Open renedupont opened 5 months ago
If Entra provides a JWKS endpoint and properly announces it in the OpenID Connect discovery endpoint, then you could make lua-resty-openidc use the discovery endpoint and pull in the JWKS itself, in which case it handles keystores with multiple keys properly. This currently is the only way to support multiple public keys, which at the same time would simplify your configuration, I guess.
Hello, I am using the client credential grant flow and want to verify incoming tokens completely without connecting to my provider (Microsoft Entra, formerly known as Azure AD). Therefore I went to the JWKS URI and saw that they have two JWK entries with different x5c values, and unfortunately Entra sometimes provides tokens signed with one OR the other key.

In `lua-resty-openidc` `opts` I can only set one `public_key`, as far as I know. I found out that an access token has an `x5t` and a `kid` field that can be used to identify the right `public_key` (e.g. by an x5t to x5c mapping). I am using `bearer_jwt_verify`, but to set `opts.public_key` to the right one, I would need to get the access token before calling `bearer_jwt_verify`, which would be rather unfortunate since this method already does that here: https://github.com/zmartzone/lua-resty-openidc/blob/v1.7.6/lib/resty/openidc.lua#L1860 and I'd like to avoid doing it twice, especially as `openidc_get_bearer_access_token` is a local function and hence I wouldn't be able to use it and would need to copy it into my own code.

Currently I am doing this, but this is O(n) and I want to get back to O(1).

Any idea how to deal with this? Or am I understanding something totally wrong? I am not sure how usual it is that a provider uses multiple JWKs and returns different ones to the same client id.

Could this be a feature request that it is possible to provide this x5t to x5c mapping in `opts` and that the verification considers this?

Environment