-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add jwks support, enable use of jwks rotation feature and upgrade underlying JWT library #71
base: master
Are you sure you want to change the base?
Conversation
jwtauth. go file has some errors jwtauth.go:39:40: too many arguments in call to jwt.WithVerify |
@tanmaij Building fine and all tests passing here. It seems to be something wrong on your environment. Have you updated ( Actually, i think you are running master code: that is and that is |
Any plans on merging this feature in? Would be useful if so. |
hi @tanmaij thanks for your work on this PR -- I've merged another PR which upgrades us to the latest version of jwx/v2, and tagged https://github.com/go-chi/jwtauth/releases/tag/v5.1.0 can you rebase your branch? I will provide a review here too, and then we can get this one merged too |
// be the generic `jwtauth.Authenticator` middleware or your own custom handler | ||
// which checks the request context jwt token and error to prepare a custom | ||
// http response. | ||
func VerifierDynamic(jaf func() (*JWTAuth, error)) func(http.Handler) http.Handler { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we need this method. Instead just update the Verifier
method to check ja.keySet, if its not nil, then verify against the keySet instead of verifyKey, etc..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I apologize, I left the project where I was working on this feature.
Now I'm a bit outdated, from what I remember this function is necessary for the possibility of modifying the keys available at runtime. As can be seen in the test: jwtauth_test.go:393.
@@ -76,6 +114,23 @@ func Verify(ja *JWTAuth, findTokenFns ...func(r *http.Request) string) func(http | |||
} | |||
} | |||
|
|||
func VerifyDynamic(jaf func() (*JWTAuth, error), findTokenFns ...func(r *http.Request) string) func(http.Handler) http.Handler { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we don't need this method, as we can check which "mode" the JWTAuth object is in by checking verifyKey or keySet
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea behind this functionality is to allow keys to be obtained dynamically, such as in integration with Vault.
@tarcisioN this PR is super helpful! Do you want help rebasing and getting this merged? I'm running into this exact problem right now and this PR would solve it for me. |
My team needs this key set support for upcoming work. What do we need to do to get this PR merged in? Looks like the author hasn't responded to this PR in over a year. Would it make sense to create a new branch and PR for this change? I'd be happy to help move this forward. |
I propose, fork it, finish it, use it in prod and then submit PR with update. Or link to fork and we can consume your changes once they’re refined. See my comments above. |
Given it doesn't look like this PR will be completed enough to be merged, this strategy looks like the right path forward. |
For anyone interested, I tried forking, made the requested changes, and rebased. Test seems to pass and things seem to work as expected. This is what I'm using in my own code below. ctx, cancel := context.WithCancel(context.Background())
defer cancel()
set, err := jwk.Fetch(ctx, url)
if err != nil {
return fmt.Errorf("%v", err)
}
jwks, err := json.Marshal(set)
if err != nil {
return fmt.Errorf("failed to marshal key set: %v", err)
}
tokenAuth, err = jwtauth.NewKeySet(jwks)
if err != nil {
return fmt.Errorf("failed to initialize key set: %v", err)
} Fork with changes: https://github.com/davidallendj/jwtauth |
As #40 and #27, we need to support multiple keys (jwks) and support rotation.
This PR implements new methods to handle with that.
Also we update github.com/lestrrat-go/jwx to v2 to support those features.