[RFC] Change jws.Verify (and therefore jwt.Parse) for 2.0.0 #577

Idea: change the basic API structure to `jws.Verify([]byte, options)`, and handle keys by having users provide `KeyProvider`s. If no `KeyProvider` can be detected, it is an error.

Basic idea

The JWS verification process receives multiple key providers. A key provider may return multiple keys to be tried, for cases such as `jwk.Set`.

- single key: internally, creates a `StaticKeyProvider`, which always returns the same alg/key pair
- a JWKS: internally creates a `KeySetProvider`, which returns the possible keys to be tried. However, normally the kid must match, and therefore a lot of times only one key would be returned
- a user-provided function: a `jws.KeySink` is an object where the user specifies (possibly multiple) keys to be used
- auto-verify using jku: this is an odd-ball case, but it will create a `JKUProvider` or some such.

Other considerations

We need a way to give back to the user which key was used.

This is a fairly major change. Behind the scenes, we will need to standardize on using `jws.Message` all the time (previously, we optimized the path for compact serialization). We will probably also need to standardize on `jwk.Key` in some cases (I think `WithKey()` can accept any raw key as well).

There are going to be issues trying to report problems from within these options. Some errors will have to be ignored, but there may be cases where users need a way to reach these ignored errors.

Addendum Feb 21

`FetchKey()` signature

`jws.WithVerifyAuto()` signature

Comments

Looks good. Let me know when you start a 2.0 branch, I can migrate to it and start testing.

Changes on the

I'm not creating a v2 branch for this yet, as I don't know if this is the approach that I will end up taking. For the time being I'm done with the PoC above, and I'm going to sit on it for a while. No dates have been set for v2 yet.

Most of this is done. Closing for now.
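The key-provider design sketched in the issue body, as an added, self-contained Go example. It is not code from lestrrat-go/jwx, and the type and function shapes (`Header`, `Candidate`, `KeySink.Key`, `KeyProvider.FetchKeys`, `StaticKeyProvider`, `KeySetProvider`, `Result`, `Verify`, `Sign`) are assumptions that only borrow the RFC's names; do not read them as the library's real v2 API. It models HS256 only and shows the points the RFC raises: several providers each push zero or more candidate keys into a sink, a JWKS-style provider filters by `kid`, the first candidate that verifies wins and its `kid` is reported back, a provider's failure is recorded rather than fatal, and those swallowed errors stay reachable on the returned result. It also binds every candidate to an algorithm, so the token's `alg` header cannot pick which algorithm a key is used with.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type Header struct { // the JOSE protected-header fields this sketch inspects
	Alg string `json:"alg"`
	KID string `json:"kid,omitempty"`
}

type Candidate struct { // one alg/key pair to try; only HS256 (a raw HMAC secret) is modelled here
	KID, Alg string
	Key      []byte
}

type KeySink []Candidate // the candidates providers want tried, in order
func (s *KeySink) Key(c Candidate) { *s = append(*s, c) }

type KeyProvider interface {
	FetchKeys(hdr Header, sink *KeySink) error // push zero or more candidates; an error is recorded, not fatal
}

type StaticKeyProvider Candidate // the single-key case: always offers the same alg/key pair
func (p StaticKeyProvider) FetchKeys(_ Header, sink *KeySink) error {
	sink.Key(Candidate(p))
	return nil
}

type KeySetProvider []Candidate // the JWKS case: offers the set's keys whose kid matches the header
func (p KeySetProvider) FetchKeys(hdr Header, sink *KeySink) error {
	err := fmt.Errorf("key set has no key with kid %q", hdr.KID)
	for _, c := range p {
		if hdr.KID == "" || c.KID == hdr.KID { // no kid in the header: every key is a candidate
			sink.Key(c)
			err = nil
		}
	}
	return err
}

type Result struct { // what Verify gives back
	Payload []byte
	UsedKID string  // kid of the key that verified the signature
	Ignored []error // errors swallowed while collecting and trying keys
}

// Verify tries each candidate the providers supply against a compact HS256 JWS (first match wins); on failure res is still returned so res.Ignored can be inspected.
func Verify(compact string, providers ...KeyProvider) (res *Result, err error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	var raw [3][]byte
	for i := range raw {
		if raw[i], err = base64.RawURLEncoding.DecodeString(parts[i]); err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
	}
	var hdr Header
	if err = json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, fmt.Errorf("header rejected (alg %q, parse error: %v)", hdr.Alg, err)
	}
	res = &Result{Payload: raw[1]}
	var sink KeySink
	for _, p := range providers {
		if e := p.FetchKeys(hdr, &sink); e != nil {
			res.Ignored = append(res.Ignored, e)
		}
	}
	input := []byte(parts[0] + "." + parts[1])
	for _, c := range sink {
		if c.Alg != hdr.Alg { // the token must not choose which algorithm a key is used with
			res.Ignored = append(res.Ignored, fmt.Errorf("key %q is for %s, header says %s", c.KID, c.Alg, hdr.Alg))
			continue
		}
		mac := hmac.New(sha256.New, c.Key)
		mac.Write(input)
		if hmac.Equal(mac.Sum(nil), raw[2]) {
			res.UsedKID = c.KID
			return res, nil
		}
	}
	return res, fmt.Errorf("no key verified the signature (%d providers, %d keys tried, %d errors ignored)", len(providers), len(sink), len(res.Ignored))
}

// Sign builds an HS256 compact JWS so the sketch has input to verify (constructed data, not a real token).
func Sign(hdr Header, payload, key []byte) string {
	h, _ := json.Marshal(hdr)
	input := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}
```

With a token signed by the set's `k2`, `Verify(tok, StaticKeyProvider{Alg: "HS256", Key: wrong}, set)` returns `UsedKID == "k2"`; a set that lacks that kid followed by a correct static key still verifies but leaves one entry in `Ignored`; a key registered for another algorithm is refused even when its bytes would match; and calling `Verify` with no provider fails with a "0 providers" error, which is the RFC's "no KeyProvider is an error" case. Returning the partially filled `Result` alongside the error is the one deliberate departure from the usual Go convention, made so the swallowed errors the RFC worries about have somewhere to go.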