There are a few things missing in this quick start (but actually in all Java quick starts), so that it's not as illustrative as, for example, the SPA quick starts (Vue.js, etc.):

String authorizeUrl = controller.buildAuthorizeUrl(req, redirectUri)
        //.withAudience(String.format("https://%s/userinfo", appConfig.getDomain())) // I don't think this is actually needed here
        .withScope("openid profile email email_verified") // but this should be used to show "real" user profile info like email, username, etc.
        .build();

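// Imports needed by the snippets below
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.Verification;
import java.security.interfaces.RSAPublicKey;

DecodedJWT jwt = JWT.decode(tokens.getIdToken());
// do something with jwt.getPayload();
// ....

try {
    JwkProvider provider = new UrlJwkProvider("https://<tenant>.eu.auth0.com/.well-known/jwks.json");
    Jwk jwk = provider.get(jwt.getKeyId());
    Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
    algorithm.verify(jwt);
    // or ...?
    Verification verifier = JWT.require(algorithm);
    verifier.build().verify(jwt);
} catch (JWTVerificationException exception) {
    exception.printStackTrace();
    // Invalid signature/claims
} catch (JwkException e) {
    e.printStackTrace();
}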
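
The two verification calls in the snippet above do different amounts of checking. The following is an added example, not code from the quick start or from the post: it assumes java-jwt is on the classpath, uses a locally generated RSA key pair in place of the key fetched from jwks.json, and the issuer and client id are constructed values.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;

public class IdTokenCheckDemo {
    // Constructed values; in the quick start these would be the tenant domain and client id.
    static final String ISSUER = "https://tenant.example/";
    static final String CLIENT_ID = "my-client-id";

    public static void main(String[] args) throws Exception {
        // Locally generated key pair stands in for the key published in jwks.json.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        Algorithm signer = Algorithm.RSA256((RSAPublicKey) kp.getPublic(), (RSAPrivateKey) kp.getPrivate());
        Algorithm verifyOnly = Algorithm.RSA256((RSAPublicKey) kp.getPublic(), null);

        // Validly signed token, but issued for a different client (wrong audience).
        String token = JWT.create()
                .withIssuer(ISSUER)
                .withAudience("some-other-client")
                .withExpiresAt(new Date(System.currentTimeMillis() + 60_000))
                .sign(signer);

        // 1) Algorithm.verify checks the signature only, so this token passes.
        DecodedJWT decoded = JWT.decode(token);
        verifyOnly.verify(decoded);
        System.out.println("algorithm.verify: signature OK, aud=" + decoded.getAudience());

        // 2) A verifier built with expected claims checks signature, exp, iss and aud.
        JWTVerifier verifier = JWT.require(verifyOnly)
                .withIssuer(ISSUER)
                .withAudience(CLIENT_ID)
                .build();
        try {
            verifier.verify(token);
            System.out.println("JWTVerifier: accepted");
        } catch (JWTVerificationException e) {
            System.out.println("JWTVerifier: rejected: " + e.getMessage());
        }
    }
}
```

Claims read from `JWT.decode(...)` alone are unverified input; application logic should use the `DecodedJWT` returned by `verifier.verify(...)`.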