-
Notifications
You must be signed in to change notification settings - Fork 236
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' into bump-jose
- Loading branch information
Showing
2 changed files
with
176 additions
and
139 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,125 @@ | ||
# Examples | ||
|
||
- [Integrations](#integrations) | ||
- [Configuration](#configuration) | ||
- [Caching](#caching) | ||
- [Rate Limiting](#rate-limiting) | ||
- [Using Request Agent for TLS/SSL Configuration](#using-request-agent-for-tlsssl-configuration) | ||
- [Proxy Configuration](#proxy-configuration) | ||
- [Loading keys from local file, environment variable, or other externals](#loading-keys-from-local-file-environment-variable-or-other-externals) | ||
- [Showing Trace Logs](#showing-trace-logs) | ||
|
||
## Integrations | ||
|
||
This repository holds a number of example integrations found in the [examples](./examples/) folder. | ||
|
||
- [express/express-jwt](examples/express-demo) | ||
- [express/passport-jwt](examples/passport-demo) | ||
- [hapi/hapi-auth-jwt2](examples/hapi-demo) | ||
- [koa/koa-jwt](examples/koa-demo) | ||
|
||
## Configuration | ||
|
||
- `jwksUri`: a string that represents the JWKS URI | ||
- `timeout = 30000`: (_optional_) an integer in miliseconds that controls the request timeout | ||
- `cache = true`: (_optional_) enables a LRU Cache [(details)](#caching) | ||
- `rateLimit`: (_optional_) the default fetcher function [(details)](#rate-limiting) | ||
- `fetcher`: (_optional_) a Promise returning function to fetch data from the JWKS URI | ||
- `requestHeaders`: (_optional_) an object of headers to pass to the request | ||
- `requestAgent`: (_optional_) a Node `http.Agent` to be passed to the http(s) request | ||
- `getKeysInterceptor`: (_optional_) a promise returning function hook [(details)](#loading-keys-from-local-file-environment-variable-or-other-externals) | ||
- `cacheMaxAge`: (_optional_) the duration for which to store a cached JWKS in ms (default 600,000 or 10 minutes) | ||
- `jwksRequestsPerMinute`: (_optional_) max number of requests allowed to the JWKS URI per minute (defaults to 10) | ||
|
||
## Caching | ||
|
||
By default, signing key verification results are cached in order to prevent excessive HTTP requests to the JWKS endpoint. If a signing key matching the `kid` is found, this will be cached and the next time this `kid` is requested the signing key will be served from the cache. The caching behavior can be configured as seen below: | ||
|
||
```js | ||
const jwksClient = require('jwks-rsa'); | ||
|
||
const client = jwksClient({ | ||
cache: true, // Default Value | ||
cacheMaxEntries: 5, // Default value | ||
cacheMaxAge: 600000, // Defaults to 10m | ||
jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json' | ||
}); | ||
|
||
const kid = 'RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg'; | ||
const key = await client.getSigningKey(kid); | ||
const signingKey = key.getPublicKey(); | ||
``` | ||
|
||
## Rate Limiting | ||
|
||
Even if caching is enabled the library will call the JWKS endpoint if the `kid` is not available in the cache, because a key rotation could have taken place. To prevent attackers to send many random `kid`s you can also configure rate limiting. This will allow you to limit the number of calls that are made to the JWKS endpoint per minute (because it would be highly unlikely that signing keys are rotated multiple times per minute). | ||
|
||
```js | ||
const jwksClient = require('jwks-rsa'); | ||
|
||
const client = jwksClient({ | ||
rateLimit: true, | ||
jwksRequestsPerMinute: 10, // Default value | ||
jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json' | ||
}); | ||
|
||
const kid = 'RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg'; | ||
const key = await client.getSigningKey(kid); | ||
const signingKey = key.getPublicKey(); | ||
``` | ||
|
||
## Using Request Agent for TLS/SSL Configuration | ||
|
||
The `requestAgent` property can be used to configure SSL/TLS options. An | ||
example use case is providing a trusted private (i.e. enterprise/corporate) root | ||
