What is the roadmap about supporting JOSE? #94
Comments
|
Hi, However @prince-chrismc did a lot of contributions lately and @Sp3EdeR works on implementing EdDSA support right now, so going forward I am pretty sure we will implement it eventually. It's just that theres no timeline for it. |
prince-chrismc
changed the title
|
@Thalhammer @prince-chrismc what is your take on loading keys from JWK? I experimented with it a bit and I can also contribute a minimal working feature but it feels like the interface is not optimal and I would like to avoid putting effort into something that will be dismissed as "clumsy to use". Namely, it looks like there is missing a class that represents keys. @Thalhammer already mentioned something similar here. Keys are currently loaded directly from certificates/PEM encoded public keys and stored in jwt::jwk key = jwk::build_from_certificate("-----BEGIN CERTIFICATE...")
auto verify = jwt::verify().allow_algorithm(jwt::algorithm::rs256(key));
verify.verify(jwt::decode(token));and in future one could implement reading JWK from JSON jwt::jwk key = jwk::build_from_json(R"({"kty" : "oct", "k" : "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ"})")
auto verify = jwt::verify().allow_algorithm(jwt::algorithm::hs256(key));
verify.verify(jwt::decode(token));Such change would probably result in decoupling |
|
Loading keys from jwk and jwks is definitly something I'd like to support in the future. I don't personally like jwks much because it is an invitation to loading untrusted keys and has numerous problems (CVE-2018-0114, JWKS Spoofing, just to name a few), however it is a fixed standard and if used correctly is probably fine.
Like you already noticed, the interface (if one can call it that) is pretty suboptimal for anything more advanced. We really need to clean that part up quite a bit. I think its fine to wrap a EVP_PKEY for asymmetric and std::string for symetric keys, since we rely on openssl (or a close enough replacement) anyway. I was thinking about something like that: classDiagram
class jwt_key {
+type get_type()
}
class jwt_asymmetric_key {
+std::shared_ptr<EVP_PKEY> get_key()
}
class jwt_symetric_key {
+std::string get_key()
}
jwt_key <|-- jwt_asymmetric_key
jwt_key <|-- jwt_symetric_key
^^ Nothing special, but I wanted to try out the new inline diagrams. We should also provide a way to convert between jwk and key. I don't think we should directly integrate the crypto part with the jwk class (which is more of a convience wrapper for parsing). But I am open for discussion on that part.
Not necessarily. One could simply parse the values in the jwk in the algorithm constructor just like we parse the pem there at the moment. I think we should clean up the constructor params (especially for asymmetric) since atm half of the args is unused at any given point (You don't need the private cert for verifying if you pass in the public one and you dont need the public one if you pass the private part). Another thing worth considering might be some sort of "keychain" concept. Jwt's have a header claim "kid" which defines the key that should be used for verifying the token, which means you can have a number of valid keys (for the same algorithm) and depending on the token one is choosen. If you want to make use of this at the moment you would have to parse the header of the decoded token, load the appropriate key (making sure not to screw up, since the value in there is not trusted yet), build a matching verifier and use that one to verify the token. What we could do now is have a interface class TLDR: Yes we need an abstraction for keys and yes we need a way to import/export jwk/jwks (as well as der, pem, ...). |
Me too 😱 They look really good!
We will never be dismissive 🤗 The JOSE ecosytem is so wide. Contributions will always be considered since lots of other will benefit from the work. Thanks a lot for sharing first ❤️ JWK(s) are growing in popularity, I think this is an excellent addition. If the first implementation is "suboptimal" that's why we are allowed unlimited PRs 😆 and it can always be improved (unlike my jokes, those seems to only get worse).
Yes! I think this is a great value add, it makes the whole integration easier for clients side (and maybe server)
Big fan of this, I have done the work for RSA, so we probably should template the algo's out to be able to add more in the future #160 (comment) Green light from me! |
prince-chrismc
changed the title
What about baking "keychain" directly into the
A JWK can also contain information about a context in which the key can be used, e.g., algorithm that is to be used with the key (RS256 vs. RS384). I believe that right now life will be easier when one could validate these parameters during verification, e.g., if JWT contains TL;DR: Should the |
Trusted as in passed to the
I don't see why not, we have the notion of |
Dear @Thalhammer
Thanks for this useful library and recent changes are wonderful, we can use the json library like simdjson or rapidjson for performance point of view
Since you develop this jwt library, do you have any plan to imitate the library for JOSE completely, I mean jwe, jws, jwk, etc?
In order to answer the questions about future plans. This has been edited to give a summary.
All contributions are welcomed! If you need a feature we will do our best to help you add it!
jwks-verify.cppexample? #160The text was updated successfully, but these errors were encountered: