Consider recommending verification and decoding of JWTs in two separate steps

Open anderseknert opened this issue 2 years ago • 2 comments

Although documented, even experienced users get confused by the default constraints (aud in particular) provided by io.jwt.decode_verify. I think we might want to consider recommending verifying and decoding as a two-step process, i.e.

Avoid

claims := payload {
    # decode_verify checks the signature *and* the exp/nbf/aud constraints in one call;
    # it returns [valid, header, payload], so the payload is the third element
    [valid, _, payload] := io.jwt.decode_verify("my_jwt_token", {"cert": "my certificate"})
    valid
}

Prefer

claims := payload {
    # signature check only: verify_rs256 does not look at any of the claims
    io.jwt.verify_rs256("my_jwt_token", "my certificate")
    # decode returns [header, payload, signature] without verifying anything
    [_, payload, _] := io.jwt.decode("my_jwt_token")
}

anderseknert avatar May 27 '22 10:05 anderseknert

I generally agree, but we should also give examples of checking the nbf/exp, aud, etc. criteria from Rego, then, maybe? Or at least call out the difference, and that you can't replace snippet 1 with snippet 2 and expect everything to be the same.

srenatus avatar Nov 10 '22 11:11 srenatus
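The following is an added example, not code from the issue, the style guide, or OPA itself. It shows what the two-step "Prefer" snippet above needs in order to match what io.jwt.decode_verify would have checked for you: after the signature is verified, the exp, nbf and aud claims are checked explicitly. The input and data locations (input.token, data.jwt.cert, data.jwt.audience) are assumptions chosen for the example; the policy uses the pre-v1 rule syntax the issue's own snippets use.

```rego
package jwt_two_step

# Assumed inputs (hypothetical names, not from the original issue):
#   input.token        - compact-serialized JWT presented by the caller
#   data.jwt.cert      - PEM certificate or public key used to verify RS256
#   data.jwt.audience  - the single audience value this service accepts

# Step 1: signature only. verify_rs256 says nothing about exp, nbf or aud.
signature_valid {
    io.jwt.verify_rs256(input.token, data.jwt.cert)
}

# Step 2: decode without verification; decode returns [header, payload, signature].
payload := p {
    [_, p, _] := io.jwt.decode(input.token)
}

# Current time in seconds, the unit NumericDate claims (exp, nbf) use.
now_s := time.now_ns() / 1000000000

# exp is required here: a token with no expiry is rejected.
not_expired {
    payload.exp > now_s
}

# nbf is optional in RFC 7519; a missing nbf is treated as "valid now".
not_before_ok {
    object.get(payload, "nbf", 0) <= now_s
}

# aud may be a single string or an array of strings; accept either form,
# but only if our audience is present. A token with no aud at all is rejected,
# which is the behaviour decode_verify has when an aud constraint is supplied.
audience_ok {
    payload.aud == data.jwt.audience
}

audience_ok {
    is_array(payload.aud)
    payload.aud[_] == data.jwt.audience
}

# Only expose the claims when every check passed; otherwise `claims` is undefined.
claims := payload {
    signature_valid
    not_expired
    not_before_ok
    audience_ok
}
```

Note the one deliberate difference from decode_verify: that built-in fails a token that carries an aud claim when the policy supplies no aud constraint, whereas this policy always requires the expected audience to be present. Either way, the point srenatus makes holds: dropping decode_verify means the time and audience checks move into the policy and have to be written down.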

Yes, or even better, provide a library for that purpose :)

anderseknert avatar Nov 10 '22 11:11 anderseknert