Questions tagged [jose4j]

The jose4j library is an open source (Apache 2.0) implementation of JWT and the JOSE specification suite. It is written in Java and relies solely on the JCA APIs for cryptography.

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. JWT is the identity token format in OpenID Connect and it is also widely used in OAuth 2.0 and many other contexts that require compact message security.

JOSE is short for Javascript Object Signing and Encryption, which is the IETF Working Group that developed the JSON Web Signature (JWS), JSON Web Encryption (JWE) and JSON Web Key (JWK) specifications. JWS and JWE use JSON and base64url encoding to secure messages in a (relatively) simple, compact and web safe format while JWK defines a JSON representation of cryptographic keys. The actual algorithms for JWS, JWE and JWK are defined in JSON Web Algorithms (JWA). The library supports the JWS/JWE compact serializations with the complete suite of JOSE algorithms.

The homepage for jose4j is at: https://bitbucket.org/b_c/jose4j/wiki/Home

84 questions
0 votes, 1 answer

jose4j: how to set full serialization input?

Is there a way to set a JWE full serialization input with jose4j? For example, what goes in the TODO below? public String decryptJWE(PrivateKey privateKey, String payload, boolean compact) throws JoseException { JsonWebEncryption jwe = new…
Kevin
0 votes, 1 answer

Quarkus MicroProfile JWT auth via JWKS

I'm attempting to use a JWKS endpoint to supply a public key for verifying a JWT signature. In my application.properties, I've set the following: mp.jwt.verify.publickey.location = http://localhost:1080/jwks It appears that this is indeed being…
Jim Wharton
0 votes, 1 answer

Does jose4j take care of Azure Signing Key rollover automatically?

I am implementing jose4j in my Java application to verify the signature of the access token issued by Azure. The application works fine, however, I came across this documentation about Signing Key rollover. Does jose4j take care of it automatically…
rakhi4110
0 votes, 0 answers

Quarkus Microprofile JWT - Alternate quarkus.smallrye-jwt.auth-mechanism

I'm trying out the Quarkus JWT quickstart. But when I use the token that I normally use in my Spring application, I get the following error. rejected due to invalid claims. Additional details: [[17] Unexpected exception thrown from validator…
Antho Christen
0 votes, 1 answer

wso2am-2.6.0 invalid jwt signature

Enabling JWT signature for backend services in WSO2AM-2.6.0 (6.x branch) true X-JWT-Assertion
gusto2
0 votes, 1 answer

Verifying JWT using jsonwebtoken in node.js with a token generated by jose4j HMAC_SHA256

OK, so I have a Back-end Java service that is generating JWTs using the jose4j library. This is already in production and we have several other Java services that are verifying these tokens and it all works just fine. I'm now trying to create a…
Jacob Miles
0 votes, 2 answers

How to convert String to Private Key and set it to JsonWebSignature

I already have a private key stored in a database as varchar2 and stored in a variable named Key as shown in code. Below is my piece of code to set this private key to JsonWebSignature but I am getting an error like The method setKey(Key) in the…
rahul kumar
0 votes, 0 answers

Why is my Azure Access Token JWT failing java signature validation?

I'm having trouble validating an access token I receive from Azure in my Java web app. The jose4j library's signature.verifySignature() is simply returning false. Could someone please help me understand what I'm doing wrong? I have successfully…
SnoopDougg
0 votes, 1 answer

jose4j algorithm mismatch between signed JWT and JWK

During unit testing I noticed some expected behavior regarding the. I used your code to generate a RsaJsonWebKey keypair. Once created I set the algorithm to RS512. I created a public JWK based off of that. At that point, the keypair and the JWK…
obertja
0 votes, 0 answers

jose4j the reverse of the JSONAware

I have used the brilliant JSONAware interface (with the method toJSONString) on jose4j so that I can add a complex JSON structure under a single claim - it generates just what I wanted the JWT to look like. However now I'm trying to extract the same…
Rob
0 votes, 1 answer

How can I publish and consume keys from a URL?

I want to expose public keys on a URL, I think something like this: return keySet.toJson(OutputControlLevel.PUBLIC_ONLY); but when I try to consume from the URL: HttpsJwks keyUrl = new…
adrian
0 votes, 1 answer

Does Jose4J handle an HTTP Status 307 (temporarily redirect)

I was wondering whether Jose4J handles the redirect HTTP status codes (e.g. 307) when retrieving the JWKS from the OpenID Connect Endpoint. I myself now do the retrieval and pass on the JWKS to Jose4J so called out of band. Now when I switched…
JB007
0 votes, 1 answer

Jose RSAPrivateKey and JsonWebKey Database Storage

I am trying to use Jose (https://bitbucket.org/b_c/jose4j/wiki/Home) to generate a signed JsonWebToken. I am running into a problem creating the RsaKeyPairs that I need to use in the signature of the token. This is the code I am using to generate…
daoud175
0 votes, 1 answer

Is there a page maintained on Jose4J vulnerabilities if any posted on bitbucket?

I am looking for a vulnerabilities list for JOSE4J if any. We want to apply the library in our product to validate Azure AD tokens and generate so called entitlement tokens which contain more product related data, we like the library a lot, but the…
JB007
0 votes, 1 answer

How do I disable jose4j log messages through my log4j config?

I am using jose4j in a Java application that I am working on. It is a JSON web token library, and I've found that putting the package name inside my log4j config file does nothing to quiet the (many) debug logging messages that I am seeing from this…
Zack