https://github.com/curityio/java-software-statement-validation

An example showing how to validate a JWT using jose4j and jwks
api dynamic-client-registration financial-grade open-banking software-statement use-case

# Software Statement Validation with Java

[![Quality](https://img.shields.io/badge/quality-experiment-red.svg)](https://curity.io/resources/code-examples/status/)
[![Availability](https://img.shields.io/badge/availability-source-blue)](https://curity.io/resources/code-examples/status/)

## Overview

This example shows how to validate a software statement with Java using [jose4j](https://bitbucket.org/b_c/jose4j). A simple service accepts a JWT, loads the verification key from a JWKS endpoint and validates the signature of the token. In addition, the example checks that `PS256` (RSASSA-PSS) was used to generate the signature and that the JWT (the software statement) does not exceed a lifetime of 5 minutes. Such requirements are, for example, part of the software statement defined in the [Open Banking Brasil Financial-grade API Dynamic Client Registration Profile 1.0](https://github.com/OpenBanking-Brasil/specs-seguranca).

To enable quick testing, two mock endpoints have been added: `/jwks`, which serves the public keys of a mock "Regulatory Body", and `/softwarestatement`, which issues a JWT signed by that body. In the Open Banking scenario a regulatory authority issues the software statement out of band and publishes its keys in the form of a JWKS file at a secure endpoint. Change the values of `jwt.issuer.jwks_uri` and `jwt.issuer` to adapt the example to a different authority.
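The checks described above, written out as an added example with jose4j (this is not the project's own code): a `JwtConsumerBuilder` whose algorithm constraints are pinned to `PS256`, an `HttpsJwksVerificationKeyResolver` that fetches and caches the issuer's JWKS, issuer matching, and an explicit bound of 300 seconds on `exp - iat`. The class name, the `InvalidSoftwareStatementException` type, the 30-second clock-skew allowance and the command-line wrapper are assumptions; `ConstraintType.WHITELIST` is the name used in jose4j 0.7.x to 0.9.x (later releases also accept `PERMIT`).

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

/** Example software-statement validator; assumed class name, not the project's own code. */
public final class SoftwareStatementValidator {

    /** Assumed exception type: thrown when the statement fails any check below. */
    public static final class InvalidSoftwareStatementException extends Exception {
        InvalidSoftwareStatementException(String message) { super(message); }
        InvalidSoftwareStatementException(String message, Throwable cause) { super(message, cause); }
    }

    private static final long MAX_LIFETIME_SECONDS = 5 * 60; // five minutes, as in the README
    private static final int CLOCK_SKEW_SECONDS = 30;        // assumed tolerance, not from the README

    private final JwtConsumer consumer;

    public SoftwareStatementValidator(String expectedIssuer, String jwksUri) {
        // HttpsJwks fetches the JWKS document and caches it; the resolver selects the
        // key whose "kid" matches the JWS header of the token being verified.
        HttpsJwks jwks = new HttpsJwks(jwksUri);
        HttpsJwksVerificationKeyResolver keyResolver = new HttpsJwksVerificationKeyResolver(jwks);

        this.consumer = new JwtConsumerBuilder()
                .setExpectedIssuer(expectedIssuer)
                .setVerificationKeyResolver(keyResolver)
                // Only PS256 (RSASSA-PSS with SHA-256) is acceptable. Any other "alg",
                // including "none", is rejected before the signature is checked.
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                        AlgorithmConstraints.ConstraintType.WHITELIST,
                        AlgorithmIdentifiers.RSA_PSS_USING_SHA256))
                .setRequireIssuedAt()
                .setRequireExpirationTime()
                .setAllowedClockSkewInSeconds(CLOCK_SKEW_SECONDS)
                // A software statement carries no "aud" claim, so skip jose4j's default audience check.
                .setSkipDefaultAudienceValidation()
                .build();
    }

    /**
     * Lets jose4j verify signature, algorithm, issuer and expiry, then enforces the
     * five-minute bound on (exp - iat). Returns the claims when every check passes.
     */
    public JwtClaims validate(String softwareStatement) throws InvalidSoftwareStatementException {
        JwtClaims claims;
        try {
            claims = consumer.processToClaims(softwareStatement);
        } catch (InvalidJwtException e) {
            throw new InvalidSoftwareStatementException("JWT rejected: " + e.getMessage(), e);
        }
        try {
            long issuedAt = claims.getIssuedAt().getValue();        // seconds since epoch
            long expires = claims.getExpirationTime().getValue();
            long lifetime = expires - issuedAt;
            if (lifetime < 0 || lifetime > MAX_LIFETIME_SECONDS) {
                throw new InvalidSoftwareStatementException(
                        "lifetime of " + lifetime + "s exceeds " + MAX_LIFETIME_SECONDS + "s");
            }
        } catch (MalformedClaimException e) {
            throw new InvalidSoftwareStatementException("iat/exp claim malformed", e);
        }
        return claims;
    }

    /** Usage: java SoftwareStatementValidator <issuer> <jwks-uri> <file-containing-jwt> */
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: SoftwareStatementValidator <issuer> <jwks-uri> <jwt-file>");
            System.exit(2);
        }
        String jwt = Files.readString(Path.of(args[2]), StandardCharsets.UTF_8).trim();
        SoftwareStatementValidator validator = new SoftwareStatementValidator(args[0], args[1]);
        try {
            JwtClaims claims = validator.validate(jwt);
            System.out.println("valid software statement: " + claims.toJson());
        } catch (InvalidSoftwareStatementException e) {
            System.out.println("invalid software statement: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Pinning the algorithm in the consumer matters because the key resolver hands back whatever key the JWKS holds for the token's `kid`; without the constraint a token with a different `alg` header could still reach signature verification. If the five-minute requirement is instead read as "issued no more than five minutes ago", jose4j's `setIssuedAtRestrictions(allowedSecondsInTheFuture, allowedSecondsInThePast)` on the builder expresses that bound directly against the `iat` claim.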

## Running the JWT Validation Service

### Prerequisites
* Java SDK 11
* Maven

### Getting Started
Start the service with the following command:

```shell
mvn spring-boot:run
```
The service listens on port 8080.

Retrieve a software statement for testing:

```shell
curl http://localhost:8080/softwarestatement > softwarestatement.txt
```

Validate the token:

```shell
curl -X POST -H "Content-Type: text/plain" -d @softwarestatement.txt http://localhost:8080/validate -v
```

The token is valid if the server returns `HTTP/1.1 204 No Content`.

To change the issuer, export environment variables with the corresponding values before starting the service:

```shell
export jwt_issuer="Authority"
export jwt_issuer_jwks_uri="https://some-very-trusted-server/authority.jwks"
mvn spring-boot:run
```

## More Information
This example implements a simple, reactive web service using Spring Boot. Check out [the reference documentation for WebFlux](https://spring.getdocs.org/en-US/spring-framework-docs/docs/spring-web-reactive/webflux/webflux.html) for further details.

The goal is to show how to validate a software statement, which is a plain JWT, without the overhead of a full OAuth 2.0 or OpenID Connect flow. Therefore, this example uses [jose4j](https://bitbucket.org/b_c/jose4j) for parsing and validating the token. For information about how to protect an API with access tokens using OAuth 2.0 or OpenID Connect in Spring Boot, check out [OAuth 2.0 for WebFlux (Spring Security)](https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-resource-server) and have a look at the example [Securing a Spring Boot API with JWTs](https://curity.io/resources/learn/spring-boot-api/).

## Licensing

This software is copyright (C) 2021 Curity AB. It is open source software that is licensed under the [Apache 2](LICENSE).