JSON Web Key (JWK) selectors

OpenID Connect servers and clients that use public/private key cryptography publish their JWKs in a JSON file (a JWK set) that the relying party needs to process in order to extract the relevant key(s). For example, a client that needs to verify an RSA-signed ID token will have to get the server’s JWK set and find the matching public key used for the signature.

The following utility class can help you with that:

com.nimbusds.jose.jwk.JWKSelector

It supports key selection by:

  • Any, unspecified, one or more key types (kty).
  • Any, unspecified, one or more key uses (use).
  • Any, unspecified, one or more key operations (key_ops).
  • Any, unspecified, one or more key algorithms (alg).
  • Any, unspecified, one or more key identifiers (kid).
  • Private keys only.
  • Public keys only.
  • Minimum, maximum or exact key sizes (in bits).
  • Any, unspecified, one or more curves for EC keys (crv).

Example code: selecting an RSA public key that matches the key ID "123456":

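import java.util.*;
import com.nimbusds.jose.jwk.*;

// jwkSet is a com.nimbusds.jose.jwk.JWKSet that has already been loaded,
// e.g. the server's published JWK set.
List<JWK> matches = new JWKSelector(
    new JWKMatcher.Builder()
        .keyType(KeyType.RSA)   // kty must be RSA
        .keyID("123456")        // kid must equal "123456"
        .publicOnly(true)       // skip entries that carry private key parameters
        .build()
    ).select(jwkSet);

// select() returns an empty list when nothing matches
System.out.println("Found " + matches.size() + " matching JWKs");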

The complete configuration options of the JWK selector can be found in the JavaDocs.
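The following is an added example, not code from the Nimbus documentation: it combines several of the criteria listed above to pick the verification key for an RSA-signed ID token and fails closed unless exactly one key matches. The class name, the `selectVerificationKey` helper, the 2048-bit minimum and the generated sample keys are assumptions made for the illustration.

```java
import java.util.*;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.*;

public class VerificationKeySelection {

    // Hypothetical helper: returns the single RSA public signature key with
    // the given kid, or throws if the set has no such key or more than one.
    static RSAKey selectVerificationKey(JWKSet jwkSet, String kid) {
        List<JWK> matches = new JWKSelector(
            new JWKMatcher.Builder()
                .keyType(KeyType.RSA)
                .keyID(kid)
                // Only keys marked use=sig; keyUses(KeyUse.SIGNATURE, null)
                // would also accept keys that leave "use" unspecified.
                .keyUse(KeyUse.SIGNATURE)
                .publicOnly(true)   // ignore entries carrying private parameters
                .minKeySize(2048)   // reject undersized RSA moduli
                .build()
            ).select(jwkSet);

        if (matches.size() != 1) {
            // Fail closed: do not fall back to "any key in the set".
            throw new IllegalStateException(
                "Expected 1 key for kid " + kid + ", found " + matches.size());
        }
        return (RSAKey) matches.get(0);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample set: kid "123456" is reused by an encryption key
        // and an EC key, so the kid alone does not identify the right key.
        JWKSet jwkSet = new JWKSet(Arrays.<JWK>asList(
            new RSAKeyGenerator(2048).keyID("123456")
                .keyUse(KeyUse.ENCRYPTION).generate().toPublicJWK(),
            new ECKeyGenerator(Curve.P_256).keyID("123456")
                .keyUse(KeyUse.SIGNATURE).generate().toPublicJWK(),
            new RSAKeyGenerator(2048).keyID("123456")
                .keyUse(KeyUse.SIGNATURE).generate().toPublicJWK()));

        RSAKey key = selectVerificationKey(jwkSet, "123456");
        System.out.println("Selected " + key.getKeyType() + " key, use=" + key.getKeyUse());

        try {
            selectVerificationKey(jwkSet, "unknown-kid");
        } catch (IllegalStateException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```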