in gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java [556:609]
/**
 * Verifies the signature of the supplied JWT.
 *
 * <p>A token whose serialized form has already been recorded as verified is accepted
 * without repeating the checks. Otherwise the configured signing-key sources are tried
 * in order — PEM public key, then JWKS endpoint(s), then the gateway's own signing key
 * (only when nothing else is configured, or when the instance-key fallback is enabled) —
 * and a successful result is additionally checked against the expected signature
 * algorithm when one is configured. The PEM and instance-key paths do not receive
 * {@code expectedSigAlg}, so that comparison happens here rather than in the authority.
 *
 * @param token the parsed JWT to verify
 * @return {@code true} if the signature (and, when configured, the algorithm) is acceptable
 */
protected boolean verifyTokenSignature(final JWT token) {
  final String serializedJWT = token.toString();

  // The record is keyed on the full serialized token (signature included), so a
  // previously accepted token is accepted again without re-running the checks.
  if (hasSignatureBeenVerified(serializedJWT)) {
    return true;
  }

  boolean signatureOk = false;
  try {
    boolean pemAttempted = false;
    boolean jwksAttempted = false;

    // Source 1: an explicitly configured PEM public key.
    if (publicKey != null) {
      pemAttempted = true;
      signatureOk = authority.verifyToken(token, publicKey);
      log.pemVerificationResultMessage(signatureOk);
    }

    // Source 2: configured JWKS URL(s); this path enforces expectedSigAlg itself.
    if (!signatureOk && expectedJWKSUrls != null && !expectedJWKSUrls.isEmpty()) {
      jwksAttempted = true;
      signatureOk = authority.verifyToken(token, expectedJWKSUrls, expectedSigAlg, allowedJwsTypes);
      log.jwksVerificationResultMessage(signatureOk);
    }

    // Source 3: the gateway instance signing key. Used when no other source was
    // available, or when the fallback is explicitly enabled after the others failed.
    final boolean noConfiguredSource = !pemAttempted && !jwksAttempted;
    if (!signatureOk && (noConfiguredSource || isJwtInstanceKeyFallback)) {
      signatureOk = authority.verifyToken(token);
      log.signingKeyVerificationResultMessage(signatureOk);
    }
  } catch (TokenServiceException e) {
    // A failure in any source ends the attempt; the token remains unverified.
    log.unableToVerifyToken(e);
  }

  // Enforce the configured algorithm for every successful verification.
  if (signatureOk && expectedSigAlg != null) {
    signatureOk = receivedAlgorithmMatchesExpectation(token);
  }

  if (signatureOk) {
    // Remember the accepted token so later requests skip the checks above.
    recordSignatureVerification(serializedJWT);
  }
  return signatureOk;
}

/**
 * Compares the {@code alg} value in the token's JWS header with {@code expectedSigAlg}.
 *
 * @param token the JWT whose header is inspected
 * @return {@code true} only if the header parses and its algorithm name equals the
 *         expectation; an unparseable header is logged and treated as a mismatch
 */
private boolean receivedAlgorithmMatchesExpectation(final JWT token) {
  try {
    final String receivedSigAlg = JWSHeader.parse(token.getHeader()).getAlgorithm().getName();
    return receivedSigAlg.equals(expectedSigAlg);
  } catch (ParseException e) {
    log.unableToVerifyToken(e);
    return false;
  }
}