Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[QUESTION] Support for customizing default verification #147

Open
bigen1925 opened this issue Nov 3, 2023 · 1 comment
Open

[QUESTION] Support for customizing default verification #147

bigen1925 opened this issue Nov 3, 2023 · 1 comment
Labels
question Further information is requested

Comments

@bigen1925
Copy link

bigen1925 commented Nov 3, 2023
edited

Question
Would it be acceptable to add a support for customizing default verification?

Thanks in advance for develop and maintenance this great library!
This save me from many complex lines and common mistakes.

Btw, I use the emulator of cognito in local development environment (and real cognito in production).
It works with container and in local endpoint (ex, http://localhost:9229).

I want to use aws-jwt-verify with it , but there are some issues.

  • jwks_uri is needed to customize (this is possible)
    • ex) jwksUri: settings.cognitoEndpoint && `${settings.cognitoEndpoint}/.well-known/jwks.json`
  • user-pool-id is generated as local_xxxxxx with the emulator, and user-pool-id verification is failed.
  • issuer in JWT become http://localhost:9229/ with the emulator, and issuer verification is failed.
  • and there may be more ( now verification is stopped with issuer error )

I'm happy if I can handle these with aws-jwt-verify in some way.

There are some possible solutions, but I think most of those are more or less emulator-specific.
For example,

  • CognitoJwtVerifier receive customEndpoint as a parameter, and use it as endpoint of jwksUri and issuer verification
    • emulators may use or not the same path as a jwksUri
    • emulators may use or not the same string as a issuer
  • when customEndpoint is specified, skip user-pool-id verification
    • if emulators doesn't custom region name, verification should not be skipped.

So, I think well new feature is

  • CognitoJwtVerifier receive customUserPoolIdCheck customIssuerCheck and override default behavior
  • or, receive customDefaultCheck and override all default check.

I understand and agree that aws-jwt-verify should focus on real AWS services.
This feature weaken security with wrong use so I'm wondering if it is acceptable.

On the other hand, many aws-sdk clients are basically support for customEndpoint and can use with several emulators.
I would be happy if aws-jwt-verify can use with them :)

Versions
Which version of aws-jwt-verify are you using?
4.0.0
Are you using the library in Node.js or in the Web browser?
Node.js
If Node.js, which version of Node.js are you using? (Should be at least 14)
18.12.1
If Web browser, which web browser and which version of it are you using?

If using TypeScript, which version of TypeScript are you using? (Should be at least 4)
5.1.6
@bigen1925 bigen1925 added the question Further information is requested label Nov 3, 2023
@ottokruse
Copy link
Contributor

Valid request! Thanks for posting.

We need some time to research this and form an opinion. Thanks for your suggestions and ideas, that's very helpful.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ottokruse @bigen1925