java, jwt, cloud-foundry, open-liberty, microprofile

How to add a verification public key at runtime to mp-jwt in Open Liberty MicroProfile for Cloud Foundry usage?


Based on this documentation (https://www.ibm.com/support/knowledgecenter/de/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_sec_json.html), it is possible to add the verification key to the keystore or hardcode it at design time. The problem I have is that I get the verification key at runtime via a Cloud Foundry service binding, so I would have to extract this key at runtime from my VCAPs. Any idea where I should look?


Solution

  • If the key can be retrieved via JWKS, then mp-jwt will do it for you, given the JWKS URL to fetch it from. Otherwise, your code can retrieve it and set one of these as an environment variable or system property:
      • mp.jwt.verify.publickey - specify the key in PEM format as a string.
      • mp.jwt.verify.publickey.location - specify the text file that contains the key in PEM format.
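
One way to do the "your code can retrieve it" step, as an added example that is not part of the original answer: it reads the key from `VCAP_SERVICES`, rejects anything that is not a PEM public key, writes it to a file and sets `mp.jwt.verify.publickey.location`. The service label `my-auth-service`, the credential field `verificationkey`, the file name `jwt-verify.pem` and the use of JSON-P (`javax.json`) are assumptions; the embedded JSON is a constructed sample.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.json.Json;
import javax.json.JsonArray;
import javax.json.JsonObject;
import javax.json.JsonReader;

public class VcapJwtKey {
    // Assumed names: replace with the label and credential field of your own binding.
    static final String SERVICE_LABEL = "my-auth-service";
    static final String KEY_FIELD = "verificationkey";

    /** Returns the PEM public key from a VCAP_SERVICES document, or throws if absent or malformed. */
    static String extractPem(String vcapServices) {
        try (JsonReader reader = Json.createReader(new StringReader(vcapServices))) {
            JsonArray instances = reader.readObject().getJsonArray(SERVICE_LABEL);
            if (instances == null || instances.isEmpty()) {
                throw new IllegalStateException("no binding for service " + SERVICE_LABEL);
            }
            JsonObject creds = instances.getJsonObject(0).getJsonObject("credentials");
            String pem = creds == null ? "" : creds.getString(KEY_FIELD, "").trim();
            // Fail closed: only a PEM public key may become the token trust anchor.
            if (!pem.startsWith("-----BEGIN PUBLIC KEY-----")
                    || !pem.endsWith("-----END PUBLIC KEY-----")) {
                throw new IllegalStateException(KEY_FIELD + " is not a PEM public key");
            }
            return pem;
        }
    }

    /** Writes the key to a file and points mp.jwt.verify.publickey.location at it. */
    static Path publish(String pem, Path file) throws java.io.IOException {
        Files.write(file, pem.getBytes(StandardCharsets.US_ASCII));
        System.setProperty("mp.jwt.verify.publickey.location", file.toAbsolutePath().toString());
        return file;
    }

    public static void main(String[] args) throws Exception {
        String vcap = System.getenv("VCAP_SERVICES");
        if (vcap == null) { // constructed sample so the class also runs outside Cloud Foundry
            vcap = "{\"my-auth-service\":[{\"credentials\":{\"verificationkey\":"
                 + "\"-----BEGIN PUBLIC KEY-----\\nCONSTRUCTED+PLACEHOLDER\\n-----END PUBLIC KEY-----\"}}]}";
        }
        Path file = publish(extractPem(vcap), Paths.get("jwt-verify.pem"));
        System.out.println("mp.jwt.verify.publickey.location=" + file.toAbsolutePath());
    }
}
```

The property has to be in place before mp-jwt validates its first token, so run this ahead of server start or confirm the timing on your Liberty version. Keep the written file writable only by the server's own user, since whoever can replace it controls which tokens are accepted.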