Questions tagged [jose4j]

The jose4j library is an open source (Apache 2.0) implementation of JWT and the JOSE specification suite. It is written in Java and relies solely on the JCA APIs for cryptography.

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. JWT is the identity token format in OpenID Connect and it is also widely used in OAuth 2.0 and many other contexts that require compact message security.

JOSE is short for Javascript Object Signing and Encryption, which is the IETF Working Group that developed the JSON Web Signature (JWS), JSON Web Encryption (JWE) and JSON Web Key (JWK) specifications. JWS and JWE use JSON and base64url encoding to secure messages in a (relatively) simple, compact and web safe format while JWK defines a JSON representation of cryptographic keys. The actual algorithms for JWS, JWE and JWK are defined in JSON Web Algorithms (JWA). The library supports the JWS/JWE compact serializations with the complete suite of JOSE algorithms.

The homepage for jose4j is at: https://bitbucket.org/b_c/jose4j/wiki/Home

84 questions
1 vote, 1 answer

Jose4j: Unable to find a suitable verification key for JWS w/ header

The verification fails because key_ops does not meet the criteria of the SimpleJwkFilter created from static method filterForInboundSigned(JsonWebSignature jws) in SelectorSupport. The public key looks something like this: { "kid": "xxx", "use":…
Daniel
1 vote, 1 answer

Validate expired oidc token with jose4j

On our endpoint, we get an OIDC token and a refresh token. When the OIDC token has expired, we want to refresh the token using the provided refresh token. Currently, except for disabling all default validators, I see no way to only exclude expiry…
LG87
1 vote, 1 answer

Jose4j: HttpsJwks thread safe?

Anyone know if HttpsJwks usage is thread safe? We got about 60 - 100 calls per second in an application where we are going to use HttpsJwks, but I don't see any locking when it comes to refreshing Jwks. Also, HttpsJwksVerificationKeyResolver…
Kenneth Gunnerud
1 vote, 2 answers

How to Decode JWT RS256 token using .cer file Provided?

I am converting Certificate to publickey and passing to JwtConsumer using below code: jwt =…
Balu mallisetty
1 vote, 1 answer

jose4j JWT's claims set's attribute type other than string object

I have been using jose4j version 0.6.0 for JSON Web Token (JWT) generation. All is good up until token generation, token verification. JWT's claims payload can have number of elements like version, tokenId, issuer, permissions etc. I'm passing…
Chaitan Yadav
1 vote, 1 answer

JOSE4J: How to create a RsaJsonWebKey object from a JSON representation of RsaJsonWebKey

I want to save with JOSE4J the JSON representation of a RsaJsonWebKey object in JSON format and then recreate a RsaJsonWebKey object from it again. I have the marshalling part: RsaJsonWebKey rsaJsonWebKey = RsaJwkGenerator.generateJwk(2048); String…
JB007
1 vote, 2 answers

Why does my Jose4j JSON Web Key cause this InvalidKeyException?

I am using Jose4j to perform the encryption of a JSON Web Token in Java. I create a key as a String in JSON format to pass to the JsonWebKey.Factory.newJwk method, thus: String jwkJson = "{\"kty\":\"oct\",\"k\":\"5uP3r53cR37k3yPW\"}"; I pass it…
MrRed
1 vote, 1 answer

How to set proxy server for Json Web Keys

I'm trying to build JWKS object for google JSON web keys to verify the signature of JWT token received from google. Inside our corporate environment, we need to set the proxy server to reach out external one. Below code runs outside the corporate…
Ashok
1 vote, 1 answer

Identifying the user using jwt token authentication

I am using jersey rest webservice along with JWT with RSA signature token feature for authentication. I was able to successfully create and send token to the front-end. Now after I have achieved this far I am confused about verifying token and also…
kittu
1 vote, 1 answer

Using JWT with Google App Engine

I'm trying to adapt this example to use with GAE: https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples Above example requires a private key (secret) to sign JWT header + payload. AppIdentityService provides a way to sign arbitrary bytes but it does…
tj-recess
0 votes, 2 answers

How to decrypt a JWE using JOSE4J using public key

Feel kind of out of my depth here. I have a message that I'm trying to encrypt on a react front end using a public key and the jose library. Then that message will be sent to the java back end and needs to be decrypted by the same public key so that…
stor314
0 votes, 1 answer

PlayIntegrity response decryption got javax.crypto.AEADBadTagException: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT

I am trying to decode the response from Google Play Integrity in Android client. I followed the steps from here. Decoding from server works however decoding locally results in this exception: stackTrace = {StackTraceElement[18]@28628} 0 =…
rysv
0 votes, 1 answer

Significance of setRelaxVerificationKeyValidation() in JwtConsumerBuilder() while validating the JWT

val jwtConsumer = JwtConsumerBuilder() .setVerificationKey(getPublicKeyFromPEMString(publicKeyAuth)) // verify the signature with the public key .setRelaxVerificationKeyValidation() // needed if the key is smaller than 256 bits …
Benjamin
0 votes, 0 answers

How to include Request Body in JWT signature

How do I add request JSON body in JWT Signature? JWT authorization header is only used for security purpose which means basically claims are security related information or requester details. How can I include post request body in JWT signature…
VJ496
0 votes, 2 answers

How to customize jwt parsing in Quarkus?

I'm using smallrye.jwt as authorization tool. My quarkus app does not generate jwt tokens, but verifies them having secret key. Problem is that incoming tokens have sub claim of non-string type, but parser expects java.lang.String (I receive 45…
E. Dn