Closed glovekyl closed 1 week ago
@glovekyl we have done an improvement to the JWT module to support providing crypto:PrivateKey and crypto:PublicKey directly in the issuer/validator configurations [1] [2].
Could you please check whether this approach works for you?
[1] - https://github.com/ballerina-platform/ballerina-library/issues/6515
[2] - https://github.com/ballerina-platform/module-ballerina-jwt/pull/1229
With Ballerina JWT v2.13.0 [1] we have introduced support to directly provide crypto:PrivateKey and crypto:PublicKey directly in the issuer/validator configurations [2]. With Ballerina crypto v2.7.2 [3] you can construct a crypto:PrivateKey and crypto:PublicKey using the file content [4]. With those features I think we can achieve what is described in the issue. Hence, will close the issue and please do not hesitate to re-open it if you are not satisfied with the current features.
[1] - https://central.ballerina.io/ballerina/jwt/2.13.0
[2] - https://github.com/ballerina-platform/ballerina-library/issues/6515
[3] - https://central.ballerina.io/ballerina/crypto/2.7.2
[4] - https://github.com/ballerina-platform/ballerina-library/issues/6517
Description
Although decoding, and verification using JWKS endpoints and a certificate file, are supported, the ballerina/jwt package does not support verification of private key-signed RS256 JWT tokens using the public key.
Describe your problem(s)
The ballerina/jwt package does not support verification using the public key of an RS256 JWT token signed using a private key. The keys are generated using the following shell commands:
Describe your solution(s)
Allow ballerina/jwt package to verify a JWT token using the private key, or public key. Something similar to this [frontegg.com].
In a standard TypeScript example, simple signing and verification can be done as follows:
JWT tokens are signed as such:
Then use the public key to verify the signed token whenever needed by another service:
It is possible to create a workaround using Ballerina FFI bindings to utilise auth0/java-jwt. The following (rather inelegant) example expects a base64 encoded public key, and sets the privatekey as null. Ballerina then uses this Java code through FFI bindings to verify the token using the public key, but this could easily be extended to use a public or private key.
Suggested Labels (optional):
Suggested Assignees (optional):
Based on this Discord discussion: Verify JWT using public key
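
An added example, not code from the issue or from the Ballerina project: the flow the issue asks for, where the issuer signs an RS256 JWT with the private key and the validator checks it holding only the public key, written for Node.js with its built-in crypto module. The function names, the in-process demo key pair and the `exp` handling are assumptions made for illustration.

```javascript
// Added example: RS256 JWT signing with a private key and verification with
// only the public key, using Node's built-in crypto module (no JWT library).
const { generateKeyPairSync, createSign, createVerify } = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Issuer side: holds the private key (PEM).
function signRs256(payload, privateKey) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const signature = createSign('RSA-SHA256').update(signingInput).sign(privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Validator side: holds only the public key (PEM). Returns the payload or throws.
function verifyRs256(token, publicKey, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [headerB64, payloadB64, signatureB64] = parts;
  const header = JSON.parse(Buffer.from(headerB64, 'base64url').toString('utf8'));
  // Pin the algorithm: the token must not choose how it is verified.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = createVerify('RSA-SHA256')
    .update(`${headerB64}.${payloadB64}`)
    .verify(publicKey, Buffer.from(signatureB64, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Only parse and trust claims after the signature has been checked.
  const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf8'));
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) {
    throw new Error('token expired');
  }
  return payload;
}

// Constructed demo key pair, generated in-process so the example runs offline.
function demoKeys() {
  return generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}
```

The validator never needs the private key: `verifyRs256` accepts the SPKI PEM public key alone, which is the deployment split the issue describes between the signing service and other services.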