supabase / auth

A JWT based API for managing users and issuing JWT tokens
https://supabase.com/docs/guides/auth
MIT License

Ability to verify token without the JWT Secret #171

Closed. neckaros closed this 2 years ago.

neckaros commented 3 years ago

Feature request

Is your feature request related to a problem? Please describe.

I have a main application that identifies the user, and then I need to communicate with many Node.js server applications distributed on users' computers, so they cannot hold the JWT secret, but I need to verify the caller's identity for rights management.

Describe the solution you'd like

Like with Firebase, I would like to be able to have a public key that can verify the JWT token: https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library

Describe alternatives you've considered

I'm using Firebase.

awalias commented 3 years ago

@kangmingtay we would need to switch to public/private key JWTs, a level up from secret-only JWTs.

koba-ninkigumi commented 2 years ago

@neckaros I also use Firebase.

What @awalias said above is not correct.

You are not the only one who is asking for this feature.

What you're asking for is actually the same as this issue. https://github.com/supabase/gotrue-js/issues/169

And there is already a pull request for this issue. https://github.com/supabase/gotrue-js/pull/207

So, when this pull request is merged, the functionality you are looking for will be achieved. If you read this pull request, you will understand it if you are using Firebase.

Please help us to get it merged.

neckaros commented 2 years ago

I don't understand why you closed this issue. The PR might fix it, but as of now it's not fixed, right?

@koba-ninkigumi I'm not sure how the OIDC relates to my request.

Basically I need a public key to verify a token without knowing the private key, like in the PR linked by @Alexays (asymmetric cryptography):

https://github.com/supabase/gotrue/pull/195

koba-ninkigumi commented 2 years ago

@neckaros

As a result of my PR being merged a few days ago, you can now authenticate the id_token by specifying the location of the public key with issuer and the correct client_id approved by the issuer.

The actual usage is as follows. If you want to use Google's public key, do the following:

// supabase is a client created with createClient(); the provider name selects Google's issuer and keys
const { user, session, error } = await supabase.auth.signIn({
  oidc: {
    id_token: 'your idtoken',
    nonce: 'random value',
    provider: 'google'
  }
})

If you want to use a public key of your choice, specify the location of the public key in issuer. (If you specify issuer as follows, the public key will be loaded from the location described in https://accounts.google.com/.well-known/openid-configuration based on the OIDC specification. Please refer to the OIDC specification for details: https://openid.net/specs/openid-connect-core-1_0.html )

// the issuer's discovery document is used to locate the public key; client_id is checked against the token's aud
const { user, session, error } = await supabase.auth.signIn({
  oidc: {
    id_token: 'your idtoken',
    nonce: 'random value',
    issuer: 'https://accounts.google.com',
    client_id: 'your client_id'
  }
})

The documentation will be available on the supabase website in a few weeks.

koba-ninkigumi commented 2 years ago

@neckaros

And your request is to do the same thing as the link below, right? https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library

In other words, id_token validation on the backend side. That can be achieved with the following code in gotrue. Have a look at line 333 of the following file: https://github.com/supabase/gotrue/blob/master/api/token.go

func (a *API) IdTokenGrant(ctx context.Context, w http.ResponseWriter, r *http.Request) error {