I was wondering whether Jose4J handles the redirect HTTP status codes (e.g. 307) when retrieving the JWKS from the OpenID Connect endpoint.
I myself now do the retrieval and pass the JWKS on to Jose4J, so-called out of band. Now when I switched network I got a lot of 307s and wonder if it's wise to let Jose4J do the JWKS retrieval when it supports 307 and the other redirect statuses:
HttpURLConnection.HTTP_MOVED_TEMP
HttpURLConnection.HTTP_MOVED_PERM
HttpURLConnection.HTTP_SEE_OTHER
Thanks!
Jan
Yes, it will follow redirects when making requests to a JWKS endpoint. org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver uses org.jose4j.jwk.HttpsJwks, which by default uses org.jose4j.http.Get, which in turn uses Java's HttpsURLConnection, which will follow redirects unless the behaviour has been changed at the class level:
https://docs.oracle.com/javase/8/docs/api/java/net/HttpURLConnection.html#setFollowRedirects-boolean-
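
The redirect behaviour described in the answer can be observed with the JDK alone. The following is an added example, not part of the original thread and not jose4j code: it uses a plain HttpURLConnection over HTTP against a loopback server, and the paths /old/jwks and /new/jwks and the empty JWK Set body are constructed for the demo.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;

public class JwksRedirectDemo {
    // Constructed sample body: an empty JWK Set.
    static final byte[] JWKS = "{\"keys\":[]}".getBytes(StandardCharsets.UTF_8);

    // Performs a GET and returns the status code the caller ends up seeing.
    static int fetchStatus(URL url, boolean follow) throws Exception {
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        // Per-connection override; its default comes from the class-level
        // HttpURLConnection.setFollowRedirects(boolean) setting.
        c.setInstanceFollowRedirects(follow);
        try {
            return c.getResponseCode();
        } finally {
            c.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        // The old location answers 307 Temporary Redirect with no body.
        server.createContext("/old/jwks", ex -> {
            ex.getResponseHeaders().add("Location", "/new/jwks");
            ex.sendResponseHeaders(307, -1);
            ex.close();
        });
        // The new location serves the JWK Set.
        server.createContext("/new/jwks", ex -> {
            ex.getResponseHeaders().add("Content-Type", "application/json");
            ex.sendResponseHeaders(200, JWKS.length);
            try (OutputStream os = ex.getResponseBody()) { os.write(JWKS); }
        });
        server.start();
        try {
            URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/old/jwks");
            System.out.println("class-level default: " + HttpURLConnection.getFollowRedirects());
            System.out.println("follow=true  -> " + fetchStatus(url, true));
            System.out.println("follow=false -> " + fetchStatus(url, false));
        } finally {
            server.stop(0);
        }
    }
}
```

HttpURLConnection does not follow a redirect that changes protocol (for example from https to http), so a JWKS endpoint that redirects that way still surfaces the 3xx status to the caller.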