Since JWKS do not change too often, I want to cache it for a certain amount of time to reduce the calls to the IdPs. I was thinking about using This is my idea as pseudo code.

```js
let jwk = await cache.get('some_cache_key');
if (jwk === null) { // cache expired or similar
  const JWKS = jose.createRemoteJWKSet(new URL('https://www.googleapis.com/oauth2/v3/certs'));
  const { payload, protectedHeader, key } = await jose.jwtVerify(jwt, JWKS);
  await cache.set('some_cache_key', JSON.stringify(key));
} else {
  const publicKey = await jose.importJWK(jwk);
  const { payload, protectedHeader } = await jose.jwtVerify(jwt, publicKey);
}
```

But the original JWKS looks like:

```json
{
  "use": "sig",
  "alg": "RS256",
  "n": "pOpd5-7RpMvcfBcSjqlTNYjGg3YRwYRV9T9k7eDOEWgMBQEs6ii3cjcuoa1oD6N48QJmcNvAme_ud985DV2mQpOaCUy22MVRKI8DHxAKGWzZO5yzn6otsN9Vy0vOEO_I-vnmrO1-1ONFuH2zieziaXCUVh9087dRkM9qaQYt6QJhMmiNpyrbods6AsU8N1jeAQl31ovHWGGk8axXNmwbx3dDZQhx-t9ZD31oF-usPhFZtM92mxgehDqi2kpvFmM0nzSVgPrOXlbDb9ztg8lclxKwnT1EtcwHUq4FeuOPQMtZ2WehrY10OvsqS5ml3mxXUQEXrtYfa5V1v4o3rWx9Ow",
  "kid": "6f9777a685907798ef794062c00b65d66c240b1b",
  "e": "AQAB",
  "kty": "RSA"
}
```

And the

```json
{
  "kty": "RSA",
  "n": "pOpd5-7RpMvcfBcSjqlTNYjGg3YRwYRV9T9k7eDOEWgMBQEs6ii3cjcuoa1oD6N48QJmcNvAme_ud985DV2mQpOaCUy22MVRKI8DHxAKGWzZO5yzn6otsN9Vy0vOEO_I-vnmrO1-1ONFuH2zieziaXCUVh9087dRkM9qaQYt6QJhMmiNpyrbods6AsU8N1jeAQl31ovHWGGk8axXNmwbx3dDZQhx-t9ZD31oF-usPhFZtM92mxgehDqi2kpvFmM0nzSVgPrOXlbDb9ztg8lclxKwnT1EtcwHUq4FeuOPQMtZ2WehrY10OvsqS5ml3mxXUQEXrtYfa5V1v4o3rWx9Ow",
  "e": "AQAB"
}
```

Is there any API in your library around Otherwise I'll have to fetch the JWKS by myself and pass it to

```js
let jwks = await cache.get('some_cache_key');
if (jwks === null) {
  // axios resolves to a response object; the JWKS document is in its `data` property
  jwks = (await axios.get('https://www.googleapis.com/oauth2/v3/certs')).data;
  await cache.set('some_cache_key', jwks);
}
const JWKS = jose.createLocalJWKSet(jwks);
const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS);
```
-
https://github.com/panva/jose/blob/v5.x/src/jwks/remote.ts
In that case just use fetch() to get the JWKS response, cache that and pass it to `createLocalJWKSet`, you'll just need to handle re-fetching and throttling on your own.
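
The re-fetching and throttling that the reply leaves to the caller can look like the following; this is an added example, not code from the thread or from jose. The names `JwksCache`, `fetchJwks`, `getFor`, `ttlMs`, `cooldownMs` and `now` are hypothetical, and the fetcher and clock are injected so the logic runs offline.

```javascript
// Added example: JWKS cache with a TTL, a re-fetch on unknown `kid`, and a cooldown throttle.
// All names here are hypothetical; fetchJwks is any async function returning { keys: [...] }.
class JwksCache {
  constructor({ fetchJwks, ttlMs = 600_000, cooldownMs = 30_000, now = Date.now }) {
    this.fetchJwks = fetchJwks;
    this.ttlMs = ttlMs;
    this.cooldownMs = cooldownMs;
    this.now = now;
    this.jwks = null;
    this.fetchedAt = -Infinity;
    this.pending = null; // in-flight fetch, shared by concurrent callers
  }

  async refresh() {
    if (!this.pending) {
      this.pending = (async () => {
        const jwks = await this.fetchJwks();
        // Fail closed: never replace a good key set with a malformed response.
        if (!jwks || !Array.isArray(jwks.keys)) throw new Error('malformed JWKS response');
        this.jwks = jwks;
        this.fetchedAt = this.now();
      })().finally(() => { this.pending = null; });
    }
    await this.pending;
  }

  has(kid) {
    return this.jwks.keys.some((k) => k.kid === kid);
  }

  // Returns a JWKS that contains `kid`, or throws.
  async getFor(kid) {
    if (this.jwks === null || this.now() - this.fetchedAt >= this.ttlMs) {
      await this.refresh();
    }
    if (this.has(kid)) return this.jwks;
    // Unknown kid: the IdP may have rotated keys. Re-fetch at most once per
    // cooldown, so tokens carrying made-up kid values cannot force a request
    // to the IdP on every verification.
    if (this.now() - this.fetchedAt >= this.cooldownMs) {
      await this.refresh();
      if (this.has(kid)) return this.jwks;
    }
    throw new Error(`no key with kid ${kid} in JWKS`);
  }
}
```

In use, `fetchJwks` would wrap `fetch()` on the IdP's JWKS URL, `kid` would come from `jose.decodeProtectedHeader(jwt)`, and the object returned by `getFor` is what gets passed to `jose.createLocalJWKSet`.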