keyfetch.js-ARCHIVED/README.md

# keyfetch

Lightweight support for fetching JWKs.

Fetches JSON native JWKs and exposes them as PEMs that can be consumed by the `jsonwebtoken` package
(and node's native RSA and ECDSA crypto APIs).

## Features

Works great for

* [x] `jsonwebtoken` (Auth0)
* [x] OIDC (OpenID Connect)
* [x] .well-known/jwks.json (Auth0)
* [x] Other JWKs URLs

Crypto Support

* [x] JWT verification
* [x] RSA (all variants)
* [x] EC / ECDSA (NIST variants P-256, P-384)
* [ ] esoteric variants (excluded to keep the code featherweight and secure)

# Install

```bash
npm install --save keyfetch
```

# Usage

Retrieve a key list of keys:

```js
var keyfetch = require('keyfetch');

keyfetch.oidcJwks("https://example.com/").then(function (results) {
  results.forEach(function (result) {
    console.log(result.jwk);
    console.log(result.thumprint);
    console.log(result.pem);
  });
});
```

Quick JWT verification (for authentication):

```js
var keyfetch = require('keyfetch');
var jwt = '...';

keyfetch.jwt.verify(jwt).then(function (decoded) {
  console.log(decoded);
});
```

JWT verification (for authorization):

```js
var options = { issuers: ['https://example.com/'], claims: { role: 'admin' } };
keyfetch.jwt.verify(jwt, options).then(function (decoded) {
  console.log(decoded);
});
```

Verify a JWT with `jsonwebtoken`:

```js
var keyfetch = require('keyfetch');
var jwt = require('jsonwebtoken');
var auth = "..."; // some JWT
var token = jwt.decode(auth, { json: true, complete: true })

if (!isTrustedIssuer(token.payload.iss)) {
  throw new Error("untrusted issuer");
}

keyfetch.oidcJwk(
  token.header.kid
, token.payload.iss
).then(function (result) {
  console.log(result.jwk);
  console.log(result.thumprint);
  console.log(result.pem);

  jwt.jwt.verify(jwt, { jwk: result.jwk });
});
```

*Note*: You might implement `isTrustedIssuer` one of these:

```js
function isTrustedIssuer(iss) {
  return -1 !== [ 'https://partner.com/', 'https://auth0.com/'].indexOf(iss);
}
```

```js
function isTrustedIssuer(iss) {
  return /^https:/.test(iss) &&         // must be a secure domain
    /(\.|^)example\.com$/.test(iss);    // can be example.com or any subdomain
}
```

# API

All API calls will return the RFC standard JWK SHA256 thumbprint as well as a PEM version of the key.

Note: When specifying `id`, it may be either `kid` (as in `token.header.kid`)
or `thumbprint` (as in `result.thumbprint`).

### JWKs URLs

Retrieves keys from a URL such as `https://example.com/jwks/` with the format `{ keys: [ { kid, kty, exp, ... } ] }`
and returns the array of keys (as well as thumbprint and jwk-to-pem).

```js
keyfetch.jwks(jwksUrl)
// Promises [ { jwk, thumbprint, pem } ] or fails
```

```js
keyfetch.jwk(id, jwksUrl)
// Promises { jwk, thumbprint, pem } or fails
```

### Auth0

If `https://example.com/` is used as `issuerUrl` it will resolve to
`https://example.com/.well-known/jwks.json` and return the keys.

```js
keyfetch.wellKnownJwks(issuerUrl)
// Promises [ { jwk, thumbprint, pem } ] or fails
```

```js
keyfetch.wellKnownJwk(id, issuerUrl)
// Promises { jwk, thumbprint, pem } or fails
```

### OIDC

If `https://example.com/` is used as `issuerUrl` then it will first resolve to
`https://example.com/.well-known/openid-configuration` and then follow `jwks_uri` to return the keys.

```js
keyfetch.oidcJwks(issuerUrl)
// Promises [ { jwk, thumbprint, pem } ] or fails
```

```js
keyfetch.oidcJwk(id, issuerUrl)
// Promises { jwk, thumbprint, pem } or fails
```

### Verify JWT

This can accept a _JWT string_ (compact JWS) or a _decoded JWT object_ (JWS).

