JWKs support #538

Open
ikovalyov opened this issue Dec 4, 2020 · 7 comments

Comments

@ikovalyov

Hi.
We are using the jwks in our application to authenticate customers. Unfortunately I can see only the OAuth security module. Do you have any plans on adding the JWKs support?
Thanks.

@daviddenton
Member

TBH we have no plans to add a module like this at the moment. PRs gratefully accepted though ;)

What would be interesting is to find out exactly what type of functionality our users would like to see from such a module, so please feel free to enumerate stuff in this thread. 😄

@razvn
Contributor

razvn commented Dec 5, 2020

It's quite easy to use JWT with the current implementation of BearerAuth; then it's up to you to handle the JWT. Plus it gives you the liberty to use the JWT lib of your choice.
Maybe the only thing missing is a recipe in the Cookbook which could show an example of how to use it. I can't see what higher abstraction of a JWT http4k could add.

@ikovalyov
Author

@razvn I'd like to have a module which has something like this:

  • We can configure the jwks endpoint (file which lists the issuer's keys)
  • We can configure the structure and types of the issuer's keys (algo, encryption and other stuff)
  • The system adds a firewall which will decode the jwt, verify it over well-known keys and check if the user has permission to access the endpoint
  • System uses a cache to store the list of the well-known keys for future use.
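
An added example (not code from http4k or from anyone in this thread) of what those four points could look like as a plain http4k Filter. It assumes the Nimbus JOSE+JWT library for JWKS fetching, caching and signature verification; the helper name `jwksBearerAuth` and the space-separated `scope` claim used for the permission check are assumptions, not anything http4k defines.

```kotlin
import com.nimbusds.jose.JWSAlgorithm
import com.nimbusds.jose.jwk.source.RemoteJWKSet
import com.nimbusds.jose.proc.JWSVerificationKeySelector
import com.nimbusds.jose.proc.SecurityContext
import com.nimbusds.jwt.JWTClaimsSet
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier
import com.nimbusds.jwt.proc.DefaultJWTProcessor
import org.http4k.core.Filter
import org.http4k.core.Response
import org.http4k.core.Status
import java.net.URL

// Hypothetical helper (not part of http4k): builds a Filter that
//  1. fetches the issuer's keys from the configured JWKS endpoint,
//  2. only accepts RS256-signed tokens from the expected issuer/audience,
//  3. rejects requests whose token lacks the required scope,
//  4. caches the key set (RemoteJWKSet re-fetches when it sees an unknown kid).
fun jwksBearerAuth(
    jwksUrl: URL,
    expectedIssuer: String,
    expectedAudience: String,
    requiredScope: String
): Filter {
    val keySource = RemoteJWKSet<SecurityContext>(jwksUrl)
    val processor = DefaultJWTProcessor<SecurityContext>().apply {
        // Pinning the algorithm prevents "alg" confusion (e.g. a token claiming HS256).
        setJWSKeySelector(JWSVerificationKeySelector(JWSAlgorithm.RS256, keySource))
        // Checks exp/nbf, exact issuer match, audience, and that sub/exp are present.
        setJWTClaimsSetVerifier(
            DefaultJWTClaimsVerifier(
                expectedAudience,
                JWTClaimsSet.Builder().issuer(expectedIssuer).build(),
                setOf("sub", "exp")
            )
        )
    }
    return Filter { next ->
        { req ->
            val token = req.header("Authorization")
                ?.takeIf { it.startsWith("Bearer ", ignoreCase = true) }
                ?.substring("Bearer ".length)
            if (token == null) Response(Status.UNAUTHORIZED) else try {
                val claims = processor.process(token, null)   // signature + claims
                val scopes = claims.getStringClaim("scope")?.split(' ') ?: emptyList()
                if (requiredScope in scopes) next(req) else Response(Status.FORBIDDEN)
            } catch (e: Exception) {
                // Bad signature, unknown kid, expired, wrong issuer/audience: all 401.
                Response(Status.UNAUTHORIZED)
            }
        }
    }
}
```

Attach it with `jwksBearerAuth(URL("https://issuer.example/.well-known/jwks.json"), "https://issuer.example", "my-api", "orders:read").then(app)`; the host name and scope here are placeholders.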

@razvn
Contributor

razvn commented Dec 9, 2020

I agree it would be nice having that included in the library, instead of having to do it manually as I had to do a few weeks ago.
But I think it is quite a specific usage, as I guess most JWTs do not use JWKS servers.
Besides, it requires some asynchronous tasks (refreshing the JWKS in the background) which the library does not handle yet (I know it can be done with CompletableFutures (I went with coroutines as I like them better)), which adds complexity and difficulty in making it configurable to fit each one's requirements.

@oharaandrew314
Contributor

oharaandrew314 commented Aug 8, 2022

Sorry to necro this, but a use-case for integrating with http4k did come to mind recently. I was originally using auth0 java-jwt, but then for serverless jar size limitations, I wanted to eliminate guava and jackson. I ended up using Nimbus Jwt, because it uses a low-level json library; but I did have to give up some of the goodies from auth0's implementation.

I still don't know how we could do a better job than auth0, but it would be nice if we could bring our own http and marshalling backends. Maybe if we include auth0 as an implementation dependency, exclude all its dependencies, and then provide a http4k-esque wrapper and Security implementation on top?

@daviddenton
Member

Nice idea - might be worth investigating if we can get most of the lower level security stuff for free. When you say Security do you mean an auth0 class?

@oharaandrew314
Contributor

I was referring to org.http4k.contract.security.Security, but also a plain filter to go on top of ClientFilters
