JOSE4J takes the jwks_uri as its starting point for JWT validation, and I wondered whether it would be possible to support the Discovery Document as the starting point: JOSE4J would pick up the jwks_uri from there and then go to the JWKS key document to pick the public key matching the JWT at hand through the kid. This way I only have to hardcode the discovery document URI in my code, as I worry a bit that the jwks_uri might change without notice; the well-known discovery document is, to my knowledge, fixed.
This is how it works now:
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

// The HttpsJwksVerificationKeyResolver uses JWKs obtained from the HttpsJwks and will select the
// most appropriate one to use for verification based on the Key ID and other factors provided
// in the header of the JWS/JWT.
HttpsJwks https_jwks = new HttpsJwks(jwksUri); // jwksUri is the hard-coded jwks_uri string
HttpsJwksVerificationKeyResolver httpsJwksKeyResolver =
    new HttpsJwksVerificationKeyResolver(https_jwks);
Maybe it would be nice to have the resolver recognize whether the discovery document uri is passed in or not and behave accordingly.
Thanks!
Jan
There's no direct support for it, but you could implement your own VerificationKeyResolver
with that logic (it would likely use HttpsJwksVerificationKeyResolver
internally). Or the application code could (periodically) pull the jwks_uri value from the discovery document and use it to create the HttpsJwksVerificationKeyResolver.
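The first option described in the reply above, as an added example that is not code from jose4j or from either participant: a custom VerificationKeyResolver that fetches the OpenID Connect discovery document, reads jwks_uri out of it, and wraps a HttpsJwksVerificationKeyResolver for that URI. It re-reads the discovery document at a configurable interval and swaps in a new inner resolver only when jwks_uri actually changes, so the JWKS cache inside HttpsJwks is not thrown away needlessly. It also does the two checks a practitioner would want before trusting a jwks_uri that came over the network: the document's issuer must equal the issuer you configured, and jwks_uri must be an https URL. If the discovery endpoint is temporarily unreachable, the last known jwks_uri keeps being used; only a failure before any key has ever been resolved is fatal. The class name DiscoveryVerificationKeyResolver, the constructor parameters, and the issuer and URL values in the usage method are assumptions for this example; the jose4j types used (HttpsJwks, HttpsJwksVerificationKeyResolver, VerificationKeyResolver, Get/SimpleGet/SimpleResponse, JsonUtil, UnresolvableKeyException) are real jose4j classes.

```java
import java.io.IOException;
import java.security.Key;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;

import org.jose4j.http.Get;
import org.jose4j.http.SimpleGet;
import org.jose4j.http.SimpleResponse;
import org.jose4j.json.JsonUtil;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.jose4j.lang.UnresolvableKeyException;

// Example code (not part of jose4j): a key resolver whose starting point is the
// OpenID Connect discovery document instead of a hard-coded jwks_uri.
public class DiscoveryVerificationKeyResolver implements VerificationKeyResolver {
    private final String discoveryUri;          // e.g. <issuer>/.well-known/openid-configuration
    private final String expectedIssuer;        // "issuer" value the discovery document must carry
    private final SimpleGet httpGet;            // jose4j's own HTTPS client (Get) by default
    private final long refreshIntervalMillis;   // how often to re-read the discovery document

    private String currentJwksUri;              // jwks_uri behind the current delegate
    private HttpsJwksVerificationKeyResolver delegate;
    private long lastDiscoveryFetch;

    public DiscoveryVerificationKeyResolver(String discoveryUri, String expectedIssuer,
                                            long refreshInterval, TimeUnit unit) {
        this(discoveryUri, expectedIssuer, refreshInterval, unit, new Get());
    }

    // Package-private so a test can inject a SimpleGet that serves canned documents.
    DiscoveryVerificationKeyResolver(String discoveryUri, String expectedIssuer,
                                     long refreshInterval, TimeUnit unit, SimpleGet httpGet) {
        this.discoveryUri = discoveryUri;
        this.expectedIssuer = expectedIssuer;
        this.refreshIntervalMillis = unit.toMillis(refreshInterval);
        this.httpGet = httpGet;
    }

    @Override
    public synchronized Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContext)
            throws UnresolvableKeyException {
        try {
            refreshDelegateIfStale();
        } catch (IOException | JoseException e) {
            // No jwks_uri known yet: nothing to fall back to, so fail the verification.
            if (delegate == null) {
                throw new UnresolvableKeyException("Unable to read jwks_uri from " + discoveryUri, e);
            }
            // Otherwise keep using the last known jwks_uri until discovery is reachable again.
        }
        // HttpsJwksVerificationKeyResolver picks the JWK matching the JWS header (kid, alg, ...).
        return delegate.resolveKey(jws, nestingContext);
    }

    private void refreshDelegateIfStale() throws IOException, JoseException {
        long now = System.currentTimeMillis();
        if (delegate != null && now - lastDiscoveryFetch < refreshIntervalMillis) {
            return;
        }
        String jwksUri = fetchJwksUri();
        // Only rebuild the inner resolver when jwks_uri changed; HttpsJwks keeps its own JWKS cache.
        if (!jwksUri.equals(currentJwksUri)) {
            delegate = new HttpsJwksVerificationKeyResolver(new HttpsJwks(jwksUri));
            currentJwksUri = jwksUri;
        }
        lastDiscoveryFetch = now;
    }

    private String fetchJwksUri() throws IOException, JoseException {
        SimpleResponse response = httpGet.get(discoveryUri);
        if (response.getStatusCode() != 200) {
            throw new IOException("Discovery document fetch returned HTTP " + response.getStatusCode());
        }
        Map<String, Object> doc = JsonUtil.parseJson(response.getBody());
        // Refuse a document that claims to be for a different issuer than the one we configured.
        if (!expectedIssuer.equals(doc.get("issuer"))) {
            throw new JoseException("Discovery document issuer " + doc.get("issuer")
                    + " does not match expected issuer " + expectedIssuer);
        }
        Object jwksUri = doc.get("jwks_uri");
        // Never follow a plain-http jwks_uri: the keys would be fetched without transport protection.
        if (!(jwksUri instanceof String) || !((String) jwksUri).startsWith("https://")) {
            throw new JoseException("Discovery document has no usable https jwks_uri: " + jwksUri);
        }
        return (String) jwksUri;
    }

    // Usage sketch with assumed issuer/URL values; the resolver plugs into JwtConsumerBuilder
    // exactly where the HttpsJwksVerificationKeyResolver from the question would go.
    public static JwtConsumer buildConsumer() {
        String issuer = "https://issuer.example.com";
        VerificationKeyResolver resolver = new DiscoveryVerificationKeyResolver(
                issuer + "/.well-known/openid-configuration", issuer, 6, TimeUnit.HOURS);
        return new JwtConsumerBuilder()
                .setExpectedIssuer(issuer)
                .setVerificationKeyResolver(resolver)
                .build();
    }
}
```

The refresh interval is a trade-off: a short interval means a rotated jwks_uri is picked up quickly but adds an extra request to the discovery endpoint every interval; a long one keeps the HttpsJwks cache stable. Because the discovery document and the JWKS are both fetched over HTTPS with jose4j's Get, the TLS trust of those two connections is what anchors the whole chain, so the issuer and https checks in fetchJwksUri are the minimum before letting a downloaded document redirect you to a new key set.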