ruby-jose

Verify JWT with JWK set

Open FranklinYu opened this issue 8 years ago • 5 comments

When verifying with JWK set, I have to manually loop through all the keys:

token, signature = nil
jwk.keys.find do |key|
  success, token, signature = JOSE::JWT.verify_strict(key, ['RS256'], jwt)
  success
end

I hope I can just do

JOSE::JWT.verify_strict(jwk, ['RS256'], jwt)

This has two benefits:

  1. No longer test whether it’s a JWK or JWK set.
  2. Meets the documentation better. Currently it only says jwk should be JOSE::JWK.

FranklinYu avatar Jul 06 '17 04:07 FranklinYu

bump?

FranklinYu avatar Dec 03 '17 04:12 FranklinYu

@franklinyu Sorry for the delayed response to this.

Yes, I agree with you that JWK sets should have first-class support. I'll see if I can get that together at some point.

potatosalad avatar Sep 21 '18 00:09 potatosalad

I'm trying to figure out how to use this library to do the same as OP, and in my tests, in classic red-green style, I am trying to generate the JWKS with kid first. There are almost no mentions of kid in the code or documentation, and actually one of the places where it seems like I would need it, it is being explicitly removed.

@potatosalad Is this because kid is explicitly not supported?

  def generate_key(fields)
    kty, other_fields = JOSE::JWK::KTY_RSA.generate_key([:rsa, key.n.num_bits, key.e.to_i])
    return kty, fields.delete('kid').merge(other_fields)
  end

pboling avatar Mar 11 '22 22:03 pboling

@pboling kid is often derived from the keying material itself, so when generating a new key from an existing key, the kid usually changes, too. There may be other fields that would need to be cleaned up, too, but that's outside the scope of this library.

If using a static or derived kid, I would recommend merging the kid in after generation, like:

# using existing key and a static 'kid'
old_key.generate_key().merge({'kid' => 'my_static_kid', 'use' => 'sig'})

# using params with a derived thumbprint 'kid'
jwk = JOSE::JWK.generate_key([:rsa, 4096])
jwk = jwk.merge({'kid' => jwk.thumbprint(), 'use' => 'sig'})

potatosalad avatar Mar 11 '22 22:03 potatosalad

@potatosalad Thanks! That fixed the issue for me!

I'll post up some example code to the wiki once I'm all green. I am using this library for key generation, and payload encoding, where the decoding is done with ruby-jwt. If I can figure out how to replicate ruby-jwt's JWKS support for cached / rotating keys over here, I'll switch entirely. This library is awesome!

pboling avatar Mar 11 '22 23:03 pboling
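
The pattern discussed in this thread (a thumbprint-derived kid, then picking the JWK set entry by kid instead of trying every key), as an added example that is not code from the thread or from ruby-jose. It uses only Ruby's standard OpenSSL, JSON and Base64 libraries rather than the JOSE API; all helper names and the sample keys and token are constructed for illustration.

```ruby
require 'openssl'
require 'json'
require 'base64'

def b64u(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Public JWK whose 'kid' is the RFC 7638 SHA-256 thumbprint of the key
# (required members only, in lexicographic order, no whitespace).
def public_jwk(rsa)
  jwk = { 'e' => b64u(rsa.e.to_s(2)), 'kty' => 'RSA', 'n' => b64u(rsa.n.to_s(2)) }
  jwk.merge('kid' => b64u(OpenSSL::Digest.digest('SHA256', JSON.generate(jwk))), 'use' => 'sig')
end

# Rebuild an OpenSSL public key from the JWK's n and e (PKCS#1 RSAPublicKey DER).
def to_pkey(jwk)
  ints = %w[n e].map { |m| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(Base64.urlsafe_decode64(jwk[m]), 2)) }
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence.new(ints).to_der)
end

def sign_rs256(rsa, kid, claims)
  input = [{ 'alg' => 'RS256', 'kid' => kid }, claims].map { |part| b64u(JSON.generate(part)) }.join('.')
  "#{input}.#{b64u(rsa.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Returns the claims hash, or nil. The algorithm is pinned to RS256 and the key
# is chosen by the header's 'kid'; nothing else in the header is trusted.
def verify_with_jwks(jwks, jwt)
  parts = jwt.split('.', -1)
  return nil unless parts.size == 3
  header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
  return nil unless header.is_a?(Hash) && header['alg'] == 'RS256' && header['kid'].is_a?(String)
  jwk = jwks['keys'].find { |k| k['kty'] == 'RSA' && k['kid'] == header['kid'] }
  return nil unless jwk
  valid = to_pkey(jwk).verify(OpenSSL::Digest.new('SHA256'),
                              Base64.urlsafe_decode64(parts[2]), parts[0..1].join('.'))
  valid ? JSON.parse(Base64.urlsafe_decode64(parts[1])) : nil
rescue ArgumentError, JSON::ParserError, OpenSSL::OpenSSLError
  nil
end

# Constructed sample: two freshly generated keys published as one JWK set.
KEYS = Array.new(2) { OpenSSL::PKey::RSA.new(2048) }
JWKS = { 'keys' => KEYS.map { |k| public_jwk(k) } }
TOKEN = sign_rs256(KEYS[1], JWKS['keys'][1]['kid'], { 'sub' => 'alice' })
```

A token whose kid is absent from the set is rejected without any signature check, which is also the point at which a cached JWK set would be refreshed during key rotation.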