[RFC] fastify-auth0-verify #873

Open
simoneb opened this issue May 2, 2023 · 2 comments
Labels
help wanted Extra attention is needed

Comments

simoneb commented May 2, 2023

Hey @fastify/plugins, I'd like to hear your thoughts about what we could do with https://github.com/nearform/fastify-auth0-verify.

This plugin was built with the purpose of validating JWTs generated by Auth0, and recently one user brought up that it's not really linked to Auth0 as it's largely spec compliant, although it will require breaking changes to the public API to make it generic and not tied to Auth0.

The work is being done in this PR: nearform/fastify-auth0-verify#291

The next step is deciding what to do with the new version:

  • shall we fork the repo and release a new package with a more generic name, while deprecating the existing package
  • shall we keep developing both at the same time
  • ...

What I'd like to check with you is whether the functionality built into this plugin fits in any existing core plugins instead, so that rather than creating a new package we move the features over to an existing one instead. Note that although this boils down to verifying JWT tokens, it's the way this is done that differs, because it uses JWK, which is a more involved process for validation requiring interaction with an external service.
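The JWK-based verification mentioned in the comment above, as an added example that is not code from fastify-auth0-verify or any Fastify plugin. The names `sign`, `verify` and `getJwks`, the `kid`, and the issuer and audience values are hypothetical; an in-memory JWKS stands in for the document fetched from the external service.

```javascript
const crypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const fromB64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Constructed issuer side: an RSA key pair and the JWKS document it would publish.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'key-1', use: 'sig' }] };

// Issue an RS256 token (RSASSA-PKCS1-v1_5 with SHA-256) for the demo.
function sign(header, claims, key = privateKey) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), key).toString('base64url')}`;
}

// Verifier side. getJwks stands in for the (cached) HTTPS fetch of the issuer's JWKS.
function verify(token, getJwks, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = fromB64u(h);
  // Pin the algorithm: the token must not choose it ("none", HS256 key confusion).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  // Select the key by kid from the issuer's set, never from the token itself.
  const jwk = getJwks().keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Claims are trusted only after the signature check.
  const claims = fromB64u(p);
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed sample values.
const base = { iss: 'https://issuer.example/', aud: 'api://demo', sub: 'user-1' };
const opts = { issuer: base.iss, audience: base.aud, now: 1000 };
const good = sign({ alg: 'RS256', typ: 'JWT', kid: 'key-1' }, { ...base, exp: 2000 });
console.log(verify(good, () => jwks, opts).sub);
```

In a real deployment `getJwks` would be a cached HTTPS request to the issuer's JWKS endpoint, with a refetch when an unknown `kid` appears after key rotation.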

jsumners (Member) commented May 2, 2023

Adding it to fastify-jwt could make maintenance difficult and configuration confusing. So my inclination would be to publish fastify-jwt-jwk and update the readme of fastify-jwt to highlight the missing functionality and where to find it.

🤷‍♂️ I could be wrong though. I haven't used either of the plugins in question. The last time I had to deal with this I ended up writing my own plugin that communicated with the auth0 JWKS.

mcollina (Member) commented May 2, 2023

I would recommend to:

  1. fork the project in a new fastify-jwt-jwks repo
  2. rewrite fastify-auth0-verify as a tiny facade on top of fastify-jwt-jwks
