Hi
We have a backend junctioned application that is receiving a signed JWT generated with the TFIM SSO/STS module (a very simple trust chain), and the Liberty runtime's /sps/jwks endpoint is published internally to the backend junctioned application (anonymous access).
Developers are wondering what library (Java) I can suggest to them for parsing/verifying the signed JWT before they can safely consume it.
Here I am making a few assumptions about the existence of such a library:
- You can provide it a JWKS endpoint URL.
- You obviously provide it the received JWT token payload.
- It will perform the entire signature validation of the JWT for you, without requiring the developer to perform cryptographic operations.
- Ideally, it could also cache (with a TTL to be defined) the JWKS endpoint's results, but purge them if it receives a JWT whose kid is unknown; it would then go back to the JWKS endpoint for fresh results. This is to ensure that we can truly support certificate rollover, but in a more performant and loosely coupled manner. A nice to have.
Please advise.
Thanks
------------------------------
Sylvain Gilbert
------------------------------
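As an added example (not from the original post, and not IBM's or the library's own sample code), here is how the requirements above map onto nimbus-jose-jwt (com.nimbusds:nimbus-jose-jwt, 9.x API assumed; RemoteJWKSet is marked deprecated in the newest releases in favour of JWKSourceBuilder but still works): the library fetches the /sps/jwks document, caches it, re-fetches when a token's kid is not in the cached set, and verifies the signature plus issuer, audience and expiry. The JWKS URL, expected issuer and expected audience are placeholders to be replaced with the values the STS actually emits.

```java
import java.net.URL;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.DefaultJWKSetCache;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

public class JwksJwtVerifier {
    private final DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();

    // jwksUrl is the internal /sps/jwks URL; expectedIssuer/expectedAudience are whatever the
    // STS mapping rule puts into "iss" and "aud" (placeholder names, to be confirmed on your side).
    public JwksJwtVerifier(String jwksUrl, String expectedIssuer, String expectedAudience) throws Exception {
        // Cache the key set for 15 minutes and refresh ahead of expiry. RemoteJWKSet also re-fetches
        // the JWKS when a token carries a kid that is not in the cached set, which covers key rollover.
        JWKSource<SecurityContext> keySource = new RemoteJWKSet<>(
                new URL(jwksUrl),
                new DefaultResourceRetriever(2000, 2000, 50_000),   // connect/read timeout (ms), size limit
                new DefaultJWKSetCache(15, 10, TimeUnit.MINUTES));  // lifespan, refresh-ahead time

        // Pin the algorithm: only RS256 keys are ever selected, so tokens using "none" or an HMAC
        // algorithm are rejected before any key lookup (assumes the STS signs with RS256).
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keySource));

        // Signature alone is not enough: require the expected iss and aud, require exp/iat/sub to be
        // present, and let the verifier reject expired tokens (exp is compared against the clock).
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                expectedAudience,
                new JWTClaimsSet.Builder().issuer(expectedIssuer).build(),
                Set.of("exp", "iat", "sub")));
    }

    // Returns the verified claims; throws BadJOSEException/JOSEException/ParseException on any failure,
    // so callers only ever see claims from a token that passed every check above.
    public JWTClaimsSet verify(String compactJwt) throws Exception {
        return processor.process(compactJwt, null);
    }

    public static void main(String[] args) throws Exception {
        JwksJwtVerifier v = new JwksJwtVerifier(
                "https://isva.internal.example/sps/jwks", "https://isva.internal.example/sps", "backend-app");
        System.out.println(v.verify(args[0]).getSubject());  // args[0]: compact JWT from the request header
    }
}
```

Keep the processor a singleton so the JWKS cache is shared across requests; constructing it per request would defeat the caching and hit /sps/jwks on every call.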