
The API I am building receives JWS tokens. I want to ask clients to set the kid header so I can provide for key rotation. However, JJWT understandably doesn't allow me to read the kid header before I provide the public key for validation:

A signing key must be specified if the specified JWT is digitally signed

But I need the kid header to select the right 'signing' key in the first place. Bit of a chicken-and-egg problem. How should I approach this? Do I just ask my clients to provide the kid value both in the JWS header and as a normal HTTP header?


1 Answer


Ah, heck, already found it. JJWT uses a SigningKeyResolver for this particular case. It allows programmers to inspect headers or claims if these are needed to determine the right key to use. More here:

https://github.com/jwtk/jjwt#jws-read-key-resolver

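Worked example of the resolver approach from the answer above. This is an added illustration, not code from the question, the answer or the JJWT project; it assumes jjwt 0.11.x (jjwt-api, jjwt-impl and jjwt-jackson on the classpath), where the parser is built with Jwts.parserBuilder() and the hook is SigningKeyResolverAdapter. The in-memory key set, the kid values "2019-06" and "2019-09" and the helper class names are constructed for the demo. The practitioner caveats it bakes in: the kid is attacker-controlled input and is only ever used as a lookup key into a fixed allowlist (never as a file path or query fragment), an unknown or missing kid is rejected outright, and the alg header is pinned so a key meant for RS256 cannot be reused with a different algorithm. Newer jjwt (0.12+) deprecates SigningKeyResolver in favour of a key Locator, so check the README for your version.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import io.jsonwebtoken.security.Keys;

import java.security.Key;
import java.security.KeyPair;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/** Added example (not JJWT project code): select the verification key by the JWS kid header. */
public class KidResolverExample {

    // Constructed key set for the demo. In production this map would be loaded from a
    // JWKS endpoint or key store and refreshed on rotation; the kid values are arbitrary.
    private final Map<String, KeyPair> keysByKid;

    KidResolverExample(Map<String, KeyPair> keysByKid) {
        this.keysByKid = Collections.unmodifiableMap(new HashMap<>(keysByKid));
    }

    /** Resolver invoked by the parser after the header is decoded but before the signature is checked. */
    private final SigningKeyResolverAdapter resolver = new SigningKeyResolverAdapter() {
        @Override
        public Key resolveSigningKey(JwsHeader header, Claims claims) {
            // Pin the algorithm: a key is bound to one algorithm, so reject anything else up front.
            if (!SignatureAlgorithm.RS256.getValue().equals(header.getAlgorithm())) {
                throw new JwtException("unexpected alg: " + header.getAlgorithm());
            }
            String kid = header.getKeyId();
            if (kid == null || kid.isEmpty()) {
                throw new JwtException("missing kid header");
            }
            // kid is untrusted input: only use it as a map lookup against the allowlisted key set.
            KeyPair pair = keysByKid.get(kid);
            if (pair == null) {
                throw new JwtException("unknown kid: " + kid);
            }
            return pair.getPublic();
        }
    };

    /** Verify the compact JWS and return its claims; throws JwtException on any failure. */
    public Claims verify(String compactJws) {
        Jws<Claims> jws = Jwts.parserBuilder()
                .setSigningKeyResolver(resolver)
                .build()
                .parseClaimsJws(compactJws);
        return jws.getBody();
    }

    /** Client side: sign with the private half of the named key and advertise its kid in the header. */
    public static String issue(String kid, KeyPair pair, String subject) {
        return Jwts.builder()
                .setHeaderParam(JwsHeader.KEY_ID, kid)
                .setSubject(subject)
                .signWith(pair.getPrivate(), SignatureAlgorithm.RS256)
                .compact();
    }

    public static void main(String[] args) {
        // Two generations of keys, as they would coexist during a rotation window.
        Map<String, KeyPair> keys = new HashMap<>();
        keys.put("2019-06", Keys.keyPairFor(SignatureAlgorithm.RS256));
        keys.put("2019-09", Keys.keyPairFor(SignatureAlgorithm.RS256));
        KidResolverExample api = new KidResolverExample(keys);

        // Tokens signed with either active key verify, the resolver picks the matching public key.
        String oldToken = issue("2019-06", keys.get("2019-06"), "alice");
        String newToken = issue("2019-09", keys.get("2019-09"), "bob");
        System.out.println("sub=" + api.verify(oldToken).getSubject());   // alice
        System.out.println("sub=" + api.verify(newToken).getSubject());   // bob

        // A token that names a kid not in the key set is rejected before any signature work.
        KeyPair rogue = Keys.keyPairFor(SignatureAlgorithm.RS256);
        String rogueToken = issue("2020-01", rogue, "mallory");
        try {
            api.verify(rogueToken);
            System.out.println("BUG: rogue token accepted");
        } catch (JwtException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the resolver gets the decoded header before verification, the client only needs to send kid inside the JWS; a duplicate HTTP header is unnecessary and would just be a second untrusted copy to reconcile. Keep the retiring key in the map until the last token signed with it has expired, then drop it so its kid is rejected.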