Closed drewp closed 1 year ago
Is there a Key ID ("kid") in your JWT headers? If so, you can use JwkSet.get_jwk_by_kid to get the matching Jwk from your keyset, like this:

```python
import logging
import bottle
import requests
from rdflib import URIRef  # URIRef assumed to come from rdflib, as in the original snippet
from jwskate import Jwt, JwkSet

log = logging.getLogger(__name__)

# Fetch the issuer's published key set once; the key for each request is chosen by its "kid".
jwkset = JwkSet(requests.get('https://authenticate.bigasterisk.com/.well-known/pomerium/jwks.json').json())

def bottleGetAgent() -> URIRef:
    pomAssertion = bottle.request.headers.get('X-Pomerium-Jwt-Assertion', None)
    jwt = Jwt(pomAssertion)
    # Select the JWK whose "kid" matches the token header, then check signature, alg, iss and aud.
    jwk = jwkset.get_jwk_by_kid(jwt.kid)
    jwt.validate(jwk,
                 algs=['ES256'],
                 issuer='authenticate.bigasterisk.com',
                 audience='bigasterisk.com')
    log.debug('claims=%r', jwt.claims)
```
Let me know if that works for you.
I'm closing this ticket, but feel free to comment again if the proposed solution is not ideal for you.
Here's what I worked out:
This seems to work, but obviously I don't want the `[0]` in there. `jwkset.verify` seems relevant, but it doesn't take any of the values I want to pass in. FYI, I'm expecting something like

```python
jwt.validate(jwkset.find_key_for(jwt), ...)
```

or

```python
jwkset.verify(jwt, algs, issuer, audience)
```

If someone does write this doc, we should ask https://www.pomerium.com/docs/capabilities/getting-users-identity to link to it.
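As an added example (not code from this thread, from jwskate or from Pomerium), here is a fail-closed version of the `find_key_for(jwt)` helper asked for above, together with the issuer, audience and expiry checks, using only the standard library. It signs with HS256 over a constructed two-key JWKS so it runs offline; Pomerium's ES256 tokens need an EC signature verifier at the signature step (which `Jwt.validate` supplies), while the kid selection and claim checks are the same. The names `find_key_for`, `validate`, `make_token`, the key set and the claim values are all constructed.

```python
import base64, hashlib, hmac, json, time

def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def find_key_for(jwks: dict, header: dict, allowed_algs: set) -> dict:
    """Pick the one JWK whose kid matches the token header; fail closed otherwise."""
    alg = header.get("alg")
    if alg not in allowed_algs:  # the allowlist decides the algorithm, never the token
        raise ValueError(f"alg {alg!r} not allowed")
    kid = header.get("kid")
    if not kid:
        raise ValueError("token has no kid; refusing to guess a key")
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise ValueError(f"expected one JWK for kid {kid!r}, found {len(matches)}")
    if matches[0].get("alg", alg) != alg:  # key published for a different alg: reject
        raise ValueError("JWK alg does not match token alg")
    return matches[0]

def validate(token: str, jwks: dict, *, algs: set, issuer: str, audience: str, now=None) -> dict:
    """Check the signature (HS256 here), then iss, aud and exp; return claims or raise."""
    h64, p64, s64 = token.split(".")
    jwk = find_key_for(jwks, json.loads(_b64d(h64)), algs)
    mac = hmac.new(_b64d(jwk["k"]), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64d(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(p64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp < (time.time() if now is None else now):
        raise ValueError("missing or expired exp")
    return claims

def make_token(header: dict, claims: dict, secret: bytes) -> str:
    # Mints a constructed HS256 token standing in for the X-Pomerium-Jwt-Assertion value.
    h64 = _b64e(json.dumps(header, separators=(",", ":")).encode())
    p64 = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64e(sig)}"

# Constructed key set with two keys, so the kid lookup actually matters.
SECRET_A, SECRET_B = b"a" * 32, b"b" * 32
JWKS = {"keys": [{"kty": "oct", "kid": "key-a", "alg": "HS256", "k": _b64e(SECRET_A)},
                 {"kty": "oct", "kid": "key-b", "alg": "HS256", "k": _b64e(SECRET_B)}]}
```

A token whose header names `key-b` but was signed with `SECRET_A`, one with an unknown kid, one with `alg: none`, or one for another audience all raise before any claims are trusted.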