
I've successfully set up JJWT to be used in the authentication process across a series of web services. The problem is that they're created in one web service, but authenticated across multiple services. How can I successfully and safely use the signature while also assuring that all my web services use the same signature to validate incoming JWT?

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.crypto.MacProvider;
import java.security.Key;

// We need a signing key, so we'll create one just for this example. Usually
// the key would be read from your application configuration instead.
Key key = MacProvider.generateKey();

String compactJws = Jwts.builder()
  .setSubject("Joe")
  .signWith(SignatureAlgorithm.HS512, key)
  .compact();

I know that I can use a plain old string with .signWith(Algorithm, String); however, I've been made aware that using a standard Java String (literally) isn't secure enough. I was using something akin to:

String compactJws = Jwts.builder()
  .setSubject("Joe")
  .signWith(SignatureAlgorithm.HS512, "shared complex passphrase")
  .compact();
Shawn

1 Answer

According to RFC 7518 - JSON Web Algorithms (JWA):

A key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with this algorithm. (This requirement is based on Section 5.3.4 (Security Effect of the HMAC Key) of NIST SP 800-117 (sic) [NIST.800-107], which states that the effective security strength is the minimum of the security strength of the key and two times the size of the internal hash value.)

You must use a key of at least 512 bits with HS512.

Keys need to be chosen at random. You can generate the key with MacProvider.generateKey(); or another random generator and distribute it to your servers (for example, encoded in Base64).

An alternative is using an RSA key pair. You use the private key to sign the token and the public key to verify. The public key can be safely published and used by all services.

See also https://security.stackexchange.com/questions/95972/what-are-requirements-for-hmac-secret-key

pedrofb
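Putting the answer's HMAC recommendation into code (an added example, not code from the question or the answer): the issuing side generates a 512-bit key once and exports it as Base64, every service rebuilds the same key from configuration and rejects anything shorter than 512 bits, and a token signed with a different key fails verification. It assumes the JJWT 0.9-era API shown in the question; the class and method names are my own.

```java
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.crypto.MacProvider;
import java.security.Key;
import java.util.Base64;
import javax.crypto.spec.SecretKeySpec;

public class SharedHmacKeyDemo {
    // Run once, on the issuing side: 512 random bits, exported as Base64 so the same
    // value can be placed in every service's configuration (via your secrets store).
    static String exportSharedKey() {
        Key key = MacProvider.generateKey(SignatureAlgorithm.HS512);
        return Base64.getEncoder().encodeToString(key.getEncoded());
    }

    // Run in every service: rebuild the key from the configured Base64 string and
    // refuse anything shorter than the HS512 hash output (64 bytes = 512 bits).
    static Key loadSharedKey(String base64Key) {
        byte[] raw = Base64.getDecoder().decode(base64Key);
        if (raw.length < 64) {
            throw new IllegalArgumentException("HS512 key needs >= 512 bits, got " + raw.length * 8);
        }
        return new SecretKeySpec(raw, SignatureAlgorithm.HS512.getJcaName());
    }

    static String issue(Key key, String subject) {
        return Jwts.builder().setSubject(subject).signWith(SignatureAlgorithm.HS512, key).compact();
    }

    // Signature check: a token signed with any other key throws a JwtException.
    static String verifiedSubject(Key key, String compactJws) {
        return Jwts.parser().setSigningKey(key).parseClaimsJws(compactJws).getBody().getSubject();
    }

    public static void main(String[] args) {
        String configured = exportSharedKey();                  // the value shared through config
        String token = issue(loadSharedKey(configured), "Joe"); // service A signs
        System.out.println(verifiedSubject(loadSharedKey(configured), token)); // service B: Joe

        String foreign = issue(loadSharedKey(exportSharedKey()), "Joe"); // signed with another key
        try {
            verifiedSubject(loadSharedKey(configured), foreign);
        } catch (JwtException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```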