Support JWKS url and validation using kid #119

Closed
joel-dubiner-wgu opened this issue Feb 4, 2021 · 3 comments

Comments

@joel-dubiner-wgu

Summary

Feature Request: Allow the user to specify the URL for the JWKS and use that for validation of the token

@Delapouite

Currently, the jwt program has only 2 commands: encode and decode.

Joel, do you mean that we should try to implement a third command, validate?

It could do basic checking on date claims, like nbf or exp. And also, as you ask, more involved checks if it knows how to retrieve a JWK from a set.

@erhhung

erhhung commented May 27, 2021

I think the OP would like to run something like:

# jwt decode ... [--secret|--jwks]

jwt decode "$token" --jwks "$jwks"

where $jwks could be a full URL like https://example.com/jwks.json or (my idea) the JWKS JSON string itself.
The signature validation would depend on finding the right JWK by matching the kid in the header.

Doing HTTP requests has its own complexities, like potentially having to deal with proxies, etc.
Since this is already a CLI app, having the --jwks value be the JWKS JSON string itself would adhere more to the "Unix philosophy" where another CLI app, like curl, would fetch the actual JWKS:

jwt decode "$token" --jwks "$(curl https://example.com/jwks.json)"
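
The kid matching described in the comment above, as an added example that is not part of the thread and is not jwt-cli's code. It takes the JWKS as a JSON string and, as an assumption made so it runs on the Python standard library alone, uses constructed symmetric (`oct`, HS256) keys; a JWKS served from a URL would normally carry RSA or EC public keys, and the selection step is the same.

```python
import base64, hashlib, hmac, json

def b64url_decode(s: str) -> bytes:
    # JWTs and JWKs use unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def select_jwk(jwks_json: str, header: dict) -> dict:
    """Return the single JWK whose kid equals the token header's kid."""
    kid = header.get("kid")
    if not isinstance(kid, str):
        raise ValueError("token header has no kid")
    matches = [k for k in json.loads(jwks_json)["keys"] if k.get("kid") == kid]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one JWK for kid, found {len(matches)}")
    jwk = matches[0]
    # The key, not the token, decides the algorithm: refuse a header alg
    # (including "none") that differs from what the JWK declares.
    if jwk.get("alg") != header.get("alg"):
        raise ValueError("header alg does not match the JWK's alg")
    return jwk

def verify(token: str, jwks_json: str) -> dict:
    """Verify an HS256 token against a JWKS string and return its claims."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    jwk = select_jwk(jwks_json, header)
    if jwk.get("kty") != "oct" or jwk.get("alg") != "HS256":
        raise ValueError("this example only verifies HS256 with oct keys")
    key = b64url_decode(jwk["k"])
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(body_b64))

def sign(claims: dict, jwk: dict) -> str:
    # Helper used only to build the constructed sample token below.
    header = {"alg": jwk["alg"], "typ": "JWT", "kid": jwk["kid"]}
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"

# Constructed sample data: a JWKS JSON string with two keys, and a token signed by key-b.
KEY_A = {"kty": "oct", "kid": "key-a", "alg": "HS256", "k": b64url_encode(b"a" * 32)}
KEY_B = {"kty": "oct", "kid": "key-b", "alg": "HS256", "k": b64url_encode(b"b" * 32)}
JWKS = json.dumps({"keys": [KEY_A, KEY_B]})
TOKEN = sign({"sub": "alice"}, KEY_B)
```

`verify(TOKEN, JWKS)` returns the claims only when the header's kid names exactly one key in the set and the signature checks out under that key.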

@mike-engel
Owner

Closing in favor of #129