This can be used purely for verifying pure authentication tokens, as well as authorization tokens.

```js
keyfetch.jwt.verify(jwt, { strategy: 'oidc' }).then(function (verified) {
  /*
    { protected: '...'  // base64 header
    , payload: '...'    // base64 payload
    , signature: '...'  // base64 signature
    , header: {...}     // decoded header
    , claims: {...}     // decoded payload
    }
  */
});
```

When used for authorization, it's important to specify which `issuers` are allowed
(otherwise anyone can create a valid token with whatever any claims they want).

If your authorization `claims` can be expressed as exact string matches, you can specify those too.

```js
keyfetch.jwt.verify(jwt, {
  strategy: 'oidc'
, issuers: [ 'https://example.com/' ]
, claims: { role: 'admin', sub: 'abc', group: 'xyz' }
}).then(function (verified) {

```

* `strategy` may be `oidc` (default) , `auth0`, or a direct JWKs url.
* `issuers` must be a list of https urls (though http is allowed for things like Docker swarm)
* `claims` is an object with arbitrary keys (i.e. everything except for the standard `iat`, `exp`, `jti`, etc)
* `exp` may be set to `false` if you're validating on your own (i.e. allowing time drift leeway)
* `jwks` can be used to specify a list of allowed public key rather than fetching them (i.e. for offline unit tests)
* `jwk` same as above, but a single key rather than a list

### Decode JWT

```jwt
try {
  console.log( keyfetch.jwt.decode(jwt) );
} catch(e) {
  console.error(e);
}
```

```js
{ protected: '...'  // base64 header
, payload: '...'    // base64 payload
, signature: '...'  // base64 signature
, header: {...}     // decoded header
, claims: {...}     // decoded payload
```

It's easier just to show the code than to explain the example.

```js
keyfetch.jwt.decode = function (jwt) {
  // Unpack JWS from "compact" form
  var parts = jwt.split('.');
  var obj = {
    protected: parts[0]
  , payload: parts[1]
  , signature: parts[2]
  };

  // Decode JWT properties from JWS as unordered objects
  obj.header = JSON.parse(Buffer.from(obj.protected, 'base64'));
  obj.claims = JSON.parse(Buffer.from(obj.payload, 'base64'));

  return obj;
};
```

### Cache Settings

```js
keyfetch.init({
  // set all keys at least 1 hour (regardless of jwk.exp)
  mincache: 1 * 60 * 60

  // expire each key after 3 days (regardless of jwk.exp)
, maxcache: 3 * 24 * 60 * 60

  // re-fetch a key up to 15 minutes before it expires (only if used)
, staletime: 15 * 60
})
```

There is no background task to cleanup expired keys as of yet.
For now you can limit the number of keys fetched by having a simple whitelist.
initial commit 2019-02-25 22:54:08 +00:00			`# keyfetch`

			`Lightweight support for fetching JWKs.`

			Fetches JSON native JWKs and exposes them as PEMs that can be consumed by the `jsonwebtoken` package
			`(and node's native RSA and ECDSA crypto APIs).`

			`## Features`

			`Works great for`

			* [x] `jsonwebtoken` (Auth0)
			`* [x] OIDC (OpenID Connect)`
			`* [x] .well-known/jwks.json (Auth0)`
			`* [x] Other JWKs URLs`

			`Crypto Support`

			`* [x] JWT verification`
			`* [x] RSA (all variants)`
			`* [x] EC / ECDSA (NIST variants P-256, P-384)`
			`* [ ] esoteric variants (excluded to keep the code featherweight and secure)`

