
Does jose4j take care of Azure Signing Key rollover automatically?


I am implementing jose4j in my Java application to verify the signature of the access token issued by Azure. The application works fine; however, I came across this documentation about Signing Key rollover. Does jose4j take care of it automatically when using the HttpsJwksVerificationKeyResolver?

I am currently using the following snippet to build the JwtConsumer:

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

// Tenant-specific JWKS endpoint; HttpsJwks fetches and caches the key set published there.
String azureKeyDiscoveryUrl =
                "https://login.microsoftonline.com/{my-tenant-id}/discovery/keys";
HttpsJwks azureKeyDiscovery = new HttpsJwks(azureKeyDiscoveryUrl);

// Picks the verification key by the token's "kid" header from the cached JWKS.
HttpsJwksVerificationKeyResolver azureJwksKeyResolver =
                new HttpsJwksVerificationKeyResolver(azureKeyDiscovery);

JwtConsumer azureJwtConsumer = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setAllowedClockSkewInSeconds(30)
                .setRequireIssuedAt()
                .setRequireNotBefore()
                .setVerificationKeyResolver(azureJwksKeyResolver)
                .setExpectedAudience("my-audience")
                // Only RS256 is accepted; any other "alg" header is rejected before verification.
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                        AlgorithmConstraints.ConstraintType.WHITELIST, AlgorithmIdentifiers.RSA_USING_SHA256))
                .build();

// Throws InvalidJwtException when the signature or any of the claim checks above fails.
JwtClaims claims = azureJwtConsumer.processToClaims("tokenStringHere");

Solution

  • Yes, assuming Azure does the right/reasonable thing with the https://login.microsoftonline.com/{my-tenant-id}/discovery/keys endpoint, which I think they do, it'll work.
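To see the rollover behaviour the answer relies on, here is an added example (not from the question or the jose4j project): it swaps the JWKS behind a constructed in-memory stand-in for the discovery endpoint, wired in through jose4j's SimpleGet/Response (assumed to be available as a test seam), and then verifies a token signed with a key that was not in the set the resolver had cached.

```java
import org.jose4j.http.Response;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import java.util.Collections;

public class KeyRolloverDemo {
    // Constructed stand-in for the discovery endpoint: the JWKS it serves is swapped mid-run.
    static String publishedJwks;

    static String sign(RsaJsonWebKey key) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setAudience("my-audience");
        claims.setExpirationTimeMinutesInTheFuture(5);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(key.getPrivateKey());
        jws.setKeyIdHeaderValue(key.getKeyId()); // the resolver matches on this kid
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jws.getCompactSerialization();
    }

    public static void main(String[] args) throws Exception {
        RsaJsonWebKey oldKey = RsaJwkGenerator.generateJwk(2048);
        RsaJsonWebKey newKey = RsaJwkGenerator.generateJwk(2048);
        oldKey.setKeyId("old-kid"); newKey.setKeyId("new-kid");
        publishedJwks = new JsonWebKeySet(oldKey).toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY);
        HttpsJwks jwks = new HttpsJwks("https://login.microsoftonline.com/{my-tenant-id}/discovery/keys");
        jwks.setDefaultCacheDuration(3600);  // seconds to keep a fetched set when no Cache-Control max-age is sent
        jwks.setRefreshReprieveThreshold(0); // ms between kid-miss refreshes; 0 only to make the demo deterministic
        // Assumed test seam: replace the real HTTPS GET with the in-memory JWKS above.
        jwks.setSimpleHttpGet(location -> new Response(200, "OK", Collections.emptyMap(), publishedJwks));
        JwtConsumer consumer = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setExpectedAudience("my-audience")
                .setVerificationKeyResolver(new HttpsJwksVerificationKeyResolver(jwks))
                .build();
        consumer.processToClaims(sign(oldKey)); // first fetch of the JWKS, then cached
        publishedJwks = new JsonWebKeySet(oldKey, newKey).toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY);
        consumer.processToClaims(sign(newKey)); // unknown kid -> resolver refreshes the JWKS and verifies
    }
}
```

In production leave the reprieve threshold at its default so a flood of tokens with bogus kids cannot turn every verification into a fetch from the discovery endpoint.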