Support RS256 JWTs #99
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There are some 2021-edition crates that Cargo was warning about.
So it's Base64<PEM bytes>, not just PEM bytes.
The JWT spec [1] basically says that JWTs must validate the `aud` claim if its specified: > If the principal > processing the claim does not identify itself with a value in the > "aud" claim when this claim is present, then the JWT MUST be > rejected. [1]: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
Since we now validate the `sub` and `nbf` claims, they need to be set when atticadm generates them.
…serializing `false` permissions
cole-h
force-pushed
the
rs256-support
branch
from
707bada
to
32e6d85
Compare
Closed
|
Hi there, thanks for the PR! Using RS256 definitely makes more sense in production scenarios. I would appreciate if |
This effectively reverts commit 3e0b65a. Because jwt_simple doesn't have a unified type / trait that allows signature and verification, I had to add a SignatureType enum to approximate that.
|
OK, done in 0a9d493! |
niklaskorz
reviewed
Nov 14, 2023
|
This would be incredibly useful to us. |
|
Sorry for the delay -- pubkey-only validation is now supported as of 756fef8. |
|
@zhaofengli Are there any more required changes for this to be merged? |
|
(Probably one thing would be addressing the conflicts, which I've done now) |
|
How is this better than HS256 in the context of attic? I've left a longer comment here: #95 (comment) |
|
I'll be merging this in #177. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #95.
While this adds support for RS256 JWTs, it does not remove support for HS256 JWTs. That said, it does recommend using RS256 in documentation.
We switched to using thejsonwebtokencrate since that's what we're most familiar with, but I can probably switch back tojwt_simpleif that is so desired.