publicKey without discovery #133
Comments
I've come across this issue trying to migrate from Is there any suggested workaround? Hoping to not have to introduce JWKS for this asymmetrical setup where I have the public key available to me which I hoped to pass into Otherwise faced with
There's no way to do it currently. You can pass a custom It's pretty straightforward with

```ts
import fs from 'node:fs/promises'
import jsonWebToken from 'jsonwebtoken'

const TEN_HOURS = 10 * 60 * 60
const AUDIENCE = 'https://example.com/api'

const payload = {
  iss: 'https://example.com',
  sub: '0123456789abcdef',
  aud: [AUDIENCE],
  iat: Math.floor(Date.now() / 1000),
  exp: Math.floor(Date.now() / 1000) + TEN_HOURS,
  scope: 'openid profile email offline_access',
  azp: '0123456789abcdef',
}

// Keys are read from local files; no discovery or JWKS fetch is involved.
const privateKey = await fs.readFile('/path/to/private.pem', 'utf8')
const publicKey = await fs.readFile('/path/to/public.pem', 'utf8')

const token = jsonWebToken.sign(payload, privateKey, { algorithm: 'RS256' })

try {
  // `algorithms` pins RS256 so the token's own `alg` header is not trusted.
  // Add `issuer` here as well if the token's `iss` claim should be enforced.
  const verified = jsonWebToken.verify(token, publicKey, {
    algorithms: ['RS256'],
    audience: AUDIENCE,
  }) as jsonWebToken.JwtPayload
  // or if you need `{ header, payload, signature }` for some reason:
  // const { header, payload, signature } = jsonWebToken.verify(token, publicKey, {
  //   algorithms: ['RS256'],
  //   audience: AUDIENCE,
  //   complete: true,
  // }) as jsonWebToken.Jwt
  console.log('payload:', verified)
} catch (error) {
  // throws if expired, invalid signature, incorrect audience, etc.
  console.error(error)
}
```
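The workaround above leans on jsonwebtoken. The following is an added example, not code from the issue or from node-oauth2-jwt-bearer, showing with Node's built-in crypto module alone what a resource server has to check itself once it skips discovery and trusts a locally held public key: the algorithm is pinned rather than read from the header, the signature is verified before any claim is used, and iss, aud and exp are enforced. The key pair, issuer, audience and token are constructed for the demo.

```javascript
import { createSign, createVerify, generateKeyPairSync } from 'node:crypto';
const b64url = (data) => Buffer.from(data).toString('base64url');
const decode = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
// Stand-in for the authorization server: mint an RS256 token (constructed for the demo).
function signRS256(claims, privateKeyPem) {
  const h = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const p = b64url(JSON.stringify(claims));
  const sig = createSign('RSA-SHA256').update(`${h}.${p}`).sign(privateKeyPem);
  return `${h}.${p}.${b64url(sig)}`;
}
// Resource-server side: verify against a known public key with no discovery. The checks
// that discovery/JWKS normally configure are done explicitly: pin the algorithm (never
// trust the header's alg), verify the signature before reading any claim, then enforce
// iss, aud and exp. Throws on the first failure.
function verifyRS256(token, publicKeyPem, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const alg = decode(h).alg;
  if (alg !== 'RS256') throw new Error(`unexpected alg: ${alg}`);
  const valid = createVerify('RSA-SHA256')
    .update(`${h}.${p}`)
    .verify(publicKeyPem, Buffer.from(s, 'base64url'));
  if (!valid) throw new Error('invalid signature');
  const claims = decode(p);
  if (claims.iss !== issuer) throw new Error('issuer mismatch');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) throw new Error('audience mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  return claims;
}
// null when the token is accepted, otherwise the reason it was rejected.
function rejectionReason(token, publicKeyPem, expected) {
  try { verifyRS256(token, publicKeyPem, expected); return null; } catch (err) { return err.message; }
}
// Constructed key pair and token so the example runs offline (no issuer to contact).
const { publicKey, privateKey } = generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const EXPECTED = { issuer: 'https://example.com', audience: 'https://example.com/api' };
const nowSec = Math.floor(Date.now() / 1000);
const token = signRS256({ iss: EXPECTED.issuer, sub: 'user-1', aud: [EXPECTED.audience], iat: nowSec, exp: nowSec + 600 }, privateKey);
// A header claiming "alg":"none" is rejected before the claims are even parsed.
const forged = `${b64url(JSON.stringify({ alg: 'none' }))}.${token.split('.')[1]}.`;
console.log(rejectionReason(token, publicKey, EXPECTED));  // null
console.log(rejectionReason(forged, publicKey, EXPECTED)); // unexpected alg: none
```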
Checklist

Describe the problem you'd like to have solved

It seems possible to avoid discovery altogether by specifying `issuer` instead of `issuerBaseURL`, and this is perfectly fine with symmetrical algorithms. However, it seems impossible to provide an asymmetrical algorithm and not specify `issuerBaseURL`.

Describe the ideal solution

I would like to pass the public key explicitly without doing discovery. So something like defining `issuer`, `audience`, and then the public key in `secret`. The library `jose` seems to allow passing the public key already, but we never get here because `node-oauth2-jwt-bearer` will throw before that during validation.

Alternatives and current workarounds

Currently not possible.

Additional context

No response