Handshake in JWT public/private key authentication using vertx
I created a small vertx auth-server which signs/generates JWT tokens using public/private key.
```java
PrivateKey privateKey = CertUtil.getPrivateKey("config/private_key.der");
PublicKey publicKey = CertUtil.getPublicKey("config/public_key.der");

// Create a JWT Auth Provider
JWTAuth jwt = JWTAuth.create(vertx, new JWTAuthOptions()
    .setPubSecKeys(List.of(new PubSecKeyOptions()
        .setAlgorithm("RS256")
        .setPublicKey(Base64.getEncoder().encodeToString(publicKey.getEncoded()))
        .setSecretKey(Base64.getEncoder().encodeToString(privateKey.getEncoded())))));

// protect the API
router.route("/api/*").handler(JWTAuthHandler.create(jwt, "/api/new-token"));

// this route is excluded from the auth handler
router.get("/api/new-token").handler(ctx -> this.generateAndSendToken(ctx, jwt));

// this is the secret API
router.get("/api/protected").handler(ctx -> {
    ctx.response().putHeader("Content-Type", "text/plain");
    ctx.response().end("a secret you should keep for yourself...");
});

vertx.createHttpServer().requestHandler(router).listen(8080);
```

Now when I access /api/new-token from the client, I get a JWT token back signed by my auth-server above. However, I have some open questions:

- How is the auth-server making sure that the client has the server's public key and that it is genuine?
- How can the client send a public key to the auth-server?
- How can I make /api/new-token secure so only a legitimate client can connect to it?
java jwt rsa public-key-encryption vert.x
asked Mar 21 at 23:47
vivekIndia
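The RS256 setup in the question, reduced to its signing and verification steps as an added example (not code from the question, the answer, or Vert.x): the auth server signs with its private key, and a verifier holding only the auth server's public key accepts a token only if it is unmodified and was signed by that key. It uses only the JDK; the class name `Rs256Demo`, the key pairs and the claims are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class Rs256Demo {
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    // Auth-server side: sign "header.payload" with the RSA private key (RS256 = SHA256withRSA).
    static String sign(String payloadJson, PrivateKey key) throws GeneralSecurityException {
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String signingInput = B64.encodeToString(header.getBytes(StandardCharsets.UTF_8))
                + "." + B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(s.sign());
    }

    // Verifier side: holds only the public key. The algorithm is pinned to RS256 here
    // instead of being read from the token header.
    static boolean verify(String token, PublicKey key) throws GeneralSecurityException {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        byte[] sig;
        try {
            sig = Base64.getUrlDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return false; // signature segment is not valid base64url
        }
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair authServer = gen.generateKeyPair(); // constructed key pair for the demo
        KeyPair other = gen.generateKeyPair();      // unrelated key, for the negative case
        String token = sign("{\"sub\":\"demo-user\"}", authServer.getPrivate());
        String[] p = token.split("\\.");
        String changed = B64.encodeToString("{\"sub\":\"other-user\"}".getBytes(StandardCharsets.UTF_8));
        String tampered = p[0] + "." + changed + "." + p[2]; // payload swapped, signature kept
        System.out.println("signer's public key: " + verify(token, authServer.getPublic()));
        System.out.println("modified payload:    " + verify(tampered, authServer.getPublic()));
        System.out.println("unrelated key:       " + verify(token, other.getPublic()));
    }
}
```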
1 Answer
Why don't you delegate this task to Keycloak, an Open Source Identity and Access Management? It adds authentication to your app and secures services with minimum fuss.

We have used it in our project and it works pretty well!

To plug it into Vert.x, you can follow these tutorials:

- https://vertx.io/blog/vertx-3-and-keycloak-tutorial/
- https://medium.com/@alexpitacci/vert-x-and-keycloak-working-together-9d459a5ebd9e
- http://paulbakker.io/java/jwt-keycloak-angular2/
- https://piotrminkowski.wordpress.com/2017/09/15/building-secure-apis-with-vert-x-and-oauth2/
answered Mar 25 at 15:39
hzitoun