Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added support for multiple keys in SignedWith validation #1011

Closed
wants to merge 1 commit into from
Closed

Added support for multiple keys in SignedWith validation #1011

wants to merge 1 commit into from

Conversation

rhertogh
Copy link
Contributor

@rhertogh rhertogh commented Apr 22, 2023
edited
Loading

In order to support key rotation, this pull request adds the possibility to pass multiple keys to the SignedWith validator to verify against.

@rhertogh
Copy link
Contributor Author

@lcobucci Hi, could you please approve the workflows?

Slamdunk
Slamdunk requested changes Apr 22, 2023
View reviewed changes
Copy link
Collaborator

@Slamdunk Slamdunk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changing the current constraint would weaken the library, I suggest to propose something like a new AtLeastOne constraint which accepts multiple SignedWith constraints.

@lcobucci
Copy link
Owner

Changing the current constraint would weaken the library, I suggest to propose something like a new AtLeastOne constraint which accepts multiple SignedWith constraints.

Let's also wrap the array. JWK has the concept of key sets, we can use this as opportunity to introduce the it.

@lcobucci
Copy link
Owner

@lcobucci Hi, could you please approve the workflows?

@rhertogh you may also run everything locally with make

@rhertogh
Copy link
Contributor Author

@Slamdunk @lcobucci

Changing the current constraint would weaken the library, I suggest to propose something like a new AtLeastOne constraint which accepts multiple SignedWith constraints.

Let's also wrap the array. JWK has the concept of key sets, we can use this as opportunity to introduce the it.

Using a "JWK Set" does indeed make sense.
However, in that case we're passing only 1 thing (the entire set) to the constraint. But when going that path, AtLeastOne, which would accept multiple SignedWith, sounds contradicting to me.

I see two options:

  1. Have SignedWith accept Key|KeySet
  2. Have SignedWith only accept Key and add a second constraint like SignedWithOneInSet which then accepts a KeySet

Option 1 makes more sense to me, since it's still validating against either the Key or KeySet. And since the purpose of the KeySet is to be a list of keys (e.g. key rotation and/or different algorithms) there is no risk of confusion or misuse.

@Slamdunk @lcobucci What are your thoughts on this?

@lcobucci
Copy link
Owner

@rhertogh many apologies for my delay... doing OSS has been a little challenging lately.

And since the purpose of the KeySet is to be a list of keys (e.g. key rotation and/or different algorithms) there is no risk of confusion or misuse.

I'm not sure if I understood what you mean...
A JWK key does point to an algorithm and a key set may contain keys with different algorithms.

Going with option 1 might lead us to abstractions that don't match the real-life possibilities.

Perhaps forgetting about the key set for now and having something like the implementation bellow is indeed the most flexible solution for now:

use Lcobucci\JWT\Validation\SignedWith as SignedWithInterface;

final class SignedWithOneInSet implements SignedWithInterface
{
    /** @var list<SignedWithInterface> */
    private readonly array $constraints;
    
    public function __construct(SignedWithInterface ...$constraints)
    {
        $this->constraints = $constraints;
    }

    public function assert(object $token): void
    {
        // (...)
    }
}

@lcobucci lcobucci mentioned this pull request Nov 4, 2023
Merged
@lcobucci
Copy link
Owner

lcobucci commented Nov 4, 2023

@rhertogh I'll close this one in favour of #1033

Thanks for your help!

@lcobucci lcobucci closed this Nov 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Slamdunk Slamdunk Slamdunk requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rhertogh @lcobucci @Slamdunk