add jwks support, enable use of jwks rotation feature and upgrade underlying JWT library #71
Conversation
|
jwtauth. go file has some errors jwtauth.go:39:40: too many arguments in call to jwt.WithVerify |
|
@tanmaij Building fine and all tests passing here. It seems to be something wrong on your environment. Have you updated ( Actually, i think you are running master code: that is and that is |
|
Any plans on merging this feature in? Would be useful if so. |
|
hi @tanmaij thanks for your work on this PR -- I've merged another PR which upgrades us to the latest version of jwx/v2, and tagged https://github.com/go-chi/jwtauth/releases/tag/v5.1.0 can you rebase your branch? I will provide a review here too, and then we can get this one merged too |
| // be the generic `jwtauth.Authenticator` middleware or your own custom handler | ||
| // which checks the request context jwt token and error to prepare a custom | ||
| // http response. | ||
| func VerifierDynamic(jaf func() (*JWTAuth, error)) func(http.Handler) http.Handler { |
There was a problem hiding this comment.
I don't think we need this method. Instead just update the Verifier method to check ja.keySet, if its not nil, then verify against the keySet instead of verifyKey, etc..
There was a problem hiding this comment.
I apologize, I left the project where I was working on this feature.
Now I'm a bit outdated, from what I remember this function is necessary for the possibility of modifying the keys available at runtime. As can be seen in the test: jwtauth_test.go:393.
| @@ -76,6 +114,23 @@ func Verify(ja *JWTAuth, findTokenFns ...func(r *http.Request) string) func(http | |||
| } | |||
| } | |||
|
|
|||
| func VerifyDynamic(jaf func() (*JWTAuth, error), findTokenFns ...func(r *http.Request) string) func(http.Handler) http.Handler { | |||
There was a problem hiding this comment.
we don't need this method, as we can check which "mode" the JWTAuth object is in by checking verifyKey or keySet
There was a problem hiding this comment.
The idea behind this functionality is to allow keys to be obtained dynamically, such as in integration with Vault.
|
@tarcisioN this PR is super helpful! Do you want help rebasing and getting this merged? I'm running into this exact problem right now and this PR would solve it for me. |
|
My team needs this key set support for upcoming work. What do we need to do to get this PR merged in? Looks like the author hasn't responded to this PR in over a year. Would it make sense to create a new branch and PR for this change? I'd be happy to help move this forward. |
|
I propose, fork it, finish it, use it in prod and then submit PR with update. Or link to fork and we can consume your changes once they’re refined. See my comments above. |
Given it doesn't look like this PR will be completed enough to be merged, this strategy looks like the right path forward. |
|
For anyone interested, I tried forking, made the requested changes, and rebased. Test seems to pass and things seem to work as expected. This is what I'm using in my own code below. ctx, cancel := context.WithCancel(context.Background())
defer cancel()
set, err := jwk.Fetch(ctx, url)
if err != nil {
return fmt.Errorf("%v", err)
}
jwks, err := json.Marshal(set)
if err != nil {
return fmt.Errorf("failed to marshal key set: %v", err)
}
tokenAuth, err = jwtauth.NewKeySet(jwks)
if err != nil {
return fmt.Errorf("failed to initialize key set: %v", err)
}Fork with changes: https://github.com/davidallendj/jwtauth |
As #40 and #27, we need to support multiple keys (jwks) and support rotation.
This PR implements new methods to handle with that.
Also we update github.com/lestrrat-go/jwx to v2 to support those features.