Closed tsandall closed 4 years ago
Hi there! I finished implementing those builtins, but got a little stuck writing tests, I see there is already a public key, certificate and jwk here:
https://github.com/open-policy-agent/opa/blob/master/topdown/tokens_test.go#L867
And I would like to reuse this one in my tests, but I can't seem to find the matching private key, can you help me find it so I can generate new JWTs with it? I could also just generate a new keypair if needed.
At a quick glance I don't see one... so feel free to just generate a new one and add it to the tests.
We only support the following explicit verification functions today:

io.jwt.verify_rs256
io.jwt.verify_ps256
io.jwt.verify_es256
io.jwt.verify_hs256

However, under the hood the io.jwt.decode_verify function (which is a catch-all, try to "do the right thing" option) supports several other algorithms (see https://github.com/open-policy-agent/opa/blob/master/topdown/tokens.go#L499):

We need to (1) update the docs so that it's clear that io.jwt.decode_verify supports all of these and (2) update OPA with these new io.jwt.verify_xyz variants. My preference is to direct people to use io.jwt.decode and io.jwt.verify_xyz and implement claim validation themselves (perhaps as reusable Rego libraries) because it makes it much easier to provide explanations about WHY the validation failed or succeeded. The validation behaviour is also clearer because it's not hidden inside a built-in function.
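An added example (not from the issue or from OPA's own code) of the pattern recommended above: verify the signature with io.jwt.verify_rs256, parse with io.jwt.decode, and do the claim validation in Rego so that every rejection carries its reason. The input field name (input.token), the certificate location (data.jwt_public_cert) and the issuer placeholder are assumptions.

```rego
package jwt.example

# Assumptions (not from the issue): the token arrives as input.token and the
# PEM certificate or public key used for verification is stored at
# data.jwt_public_cert. Replace ISSUER_PLACEHOLDER with the real issuer.
expected_issuer = "ISSUER_PLACEHOLDER"

default allow = false

# Allow only when no deny reason was produced; deny doubles as the explanation.
allow {
    count(deny) == 0
}

# Claims of the token, if it decodes at all. io.jwt.decode only parses the
# three segments; it does not check the signature.
claims = payload {
    [_, payload, _] := io.jwt.decode(input.token)
}

# A malformed token must be rejected explicitly: otherwise the claim rules
# below are simply undefined, deny stays empty and allow would be true.
deny["token is malformed"] {
    not claims
}

# The explicit verify_rs256 call pins the algorithm instead of trusting the
# token header, and keeps the signature failure separate from claim failures.
deny["signature is invalid"] {
    not io.jwt.verify_rs256(input.token, data.jwt_public_cert)
}

deny["token has no exp claim"] {
    claims
    not claims.exp
}

# exp is in seconds; time.now_ns() is in nanoseconds.
deny["token is expired"] {
    claims.exp * 1000000000 < time.now_ns()
}

deny["token has no iss claim"] {
    claims
    not claims.iss
}

deny[msg] {
    claims.iss != expected_issuer
    msg := sprintf("unexpected issuer %q", [claims.iss])
}
```

Querying data.jwt.example.deny instead of data.jwt.example.allow returns the set of reasons, which is the explanation the comment above argues a built-in cannot give.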