Verify token signature from public key in third party service

[leogout]

Hello, I would like to know if the library exposes anything related to the public key used for an RS256 token signature. For example, something like a view that returns the public key associated with the private key used to sign the token ?

This way I could fetch that pubkey in another web service, then cache it and verify my token from there without having to call the /verify/ endpoint everytime.

What do you think ?

[Andrew-Chen-Wang]

I'm somewhat confused.

Are you saying the same pairs are stored in two different services? If you're caching something, then cache it via JS CacheStorage or whatever language you're using. Maybe I'm just dumb;. I don't know :P Please clarify and thanks!

[leogout]

No I am using this token other applications. I have multiple clients using the same endpoint to get a token. This token must in turn be verified by my clients. To do that, I want to fetch the public key from my token endpoint to verify the claims of that token.
Maybe I am off track here and thats not at all how I should do it. I am aware of the /verify endpoint but this would mean that I have to make a call to this endpoint each time a new token is encountered. If I could get the public key instead, my clients could verify the token integrity without calling /verify each time.

Anyways I ended up creating my own /pubkey endpoint which provides my public key as a JWK.
I was just wondering if something similar was provided by that library, because I thought my usecase wasn't uncommon.

[damelLP]

Yeah I don't think this usecase is uncommon as it looks like this is needed for Auth0 compatibility: https://auth0.com/docs/quickstart/backend/django/01-authorization#validate-access-tokens

the custom jwt bit at the bottom

def jwt_decode_token(token):
    header = jwt.get_unverified_header(token)
    jwks = requests.get('https://{}/.well-known/jwks.json'.format('YOUR_DOMAIN')).json()
    public_key = None
    for jwk in jwks['keys']:
        if jwk['kid'] == header['kid']:
            public_key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(jwk))

    if public_key is None:
        raise Exception('Public key not found.')

    issuer = 'https://{}/'.format('YOUR_DOMAIN')
    return jwt.decode(token, public_key, audience='YOUR_API_IDENTIFIER', issuer=issuer, algorithms=['RS256'])

What about adding a JWKS_URL setting and in the TokenBackend creating a PyJWKClient to get the signing key if JWKS_URL is set:

https://pyjwt.readthedocs.io/en/latest/usage.html#retrieve-rsa-signing-keys-from-a-jwks-endpoint

[Andrew-Chen-Wang]

That sounds like OAuth2 (from the well-known path). Are you sure you aren't supposed to be using django-oauth-toolkit?

If anything, PRs welcome!

[damelLP]

That sounds like OAuth2 (from the well-known path). Are you sure you aren't supposed to be using django-oauth-toolkit?

If anything, PRs welcome!

In my case I'm looking to have auth handled outside of django but be able to authenticate a user for endpoints handled by django. So I'm using an external auth handler that has Oauth2 etc... https://auth0.com/

Then using jwt tokens to authenticate endpoints in django as per their docs:
https://auth0.com/docs/quickstart/backend/django/01-authorization#validate-access-tokens

but I noticed it was for drf-jwt and not simplejwt

[Andrew-Chen-Wang]

Yea, due to the archiving of drf-jwt and the endorsement of simplejwt by the head owner, many Auth0 users have been coming here, where there wasn't as much interest in the past to get the ball rolling on integrating well with Auth0. Thus, all Auth0 examples use drf-jwt but everyone ends up here due to the archiving of the drf-jwt lib.

However, this is now the go-to library, and I do hope people still marking some PRs to help with the integration process.

I'm lost in time since I neither use their service nor have the time (sophomore in college; can't wait to die :D 👍). So PRs are super appreciative (unless they're not necessary and the auth0 team just needs to migrate their docs)! I've seen other people using their auth handler; don't know how others have been doing it; highly encourage posting on the auth0 forums to tell them "hey please migrate your docs :)"

[damelLP]

I think this PR covers it #437 from what I could see

[damelLP]

unless there is an existing mechanism for handling the rotating keys?

[Andrew-Chen-Wang]

@damelLP added my review. I've got some other questions that I'd rather address in the PR though, especially in regards to your comment about unless there is an existing mechanism for handling the rotating keys.