JSON Web Key (JWK) selectors
OpenID Connect servers and clients that use public / private key cryptography publish their JWKs in a JSON file that the relying party needs to process in order to extract the relevant key(s). For example, a client that needs to verify an RSA-signed ID token will have to get the server’s JWK set and find the matching public key used for the signature.
The JWKSelector utility class, configured with a JWKMatcher, can help you with that.
It supports key selection by:
- Any, unspecified, one or more key types (kty).
- Any, unspecified, one or more key uses (use).
- Any, unspecified, one or more key operations (key_ops).
- Any, unspecified, one or more key algorithms (alg).
- Any, unspecified, one or more key identifiers (kid).
- Private keys only.
- Public keys only.
- Minimum, maximum or exact key sizes (in bits).
- Any, unspecified, one or more curves for EC keys (crv).
Example code: selecting an RSA public key that matches the key ID "123456":
```java
import java.util.*;
import com.nimbusds.jose.jwk.*;

// jwkSet is a previously loaded com.nimbusds.jose.jwk.JWKSet,
// e.g. the server's published JWK set
List<JWK> matches = new JWKSelector(
    new JWKMatcher.Builder()
        .keyType(KeyType.RSA)
        .keyID("123456")
        .build()
).select(jwkSet);

System.out.println("Found " + matches.size() + " matching JWKs");
```
The complete configuration options of the JWK selector can be found in the JavaDocs.
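The selection criteria listed above can be combined so that signature verification fails closed when the key set holds no key, or more than one key, that fits. The following is an added example, not code from the library's own documentation: the class name `SelectVerificationKey`, the method `selectRsaVerificationKey`, the key IDs and the payload are constructed for illustration, and it assumes a Nimbus JOSE+JWT release that ships the `com.nimbusds.jose.jwk.gen` key generators and Java 9 or later.

```java
import java.util.List;
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.*;

public class SelectVerificationKey {   // hypothetical class name

    // Returns the single key permitted to verify this header, or throws.
    static RSAKey selectRsaVerificationKey(JWSHeader header, JWKSet jwkSet) {
        if (header.getKeyID() == null) {
            throw new IllegalStateException("JWS header carries no key ID");
        }
        List<JWK> matches = new JWKSelector(
            new JWKMatcher.Builder()
                .keyType(KeyType.RSA)             // key family expected for RS256
                .keyID(header.getKeyID())
                .keyUses(KeyUse.SIGNATURE, null)  // "sig", or use left unspecified
                .publicOnly(true)                 // never accept private key material
                .minKeySize(2048)                 // reject undersized moduli
                .build()
        ).select(jwkSet);
        if (matches.size() != 1) {
            throw new IllegalStateException("Expected 1 verification key, found " + matches.size());
        }
        return matches.get(0).toRSAKey();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample keys standing in for a server's key material
        RSAKey sigKey = new RSAKeyGenerator(2048).keyID("123456").keyUse(KeyUse.SIGNATURE).generate();
        RSAKey encKey = new RSAKeyGenerator(2048).keyID("enc-1").keyUse(KeyUse.ENCRYPTION).generate();
        ECKey ecKey = new ECKeyGenerator(Curve.P_256).keyID("ec-1").generate();
        // Public parts only, as a server would publish them
        JWKSet jwkSet = new JWKSet(List.of(sigKey, encKey, ecKey)).toPublicJWKSet();

        // Constructed token signed with the "123456" key
        JWSObject jws = new JWSObject(
            new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("123456").build(),
            new Payload("{\"sub\":\"alice\"}"));
        jws.sign(new RSASSASigner(sigKey));

        JWSObject received = JWSObject.parse(jws.serialize());
        RSAKey key = selectRsaVerificationKey(received.getHeader(), jwkSet);
        System.out.println("Verified: " + received.verify(new RSASSAVerifier(key)));
    }
}
```

A token whose header names "enc-1" or "ec-1" yields zero matches here, so the method throws instead of falling back to another key in the set.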