MP-JWT verification examples


Scott Stark

Apr 14, 2018, 1:38:19 AM
to Eclipse MicroProfile
In today's MP-JWT call there was a discussion about which settings involved in verification of a token various JWT libraries supported. I have put together tests of 4 of the Java libraries from jwt.io in the following package in the sandbox:


Based on this, there does not appear to be a problem with supporting configuration of the following verification items:
- public key of JWT signer
- issuer
- exp date
- clock skew / exp grace period

I'll next look at how JWK and JWKS are handled as part of the verification process by each of the libraries.


Scott Stark

Apr 18, 2018, 2:13:42 AM
to Eclipse MicroProfile
I have added tests that show how 3 of the Java libraries support the use of JWKS as the source of the signer public key to the sandbox module under:

Take a look at those and let me know if there are other libraries in use that need to be validated. While all 3 libraries support a JWKS, not all have the direct notion of a verifierJwksRefreshInterval type reload period, so while we could have such a configuration parameter, there is no behavioral guarantee that it is supported.