Skip to content

Verify JWT token signature using JWKs list. #5897

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 7, 2022
Merged

Verify JWT token signature using JWKs list. #5897

merged 3 commits into from
Jul 7, 2022

Conversation

@isoos
Copy link
Collaborator

@isoos isoos commented Jul 5, 2022

  • Allow publishing from github #5769
  • Only the RSA algorithm is recognized/implemented, other algorithms will not be verified.
  • Uses the ASN.1 encoder to create a PEM public key, and openssl to verify the text input + signature with the key.

@isoos isoos requested a review from sigurdm July 5, 2022 15:39
sigurdm
sigurdm approved these changes Jul 7, 2022
View reviewed changes
app/lib/service/openid/openid_models.dart
return false;
}
return await verifyTextWithRsaSignature(
input: input,
Copy link
Contributor

@sigurdm sigurdm Jul 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it have made more sense for verifyTextWithRsaSignature to take a Uint8list - i guess the thing is base64-encoded and thus it should not matter much - it just seems fragile to decode and reencode when you verify a signature...

Copy link
Collaborator Author

@isoos isoos Jul 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

verifyTextWithRsaSignature is using openssl, and there is no further encoding: the input will be written into a file, and the file is being verified. We could use Uint8List too, but here the input is really the concatenated token parts, without further coding with base64... I think we should keep it like this for now.

@sigurdm sigurdm requested a review from jonasfj July 7, 2022 10:02
isoos and others added 2 commits July 7, 2022 13:48
@isoos isoos merged commit 16926f4 into dart-lang:master Jul 7, 2022
@isoos isoos deleted the jwk-signature branch July 7, 2022 13:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sigurdm sigurdm sigurdm approved these changes

@jonasfj jonasfj Awaiting requested review from jonasfj

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@isoos @sigurdm