
feat: support '.json' or inline JWKS secret for jwt decoding #299

Merged Nov 24, 2023

Conversation

@vdbulcke (Contributor) commented Nov 3, 2023

Summary

Add support for JWKS secret for jwt decode for RSA and ES algorithms:

  • JWKS can be passed via the --secret arg as a .json file:
$ jwt decode --alg PS512 --secret @tests/pub_rsa_jwks.json --ignore-exp eyJ0eXAiOiJKV1QiLCJraWQiOiIyY2FGY1B4LWFYYUM2U2V2aFY3OVVESXJzOExnVW9rMnhvMEE2REpQcUpvIiwiYWxnIjoiUFM1MTIifQ.eyJmaWVsZCI6InZhbHVlIiwiZm9vIjoiYmFyIn0.O6r-pK6rDw0BAadqJmBivtjk7ELU2pYpKIOU7qD8rah9mzwm29A0KoCoOabtQCkKNcmlcIKoC812UrP_nDZrAsC1msHPfjvkKlbkX63_zEcRCv-6VC1FMuek8yY6mhKiFaTISPDBfHCg_Fru2BDar_qBJn8rtct9y6cgDA5vLvL81jLmJrCXW8C5wP9xrkG5CUXdW9A8fqtxcEDoNZoYUoxCnLkh3Pz5IfAluepqDYjj6kvMWuAC88K1B_a1Z8QTqCuJZNIj_5g6UExmK7pqKvB5RZo62KGTw8wWqkmaPTf4TnD4n3Rb1K-MN1LTWMySqgPaw5YlSxT2eFwDvhRBnA

Token header
------------
{
  "typ": "JWT",
  "alg": "PS512",
  "kid": "2caFcPx-aXaC6SevhV79UDIrs8LgUok2xo0A6DJPqJo"
}

Token claims
------------
{
  "field": "value",
  "foo": "bar"
}
  • JWKS can be passed as inline JSON via the --secret arg:
$ jwt decode --alg PS512 --secret "$(cat tests/pub_rsa_jwks.json)" --ignore-exp eyJ0eXAiOiJKV1QiLCJraWQiOiIyY2FGY1B4LWFYYUM2U2V2aFY3OVVESXJzOExnVW9rMnhvMEE2REpQcUpvIiwiYWxnIjoiUFM1MTIifQ.eyJmaWVsZCI6InZhbHVlIiwiZm9vIjoiYmFyIn0.O6r-pK6rDw0BAadqJmBivtjk7ELU2pYpKIOU7qD8rah9mzwm29A0KoCoOabtQCkKNcmlcIKoC812UrP_nDZrAsC1msHPfjvkKlbkX63_zEcRCv-6VC1FMuek8yY6mhKiFaTISPDBfHCg_Fru2BDar_qBJn8rtct9y6cgDA5vLvL81jLmJrCXW8C5wP9xrkG5CUXdW9A8fqtxcEDoNZoYUoxCnLkh3Pz5IfAluepqDYjj6kvMWuAC88K1B_a1Z8QTqCuJZNIj_5g6UExmK7pqKvB5RZo62KGTw8wWqkmaPTf4TnD4n3Rb1K-MN1LTWMySqgPaw5YlSxT2eFwDvhRBnA

Token header
------------
{
  "typ": "JWT",
  "alg": "PS512",
  "kid": "2caFcPx-aXaC6SevhV79UDIrs8LgUok2xo0A6DJPqJo"
}

Token claims
------------
{
  "field": "value",
  "foo": "bar"
}

NOTE: a more practical use case for this inline JSON would be $(curl https://oauth.mydomain.com/.well-known/jwk.json) to fetch the JWKS from a remote endpoint.

Tests

I have added tests/pub_rsa_jwks.json and tests/pub_ecdsa_jwks.json, which are JWKS representations of tests/private_rsa_key.der and tests/private_ecdsa_key.pk8.

Documentation

I guess this serves as doc?

Preflight checklist

  • Code formatted rustfmt ($ cargo fmt)
  • Code linter check with clippy ($ cargo clippy)
  • Relevant tests added
  • Any new documentation added
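The key-selection step this feature needs (resolve the --secret argument to a JWKS, then pick the single key whose kid and key type fit the token and the requested --alg, refusing JWKS for algorithms that don't support it) written out as an added Python example; this is not jwt-cli's code, and the JWKS below is a constructed sample with placeholder key material, not the tests/ files from the PR:

```python
import base64
import json
from pathlib import Path
from typing import Optional

# Algorithms the PR adds JWKS support for, and the JWK "kty" each one requires.
JWKS_KTY_FOR_ALG = {
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "ES256": "EC", "ES384": "EC",
}

# Constructed sample JWKS: the kid matches the PR's token; "n" and "x" are NOT real key values.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "2caFcPx-aXaC6SevhV79UDIrs8LgUok2xo0A6DJPqJo", "n": "PLACEHOLDER", "e": "AQAB"},
    {"kty": "EC", "kid": "ec-1", "crv": "P-256", "x": "PLACEHOLDER", "y": "PLACEHOLDER", "alg": "ES256"},
]}

def load_jwks(secret_arg: str) -> dict:
    """Mirror the --secret convention from the PR: '@path' reads a file, anything else is inline JSON."""
    text = Path(secret_arg[1:]).read_text() if secret_arg.startswith("@") else secret_arg
    jwks = json.loads(text)
    if not isinstance(jwks.get("keys"), list):
        raise ValueError("secret is JSON but not a JWKS (missing 'keys' array)")
    return jwks

def token_header(token: str) -> dict:
    """Decode the JOSE header without verifying anything; only 'kid' is used, and only for lookup."""
    seg = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def select_jwk(jwks: dict, alg: str, kid: Optional[str]) -> dict:
    """Pick exactly one key for the requested --alg; any ambiguity or mismatch is an error, not a guess."""
    if alg not in JWKS_KTY_FOR_ALG:
        # Same situation the review comment on this PR points at: e.g. EdDSA has no JWKS path here.
        raise ValueError(f"JWKS secrets are not supported for {alg}")
    candidates = [k for k in jwks["keys"] if k.get("kty") == JWKS_KTY_FOR_ALG[alg]]
    if kid is not None:
        candidates = [k for k in candidates if k.get("kid") == kid]
    # A JWK that declares its own "alg" must agree with the --alg the caller asked for.
    candidates = [k for k in candidates if k.get("alg") in (None, alg)]
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one {alg} key for kid={kid!r}, found {len(candidates)}")
    return candidates[0]

def key_for_token(secret_arg: str, alg: str, token: str) -> dict:
    """End-to-end: --secret value + --alg + token -> the JWK to verify the signature with."""
    return select_jwk(load_jwks(secret_arg), alg, token_header(token).get("kid"))
```

The returned JWK is then handed to the signature check for the chosen algorithm, which this example deliberately stops short of.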

@mike-engel mike-engel merged commit b58b787 into mike-engel:main Nov 24, 2023
5 checks passed
@mike-engel (Owner) commented:

Thanks @vdbulcke!

return Err(JWTError::Internal(format!(
"Secret for {alg:?} must be a file path starting with @",
)));
// allows to read JWKS from argument (e.g. output of 'curl https://auth.domain.com/jwks.json')
@deepu105 (Contributor) commented Jan 12, 2024:

If JWKS is not supported for EdDSA, why is this being read? I think the error below should be in the previous block where it's missing.

@vdbulcke (Contributor, Author) replied:

Yes, you are correct. My bad. #310 should fix this.