			`# Install`

			```bash
			`npm install --save keyfetch`
			```

			`# Usage`

			`Retrieve a key list of keys:`

			```js
			`var keyfetch = require('keyfetch');`

			`keyfetch.oidcJwks("https://example.com/").then(function (results) {`
			`results.forEach(function (result) {`
			`console.log(result.jwk);`
			`console.log(result.thumprint);`
			`console.log(result.pem);`
			`});`
			`});`
			```

v1.2.0: add code to check issuers and claims 2019-03-15 19:45:27 +00:00			`Quick JWT verification (for authentication):`
initial commit 2019-02-25 22:54:08 +00:00
			```js
			`var keyfetch = require('keyfetch');`
			`var jwt = '...';`

v1.2.0: add code to check issuers and claims 2019-03-15 19:45:27 +00:00			`keyfetch.jwt.verify(jwt).then(function (decoded) {`
			`console.log(decoded);`
			`});`
			```

			`JWT verification (for authorization):`

			```js
			`var options = { issuers: ['https://example.com/'], claims: { role: 'admin' } };`
			`keyfetch.jwt.verify(jwt, options).then(function (decoded) {`
initial commit 2019-02-25 22:54:08 +00:00			`console.log(decoded);`
			`});`
			```

			Verify a JWT with `jsonwebtoken`:

			```js
			`var keyfetch = require('keyfetch');`
			`var jwt = require('jsonwebtoken');`
			`var auth = "..."; // some JWT`
			`var token = jwt.decode(auth, { json: true, complete: true })`

			`if (!isTrustedIssuer(token.payload.iss)) {`
			`throw new Error("untrusted issuer");`
			`}`

			`keyfetch.oidcJwk(`
			`token.header.kid`
			`, token.payload.iss`
			`).then(function (result) {`
			`console.log(result.jwk);`
			`console.log(result.thumprint);`
			`console.log(result.pem);`

v1.2.0: add code to check issuers and claims 2019-03-15 19:45:27 +00:00			`jwt.jwt.verify(jwt, { jwk: result.jwk });`
initial commit 2019-02-25 22:54:08 +00:00			`});`
			```

			Note: You might implement `isTrustedIssuer` one of these:

			```js
			`function isTrustedIssuer(iss) {`
			`return -1 !== [ 'https://partner.com/', 'https://auth0.com/'].indexOf(iss);`
			`}`
			```

			```js
			`function isTrustedIssuer(iss) {`
			`return /^https:/.test(iss) && // must be a secure domain`
			`/(\.\|^)example\.com$/.test(iss); // can be example.com or any subdomain`
			`}`
			```

			`# API`

			`All API calls will return the RFC standard JWK SHA256 thumbprint as well as a PEM version of the key.`

			Note: When specifying `id`, it may be either `kid` (as in `token.header.kid`)
			or `thumbprint` (as in `result.thumbprint`).

			`### JWKs URLs`

			Retrieves keys from a URL such as `https://example.com/jwks/` with the format `{ keys: [ { kid, kty, exp, ... } ] }`
			`and returns the array of keys (as well as thumbprint and jwk-to-pem).`

			```js
			`keyfetch.jwks(jwksUrl)`
			`// Promises [ { jwk, thumbprint, pem } ] or fails`
			```

			```js
			`keyfetch.jwk(id, jwksUrl)`
			`// Promises { jwk, thumbprint, pem } or fails`
			```

			`### Auth0`

			If `https://example.com/` is used as `issuerUrl` it will resolve to
			`https://example.com/.well-known/jwks.json` and return the keys.

			```js
			`keyfetch.wellKnownJwks(issuerUrl)`
			`// Promises [ { jwk, thumbprint, pem } ] or fails`
			```

			```js
			`keyfetch.wellKnownJwk(id, issuerUrl)`
			`// Promises { jwk, thumbprint, pem } or fails`
			```

			`### OIDC`

			If `https://example.com/` is used as `issuerUrl` then it will first resolve to
			`https://example.com/.well-known/openid-configuration` and then follow `jwks_uri` to return the keys.

