How to validate JWT token using this library. #22
-
Heya, First off, thanks for the project. This seems to literally be the only OpenID Connect/OAuth2 library that doesn't use NodeJS libraries. I managed to implement an Authorization Grant Code flow, the only thing I'm struggling with is how to use this library to actually validate the JWT. I obviously can issue an Introspection Request on each API call to the AS but that would be subpar from a performance perspective and I would rather just validate the JWT. What am I missing? Thanks!
Replies: 2 comments
-
Answered my own question. Apologies, I'm an OpenID/OAuth n00b. The answer is to use the following:

```ts
import * as oauth2 from '@panva/oauth4webapi'
import * as jose from 'jose'

// Discover the Authorization Server metadata once, at startup.
// Placeholder: replace with the issuer identifier of your AS.
const issuer = new URL('https://AS_ISSUER_PLACEHOLDER')
const as: oauth2.AuthorizationServer = await oauth2
  .discoveryRequest(issuer)
  .then((response) => oauth2.processDiscoveryResponse(issuer, response))

// Remote JWKS; jose caches it and re-fetches when an unknown kid shows up.
const JWKS = jose.createRemoteJWKSet(new URL(as.jwks_uri!))

// Inside the request handler (`c` is the framework's request context).
const authorization = c.req.headers.get('Authorization')
if (!authorization) return c.body('Unauthorized', 401)
const parts = authorization.split(/\s+/)
// Expect exactly "Bearer <token>".
if (parts.length !== 2 || parts[0] !== 'Bearer') return c.body('Unauthorized', 401)
try {
  const { payload, protectedHeader } = await jose.jwtVerify(parts[1], JWKS, {
    // Bind the token to the discovered AS; add `audience` with your API's
    // identifier once the AS issues tokens with an `aud` claim.
    issuer: as.issuer,
  })
  console.log(protectedHeader)
  console.log(payload)
} catch (e) {
  console.log(e)
  return new Response(`${e}`, {
    status: 401,
    statusText: 'Unauthorized',
  })
}
```
-
FWIW since v2.8.0 it is possible to use `oauth4webapi` to validate an incoming request as a Resource Server would, with an incoming `Request` instance using `validateJwtAccessToken`, as long as it uses a JWT Access Token as per RFC 9068.