Support for JWT with JWKS
Opened this issue · 2 comments
qoomon commented
What is the feature you are proposing?
Currently the `jwt` middleware requires a static secret value; however, in my use case (see below) it's not a static secret, instead it is retrieved from a JWKS. Therefore it would be nice if the `jwt` middleware also supported an `async function(payload: any): string` as secret parameter.
Use Case:
I'm working on a server endpoint that is called by GitHub Actions; to authenticate, I'm using the GitHub Actions OIDC tokens.
Currently I'm using my own middleware by using `fast-jwt` with `get-jwks` like this:
```ts
import { createVerifier, DecodedJwt, KeyFetcher } from 'fast-jwt'
import buildJwks from 'get-jwks'

// providerDiscovery: resolve the issuer's jwks_uri from its OIDC discovery document
const jwks = buildJwks({ providerDiscovery: true })

// Pick the verification key from the token's own header (kid, alg) and issuer (iss)
const keyFetcher: KeyFetcher = async (jwt: DecodedJwt) =>
  jwks.getPublicKey({
    kid: jwt.header.kid,
    alg: jwt.header.alg,
    domain: jwt.payload.iss,
  })

const jwtVerifier = createVerifier({
  key: keyFetcher,
})

// `app` is the application instance created elsewhere
app.use(async (c, next) => {
  // ... get jwtTokenString value
  await jwtVerifier(jwtTokenString)
  // ... handle verification errors
  await next()
})
```
However, it would be nice if I could switch to an official middleware.
sparanoid commented
Apple Music API also needs a `kid` header, which is not compatible with the current `jwt` middleware.
Expected headers and payload:
```json
{
  "alg": "ES256",
  "kid": "ABC123DEFG"
}
```
```json
{
  "iss": "DEF123GHIJ",
  "iat": 1437179036,
  "exp": 1493298100
}
```
Actual:
```json
{
  "alg": "ES256",
  "typ": "JWT"
}
```
```json
{
  "iss": "DEF123GHIJ",
  "iat": 1437179036,
  "exp": 1493298100
}
```
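A self-contained sketch of what both comments ask for, the secret resolved by an async function from the token's `iss` and `kid` rather than a static value, added here as an illustration and not code from the middleware or from either commenter. It replaces fast-jwt and get-jwks with Node's built-in WebCrypto and a constructed in-memory JWKS; the issuer URL, key id and key pair are made up for the demo.

```javascript
// Key operations use WebCrypto so the file runs unchanged as CommonJS or ESM on Node.
const subtle = async () => globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
const b64url = (bytes) => Buffer.from(bytes).toString('base64url');
const decode = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const ECDSA = { name: 'ECDSA', namedCurve: 'P-256' }, ES256 = { name: 'ECDSA', hash: 'SHA-256' };

// Verify a compact JWS. `resolveKey(header, payload)` is the proposed async secret
// lookup: it receives the decoded parts and returns the verification CryptoKey.
async function verifyJwt(token, resolveKey, now = Math.floor(Date.now() / 1000)) {
  const [h, p, s, extra] = token.split('.');
  if (!h || !p || !s || extra !== undefined) throw new Error('malformed token');
  const header = decode(h), payload = decode(p);
  // Pin the algorithm before any key lookup so the token cannot choose a weaker one.
  if (header.alg !== 'ES256' || typeof header.kid !== 'string') throw new Error('unsupported header');
  const key = await resolveKey(header, payload);
  const ok = await (await subtle()).verify(ES256, key, Buffer.from(s, 'base64url'), Buffer.from(`${h}.${p}`));
  if (!ok) throw new Error('bad signature');
  if (typeof payload.exp !== 'number' || payload.exp <= now) throw new Error('expired or missing exp');
  return payload;
}

// Constructed stand-in for a JWKS fetched per issuer: a real resolver would read the
// issuer's discovery document, fetch jwks_uri and cache the key set (what get-jwks does).
function jwksResolver(jwksByIssuer) {
  return async (header, payload) => {
    const jwk = (jwksByIssuer[payload.iss] ?? []).find((k) => k.kid === header.kid && k.alg === header.alg);
    if (!jwk) throw new Error(`no key ${header.kid} for issuer ${payload.iss}`);
    return (await subtle()).importKey('jwk', jwk, ECDSA, false, ['verify']);
  };
}
// Issuer side, only to mint test tokens; the header carries the `kid` the resolver needs.
async function signJwt(header, payload, privateKey) {
  const h = b64url(JSON.stringify(header)), p = b64url(JSON.stringify(payload));
  const sig = await (await subtle()).sign(ES256, privateKey, Buffer.from(`${h}.${p}`));
  return `${h}.${p}.${b64url(sig)}`;
}
// Demo with a constructed issuer key pair and kid; returns the outcomes a caller can check.
async function demo() {
  const s = await subtle();
  const { publicKey, privateKey } = await s.generateKey(ECDSA, true, ['sign', 'verify']);
  const jwk = { ...(await s.exportKey('jwk', publicKey)), kid: 'key-1', alg: 'ES256', use: 'sig' };
  const iss = 'https://issuer.example', exp = Math.floor(Date.now() / 1000) + 300;
  const resolve = jwksResolver({ [iss]: [jwk] });
  const good = await signJwt({ alg: 'ES256', typ: 'JWT', kid: 'key-1' }, { iss, exp }, privateKey);
  const wrongKid = await signJwt({ alg: 'ES256', typ: 'JWT', kid: 'key-2' }, { iss, exp }, privateKey);
  const [h, , sig] = good.split('.');
  const forged = `${h}.${b64url(JSON.stringify({ iss, exp: exp + 1 }))}.${sig}`; // payload edited, old signature
  const rejected = (t) => verifyJwt(t, resolve).then(() => false, () => true);
  return { payload: await verifyJwt(good, resolve), unknownKid: await rejected(wrongKid), forged: await rejected(forged) };
}
```

The resolver receives both header and payload because a multi-tenant endpoint needs `iss` to choose the key set and `kid` to choose the key within it; an unknown `kid` or a payload edited after signing is rejected before the route runs.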