Issue #, if available: #87 (but that was not the main point of this PR)
Description of changes: This PR adds support for verifying JWTs that were signed with ES256/ES384/ES512.
This is a necessary step in order to e.g. add an AWS ALB JWT verifier #109.
I've added support for ES256/ES384/ES512 by making the previous `JwtRsaVerifier` more generic: it has now become the `JwtVerifier`. For backward compatibility, I added an alias from `JwtRsaVerifier` to `JwtVerifier` that should cover most simple cases, but all in all this PR is a pervasive change; for example several types were changed and these changes are likely to be breaking for some users. Thus we should release the updated code in a new major version.
Interestingly the `CognitoJwtVerifier` now also supports verifying ES256/ES384/ES512 signed JWTs, because it subclasses the same machinery that the generic `JwtVerifier` uses, but I don't see this as an issue. If Cognito ever starts using ES256/ES384/ES512 it means this lib will just work as is. Also, the `alg` on the Cognito JWKs is leading for which `alg` is supported anyway, which currently is always RS256, RS384, RS512. I've also added some docs on how the `alg` from the JWK must match the `alg` on the JWT header.
ALSO TAKE NOTE: we no longer support Node 14 but now require Node 16. This seems reasonable since Node 14 is really old by now (even 16 is). The benefit to the codebase of dropping Node 14 support and requiring Node 16 is that we no longer need the custom ASN.1 decoder. So we got rid of some code 🎉
While at it, also fixed #87 because it was low-hanging fruit in a piece of code I was touching.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
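The rule described above (the `alg` on the JWK must match the `alg` on the JWT header), as an added example that is not code from this PR or from the library: it uses Node 16's built-in `crypto` to import a JWK and verify the raw ECDSA signature without any ASN.1 decoding. `verifyJwtSignature`, `makeSample` and the sample key and token are hypothetical names and constructed values.

```javascript
const crypto = require("node:crypto");

// JWS alg -> hash; a Map so header values like "constructor" or "none" never match.
const HASH = new Map([["ES256", "sha256"], ["ES384", "sha384"], ["ES512", "sha512"],
  ["RS256", "sha256"], ["RS384", "sha384"], ["RS512", "sha512"]]);
const CURVE = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
const b64json = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// Hypothetical helper: checks the signature only, not exp/iss/aud claims.
function verifyJwtSignature(jwt, jwk) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("JWT must have 3 parts");
  const [h, p, s] = parts;
  const { alg } = b64json(h);
  if (!HASH.has(alg)) throw new Error(`Unsupported alg: ${alg}`);
  // The JWK's alg is leading: the header alg must agree with it.
  if (jwk.alg && jwk.alg !== alg) throw new Error(`JWT alg ${alg} does not match JWK alg ${jwk.alg}`);
  // The key type (and, for EC keys, the curve) must fit the algorithm.
  const isEc = alg.startsWith("ES");
  if (jwk.kty !== (isEc ? "EC" : "RSA")) throw new Error(`JWK kty ${jwk.kty} cannot be used with ${alg}`);
  if (isEc && jwk.crv !== CURVE[alg]) throw new Error(`JWK crv ${jwk.crv} cannot be used with ${alg}`);
  const key = crypto.createPublicKey({ key: jwk, format: "jwk" });
  // JWS carries ECDSA signatures as raw r||s; Node verifies that format
  // directly, so no ASN.1/DER handling is needed.
  const opts = isEc ? { key, dsaEncoding: "ieee-p1363" } : { key };
  const ok = crypto.verify(HASH.get(alg), Buffer.from(`${h}.${p}`), opts, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("Invalid signature");
  return b64json(p);
}

// Constructed sample: a throwaway P-256 key and an ES256 token signed with it.
function makeSample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const jwk = { ...publicKey.export({ format: "jwk" }), alg: "ES256" };
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const input = `${enc({ alg: "ES256", typ: "JWT" })}.${enc({ sub: "demo" })}`;
  const sig = crypto.sign("sha256", Buffer.from(input), { key: privateKey, dsaEncoding: "ieee-p1363" });
  return { jwk, jwt: `${input}.${sig.toString("base64url")}` };
}

const sample = makeSample();
console.log(verifyJwtSignature(sample.jwt, sample.jwk));
```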