Add jwks parsing (abandoned)

[dtiukalov]

add jwks implementation to simple access to x5c to verify jwt:

auto decoded_jwt = jwt::decode(token);
auto jwks = jwt::parse_jwks(jwks_json_str);
if (jwks.has_x5c_id()) {
   auto issuer = decoded_jwt.get_issuer();
   auto x5c = jwks.get_x5c();
   if (jwks.get_key_id() == decoded_jwt.get_key_id()) {
      if (!x5c.empty() && !issuer.empty()) {
         auto verifier = jwt::verify()
            .allow_algorithm(jwt::algorithm::rs256(jwt::helper::convert_base64_der_to_pem(x5c), "", "", ""))
            .with_issuer(issuer)
            .leeway(60U); 
         std::error_code err;
         verifier.verify(decoded_jwt, err);
         jwt::error::throw_if_error(err);
     }
}
   else {
      std::cerr << "Key ids are not matched" << std::endl;
   }
}

[prince-chrismc]

Wow! 🏆 super exciting to see this added, thank you so much for your contribution ❤️

This would be a start towards #94 which I think a lot of people would benefit from!

There's a few key details missing in order for this to be merged

• Test code
  • Something similar to this test
  • Feel free to add a new file
• No base64 (required by the helper you are using)
  • You'll need to add a overload like this

    jwt-cpp/include/jwt-cpp/jwt.h

    Lines 420 to 421 in ca110ad

    	template<typename Decode>
    	std::string convert_base64_der_to_pem(const std::string& cert_base64_der_str, Decode decode, std::error_code& ec) {

• Example
  • I think the code you wrote above is excellent, just stick it in the examples!

I very happy to see this PR get merged, let me know if you need more help! 🚀

[prince-chrismc]

Perhaps, a simple token with no expiration is possible?

[prince-chrismc]

this block seems to be copy pasted from the original

📓 for myself to look into a small refactor!

[dtiukalov]

yes, and it costs an extra move, good point to refactor.

[prince-chrismc]

I wonder if this "parser" could be a static method that returns a vector, this was the implementation is not limited on KIDs being used in all the keys

Thoughts?

[dtiukalov]

to_vector() is added

[prince-chrismc]

The changes look really good! 👑

There's a few more details about x5c handling I would appreciate your thoughts on.

Lastly, I need to get my note book and review them, I may come back with a suggestion to make the jwks more generic... there's a lot of variety with the content and I want to make sure. Hopefully you can understand!

Keep up the awesome work 💪

[prince-chrismc]

I think the consumer will/may need the array in larger systems as per the rfc 4.7

The PKIX certificate containing the key value MUST be the first
certificate. This MAY be followed by additional certificates, with
each subsequent certificate being the one used to certify the
previous one.

What do you think about having two functions?

typename json_traits::array_type get_x5c() const;
typename json_traits::string_type get_x5c_key_value() const;

Secondly, front might be a little dangerous! Calling front on an empty container is undefined

please throw if empty 💥

[prince-chrismc]

the caller knows the kid they passed, no need to repeat it

Suggested change

	typename json_traits::string_type error_msg = "jwk with key id \"";
	error_msg += key_id;
	error_msg += "\" not found";
	throw std::runtime_error(error_msg.c_str());
	throw std::runtime_error("jwk with matching key id not found");

[prince-chrismc]

Only because i've implemented this and used a few different auth servers... I am really unsure about this being a map...

What if there are two keys neither have KIDs? One would be lost, most likely the new key that is starting to issue tokens.

[prince-chrismc]

Yep, so I would really like if we could leave the KID outside of the JWKS logic because it's important to support workflows that do not required them.

I will come back with some changes against your branch, I think the biggest limitation is the parsing or "map of claims"

I also see we don't check "keys" explicitly is the JWKS which would open use to a vulnerability

[prince-chrismc]

@dtiukalov please consider dtiukalov#1

[rasmuspeders1]

This looks great! Basically this is exactly what I was looking for. A single nice c++ library to handle jwt auth including jwk handling.
Looking forward to trying it out when it is ready.

[prince-chrismc]

Looking forward to trying it out when it is ready.

Sadly it seems OP has stopped working on this, it would be greatly appreciated if you could pick up and work on this!

Lots of work has been done just needs a little push to get it over

[rasmuspeders1]

Looking forward to trying it out when it is ready.

Sadly it seems OP has stopped working on this, it would be greatly appreciated if you could pick up and work on this!

Lots of work has been done just needs a little push to get it over

That is too bad.
I am not sure I will have the time in the near future nor possess the necessary skill. I will keep it in mind if I find some time.

[ghost]

@prince-chrismc what's left in this PR? maybe i can take a shot at this

[prince-chrismc]

I attempted to help the original author and made a PR against his branch.... https://github.com/prince-chrismc/jwt-cpp/tree/add-jwks is the latest code

Sadly it's been a while and I do not recall the details...
Scrolling over the conversation, I had some concerns the implementation was limiting some JOSE workflows... I see some test code but more is always better

If you have time to push this feature I'd love to help!

[Thalhammer]

It will probably also need a pretty significant update to the current version.

[ghost]

Does it make sense to start a new PR with OP's changes + @prince-chrismc 's suggestions to it, targetting the latest version? I think looking at the latest diff might help us see what's left