
Support JWK

Open fproject opened this issue 8 years ago • 31 comments

Could you add support for JWK?

http://tools.ietf.org/html/draft-ietf-jose-json-web-key-02

fproject avatar Sep 09 '15 16:09 fproject

+1

nguyenbs avatar Sep 09 '15 16:09 nguyenbs

Sure! I'm just fixing the issue #30 and will plan the best way to support it.

lcobucci avatar Sep 10 '15 02:09 lcobucci

I'm starting this effort on lcobucci/jwk#1 and I'll change this lib to use JWK to sign this. Any help is welcome!

lcobucci avatar Sep 11 '15 13:09 lcobucci

Can I use this library in PHP 5.3.3?

oasisguy avatar Nov 16 '15 18:11 oasisguy

@eugenehan no, this lib can just be used with PHP 5.5+ (since there's no support for earlier versions http://php.net/supported-versions.php).

Our next major release will only support PHP 7.

lcobucci avatar Nov 16 '15 23:11 lcobucci

@lcobucci would you support the previous version after migrating to PHP 7?

scaytrase avatar Feb 07 '16 08:02 scaytrase

@scaytrase the plan is that we'll keep the new features on v4.x+ and security/bug fixes on both v3.x and v4.x+.

lcobucci avatar Feb 07 '16 11:02 lcobucci

This would be handy, AWS Cognito provides an RSA JWK and to verify them you need to convert to PEM first.

benjy avatar Aug 10 '17 07:08 benjy

Is there any more news on this feature? Currently, this appears to be the best PHP library for features and small size, but it is a pain to write my own code to convert JWKs to PEM. I'm happy to help if there are specific jobs to do; I don't believe it is hard to convert a Base64 JWK into a raw public key.

lukos avatar May 29 '18 14:05 lukos
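A dependency-free way to do the conversion lukos describes, as an added example that is not code from this thread, from lcobucci/jwt or from web-token: it builds the DER SubjectPublicKeyInfo for an RSA public JWK (the `n` and `e` members) by hand and wraps it in PEM, which `InMemory::plainText()` and ext-openssl accept. The function names are my own, and the final `openssl_pkey_get_public()` call is only a self-check on the produced encoding.

```php
<?php
declare(strict_types=1);

/** base64url (RFC 7515 section 2, unpadded) to raw bytes; strict mode so junk is rejected. */
function b64urlDecode(string $s): string
{
    $raw = base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
    if ($raw === false) {
        throw new InvalidArgumentException('invalid base64url input');
    }
    return $raw;
}

/** DER TLV: one tag byte, definite length (short or long form), then the content. */
function der(int $tag, string $content): string
{
    $len = strlen($content);
    $lenBytes = ltrim(pack('N', $len), "\0");
    return chr($tag) . ($len < 0x80 ? chr($len) : chr(0x80 | strlen($lenBytes)) . $lenBytes) . $content;
}

/** Unsigned big-endian magnitude to DER INTEGER (a leading 0x00 keeps it positive). */
function derUint(string $magnitude): string
{
    $magnitude = ltrim($magnitude, "\0");
    if ($magnitude === '' || (ord($magnitude[0]) & 0x80) !== 0) {
        $magnitude = "\0" . $magnitude;
    }
    return der(0x02, $magnitude);
}

/** Added example (not lcobucci/jwt or web-token code): RSA public JWK -> PEM SubjectPublicKeyInfo. */
function rsaJwkToPem(array $jwk): string
{
    // A verification key must be public: "n" and "e" present, no private member such as "d".
    if (($jwk['kty'] ?? null) !== 'RSA' || !isset($jwk['n'], $jwk['e']) || isset($jwk['d'])) {
        throw new InvalidArgumentException('expected a public RSA JWK with "n" and "e"');
    }
    $rsaPublicKey = der(0x30, derUint(b64urlDecode($jwk['n'])) . derUint(b64urlDecode($jwk['e'])));
    // AlgorithmIdentifier: OID 1.2.840.113549.1.1.1 (rsaEncryption) with NULL parameters
    $algId = der(0x30, der(0x06, "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") . der(0x05, ''));
    $spki  = der(0x30, $algId . der(0x03, "\0" . $rsaPublicKey)); // BIT STRING with 0 unused bits
    $pem   = "-----BEGIN PUBLIC KEY-----\n" . chunk_split(base64_encode($spki), 64, "\n") . "-----END PUBLIC KEY-----\n";
    if (openssl_pkey_get_public($pem) === false) { // self-check: the DER we built must parse as a key
        throw new RuntimeException('generated PEM does not parse: ' . openssl_error_string());
    }
    return $pem;
}
```

Only RSA keys are handled here; an EC JWK needs a different SubjectPublicKeyInfo (named curve OID plus the uncompressed point), which is the gap shadowhand and Spomky discuss below.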

https://github.com/acodercat/php-jwk-to-pem might be helpful until JWK support lands.

shadowhand avatar Jul 02 '19 20:07 shadowhand

@shadowhand the problem with this library is that it only supports RSA keys, not EC ones. Moreover it will add some dependencies to your project... not really fun, right?

May I suggest you have a look at the PHP console app?

```shell
curl -OL https://github.com/web-token/jwt-app/raw/gh-pages/jose.phar
curl -OL https://github.com/web-token/jwt-app/raw/gh-pages/jose.phar.pubkey
chmod +x jose.phar

./jose.phar key:convert:pkcs1 '{"kty":"EC","crv":"P-256","d":"kiNCxSbRjlAbHrEbrwVKS8vIXUh6URChrmw","x":"-wdLWDWCZP6oFYl8aGVfU0MsFlckjaSVrO7hEsc8lgk","y":"rt8XDTalLMCRB5Tu9WQc2d0TOVwXXHkVDbI7cIig6r4"}'

# Will return:
# -----BEGIN EC PRIVATE KEY-----
# MHcCAQEEIJIjQsUm0Y5QGx6xG68N4GrprVrFSkvLyF1IelEQoa5soAoGCCqGSM49
# AwEHoUQDQgAE+wdLWDWCZP6oFYl8aGVfU0MsFlckjaSVrO7hEsc8lgmu3xcNNqUs
# wJEHlO71ZBzZ3RM5XBdceRUNsjtwiKDqvg==
# -----END EC PRIVATE KEY-----
```

It also offers a lot of useful commands (key creation, analyze, keyset features...).

Spomky avatar Jul 05 '19 09:07 Spomky

@Spomky We only need support for PEM keys during a HTTP request lifecycle, so the package I linked is better fit for our needs.

As a side note: jwt-framework (and jose.phar) is an impressive project. Unfortunately it seems more concerned with being academically correct than useful. The docs took a long time to digest, and in our case the gmp requirement is a show stopper, as our runtime (lambda + bref) doesn't have it available.

shadowhand avatar Jul 05 '19 11:07 shadowhand

Any details about the implementation? Are you still waiting, or is there already a branch to support it?

dimacros avatar Aug 02 '19 19:08 dimacros

Just wanted to register my +1 for this feature.

I've implemented acodercat/php-jwk-to-pem in the meantime and it works fine for AWS Cognito. Perhaps you could simply consume this library as an optional dependency to add this feature more quickly?

@lcobucci If you're interested I could put together a PR for you based on using this library? Let me know if this is an approach you'd be happy with, or if you'd rather go another way.

sc0ttdav3y avatar Oct 23 '19 02:10 sc0ttdav3y

+1 from my side as well. JSON Web Key document support should be part of this library.

tarunjangra avatar Jan 04 '20 08:01 tarunjangra

@lcobucci Would this be eligible for a move to 4.0.0 milestone from 5.0.0 with sponsored development?

bradjones1 avatar Oct 28 '20 17:10 bradjones1

@bradjones1 thanks for the offer. My plan is to redesign the key so that we can implement jwk without breaking BC but wanted to make it part of v4.1.

v4 requires PHP 7.4+, does that meet your needs?

lcobucci avatar Oct 31 '20 22:10 lcobucci

@lcobucci Modern PHP at 7.4+ is no blocker on our side. Thanks very much for your work on the module and I look forward to helping.

bradjones1 avatar Nov 13 '20 01:11 bradjones1

Not a solution to the JWK-to-PEM problem nor any help for JWK support, but just a mention that https://github.com/lcobucci/jwt/pull/605 got merged and now EdDSA signatures can be used too for asymmetric signing: EdDSA keys don't need PEM conversion, so they can be a nice workaround, considering also that they are more secure.

Slamdunk avatar Dec 16 '20 15:12 Slamdunk

Dear @lcobucci,

What's the status of this?

Thanks!

drupol avatar Feb 08 '21 13:02 drupol

+1

abbluiz avatar Aug 05 '21 20:08 abbluiz

If you want to verify that a JWT has been signed using someone's private key, you can do:

```shell
composer req web-token/jwt-core
```

```php
<?php
use Jose\Component\Core\JWK;
use Jose\Component\Core\Util\RSAKey;
use Lcobucci\JWT\Encoding\JoseEncoder;
use Lcobucci\JWT\Signer;
use Lcobucci\JWT\Token\Parser;
use Lcobucci\JWT\Validation;

$key = <<<'KEY'
{
  "kty": "RSA",
  "e": "AQAB",
  "kid": "rsa1",
  "alg": "RS256",
  "n": "yKqGRQyJtqxRm_Mo2YTCCAkPS..."
}
KEY;

// web-token/jwt-core: parse the JWK and convert it to a PEM public key
$jwk = JWK::createFromJson($key);
$pem = RSAKey::createFromJWK($jwk)->toPEM();

// lcobucci/jwt: the validator expects a parsed Token, not the raw JWT string
$token = (new Parser(new JoseEncoder()))->parse('...');
$constraints = [
    new Validation\Constraint\SignedWith(
        new Signer\Rsa\Sha256(),
        Signer\Key\InMemory::plainText($pem)
    ),
];
$validator = new Validation\Validator();
$validator->assert($token, ...$constraints);
```

...

🤝

hallboav avatar Aug 28 '21 02:08 hallboav

@shadowhand in https://github.com/lcobucci/jwt/issues/32#issuecomment-508733011:

> The docs took a long time to digest, and in our case, the gmp requirement a show stopper, as our runtime (lambda + bref) doesn't have it available.

As I understand @Spomky, the gmp extension is now optional in the web-token/jwt-core library you suggested above, yes?

From https://web-token.spomky-labs.com/introduction/pre-requisite:

> Please note that cypher operation may be really slow, especially RSA functions. It is highly recommended to enable GMP or BCMath.

But presumably this will be no slower than a library that avoids either of those deps, right?

patcon avatar May 16 '22 00:05 patcon

@lcobucci I've been having a look at this after the discussion on #mezzio slack.

From what I can see, the shortest path would be a Validation\Constraint\SignedWithJwk that consumes a JwkSet containing the parsed key(s). I think this can be done without any BC breaks. The assert() method would get the kid from the token, construct a "real" SignedWith using the PEM from the matching JWK, then call assert() on that.

Does that make sense to you? If there's a better approach let me know... I sort of feel like the existing SignedWith should be handling it, but I can't see a way without a custom Signer, which would require further changes to the code.

kynx avatar Aug 09 '22 17:08 kynx
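The shape kynx sketches above, written out as an added example (a hypothetical class, not code from this thread or from lcobucci/jwt): a constraint that takes the already converted PEM keys indexed by `kid`, picks the one named in the token header and delegates to the real `SignedWith`, so no custom `Signer` is needed. It is written against the v4 `Constraint`, `Token`, `InMemory` and `ConstraintViolation` API; `$pemByKid` is assumed to be built beforehand from the JWK Set.

```php
<?php
declare(strict_types=1);

use Lcobucci\JWT\Signer;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Token;
use Lcobucci\JWT\Validation\Constraint;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\ConstraintViolation;

/**
 * Hypothetical constraint (added example, not part of lcobucci/jwt): selects the
 * verification key by the token's "kid" header and delegates to the real SignedWith.
 */
final class SignedWithJwkSet implements Constraint
{
    /** @var Signer */
    private $signer;
    /** @var array<string, string> PEM public keys indexed by kid, converted from the JWK Set beforehand */
    private $pemByKid;

    public function __construct(Signer $signer, array $pemByKid)
    {
        $this->signer   = $signer;
        $this->pemByKid = $pemByKid;
    }

    public function assert(Token $token): void
    {
        $kid = $token->headers()->get('kid');
        if (!is_string($kid) || $kid === '') {
            // No kid: refuse rather than trying every key in the set against the signature.
            throw new ConstraintViolation('Token carries no "kid" header');
        }
        if (!isset($this->pemByKid[$kid])) {
            // Unknown kid: the caller may refresh the JWKS once; the token itself stays untrusted.
            throw new ConstraintViolation(sprintf('No key with kid "%s" in the JWK Set', $kid));
        }
        // SignedWith also rejects a token whose "alg" header differs from $this->signer.
        (new SignedWith($this->signer, InMemory::plainText($this->pemByKid[$kid])))->assert($token);
    }
}

// Usage, mirroring the SignedWith example earlier in this thread:
// $validator->assert($token, new SignedWithJwkSet(new Signer\Rsa\Sha256(), $pemByKid));
```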

For those wondering how to achieve something like @hallboav showcased, but with phpseclib instead, here is some sample code that my colleague and I wrote to try this out: https://gist.github.com/sicet7/115bfe433e9f6f68d892c5966ed33ebb

sicet7 avatar Jul 04 '23 15:07 sicet7

This helped me https://www.tuxed.net/fkooman/blog/json_web_key_set.html

coffe4u avatar Aug 24 '23 00:08 coffe4u

This feature seems not to be planned anymore?

I tested the solution @hallboav provided; it works well, thank you for that. Unfortunately it still has two flaws which make it not really an acceptable solution (to me).

  1. It adds another dependency for a relatively neat technology like JWT which could be unmaintained in the future.
  2. A lot worse: the RSAKey class is marked internal.

I picked lcobucci/jwt because it is used in league/oauth2-server, which is planned to be used for OAuth as well, but for those like me needing a bigger feature set around JWT the web-token library collection unfortunately seems to be the better fit.

simonberger avatar Aug 28 '23 18:08 simonberger

> for a relatively neat technology like JWT which could be unmaintained in the future.

???????????? What?

Ocramius avatar Aug 28 '23 18:08 Ocramius

> > for a relatively neat technology like JWT which could be unmaintained in the future.
>
> ???????????? What?

Where exactly is your big question mark? I was talking about the two libraries the solution is using, which increases the likelihood that one could be unmaintained. Surely not JWT, if that was the issue here. 😆

simonberger avatar Aug 28 '23 21:08 simonberger

Hello @simonberger, thanks for sharing your thoughts.

It's very unlikely that this library will get unmaintained in the future.

You see, I've implemented this library to satisfy the needs I had. Opening it up as OSS was mainly to share that with the rest of the world.

All the features we ended up having were either centred around my needs or the community's (who valiantly pushed change requests over years).

I've never missed JWK support, therefore it was never logical to spend my time implementing it. Especially after I became a father and started having less and less time for myself.

I see four possibilities here:

  1. Someone who needs JWK uses their time to implement it in a way that's compatible with the existing API and keeps external deps at a minimum. I'm more than happy to provide guidance for them.
  2. Someone's company sponsors the development of the feature. I'd gladly hop on a call and further explain this.
  3. People follow the advice given here to integrate different tools and have the conversion between JWK and openssl/sodium keys.
  4. People switch to a different solution that meets their requirements; after all, we never intended to be the one library to rule them all.

Feel free to send us a PR or an email if you decide to follow paths 1 or 2 👍

lcobucci avatar Aug 29 '23 07:08 lcobucci