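// Step 1: verify the outer JWS signature with the shared signing key before
// touching the payload. Everything in step 2 relies on this check having passed.
JsonWebSignature jws = new JsonWebSignature();
jws.setCompactSerialization(jwtString);
jws.setKey(new AesKey(jwtConfig.getSigningKey().getBytes(StandardCharsets.UTF_8)));
// DISALLOW_NONE only rejects the unsigned "none" algorithm.
// NOTE(review): consider permitting only the HMAC algorithm the issuer is
// configured to use, so the accepted set is explicit. Confirm against the issuer.
jws.setAlgorithmConstraints(AlgorithmConstraints.DISALLOW_NONE);
if (!jws.verifySignature()) {
    // The token itself is deliberately kept out of the log: it is caller-supplied
    // text (log-injection risk), and if the signing key is merely misconfigured
    // every rejected token would be a genuine credential written to the log.
    logger.error("jwt have invalid signature (token value not logged)");
    return new ValidationDTO(false, false);
}

// Step 2: decrypt the signed payload. The token may still be expired at this
// point, because the consumer below runs no claim validators.
final byte[] decodedBytes = Base64.decodeBase64(jws.getEncodedPayload().getBytes(StandardCharsets.UTF_8));
final String decodedPayload = new String(decodedBytes, StandardCharsets.UTF_8);

// Wrap the configured encryption key in an "oct" JWK so jose4j decodes the key material.
// NOTE(review): the JSON is assembled by string concatenation; this is only safe
// while the configured key contains no quote or backslash characters.
final JsonWebKey jsonWebKey = JsonWebKey.Factory
        .newJwk("\n" + "{\"kty\":\"oct\",\n" + " \"k\":\"" + jwtConfig.getEncriptionKey() + "\"\n" + "}");

// This consumer performs decryption only:
//  - setSkipAllValidators() turns off every claim validator, so the resulting
//    context must not be trusted until the caller has checked the claims it
//    depends on (the code that does so is not visible in this snippet).
//  - setDisableRequireSignature() / setSkipSignatureVerification() are acceptable
//    here only because the outer JWS signature was verified in step 1.
JwtConsumer maybeExpiredConsumer = new JwtConsumerBuilder()
        .setSkipAllValidators()
        .setDisableRequireSignature()
        .setSkipSignatureVerification()
        .setDecryptionKey(new AesKey(jsonWebKey.getKey().getEncoded()))
        // Restrict JWE key management to direct use of the shared key.
        .setJweAlgorithmConstraints(
                new AlgorithmConstraints(ConstraintType.WHITELIST,
                        KeyManagementAlgorithmIdentifiers.DIRECT))
        // Restrict content encryption to one algorithm; this has to match the CAS configuration.
        .setJweContentEncryptionAlgorithmConstraints(
                new AlgorithmConstraints(ConstraintType.WHITELIST,
                        ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256))
        .build();

// <<<<< Exception thrown here: "Invalid JOSE Compact Serialization"
// NOTE(review): jose4j raises this error when the input does not split into the
// 3 (JWS) or 5 (JWE) dot-separated parts of a compact serialization. This consumer
// is given a decryption key, so decodedPayload presumably has to be a JWE compact
// string. Confirm what the issuer actually places in the JWS payload, for example
// whether it is wrapped in a further encoding layer. TODO verify.
JwtContext context = maybeExpiredConsumer.process(decodedPayload);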