Adding custom algorithm #429
Conversation
sign.js
Outdated
| header: { isValid: isPlainObject, message: '"header" must be an object' }, | ||
| encoding: { isValid: isString, message: '"encoding" must be a string' }, | ||
| issuer: { isValid: isString, message: '"issuer" must be a string' }, | ||
| subject: { isValid: isString, message: '"subject" must be a string' }, | ||
| jwtid: { isValid: isString, message: '"jwtid" must be a string' }, | ||
| noTimestamp: { isValid: isBoolean, message: '"noTimestamp" must be a boolean' }, | ||
| keyid: { isValid: isString, message: '"keyid" must be a string' } | ||
| keyid: { isValid: isString, message: '"keyid" must be a string' }, | ||
| customAlgorithmFunction: {isValid: isFunction, message: "custom algorithm must provide it's own sign function"} |
sign.js
Outdated
| .once('done', function (signature) { | ||
| callback(null, signature); | ||
| if (isCustomAlgorithmUsed) { | ||
| options.customAlgorithmFunction(payload, secretOrPrivateKey, options, function(err, result) { |
verify.js
Outdated
| try { | ||
| decodedToken = options.customAlgorithmFunction(jwtString, secretOrPublicKey, options); | ||
| return done(null, decodedToken); | ||
| } catch(err) { |
README.md
Outdated
| @@ -203,6 +234,8 @@ __Warning:__ This will __not__ verify whether the signature is valid. You should | |||
|
|
|||
| * `json`: force JSON.parse on the payload even if the header doesn't contain `"typ":"JWT"`. | |||
| * `complete`: return an object with the decoded payload and header. | |||
| * `isCustomAlgorithmUsed`: boolean that declares if you want to use your own algorithm for decoding. | |||
| * `customAlgorithmFunction`: function which will be used for decoding, if isCustomAlgorithmUsed is true | |||
|
I think it should be possible to use a custom signing function even when using a predefined algorithm. My use case: #427 (comment) |
|
Sorry, I still have some concerns about this, what is the benefit of adding custom signing to this library? (at least how it is in the PR so far)
It seems to me like a simple serializer / deserializer. We should think how to offer this as simple as possible to the consumer and be sure that we are still in JWT playground. If you take a look to There is an open ticket there about your own use case: auth0/node-jws#34. I think it would have more sense to have it supported in there. If we still wanted to support it here we would need to write, or bring, most of that to this library, having here two signers with same interface What if you try to bump up the topic on jws repo and we pause this for now? Thoughts? |
I'm currently investigating custom algorithms. In my use case I have a secp256k1 private key I want to use to sign a JWT. The JWT would contain a claim of the corresponding public key. Interface wise I think the jwt.sign(payload, secretOrPrivateKey, {
algorithm: {
'urn:foo:bar:custom:yay' (input) {
return sign(input)
}
}
})
jwt.verify(token, publicKey, {
algorithms: [
{
'urn:foo:bar:custom:yay' (input) {
return verify(input)
}
}
]
})This library could select the correct |
|
There was a PR about it in the past: auth0/node-jws#35 I bet it was closed since some feedback was provided but no reaction was made by the PR creator. |
|
JWT algorithms are well defined and we're committed to support the defined ones, as soon as the
The only other missing defined DSA JWA is EdDSA which is available in node 12 and will eventually make it to Also as a general recommendation you should not roll your own crypto, which this very much looks like. And for the sake of interoperability we should guide the users of this lib to stay within the defined JWAs. |
This pull request introduce possibility to use your own algorithm with jsonwebtoken library. If you pass proper options you can use sign, verify and decode methods together with chosen algorithm function.