Nonsense Parser Microframework

    jwks-rsa
    TypeScript icon, indicating that this package has built-in type declarations

    2.0.4 • Public • Published

    jwks-rsa

    CircleCI codecov NPM version License Downloads FOSSA Status

    A library to retrieve signing keys from a JWKS (JSON Web Key Set) endpoint.

    npm install --save jwks-rsa

    Usage

    You'll provide the client with the JWKS endpoint which exposes your signing keys. Using the getSigningKey you can then get the signing key that matches a specific kid.

    const jwksClient = require('jwks-rsa');
    
    const client = jwksClient({
      jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json',
      requestHeaders: {}, // Optional
      timeout: 30000 // Defaults to 30s
    });
    
    const kid = 'RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg';
    const key = await client.getSigningKey(kid);
    const signingKey = key.getPublicKey();

    Integrations

    API

    JwksClient Options

    • jwksUri: a string that represents the JWKS URI
    • timeout = 30000: (optional) an integer in miliseconds that controls the request timeout
    • cache = true: (optional) enables a LRU Cache (details)
    • rateLimit: (optional) the default fetcher function (details)
    • fetcher: (optional) a Promise returning function to fetch data from the JWKS URI
    • requestHeaders: (optional) an object of headers to pass to the request
    • requestAgent: (optional) a Node http.Agent to be passed to the http(s) request
    • getKeysInterceptor: (optional) a promise returning function hook (details)

    Caching

    By default, signing key verification results are cached in order to prevent excessive HTTP requests to the JWKS endpoint. If a signing key matching the kid is found, this will be cached and the next time this kid is requested the signing key will be served from the cache. The caching behavior can be configured as seen below:

    const jwksClient = require('jwks-rsa');
    
    const client = jwksClient({
      cache: true, // Default Value
      cacheMaxEntries: 5, // Default value
      cacheMaxAge: 600000, // Defaults to 10m
      jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json'
    });
    
    const kid = 'RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg';
    const key = await client.getSigningKey(kid);
    const signingKey = key.getPublicKey();

    Rate Limiting

    Even if caching is enabled the library will call the JWKS endpoint if the kid is not available in the cache, because a key rotation could have taken place. To prevent attackers to send many random kids you can also configure rate limiting. This will allow you to limit the number of calls that are made to the JWKS endpoint per minute (because it would be highly unlikely that signing keys are rotated multiple times per minute).

    const jwksClient = require('jwks-rsa');
    
    const client = jwksClient({
      rateLimit: true,
      jwksRequestsPerMinute: 10, // Default value
      jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json'
    });
    
    const kid = 'RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg';
    const key = await client.getSigningKey(kid);
    const signingKey = key.getPublicKey();

    Using Request Agent for TLS/SSL Configuration

    The requestAgent property can be used to configure SSL/TLS options. An example use case is providing a trusted private (i.e. enterprise/corporate) root certificate authority to establish TLS communication with the jwks_uri.

    const jwksClient = require("jwks-rsa");
    const https = require('https');
    const client = jwksClient({
      jwksUri: 'https://my-enterprise-id-provider/.well-known/jwks.json',
      requestHeaders: {}, // Optional
      requestAgent: new https.Agent({
        ca: fs.readFileSync(caFile)
      })
    });

    Proxy configuration

    You can configure a proxy with using a custom http(s) agent in the requestAgent option.

    Loading keys from local file, environment variable, or other externals

    The getKeysInterceptor property can be used to fetch keys before sending a request to the jwksUri endpoint. This can be helpful when wanting to load keys from a file, env variable, or an external cache. If a KID cannot be found in the keys returned from the interceptor, it will fallback to the jwksUri endpoint. This property will continue to work with the provided LRU cache, if the cache is enabled.

      const client = new JwksClient({ 
        jwksUri: 'https://my-enterprise-id-provider/.well-known/jwks.json',
        getKeysInterceptor: () => {
          const file = fs.readFileSync(jwksFile);
          return file.keys;
        }
      });

    Running Tests

    npm run test
    

    Showing Trace Logs

    To show trace logs you can set the following environment variable:

    DEBUG=jwks
    

    Output:

    jwks Retrieving keys from http://my-authz-server/.well-known/jwks.json +5ms
    jwks Keys: +8ms [ { alg: 'RS256',
      kty: 'RSA',
      use: 'sig',
      x5c: [ 'pk1' ],
      kid: 'ABC' },
    { alg: 'RS256', kty: 'RSA', use: 'sig', x5c: [], kid: '123' } ]
    

    License

    This project is licensed under the MIT license. See the LICENSE file for more info.

    FOSSA Status

    Keywords

    Install

    npm i jwks-rsa

    DownloadsWeekly Downloads

    1,405,750

    Version

    2.0.4

    License

    MIT

    Unpacked Size

    27.9 kB

    Total Files

    23

    Last publish

    Collaborators

    • charlesrea
    • julien.wollscheid
    • auth0-oss
    • texeira
    • codepete
    • ziluvatar
    • iaco
    • cocojoe
    • fyockm
    • auth0npm
    • auth0alec
    • auth0brokkr
    • hzalaz
    • glena
    • aaguiarz
    • machuga
    • lbalmaceda
    • jstrutz
    • cristiandouce
    • heyitsry
    • sambego
    • stevehobbsdev
    • bmaxwella0
    • davidmoses
    • sandrinodimattia
    • lzychowski
    • joshcanhelp
    • rob.coles
    • faroceann
    • rosnovsky
    • davidpatrick0
    • widcket
    • adamjmcgrath
    • ldoorz
    • th3maio
    • jim.andersoon
    • fadymak
    • navrupt
    • frederikprijck
    • sergii.biienko
    • tomauth0
    • jakewlacey
    • jpadilla
    • gaj.gulati
    • jessele
    • shushen
    • rhamzeh_auth0
    • greglopez
    • damieng