Add jwt.Keyfunc utilities and partial JWK support #105
Conversation
|
This would also provide examples that this issue requires: #58 |
| This package can additionally use a given mapping of key IDs, `kid`, to cryptographic keys parse and validate JWTs. | ||
|
|
||
| It's common for an identity provider, such as [Keycloak](https://www.keycloak.org/) | ||
| or [Amazon Cognito (AWS)](https://aws.amazon.com/cognito/) to expose a JWKs via an HTTPS endpoint. It is important that |
There was a problem hiding this comment.
I would use the full name before introducing the acronym, ie JSON Web Key Set before JWKS
There was a problem hiding this comment.
It's present above on line 7
This package can consume a JSON Web Key Set (JWKs) and or a given set of key ID,
kidto cryptographic key mappings.
|
Thank you for submitting a PR and writing up a detailed description. Very helpful. I'm a bit skeptical, however, that supporting JWKs is within the scope of this Also, applications may choose to implement their own mechanism for fetching/storing keys which is orthogonal to verifying and parsing JWTs. The code also appears to be more complicated than it needs to be, there is a nested lock and that's a bit of a code smell to me. But putting aside the implementation, accepting a PR like this would mean having to support this code which is another major consideration. |
|
I believe having this code in this package would benefit the pacakge users. Parsing and validating JWTs with keys found in a JWK Set is a common use case. Moreover, the documentation around creating a I'd be happy to discuss the benefits and drawbacks to any of the specifics of the implementation. I would also like to offer to help maintain the code, if the PR is accepted. |
| } | ||
|
|
||
| // Create a channel that will never send anything unless there is a refresh interval. | ||
| refreshInterval := make(<-chan time.Time) |
There was a problem hiding this comment.
could this work with a time.Ticker?
There was a problem hiding this comment.
If specifying the RefreshInterval of the keyfunc.Options had a non-zero default, yes.
Since it can be omitted with the expectation of no refresh interval, a time.Ticker cannot be created because it requires a time.Duration greater than zero.
If it were turned into a time.Ticker now, then the below select statement case would need to be guarded by an if refreshInterval != nil statement, which would require two select statements, once for each case.
|
I kinda agree with @mfridman in that the JWKS concern is in a separate scope of this package, altough related and the implementation can be decoupled in a fashion such that that the consumer decides the http Doer implementation to use (just to name one thing). I think that, should this go forward, could go into a separate package like |
|
Seems this PR has gotten a bit stale. I'm going to close it, but please feel free to reach out if it fits inside the scope of this project and I'd be happy to re-open it. I plan on making a handful of changes to |
Purpose
The purpose of this Pull Request is to add
jwt.Keyfuncutilities found ingithub.com/MicahParks/keyfunc.These utilities include creating a
jwt.Keyfuncfrom a given set of cryptographic keys and or a local/remote JWKs. When using a remote JWKs there are additional features such as a background refresh goroutine. For additional details on the provided features, theREADME.mdin thekeyfuncdirectory is a good place to start.This would add partial JWK support for this project and help make progress towards this issue: #73.
It would be ideal for those who found
github.com/MicahParks/keyfuncuseful to only need to import one JWT pacakge. Here is an example of a PR that avoided importinggithub.com/MicahParks/keyfuncand resorted to copying due to the supported forks being dependencies: gofiber/jwt#57.Additionally, if the
github.com/golang-jwt/jwt/v4does another major semantic version update, thegithub.com/MicahParks/keyfuncwill need to include support for both/v4and/v5due to the Go type system. This can be avoided if thegithub.com/MicahParks/keyfuncis included in its dependent project.This PR only includes effectual changes in the
keyfuncdirectory and does not modify anything but a comment in the original project.Terminology
keyfunc.JWKs.Limitations
This package does not yet support EdDSA keys. This means if a JWKs contains a key with an
algofEdDSAwill return an error duringjwt.Parseif a JWT with akidassociated with thealgofEdDSA. I believe implementing this would be very doable, but haven't come across a JWKs that uses EdDSA keys yet. I may implement this before this PR is unmarked as a draft. The relevant RFC is here: https://datatracker.ietf.org/doc/html/rfc8037#appendix-A.4This package does not support creating a JWKs. It only consumes a JWKs for the purpose of parsing and validating JWTs.
Tests
Test coverage for this new
github.com/golang-jwt/jwt/v4/keyfuncpackage is>90%. Some tests make keys to sign tokens, then parse and validate them. Other tests use hard coded tokens and JWKs.Examples
This PR includes an
examplesdirectory. Many of the examples reference this service: https://jwks-service.appspot.com/. As it states on the site: