SigningKeyResolver has been replaced by Locator since version 0.12, but Locator has no access to the body

[ccn974]

Starting with version 0.12, how do you resolve a key using a body information (e.g. issuer) without using SigningKeyResolver? SigningKeyResolver has been deprecated and replaced by Locator?

SigningKeyResolver has a method Key resolveSigningKey(JwsHeader header, Claims) but Locator only a method T locate(Header header) which has no access to the body.

Thanks for your help

code example :

    public Key resolveSigningKey(JwsHeader header, Claims claims) {
		String issuer = claims.getIssuer();
		String key = KEY_MAP_BY_ISSUER.get(issuer);
        byte[] keyBytes = key.getBytes(StandardCharsets.UTF_8);

        SignatureAlgorithm alg = SignatureAlgorithm.forName(header.getAlgorithm());
		
        return new SecretKeySpec(keyBytes, alg.getJcaName());
    }

[lhazlewood]

This is intentional - it is a security risk to read/trust the body of a signed JWT before verifying the signature because that information can be easily spoofed/faked.

There is currently ongoing work in the JWT RFC committee to make this clearer to implementors and application developers, either as an update to https://datatracker.ietf.org/doc/html/rfc8725.html or an addendum as a new RFC that the body should not be read/used before signature verification. Ideally, only the kid value in the header would be used for key lookup, or, as a backup, any necessary information for key lookup would be repeated in the header.

See #857 for more information (and it covers the same Issuer concern)