
Support for JWKS public keys #63

Closed
mcollina opened this issue Feb 2, 2021 · 9 comments
@mcollina
Contributor

mcollina commented Feb 2, 2021

We should support fetching from a JWKS url and cache things.

#62 for the caching bit.

@simoneb
Member

simoneb commented Feb 3, 2021

I believe there's an implementation of support for JWKS specific to auth0 in https://github.com/nearform/fastify-auth0-verify.

We also probably want to have this feature integrated in https://github.com/fastify/fastify-jwt, but the implementation should live in a standalone library so it can be used outside of fastify-jwt.

@simoneb
Member

simoneb commented Feb 4, 2021

This is the AWS Cognito documentation about how to validate the JWTs it generates, which also uses JWKS. https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html

@p16 p16 self-assigned this Feb 4, 2021
@p16

p16 commented Feb 8, 2021

To add more context to this issue:

  • we need a separate package for jwks (not inside fast-jwt)
  • fastify-auth0-verify and fastify-jwt would use that new package
  • fast-jwt conceptually is like jsonwebtoken, but it's not reasonable to assume we can replace jsonwebtoken inside fastify-jwt: fast-jwt is not at that level yet.

The package should do

  • fetch jwks
  • have a way to return the secret that matches kid and alg
  • validate a jwt against that secret

@p16 p16 assigned p16 and unassigned p16 Feb 8, 2021
@mcollina
Contributor Author

mcollina commented Feb 8, 2021

I would avoid:

validate a jwt against that secret

and leave it to jsonwebtoken and this module.

@p16

p16 commented Feb 15, 2021

What has been done up until now:

What is left to do:

  • use jwks-fetch in fastify-auth0-verify
  • use jwks-fetch in fast-jwt

@p16 p16 removed their assignment Feb 15, 2021
@simoneb
Member

simoneb commented Feb 15, 2021

@conor909 let's do this first:

  • use jwks-fetch in fast-jwt

Which requires that jwks-fetch is published to npm, CI is set up, and so on.

@mcollina
Contributor Author

The best approach would be:

const { createVerifier } = require('fast-jwt')
const buildJwks = require('jwks-fetch')
const verify = createVerifier({ key: buildJwks() })

Essentially making the two modules loosely coupled (but working well together).

@simoneb
Member

simoneb commented Mar 12, 2021

There is now a hint about how to do this via get-jwks here. It's not exactly the one-liner you had in mind, but it's not too bad either.

@sameer-coder
Contributor

JWKS public keys are supported by the get-jwks package. Please refer to the get-jwks docs for examples on integration with fast-jwt. Closing this issue.
