Make the ´jwksRequest()´ method public?

[joolfe]

Hi,

I was wondering why the library didn't validate the 'id_token' signature and I have found this topic #60 which after reading OIDC makes total sense (as usual happens when discussing with you FIlip :-)) because as OIDC say this is a "MAY" which is implementer's decision

If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature.

It is easy to use some libraries to validate the 'id_token' signature, as https://github.com/panva/jose/tree/main :-), but is it possible to, in a future version of the library, make the method like ´jwksRequest()´ public? I know it is not a matter of the library managing JWKS, but would be great to use the same code to resolve the JWKS when using methods like validateJwtAuthResponse() and when validating the 'id_token'. I know that I can use the '[oauth.experimental_jwksCache]' option to provide and obtain the keys but I have a use case where I should be able to use 'validateJwtAuthResponse' or 'validateAuthResponse' method, then interchange the code and then validate the id_token, in one case I can reuse the JWKS but not in the other one, so have a method to resolve the JWKS before everything would be really useful.

Best Regards

[panva]

Hi @joolfe,

I gave this a couple reads but I am unfortunately not able to make heads or tails of it. Can you try a different angle?

FWIW I don't plan on exposing jwksRequest() as it on its own doesn't do anything but fetch() on the jwks_uri URL.

[joolfe]

Sorry, I read again and even I'm not able to understand myself XD.

So basically I propose to make public some method like getPublicSigKeyFromIssuerJwksUri() where not only you make the request to the JWKS endpoint but also validate the response following the standards.... or maybe make it possible to resolve the JWKS uri in the discovery phase? i mean as something to concatenate to the promise chain when configuring the client.

const as = await oauth
  .discoveryRequest(issuer, { algorithm })
  .then((response) => oauth.processDiscoveryResponse(issuer, response))

[panva]

Not likely, you can just fetch() the endpoint yourself.