Provide own jwt-verify option #236

Open
deadbaed opened this issue Jul 21, 2022 · 2 comments
Comments

@deadbaed

deadbaed commented Jul 21, 2022

Hi,

I'm trying to use passport-jwt and I'm stuck on validating my JWT.

In strategy.js on line 105, when I log the jwt_error I get this:

```
TypeError: "EdDSA" is not a valid algorithm.
  Supported algorithms are:
  "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512" and "none".
```

This error is normal, because I sign my JWTs with the EdDSA alg, which is not supported in the included jsonwebtoken npm package.

When I look at verify_jwt.js, I see the only thing it does is to call the verify option of the jsonwebtoken package.

So my question is: how would it be possible to tell passport-jwt that I'm providing my own way of verifying the JWTs?

I use https://github.com/panva/jose to create my JWKs, and I use it to sign my JWTs, and it supports the EdDSA alg, which jsonwebtoken does not. So I'd like to use this lib to verify my JWTs.

If anyone has any hints or already did something like this, I would love some input!

thanks!

@Outternet

Currently not, unfortunately; as you said, the current driver, jsonwebtoken, is hardcoded.

However, this functionality is available in the rewrite, where jose has an abstract driver and the JWK can be passed directly.

@tigermax139

tigermax139 commented Jan 19, 2025

Here is a quick example of how to use JOSE in passport-jwt.

You can create your keys using JOSE, and pass one key in as the secret.

Then you use the private key for signing and the public key for verification.

```js
const jose = require('node-jose'); // JWK.createKeyStore(), toJSON(), toPEM() below are node-jose's API

const keyStore = jose.JWK.createKeyStore();

const KEY_ID = 'key1';

// Step 1: generate an RSA signing key once
await keyStore.generate('RSA', 2048, { use: 'sig', kid: KEY_ID });

const jsonKey = keyStore.toJSON(true); // includes the private key: store it in a file or any KeyManager

// Step 2: load the key from file
await keyStore.add(jsonKey, 'json'); // add key to store

// retrieve your PUBLIC key as PEM for JWT verification (toPEM(true) would export the private key)
const secretOrKey = keyStore.get(KEY_ID).toPEM(false);

// Step 3: inside a class that extends passport-jwt's Strategy
super({
  jwtFromRequest: extractJwtRequest,
  passReqToCallback: true,
  ignoreExpiration: false,
  algorithms: ['RS256'], // pin the algorithm so a token cannot pick HS256 against the public key
  secretOrKey, // the PEM public key from step 2
});
```
