Add functionality to allow directly provided jwt keysets (#191)

Adds ability to provide jwks directly

Co-authored-by: David <david.patrick@auth0.com>

examples/koa-demo/server.js

@@ -1,35 +1,35 @@
-const Koa = require('koa');
-const Router = require('koa-router');
-const jwt = require('koa-jwt');
-const jwksRsa = require('../../lib');
-
-const jwksHost = process.env.JWKS_HOST;
-const audience = process.env.AUDIENCE;
-const issuer = process.env.ISSUER;
-
-// Initialize the app.
-const app = new Koa();
-
-app.use(jwt({
-  secret: jwksRsa.koaJwtSecret({
-    cache: true,
-    rateLimit: true,
-    jwksRequestsPerMinute: 2,
-    jwksUri: `${jwksHost}/.well-known/jwks.json`
-  }),
-  audience,
-  issuer,
-  algorithms: [ 'RS256' ]
-}));
-
-const router = new Router();
-
-router.get('/me', ctx => {
-  ctx.body = ctx.state.user
-});
-
-app.use(router.middleware());
-
-// Start the server.
-const port = process.env.PORT || 4001;
-app.listen(port);
+const Koa = require('koa');
+const Router = require('koa-router');
+const jwt = require('koa-jwt');
+const jwksRsa = require('../../lib');
+
+const jwksHost = process.env.JWKS_HOST;
+const audience = process.env.AUDIENCE;
+const issuer = process.env.ISSUER;
+
+// Initialize the app.
+const app = new Koa();
+
+app.use(jwt({
+  secret: jwksRsa.koaJwtSecret({
+    cache: true,
+    rateLimit: true,
+    jwksRequestsPerMinute: 2,
+    jwksUri: `${jwksHost}/.well-known/jwks.json`
+  }),
+  audience,
+  issuer,
+  algorithms: [ 'RS256' ]
+}));
+
+const router = new Router();
+
+router.get('/me', ctx => {
+  ctx.body = ctx.state.user;
+});
+
+app.use(router.middleware());
+
+// Start the server.
+const port = process.env.PORT || 4001;
+app.listen(port);

index.d.ts

@@ -4,7 +4,7 @@ declare function JwksRsa(options: JwksRsa.ClientOptions): JwksRsa.JwksClient;
 
 declare namespace JwksRsa {
   class JwksClient {
-    constructor(options: ClientOptions);
+    constructor(options: ClientOptions | ClientOptionsWithObject);
 
     getKeys(cb: (err: Error | null, keys: unknown) => void): void;
     getKeysAsync(): Promise<unknown>;
@@ -31,6 +31,10 @@ declare namespace JwksRsa {
     timeout?: number;
   }
 
+  interface ClientOptionsWithObject extends Omit<ClientOptions, 'jwksUri'> {
+    jwksObject: { keys: SigningKey[] };
+  }
+
   interface CertSigningKey {
     kid: string;
     nbf: string;

src/JwksClient.js

@@ -36,6 +36,11 @@ export class JwksClient {
   }
 
   getKeys(cb) {
+    if (this.options.jwksObject) {
+      this.logger('Returning directly provided keyset.');
+      return cb(null, this.options.jwksObject.keys);
+    }
+
     this.logger(`Fetching keys from '${this.options.jwksUri}'`);
     request({
       uri: this.options.jwksUri,

src/integrations/koa.js

@@ -3,8 +3,8 @@ import { JwksClient } from '../JwksClient';
 
 module.exports.koaJwtSecret = (options = {}) => {
 
-  if (!options.jwksUri) {
-    throw new ArgumentError('No JWKS URI provided');
+  if (!options.jwksUri && !options.jwksObject) {
+    throw new ArgumentError('No JWKS provided. Please provide a jwksUri or jwksObject');
   }
 
   const client = new JwksClient(options);

src/integrations/passport.js

@@ -19,6 +19,10 @@ module.exports.passportJwtSecret = (options) => {
     throw new ArgumentError('An options object must be provided when initializing passportJwtSecret');
   }
 
+  if (!options.jwksUri && !options.jwksObject) {
+    throw new ArgumentError('No JWKS provided. Please provide a jwksUri or jwksObject');
+  }
+
   const client = new JwksClient(options);
   const onError = options.handleSigningKeyError || handleSigningKeyError;
 

tests/jwksClient.tests.js

@@ -5,6 +5,7 @@ import { expect } from 'chai';
 
 import { x5cMultiple } from './keys';
 import { JwksClient } from '../src/JwksClient';
+import jwksObject from './mocks/jwks.json';
 
 describe('JwksClient', () => {
   const jwksHost = 'http://my-authz-server';
@@ -65,6 +66,18 @@ describe('JwksClient', () => {
       });
     });
 
+    it('should return keys that are directly provided', done => {
+      const client = new JwksClient({ jwksObject });
+
+      client.getKeys((err, respKeys) => {
+        expect(err).to.be.null;
+        expect(respKeys).not.to.be.null;
+        expect(respKeys.length).to.equal(jwksObject.keys.length);
+        expect(respKeys[1].kid).to.equal(jwksObject.keys[1].kid);
+        done();
+      });
+    });
+
     it('should set request agentOptions when provided', done => {
       nock(jwksHost)
         .get('./well-known/jwks.json')

tests/koa.tests.js

@@ -11,7 +11,7 @@ const koaJwt = require('koa-jwt');
 const jwksRsa = require('../src');
 
 describe('koaJwtSecret', () => {
-  it('should throw error if options.jwksUri is null', () => {
+  it('should throw error if options.jwksUri and options.jwksObject is null', () => {
     let err = null;
 
     try {

tests/mocks/jwks.json

@@ -0,0 +1 @@
+{"keys": [{"alg":"RS256","kty":"RSA","use":"sig","x5c":["pk1"],"kid":"ABC"},{"alg":"RS256","kty":"RSA","use":"sig","x5c":[],"kid":"123"}]}

tests/passport.tests.js

@@ -13,7 +13,7 @@ const ExtractJwt = require('passport-jwt').ExtractJwt;
 const jwksRsa = require('../src');
 
 describe('passportJwtSecret', () => {
-  it('should throw error if options.jwksUri is null', () => {
+  it('should throw error if options is null', () => {
     let err = null;
 
     try {
@@ -25,6 +25,18 @@ describe('passportJwtSecret', () => {
     expect(err instanceof jwksRsa.ArgumentError).to.be.true;
   });
 
+  it('should throw error if options.jwksUri and options.jwksObject is null', () => {
+    let err = null;
+
+    try {
+      new jwksRsa.passportJwtSecret({});
+    } catch (e) {
+      err = e;
+    }
+
+    expect(err instanceof jwksRsa.ArgumentError).to.be.true;
+  });
+
   it('should accept the secret function', () => {
     new JwtStrategy(
       {