Open 1-alex98 opened 1 year ago
Thanks for the suggestion, we'll see what's involved in supporting this.
I second that
Any advance on this? At the moment it's our main concern with using this module, as we'd rather point to our Keycloak instead of managing keys ourselves.
Can you give some examples -- is it just a simple, unauthenticated URL, a URL with a token in it, etc...?
~So an example would be Keycloak, which exposes the URL http://[keycloak-instance]/realms/[realm]/protocol/openid-connect/certs, which is unauthenticated and returns a JWK file as a JSON object: https://datatracker.ietf.org/doc/html/rfc7517~
Oops, wrong endpoint it would be this one: https://[keycloak-domain]/realms/[realm]/.well-known/openid-configuration
/.well-known/openid-configuration is standard across other IdPs as well, I believe - and the public key. From there the actual JWKS is in the object that is returned under .jwks_uri
- so either you could pull it from that URL (and have that JWKS URL be the thing that's actually queried) or pull it from openid-configuration, but that's just an extra step.
None of these calls need any authentication to get to
I have implemented an endpoint on my own in my application. Also JWK. Here is the specification for JWK and an example: https://www.rfc-editor.org/rfc/rfc7517.html#appendix-A.2
it is an unauthenticated URL
A lot of times JWK is supported by JWT libraries.
You'll need to parse the JWK to extract the key material. JWKs are JSON objects, and libjwt itself doesn't directly handle the conversion of JWK to a usable format for JWT signing/verification. You might need to use a JSON parsing library (like Jansson) in conjunction with libjwt.
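The two unauthenticated hops described earlier in the thread (`/.well-known/openid-configuration`, then its `jwks_uri`) followed by the JWK-to-key-material step mentioned in the comment above, as an added, self-contained example. This is not the module's, libjwt's or Keycloak's code: it uses only the Python standard library, selects the JWK whose `kid` matches the token header, and converts an RSA JWK (`n`, `e`) into a PEM `SubjectPublicKeyInfo`, which is the form most PEM-based verifiers accept. The issuer URL, `kid` values and the small modulus in the usage call are constructed for illustration; the `fetch` parameter is an assumption that lets the flow run offline, and the default fetcher refuses non-TLS URLs because a key fetched over plain HTTP could be substituted in transit.

```python
"""Resolve an RSA signing key from an OpenID Provider via discovery + JWKS.

Added example (not code from the nginx module, libjwt or Keycloak).
Flow: issuer + /.well-known/openid-configuration -> jwks_uri -> JWKS,
then pick the JWK by "kid" and emit a PEM SubjectPublicKeyInfo.
"""
import base64
import json
import urllib.request


def b64url_decode(s):
    """Base64url without padding (RFC 7515 section 2)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def http_get_json(url):
    """Default fetcher: a plain unauthenticated GET is all the endpoints need.
    Assumption for this example: key material is only accepted over TLS."""
    if not url.startswith("https://"):
        raise ValueError("refusing to fetch key material over a non-TLS URL")
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


def discover_jwks(issuer, fetch=http_get_json):
    """openid-configuration -> jwks_uri -> list of JWKs (the 'keys' array)."""
    config = fetch(issuer.rstrip("/") + "/.well-known/openid-configuration")
    return fetch(config["jwks_uri"])["keys"]


def token_kid(token):
    """Read the (still unverified) JOSE header; only 'kid' is used, for lookup."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return header.get("kid")


def select_key(keys, kid):
    """Exactly one RSA signature key must match; ambiguity is treated as an error."""
    candidates = [k for k in keys
                  if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"]
    if kid is not None:
        candidates = [k for k in candidates if k.get("kid") == kid]
    if len(candidates) != 1:
        raise LookupError("expected one matching RSA signing key, found %d"
                          % len(candidates))
    return candidates[0]


# --- minimal DER encoding (RFC 8017 RSAPublicKey, RFC 5280 SubjectPublicKeyInfo) ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_uint(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading 1 bit would make the INTEGER negative
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def rsa_jwk_to_der(jwk):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    return _der_tlv(0x30, _der_uint(n) + _der_uint(e))


RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def rsa_jwk_to_pem(jwk):
    """Wrap RSAPublicKey in SubjectPublicKeyInfo and PEM-encode it."""
    alg_id = _der_tlv(0x30, RSA_OID + b"\x05\x00")               # NULL parameters
    bit_string = _der_tlv(0x03, b"\x00" + rsa_jwk_to_der(jwk))   # 0 unused bits
    spki = _der_tlv(0x30, alg_id + bit_string)
    b64 = base64.b64encode(spki).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def resolve_pem_for_token(issuer, token, fetch=http_get_json):
    """Whole flow: discovery, kid lookup, PEM conversion."""
    return rsa_jwk_to_pem(select_key(discover_jwks(issuer, fetch), token_kid(token)))


if __name__ == "__main__":
    # Constructed offline data: a tiny modulus (0xC0FFEE) only to show the encoding.
    jwk = {"kty": "RSA", "kid": "k1", "use": "sig", "n": "wP_u", "e": "AQAB"}
    print(rsa_jwk_to_der(jwk).hex())
    print(rsa_jwk_to_pem(jwk))
```

In a module that does this for real, the JWKS response should be cached (with a bounded refresh on an unknown `kid`) so that a token check never blocks on, or is denied by, an outage of the IdP, and the `alg` in the token header must still be checked against the key type rather than trusted on its own.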
Instead of reading the key from a file or config, allow getting the key via HTTP. Similar to `auth_jwt_key_request` in the NGINX Plus docs.