feathersjs-ecosystem / authentication-jwt

[MOVED] JWT authentication strategy for feathers-authentication using Passport
https://github.com/feathersjs/feathers
MIT License

Add support for dynamic secrets from passport-jwt #30

Closed jawadst closed 6 years ago

jawadst commented 7 years ago

passport-jwt is preparing support (https://github.com/themikenicholson/passport-jwt/pull/108) for dynamic secrets provided by a function, which is useful for tokens signed with asymmetric algorithms used with JWKS endpoints and key rotation (see https://auth0.com/blog/navigating-rs256-and-jwks/ for an example).

They will support it by adding a new config property secretOrKeyProvider that will accept a function and can be used instead of the existing secretOrKey property. Either secretOrKey or secretOrKeyProvider must be provided. Both must not be provided. The updated README: https://github.com/themikenicholson/passport-jwt/tree/pr108-secret-key-provider

This is not usable through feathers-authentication-jwt because it requires a secret property that it then maps to secretOrKey and fails if no secret is provided.

It would be great to add support for that option in feathers-authentication-jwt. This could be done by supporting an extra property that will be mapped to secretOrKeyProvider if it's present, or by simply not requiring the secret key to be provided to feathers-authentication-jwt and only mapping it if it's present.

baljeet commented 7 years ago

This would be very useful... Is anyone taking this up?

erkkaha commented 7 years ago

I think #32 closes this, could we get a new version to npm?

ptsteadman commented 7 years ago

Also interested in this. When the new version of feathers-authentication-jwt gets on npm, would we then pass a jwks client getSigningKey function as the secretOrKeyProvider option?

erkkaha commented 7 years ago

I tried this out like this.

function keyProvider(app){
  return function(request, rawJwtToken, done){
    //secretOrKeyProvider code

  };
}

app.configure(jwt({secretOrKeyProvider:keyProvider(app), secret:false}));

ricardopolo commented 6 years ago

Any news about this @daffl? I am trying to pass secretOrKeyProvider but I get an error saying I need a secret.

erkkaha commented 6 years ago

@ricardopolo I think you need to pass secret: false. For me this works now with the 1.0.2 version and could be closed.

ricardopolo commented 6 years ago

@erkkaha I just confirmed. Feathers Authentication-jwt accepts secret false, but Feathers authentication does not. So I had to pass a dummy secret.

Do you have a working secretOrKeyProvider function, please? Thanks

erkkaha commented 6 years ago

@ricardopolo My setup is like this

function keyProvider(app){
  return function(request, rawJwtToken, done){
    //secretOrKeyProvider code

  };
}

app.configure(jwt({secretOrKeyProvider:keyProvider(app), secret:false}));
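
The following is an added example, not code from any participant in this thread or from the feathers or passport-jwt projects. It shows one way to fill in the secretOrKeyProvider body for the JWKS key-rotation case from the original request, using the (request, rawJwtToken, done) signature shown above. The keyProvider(jwks) variant, the in-memory key set, the key ids and the signToken and check helpers are assumptions made so the example runs offline.

```javascript
const crypto = require('node:crypto');

// Constructed sample data: two RSA key pairs standing in for a rotating JWKS.
function makeKey(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { kid, privateKey, jwk: { ...publicKey.export({ format: 'jwk' }), kid, alg: 'RS256', use: 'sig' } };
}
const [oldKey, newKey] = ['key-old', 'key-new'].map(makeKey);
const jwks = { keys: [oldKey.jwk, newKey.jwk] };

// Hypothetical helper: builds a provider from an already-fetched JWKS document.
function keyProvider(jwks) {
  const pemByKid = new Map();
  for (const { kty, n, e, kid, use, alg } of jwks.keys) {
    if (kty !== 'RSA' || use !== 'sig' || alg !== 'RS256') continue; // skip other key types
    const key = crypto.createPublicKey({ key: { kty, n, e }, format: 'jwk' });
    pemByKid.set(kid, key.export({ type: 'spki', format: 'pem' }));
  }
  return function secretOrKeyProvider(request, rawJwtToken, done) {
    let header;
    try {
      header = JSON.parse(Buffer.from(String(rawJwtToken).split('.')[0], 'base64url').toString('utf8'));
      if (header === null || typeof header !== 'object') throw new Error('not an object');
    } catch (err) {
      return done(new Error('malformed JWT header'));
    }
    // The header is unverified input: use it only to select a key already trusted.
    if (header.alg !== 'RS256') return done(new Error('unexpected alg'));
    if (!pemByKid.has(header.kid)) return done(new Error('unknown kid'));
    return done(null, pemByKid.get(header.kid));
  };
}

// Constructed RS256 signer, used only to produce sample tokens.
function signToken(key, payload, header = { alg: 'RS256', typ: 'JWT', kid: key.kid }) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const input = `${enc(header)}.${enc(payload)}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), key.privateKey).toString('base64url')}`;
}

// Stand-in for the verifier: asks the provider for a key, then checks the signature.
function check(provider, token) {
  const [h, p, sig] = token.split('.');
  let result;
  provider({}, token, (err, pem) => {
    result = err ? err.message
      : crypto.verify('sha256', Buffer.from(`${h}.${p}`), pem, Buffer.from(sig, 'base64url')) ? 'valid' : 'bad signature';
  });
  return result;
}
```
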