Support RS256 JWTs #99
There are some 2021-edition crates that Cargo was warning about.
So it's Base64<PEM bytes>, not just PEM bytes.
The JWT spec [1] basically says that JWTs must validate the `aud` claim if it's specified:

> If the principal
> processing the claim does not identify itself with a value in the
> "aud" claim when this claim is present, then the JWT MUST be
> rejected.

[1]: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
Since we now validate the `sub` and `nbf` claims, they need to be set when atticadm generates them.
…serializing `false` permissions
707bada to 32e6d85
Hi there, thanks for the PR! Using RS256 definitely makes more sense in production scenarios. I would appreciate if
This effectively reverts commit 3e0b65a. Because jwt_simple doesn't have a unified type / trait that allows signature and verification, I had to add a SignatureType enum to approximate that.
OK, done in 0a9d493!
This would be incredibly useful to us.
Sorry for the delay -- pubkey-only validation is now supported as of 756fef8.
@zhaofengli Are there any more required changes for this to be merged?
(Probably one thing would be addressing the conflicts, which I've done now)
How is this better than HS256 in the context of attic? I've left a longer comment here: #95 (comment)
I'll be merging this in #177.
Fixes #95.
While this adds support for RS256 JWTs, it does not remove support for HS256 JWTs. That said, it does recommend using RS256 in documentation.
We switched to using the `jsonwebtoken` crate since that's what we're most familiar with, but I can probably switch back to `jwt_simple` if that is so desired.
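
The claim checks described in the commit messages above (reject a token whose `aud`, when present, does not name this server; validate `sub` and `nbf`), as an added example that is not code from this PR or from attic. The type and function names, the `leeway` parameter, the choice to treat `sub` and `nbf` as required, and the sample values are assumptions; the payload is taken to be already decoded and signature-verified.

```rust
// Added example: claim checks on a JWT payload whose signature is already verified.
// `Claims`, `Reject` and `check_claims` are hypothetical names, not attic's API.
#[derive(Debug, PartialEq)]
enum Reject { MissingSub, MissingNbf, WrongAudience, NotYetValid }

struct Claims {
    sub: Option<String>,
    aud: Vec<String>, // empty = no "aud" claim; a single string value becomes one entry
    nbf: Option<u64>, // seconds since the Unix epoch
}

/// `me`: audience values this server identifies itself with.
/// `leeway`: seconds of clock skew tolerated (an assumption of this example).
fn check_claims(c: &Claims, me: &[&str], now: u64, leeway: u64) -> Result<(), Reject> {
    // Assumption: `sub` and `nbf` are required, so a token without them is rejected.
    if c.sub.as_deref().map_or(true, str::is_empty) {
        return Err(Reject::MissingSub);
    }
    let nbf = c.nbf.ok_or(Reject::MissingNbf)?;
    // RFC 7519 section 4.1.3: when "aud" is present, at least one of its values
    // must be one this verifier identifies with. An absent claim is not a failure.
    if !c.aud.is_empty() && !c.aud.iter().any(|a| me.contains(&a.as_str())) {
        return Err(Reject::WrongAudience);
    }
    // The token must not be accepted before its "nbf" time.
    if now.saturating_add(leeway) < nbf {
        return Err(Reject::NotYetValid);
    }
    Ok(())
}

fn main() {
    // Constructed sample values: a token issued for a different audience.
    let me = ["https://cache.example.invalid"];
    let token = Claims {
        sub: Some("ci-builder".to_string()),
        aud: vec!["https://other.example.invalid".to_string()],
        nbf: Some(1_700_000_000),
    };
    println!("{:?}", check_claims(&token, &me, 1_700_000_100, 30));
}
```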