Home

Awesome

get-jwks

ci

Fetch utils for JWKS keys

Installation

npm install get-jwks

Usage

Options

const https = require('node:https')
const buildGetJwks = require('get-jwks')

const getJwks = buildGetJwks({
  max: 100,
  ttl: 60 * 1000,
  timeout: 5000,
  issuersWhitelist: ['https://example.com'],
  checkIssuer: (issuer) => {
    return issuer === 'https://example.com'
  },
  providerDiscovery: false,
  agent: new https.Agent({
    keepAlive: true,
  }),
})

max and ttl are provided to lru-cache.

getJwk

const buildGetJwks = require('get-jwks')

const getJwks = buildGetJwks()

const jwk = await getJwks.getJwk({
  domain: 'https://example.com/',
  alg: 'token_alg',
  kid: 'token_kid',
})

Calling the asynchronous function getJwk will fetch the JSON Web Key, and verify if any of the public keys matches the provided alg (if any) and kid values. It will cache the matching key so if called again it will not make another request to retrieve a JWKS. It will also use a cache to store stale values which is used in case of errors as a fallback mechanism.

getPublicKey

const buildGetJwks = require('get-jwks')

const getJwks = buildGetJwks()

const publicKey = await getJwks.getPublicKey({
  domain: 'https://exampe.com/',
  alg: 'token_alg',
  kid: 'token_kid',
})

Calling the asynchronous function getPublicKey will run the getJwk function to retrieve a matching key, then convert it to a PEM public key. It requires the same arguments as getJwk.

Integration Examples

This library can be easily used with other JWT libraries.

@fastify/jwt

@fastify/jwt is a Json Web Token plugin for Fastify.

The following example includes a scenario where you'd like to varify a JWT against a valid JWK on any request to your Fastify server. Any request with a valid JWT auth token in the header will return a successful response, otherwise will respond with an authentication error.

const Fastify = require('fastify')
const fjwt = require('@fastify/jwt')
const buildGetJwks = require('get-jwks')

const fastify = Fastify()
const getJwks = buildGetJwks()

fastify.register(fjwt, {
  decode: { complete: true },
  secret: (request, token, callback) => {
    const {
      header: { kid, alg },
      payload: { iss },
    } = token
    getJwks
      .getPublicKey({ kid, domain: iss, alg })
      .then(publicKey => callback(null, publicKey), callback)
  },
})

fastify.addHook('onRequest', async (request, reply) => {
  await request.jwtVerify()
})

fastify.listen(3000)

fast-jwt

fast-jwt is a fast JSON Web Token implementation.

The following example shows how to use JWKS in fast-jwt via get-jwks.

const { createVerifier } = require('fast-jwt')
const buildGetJwks = require('get-jwks')

// well known url of the token issuer
// often encoded as the `iss` property of the token payload
const domain = 'https://...'

const getJwks = buildGetJwks({ issuersWhitelist: [...]})

// create a verifier function with key as a function
const verifyWithPromise = createVerifier({
  key: async function ({ header }) {
    const publicKey = await getJwks.getPublicKey({
      kid: header.kid,
      alg: header.alg,
      domain,
    })
    return publicKey
  },
})

const payload = await verifyWithPromise(token)