
Nimbus JOSE + JWT 4.1 adds support for JWK thumbprints

The latest 4.1 release of the Nimbus JOSE + JWT library adds support for computing JSON Web Key (JWK) thumbprints as specified in RFC 7638.

JWK thumbprints are intended to provide unique hashes of RSA, EC and shared secret key material. These may for example be used as key ID (kid) header parameters in JWS and JWE objects. OpenID Connect also uses them for self-issued identity providers.

Example usage:

import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.Base64URL;

// Create or parse RSA JWK
RSAKey rsaJWK = new RSAKey.Builder(...).build();

// SHA-256 is the default hash for JWK thumbprints
Base64URL thumbprintSHA256 = rsaJWK.computeThumbprint();

// The hash algorithm may be specified explicitly
Base64URL thumbprintSHA1 = rsaJWK.computeThumbprint("SHA-1");

The thumbprints are returned as a BASE64URL encoded byte array.

To get the string representation of the BASE64URL:

String b64URLString = thumbprintSHA256.toString();

To get the underlying byte array:

byte[] bytes = thumbprintSHA256.decode();

To get the thumbprint as a big integer:

BigInteger bigInt = thumbprintSHA256.decodeToBigInteger();
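
The following is an added example, not code from the Nimbus library or the original post. It uses only the JDK to show the RFC 7638 construction behind a thumbprint: the required members for the key type, in lexicographic order, serialised without whitespace and then hashed. This is why optional members such as kid or use, and the member order, do not change the result. The class name and the sample key are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class JwkThumbprintDemo {
    // Required members per key type, already in lexicographic order (RFC 7638, section 3.2)
    static String[] requiredMembers(String kty) {
        switch (String.valueOf(kty)) {
            case "RSA": return new String[] {"e", "kty", "n"};
            case "EC":  return new String[] {"crv", "kty", "x", "y"};
            case "oct": return new String[] {"k", "kty"};
            default: throw new IllegalArgumentException("Unsupported kty: " + kty);
        }
    }

    // Hash the canonical JSON: required members only, sorted, no whitespace.
    // Assumes values are base64url strings or registered names (no JSON escaping needed).
    static String thumbprint(Map<String, String> jwk, String hashAlg) throws Exception {
        StringBuilder json = new StringBuilder("{");
        for (String name : requiredMembers(jwk.get("kty"))) {
            String value = jwk.get(name);
            if (value == null) throw new IllegalArgumentException("Missing member: " + name);
            if (json.length() > 1) json.append(',');
            json.append('"').append(name).append("\":\"").append(value).append('"');
        }
        json.append('}');
        byte[] digest = MessageDigest.getInstance(hashAlg)
                .digest(json.toString().getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample octet sequence key, not a real secret
        Map<String, String> bare = new LinkedHashMap<>();
        bare.put("kty", "oct");
        bare.put("k", "c2FtcGxlLWtleQ");
        // Same key material with optional metadata and a different member order
        Map<String, String> annotated = new LinkedHashMap<>();
        annotated.put("kid", "2015-09");
        annotated.put("k", "c2FtcGxlLWtleQ");
        annotated.put("kty", "oct");
        String t1 = thumbprint(bare, "SHA-256");
        String t2 = thumbprint(annotated, "SHA-256");
        System.out.println(t1 + " equal=" + t1.equals(t2));
    }
}
```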

Download

Update 2015-09-21: The original thumbprint routine for octet sequence keys contained a bug, which was fixed in 4.1.1. Thanks to Brian Campbell for spotting this.

The Maven dependency for the 4.1.1 release:

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>4.1.1</version>
</dependency>

For other methods check out the downloads page.
