Add ability to resolve signing key based on Jws embedded values before its signature is verified
josebarrueta opened this issue · 3 comments
Sometimes the signature key is embedded either in the JWT header or body, and therefore is useful to parse the JWT skipping the signature verification. Of course the verification must happen after getting the signature key.
If this is a valid approach the client is responsible of checking the signature after getting the values they need from the Jws.
A second approach would be to have a callback interface that if set will be called before the signature verification happens.
For example:
public interface JwsSignatureKeyResolver {
Key resolveSignatureKey(JwsHeader header, Claims claims);
}Probably can be call it if key is null and a implementation of the interface is specified when built a Jws Parser.
I wonder if the signing key could be resolved from some knowledge in the Claims...
The JWS spec states that a kid header param can be used to identify the key used to sign the request, so maybe that is all that is required.
However, I wonder if some business-specific logic related to Claims inspection could also be used, and potentially more efficient. For example, maybe based on data that is already in the claims payload, one could infer/know the signing key. If this is true, the kid property/value would not be necessary (thereby reducing the size of the JWS, which can be good for storage/transmission.
Thoughts?
Yeah, I was debating whether to include the Claims or not, latest version showed without the Claims, because I was thinking in using the kid header parameter only, but I do see benefits of allowing access to the Claims objects as well, so I will put it back in the interface.
Also, since the the SignatureAlgorithm is already determined and asserted to be a valid one, I'll change the signature of the interface to return the signingKey as a byte[] to take advantage of all the processing that the Parser already did.
Final version:
public interface JwsSigningKeyResolver {
byte[] resolveSigningKey(JwsHeader header, Claims claims);
}Release notes updated and ready to go - closing this to release 0.4.