JWKS processing library with caching and rate limiting, using the jose
library to verify tokens.
As this repository does not provide integration middlewares (to avoid pulling in every framework as a dependency), here is how to integrate with it.
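import { JwksClient } from './JwksClient';
import * as jose from 'jose';

// This client definition should be at the top level of your module/plugin so
// that its cache and rate limiting are shared across requests instead of being
// re-created on every token verification.
const client = new JwksClient({
  jwksUri: 'https://oauth.berlingskemedia-testing.net/.well-known/jwks.json',
  requestHeaders: {
    'Content-Type': 'application/json',
    'User-Agent': 'NodeJS',
  }, // Optional
  timeout: 30000, // Defaults to 30s
});

// Your access_token - it should only be taken from the
// `Authorization: Bearer <access_token>` header, never from query strings or bodies.
const jwt = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2Jlcmxpbmdza2UuZGsiLCJhdWQiOiJhcnRpY2xlLXJlYWRlciIsInN1YiI6ImVlOTdiYmMxODI3NTQ3YjZiNGI3MWQ4ZmE5ODRhNjI5IiwibmFtZSI6ImFkbWluIEt1cmVrIiwiZW1haWwiOiJ4cGlrdUBiZXJsaW5nc2tlbWVkaWEuZGsiLCJleHAiOjE3MTE2MjAzNzQsInJvbGVzIjpbXSwic3Vic2NyaXB0aW9uVHlwZXMiOltdLCJjb21wYW55IjoiIiwiaWF0IjoxNzExNjE5NDc0fQ.AKOsMq8Gcnw4C1OkzVmbGQQtVSPfh9kH39FaeO6Q1UIEqeIaSot1azI48-dusR-mao918hzJcWWc4N9mzW02nqTj2blh5DqG8Lc5fnwFrCLEaY59wMFqwVpcUoJZC8IZk8wUx9oI5LR2FDXUdWQVg3j6DPNKH85BYoJ84i3C0dyiRRWAq9VNBc0ibuF3L_qqMUaQkO7uhx9yxS9lLpKFM8d-KFxwR_AZ76WRKuDgDd48QPXy2bHevWCFk6mPdT2mWx4N8kWOVVsJXJVmHL7nGHPR5xc-WqqtlZp4ZOhFo0WhrULKufaCl8fDsGJvsf77fXceWNvgKnsw6Gc_zpZSDg';

// The protected header is decoded WITHOUT checking the signature, so every
// field in it (kid, alg, ...) is untrusted input. It is used only to pick a
// candidate key; nothing else should be trusted from it before jwtVerify.
const jwtHeader = jose.decodeProtectedHeader(jwt);

// kid isn't strictly required, but verification will fail if there is more
// than one key at jwksUri and no kid is present to select one.
const key = await client.getSigningKey(jwtHeader.kid || undefined);

// Import the key with the algorithm the JWKS entry declares, not the
// algorithm claimed by the (unverified) token header.
// NOTE(review): assumes the JWKS entry always carries `alg` - confirm in JwksClient.
const publicKey = await jose.importSPKI(key.publicKey, key.alg);

// Pin the accepted algorithm to the one the JWKS key declares, so a token
// cannot select a different algorithm through its header. Issuer and
// audience verification are optional but add security; enable them with the
// values your issuer actually emits.
// NOTE(review): the sample token's payload decodes to iss "https://berlingske.dk",
// which does not match the commented issuer below - confirm before enabling it.
const { payload, protectedHeader } = await jose.jwtVerify(jwt, publicKey, {
  algorithms: [key.alg],
  // issuer: 'https://oauth.berlingskemedia-testing.net',
  // audience: 'article-reader',
});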
For examples see /src/integrations