7

I want to implement JWT verification in my spring boot application. The algorithm we used for signing token is Ed25519\EDDSA .

I don't find right dependency/library to implement Jwt verifier using ED25519 algorithm.

Can someone suggest maven dependency to validate JWT token ?

Gokul Kulanthaivel
  • 81
  • 1
  • 4

1 Answers1

4

The answer comes late but I just tried to solve the same problem and decided to share my conclusions.

I'd use Spring Security with the OAuth 2.0 Resource Server to validate JWTs.

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>

However, Spring Security's default JWT Decoder NimbusJwtDecoder does not support EdDSA (see list of supported signature algorithms. You will have to write your own JWTDecoder.

Luckily, Spring Security depends on Nimbus JOSE+JWT library that already supports EdDSA. To validate an EdDSA signature with the library, add the following dependency:

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.6.1</version>
</dependency>

Your code will at some point call the following lines, where encodedJwt is the encoded jwt string.

SignedJWT signedJWT = SignedJWT.parse(encodedJwt);

JWSVerifier verifier = new Ed25519Verifier(publicJWK);
assertTrue(signedJWT.verify(verifier));

The complete example can be found here: https://connect2id.com/products/nimbus-jose-jwt/examples/jwt-with-eddsa

Judith Kahrer
  • 301
  • 1
  • 5
  • I'm trying to figure out how the JWTDecoder would look, are you able to post it? Thank you! – William Ross Jun 22 '23 at 20:49
  • 1
    No, I'm sorry, I cleaned up my system and don't have the POC anymore. I did an implementation without Spring that you can find here: https://github.com/curityio/oauth-filter-for-java/pull/6 – Judith Kahrer Jun 28 '23 at 06:38