Add support for passing jwksUri array #1

Closed
wants to merge 1 commit into from

codynguyen

Hi,

This PR extends the jwksUri option to receive both string (single URI) and array of strings (multiple URIs).

This is useful when we need to verify one token against multiple key sources (for example projects using Amazon Cognito with multiple User Pools).

Feedback is welcome & appreciated!

@sandrinodimattia
Member

Hi @codynguyen thank you for this PR. The only concern is the following: what happens if you have an array of 1000 uris?

If we need to find a key, we'll automatically loop over 1000 uris. Could we solve this on a higher level? Eg, match the URI to the issuer of the token for example? So we just have to fetch the keys from a single uri.

Would that work in Amazon Cognito?

@codynguyen
Author

codynguyen commented Oct 21, 2016

@sandrinodimattia thanks for your suggestion!

In order to match the issuer with the array of uris, we'd need to pass the issuer to JwksClient#getSigningKey and its sibling methods (getSigningKeys and getKeys). But that would mean an API change to the lib.

If we're OK with the API change, I think maybe we can go further and pass both the token's header and payload to getSigningKey, so we can access any (unverified) token information inside our lib without having to change the API again. The call would look something like this:

client.getSigningKey(header, payload, (err, key) => {
  if (err) {
    return onError(err, (newError) => cb(newError, null));
  }

  // Provide the key.
  return cb(null, key.publicKey || key.rsaPublicKey);
});

What do you think?
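
Added example, not part of this thread or of the library's code: one way to do the issuer-to-URI matching discussed above, where the unverified `iss` claim only selects among preconfigured JWKS URIs and unknown issuers are rejected before any fetch. All names (`ISSUER_JWKS`, `decodeUnverified`, `selectJwksUri`, `makeSampleToken`) are hypothetical and the Cognito User Pool IDs are constructed sample values.

```javascript
// Added example; ISSUER_JWKS, decodeUnverified, selectJwksUri and makeSampleToken
// are hypothetical names, not library API. Pool IDs are constructed.
const COGNITO = 'https://cognito-idp.us-east-1.amazonaws.com/';
const ISSUER_A = COGNITO + 'us-east-1_EXAMPLE01';
const ISSUER_B = COGNITO + 'us-east-1_EXAMPLE02';

// Allowlist: trusted issuer -> the one JWKS endpoint to query for it.
const ISSUER_JWKS = new Map([
  [ISSUER_A, ISSUER_A + '/.well-known/jwks.json'],
  [ISSUER_B, ISSUER_B + '/.well-known/jwks.json'],
]);

// Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
function decodeSegment(segment) {
  const value = JSON.parse(Buffer.from(segment, 'base64').toString('utf8'));
  if (value === null || typeof value !== 'object') throw new Error('malformed JWT');
  return value;
}

// Reads header and payload WITHOUT checking the signature: routing input only.
function decodeUnverified(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return { header: decodeSegment(parts[0]), payload: decodeSegment(parts[1]) };
}

// Exact-match lookup: the unverified `iss` selects among configured URIs and is
// never used to build one, so an unknown issuer causes no outbound fetch.
function selectJwksUri(token) {
  const { header, payload } = decodeUnverified(token);
  if (typeof header.kid !== 'string') throw new Error('token has no kid');
  const jwksUri = typeof payload.iss === 'string' ? ISSUER_JWKS.get(payload.iss) : undefined;
  if (!jwksUri) throw new Error('untrusted issuer');
  // Pass `issuer` to the later signature verification as the expected issuer.
  return { jwksUri, kid: header.kid, issuer: payload.iss };
}

// Builds a constructed, unsigned sample token (placeholder signature segment).
function makeSampleToken(iss, kid) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', kid })}.${enc({ iss, sub: 'user-1' })}.c2ln`;
}

console.log(selectJwksUri(makeSampleToken(ISSUER_B, 'kid-1')).jwksUri);
```

The selected URI and `kid` only decide where to look for the key; the token is trusted only after its signature and issuer are verified against that key.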

lbalmaceda pushed a commit that referenced this pull request May 9, 2019
updated to 1.3.0 upstream
@stale

stale bot commented Oct 26, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response from our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️

@stale stale bot added the closed:stale (Issue or PR has not seen activity recently) label Oct 26, 2019
@codynguyen
Author

Closing as this is no longer relevant for us

@codynguyen codynguyen closed this Oct 30, 2019