Skip to content

Add support for direct public key JWT verification without JWKS disco… #176

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add support for direct public key JWT verification without JWKS disco… #176

wants to merge 1 commit into from

Conversation

arpit-jn
Copy link
Contributor

@arpit-jn arpit-jn commented Jun 5, 2025

…very

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

This PR adds support for directly providing a public key for JWT verification without requiring JWKS discovery or endpoints.

Currently, the library only supports:

  1. Using issuerBaseURL to fetch JWKS
  2. Manually providing jwksUri and issuer

This change extends the secret parameter to accept either:

  • A string (for symmetric algorithms like HS256)
  • A KeyLike object (for asymmetric algorithms like RS256)

This helps in scenarios where the public key is already known, like in air-gapped environments or custom key management systems.

References

Testing

Tested with:

  • Direct public key verification using RSA keys

  • Verification with explicit algorithms

  • Negative tests with mismatched keys

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

@arpit-jn arpit-jn requested a review from a team as a code owner June 5, 2025 13:04
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 5, 2025
View reviewed changes
packages/access-token-jwt/test/public-key.test.ts
@@ -0,0 +1,76 @@
import { exportJWK, generateKeyPair } from 'jose';

Check notice

Code scanning / CodeQL

Unused variable, import, function or class Note test

Unused import exportJWK.

Copilot Autofix

AI 4 months ago

To fix the problem, the unused exportJWK import should be removed from the file. This involves editing the import statement on line 1 to exclude exportJWK. The rest of the code remains unchanged, as this modification does not affect any functionality.

Suggested changeset 1
packages/access-token-jwt/test/public-key.test.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/access-token-jwt/test/public-key.test.ts b/packages/access-token-jwt/test/public-key.test.ts
--- a/packages/access-token-jwt/test/public-key.test.ts
+++ b/packages/access-token-jwt/test/public-key.test.ts
@@ -1,2 +1,2 @@
-import { exportJWK, generateKeyPair } from 'jose';
+import { generateKeyPair } from 'jose';
 import nock from 'nock';
EOF
@@ -1,2 +1,2 @@
import { exportJWK, generateKeyPair } from 'jose';
import { generateKeyPair } from 'jose';
import nock from 'nock';
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

publicKey without discovery
1 participant
@arpit-jn