Support JWKS with multiple algorithms
An auth provider that I am currently integrating with serves a JWKS with jumbled signing algorithms. For example, the well-known endpoint will have keys that use RS256, EC256 etc. The current JWSVerificationKeySelector only supports a single algorithm. My questions are as follows:
- Is there already a class that supports this scenario and I simply haven't seen it (very possible)?
- If not, can I raise a PR that implements this?
I have already implemented the JWSVerificationMultiKeySelector in our code base, but would love to contribute this back to your project (with all relevant tests of course!) if you don't have such a thing.
Comments (10)
Hi Marco,
If the key candidates are stored in a JWK set one could use the JWSVerificationKeySelector with an ImmutableJWKSet.
If that doesn't work for you, paste a snippet and I'll look at it.
Cheers,
-
Hi Vladimir, unfortunately using an ImmutableJWKSet doesn't work for me as we depend on a well-known JWKS endpoint for serving the keys (with jumbled algorithms). What makes it more tricky is that they do regular key rotation. I'd love to contribute a PR for the work that I did if you are open to it.
Cheers,
Marco.
-
Sure, feel free to send a PR.
Did you look at the https://www.javadoc.io/doc/com.nimbusds/nimbus-jose-jwt/latest/com/nimbusds/jose/jwk/source/RemoteJWKSet.html ?
-
Yes, and I’m using it too. Here is how I implemented the JWT processor using my new key selector implementation.
    private val jwtProcessor by lazy {
        DefaultJWTProcessor<SecurityContext>().apply {
            jwsTypeVerifier = DefaultJOSEObjectTypeVerifier(JOSEObjectType("ciam+jwt"))
            jwsKeySelector = JWSVerificationMultiKeySelector(
                listOf(ES256, ES384, ES512, HS256, HS384, HS512, RS256, RS384, RS512),
                RemoteJWKSet(URL(ciamJwksEndpoint))
            )
            jwtClaimsSetVerifier = DefaultJWTClaimsVerifier(
                JWTClaimsSet.Builder()
                    .issuer(issuerClaim)
                    .audience(audienceClaim)
                    .claim("scope", scope)
                    .build(),
                setOf("sub", "iss", "aud", "jti", "iat", "exp")
            )
        }
    }
Hope that with the example it makes more sense now.
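As an added example (not code from this thread or from the nimbus-jose-jwt project itself), the same processor wired up with the library's own JWSVerificationKeySelector, assuming a release that has the Set-based constructor (the approach PR 65 took); the mixed JWKS is stood in for by a constructed ImmutableJWKSet holding one RSA and one EC public key, where production code would use RemoteJWKSet, and the allowed set is restricted to the asymmetric families so a token signed with a symmetric HS256 MAC is rejected rather than looked up against the published keys.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.*;
import com.nimbusds.jose.jwk.source.*;
import com.nimbusds.jose.proc.*;
import com.nimbusds.jwt.*;
import com.nimbusds.jwt.proc.*;
import java.util.*;

public class MultiAlgJwksExample {
    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a provider JWKS that mixes key types: one RSA key, one EC key.
        RSAKey rsaKey = new RSAKeyGenerator(2048).keyID("rsa-1").generate();
        ECKey ecKey = new ECKeyGenerator(Curve.P_256).keyID("ec-1").generate();
        // Only the public halves are published, as a JWKS endpoint would do (RemoteJWKSet in production).
        JWKSource<SecurityContext> jwks = new ImmutableJWKSet<>(
                new JWKSet(List.of(rsaKey.toPublicJWK(), ecKey.toPublicJWK())));
        // Allow the RSA and EC families only; HS* is deliberately absent.
        Set<JWSAlgorithm> allowed = new HashSet<>(JWSAlgorithm.Family.RSA);
        allowed.addAll(JWSAlgorithm.Family.EC);
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(allowed, jwks));
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                new JWTClaimsSet.Builder().issuer("https://issuer.example").build(), // exact-match claims
                Set.of("sub", "iss", "exp")));                                      // required claims
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("alice").issuer("https://issuer.example")
                .expirationTime(new Date(System.currentTimeMillis() + 60_000)).build();
        // Tokens signed by either key verify: the selector matches candidates on kid and key type.
        SignedJWT rs = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("rsa-1").build(), claims);
        rs.sign(new RSASSASigner(rsaKey));
        SignedJWT es = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.ES256).keyID("ec-1").build(), claims);
        es.sign(new ECDSASigner(ecKey));
        System.out.println("RS256 accepted for " + processor.process(rs.serialize(), null).getSubject());
        System.out.println("ES256 accepted for " + processor.process(es.serialize(), null).getSubject());
        // An HS256 token, even one naming a published kid, is refused because HS256 is not in the allowed set.
        SignedJWT hs = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.HS256).keyID("rsa-1").build(), claims);
        hs.sign(new MACSigner(new byte[32])); // constructed 256-bit secret, only used to build the test token
        try {
            processor.process(hs.serialize(), null);
            System.out.println("unexpected: HS256 token accepted");
        } catch (BadJOSEException e) {
            System.out.println("HS256 rejected: " + e.getMessage());
        }
    }
}
```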
-
I got it
Please send in your patch or PR and I’ll review it.
I was also thinking of updating JWSVerificationKeySelector with a constructor that allows for multiple JWS algs, but then that would break the getExpectedJWSAlgorithm() method :(
-
Yes, that was my first approach too, but then ran into that limitation. PR for JWSVerificationMultiKeySelector and corresponding test(s) coming up.
-
Great, looking forward to it :)
-
I’ve submitted a PR for this work and ended up going for a simpler approach using the existing selector:
https://bitbucket.org/connect2id/nimbus-jose-jwt/pull-requests/65/accomodate-multiple-algorithms-in
Let me know if this looks okay, I’ll be happy to change/improve anything requested.
-
- changed status to resolved
Done with PR 65.
Apologies, I submitted this issue without having a bit bucket account.