Multiple JWKS URIs

Question

Multiple JWKS URIs

MeStrak opened this issue 3 years ago · 4 comments

Hi,

I'm working on adding auth to this app https://github.com/Sanofi-IADC/whispr implemented in NestJS.

The nature of the app is basically a backend which multiple clients can connect to, and I'm looking at how we can allow trusted clients to pass us their JWT from their own authentication provider to authenticate with the whispr API. I would like to be able to configure this dynamically by providing the different auth provider configurations as an array read at application startup.

My questions

Is there a clean way of doing this already?
If the answer to the first question is no, then could the changes described below be a sensible way for me to approach this?
In passport-jwt strategy.js I saw the following comment. Does this mean there is a better way of passing this information, or is it recommended not to use these options at all?

//for backwards compatibility, still allowing you to pass
//audience / issuer / algorithms / ignoreExpiration
//on the options

Possible approach
From a first code review I think that the change might be fairly straightforward to implement, although I have not yet tried any code changes as I wanted to check if there was an obviously better way of doing this.

Edit the strategy setup (in whispr code) to send an array of configurations instead of a single config:

    super([{
       secretOrKeyProvider: passportJwtSecret({
         cache: true,
         rateLimit: true,
         jwksRequestsPerMinute: 5,
         jwksUri: `${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`,
       }),

       jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
       audience: process.env.AUTH0_AUDIENCE,
       issuer: `${process.env.AUTH0_DOMAIN}/`,
       algorithms: ['RS256'],
      },
      {another config}
    ]);
  }

(but that array would be constructed dynamically).

In passport-jwt strategy.js

Edit function JwtStrategy(options, verify) to read the array and store options in an array
Edit function JwtStrategy.prototype.authenticate = function(req, options) to launch an async verification for each set of options in the options array, and return self.success when the first async request returns true

Thanks!

Answer 1 · 2021-05-20T12:20:13.000Z

I started a fork to work on this. It's WIP with some failing tests but looks promising.

https://github.com/MeStrak/passport-jwt.

Answer 2 · 2022-02-03T19:27:17.000Z

I finally got round to finishing the implementation and the @mestrak/passport-multi-jwt package is available here: https://www.npmjs.com/package/@mestrak/passport-multi-jwt.

Of course I'm definitely open to merging it with this package if requested by the maintainer.