I am trying to validate incoming request that has authorization token (jwt) via Java JWT api. I was able to decode header and payload via that API but having trouble to validate the token. Little I know of this area, I thought I have to add jwks-rs-java api to my test project in order to handle validation part so I imported and ran following statements based on the documentation I read.

JwkProvider provider = new UrlJwkProvider("oauth_Server"); Jwk jwk = provider.get("keyId");

Then I got SingingKeyNotFoundException but caused by javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I am trying to understand the problem itself and how to rectify it. Did I provide wrong key id? Do I need to import a certificate of the remote "oauth_server" into my local box in where I build/execute project in IDE?

I'd appreciate your advice and input on this matter. Thank you!

Describe the problem you'd like to have solved

Hi there in UrlJwkProvider a SigningKeyNotFoundException is thrown in the method "Jwk get(String keyId)" for two different reasons:

1. If in getAll()-> getJwks() the connection to the location of the JWK fails. Which is an serious issue for operation of the service, as most likely all token could not be verified)
2. If the KeyId in the token could not be found. (most likely if an attacker sets an arbitrary key id in the token)

Describe the ideal solution

Please make it possible to distinct between these two cases with a proper exception being thrown. To not break any existing code, which is calling the methods, the new exception should be a child class of SigningKeyNotFoundException or a RuntimeException.

Alternatives and current work-arounds

A current workaround will be to look at the cause of the exception, which is a fragile, as one has to know which specific connection issues could occur and that there is no other place, where such an exception could be thrown.

An alternative of the approach above will be to change the return type of "Jwk get(String keyId)" to "Optional get(String keyId)" that there is a distinction between the the more common case, where a key with the wrong keyId is requested an an exceptional connection problem. This will involve more rework.

Thank you for considering this change.

Changes

• Added methods to UrlJwkProvider and JwkProviderBuilder
• Careful not to modify existing method signatures or remove methods - change is backwards compatible
• We are using this library in an isolated network setting where some calls must go through an HTTP/HTTPS proxy, and other calls must not.
• This change is needed for use cases such as ours where we want to send this HTTP/HTTPS call through a proxy, but we don't want to set the global System Properties (which would impact other HTTP/HTTPS calls that we do not want to go through the same proxy as these calls must).

References

I have recreated PR #91 - I totally messed up my branch and wanted to start with a clear PR so I wouldn't be pushing this change as a bunch of garbage commits, and instead keep the file history simple and clean.

Testing

To test, simply invoke the new builder method and supply a proxy server. It can be as simple as: new java.net.Proxy(java.net.Proxy.Type.HTTP, new java.net.InetSocketAddress("proxy.mydomain.com", 8080))

• [X] This change adds test coverage
• [ ] This change has been tested on the latest version of Java or why not
• [X] This change has been developed on Amazon Corretto 8, and uses a fairly simple Java API that has been around since Java 5

Checklist

• [X] I have read the Auth0 general contribution guidelines
• [X] I have read the Auth0 Code of Conduct
• [X] All existing and new tests complete without errors

Changes

• Added methods to UrlJwkProvider and JwkProviderBuilder
• Careful not to modify existing method signatures or remove methods - change is backwards compatible
• We are using this library in an isolated network setting where some calls must go through an HTTP/HTTPS proxy, and other calls must not.
• This change is needed for use cases such as ours where we want to send this HTTP/HTTPS call through a proxy, but we don't want to set the global System Properties (which would impact other HTTP/HTTPS calls that we do not want to go through the same proxy as these calls must).

References

I am not aware of any references. We identified this as a need for our projects and have been working around the proxy limitation locally, but we wanted to contribute this change back rather than maintain it as our own "side fix/enhancement" for the issue.

Testing

To test, simply invoke the new builder method and supply a proxy server. It can be as simple as: new java.net.Proxy(java.net.Proxy.Type.HTTP, new java.net.InetSocketAddress("proxy.mydomain.com", 8080))

• [ ] This change adds test coverage
• [ ] This change has been tested on the latest version of Java or why not
• [X] This change has been developed on Amazon Corretto 8, and uses a fairly simple Java API that has been around since Java 5

Checklist

• [X] I have read the Auth0 general contribution guidelines
• [X] I have read the Auth0 Code of Conduct
• [X] All existing and new tests complete without errors

Use of GuavaCachedJwkProvider together with UrlJwkProvider could be improved.

As an URL can contain several sertificates (UrlJwkProvider.getAll()), the whole cache can be refreshed rather than one key at a time.

Lets imagine that some tokens are issued for certificate A. Something happens and the certificate owner invalidates certificate A and and issues certificate B. Then the cache will continue to validate tokens signed with certificate A even after visiting the URL for getting certificate B.

Description

Signing JWT tokens will become easier if the Jwk class were to have a createPrivateKey method, similar to its getPublicKey method. The returned private key could be used in a KeyProvider, which in turn can be used to create an algorithm with the capability to sign JWT tokens.

Like you already used for the public key, the RFC states which parameters should be used for creating its private counterpart. I would expect the method to raise an error if the jwk does not contain the correct parameters to create a private key.

Prerequisites

• [x] I have checked the Auth0 Community for related posts.
• [x] I have checked for related or duplicate Issues and PRs.
• [x] I have read the Auth0 general contribution guidelines.
• [x] I have read the Auth0 Code of Conduct.

