ES256 support #170
ES256 support #170
Conversation
src/integrations/express.js
Outdated
| } | ||
| // if (!header || header.alg !== 'RS256') { | ||
| // return cb(null, null); | ||
| // } |
There was a problem hiding this comment.
If this should be removed, then it should be removed, not commented out.
There was a problem hiding this comment.
sorry for that, it was in not up to date branch I pushed first.
| @@ -1,13 +1,14 @@ | |||
| { | |||
| "name": "jwks-rsa", | |||
| "version": "1.9.0", | |||
| "version": "2.0.0-beta", | |||
There was a problem hiding this comment.
Not sure how this would affect the auth0 release/package management, if we're changing version in their master branch
There was a problem hiding this comment.
It is a proposal for now, I actually don't know the release process here and need a guidance.
There was a problem hiding this comment.
we should remove the version proposal from the changeset.
ivn-cote
force-pushed
the
EC-support
branch
from
4d9009f
to
2f3c1c8
Compare
|
@lbalmaceda @damieng @sandrinodimattia can I have your input here? Thank you! |
There was a problem hiding this comment.
package.json engines entry would be greatly valuable since the jose dependency does come with runtime requirements that should be made clear to the module's consumers.
Furthermore the whole implementation could be made way simpler, the rsa utils bundled can get removed and to get all the keys (not just RSA or EC ones, also OKP) all in one go, no need to duplicate code for each key type.
let jwks = JSON.parse(jwks_uri_response)
let keystore = jose.JWKS.asKeyStore(jwks, { ignoreErrors: true })
let signingKeys = keystore.all({ use: 'sig' }).map((key) => {
return {
kid: key.kid,
get publicKey() { return key.toPEM(false) },
getPublicKey() { return key.toPEM(false) },
get keyObject() { return key.keyObject }
}
})
package.json
Outdated
| "description": "Library to retrieve RSA public keys from a JWKS endpoint", | ||
| "main": "lib/index.js", | ||
| "types": "index.d.ts", | ||
| "dependencies": { | ||
| "@types/express-jwt": "0.0.42", | ||
| "axios": "^0.19.2", | ||
| "debug": "^4.1.0", | ||
| "jose": "^1.28.0", |
|
@ivn-cote thanks for taking the time to raise this PR. Would you be willing to contribute @panva's suggested improvements? We are currently evaluating whether setting the |
|
@davidpatrick yes I aim to apply: 1) jose@2, 2) updating |
ivn-cote
force-pushed
the
EC-support
branch
from
2f3c1c8
to
e2845ee
Compare
|
@davidpatrick @panva I've updated the PR with the recommendations provided earlier. |
| @@ -2,7 +2,7 @@ version: 2 | |||
| jobs: | |||
| build: | |||
| docker: | |||
| - image: circleci/node:10 | |||
| - image: circleci/node:13 | |||
There was a problem hiding this comment.
I think we should be testing with a matrix here, 10, 12, 14.
| @@ -1,13 +1,14 @@ | |||
| { | |||
| "name": "jwks-rsa", | |||
| "version": "1.9.0", | |||
| "version": "2.0.0-beta", | |||
There was a problem hiding this comment.
we should remove the version proposal from the changeset.
|
@ivn-cote I just wanted to give you a heads up that I'll be revisiting this PR after our last planned minor for 1.x. |
Description
This PR contains POC for ES256 support. ES256 is similar to RS256, but uses elliptic curve (EC) based crypto instead of RSA.
From implementation side, we've chosen
joselibrary to convert JWK format to PEM because other libraries do not support EC keys.I understand this library provides only RSA support for now, but I'd like to promote changes since library is part of JWT validation ecosystem, and plays a vital role as such on many projects. It means providing more general validation would be beneficial for the community.
References
https://github.com/auth0/node-jwks-rsa/issues?q=is%3Aissue+ec
Testing
More tests should be added.
Checklist
master