Verify JWT with JWK set #4

Open
FranklinYu opened this issue Jul 6, 2017 · 5 comments

Comments

@FranklinYu

When verifying with a JWK set, I have to manually loop through all the keys:

```ruby
token, signature = nil
# try each key in the set until one verifies the signature
jwk.keys.find do |key|
  success, token, signature = JOSE::JWT.verify_strict(key, ['RS256'], jwt)
  success
end
```

I hope I can just do

```ruby
JOSE::JWT.verify_strict(jwk, ['RS256'], jwt)
```

This has two benefits:

  1. No longer test whether it’s a JWK or JWK set.
  2. Meets the documentation better. Currently it only says jwk should be JOSE::JWK.
@FranklinYu (Author)

bump?

@potatosalad (Owner)

@FranklinYu Sorry for the delayed response to this.

Yes, I agree with you that JWK sets should have first-class support. I'll see if I can get that together at some point.

@pboling commented Mar 11, 2022

I'm trying to figure out how to use this library to do the same as OP, and in my tests, in classic red-green style, I am trying to generate the JWKS with kid first. There are almost no mentions of kid in the code or documentation, and actually one of the places where it seems like I would need it, it is being explicitly removed.

@potatosalad Is this because kid is explicitly not supported?

```ruby
def generate_key(fields)
  kty, other_fields = JOSE::JWK::KTY_RSA.generate_key([:rsa, key.n.num_bits, key.e.to_i])
  return kty, fields.delete('kid').merge(other_fields)
end
```

@potatosalad (Owner)

@pboling kid is often derived from the keying material itself, so when generating a new key from an existing key, the kid usually changes, too. There may be other fields that would need to be cleaned up, too, but that's outside the scope of this library.

If using a static or derived kid, I would recommend merging the kid in after generation, like:

```ruby
# using existing key and a static 'kid'
old_key.generate_key().merge({'kid' => 'my_static_kid', 'use' => 'sig'})

# using params with a derived thumbprint 'kid'
jwk = JOSE::JWK.generate_key([:rsa, 4096])
jwk = jwk.merge({'kid' => jwk.thumbprint(), 'use' => 'sig'})
```
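
The following is an added example and is not code from this issue or from the jose gem. It shows the two things the thread asks for together: verifying a token against a whole JWK set (the loop in the opening comment, but selecting the key by the header `kid` first) and deriving a stable `kid` from the RFC 7638 thumbprint (the pattern in the reply above). It uses only Ruby's OpenSSL, JSON and Base64 standard libraries so it runs without the gem; the function names (`rsa_public_jwk`, `jwk_to_rsa`, `sign_jwt`, `verify_with_jwks`) and the sample claims are this example's own.

```ruby
require 'openssl'
require 'json'
require 'base64'

# base64url without padding, as JWS and JWK require (RFC 7515 section 2).
def b64url_encode(bin)
  Base64.urlsafe_encode64(bin, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str) # Ruby >= 2.3 accepts unpadded input
end

# RFC 7638 thumbprint: SHA-256 over the required RSA members only, keys in
# lexicographic order, no whitespace. Extra members such as 'use' or 'kid' do
# not change it, which is what makes it a stable 'kid'.
def rsa_thumbprint(jwk)
  canonical = JSON.generate('e' => jwk['e'], 'kty' => jwk['kty'], 'n' => jwk['n'])
  b64url_encode(OpenSSL::Digest::SHA256.digest(canonical))
end

# Public RSA JWK for an OpenSSL key; the thumbprint is merged in as 'kid'
# only after the key material exists.
def rsa_public_jwk(rsa)
  jwk = { 'kty' => 'RSA', 'n' => b64url_encode(rsa.n.to_s(2)),
          'e' => b64url_encode(rsa.e.to_s(2)), 'use' => 'sig' }
  jwk.merge('kid' => rsa_thumbprint(jwk))
end

# Rebuild an OpenSSL public key from JWK 'n'/'e' through a SubjectPublicKeyInfo
# DER, which both the 2.x and 3.x openssl gems can load.
def jwk_to_rsa(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk['n']), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk['e']), 2)
  rsa_pub = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)])
  spki = OpenSSL::ASN1::Sequence([
    OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('1.2.840.113549.1.1.1'), # rsaEncryption
                             OpenSSL::ASN1::Null(nil)]),
    OpenSSL::ASN1::BitString(rsa_pub.to_der)
  ])
  OpenSSL::PKey::RSA.new(spki.to_der)
end

# Compact RS256 JWS over a claims hash, carrying the signing key's 'kid'.
def sign_jwt(rsa, kid, claims)
  header = { 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => kid }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  "#{signing_input}.#{b64url_encode(rsa.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end

# Verify a token against a JWK set ({'keys' => [...]}). The 'alg' is checked
# against the caller's allow-list before any key is used (only RS256 is
# implemented here). With a 'kid' in the header only the matching key is tried;
# without one every RSA signing key in the set is tried, which is the loop the
# issue author wrote by hand. Returns [true, claims] or [false, nil].
def verify_with_jwks(jwks, allowed_algs, token)
  parts = token.split('.')
  return [false, nil] unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  return [false, nil] unless header['alg'] == 'RS256' && allowed_algs.include?('RS256')
  candidates = jwks['keys'].select { |k| k['kty'] == 'RSA' && (k['use'].nil? || k['use'] == 'sig') }
  candidates = candidates.select { |k| k['kid'] == header['kid'] } if header.key?('kid')
  signing_input = "#{parts[0]}.#{parts[1]}"
  signature = b64url_decode(parts[2])
  candidates.each do |jwk|
    ok = begin
      jwk_to_rsa(jwk).verify(OpenSSL::Digest.new('SHA256'), signature, signing_input)
    rescue OpenSSL::PKey::PKeyError
      false
    end
    return [true, JSON.parse(b64url_decode(parts[1]))] if ok
  end
  [false, nil]
end

if __FILE__ == $PROGRAM_NAME
  k1 = OpenSSL::PKey::RSA.new(2048)
  k2 = OpenSSL::PKey::RSA.new(2048)
  jwks = { 'keys' => [rsa_public_jwk(k1), rsa_public_jwk(k2)] }
  token = sign_jwt(k2, jwks['keys'][1]['kid'], 'sub' => 'alice') # constructed sample claims
  ok, claims = verify_with_jwks(jwks, ['RS256'], token)
  puts "valid=#{ok} sub=#{claims && claims['sub']}"
end
```

Checking the algorithm allow-list before touching any key, and selecting by `kid` rather than trying every key, keeps a rotated key set from costing one signature check per key on every request and means a token that names a key the set no longer contains is rejected outright.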

@pboling commented Mar 11, 2022

@potatosalad Thanks! That fixed the issue for me!

I'll post up some example code to the wiki once I'm all green. I am using this library for key generation, and payload encoding, where the decoding is done with ruby-jwt. If I can figure out how to replicate ruby-jwt's JWKS support for cached / rotating keys over here, I'll switch entirely. This library is awesome!