certificate authority to establish TLS communication with the `jwks_uri`. | ||
|
||
```js | ||
const jwksClient = require("jwks-rsa"); | ||
const https = require('https'); | ||
const client = jwksClient({ | ||
jwksUri: 'https://my-enterprise-id-provider/.well-known/jwks.json', | ||
requestHeaders: {}, // Optional | ||
requestAgent: new https.Agent({ | ||
ca: fs.readFileSync(caFile) | ||
}) | ||
}); | ||
``` | ||
|
||
## Proxy configuration | ||
|
||
You can configure a proxy with using a [custom http(s) agent](https://github.com/TooTallNate/node-https-proxy-agent) in the `requestAgent` option. | ||
|
||
## Loading keys from local file, environment variable, or other externals | ||
|
||
The `getKeysInterceptor` property can be used to fetch keys before sending a request to the `jwksUri` endpoint. This can be helpful when wanting to load keys from a file, env variable, or an external cache. If a KID cannot be found in the keys returned from the interceptor, it will fallback to the `jwksUri` endpoint. This property will continue to work with the provided LRU cache, if the cache is enabled. | ||
|
||
```js | ||
const client = new JwksClient({ | ||
jwksUri: 'https://my-enterprise-id-provider/.well-known/jwks.json', | ||
getKeysInterceptor: () => { | ||
const file = fs.readFileSync(jwksFile); | ||
return file.keys; | ||
} | ||
}); | ||
``` | ||
|
||
## Showing Trace Logs | ||
|
||
To show trace logs you can set the following environment variable: | ||
|
||
``` | ||
DEBUG=jwks | ||
``` | ||
|
||
Output: | ||
|
||
``` | ||
jwks Retrieving keys from http://my-authz-server/.well-known/jwks.json +5ms | ||
jwks Keys: +8ms [ { alg: 'RS256', | ||
kty: 'RSA', | ||
use: 'sig', | ||
x5c: [ 'pk1' ], | ||
kid: 'ABC' }, | ||
{ alg: 'RS256', kty: 'RSA', use: 'sig', x5c: [], kid: '123' } ] | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,171 +1,83 @@ | ||
# jwks-rsa | ||
![A library to retrieve signing keys from a JWKS (JSON Web Key Set) endpoint.](https://cdn.auth0.com/website/sdks/banner/node-jwks-rsa-banner.png) | ||
|
||
[![CircleCI][circle-image]][circle-url] | ||
[![codecov][codecov-image]][codecov-url] | ||
[![NPM version][npm-image]][npm-url] | ||
[![License][license-image]][license-url] | ||
[![Downloads][downloads-image]][downloads-url] | ||
[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fnode-jwks-rsa.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fnode-jwks-rsa?ref=badge_shield) | ||
![Release](https://img.shields.io/npm/v/jwks-rsa) | ||
[![Codecov](https://img.shields.io/codecov/c/github/auth0/node-jwks-rsa)](https://codecov.io/gh/auth0/node-jwks-rsa) | ||
![Downloads](https://img.shields.io/npm/dw/jwks-rsa) | ||
[![License](https://img.shields.io/:license-mit-blue.svg?style=flat)](https://opensource.org/licenses/MIT) | ||
![CircleCI](https://img.shields.io/circleci/build/github/auth0/node-jwks-rsa) | ||
|
||
A library to retrieve signing keys from a JWKS (JSON Web Key Set) endpoint. | ||
📚 [Documentation](#documentation) - 🚀 [Getting Started](#getting-started) - 💬 [Feedback](#feedback) | ||
|
||
> npm install --save jwks-rsa | ||
## Documentation | ||
|
||
Supports all currently registered JWK types and JWS Algorithms, see [panva/jose#262](https://github.com/panva/jose/issues/262) for more information. | ||
- [Examples](https://github.com/auth0/node-jwks-rsa/blob/master/EXAMPLES.md) - code samples for common scenarios. | ||
- [Docs Site](https://auth0.com/docs) - explore our Docs site and learn more about Auth0. | ||
|
||
## Usage | ||
## Getting Started | ||
|
||
You'll provide the client with the JWKS endpoint which exposes your signing keys. Using the `getSigningKey` you can then get the signing key that matches a specific `kid`. | ||
### Installation | ||
|
||
```js | ||
const jwksClient = require('jwks-rsa'); | ||
Using [npm](https://npmjs.org) in your project directory run the following command: | ||
|
||
const client = jwksClient({ | ||
jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json', | ||
requestHeaders: {}, // Optional | ||
timeout: 30000 // Defaults to 30s | ||
}); | ||
|
||
