Support for JSON Web Key Sets #505
Conversation
|
For now removed guidance of caching / storing the public key as this can lead to unexpected behaviour when keys are rotated. Auth0 has some guidance regards caching: https://community.auth0.com/t/caching-jwks-signing-key/17654/2 Unclear currently if this is something that should be supported in php-jwt, here or within the app. Guess it would be best to have it in firebase/php-jwt and beeing able to configure it. Opened a Issue there: |
|
@ADmad / @markstory - thanks for you reviews - added a test and made several improvements (see comments) |
|
@swiffer looks like the target branch was change to 2.next. Can you rebase the PR? |
Thus is a non trivial feature addition, so better to target the next minor release, hence I changed it to 2.next. |
|
Can we get it merged or is something missing? :) |
| @@ -0,0 +1,27 @@ | |||
| -----BEGIN RSA PRIVATE KEY----- | |||
There was a problem hiding this comment.
Is this file used? I don't see it referenced in this diff.
There was a problem hiding this comment.
It's not used directly at the moment. But as the fake JSON response is containing a key set with two public keys I thought it's helpful to also include both private keys... Should I remove it?
|
@swiffer Nice work! |
|
Thanks! Hopefully useful for others as well. Looking forward to the next release :) |
Solution for #504
secretKeyis currently used to built a Key and decode the token does not allow JWKSjsonWebKeySethas been introduced to not dilute the meaning of thesecretKeyLet me know what you think