			```js
			`keyfetch.oidcJwks(issuerUrl)`
			`// Promises [ { jwk, thumbprint, pem } ] or fails`
			```

			```js
			`keyfetch.oidcJwk(id, issuerUrl)`
			`// Promises { jwk, thumbprint, pem } or fails`
			```

			`### Verify JWT`

v1.2.0: add code to check issuers and claims 2019-03-15 19:45:27 +00:00			`This can accept a _JWT string_ (compact JWS) or a _decoded JWT object_ (JWS).`

			`This can be used purely for verifying pure authentication tokens, as well as authorization tokens.`

			```js
			`keyfetch.jwt.verify(jwt, { strategy: 'oidc' }).then(function (verified) {`
			`/*`
			`{ protected: '...' // base64 header`
			`, payload: '...' // base64 payload`
			`, signature: '...' // base64 signature`
			`, header: {...} // decoded header`
			`, claims: {...} // decoded payload`
			`}`
			`*/`
			`});`
			```

			When used for authorization, it's important to specify which `issuers` are allowed
			`(otherwise anyone can create a valid token with whatever any claims they want).`

			If your authorization `claims` can be expressed as exact string matches, you can specify those too.

initial commit 2019-02-25 22:54:08 +00:00			```js
v1.2.0: add code to check issuers and claims 2019-03-15 19:45:27 +00:00			`keyfetch.jwt.verify(jwt, {`
			`strategy: 'oidc'`
			`, issuers: [ 'https://example.com/' ]`
			`, claims: { role: 'admin', sub: 'abc', group: 'xyz' }`
			`}).then(function (verified) {`

initial commit 2019-02-25 22:54:08 +00:00			```

			* `strategy` may be `oidc` (default) , `auth0`, or a direct JWKs url.
v1.2.0: add code to check issuers and claims 2019-03-15 19:45:27 +00:00			* `issuers` must be a list of https urls (though http is allowed for things like Docker swarm)
			* `claims` is an object with arbitrary keys (i.e. everything except for the standard `iat`, `exp`, `jti`, etc)
			* `exp` may be set to `false` if you're validating on your own (i.e. allowing time drift leeway)
			* `jwks` can be used to specify a list of allowed public key rather than fetching them (i.e. for offline unit tests)
			* `jwk` same as above, but a single key rather than a list

			`### Decode JWT`

			```jwt
			`try {`
			`console.log( keyfetch.jwt.decode(jwt) );`
			`} catch(e) {`
			`console.error(e);`
			`}`
			```

			```js
			`{ protected: '...' // base64 header`
			`, payload: '...' // base64 payload`
			`, signature: '...' // base64 signature`
			`, header: {...} // decoded header`
			`, claims: {...} // decoded payload`
			```

			`It's easier just to show the code than to explain the example.`

			```js
			`keyfetch.jwt.decode = function (jwt) {`
			`// Unpack JWS from "compact" form`
			`var parts = jwt.split('.');`
			`var obj = {`
			`protected: parts[0]`
			`, payload: parts[1]`
			`, signature: parts[2]`
			`};`

			`// Decode JWT properties from JWS as unordered objects`
			`obj.header = JSON.parse(Buffer.from(obj.protected, 'base64'));`
			`obj.claims = JSON.parse(Buffer.from(obj.payload, 'base64'));`

			`return obj;`
			`};`
			```
initial commit 2019-02-25 22:54:08 +00:00
			`### Cache Settings`

			```js
			`keyfetch.init({`
			`// set all keys at least 1 hour (regardless of jwk.exp)`
			`mincache: 1 * 60 * 60`

			`// expire each key after 3 days (regardless of jwk.exp)`
			`, maxcache: 3 * 24 * 60 * 60`

			`// re-fetch a key up to 15 minutes before it expires (only if used)`
			`, staletime: 15 * 60`
			`})`
			```

			`There is no background task to cleanup expired keys as of yet.`
			`For now you can limit the number of keys fetched by having a simple whitelist.`