const kid = 'RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg'; | ||
const key = await client.getSigningKey(kid); | ||
const signingKey = key.getPublicKey(); | ||
``` | ||
````bash | ||
npm install --save jwks-rsa | ||
```` | ||
|
||
### Integrations | ||
|
||
- [express/express-jwt](examples/express-demo) | ||
- [express/passport-jwt](examples/passport-demo) | ||
- [hapi/hapi-auth-jwt2](examples/hapi-demo) | ||
- [koa/koa-jwt](examples/koa-demo) | ||
|
||
### API | ||
|
||
#### JwksClient Options | ||
|
||
- `jwksUri`: a string that represents the JWKS URI | ||
- `timeout = 30000`: (_optional_) an integer in miliseconds that controls the request timeout | ||
- `cache = true`: (_optional_) enables a LRU Cache [(details)](#caching) | ||
- `rateLimit`: (_optional_) the default fetcher function [(details)](#rate-limiting) | ||
- `fetcher`: (_optional_) a Promise returning function to fetch data from the JWKS URI | ||
- `requestHeaders`: (_optional_) an object of headers to pass to the request | ||
- `requestAgent`: (_optional_) a Node `http.Agent` to be passed to the http(s) request | ||
- `getKeysInterceptor`: (_optional_) a promise returning function hook [(details)](#loading-keys-from-local-file-environment-variable-or-other-externals) | ||
- `cacheMaxAge`: (_optional_) the duration for which to store a cached JWKS in ms (default 600,000 or 10 minutes) | ||
- `jwksRequestsPerMinute`: (_optional_) max number of requests allowed to the JWKS URI per minute (defaults to 10) | ||
Supports all currently registered JWK types and JWS Algorithms, see [panva/jose#262](https://github.com/panva/jose/issues/262) for more information. | ||
|
||
### Caching | ||
### Configure the client | ||
|
||
By default, signing key verification results are cached in order to prevent excessive HTTP requests to the JWKS endpoint. If a signing key matching the `kid` is found, this will be cached and the next time this `kid` is requested the signing key will be served from the cache. The caching behavior can be configured as seen below: | ||
Provide a JWKS endpoint which exposes your signing keys. | ||
|
||
```js | ||
````js | ||
const jwksClient = require('jwks-rsa'); | ||
|
||
const client = jwksClient({ | ||
cache: true, // Default Value | ||
cacheMaxEntries: 5, // Default value | ||
cacheMaxAge: 600000, // Defaults to 10m | ||
jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json' | ||
jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json', | ||
requestHeaders: {}, // Optional | ||
timeout: 30000 // Defaults to 30s | ||
}); | ||
```` | ||
|
||
const kid = 'RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg'; | ||
const key = await client.getSigningKey(kid); | ||
const signingKey = key.getPublicKey(); | ||
``` | ||
|
||
### Rate Limiting | ||
|
||
Even if caching is enabled the library will call the JWKS endpoint if the `kid` is not available in the cache, because a key rotation could have taken place. To prevent attackers to send many random `kid`s you can also configure rate limiting. This will allow you to limit the number of calls that are made to the JWKS endpoint per minute (because it would be highly unlikely that signing keys are rotated multiple times per minute). | ||
|
||
```js | ||
const jwksClient = require('jwks-rsa'); | ||
### Retrieve a key | ||
|
||
const client = jwksClient({ | ||
rateLimit: true, | ||
jwksRequestsPerMinute: 10, // Default value | ||
jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json' | ||
}); | ||
Then use `getSigningKey` to retrieve a signing key that matches a specific `kid`. | ||
|
||
````js | ||
const kid = 'RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg'; | ||
const key = await client.getSigningKey(kid); | ||
const signingKey = key.getPublicKey(); | ||
``` | ||
|
||
### Using Request Agent for TLS/SSL Configuration | ||
|
||
The `requestAgent` property can be used to configure SSL/TLS options. An | ||
example use case is providing a trusted private (i.e. enterprise/corporate) root | ||
certificate authority to establish TLS communication with the `jwks_uri`. | ||
|
||
```js | ||
