Would you support adding a verifyJwt function to the library.
I'm currently using this library on a node service that I want to accept self-issued tokens. So they are signed with a key that is sent in the sub_jws field.
I have the fetching and verification pieces over at
I'd prefer to put it over there... if it can fit.
However, I wasn't aware of the special case of https://self-issued.me.
Also, it appears that he JWK thumbprint there is at odds with the other thumbprint standard which specifies that the SHA-XXX should match that of the key's length (which for all practical purposes in 2020 is 256, but in the future could be 384 or 512).
That looks like a sensible separation. maybe a note in the docs to say it exits?
The https://self-issued.me part of the spec is very interesting. I'm trying to use it to create an OAuth provider which cannot track sign ins.
(p.s. is it possible to use this library and set the extractable option on keys to false)
Yeah, I'm surprised I don't have it linked already. I'll keep that on my TODO list.
As far as setting the extractable option to false, I'd say just wrap the function and delete it the property. These things have too many options.
Is it also possible to use keyfetch from a CDN? I was looking for it on rootprojects.org but cannot find it.
No due date set.
This issue currently doesn't have any dependencies.
Deleting a branch is permanent. It CANNOT be undone. Continue?