Environment

Please provide the following:

• Version of this library used: 0.7.0
• Version of Java used: 11
• Additional libraries that might be affecting your instance: -

Hi,

would it not be useful if the constructor of the convenience class JwkProviderBuilder would also accept a URL? Currently it is unusable for situations where the URL differs from the standard pattern (ending with "/.well-known/jwks.json"). It assumes, that the given string is only the domain-name and "/.well-known/jwks.json" is appended.

PS: I thought I write a feature request before implementing it myself and starting a pull request.

Cheers and thanks for your work, Dobo

BucketImpl is not public so I cannot use rate limiting without using JwkProviderBuilder. (Also I cannot set a connect and read timeout with JwkProviderBuilder, otherwise I would have just used it).

e.g. this is impossible:

JwkProvider url = new UrlJwkProvider("https://samples.auth0.com/"); Bucket bucket = new Bucket(10, 1, TimeUnit.MINUTES); JwkProvider provider = new RateLimitJwkProvider(url, bucket);

• URL constructor added to JwkProviderBuilder, which allows to customize the url to get JWKS. Before, it could only be <domain>/.well-known/jwks.json, now it can be <domain>/sub/path/.well-known/jwks.json
• In case url is null IllegalStateException is thrown, so the behavior is similar to the String constructor
• Unfortunately, I didn't find a good way to move JwkProviderBuilder.normalizeDomain to UrlJwkProvider keeping the same behavior
• Slight fixes for JavaDocs
• Please, let me know if more tests required

Even when using a cached JwkProvider, the com.auth0.jwk.Jwk#getPublicKey method will reconstruct a public key object in memory on every call.

Although the caching prevents remote calls, at high volumes (eg thousands requests/sec, each requiring JWT verification) this amount of object allocation creates a measureable overhead.

Describe the problem you'd like to have solved

Using this library deterministicly as an dependency in a JDK 9+ project; fixing the module name.

Describe the ideal solution

Multi-release jar.

Alternatives and current work-arounds

Automatic-Module-Name goes a long way.

Describe the problem

As per: examples we should be able to catch NetworkException when getting JWK using cached JwkProviderBuilder. But in here that error is caught and replaced with SigningKeyNotFoundException (as ExecutionException includes NetworkException):

@Override
public Jwk get(final String keyId) throws JwkException {
    try {
        String cacheKey = keyId == null ? NULL_KID_KEY : keyId;
        return cache.get(cacheKey, new Callable<Jwk>() {
            @Override
            public Jwk call() throws Exception {
                return provider.get(keyId);
            }
        });
    } catch (ExecutionException e) {
        throw new SigningKeyNotFoundException("Failed to get key with kid " + keyId, e);
    }
}

This basically recreates the issue: #79.

What was the expected behavior?

NetworkException being thrown directly from: JwkProviderBuilder(URL(...)).cached(...).build().get(...) method when unable to connect to the url.

Reproduction

• Create cached provider for some urlPath of an offline server: val provider = JwkProviderBuilder(URL(urlPath)).cached(10, 1, TimeUnit.MINUTES).build()
• Try to access the JWK for some keyId: provider.get(keyId)
• Get the SigningKeyNotFoundException: Failed to get key with kid ****
• Only able to trace exception.cause: java.util.concurrent.ExecutionException: com.auth0.jwk.NetworkException: Cannot obtain jwks from url ****

Environment

• Version of this library used: 0.21.2
• Version of Java used: 11 (Kotlin 1.3.72)
• Other modules/plugins/libraries that might be involved:
• Any other relevant information you think would be useful:

Changes

Correcting the code example for provider.get in README.md by using a code block highlighted as Java, as was probably intended.

I apologize if this PR is unnecessary and nitpicky, but I do believe that the change is benefitting to the first impression of the repo.

Testing

• [ ] This change adds test coverage
• [ ] ~This change has been tested on the latest version of Java or why not~ This PR does not change code.

Checklist

• [x] I have read the Auth0 general contribution guidelines
• [x] I have read the Auth0 Code of Conduct
• [ ] ~All existing and new tests complete without errors~ This PR does not change code.

Hello, I'm encountering the issue "com.auth0.jwk.NetworkException: Cannot obtain jwks from url"

I'm trying to get the jwks from microsoft. But encountering the below issue

com.auth0.jwk.NetworkException: Cannot obtain jwks from url https://login.microsoftonline.com/common/discovery/v2.0/keys
        at com.auth0.jwk.UrlJwkProvider.getJwks(UrlJwkProvider.java:139) ~[jwks-rsa-0.21.2.jar:0.21.2]
        at com.auth0.jwk.UrlJwkProvider.getAll(UrlJwkProvider.java:145) ~[jwks-rsa-0.21.2.jar:0.21.2]
        at com.auth0.jwk.UrlJwkProvider.get(UrlJwkProvider.java:163) ~[jwks-rsa-0.21.2.jar:0.21.2]

What was the expected behavior?

Successfully obtain jwks from the specified url

Reproduction

--

Environment

• Version of this library used:0.21.2
• Version of Java used:14
• Other modules/plugins/libraries that might be involved:--
• Any other relevant information you think would be useful:--