
Ability to verify token without the JWT Secret #171

Closed
neckaros opened this issue Jul 29, 2021 · 5 comments

Comments

@neckaros

Feature request

Is your feature request related to a problem? Please describe.

I have a main application that identifies the user, and then I need to communicate with many Node.js server applications distributed on users' computers, so they cannot hold the JWT secret, but I need to verify the caller's identity for rights management.

Describe the solution you'd like

Like with Firebase, I would like to have a public key that can verify the JWT token:
https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library

Describe alternatives you've considered

I'm using Firebase.

@awalias awalias transferred this issue from supabase/supabase Jul 29, 2021
@awalias
Member

awalias commented Jul 29, 2021

@kangmingtay we would need to switch to public/private key JWTs, a level up from secret-only JWTs.

@koba-ninkigumi
Contributor

@neckaros
I also use Firebase.

What @awalias said above is not correct.

You are not the only one who is asking for this feature.

What you're asking for is actually the same as this issue.
supabase/auth-js#169

And there is already a pull request for this issue.
supabase/auth-js#207

So, when this pull request is merged, the realization of the functionality you are looking for will be achieved.
If you read this pull request, you will understand it if you are using Firebase.

Please help us to get it merged.

@neckaros
Author

neckaros commented Feb 9, 2022

I don't understand why you closed this issue. The PR might fix it, but as of now it's not fixed, right?

@koba-ninkigumi I'm not sure how the OIDC relates to my request.

Basically I need a public key to verify a token without knowing the private key, like in the PR linked by @Alexays (asymmetric cryptography):

#195

@koba-ninkigumi
Contributor

koba-ninkigumi commented Feb 10, 2022

@neckaros

As a result of my PR being merged a few days ago, you can now authenticate the id_token by specifying the location of the public key with issuer and the correct client_id approved by the issuer.

The actual usage is as follows.
If you want to use Google's public key, do the following:

const { user, session, error } = await supabase.auth.signIn({
  oidc:{
      id_token: 'your idtoken',
      nonce: 'random value',
      provider: 'google'
  }
})

If you want to use a public key of your choice, specify the location of the public key in issuer.
(If you specify issuer as follows, the public key will be loaded from the location described in https://accounts.google.com/.well-known/openid-configuration based on the OIDC specification. Please refer to the OIDC specification for details: https://openid.net/specs/openid-connect-core-1_0.html )

const { user, session, error } = await supabase.auth.signIn({
  oidc:{
      id_token: 'your idtoken',
      nonce: 'random value',
      issuer: 'https://accounts.google.com',
      client_id: 'your client_id'
  }
})

The documentation will be available on the supabase website in a few weeks.

@koba-ninkigumi
Contributor

koba-ninkigumi commented Feb 10, 2022

@neckaros

And your request is to do the same thing as the link below, right?
https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library

In other words, id_token validation on the backend side.
That can be achieved with the following code in gotrue.
Have a look at the following file, line 333:
https://github.com/supabase/gotrue/blob/master/api/token.go

func (a *API) IdTokenGrant(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
