Description
Checklist
- I have looked into the Readme and Examples, and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Describe the problem you'd like to have solved
I have a service which issues a jwt, but also validates a token it has issued (on a separate request).
I want to provide the jwk from the filesystem (rather than a uri, since the key is already in the service).
I also have multiple auth strategies (meaning upstream issuers).
However, if the provided kid isn't in the response from getKeysInterceptor, it will fall back to the uri.
Since i have multiple strategies, it's normal that an auth token will contain a kid that doesn't exist for one of my strategies.
Describe the ideal solution
Ideally (for the stated use case), there would be no fallback, and i would have the option to supply a function OR a uri to jwksUri in order to load the correct jwk.
This would cause issues with existing consumers who rely on the fallback, so some other more pragmatic options:
- allow
jwksUrito be a function (as well as a string), and if it's a function, execute it in a similar way to howgetKeysInterceptorcurrently works (the existinggetKeysInterceptorfunction still exists and falls back tojwksUri, which is a bit confusing). - add another boolean option
jwksUriFallbackwhich defaults totrueto maintain current functionality (this is the simplest option but makes the config confusing: setting thejwksUriis mandatory but will never be used). - make
jwksUriORgetKeysInterceptorbe required (rather thanjwksUribeing required). IfjwksUriis not set, don't fall back.
Alternatives and current workarounds
No response
Additional context
The existing code looks good so I'm happy to put together a PR implement the chosen solution.