{"id":22268091,"url":"https://github.com/curityio/java-software-statement-validation","last_synced_at":"2025-03-25T14:45:00.367Z","repository":{"id":74437533,"uuid":"380935051","full_name":"curityio/java-software-statement-validation","owner":"curityio","description":"An example showing how to validate a JWT using jose4j and jwks","archived":false,"fork":false,"pushed_at":"2021-06-30T12:59:23.000Z","size":36,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-01-30T13:29:19.437Z","etag":null,"topics":["api","dynamic-client-registration","financial-grade","open-banking","software-statement","use-case"],"latest_commit_sha":null,"homepage":"https://curity.io/resources/learn/dcr-validation-in-pre-processing-procedure/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/curityio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-06-28T06:54:24.000Z","updated_at":"2023-04-27T10:07:15.000Z","dependencies_parsed_at":"2023-02-26T18:15:55.942Z","dependency_job_id":null,"html_url":"https://github.com/curityio/java-software-statement-validation","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fjava-software-statement-validation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fjava-software-statement-validation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/curityio%2Fjava-software-statement-validation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fjava-software-statement-validation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/curityio","download_url":"https://codeload.github.com/curityio/java-software-statement-validation/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245485723,"owners_count":20623237,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api","dynamic-client-registration","financial-grade","open-banking","software-statement","use-case"],"created_at":"2024-12-03T11:11:04.859Z","updated_at":"2025-03-25T14:44:55.346Z","avatar_url":"https://github.com/curityio.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Software Statement Validation with Java\n\n[![Quality](https://img.shields.io/badge/quality-experiment-red.svg)](https://curity.io/resources/code-examples/status/)\n[![Availability](https://img.shields.io/badge/availability-source-blue)](https://curity.io/resources/code-examples/status/)\n \n\n## Overview\n\nThis example shows how to validate a software statement with Java using [jose4j](https://bitbucket.org/b_c/jose4j). A simple service is created that accepts a JWT, loads the verification key from a JWKS endpoint and validates the signature of the token. 
In addition, the example checks that `PS256` (RSASSA-PSS) was used to generate the signature and that the JWT (the software statement) does not exceed a lifetime of 5 minutes. Such requirements are, for example, part of the software statement defined in [Open Banking Brasil Financial-grade API Dynamic Client Registration Profile 1.0](https://github.com/OpenBanking-Brasil/specs-seguranca).\n\nTo enable quick testing, two mock endpoints have been added: `/jwks`, which serves the public keys of the \"Regulatory Body\", and `/softwarestatement`, where that body issues the JWT. In the Open Banking scenario a regulatory authority will issue the software statement out of band and publish its keys in the form of a JWKS file at a secure endpoint. Just change the values for `jwt.issuer.jwks_uri` and `jwt.issuer` to adapt the example for a different authority.\n\n## Running the JWT Validation Service\n\n### Prerequisites\n* Java SDK 11\n* Maven\n\n### Getting Started\nStart the service with the following command:\n\n```shell\nmvn spring-boot:run\n```\nThe service is listening on port 8080.\n\nRetrieve a software statement for testing:\n\n```shell\ncurl http://localhost:8080/softwarestatement \u003e softwarestatement.txt\n```\n\nValidate the token:\n\n```shell\ncurl -X POST -H \"Content-Type: text/plain\" -d @softwarestatement.txt http://localhost:8080/validate -v\n```\n\nThe token is valid if the server returns `HTTP/1.1 204 No Content`.\n\nTo change the issuer, export environment variables with the corresponding values before starting the service:\n\n```shell\nexport jwt_issuer=\"Authority\"\nexport jwt_issuer_jwks_uri=\"https://some-very-trusted-server/authority.jwks\"\nmvn spring-boot:run\n```\n\n## More Information\nThis example implements a simple, reactive web service using Spring Boot. 
Check out [the reference documentation for WebFlux](https://spring.getdocs.org/en-US/spring-framework-docs/docs/spring-web-reactive/webflux/webflux.html) for further details.\n \nThe goal is to show how to implement the validation of a software statement that is a simple JWT without the overhead of a full OAuth 2.0 or OpenID Connect flow. Therefore, this example uses [jose4j](https://bitbucket.org/b_c/jose4j) for parsing and validating the token. For information about how to protect an API with access tokens using OAuth 2.0 or OpenID Connect in Spring Boot, check out [OAuth 2.0 for WebFlux (Spring Security)](https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-resource-server) and have a look at the example [Securing a Spring Boot API with JWTs](https://curity.io/resources/learn/spring-boot-api/).\n\n## Licensing\n\nThis software is copyright (C) 2021 Curity AB. It is open source software that is licensed under the [Apache 2 license](LICENSE).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Fjava-software-statement-validation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcurityio%2Fjava-software-statement-validation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Fjava-software-statement-validation/lists"}