node-jwk | JWK support for Node | Runtime Environment library
kandi X-RAY | node-jwk Summary
JWK (JSON Web Key) support for Node
Community Discussions
QUESTION
I currently am retrieving a JWKS keys using the Auth0 JWKS library for my Lambda custom authoriser function.
As explained in this issue on the JWKS library, apparently the caching built into JWKS for the public key ID does not work on lambda functions and as such they recommend writing the key to the tmp file.
What reasons could there be as to why cache=true would not work?
As far as I was aware, there should be no difference that would prevent in-memory caching working with lambda functions but allow file-based caching on the tmp folder to be the appropriate solution.
As far as I can tell, the only issues that would occur would be from the spawning of containers rate-limiting JWKS API and not the act of caching using the memory of the created containers.
In which case, what would be the optimal pattern of storing this token externally in Lambda?
ANSWER
Answered 2021-Apr-04 at 17:14
There are a lot of options for how to solve this. All have different advantages and disadvantages.
First off, storing the keys in memory or on the disk (/tmp) has the same result in terms of persistence. Both are available across calls to the same Lambda instance.
I would recommend storing the keys in memory, because memory access is a lot faster than reading from a file (on every request).
Here are other options to solve this:
- Store the keys in S3 and download during init.
- Store the keys on an EFS volume, mount that volume in your Lambda instance, load the keys from the volume during init.
- Download the keys from the API during init.
- Package the keys with the Lambdas deployment package and load them from disk during init.
- Store the keys in AWS SSM parameter store and load them during init.
As you might have noticed, the "during init" phase is the most important part for all of those solutions. You don't want to do that for every request.
Option 1 and 2 would require some other "application" that you build to regularly download the keys and store them on S3 or an EFS volume. That is extra effort, but might in certain circumstances be a good idea for more complex setups.
Option 3 is basically what you are already doing at the moment and is probably the best tradeoff between simplicity and sound engineering for simple use cases. As stated before, you should store the key in memory.
Option 4 is a working "hack" that is the easiest way to get your key to your Lambda. I'd never recommend doing this, because sudden changes to the key would require a re-deployment of the Lambda, while in the meantime requests can't be authenticated, resulting in a down time.
Option 5 can be a valid alternative to option 3, but requires the same key management by another application like option 1 and 2. So it is not necessarily a good fit for a simple authorizer.
QUESTION
I'm trying to decode a JWT id_token using jwks-rsa and jsonwebtoken but the result is returning as undefined.
I know this has something to do with callbacks, and the fact that I need to wait for a response from the getKey function, but I can't wrap my head around how to structure the code to make that happen.
This is what I have so far...
ANSWER
Answered 2021-Mar-05 at 06:58
You're not handling the asynchronous code correctly. The jwt.verify method returns a Promise if you do not pass it the callback method.
If you use return jwt.verify(id_token, getKey, { algorithms: ['RS256'] }) inside the do_thing function and call it like this: do_thing().then((decodedToken) => console.log(decodedToken)), it should work as expected.
QUESTION
Trying to stub a method getSigningKey of jwksClient. However, it actually executes the non-stub version of the function and returns an error instead of the mockResponse. How to stub it such that it will return the mockResponse instead?
ANSWER
Answered 2017-Jun-11 at 06:48
This code looks more complex than necessary, especially the Sinon part. I am assuming auth0authorizer.jwksClient is a typo in your example code, and that you really meant just jwksClient.
If you mean to stub the instance, you need to stub the generated instance, not a non-existing method on the factory method (which is what you are doing!).
That would simply mean
QUESTION
I'm trying to create an authentication flow where the user's access token is kept in a server-side session along with the refresh token, and when the token expires it is renewed if the session is still valid. However, the token I get back from Azure AD after refresh has an invalid signature, when verifying it with the same method as the original token.
Here's a runnable gist that illustrates the problem: https://gist.github.com/tlycken/fdaf47dc31e03de43a1a07fbbea2ab91
What I'm doing is basically this:
- When the user requests a page, check for a session. If none exists, redirect to /auth which redirects to Azure AD, and when I'm returned I have a valid token which I store in the session.
- Verify the token from the session using jwks-rsa. (This normally works fine, so I'm purposely adding something to the token string to make the signature invalid in the test code.)
- If token verification failed, and there is a refresh token on the session, try to fetch a new token using that refresh token. This request normally returns with status 200 OK and a new set of access/refresh tokens.
- Verify the new access token using the same code as was used to verify the old one (now without garbling the token). This should work, IIUC, but it fails with the error invalid signature.
Why does my newly refreshed token not pass verification?
Update: I was able to create a simpler flow for reproducing this; the gist has been updated. It now does the following (printing these messages, along the way):
ANSWER
Answered 2018-Jun-21 at 18:00
Your code is using the v1 Endpoint to obtain the initial access token but the v2 Endpoint to exercise the refresh token. These two endpoints operate differently. In particular, the v1 Endpoint uses "resource" while v2 uses "scopes".
The reason this is happening is that you're calling v1 explicitly but relying on the v2 /openid-configuration for the Refresh Token endpoint.
To correct this, change line 19 of refresh-auth-token.js to
QUESTION
I am using this library, node-jwks-rsa, to fetch JWT keys from my auth0 jwks.json file in order to verify that the id_token my application retrieves after authentication is actually coming from my auth provider.
Under the hood it uses this method to build a public key PEM
ANSWER
Answered 2017-Oct-30 at 09:01
Using an RSA asymmetric key pair, the JWT is signed with the private key and verified with the public. You can not verify a digital signature with the private key.
Modulus and exponent are the components of the public key and you can use them to build the public key in PEM format, which is a base64 representation of the public key (modulus and exponent) encoded in DER binary format. You can use PEM, DER or modulus and exponent because they contain the same information.
But nobody can build the private key from the modulus and exponent. They would need the private RSA elements, which must be kept secret so that no one can sign for you.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported