#1 2025-11-24 07:33:48

tfopc
Member
Registered: 2024-01-08
Posts: 36

Jwt - verify (signature) via jwk (jwks-endpoint) - public key

Hi Arnaud,

I have an IdP/OIDC server that will do the authentication and authorization for some API routes (for example MS Entra). After successful login I got my JWT auth token. My service then tries to verify the token as recommended:

- Confirm the token is not expired (exp claim).
- Check that the iss (issuer) matches your IdP-server endpoint.
- Ensure the aud (audience) matches the API resource identifier you registered.
- Split the scope claim (space-separated) and check for required permissions.

One point is missing, and I struggle with it:
- Verify the token signature (via JWKs).

At the moment i do the following.
- Query the OIDC well-known endpoint to get the jwks-endpoint, and get the public key info in JWK format via this info URI
- Transform the JWK (keys element) to PEM via some online tool (jwk-generator)

I see that there is a function to compute the JWK (JwkCompute), but the opposite function "JwkPublicKeyToPem" is missing, to fill TJwtCrypt.Create with the public key and check the token with "Verify" after that.

Also I didn't see an option to get the needed TCryptAsymAlgo from the JwtContent parsed before with ParseJwt (the opposite of ToText(TCryptAsymAlgo)).

Is it possible to add a TJwtCrypt with input (token,jwk-json-keys[<jwk>..],...) to do the verify step, or provide some util function JwkPublicKeyToPem (for publickey)?

I think the JWK JSON must be transformed into some ASN.1 structure (BinaryCert) and then converted to Base64 to get the PEM.

Thanks,
Tobias

Offline

#2 2025-11-24 08:56:14

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 15,302
Website

Re: Jwt - verify (signature) via jwk (jwks-endpoint) - public key

What kind of "kty" JWK do you need?
"kty":"RSA" and "kty": "EC" + "crv": "P-256"?

Do you need OpenSSL support?
Or are our internal mORMot units enough?

Offline

#3 2025-11-24 09:27:16

tfopc
Member
Registered: 2024-01-08
Posts: 36

Re: Jwt - verify (signature) via jwk (jwks-endpoint) - public key

Hi ab,
I have at the moment 2 IdPs in test:

MS Entra and Logto (self-hosted)

JWK for Entra (here there are also multiple JWK keys - I don't know if this is the cert chain):

jwks-info-endpoint: https://login.microsoftonline.com/<tena … /v2.0/keys
{
"keys": [
  {
   "kty": "RSA",
   "use": "sig",
   "kid": "...",
   "x5t": "...",
   "n": "...",
   "e": "AQAB",
   "x5c": [
    "MIIC..."
   ],
   "cloud_instance_name": "microsoftonline.com",
   "issuer": "https://login.microsoftonline.com/<tenant>/v2.0"
  },
... 4-keys-objects ...
]}
Now I see that MS provides the PEM in "x5c" - so this can maybe be used.

JWK for Logto (no PEM provided via "x5c"):

jwks-info-endpoint: https://<auth-domain>/oidc/jwks

{"keys":[{"kty":"EC","use":"sig","kid":"...","alg":"ES384","crv":"P-384","x":"...","y":"..."}]}

Thank you!

Offline

#4 2025-11-24 10:49:42

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 15,302
Website

Re: Jwt - verify (signature) via jwk (jwks-endpoint) - public key

Since you need P-384 I guess you would need OpenSSL.

Edit: I have added preliminary support for mORMot RSA and ECC-256.
More to come tomorrow.

Edit 2: now JWK is supported as public key input.
Tested with both OpenSSL and pure mORMot code.

Offline
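
The conversion asked for in post #1 (public JWK to ASN.1 to Base64 PEM), for the two key types shown in post #3, as an added example that is not part of the thread and not mORMot code. It is Python with the standard library only; the function names and the sample key are made up for illustration, and it only re-encodes the key (it does not check that an EC point is on its curve, and signature verification is left to the crypto library). `select_key` picks the one JWKS entry whose `kid` matches the `kid` in the JWT header.

```python
import base64

def b64u(s):  # JWK members are base64url without padding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def tlv(tag, body):  # DER tag + definite length + value
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_uint(raw):  # unsigned INTEGER: minimal, 0x00 prefix if high bit set
    raw = raw.lstrip(b"\x00") or b"\x00"
    return tlv(0x02, b"\x00" + raw if raw[0] & 0x80 else raw)

OID_RSA = bytes.fromhex("2a864886f70d010101")  # rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")       # id-ecPublicKey
CURVES = {"P-256": ("2a8648ce3d030107", 32), "P-384": ("2b81040022", 48)}

def jwk_to_spki(jwk):  # DER SubjectPublicKeyInfo for an RSA or EC public JWK
    if jwk["kty"] == "RSA":
        alg = tlv(0x06, OID_RSA) + tlv(0x05, b"")
        key = tlv(0x30, der_uint(b64u(jwk["n"])) + der_uint(b64u(jwk["e"])))
    elif jwk["kty"] == "EC" and jwk.get("crv") in CURVES:
        oid, size = CURVES[jwk["crv"]]
        x, y = b64u(jwk["x"]), b64u(jwk["y"])
        if len(x) != size or len(y) != size:
            raise ValueError("coordinate length does not match crv")
        alg = tlv(0x06, OID_EC) + tlv(0x06, bytes.fromhex(oid))
        key = b"\x04" + x + y  # uncompressed point
    else:
        raise ValueError("unsupported kty/crv")
    return tlv(0x30, tlv(0x30, alg) + tlv(0x03, b"\x00" + key))

def jwk_public_key_to_pem(jwk):
    b64 = base64.b64encode(jwk_to_spki(jwk)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"

def select_key(jwks, kid):  # the signing key named by the JWT header's kid
    hits = [k for k in jwks["keys"]
            if k.get("kid") == kid and k.get("use", "sig") == "sig"]
    if len(hits) != 1:
        raise KeyError("no unique signing key for kid")
    return hits[0]

# Constructed sample (not a real key): coordinates are filler bytes of the right length.
_c = lambda b: base64.urlsafe_b64encode(bytes([b]) * 48).rstrip(b"=").decode()
SAMPLE_JWKS = {"keys": [{"kty": "EC", "use": "sig", "kid": "demo-1", "alg": "ES384",
                         "crv": "P-384", "x": _c(0x11), "y": _c(0x22)}]}
```
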
