-
Notifications
You must be signed in to change notification settings - Fork 42
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
JWK Set jwt.Verifier implementation #128
Comments
Hi @MicahParks Yes,
Well, I don't have right answer now, one of the thing can be make a Verifier that wraps other verifiers and during verification it just pick ups the same as token alg. func (mf *MultiVerifier) Verify(token *Token) error {
switch token.Alg() {
case "abc":
// do this
case "xyz":
// do that
default:
return errors.New("unsupported alg")
}
} sure this can be a map and not a switch + One more clarification: are you planning to make repo on your own or you're proposing to make it under @cristalhq org? |
I'd like to keep it under my own GitHub account, at least until it's ready for Currently for That's just for key selection, after the key is selected, the key needs to be used to verify the JWT, I'd probably use a
Hmmm, maybe the type Verifier interface {
Algorithm() Algorithm
Verify(token *Token) error
} to this? type Verifier interface {
Verify(token *Token) (Algorithm, error)
} The reason for this is because for a JWKS I'd like to dig up the mentioned article about the Auth0 vulnerability, just to make sure I don't suggest anything that would repeat that mistake. I'd also like to confirm that What do you think of the mentioned breaking change and |
As a note, I think I found the initial set of This is the "initial set" because some follow-up RFCs have added new ones since then. |
Yep, "alg" is from RFC as I mentioned before. This seems obfuscated just to solve external case, looks like this doesn't align well with cristalhq/jwt library goal 😢 type Verifier interface {
Verify(token *Token) (Algorithm, error)
} I assume you came from this thread https://www.reddit.com/r/golang/comments/u68a7e/fast_simple_jwt_for_go_v400_released/ and I'm planning to touch JWS/JWK this weekend so probably this case will be solved in a separate library (probably based on current or even as a dependency, not sure yet). Regarding Auth0, looks like this is the article https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ |
No, I don't really use Reddit. I saw this repo on GitHub Explore and the post on Gopher's Slack. I made a Google Keep note to look into it later. https://gophers.slack.com/archives/C02A3DRK6/p1650285292828819 Best of luck implementing JWS/JWK this weekend! Since you're already on the case, I'll pause the project I originally mentioned, wouldn't want to duplicate any work. Thanks for the link to the Auth0 article. |
Ah, so Gopher Slack is alive, nice to hear) Well, I'm not giving 100% guarantees that I will finish it but at least I'm eager to try and see what we have in RFCs. |
I updated I've made a small wrapper around the project to allow users to parse JWTs signed from keys residing in JWK Sets when using Here is some basic usage. import "github.com/MicahParks/verifier" Step 1: Create the // Create the verifier.JWKSetVerifier.
jwks, err := verifier.NewDefault([]string{server.URL})
if err != nil {
log.Fatalf("Failed to create a verifier.JWKSetVerifier from the server's URL.\nError: %s", err)
} When using the Step 2: Use the // Parse the JWT.
token, err = jwks.Parse(signed)
if err != nil {
log.Fatalf("Failed to parse the JWT.\nError: %s", err)
} |
I'm looking to create a separate helper Go package for this project. This helper Go package will verify JWTs are signed with a key in a JWK Set (JWKS). It helps users of this package by turning a JWKS into a
jwt.Verifier
to more conveniently verify keys.This would be similar to how
github.com/MicahParks/keyfunc
is a helper Go package forgithub.com/golang-jwt/jwt/v4
.However, the
jwt.Verifier
interface has a method calledAlgorithm
that must be implemented. From the Go docs, I can't infer how to implement this method, but looking at the source code, it seems to me that thejwt.Algorithm
return parameter's value is the set of values I often see as the"alg"
in JWT headers. Also glancing at the source code, it seems to me that the only use of theAlgorithm
method is in a_test.go
file, so I'm not sure if an improper implementation of this method would affect anything.Before I continue developing this package, I wanted to confirm how to implement this
Algorithm
method, due to the fact that it's a part of the public facing API. Since a JWKS can contain multiple key types, it's not appropriate to return a single"alg"
value. Perhaps one of the two options may be ideal?jwt.Algorithm
value that indicates any algorithm can be verified.Algorithm
method from thejwt.Verifier
interface (would be a breaking change and require a major semver bump).The text was updated successfully, but these errors were encountered: