?

toddcscar
  • In reading the code in `resolveKey` of class `HttpsJwksVerificationKeyResolver` it looks like this scenario is handled. So the extra coding is not needed. `theChosenOne = verificationJwkSelector.select(jws, jsonWebKeys); if (theChosenOne == null) { httpsJkws.refresh(); ` – toddcscar Jun 25 '16 at 18:56
  • Yes, HttpsJwksVerificationKeyResolver is intended to handle rotation of the keys at the JWKS endpoint (based on the Key ID in the header of the JWT). – Brian Campbell Jun 29 '16 at 11:52
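The setup discussed in the comments above, as an added example that is not part of the original question or comments: one `JwtConsumer` built once with an `HttpsJwksVerificationKeyResolver`, so key rotation at the JWKS endpoint needs no rebuild of the consumer. The class name `TokenValidator`, the URL, issuer, audience and the RS256 choice are assumptions for illustration.

```java
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.ErrorCodes;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

public final class TokenValidator {
    // Placeholder values (assumptions): substitute your issuer's real ones.
    private static final String JWKS_URL = "https://issuer.example/.well-known/jwks.json";
    private static final String ISSUER = "https://issuer.example";
    private static final String AUDIENCE = "my-api";

    // Built once and shared by all request threads.
    private final JwtConsumer consumer;

    public TokenValidator() {
        // HttpsJwks fetches the key set on first use and caches it.
        HttpsJwks jwks = new HttpsJwks(JWKS_URL);
        consumer = new JwtConsumerBuilder()
            .setRequireExpirationTime()
            .setAllowedClockSkewInSeconds(30)
            .setExpectedIssuer(ISSUER)
            .setExpectedAudience(AUDIENCE)
            // Pin the signature algorithm instead of trusting the JWT header.
            // (ConstraintType.PERMIT is named WHITELIST in older jose4j releases.)
            .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256))
            // Selects the key by the JWT's "kid"; refreshes the JWKS when no key matches.
            .setVerificationKeyResolver(new HttpsJwksVerificationKeyResolver(jwks))
            .build();
    }

    /** Returns the validated claims, or throws if the token must be rejected. */
    public JwtClaims validate(String jwt) throws InvalidJwtException {
        try {
            return consumer.processToClaims(jwt);
        } catch (InvalidJwtException e) {
            // Distinguish a bad signature from other failures for logging/alerting.
            if (e.hasErrorCode(ErrorCodes.SIGNATURE_INVALID)) {
                System.err.println("JWT rejected: signature did not verify");
            }
            throw e; // never fall back to accepting the token
        }
    }
}
```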

0 Answers