joken-elixir / joken

Elixir JWT library
Apache License 2.0
772 stars 102 forks

Not possible to create a validate-only signer #258

Closed kdawgwilk closed 4 years ago

kdawgwilk commented 4 years ago

We have a use case where we have a 3rd party identity provider that generates our JWT tokens and we only want to be able to validate them but not generate them. However, joken requires that we provide a private key (for RS256 tokens) to create a signer which we don't own since it is a 3rd party that generates the tokens.

victorolinasc commented 4 years ago

Joken only requires a private key if you call Joken.sign or similar functions. You can, and in your use case should, create a signer with the public key.

This is essential for JokenJwks and we've been using it in production for a while.

Just to be extra sure, I've pushed more tests that showcase this:

Hope this helps! Be sure not to call generate_and_sign! with a signer created using only the public keys.

This is mentioned in the docs too: https://hexdocs.pm/joken/assymetric_cryptography_signers.html#content
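The answer above as a runnable script. This is an added example, not code from the thread or from the Joken project. It assumes Elixir 1.12+ with `Mix.install`, generates a throwaway RSA keypair that stands in for the third-party identity provider (in the real deployment you would hold only the public PEM, typically fetched through JWKS), and uses placeholder issuer and audience values. It builds two `Joken.Signer` structs from the same keypair, one from the private PEM (the IdP side) and one from the public PEM (our side), then checks the things a verifier cares about: a genuine token validates, a token with a tampered payload is rejected, an HS256 token forged with the public PEM as the HMAC secret (the classic algorithm-confusion attempt) is rejected because the signer's `alg` is pinned to RS256, and attempting to sign with the public-only signer blows up (how it fails is an assumption, so it is rescued rather than pattern-matched).

```elixir
# Added example (not from the Joken project or this thread): a verify-only
# RS256 signer built from the identity provider's public key.
# Run with `elixir verify_only.exs` (Elixir >= 1.12; Mix.install needs network
# access the first time to fetch joken).
Mix.install([{:joken, "~> 2.0"}])

defmodule ThirdPartyToken do
  # Claim rules for tokens issued by the external IdP. The issuer and audience
  # values are assumed placeholders, not taken from the thread.
  use Joken.Config

  @impl true
  def token_config do
    default_claims(default_exp: 60, iss: "https://idp.example", aud: "my-api")
  end
end

defmodule VerifyOnlyDemo do
  # Throwaway keypair standing in for the third party's signing key. In a real
  # deployment only `pub_pem` would ever be present on our side.
  def keypair do
    jwk = JOSE.JWK.generate_key({:rsa, 2048})
    {_, priv_pem} = JOSE.JWK.to_pem(jwk)
    {_, pub_pem} = jwk |> JOSE.JWK.to_public() |> JOSE.JWK.to_pem()
    {priv_pem, pub_pem}
  end

  def run do
    {priv_pem, pub_pem} = keypair()
    cfg = ThirdPartyToken.token_config()

    # IdP side: a signer holding the private key, able to sign.
    idp_signer = Joken.Signer.create("RS256", %{"pem" => priv_pem})
    # Our side: built from the public key only. It can verify but not sign.
    verify_signer = Joken.Signer.create("RS256", %{"pem" => pub_pem})

    # 1. A genuine token from the IdP validates against the public-only signer.
    {:ok, token, _claims} = Joken.generate_and_sign(cfg, %{"sub" => "alice"}, idp_signer)
    genuine = ThirdPartyToken.verify_and_validate(token, verify_signer)

    # 2. Tampering with the payload invalidates the RSA signature.
    [header, _payload, sig] = String.split(token, ".")
    forged_payload =
      %{"sub" => "mallory", "iss" => "https://idp.example", "aud" => "my-api"}
      |> Jason.encode!()
      |> Base.url_encode64(padding: false)

    tampered = ThirdPartyToken.verify_and_validate(header <> "." <> forged_payload <> "." <> sig, verify_signer)

    # 3. Algorithm confusion: sign with HS256 using the public PEM as the HMAC
    #    secret. Joken verifies strictly against the signer's own alg (RS256),
    #    so this must be rejected even though the attacker knows the PEM.
    hs_signer = Joken.Signer.create("HS256", pub_pem)
    {:ok, confused_token} = Joken.Signer.sign(%{"sub" => "mallory"}, hs_signer)
    confused = ThirdPartyToken.verify_and_validate(confused_token, verify_signer)

    # 4. Signing with the public-only signer cannot work: there is no private
    #    exponent to sign with. Exactly how it fails is an assumption, so the
    #    call is rescued instead of matched on a specific error.
    sign_with_public_only =
      try do
        Joken.generate_and_sign(cfg, %{"sub" => "alice"}, verify_signer)
      rescue
        e -> {:raised, e.__struct__}
      end

    %{
      genuine: genuine,                    # {:ok, %{"sub" => "alice", ...}}
      tampered: tampered,                  # {:error, :signature_error}
      alg_confusion: confused,             # {:error, :signature_error}
      sign_with_public_only: sign_with_public_only
    }
  end
end

VerifyOnlyDemo.run() |> IO.inspect()
```

The key design point is the one victorolinasc makes: a `Joken.Signer` is just `alg` plus a JWK, and verification never needs the private half. Pinning the signer to `"RS256"` also means a token whose header claims a different algorithm is rejected before its signature is even considered, which is what stops the HS256 confusion attempt in step 3. In production the public key would come from the provider's JWKS endpoint (the JokenJwks path mentioned in the reply) rather than a PEM you generated yourself.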