#1 verifyJwt as the complement to signJwt

Open
opened 4 months ago by CrowdHailer · 4 comments

Would you support adding a verifyJwt function to the library? I'm currently using this library on a node service that I want to accept self-issued tokens. So they are signed with a key that is sent in the `sub_jws` field.

https://openid.net/specs/openid-connect-core-1_0.html#SelfIssued

coolaj86 commented 4 months ago
Owner

I have the fetching and verification pieces over at https://git.coolaj86.com/coolaj86/keyfetch.js

I'd prefer to put it over there... if it can fit.

However, I wasn't aware of the special case of https://self-issued.me.

Also, it appears that the JWK thumbprint there is at odds with the other thumbprint standard which specifies that the SHA-XXX should match that of the key's length (which for all practical purposes in 2020 is 256, but in the future could be 384 or 512).

CrowdHailer commented 4 months ago
Poster

That looks like a sensible separation. Maybe a note in the docs to say it exists?

The https://self-issued.me part of the spec is very interesting. I'm trying to use it to create an OAuth provider which cannot track sign ins.

(P.S. Is it possible to use this library and set the extractable option on keys to false?)

coolaj86 commented 4 months ago
Owner

Yeah, I'm surprised I don't have it linked already. I'll keep that on my TODO list.

As far as setting the extractable option to false, I'd say just wrap the function and delete the property. These things have too many options.

CrowdHailer commented 3 months ago
Poster

Is it also possible to use keyfetch from a CDN? I was looking for it on rootprojects.org but cannot find it.
