1

Based on this documentation: https://www.ibm.com/support/knowledgecenter/de/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_sec_json.html it is possible to add the verification key to the keystore or hardcode it during design time. The problem I have is that I get the verification key during runtime via a Cloud Foundry service binding. So I would have to extract this key at runtime from my VCAPs. Any idea where I should look?

Inkvine
  • First you might see if the vcaps support jwk, which is retrieval of the key from a public url. If they do, mp-jwt will retrieve it for you once you add the jwksuri to your configuration, like `jwksUri="https://example.com/api/jwk"` – Bruce T. Aug 07 '19 at 13:20
  • For integration with Spring framework you must set the property `spring.security.oauth2.resourceserver.jwt.jwk-set-uri={jwk_token_keys_url}` – Johannes Staehlin Aug 08 '19 at 08:44

1 Answer

1

If the key can be retrieved via jwks, then mp-jwt will do it for you, given the jwks url to fetch it from. Otherwise, your code can retrieve it and set one of these as an environment variable or system property:

`mp.jwt.verify.publickey` - specify the key in PEM format as a string.

`mp.jwt.verify.publickey.location` - specify the text file that contains the key in PEM format.

Bruce T.
  • Thank you so much! – Inkvine Aug 08 '19 at 15:05
  • Just an additional question and remark. What I face the whole time (coming from Spring Boot - OpenLiberty and MicroProfile is a feasibility project right now) is the lack of having properties that are bound to the VCAPS. Is there a good approach of how to inject these variables as custom variables into the server.xml configuration? I mean we would just have to parse the JSON and extract some values out of it. Thanks once again for your support! @bruce-t – Inkvine Aug 08 '19 at 15:25
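
One way to do what the answer describes, as an added example that is not part of the original thread and not Open Liberty's own code: a MicroProfile Config `ConfigSource` that reads `VCAP_SERVICES` at startup, checks that the bound value really is a public key, and supplies it as `mp.jwt.verify.publickey`. The service label `my-auth-service`, the credentials field `verificationkey`, the RSA key type, the `javax.json` API, and the mpJwt feature reading this property through MicroProfile Config are all assumptions.

```java
// Added example: register this class in
// META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource
import java.io.StringReader;
import java.security.KeyFactory;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonReader;
import org.eclipse.microprofile.config.spi.ConfigSource;

public class VcapJwtKeyConfigSource implements ConfigSource {
    private static final String SERVICE_LABEL = "my-auth-service"; // assumed: label of the bound service
    private static final String KEY_FIELD = "verificationkey";     // assumed: credentials field with the PEM key
    private final Map<String, String> props;

    public VcapJwtKeyConfigSource() {
        // No VCAP_SERVICES (e.g. local run): contribute nothing, other config sources apply.
        String vcap = System.getenv("VCAP_SERVICES");
        props = vcap == null ? Collections.<String, String>emptyMap()
                : Collections.singletonMap("mp.jwt.verify.publickey", extractPem(vcap));
    }

    // Pulls the key out of the binding and re-emits it as well-formed PEM.
    static String extractPem(String vcapJson) {
        try (JsonReader reader = Json.createReader(new StringReader(vcapJson))) {
            JsonObject creds = reader.readObject().getJsonArray(SERVICE_LABEL)
                    .getJsonObject(0).getJsonObject("credentials");
            String body = creds.getString(KEY_FIELD)
                    .replaceAll("-----(BEGIN|END) PUBLIC KEY-----", "").replaceAll("\\s", "");
            byte[] der = Base64.getDecoder().decode(body);
            // Fail at startup if the value is not an X.509-encoded RSA public key (RSA is assumed).
            KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
            String b64 = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der);
            return "-----BEGIN PUBLIC KEY-----\n" + b64 + "\n-----END PUBLIC KEY-----";
        } catch (Exception e) {
            // Missing binding, missing field or malformed key: refuse to start without a key.
            throw new IllegalStateException("No usable JWT verification key in VCAP_SERVICES", e);
        }
    }

    @Override public Map<String, String> getProperties() { return props; }
    @Override public Set<String> getPropertyNames() { return props.keySet(); }
    @Override public String getValue(String name) { return props.get(name); }
    @Override public String getName() { return "vcap-jwt-key"; }
}
```

Implementing both `getProperties()` and `getPropertyNames()` lets the class compile against MicroProfile Config 1.x and 2.x, which differ in which of the two is abstract.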