diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/validator/JWTValidator.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/validator/JWTValidator.java
index 2d6450c992..7795b83390 100644
--- a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/validator/JWTValidator.java
+++ b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/validator/JWTValidator.java
@@ -19,6 +19,7 @@ package org.wso2.choreo.connect.enforcer.security.jwt.validator;
 import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.RemoteKeySourceException;
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jwt.JWTClaimsSet;
@@ -114,10 +115,10 @@ private JWTValidationInfo validateToken(SignedJWTInfo signedJWTInfo, ExtendedTok
 protected boolean validateSignature(SignedJWT signedJWT, ExtendedTokenIssuerDto tokenIssuer) throws EnforcerException {
+ String certificateAlias = tokenIssuer.getCertificateAlias();
+ String keyID = signedJWT.getHeader().getKeyID();
+ String jwksUrl = tokenIssuer.getJwksConfigurationDTO().getUrl();
 try {
- String certificateAlias = tokenIssuer.getCertificateAlias();
- String keyID = signedJWT.getHeader().getKeyID();
- String jwksUrl = tokenIssuer.getJwksConfigurationDTO().getUrl();
 if (StringUtils.isNotEmpty(keyID)) {
 if (tokenIssuer.getJwksConfigurationDTO().isEnabled() && StringUtils .isNotEmpty(jwksUrl)) {
@@ -156,6 +157,9 @@ protected boolean validateSignature(SignedJWT signedJWT, ExtendedTokenIssuerDto
 }
 }
 return JWTUtils.verifyTokenSignature(signedJWT, certificateAlias);
+ } catch (RemoteKeySourceException e) {
+ logger.error("Error while retrieving the JWKSet from the remote endpoint : " + jwksUrl, e);
+ throw new EnforcerException("JWT Signature verification failed", e);
 } catch (JOSEException | IOException e) {
 throw new EnforcerException("JWT Signature verification failed", e);
 }
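Review bot: The new `catch (RemoteKeySourceException e)` branch writes an error-level entry with a full stack trace each time the JWKS fetch fails, and that path is driven by the incoming token (the earlier hunk shows the lookup is taken when the `kid` header is non-empty and JWKS is enabled). While the endpoint is unreachable, every such request can add a stack trace to the log; whether retrieval is cached or rate-limited is not visible here, so that is worth confirming. Consider one concise error line with the trace at debug level: `logger.error("Error while retrieving the JWKSet from the remote endpoint : " + jwksUrl + " : " + e.getMessage());` followed by `logger.debug("JWKSet retrieval failure", e);`. Also confirm that configured JWKS URLs never carry credentials in the userinfo or query part, since the URL is now logged verbatim. The body of validateSignature starts and ends outside this hunk.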