const jwksClient = require("jwks-rsa"); | ||
const https = require('https'); | ||
const client = jwksClient({ | ||
jwksUri: 'https://my-enterprise-id-provider/.well-known/jwks.json', | ||
requestHeaders: {}, // Optional | ||
requestAgent: new https.Agent({ | ||
ca: fs.readFileSync(caFile) | ||
}) | ||
}); | ||
``` | ||
|
||
### Proxy configuration | ||
|
||
You can configure a proxy with using a [custom http(s) agent](https://github.com/TooTallNate/node-https-proxy-agent) in the `requestAgent` option. | ||
|
||
### Loading keys from local file, environment variable, or other externals | ||
|
||
The `getKeysInterceptor` property can be used to fetch keys before sending a request to the `jwksUri` endpoint. This can be helpful when wanting to load keys from a file, env variable, or an external cache. If a KID cannot be found in the keys returned from the interceptor, it will fallback to the `jwksUri` endpoint. This property will continue to work with the provided LRU cache, if the cache is enabled. | ||
|
||
```js | ||
const client = new JwksClient({ | ||
jwksUri: 'https://my-enterprise-id-provider/.well-known/jwks.json', | ||
getKeysInterceptor: () => { | ||
const file = fs.readFileSync(jwksFile); | ||
return file.keys; | ||
} | ||
}); | ||
``` | ||
|
||
## Running Tests | ||
|
||
``` | ||
npm run test | ||
``` | ||
```` | ||
|
||
## Showing Trace Logs | ||
## Feedback | ||
|
||
To show trace logs you can set the following environment variable: | ||
### Contributing | ||
|
||
``` | ||
DEBUG=jwks | ||
``` | ||
We appreciate feedback and contribution to this repo! Before you get started, please see the following: | ||
|
||
Output: | ||
- [Auth0's general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md) | ||
- [Auth0's code of conduct guidelines](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md) | ||
|
||
``` | ||
jwks Retrieving keys from http://my-authz-server/.well-known/jwks.json +5ms | ||
jwks Keys: +8ms [ { alg: 'RS256', | ||
kty: 'RSA', | ||
use: 'sig', | ||
x5c: [ 'pk1' ], | ||
kid: 'ABC' }, | ||
{ alg: 'RS256', kty: 'RSA', use: 'sig', x5c: [], kid: '123' } ] | ||
``` | ||
### Raise an issue | ||
|
||
## License | ||
To provide feedback or report a bug, please [raise an issue on our issue tracker](https://github.com/auth0/node-jwks-rsa/issues). | ||
|
||
This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info. | ||
### Vulnerability Reporting | ||
|
||
[circle-image]: https://img.shields.io/circleci/build/github/auth0/node-jwks-rsa/master?style=flat-square | ||
[circle-url]: https://circleci.com/gh/auth0/node-jwks-rsa/tree/master | ||
[codecov-image]: https://img.shields.io/codecov/c/github/auth0/node-jwks-rsa?style=flat-square | ||
[codecov-url]: https://codecov.io/gh/auth0/node-jwks-rsa | ||
[npm-image]: https://img.shields.io/npm/v/jwks-rsa.svg?style=flat-square | ||
[npm-url]: https://npmjs.org/package/jwks-rsa | ||
[license-image]: http://img.shields.io/npm/l/jwks-rsa.svg?style=flat-square | ||
[license-url]: #license | ||
[downloads-image]: http://img.shields.io/npm/dm/jwks-rsa.svg?style=flat-square | ||
[downloads-url]: https://npmjs.org/package/jwks-rsa | ||
Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues. | ||
|
||
## What is Auth0? | ||
|
||
[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fnode-jwks-rsa.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fnode-jwks-rsa?ref=badge_large) | ||
<p align="center"> | ||
<picture> | ||
<source media="(prefers-color-scheme: dark)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_dark_mode.png" width="150"> | ||
<source media="(prefers-color-scheme: light)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150"> | ||
<img alt="Auth0 Logo" src="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150"> | ||
</picture> | ||
</p> | ||
<p align="center"> | ||
Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout <a href="https://auth0.com/why-auth0">Why Auth0?</a> | ||
</p> | ||
<p align="center"> | ||
This project is licensed under the MIT license. See the <a href="https://github.com/auth0/node-jwks-rsa/blob/master/LICENSE"> LICENSE</a> file for more info. | ||
</p> |