mercure
adding support for JWKS
Adds support for JWKS in Mercure. With this update, you would simply configure the JWKS URL and Mercure would validate the subscriber and publisher JWT based on the Key ID and the keys in the JWKS. Still a work in progress, as most tests that look for JWT need to be duplicated to test JWKS.
@dunglas Finally had some time to come back to this again. It now supports URL, JSON or key as JWKS config.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Please consider applying.
We cannot merge the patch as-is because it uses the deprecated version of keyfunc and jwt.
I rebased and slightly adjusted this patch (https://github.com/dunglas/mercure/compare/jwks_support) but there is more work to do.
Edit: upgrade to github.com/golang-jwt/jwt/v5 done in #883
I might have some time to work on #851 in coming weeks.
@broncha just rebasing on top of #822 and upgrading to the latest version of keyfunc should be enough. The latest version seems to provide a simplified API, so we just need a new option to provide the server JWKS server URL and that should be enough.
@broncha btw, do you mind if I force-push my rebase in your branch (I squashed all the commits)?
@dunglas Please go ahead. I'll pick it up from there.
I would also like to unify the jwt and jwks configs too. But I am not sure about the current status of the configs. I'll check those when I get a chance to look at this.
Also for the record, one issue I have been repeatedly facing is clock skew, where jwt creation and validation happens almost at the same time. It would be good to be able to support, which landed in golang-jwt v5.
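The validation flow discussed in this thread (select the JWKS key named by the token's `kid`, verify the signature, then tolerate clock skew on the time claims), as an added stdlib-only Python sketch; it is not code from this PR, Mercure, keyfunc or golang-jwt. The HS256 "oct" keys, the `mint` and `verify` helpers and every sample value are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key set; symmetric "oct" keys keep the example stdlib-only.
DEMO_KEY = "cHVibGlzaGVyLWRlbW8ta2V5LTAwMDAx"
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "oct", "kid": "publisher", "k": DEMO_KEY},
    {"kty": "oct", "kid": "subscriber", "k": "c3Vic2NyaWJlci1kZW1vLWtleS0wMDAy"},
]})

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(k: str, msg: str) -> str:
    """Base64url HS256 signature of msg under a JWK "k" value."""
    return b64e(hmac.new(b64d(k), msg.encode(), hashlib.sha256).digest())

def mint(kid: str, k: str, nbf: int, exp: int) -> str:
    """Build a demo token (sample input only); nbf and exp are Unix seconds."""
    head = b64e(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64e(json.dumps({"nbf": nbf, "exp": exp}).encode())
    return f"{head}.{body}.{sign(k, head + '.' + body)}"

def verify(token: str, jwks: str, now: int, leeway: int = 0) -> str:
    """Return "ok" or the reason the token is rejected."""
    try:
        head, body, sig = token.split(".")
        hdr, claims = json.loads(b64d(head)), json.loads(b64d(body))
        alg, kid, nbf, exp = hdr["alg"], hdr["kid"], claims.get("nbf", 0), claims["exp"]
        keys = json.loads(jwks)["keys"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return "malformed token or JWKS"
    if alg != "HS256":  # the verifier pins the algorithm; the header does not choose it
        return "unexpected alg"
    key = next((k for k in keys if k.get("kid") == kid and k.get("kty") == "oct"), None)
    if key is None:
        return "unknown kid"
    if not hmac.compare_digest(sig.encode(), sign(key["k"], head + "." + body).encode()):
        return "bad signature"
    if now + leeway < nbf:  # issuer clock slightly ahead: fails when leeway is 0
        return "not yet valid"
    if now - leeway > exp:
        return "expired"
    return "ok"
```

A token minted with `nbf` two seconds ahead of the verifier's clock is rejected as "not yet valid" with `leeway=0` and accepted with `leeway=5`, which is the clock-skew case described above.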