async secretOrKeyProvider

[rafaelcorreiapoli]

I'm submitting a...

[ ] Regression 
[ ] Bug report
[x] Feature request
[ ] Documentation issue or request
[ ] Support request => Please do not submit support request here, instead post your question on Stack Overflow.

Current behavior

secretOrKeyProvider must return the key synchronously

Expected behavior

If we are using jwks, we need to get this key from a http endpoint. Therefore, secretOrKeyProvider must support promises

What is the motivation / use case for changing the behavior?

Auth0 exposes the public keys via JWKS (https://github.com/auth0/node-jwks-rsa/tree/master/examples/express-demo)

Environment

Nest version: 7.0.0
 
For Tooling issues:
- Node version: 12
- Platform:  Mac

[kamilmysliwiec]

Would you like to create a PR for this issue?

[rafaelcorreiapoli]

Sure! If you think it makes sense I can work on a PR :)

[kamilmysliwiec]

That would be great!

[iamsuneeth]

Hi @rafaelcorreiapoli , any update on the PR for this one?

[rafaelcorreiapoli]

@iamsuneeth Sorry I could not advance with the PR.

[katesroad]

Hey, any updates with this issue?

[guru2228]

Hi, any updates on supporting JWKS URI as secretOrKeyProvider

[foolishell]

Hi, from Japan.
I'm also looking forward to this feature!

[vtrphan]

i need this feature too. I think with the package passport-jwt we can use this feature already

[sergeyampo]

Russian needs too :)

[muuran]

I found temporary workaround for AzureAD.

import { Module } from '@nestjs/common';
import { JwtModule } from '@nestjs/jwt';
import { JwksClient } from 'jwks-rsa';
import * as jwt from 'jsonwebtoken';

@Module({
  imports: [
    JwtModule.registerAsync({
      async useFactory() {
        const client = new JwksClient({
          cache: true,
          rateLimit: true,
          jwksRequestsPerMinute: 5,
          jwksUri: `https://login.microsoftonline.com/common/discovery/keys`,
        });
        const keys = await client.getSigningKeys();

        return {
          secretOrKeyProvider(requestType, token: string) {
            const decoded = jwt.decode(token, { complete: true });
            return keys
              .find((key) => key.kid === decoded.header.kid)
              .getPublicKey();
          },
          verifyOptions: {
            audience: '(client id)',
            issuer:
              'https://login.microsoftonline.com/(tenant id}/v2.0',
            algorithms: ['RS256'],
          },
        };
      },
    }),
  ],
})
export class AuthModule {}

[xzyfer]

Please 🙏

[xzyfer]

I've updated #469 in #1486 to resolve conflicts and typos as the proposed workaround only fetches keys on boot which isn't suitable to handle key rotations.

[kamilmysliwiec]

Let's track this here #1486