Add a JWKS implementation #525

Merged
anakinj merged 7 commits into jwt:main from bellebaum:jwk/set
Oct 21, 2022

@bellebaum
Contributor

This PR Draft implements JWK Sets (Part of RFC 7517) for easier handling of sets.

The goal was to make the handling of JWKS easier. E.g.

```ruby
require 'json'
require 'net/http'
require 'openssl'
require 'jwt'

# my_friends_jwks_uri (a URI) and some_token are placeholders
json = Net::HTTP.get(my_friends_jwks_uri)
jwks = JWT::JWK::Set.new(JSON.parse(json))
jwks.filter! { |key| key[:use] == 'sig' } # Signing Keys only
algorithms = jwks.map { |key| key[:alg] } # & algs_allowed_by_local_policy
JWT.decode some_token, nil, true, algorithms: algorithms, jwks: jwks

my_jwks = JWT::JWK::Set.new # Empty JWKS
my_jwks << JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), use: 'sig')
my_jwks << OpenSSL::PKey::RSA.new(2048)
my_jwks.merge(jwks)
hash = my_jwks.export
```

The draft allows for basic manipulation of the set:

  • adding JWKs
  • merging JWKSs
  • filtering JWKs inside a JWKS
  • exporting to Hash

Where possible, I tried to use function names and semantics common in the standard library, to not subvert user expectations.

There are currently no tests or documentation, but I would like to get some early feedback to incorporate :)
The selection of methods on JWKSs is currently based on stuff I find helpful in my projects, so feel free to request any changes.

Comment thread lib/jwt/jwk/key_finder.rb
Comment thread lib/jwt/jwk/set.rb Outdated
@anakinj
Member

anakinj commented Oct 18, 2022

This is a great idea. Left a few random comments

@bellebaum
Contributor Author

The uniq! bug seems strange.
It sometimes works for me using the openssl gemfile, and I was hoping that this was some setup-issue, but apparently it is not.
The documentation seems to indicate that uniq! on Arrays filters duplicates as indicated by comparison using .eql?. Comparing the two elements manually using this method shows that they are indeed equal, yet uniq! does not find any duplicates. I think I am missing something obvious here.

@anakinj
Member

anakinj commented Oct 19, 2022

About the #uniq! issue. I think the objects need to have the #hash method. I think the documentation is wrong.

For example

```ruby
def hash
  self[:kid].hash
end
```
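
An added example, not part of the thread or of ruby-jwt's code: Ruby's hash-based lookups (Hash keys, `Array#uniq`) only treat two objects as duplicates when `#hash` agrees with `#eql?`, which is the contract the comment above points at. `KeyStub`, `HashedKeyStub`, the helper names and the kid values are hypothetical, constructed for illustration.

```ruby
# Added illustration. KeyStub is a hypothetical stand-in for a JWK object,
# not the ruby-jwt class; the kid values are constructed.
class KeyStub
  def initialize(params)
    @params = params
  end

  def [](name)
    @params[name]
  end

  # Two stubs are equal when their key ids match.
  def eql?(other)
    other.is_a?(KeyStub) && self[:kid] == other[:kid]
  end
  alias == eql?
end

# Adds a #hash that agrees with #eql?, as suggested in the comment above.
# Keying on kid alone means distinct keys sharing a kid collapse into one.
class HashedKeyStub < KeyStub
  def hash
    self[:kid].hash
  end
end

def sample_keys(klass)
  %w[constructed-kid-1 constructed-kid-1 constructed-kid-2].map do |kid|
    klass.new(kid: kid, use: 'sig')
  end
end

# Pairs that are eql? but hash differently break the contract that
# hash-based lookups (Hash keys, Array#uniq) rely on.
def contract_violations(keys)
  keys.combination(2).count { |a, b| a.eql?(b) && a.hash != b.hash }
end

def unique_count(keys)
  keys.uniq.size
end

if __FILE__ == $PROGRAM_NAME
  [KeyStub, HashedKeyStub].each do |klass|
    keys = sample_keys(klass)
    puts "#{klass}: violations=#{contract_violations(keys)} unique=#{unique_count(keys)}"
  end
end
```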

bellebaum marked this pull request as ready for review October 20, 2022 10:48
@anakinj
Member

anakinj commented Oct 20, 2022

The failing test is probably because ruby/openssl#538 has been shipped. Need to make the tests somehow pass on all versions. I'll take a look at this at some point in the near future. On a quick glimpse it looks great.

@anakinj
Member

anakinj commented Oct 21, 2022

@bellebaum I fixed the CI for ruby-head. Could you be so kind and rebase/merge main into your branch?

Also a changelog entry would be great in regards to this feature addition.

anakinj merged commit 771630d into jwt:main Oct 21, 2022
@anakinj
Member

anakinj commented Oct 21, 2022

Great stuff. Big thank you for putting effort into this!
