add jwks support, enable use of jwks rotation feature and upgrade underlying JWT library

[tarcisioN]

As #40 and #27, we need to support multiple keys (jwks) and support rotation.

This PR implements new methods to handle with that. Also we update github.com/lestrrat-go/jwx to v2 to support those features.

[tanmaij]

jwtauth. go file has some errors

jwtauth.go:39:40: too many arguments in call to jwt.WithVerify have (jwa.SignatureAlgorithm, interface{}) want (bool) C:\Users\HP\go\src\github.com\go-chi\jwtauth\jwtauth.go:41:40: too many arguments in call to jwt.WithVerify have (jwa.SignatureAlgorithm, interface{}) want (bool) C:\Users\HP\go\src\github.com\go-chi\jwtauth\jwtauth.go:135:25: cannot use ja.alg (variable of type jwa.SignatureAlgorithm) as type jwt.SignOption in argument to jwt.Sign: jwa.SignatureAlgorithm does not implement jwt.SignOption (missing Ident method) C:\Users\HP\go\src\github.com\go-chi\jwtauth\jwtauth.go:135:33: cannot use ja.signKey (variable of type interface{}) as type jwt.SignOption in argument to jwt.Sign: interface{} does not implement jwt.SignOption (missing Ident method)

[tarcisioN]

@tanmaij Building fine and all tests passing here. It seems to be something wrong on your environment. Have you updated (go mod tidy) lestrrat-go/jwx/v2?

Actually, i think you are running master code:

that is jwtauth.go:39: func New(alg string, signKey interface{}, verifyKey interface{}) *JWTAuth {

and that is jwtauth.go:135: func VerifyRequest(ja *JWTAuth, r *http.Request, findTokenFns ...func(r *http.Request) string)

[Shaun1]

Any plans on merging this feature in? Would be useful if so.

[pkieltyka]

hi @tanmaij thanks for your work on this PR -- I've merged another PR which upgrades us to the latest version of jwx/v2, and tagged https://github.com/go-chi/jwtauth/releases/tag/v5.1.0

can you rebase your branch? I will provide a review here too, and then we can get this one merged too

[adam2k]

@tarcisioN this PR is super helpful! Do you want help rebasing and getting this merged? I'm running into this exact problem right now and this PR would solve it for me.

[jhutsonCTL]

My team needs this key set support for upcoming work. What do we need to do to get this PR merged in? Looks like the author hasn't responded to this PR in over a year. Would it make sense to create a new branch and PR for this change?

I'd be happy to help move this forward.

[pkieltyka]

I propose, fork it, finish it, use it in prod and then submit PR with update. Or link to fork and we can consume your changes once they’re refined. See my comments above.

[jhutsonCTL]

I propose, fork it, finish it, use it in prod and then submit PR with update. Or link to fork and we can consume your changes once they’re refined. See my comments above.

Given it doesn't look like this PR will be completed enough to be merged, this strategy looks like the right path forward.

[davidallendj]

For anyone interested, I tried forking, made the requested changes, and rebased. Test seems to pass and things seem to work as expected. This is what I'm using in my own code below.

ctx, cancel := context.WithCancel(context.Background())
defer cancel()
set, err := jwk.Fetch(ctx, url)
if err != nil {
    return fmt.Errorf("%v", err)
}
jwks, err := json.Marshal(set)
if err != nil {
    return fmt.Errorf("failed to marshal key set: %v", err)
}
tokenAuth, err = jwtauth.NewKeySet(jwks)
if err != nil {
    return fmt.Errorf("failed to initialize key set: %v", err)
}

Fork with changes: https://github.com/davidallendj/jwtauth