auth0 / node-oauth2-jwt-bearer

Monorepo for libraries that protect Node APIs with OAuth2 Bearer JWTs
MIT License

Expose `access-token-jwt` library, so this package could be used without express #75

Closed markelog closed 1 year ago

markelog commented 1 year ago

Describe the problem you'd like to have solved

In my project I use Node.js but do not use Express. Would it be possible for you to export or publish the access-token-jwt as a separate entity?

Thank you

markelog commented 1 year ago

Until this issue is resolved, I extracted and published it as auth0-access-token-jwt.

adamjmcgrath commented 1 year ago

Hi @markelog - thanks for your interest in this.

You are of course welcome to fork and publish your own versions of this code, I would only kindly ask that you don't include "auth0" in the name.

Regarding publishing this, we do hope to extend this to more frameworks either through a framework agnostic package or through more framework specific packages. Will close this in favour of https://github.com/auth0/node-oauth2-jwt-bearer/issues/63

markelog commented 1 year ago

> Regarding publishing this, we do hope to extend this to more frameworks either through a framework agnostic package or through more framework specific packages.

Gotta say, as a paying customer, I am quite disappointed with your community work 😢. Since you are expressing this hope in at least three other issues like it.

> You are of course welcome to fork and publish your own versions of this code, I would only kindly ask that you don't include "auth0" in the name.

It has auth0 in its name because that's your code, I have nothing to do with it besides exposing it. Honestly, publishing this package and adding docs for it could be done in like, 30 minutes?

How would you propose for me to call it?

adamjmcgrath commented 1 year ago

> Gotta say, as a paying customer, I am quite disappointed with your community work 😢. Since you are expressing this hope in at least three other issues like it.

I'm really sorry you feel that way @markelog - we're a relatively small team of SDK engineers with a large surface area of SDKs to support and have to make hard decisions about what to support. We are grateful for the feedback though.

> It has auth0 in its name because that's your code, I have nothing to do with it besides exposing it. How would you propose for me to call it?

Auth0 has no control over what goes into your auth0-access-token-jwt package, you are the owner. I would suggest a package name that doesn't include "auth0", that way there's no risk of confusing others about ownership.

ngothiensinh commented 2 months ago

I have the same need today, the Guard in the guidelines doesn't work with the SocketIO gateway in NestJS. So I have to verify the token manually and need some method to do so but it is not exposed.

ehaynes99 commented 1 month ago

> we're a relatively small team of SDK engineers with a large surface area of SDKs to support

Respectfully, this is a strong argument in FAVOR of publishing it. The linked ticket is 2 years old now. You're never going to get to all of the frameworks, and even if you did, plenty of use cases don't use any framework at all. This isn't some component library, it's security. I want to use an official package from the auth provider, not some third party module.

But at any rate, rather than republishing, here's a bit of middleware abuse to expose the same interface as access-token-jwt:

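```ts
import { auth, type AuthOptions, type AuthResult, type JWTPayload, UnauthorizedError } from 'express-oauth2-jwt-bearer'

// `authRequired` is omitted from the accepted options so the wrapped
// middleware always reports a missing or invalid token as an error.
export const jwtVerifier = (config?: Omit<AuthOptions, 'authRequired'>) => {
  const middleware = auth(config)

  return (accessToken?: string): Promise<AuthResult> => {
    return new Promise((resolve, reject) => {
      // Minimal stand-in for an Express request: the token is supplied as the
      // `access_token` query parameter, with no headers and no typed body.
      const request = {
        query: { access_token: accessToken },
        headers: {},
        is: () => false,
        auth: undefined as unknown as AuthResult,
      }

      // The callback plays the role of Express's `next`: an argument means
      // verification failed, otherwise the result is read from `request.auth`.
      middleware(request as any, {} as any, (error: unknown) => {
        error ? reject(error) : resolve(request.auth)
      })
    })
  }
}
```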

Which can be used like:

```ts
const verifyJwt = jwtVerifier({
  issuerBaseURL: 'https://example.com',
  audience: 'https://example.com/api',
})

try {
  const authResult = await verifyJwt('abcd1234')
} catch (error) {
  console.error(error)
}
```