Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

JWT: Support for x509 PEM cert

See original GitHub issue

Hello! Thanks for the nice work!

To provide a bit of backgorund , I am trying to use firebase authentication on cf workers environment. So I was trying to use this package until I find out, firebase-auth doesn’t provide JWKS.json instead they provide "public keys in (pem) format , to verify signature. Here are the keys for reference, https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com

Is there a plan to support verifying JWT with public keys in this package? If you can give some hint on how to generate jwk from public keys, or if you think there is another way to do it, I would be happy to create a PR for the feature.

Thanks

Issue Analytics

State:
Created 3 years ago
Reactions:2
Comments:8 (5 by maintainers)

Top GitHub Comments

3reactions

m3haricommented, Dec 19, 2020

@jdanyow We were able to convert x509 certificate to CryptoKey following that blog post, but at the end it turns out firebase publishes JWKs with standard format here , though they don’t mention it in the docs. So we decided to use that.

As you can see firebase don’t publish the keys in the standard /.well-known/jwks.json path.

I will make a PR to cover such cases. I think adding optional keyset parameter will make it flexible.

1reaction

jdanyowcommented, Dec 11, 2020

The keys you linked appear to be PEM encoded x509 certs. I found a blog post that describes how to parse these and eventually use importKey to get a CryptoKey. Assuming all that works you could then export the CryptoKey as a jwk that @cfworker/jwt can use.

Example:

// ... logic from blog post ...
// ...
// ...
const publicKey: CryptoKey = await crypto.subtle.importKey(/* logic from blog post */);
// export as jwk that @cfworker/jwt can use.
const jwk = await crypto.subtle.exportKey('jwk', publicKey);

Then you can pass the jwk to @cfworker/jwt’s importKey function (below). issuer should match the iss value found in the JWTs you’re trying to validate. https://github.com/cfworker/cfworker/blob/2292f528ac85397f538256447d8e00e840c4cdeb/packages/jwt/src/jwks.ts#L20-L25

Hope that helps!