How to use jwks-rsa - 10 common examples
To help you get started, we’ve selected a few jwks-rsa examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
Levino / mock-jwks / __tests__ / jwksRsa.ts View on Github 
async (assert) => {
assert.plan(1)
auth0Mock.start()
const client = jwksClient({
jwksUri: 'https://hardfork.eu.auth0.com/.well-known/jwks.json',
strictSsl: true, // Default value
})
const kid = auth0Mock.kid()
client.getSigningKey(kid, (err) => {
auth0Mock.stop()
if (err) {
return assert.fail()
}
assert.pass()
})
}
)(assert) => {
assert.plan(1)
auth0Mock.start()
const client = jwksClient({
jwksUri: 'https://hardfork.eu.auth0.com/.well-known/jwks.json',
strictSsl: true, // Default value
})
const kid = auth0Mock.kid()
client.getSigningKey(kid, (err, key) => {
if (err) {
auth0Mock.stop()
return assert.fail()
}
const signingKey = String(key.publicKey || key.rsaPublicKey)
try {
verify(auth0Mock.token({}), signingKey)
} catch (err) {
auth0Mock.stop()
return assert.fail()token = getToken(event)
} catch (err) {
console.log('could not get token', event, err)
return cb('could not get token')
}
const decoded = decode(token, { complete: true })
if (!decoded) {
return cb('could not decode token')
}
const kid = decoded.header.kid
const TOKEN_ISSUER = `https://cognito-idp.${region}.amazonaws.com/${poolId}`
const JWKS_URI = `${TOKEN_ISSUER}/.well-known/jwks.json`
const client = jwksClient({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 10, // Default value
jwksUri: JWKS_URI
})
client.getSigningKey(kid, function(err, key) {
if (err) {
cb(err)
} else {
const signingKey = key.publicKey || key.rsaPublicKey
verify(token, signingKey, { issuer: TOKEN_ISSUER }, function(
err,
tokenPayload
) {
if (err) {module.exports.auth = (event, context, callback) => {
console.log(event);
// jwt.decode may throw error in case of validating wrong/expired access_token
try {
let token, client, decoded, kid;
token = getToken(event);
client = jwksClient({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 10,
jwksUri: process.env.JWKS_URI
});
decoded = jwt.decode(token, {complete: true});
kid = decoded.header.kid;
client.getSigningKey(kid, (err, key) => {
if (err) {
console.log("getSigningKey error:", err);
callback(null, {policyDocument: getPolicyDocument('Deny', event.methodArn)});
} else {
let signingKey = key.publicKey || key.rsaPublicKey;
let options = {import jwt from 'jsonwebtoken'
import jwksClient from 'jwks-rsa'
import config from '../../src/_config'
/* initialize the JWKS client */
const auth0Domain = process.env.AUTH0_DOMAIN || config.auth0.domain
const authClient = jwksClient({
cache: true,
jwksUri: `https://${auth0Domain}/.well-known/jwks.json`,
audience: 'universe-theater',
issuer: 'https://adobot.auth0.com/',
})
/* Check authorization JWT */
export default function checkAuth(event) {
const alg = 'RS256' // algorithm is RSA http://bit.ly/2xAYygk
return new Promise((resolve, reject) => {
console.log('event.headers', event.headers)
if (!event.headers.authorization) {
const reason = 'Missing event.headers.authorization. You must be signed in to call this function'
return reject(new Error(reason))
}
console.log('event.headers', event.headers)constructor({name, cfg}) {
let handlerCfg = cfg.handlers[name];
assert(handlerCfg.domain, `${name}.domain is required`);
assert(handlerCfg.apiAudience, `${name}.apiAudience is required`);
assert(handlerCfg.clientId, `${name}.clientId is required`);
assert(handlerCfg.clientSecret, `${name}.clientSecret is required`);
_.assign(this, handlerCfg);
// use express-jwt to validate JWTs against auth0
this.jwtCheck = expressJwt({
secret: jwks.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: `https://${this.domain}/.well-known/jwks.json`,
}),
// expect to see our audience in the JWT
audience: this.apiAudience,
// and expect a token issued by auth0
issuer: `https://${this.domain}/`,
algorithms: ['RS256'],
credentialsRequired: true,
});
this._managementApiExp = null;
this._managementApi = null;
this.identityProviderId = 'mozilla-auth0';import neo4jDriver from './db/neo4jDriver';
import schema from './graphql/schema';
const { NODE_ENV, PORT } = process.env;
const API_PORT = NODE_ENV && NODE_ENV.includes('prod') ? PORT || 3000 : 3100;
const app = express();
if (!NODE_ENV || NODE_ENV.includes('dev')) {
app.use(cors());
}
app.use(jwt({
credentialsRequired: false,
// Dynamically provide a signing key based on the kid in the header
// and the singing keys provided by the JWKS endpoint
secret: jwksRsa.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: 'https://theborderland.eu.auth0.com/.well-known/jwks.json',
}),
}));
function getUser(user) {
if (!user) return null;
return Object.assign(
{},
user,
{
email: user['https://realities.theborderland.se/email'],
role: user['https://realities.theborderland.se/role'],
},export function generateJwt(payload: object): string {
return jsonwebtoken.sign(payload, JWT_SECRET, {
algorithm: 'HS256',
});
}
/**
* Auth middleware for all normal users - who are authenticated by Auth0.
*/
const auth0Authenticate = jwt({
secret : jwksRsa.expressJwtSecret({
cache : true,
rateLimit : true,
jwksRequestsPerMinute : 5,
jwksUri : 'https://' + authvalues.DOMAIN + '/.well-known/jwks.json',
}),
// cf. https://github.com/auth0/express-jwt/issues/171#issuecomment-305876709
// audience : process.env[env.AUTH0_AUDIENCE],
aud : authvalues.AUDIENCE,
issuer : 'https://' + authvalues.CUSTOM_DOMAIN + '/',
algorithms : [ 'RS256' ],
});export default () => {
const ensureAuth = jwt({
// Dynamically provide a signing key based on the kid in the header and the singing keys provided by the JWKS endpoint.
secret: jwksRsa.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`
}),
// Validate the audience and the issuer.
audience: process.env.AUTH0_AUDIENCE || 'graphql',
issuer: process.env.AUTH0_DOMAIN,
algorithms: ['RS256']
});
return [
ensureAuth,
(req, res, next) => {
req.hasScope = hasScope;const app = express();
const jwt = require('express-jwt');
const jwtAuthz = require('express-jwt-authz');
const jwksRsa = require('jwks-rsa');
const cors = require('cors');
require('dotenv').config();
if (!process.env.AUTH0_DOMAIN || !process.env.AUTH0_AUDIENCE) {
throw 'Make sure you have AUTH0_DOMAIN, and AUTH0_AUDIENCE in your .env file'
}
app.use(cors());
const checkJwt = jwt({
// Dynamically provide a signing key based on the kid in the header and the singing keys provided by the JWKS endpoint.
secret: jwksRsa.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`
}),
// Validate the audience and the issuer.
audience: process.env.AUTH0_AUDIENCE,
issuer: `https://${process.env.AUTH0_DOMAIN}/`,
algorithms: ['RS256']
});
const checkScopes = jwtAuthz([ 'read:messages' ]);
const checkScopesAdmin = jwtAuthz([ 'write:messages' ]);
app.get('/api/public', function(req, res) {jwks-rsa
Library to retrieve RSA public keys from a JWKS endpoint
