Use iss field for validation?

[cdupont]

In the JWT there is a field "iss", that contains the issuer claim.
For example (in the case of Keycloak):

"iss": "https://example.com/auth/realms/my-realm",

This address gives:

{
  "realm": "example",
  "public_key": "MIIBIjANBgkqh...........",
  "token-service": "https://example.com/auth/realms/waziup/protocol/openid-connect",
  "account-service": "https://example.com/auth/realms/waziup/account",
  "tokens-not-before": 1587561531
}

Is it possible to use that in Servant-Auth? Maybe as an option in JWTSettings?

[domenkozar]

You can provide your own instance for FromJWT and ToJWT. I do this as well :)

[cdupont]

Hi @domenkozar ,
no, what I meant is to perform a request to the "iss" (Issuer address) to get the JWKSet.
This JWKSet can then be used to verify the JWT/ extract claims.
Something like that (psoeudocode):

  1. Receive a JWT
  2. open the JWT and read the "iss" address
  3. Get the JWKSet from the iss (HTTP GET)
  4. Verify/extract the claims from the JWT using the JWKSet     

This could be an option in the JWTSettings.

[domenkozar]

Sure.