This repository has been archived by the owner on Mar 22, 2021. It is now read-only.
With the direct dependency on the ruby-jwt library, knock currently can't easily support Client Credentials Grants via Auth0. This is due to the fact that the JWT library only accepts RSA public keys for decoding, rather than JWKS keys provided from a well-known URL. This issue is being discussed here: jwt/ruby-jwt#158 and will perhaps be resolved in the near future.
Since there's such a small footprint of the code that depends on JWT, perhaps it's possible to abstract the library and default to JWT but allow the user to replace it with JSON::JWT which does support decoding tokens with JWKS public keys.
I will see if I can make the time to put together a pull request, but in the meantime, would love to hear feedback about this approach.
I guess the simpler alternative would be to simply switch dependencies, since they seem to ultimately perform the same function. Just saw that it doesn't do claims verification, so it's not exactly the same (although it's easily replicated as per the example here: https://github.com/nov/json-jwt/wiki#decode--verify).
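An added example, not part of the original issue and not code from knock, ruby-jwt or json-jwt: using only Ruby's standard library, it shows the two steps discussed above, turning a JWKS entry into an RSA public key and then doing the signature and claims verification by hand. The `kid`, issuer and audience values and the locally generated key pair are constructed; in practice the JWKS hash would be the parsed JSON from the provider's well-known URL.

```ruby
require 'openssl'
require 'json'
class TokenError < StandardError; end

# base64url (RFC 7515): URL-safe alphabet, padding stripped.
def b64u_decode(s)
  (s.tr('-_', '+/') + '=' * ((4 - s.size % 4) % 4)).unpack1('m0')
end
def b64u_encode(bin)
  [bin].pack('m0').tr('+/', '-_').delete('=')
end

# Build an RSA public key from a JWK's n and e (DER-encoded as PKCS#1 RSAPublicKey).
def jwk_to_rsa(jwk)
  raise TokenError, 'not an RSA JWK' unless jwk['kty'] == 'RSA'
  ints = %w[n e].map { |f| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(b64u_decode(jwk[f]), 2)) }
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence.new(ints).to_der)
end

# Verify an RS256 token against a JWKS hash; returns the claims or raises.
def verify_jwt(token, jwks, iss:, aud:, now: Time.now.to_i)
  h64, p64, s64, extra = token.split('.', -1)
  raise TokenError, 'malformed token' if s64.nil? || extra
  header = JSON.parse(b64u_decode(h64))
  # Pin the algorithm; the token must not be able to pick "none" or HMAC.
  raise TokenError, 'unexpected alg' unless header['alg'] == 'RS256'
  jwk = jwks['keys'].find { |k| k['kid'] == header['kid'] }
  raise TokenError, 'unknown kid' unless jwk
  ok = jwk_to_rsa(jwk).verify(OpenSSL::Digest.new('SHA256'), b64u_decode(s64), "#{h64}.#{p64}")
  raise TokenError, 'bad signature' unless ok
  claims = JSON.parse(b64u_decode(p64))
  # Claims checks the caller has to do when the library does not.
  raise TokenError, 'expired' unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  raise TokenError, 'wrong issuer' unless claims['iss'] == iss
  raise TokenError, 'wrong audience' unless Array(claims['aud']).include?(aud)
  claims
end

# Constructed sample data: a local key pair stands in for the provider's JWKS.
def sample_jwks_and_signer
  key = OpenSSL::PKey::RSA.new(2048)
  jwk = { 'kty' => 'RSA', 'kid' => 'demo-1',
          'n' => b64u_encode(key.n.to_s(2)), 'e' => b64u_encode(key.e.to_s(2)) }
  sign = lambda do |header, claims|
    input = [header, claims].map { |part| b64u_encode(JSON.generate(part)) }.join('.')
    "#{input}.#{b64u_encode(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
  end
  [{ 'keys' => [jwk] }, sign]
end
```
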