Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: raw JWKS --secret for ES256/ES384 alg #310

Merged
merged 1 commit into from
Apr 15, 2024
Merged

fix: raw JWKS --secret for ES256/ES384 alg #310

merged 1 commit into from
Apr 15, 2024

Conversation

vdbulcke
Copy link
Contributor

Summary

Fix passing raw JWKS as --secret (e.g. --secret "$(curl https://auth.domain.com/jwks.json)") for ES256/ES384 alg.

Relates to #299.

Preflight checklist

  • Code formatted rustfmt ($ cargo fmt)
  • Code linter check with clippy ($ cargo clippy)
  • Relevant tests added
  • Any new documentation added

@vdbulcke vdbulcke mentioned this pull request Jan 12, 2024
Merged
4 tasks
mike-engel
mike-engel reviewed Jan 20, 2024
View reviewed changes
tests/main_test.rs
Comment on lines +818 to +819
let jwks = r#"{"keys":[{"use":"sig","kty":"EC","kid":"4h7wt2IHHu_RLR6OtlZjCe_mIt8xAReS0cDEwwWAeKU","crv":"P-256","x":"w7JAoU_gJbZJvV-zCOvU9yFJq0FNC_edCMRM78P8eQQ","y":"wQg1EytcsEmGrM70Gb53oluoDbVhCZ3Uq3hHMslHVb4"},{"use":"enc","kty":"EC","kid":"4h7wt2IHHu_RLR6OtlZjCe_mIt8xAReS0cDEwwWAeKU","crv":"P-256","x":"w7JAoU_gJbZJvV-zCOvU9yFJq0FNC_edCMRM78P8eQQ","y":"wQg1EytcsEmGrM70Gb53oluoDbVhCZ3Uq3hHMslHVb4"}]}
"#;
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this use the @ file notation rather than a raw string, similar to the encode step above?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The idea is that since typically the JWKS is hosted on a remote server, that needs to be download over https, this allows to validate a JWT signature as a one-liner:

for example:

jwt decode $JWT_TOKEN --secret "$( curl -s https://www.googleapis.com/oauth2/v3/certs)"  --alg RS256

Instead of

## first download JWKS as JSON file
curl -s https://www.googleapis.com/oauth2/v3/certs -o /tmp/jwks.json
## then validate the JWT signature
jwt decode $JWT_TOKEN --secret @/tmp/jwks.json  --alg RS256

Also there is another test that uses the @./tests/pub_ecdsa_jwks.json file notation here https://github.com/mike-engel/jwt-cli/blob/main/tests/main_test.rs#L782.

@mike-engel mike-engel merged commit 8aec4c1 into mike-engel:main Apr 15, 2024
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mike-engel mike-engel mike-engel approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@vdbulcke @mike-engel