JWT RS256 Token Validation



I'm trying to write a plugin to validate the integrity of a JWT token emitted by my IdP (IdentityServer 4).


  1. Retrieve the JWKS from the discovery endpoint, and filter for potential signing keys (e.g., any keys missing a public key or with a kid property).
  2. Extract the JWT from the request’s authorization header and decode it.
  3. Grab the kid property from the header of the decoded JWT.
  4. Search your filtered JWKS for the key with the matching kid property.
  5. Build a certificate using the corresponding x5c property in your JWKS.
  6. Use the certificate to verify the JWT’s signature.

I'm using the verify method of https://github.com/Kong/kong/blob/master/kong/plugins/jwt/jwt_parser.lua but I'm getting this error: "Consumer Public Key is Invalid"

Any idea or help?



I've made some progress on the plugin and it's working now, with a little workaround.

I need to find a way to convert x5c to PEM format; with that, the plugin works well.
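
The x5c-to-PEM conversion mentioned in the last post, together with steps 3 to 5 of the list, as an added example that is not from the original poster or from Kong. It is plain Lua; the function names, the sample JWKS and the placeholder x5c value are constructed for illustration.

```lua
-- Added example, not Kong's or the poster's code.
-- x5c entries are standard base64 DER (RFC 7517, section 4.7), so PEM is
-- the same base64 wrapped at 64 columns between certificate markers.
local function x5c_to_pem(entry)
  if type(entry) ~= "string" or entry == "" then
    return nil, "x5c entry missing"
  end
  local b64 = entry:gsub("%s+", "")
  if b64:find("[^A-Za-z0-9+/=]") then
    return nil, "x5c entry is not standard base64"
  end
  local lines = { "-----BEGIN CERTIFICATE-----" }
  for i = 1, #b64, 64 do
    lines[#lines + 1] = b64:sub(i, i + 63)
  end
  lines[#lines + 1] = "-----END CERTIFICATE-----"
  return table.concat(lines, "\n") .. "\n"
end

-- Steps 3-5: pick the key whose kid matches the token header, then build
-- the PEM from the first x5c entry (the certificate holding the key).
local function pem_for_token(jwks, header)
  if header.alg ~= "RS256" then
    return nil, "unexpected alg" -- pin the algorithm, never trust the header
  end
  if type(header.kid) ~= "string" then
    return nil, "token header has no kid"
  end
  for _, key in ipairs(jwks.keys or {}) do
    if key.kid == header.kid and key.kty == "RSA" then
      if type(key.x5c) ~= "table" then
        return nil, "matching key has no x5c"
      end
      return x5c_to_pem(key.x5c[1])
    end
  end
  return nil, "no JWKS key matches kid"
end

-- Constructed sample data: placeholder base64, not a real certificate.
local jwks = { keys = { { kty = "RSA", kid = "example-kid",
                          x5c = { string.rep("QUJD", 40) } } } }
local pem, err = pem_for_token(jwks, { alg = "RS256", kid = "example-kid" })
print(pem or ("error: " .. err))
```

The result is a certificate PEM; a verify function that expects a bare public key needs the key extracted from the certificate first, which this example does not do.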