Support for "jku" header?

[ekosz]

Hi there,

I noticed jose doesn't currently have support for the "jku" header. My questions are:

1. Is jose open to updating the JoseHeaderParameters type to add "jku"?
2. Would the jose project be open to using that header to fetch / use the JWK set returned from that URL natively?

I was think of opening PRs for both of these, but I wanted to make sure the project was open to it first.

Cheers!

[panva]

but I wanted to make sure the project was open to it first.

Amazing that you asked first, i would hate to disappoint you if you worked on a PR but had parts of it rejected.

Is jose open to updating the JoseHeaderParameters type to add "jku"?

Absolutely, I don't see a reason why not. but given that JWSHeaderParameters and JWEHeaderParameters both have indexable string properties I don't think it's strictly necessary. I don't mind it tho.

Would the jose project be open to using that header to fetch / use the JWK set returned from that URL natively?

Not natively no, there's too much risk involved in it to have it exposed natively. But also, there's already a native function built in that you can wrap around with minimal code to achieve it.

import { createRemoteJWKSet } from 'jose/jwks/remote'
import { jwtVerify } from 'jose/jwt/verify'

const cache = new Map(); // replace with lru-cache?
const memoize = (jku) => {
  if (!cache.has(jku)) {
    cache.set(jku, createRemoteJWKSet(new URL(jku)))
  }
  
  return cache.get(jku);
}

function jkuJWKS(...args) {
  const { jku } = args[0]
  if (!jku || !allowed(jku)) {
    // error?
  }
  
  return memoize(jku)(...args)
}

const { payload, protectedHeader } = await jwtVerify(jwt, jkuJWKS, {
  issuer: 'urn:example:issuer',
  audience: 'urn:example:audience'
})

[ekosz]

That's basically the exact code I wrote haha! But totally makes sense that you would like to keep that in userland.

I'll open the PR to add just the addition to the types, just so there is typehead/docs around it. What do you think of another PR that would add a snippet like this to the docs around createRemoteJWKSet to show how one would use it with the jku header?

[panva]

What do you think of another PR that would add a snippet like this to the docs around...

I'm fairly confident that if someone were to search for it now they would find this discussion.