
I was wondering whether Jose4J handles the redirect HTTP status codes (e.g. 307) when retrieving the JWKS from the OpenID Connect endpoint.

I myself now do the retrieval and pass the JWKS on to Jose4J, so-called out of band. Now when I switched network I got a lot of 307s and wonder if it's wise to let Jose4J do the JWKS retrieval when it supports 307 and the other redirect statuses:

        HttpURLConnection.HTTP_MOVED_TEMP
        HttpURLConnection.HTTP_MOVED_PERM
        HttpURLConnection.HTTP_SEE_OTHER

Thanks!

Jan

JB007

1 Answer

Yes, it will follow redirects when making requests to a JWKS endpoint. org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver uses org.jose4j.jwk.HttpsJwks, which by default uses org.jose4j.http.Get, which in turn uses Java's HttpsURLConnection, which will follow redirects unless the behaviour has been changed at the class level:
https://docs.oracle.com/javase/8/docs/api/java/net/HttpURLConnection.html#setFollowRedirects-boolean-

Brian Campbell