
JSON Web Key (JWK) selectors

Release 2.21 of the Nimbus Java library for encoding and decoding JSON Web Tokens (JWT) includes a handy selector for matching one or more JSON Web Keys (JWK) from a set according to chosen criteria.

OpenID Connect servers and clients that use public / private key cryptography publish their JWKs in a JSON file that the other party needs to process in order to extract the relevant key(s). For example, a client that needs to verify an RSA-signed ID token will have to get the server’s JWK set and find the matching public key used for the signature. The new utility class can help you with just that.

It is called com.nimbusds.jose.jwk.JWKSelector and supports key selection by:

  • Any, unspecified, one or more key types (kty).
  • Any, unspecified, one or more key uses (use).
  • Any, unspecified, one or more key algorithms (alg).
  • Any, unspecified, one or more key identifiers (kid).
  • Private keys only.
  • Public keys only.

Example usage:

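import java.util.List;

import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.Use;

// Create a new JWK selector and configure it
JWKSelector selector = new JWKSelector();

// Select public keys only
selector.setPublicOnly(true);

// RSA keys only
selector.setKeyType(KeyType.RSA);

// Signature use, or no key use specified (null)
selector.setKeyUses(Use.SIGNATURE, null);

// Apply the selector to a previously parsed JWKSet
List<JWK> matches = selector.select(jwkSet);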

The complete configuration options of the JWK selector can be found in the JavaDocs.
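
The ID token case described above, as an added example that is not from the original post or the library's own code: it picks the verification key by the kid from the token header and fails closed unless exactly one public RSA signature key matches. The class name, the sample JWK set and its kid values are constructed for illustration; setKeyID and setAlgorithms are assumed to be the selector's setters for the kid and alg criteria listed above, and a null algorithm is assumed to mean "unspecified" as it does for key uses, so check both against the JavaDocs for your version.

```java
import java.text.ParseException;
import java.util.List;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.Use;

public class IdTokenKeySelection {

    // Constructed sample JWK set; the "n" values are placeholders, not real moduli
    static final String JWKS_JSON = "{\"keys\":["
        + "{\"kty\":\"RSA\",\"use\":\"sig\",\"alg\":\"RS256\",\"kid\":\"2013-a\",\"n\":\"AQAB\",\"e\":\"AQAB\"},"
        + "{\"kty\":\"RSA\",\"use\":\"enc\",\"kid\":\"2013-b\",\"n\":\"AQAB\",\"e\":\"AQAB\"}"
        + "]}";

    // Returns the single public RSA signature key with the given kid, or throws
    static JWK selectVerificationKey(JWKSet jwkSet, String kid) {
        if (kid == null) {
            throw new IllegalArgumentException("Token header carries no kid");
        }
        JWKSelector selector = new JWKSelector();
        selector.setPublicOnly(true);              // never verify with a private JWK
        selector.setKeyType(KeyType.RSA);
        selector.setKeyUses(Use.SIGNATURE, null);  // "sig" or no use specified
        // The algorithm is pinned by client configuration, not read from the token
        selector.setAlgorithms(JWSAlgorithm.RS256, null);
        selector.setKeyID(kid);

        List<JWK> matches = selector.select(jwkSet);
        if (matches.size() != 1) {
            // Fail closed on a missing key or an ambiguous kid
            throw new IllegalStateException("Expected 1 key for kid " + kid + ", found " + matches.size());
        }
        return matches.get(0);
    }

    public static void main(String[] args) throws ParseException {
        JWKSet jwkSet = JWKSet.parse(JWKS_JSON);
        System.out.println(selectVerificationKey(jwkSet, "2013-a").getKeyID());
        try {
            selectVerificationKey(jwkSet, "2013-b"); // encryption key, so no match
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```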

The latest version of the Nimbus JOSE+JWT library is available in Maven Central.

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>2.21</version>
</dependency>