Nerzal / gocloak

golang keycloak client
Apache License 2.0

Support for es256 #236

Closed: mirisbowring closed this issue 2 years ago

mirisbowring commented 3 years ago

Is your feature request related to a problem? Please describe.
The following function supports RSA signatures only. https://github.com/Nerzal/gocloak/blob/2abe97ee6b3036efff7611e94119f50c8fe90709/pkg/jwx/jwx.go#L78

Due to compliance guidelines, I have to use ES256 as the signature algorithm.

Besides, ES256 is much more performant than RS signatures.

Describe the solution you'd like
It would be a nice improvement for this framework to implement other signature algorithms like ES too.

Nerzal commented 3 years ago

I honestly have never looked at how to implement other signatures. But yes, it would be a great addition to be able to work with other algorithms as well.

mirisbowring commented 3 years ago

There is a library called jwx for Go. It supports JWT, JWK (what we need), JWS, and so on.

Probably this could be used for a more generic verification function?

I had a look yesterday in the evening, but it would be a breaking change for your framework unless this generic validation mechanism becomes a new endpoint.

Nerzal commented 3 years ago

What would that breaking change look like?

A breaking change would be okay, if we are able to add more features. We'd just raise the major version by one in that case.

mirisbowring commented 3 years ago

The breaking change would be to keep the function (DecodeAccessToken) and implement a mechanism to automatically detect / parse the algorithm. Based on the JWT library (I think you are using jwt-go) one could decode the algorithms.

A soft change could be to implement a function to detect the type and add a function for each algorithm.

Nerzal commented 3 years ago

@SVilgelm do you have an opinion on this one?

Personally I'd be fine with both ways.

SVilgelm commented 3 years ago

I'm OK with breaking changes as well, I don't see any problems here.