Closed reachmehere89 closed 2 years ago
Hi @reachmehere89, thanks for the question.
Currently only RSA is supported (RS256, RS384, RS512) as you've found, however we'd be interested in expanding algorithm support.
Which provider is that? Can you share the JWKS?
This is our company IDP and unfortunately I can't share it here(at least to be on safer side, though I can check if it can be shared). But my suggestion would be to only validate for jwks where kty is RSA only and ignore rest as other algorithms are not supported.
Okay so IIUC you want to verify a RSA-signed JWT, but the public key is includes in a JWKS that includes non-RSA public keys (that do not have n
and e
).
You're right, currently this lib requires the entire JWKS, all JWKs in it, to have n
and e
.
https://github.com/awslabs/aws-jwt-verify/blob/6476a42d34a0992356a2c12600ab5cd5aa1b651d/src/jwk.ts#L25-L31 https://github.com/awslabs/aws-jwt-verify/blob/6476a42d34a0992356a2c12600ab5cd5aa1b651d/src/jwk.ts#L108-L114
Agree that it seems fair to skip that check for all JWKs, and instead only perform it for the JWK that's actually being used.
For the time being, if you want, you can work around it, with a custom fetcher:
import { JwtRsaVerifier } from "aws-jwt-verify";
import { SimpleJwksCache, Jwks } from "aws-jwt-verify/jwk";
import { SimpleJsonFetcher, JsonFetcher } from "aws-jwt-verify/https";
import { Json } from "aws-jwt-verify/safe-json-parse";
// Please forgive the TypeScript shenanigans
class CustomJsonFetcher extends SimpleJsonFetcher {
fetch = async <ResultType extends Json>(...args: Parameters<JsonFetcher["fetch"]>) => {
const jwks = await super.fetch<Jwks>(...args);
jwks.keys = jwks.keys.filter((key) => key.n && key.e); // Or: jwks.keys.filter(key => key.kty === "RSA")
return jwks as unknown as ResultType;
};
}
const verifier = JwtRsaVerifier.create(
{
issuer: "<your-issuer>",
audience: "<your-audience>",
jwksUri: "<your-jwks-uri>",
},
{
jwksCache: new SimpleJwksCache({
fetcher: new CustomJsonFetcher(),
}),
}
);
Thanks for the suggestion. Will give it a try and post how it goes
Fix is included in v3.1.0
Question Does this library support JWKS if kty value is not only RSA My IDP provider have kty values RSA and EC. Library fails as it mandates n and e as mandatory parameters which are not there in case kty is EC
Versions Which version of
aws-jwt-verify
are you using? Latest Are you using the library in Node.js or in the Web browser? Node js If Node.js, which version of Node.js are you using? (Should be at least 14) 14.x If Web browser, which web browser and which version of it are you using? NA If using TypeScript, which version of TypeScript are you using? (Should be at least 4) NA