Request to Contribute: Signing using Managed Keys #928

@tallowen

Please do not report security vulnerabilities here. The Responsible Disclosure Program details the procedure for disclosing security issues.

Thank you in advance for helping us to improve this library! Your attention to detail here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community or Auth0 Support. Finally, to avoid duplicates, please search existing Issues before submitting one here.

By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

Popular cloud providers, e.g. AWS + Google, provide APIs for key signing that allow for asymmetric encryption without the private key being accessible to code. It would be nice to be able to create JWTs with such APIs using this library.

Describe the ideal solution

There are different approaches to solving this but I think the right level might be to have some set of options like:

{
  alg: 'RS256',
  pub: '...',
  sign: signFunc,
}

I read through the comments in issue #427, which makes me think that it would be best to force usage of well-known algorithms but provide a way to use third-party key APIs.

Alternatives and current work-arounds

Currently one would have to rebuild the entire signature code, which is error-prone.

Additional context

I'm happy to provide a pull request if we can agree on APIs.
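For readers of this issue, an added sketch of the kind of interface requested above; it is not code from this library or from the issue author. `signJwt`, `verifyJwt` and `makeFakeKms` are hypothetical names, and the "managed key" is a constructed local stand-in whose private key never leaves its closure.

```javascript
const crypto = require('node:crypto');

// Only well-known algorithms are accepted; the caller cannot supply its own.
const ALGS = { RS256: 'sha256', RS384: 'sha384', RS512: 'sha512' };
const b64url = (v) => Buffer.from(v).toString('base64url');

// options.sign(data: Buffer) -> Buffer | Promise<Buffer>. The private key stays
// behind that callback (assumed to be a remote signing call in production).
async function signJwt(payload, { alg, pub, sign }) {
  if (!Object.hasOwn(ALGS, alg)) throw new Error(`unsupported alg: ${alg}`);
  const header = b64url(JSON.stringify({ alg, typ: 'JWT' }));
  const input = `${header}.${b64url(JSON.stringify(payload))}`;
  const sig = Buffer.from(await sign(Buffer.from(input)));
  // Check the external signature against the configured public key before
  // issuing, so a wrong key or a signer using another hash fails here.
  if (!crypto.verify(ALGS[alg], Buffer.from(input), pub, sig)) {
    throw new Error('signature does not verify under the configured public key');
  }
  return `${input}.${b64url(sig)}`;
}

function verifyJwt(token, pub, allowed = ['RS256']) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url'));
  // The verifier pins the algorithms it accepts rather than trusting the header.
  if (!allowed.includes(header.alg) || !Object.hasOwn(ALGS, header.alg)) {
    throw new Error('alg not allowed');
  }
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify(ALGS[header.alg], signed, pub, sig)) throw new Error('bad signature');
  return JSON.parse(Buffer.from(parts[1], 'base64url'));
}

// Constructed stand-in for a managed key service (RSASSA-PKCS1-v1_5, SHA-256).
function makeFakeKms() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    pub: publicKey,
    sign: async (data) => crypto.sign('sha256', data, privateKey),
  };
}
```

A real provider may expect a digest rather than the raw signing input; the callback is where that adaptation would live.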
