In today's MP-JWT call there was a discussion about which settings involved in verification of a token various JWT libraries supported. I have put together tests of 4 of the Java libraries from jwt.io in the following package in the sandbox:
Based on this, there does not appear to be a problem with supporting configuration of the following verification items:
- public key of JWT signer
- issuer
- exp date
- clock skew / exp grace period
I'll next look at how JWK and JWKS are handled as part of the verification process by each of the libraries.
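
The four verification settings listed above, configured on a single verifier and exercised against tokens that should pass and fail. This is an added example, not the sandbox tests described in this message; the choice of jose4j, the issuer URLs, and the 30-second skew are assumptions made for illustration.

```java
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

public class VerifySettingsExample {
    static final String ISSUER = "https://issuer.example"; // constructed sample value
    // Sign a token with RS256; expOffsetSeconds < 0 means it has already expired.
    static String sign(RsaJsonWebKey key, String issuer, long expOffsetSeconds) throws Exception {
        NumericDate exp = NumericDate.now();
        exp.addSeconds(expOffsetSeconds);
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(issuer);
        claims.setExpirationTime(exp);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(key.getPrivateKey());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jws.getCompactSerialization();
    }
    // Run the token through the verifier and report the outcome.
    static void check(String label, JwtConsumer consumer, String jwt) {
        try {
            consumer.processToClaims(jwt);
            System.out.println(label + ": accepted");
        } catch (InvalidJwtException e) {
            System.out.println(label + ": rejected (" + e.getMessage() + ")");
        }
    }
    public static void main(String[] args) throws Exception {
        RsaJsonWebKey signer = RsaJwkGenerator.generateJwk(2048);
        RsaJsonWebKey other = RsaJwkGenerator.generateJwk(2048); // key the verifier does not trust
        JwtConsumer consumer = new JwtConsumerBuilder()
            .setVerificationKey(signer.getKey())   // public key of JWT signer
            .setExpectedIssuer(ISSUER)             // issuer
            .setRequireExpirationTime()            // exp must be present and is checked
            .setAllowedClockSkewInSeconds(30)      // clock skew / exp grace period (assumed value)
            .build();
        check("valid token", consumer, sign(signer, ISSUER, 300));
        check("expired 20s ago, inside skew", consumer, sign(signer, ISSUER, -20));
        check("expired 120s ago", consumer, sign(signer, ISSUER, -120));
        check("wrong issuer", consumer, sign(signer, "https://other.example", 300));
        check("signed by other key", consumer, sign(other, ISSUER, 300));
    }
}
```

Running it needs jose4j and its slf4j-api dependency on the classpath. The second case is the one worth watching when comparing libraries: a token just past its `exp` is only accepted because of the configured grace period.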