- What is OpenID Connect?
- Create OpenID Client Application using Auth0
- A Basic Java Web Application to Understand OpenID Connect using Auth0
- What is JWT?
- Java Auth0 OpenID Connect JWT Signature Verification - You Are Here!
This application uses the RS256 algorithm for the JSON Web Token (JWT) signature. To check which algorithm the client application's tokens are signed with, navigate to Advanced Settings in the Application Settings section and select the OAuth tab.
RS256 is RSASSA-PKCS1-v1_5 with SHA-256: the authorization server hashes the token's header and payload with SHA-256 and signs that hash with its RSA private key. Nothing is encrypted here; a signature is verified, not decrypted. The client therefore needs the server's RSA public key to check the signature during validation. For this purpose Auth0 makes the signing certificate, which carries that public key, available to the client application. Navigate to Advanced Settings in the Application Settings section and select the Certificates tab to download the certificate of the authorization server.
I downloaded the certificate in CER format, but the validation code below reads the public key from a JKS (Java KeyStore) file, so the CER file has to be imported into a keystore first:
keytool -import -trustcacerts -alias oidc-app -file downloaded.cer -keystore keystore.jks -storepass changeit
Answer yes when keytool asks whether to trust the certificate. As a result, keystore.jks is created in the current directory. (On JDK 9 and later keytool writes a PKCS12 keystore by default even when the file is named .jks; add -storetype JKS to force the JKS format. KeyStore.load reads either format.)
Take note of the alias (oidc-app), the keystore file name (keystore.jks) and the keystore password (changeit); the validation code needs them to read the authorization server's public key out of the keystore.
The method validateJWTSignature below verifies the given JWT against the certificate stored in the keystore and returns true if the signature is valid, false otherwise. A valid signature only proves that the token was issued by the holder of the matching private key; the client must still check the claims (issuer, audience, expiry) before trusting the token.
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;

public boolean validateJWTSignature(String jwt) throws Exception {
    String keyfile = "keystore.jks";   // on the classpath, e.g. src/main/resources
    String storepass = "changeit";
    String alias = "oidc-app";
    // Load the keystore that holds the authorization server's certificate
    KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream file = this.getClass().getClassLoader().getResourceAsStream(keyfile)) {
        if (file == null) {
            throw new IllegalStateException("keystore not found on classpath: " + keyfile);
        }
        keystore.load(file, storepass.toCharArray());
    }
    // Get the certificate stored under the alias, then its RSA public key
    Certificate cert = keystore.getCertificate(alias);
    if (cert == null) {
        throw new IllegalStateException("no certificate under alias: " + alias);
    }
    RSAPublicKey publicKey = (RSAPublicKey) cert.getPublicKey();
    // Parse the received compact JWT and check its RS256 signature with the public key
    SignedJWT signedJWT = SignedJWT.parse(jwt);
    JWSVerifier verifier = new RSASSAVerifier(publicKey);
    return signedJWT.verify(verifier);
}
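To make concrete what RS256 verification actually does (hash the signing input, sign the hash with the private key, verify with the public key; nothing is decrypted), here is an added example that uses only JDK classes instead of the nimbus library. It is not part of the original tutorial or of Auth0's code. A freshly generated RSA key pair is an assumption standing in for the Auth0 signing key and its certificate, and the header and claims are constructed sample values. The example signs a compact JWT, verifies it, then shows that a tampered payload and a token signed by a different key both fail verification, and that the alg header is pinned to RS256 before any cryptography runs.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

// Added example (not from the tutorial): RS256 sign/verify with plain JDK classes.
// The RSA key pair generated in main() is an assumption that stands in for the
// Auth0 tenant's signing key and the certificate downloaded from the dashboard.
public class Rs256Demo {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    // RS256 = RSASSA-PKCS1-v1_5 with SHA-256; in the JCA this is "SHA256withRSA".
    // The signing input is the ASCII bytes of base64url(header) + "." + base64url(payload).
    static String sign(String headerJson, String payloadJson, PrivateKey key) throws Exception {
        String signingInput = b64(headerJson) + "." + b64(payloadJson);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }

    // Verify a compact JWS with the issuer's public key. Signature.verify recomputes the
    // SHA-256 hash over header.payload and checks the RSA signature against it; the public
    // key decrypts nothing. The "alg" header is pinned to RS256 so a token that merely claims
    // another algorithm (e.g. "none" or HS256) is refused before any crypto runs. A real
    // implementation would parse the header JSON instead of this string check.
    static boolean verify(String jwt, PublicKey key) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.contains("\"alg\":\"RS256\"")) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(B64D.decode(parts[2]));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair issuer = gen.generateKeyPair();   // stands in for the Auth0 signing key

        // Constructed sample header and claims (issuer and audience are placeholders)
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String payload = "{\"iss\":\"https://example.auth0.com/\",\"sub\":\"auth0|123\",\"aud\":\"oidc-app\"}";

        String jwt = sign(header, payload, issuer.getPrivate());
        System.out.println("genuine token verifies:        " + verify(jwt, issuer.getPublic()));

        // Tampering: change the payload but keep the original signature -> hash no longer matches
        String[] parts = jwt.split("\\.");
        String forged = parts[0] + "." + b64(payload.replace("auth0|123", "auth0|999")) + "." + parts[2];
        System.out.println("tampered token verifies:       " + verify(forged, issuer.getPublic()));

        // Wrong issuer: a token signed with someone else's private key does not verify
        KeyPair other = gen.generateKeyPair();
        String foreign = sign(header, payload, other.getPrivate());
        System.out.println("other issuer's token verifies: " + verify(foreign, issuer.getPublic()));

        // Algorithm not pinned to RS256: refused without touching the key
        String none = b64("{\"alg\":\"none\",\"typ\":\"JWT\"}") + "." + b64(payload) + ".";
        System.out.println("alg=none token verifies:       " + verify(none, issuer.getPublic()));
    }
}
```

The same SHA256withRSA check is what the page's RSASSAVerifier performs for RS256 internally; the point of spelling it out is that verification compares a recomputed hash against the signature, and that the algorithm the token claims must be fixed by the verifier, not taken from the token.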