-
Notifications
You must be signed in to change notification settings - Fork 233
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ES256 support #170
ES256 support #170
Conversation
src/integrations/express.js
Outdated
} | ||
// if (!header || header.alg !== 'RS256') { | ||
// return cb(null, null); | ||
// } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this should be removed, then it should be removed, not commented out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sorry for that, it was in not up to date branch I pushed first.
@@ -1,13 +1,14 @@ | |||
{ | |||
"name": "jwks-rsa", | |||
"version": "1.9.0", | |||
"version": "2.0.0-beta", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure how this would affect the auth0
release/package management, if we're changing version in their master
branch
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is a proposal for now, I actually don't know the release process here and need a guidance.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should remove the version proposal from the changeset.
4d9009f
to
2f3c1c8
Compare
@lbalmaceda @damieng @sandrinodimattia can I have your input here? Thank you! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
package.json engines
entry would be greatly valuable since the jose dependency does come with runtime requirements that should be made clear to the module's consumers.
Furthermore the whole implementation could be made way simpler, the rsa utils bundled can get removed and to get all the keys (not just RSA or EC ones, also OKP) all in one go, no need to duplicate code for each key type.
let jwks = JSON.parse(jwks_uri_response)
let keystore = jose.JWKS.asKeyStore(jwks, { ignoreErrors: true })
let signingKeys = keystore.all({ use: 'sig' }).map((key) => {
return {
kid: key.kid,
get publicKey() { return key.toPEM(false) },
getPublicKey() { return key.toPEM(false) },
get keyObject() { return key.keyObject }
}
})
package.json
Outdated
"description": "Library to retrieve RSA public keys from a JWKS endpoint", | ||
"main": "lib/index.js", | ||
"types": "index.d.ts", | ||
"dependencies": { | ||
"@types/express-jwt": "0.0.42", | ||
"axios": "^0.19.2", | ||
"debug": "^4.1.0", | ||
"jose": "^1.28.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
jose@2 is already available
@ivn-cote thanks for taking the time to raise this PR. Would you be willing to contribute @panva's suggested improvements? We are currently evaluating whether setting the |
@davidpatrick yes I aim to apply: 1) jose@2, 2) updating |
2f3c1c8
to
e2845ee
Compare
@davidpatrick @panva I've updated the PR with the recommendations provided earlier. |
@@ -2,7 +2,7 @@ version: 2 | |||
jobs: | |||
build: | |||
docker: | |||
- image: circleci/node:10 | |||
- image: circleci/node:13 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should be testing with a matrix here, 10, 12, 14.
@@ -1,13 +1,14 @@ | |||
{ | |||
"name": "jwks-rsa", | |||
"version": "1.9.0", | |||
"version": "2.0.0-beta", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should remove the version proposal from the changeset.
@ivn-cote I just wanted to give you a heads up that I'll be revisiting this PR after our last planned minor for 1.x. |
Description
This PR contains POC for ES256 support. ES256 is similar to RS256, but uses elliptic curve (EC) based crypto instead of RSA.
From implementation side, we've chosen
jose
library to convert JWK format to PEM because other libraries do not support EC keys.I understand this library provides only RSA support for now, but I'd like to promote changes since library is part of JWT validation ecosystem, and plays a vital role as such on many projects. It means providing more general validation would be beneficial for the community.
References
https://github.com/auth0/node-jwks-rsa/issues?q=is%3Aissue+ec
Testing
More tests should be added.
Checklist
master