-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add RS256 support #331
Add RS256 support #331
Conversation
Thanks for your PR, will take a look. |
Correct me if I am wrong, but seems you are asking for the public certificate in the settings, can you use the here is how the php sdk handles it https://github.com/auth0/auth0-PHP/blob/master/src/Helpers/JWKFetcher.php thank you for the contribution |
awesome, one thing is missing to get this merged, would be posible to add a cache for the JWK? I am thinking about using a hidden setting (like the one you added but without the adding the field in the settings page. Also, we would need to add a configurable field to configure the expiration (in minutes). If this value is WDYT @cocojoe? I am thinking that in the future we will need also some retry logic to try to fetch again the keys when the |
In general looks good, agree on suggested improvements. I think we should have the I wish we had more/any tests 😄 |
OK, I have addressed all of the above except for:
Not sure where/how |
The transients API doesn't guarantee a minimum availability, it only guarantees it will not be available after the cache expiry time. So it could disappear after 1 second and need refreshed which from a performance standpoint bothers me. |
I am ok by using transient. About the kid (key id), that is an attribute in the token header. The JWKS has a set of keys each one has its own kid, the format is something like:
if a token has a kid that is not present in the cached version of the JWKS, you might need to refresh it to see if the key has rotated. If after fetching a new version of the JWKS it is still not present, the token should be considered invalid. if you check the jwt library (https://github.com/firebase/php-jwt/blob/master/src/JWT.php#L99-L108) it checks for the right key based on the kid and if not present it fails. Thinking it through, having a sensible cache should solve this issue, we can leave this retrying logic aside for now. |
@glena I've tested this and it works, default cache is 24 hours and it is configurable. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
I am using React-native-auth0
webAuth()
method which uses PKCE. My understanding is that this requires RS256 signing.So my proposal is to add a select in the basic settings to choose to use HS256 (default) or RS256. wherever
JWT::decode
is used, I've pulled the option from the settings.The validation response for the settings page needs the HS256 secret, so it has complicated it a bit having an extra input added for client secret when using RS256 signing... maybe there's a better way to do this. (and it is perhaps superfluous).
Issues
I am getting an
Expired token received for JSON Web Token validation
error on search_connection , andNot Found
on update_connection. basically I can't sync settings between wp and auth0. I think this might just be the API token having expired though?I manually created a new API token and it is working for updating connections and adding/removing rules. I am not sure whether this sis supposed to get refreshed automatically by the plugin?
The Auth0 data in the WP dashboard is all empty - again not sure if this is related because it seems to be empty even with the default signing / secret settings.
The main thing I can see that won't work with a Native client is the validation check in
WP_Auth0_Admin_Basic.php
Predicament
To be clear, the changes I've made work for my purpose – my client is set to Native, my signing to RS256, and I can log in to WordPress via auth0, and use the WordPress API through my app (with the JWT auth0 plugin modified similarly).
If anybody has any insight or could help with further testing and implementation that'd be great.