Closed toupeira closed 6 years ago
It might also be nice to make these public at the same time if possible: https://github.com/nov/json-jwt/blob/aa09a07e4b3939d7a9025ba9db97a861dc0c0817/lib/json/jwk.rb#L55-L65
JSON::JWK#normalize is not for calculating the JWK of a public key from its paired private key.
It is for JWK Thumbprint calculation, which is used for the default kid calculation.
You can serialize public keys as below.
```ruby
require 'openssl'
require 'json/jwt' # provides JSON::JWK and the `#to_jwk` helpers on OpenSSL keys

rsa_private_key = OpenSSL::PKey::RSA.generate(2048)
rsa_public_key = rsa_private_key.public_key
ec_private_key = OpenSSL::PKey::EC.generate('prime256v1')
ec_public_key = ec_private_key.dup.tap do |key|
  # NOTE: `ec_private_key.public_key` returns `OpenSSL::PKey::EC::Point`, not `OpenSSL::PKey::EC`
  key.private_key = nil
end

JSON::JWK.new(rsa_private_key) # NOTE: same with `rsa_private_key.to_jwk`
JSON::JWK.new(rsa_public_key)  # NOTE: same with `rsa_public_key.to_jwk`
JSON::JWK.new(ec_private_key)  # NOTE: same with `ec_private_key.to_jwk`
JSON::JWK.new(ec_public_key)   # NOTE: same with `ec_public_key.to_jwk`
```
Plus, you won't use a shared key JWK generally (it's not public, so you can't publish it via jwks_url).
However, if you really want a JWK-formatted shared key, you can do so:
```ruby
JSON::JWK.new(shared_key)
```
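To make the distinction above concrete, here is an added example (not code from json-jwt or from this thread) that does the two separate jobs with only Ruby's standard library: it serializes an RSA or EC public key as a JWK with private members omitted, and it computes the RFC 7638 JWK Thumbprint that a normalized JWK exists for, the value used as a default kid. The curve-name mapping and function names are the example's own assumptions.

```ruby
require 'openssl'
require 'json'
require 'base64'

# RFC 7638 section 3.2: only the required members of each key type are hashed.
REQUIRED_MEMBERS = {
  'RSA' => %w[e kty n],
  'EC'  => %w[crv kty x y],
  'oct' => %w[k kty]
}.freeze

# Assumed mapping from OpenSSL curve names to JWK "crv" values.
JWK_CURVES = { 'prime256v1' => 'P-256', 'secp384r1' => 'P-384', 'secp521r1' => 'P-521' }.freeze

def base64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Build a public JWK hash from an OpenSSL key. Private members (d, p, q, ...)
# are never emitted, so the result is safe to expose via a jwks_url.
def public_jwk(key)
  case key
  when OpenSSL::PKey::RSA
    # BN#to_s(2) gives the minimal unsigned big-endian bytes JWK requires.
    { 'kty' => 'RSA', 'n' => base64url(key.n.to_s(2)), 'e' => base64url(key.e.to_s(2)) }
  when OpenSSL::PKey::EC
    # key.public_key is an EC::Point; its uncompressed form is 0x04 || X || Y.
    len = (key.group.degree + 7) / 8
    xy = key.public_key.to_bn(:uncompressed).to_s(2)[1..]
    { 'kty' => 'EC', 'crv' => JWK_CURVES.fetch(key.group.curve_name),
      'x' => base64url(xy[0, len]), 'y' => base64url(xy[len, len]) }
  else
    raise ArgumentError, "unsupported key type #{key.class}"
  end
end

# Normalize a JWK per RFC 7638: required members only, sorted lexicographically,
# serialized without whitespace. Extra members (kid, use, alg) are dropped, so
# the thumbprint depends on the key material alone.
def normalize_jwk(jwk)
  members = REQUIRED_MEMBERS.fetch(jwk['kty']) { raise ArgumentError, "unknown kty #{jwk['kty']}" }
  JSON.generate(members.sort.map { |m| [m, jwk.fetch(m)] }.to_h)
end

# The thumbprint is the base64url-encoded SHA-256 of the normalized JWK.
def jwk_thumbprint(jwk)
  base64url(OpenSSL::Digest::SHA256.digest(normalize_jwk(jwk)))
end
```

Because the thumbprint is computed over the normalized form, the same key yields the same default kid whether it is serialized from the private key or from the public key, and adding alg or kid members does not change it.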
@nov thanks for the clarification! Do you mean :oct keys by "shared key"? I'm thinking we can leave it in to support OIC providers in private networks with trusted clients.
See related discussion at https://github.com/doorkeeper-gem/doorkeeper-openid_connect/pull/34, we're not sure which key properties we can expose for the JWKS response for key algorithms other than RSA.
It looks like JSON::JWK#normalize might already do this, is this indeed the case and would you accept a PR making that method public?