
Use iss field for validation?

Open cdupont opened this issue 5 years ago • 3 comments

In the JWT there is a field "iss", that contains the issuer claim. For example (in the case of Keycloak):

"iss": "https://example.com/auth/realms/my-realm",

This address gives:

{
  "realm": "example",
  "public_key": "MIIBIjANBgkqh...........",
  "token-service": "https://example.com/auth/realms/waziup/protocol/openid-connect",
  "account-service": "https://example.com/auth/realms/waziup/account",
  "tokens-not-before": 1587561531
}

Is it possible to use that in Servant-Auth? Maybe as an option in JWTSettings?

cdupont avatar Oct 14 '20 14:10 cdupont

You can provide your own instance for FromJWT and ToJWT. I do this as well :)

domenkozar avatar Oct 22 '20 10:10 domenkozar

Hi @domenkozar, no, what I meant is to perform a request to the "iss" (Issuer address) to get the JWKSet. This JWKSet can then be used to verify the JWT / extract claims. Something like that (pseudocode):

  1. Receive a JWT
  2. Open the JWT and read the "iss" address
  3. Get the JWKSet from the iss (HTTP GET)
  4. Verify/extract the claims from the JWT using the JWKSet

This could be an option in the JWTSettings.

cdupont avatar Oct 27 '20 13:10 cdupont
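The four steps above, as an added example that is not part of this thread or of servant-auth, written in Python with only the standard library. It adds the check a practitioner would want before step 3: the "iss" claim is read from an unverified token, so it must be matched against a configured allowlist of issuers, and the JWKSet must come from the allowlisted entry, never from a URL taken out of the token. Assumptions: the Keycloak issuer URL from the issue is the one trusted issuer, the JWKSet is an in-memory constructed "oct" (HMAC) key instead of the RSA keys Keycloak would publish, and `mint()` exists only to build sample tokens.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed demo key; a real JWKSet would carry RSA/EC public keys.
DEMO_KEY = b"constructed-secret-key"

# Allowlist: issuer -> JWKSet. In a deployment this dict would be filled by an
# HTTP GET against each *pre-configured* issuer (step 3), and cached.
TRUSTED_JWKS = {
    "https://example.com/auth/realms/my-realm": {
        "keys": [{"kty": "oct", "kid": "k1", "alg": "HS256", "k": b64url(DEMO_KEY)}]
    }
}

def unverified_parts(token: str):
    """Step 2: split the compact JWT and decode header and claims WITHOUT trusting them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts

def verify(token: str, now: float = None) -> dict:
    """Steps 2-4 with an issuer allowlist; raises ValueError on any failure."""
    header, claims, parts = unverified_parts(token)
    iss = claims.get("iss")
    if iss not in TRUSTED_JWKS:            # reject before any key lookup or network call
        raise ValueError("untrusted issuer")
    if header.get("alg") != "HS256":       # pin the algorithm; never take it from the token alone
        raise ValueError("unexpected alg")
    keys = [k for k in TRUSTED_JWKS[iss]["keys"] if k.get("kid") == header.get("kid")]
    if not keys:
        raise ValueError("unknown kid")
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected = hmac.new(b64url_decode(keys[0]["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def mint(claims: dict, key: bytes, kid: str = "k1") -> str:
    """Build a sample HS256 token (for constructing test input only)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)
```

A token whose "iss" is not in `TRUSTED_JWKS` is rejected before its signature is even examined, which is the property that makes fetching keys "from the iss" safe to offer as a JWTSettings option.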

Sure.

domenkozar avatar Oct 27 '20 13:10 domenkozar