How to verify an HS256 ID token using the FusionAuth Java client libraries?
Description: I have created an app in FusionAuth that has a Client ID and Client Secret generated. I have not touched any other section/tab like JWT etc.; the default JWT signing algorithm is the OIDC standard HMAC SHA256.
I tried using the following code approach to validate the token based on the public key, but it's not working for an HS256-signed token. I searched over the internet and found that a public key is not applicable for HS256.
Could you please provide me Java code to verify an HS256-signed token using the FusionAuth Java client libraries (https://github.com/FusionAuth/fusionauth-jwt)? Please also let me know whether I need any additional configuration in the FusionAuth Admin Console.
Code which I tried (it's giving blank public keys):
List<JSONWebKey> keys = JSONWebKeySetHelper.retrieveKeysFromJWKS("http://localhost:9011/.well-known/jwks.json");
Map<String, Verifier> publicKeyVerifiers = new HashMap<String, Verifier>();
for (JSONWebKey key : keys) { // empty for HS256: a JWKS only publishes asymmetric public keys, never an HMAC secret
  publicKeyVerifiers.put(key.kid, RSAVerifier.newVerifier((PublicKey) JSONWebKey.parse(key)));
}
JWT jwtDecoded = JWT.getDecoder().decode(idToken, publicKeyVerifiers); // selects the verifier whose key id matches the token's kid header
It looks like there is an example in the README:
// Build an HMAC verifier using the same secret that was used to sign the JWT
Verifier verifier = HMACVerifier.newVerifier("too many secrets");
// Verify and decode the encoded string JWT to a rich object
JWT jwt = JWT.getDecoder().decode(encodedJWT, verifier);
// Assert the subject of the JWT is as expected
assertEquals(jwt.subject, "f1e33ab3-027f-47c5-bb07-8dd8ab37a2d3");
https://github.com/FusionAuth/fusionauth-jwt#verify-and-decode-a-jwt-using-hmac
With HMAC signing you need to distribute the secret ("too many secrets"
in the example above) to all locations which need to verify the JWT.
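Putting the README snippet together as a complete check of an ID token, as an added example that is not part of the original answer and not FusionAuth's own code: it assumes the verifying service holds the same HMAC secret FusionAuth used to sign the token, and the issuer URL, client id and secret below are constructed placeholders (the token is minted locally with HMACSigner so the example runs offline; the class name HS256IdTokenCheck and the helper names are mine). Beyond the README line it also checks the iss and aud claims, which a relying party has to validate for an ID token, and shows that a token signed with a different secret is rejected.

```java
import io.fusionauth.jwt.InvalidJWTSignatureException;
import io.fusionauth.jwt.Signer;
import io.fusionauth.jwt.Verifier;
import io.fusionauth.jwt.domain.JWT;
import io.fusionauth.jwt.hmac.HMACSigner;
import io.fusionauth.jwt.hmac.HMACVerifier;

import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.Collection;

public class HS256IdTokenCheck {
  // Constructed sample values: replace with your FusionAuth issuer, the application's
  // client id and the HMAC secret it signs with. None of these come from a real deployment.
  static final String ISSUER = "http://localhost:9011";
  static final String CLIENT_ID = "00000000-0000-0000-0000-000000000000";
  static final String HMAC_SECRET = "constructed-sample-secret-not-real";

  /**
   * Verify an HS256 ID token with the shared secret and check the claims a relying
   * party must validate. Returns the decoded JWT, or throws if anything fails.
   */
  public static JWT verifyIdToken(String encodedIdToken, String secret,
                                  String expectedIssuer, String expectedAudience) {
    Verifier verifier = HMACVerifier.newVerifier(secret);
    // decode() checks the signature and, by default, the exp/nbf claims; it throws on failure
    JWT jwt = JWT.getDecoder().decode(encodedIdToken, verifier);
    if (!expectedIssuer.equals(jwt.issuer)) {
      throw new IllegalStateException("unexpected issuer: " + jwt.issuer);
    }
    if (!audienceContains(jwt.audience, expectedAudience)) {
      throw new IllegalStateException("token was not issued for this client");
    }
    return jwt;
  }

  // The aud claim may be a single string or a list of strings
  static boolean audienceContains(Object audience, String expected) {
    if (audience instanceof String) {
      return expected.equals(audience);
    }
    if (audience instanceof Collection) {
      return ((Collection<?>) audience).contains(expected);
    }
    return false;
  }

  // Mint a token the way an HS256 issuer would, so the example runs without a server
  static String mintSampleIdToken(String secret) {
    Signer signer = HMACSigner.newSHA256Signer(secret);
    JWT jwt = new JWT()
        .setIssuer(ISSUER)
        .setAudience(CLIENT_ID)
        .setSubject("f1e33ab3-027f-47c5-bb07-8dd8ab37a2d3") // sample subject from the README
        .setIssuedAt(ZonedDateTime.now(ZoneOffset.UTC))
        .setExpiration(ZonedDateTime.now(ZoneOffset.UTC).plusMinutes(5));
    return JWT.getEncoder().encode(jwt, signer);
  }

  public static void main(String[] args) {
    String idToken = mintSampleIdToken(HMAC_SECRET);

    JWT ok = verifyIdToken(idToken, HMAC_SECRET, ISSUER, CLIENT_ID);
    System.out.println("verified subject: " + ok.subject);

    // Wrong secret: the signature check must fail before any claim is trusted
    try {
      verifyIdToken(idToken, "some-other-secret", ISSUER, CLIENT_ID);
      System.out.println("BUG: token accepted with the wrong secret");
    } catch (InvalidJWTSignatureException e) {
      System.out.println("rejected with wrong secret, as expected");
    }
  }
}
```

The verifier is built from the secret alone, so no call to the JWKS endpoint is involved; the JWKS step from the question only applies when the key is asymmetric (RS256/ES256), which is why it returned no usable keys here.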