Define JSON Web Key Set for Authorization Server using Spring Authorization Server and PKCS12 key store file

The JSON Web Key Set (JWKS) is the collection of public JSON Web Keys that the Authorization Server publishes so that a Resource Server can verify the signature of the access token sent by the Client Application. In the tutorial about implementing an OAuth Authorization Server using Spring Authorization Server, I showed you how to define this JSON Web Key in code, generating the key pair at startup. For applications running in production, however, the key material is usually managed by another party, often the IT or operations team, for security reasons: they generate and guard a keystore file, and our task is to build the JSON Web Key Set from it. In this tutorial, I will show you how to define the JSON Web Key Set for an Authorization Server using Spring Authorization Server and a PKCS12 keystore file.

First, I will generate a keystore file with PKCS12 format as an example.

The following results:

Usually, we will expose an environment variable (or a configuration property) pointing to the path of the .pfx file so that the IT team can configure it without touching the code. But for the sake of simplicity in this tutorial, I will put this .pfx file in the src/main/resources folder of the example project from the tutorial Implement OAuth Authorization Server using Spring Authorization Server:

We will initialize a java.security.KeyStore object to hold the contents of the .pfx file as follows:

There are several overloads of the getInstance() method that you can use. Here, I am using getInstance() with the parameter being the type of the keystore file, "PKCS12". You can see all the keystore types that Java supports in the JDK's Java Security Standard Algorithm Names documentation.

A PKCS12 keystore is protected by a password, so you load its contents by passing that password to the load() method as follows:

123456 is the password of the keystore file. Hard-coding it like this is only for the sake of the example; in production, read it from an environment variable or a secret store, and never commit it together with the .pfx file.

After you have loaded the contents of the keystore file, you can convert them to a JWKSet object of the Nimbus JOSE + JWT library, the library that Spring Authorization Server uses to work with access tokens, as follows:

When converting the contents of the keystore file to the JWKSet object, we need to pass a password lookup for the private keys. With a PKCS12 keystore generated by keytool, the password of the private key is the same as the password of the keystore file, because keytool does not support different store and key passwords for PKCS12 keystores, so the lookup can simply return the keystore password for every alias. Note that JWKSet.load() uses the alias of each keystore entry as the key ID (kid) of the resulting JWK, and that a keystore entry holding only a trusted certificate yields a JWK without a private part, which cannot be used to sign tokens.

The entire content of the method to build my JWKSet object information is as follows:

You can use this method when building your Authorization Server with Spring Authorization Server. Declare the JWKSource bean in the Spring container as follows (Spring Authorization Server publishes only the public parts of this set on the JWKS endpoint, so the private keys stay on the server):
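The whole procedure above, from loading the keystore to declaring the JWKSource bean, collected into one configuration class. This is an added example written for this page, not the original tutorial's code. It assumes a hypothetical file name authorization-server.pfx under src/main/resources, generated with the keytool command shown in the comment, and it reads the keystore password from a hypothetical KEYSTORE_PASSWORD environment variable instead of hard-coding 123456. It also adds two checks the tutorial does not show: it fails fast if the keystore contains no keys, and if any entry has no private part (a trusted-certificate entry), since such a key could not sign access tokens.

```java
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;

import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

/**
 * Builds the Authorization Server's JWKSource from a PKCS12 keystore.
 *
 * The keystore is assumed (hypothetical name) to have been generated with:
 *   keytool -genkeypair -alias authorization-server -keyalg RSA -keysize 2048 \
 *     -storetype PKCS12 -keystore authorization-server.pfx \
 *     -validity 3650 -dname "CN=authorization-server"
 * keytool prompts for one password that protects both the store and the key.
 */
@Configuration
public class JwkSetConfig {

    // Hypothetical file name; in production pass the path in from the outside.
    private static final String KEYSTORE_LOCATION = "authorization-server.pfx";
    // Hypothetical environment variable holding the keystore password.
    private static final String PASSWORD_ENV = "KEYSTORE_PASSWORD";

    /**
     * Loads a PKCS12 keystore from the classpath and converts every key entry
     * into a Nimbus JWK. The entry alias becomes the JWK's key ID (kid).
     */
    static JWKSet loadJwkSet(String classpathLocation, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new ClassPathResource(classpathLocation).getInputStream()) {
            keyStore.load(in, password);
        }

        // PKCS12 (as written by keytool): key password == store password,
        // so the lookup ignores the alias and returns the store password.
        JWKSet jwkSet = JWKSet.load(keyStore, alias -> password);

        if (jwkSet.getKeys().isEmpty()) {
            throw new IllegalStateException("No keys found in keystore " + classpathLocation);
        }
        for (JWK jwk : jwkSet.getKeys()) {
            // A trusted-certificate entry loads as a public-only JWK; it cannot sign tokens.
            if (!jwk.isPrivate()) {
                throw new IllegalStateException(
                        "Keystore entry '" + jwk.getKeyID() + "' has no private key; cannot sign tokens");
            }
        }
        return jwkSet;
    }

    @Bean
    public JWKSource<SecurityContext> jwkSource() throws GeneralSecurityException, IOException {
        String password = System.getenv(PASSWORD_ENV);
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException("Environment variable " + PASSWORD_ENV + " is not set");
        }
        JWKSet jwkSet = loadJwkSet(KEYSTORE_LOCATION, password.toCharArray());
        // ImmutableJWKSet holds the private keys for signing; the JWKS endpoint of
        // Spring Authorization Server exposes only jwkSet.toPublicJWKSet().
        return new ImmutableJWKSet<>(jwkSet);
    }
}
```

Because the alias becomes the kid, rotate keys by adding a new entry with a fresh alias to the keystore rather than overwriting the existing one: Resource Servers that cached the old public key can still verify tokens issued before the rotation while new tokens carry the new kid.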

The same JWKSet build code works for any keystore type, not only PKCS12: change the argument of KeyStore.getInstance() to the type you use, and make sure the password lookup returns the correct password for each alias, since with other keystore types the key password may differ from the keystore password.
