I assume that you are getting an exception something like this?

    org.jose4j.lang.InvalidKeyException: A key of the same size as the hash output (ie 256 bits for HS256) or larger MUST be used with the HMAC SHA algorithms but this key is only 48 bits

HmacKey is the correct type for HS256, but the key is technically too short according to the second paragraph of http://tools.ietf.org/html/rfc7518#section-3.2, which has the same text as the exception message.
You can get around this by building a JwtConsumer with .setRelaxVerificationKeyValidation(), which allows you to use shorter keys. It looks like this (adding only one line to the snippet from your example):

    JwtConsumer jwtConsumer = new JwtConsumerBuilder()
            .setVerificationKey(new HmacKey(secret.getBytes()))
            .setRelaxVerificationKeyValidation() // allow shorter HMAC keys when used w/ HSxxx algs
            .build();

In general, though, I would try to avoid using a short password-like key such as "secret", and suggest using a stronger key when possible.
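The stronger-key alternative mentioned in the answer, as an added example that is not part of the original post: it generates a random 256-bit HS256 key, signs and verifies a token with jose4j without relaxing key validation, and shows the 48-bit "secret" key being rejected. The class name, the helper `newHs256Key` and the claim values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.HmacKey;
import org.jose4j.lang.InvalidKeyException;

public class Hs256KeyExample {
    // RFC 7518 section 3.2: the HMAC key must be at least as long as the hash output.
    static final int HS256_MIN_KEY_BYTES = 32;

    // Hypothetical helper: a fresh random key of the minimum size HS256 accepts.
    static byte[] newHs256Key() {
        byte[] key = new byte[HS256_MIN_KEY_BYTES];
        new SecureRandom().nextBytes(key);
        return key;
    }

    // Signs a short-lived token (constructed claim values) with the given key bytes.
    static String sign(byte[] keyBytes) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setSubject("example-user");
        claims.setExpirationTimeMinutesInTheFuture(5);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA256);
        jws.setKey(new HmacKey(keyBytes));
        return jws.getCompactSerialization();
    }

    public static void main(String[] args) throws Exception {
        byte[] keyBytes = newHs256Key();
        String jwt = sign(keyBytes);

        // No setRelaxVerificationKeyValidation(): the 256-bit key passes the length check.
        JwtConsumer consumer = new JwtConsumerBuilder()
                .setVerificationKey(new HmacKey(keyBytes))
                .build();
        System.out.println("verified subject: " + consumer.processToClaims(jwt).getSubject());

        try {
            sign("secret".getBytes(StandardCharsets.UTF_8)); // 6 bytes = 48 bits
        } catch (InvalidKeyException e) {
            System.out.println("short key rejected: " + e.getMessage());
        }
    }
}
```

The generated key bytes have to be stored and shared between signer and verifier like any other secret, for example base64-encoded in a secrets store.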