How do I verify a token with the cloudflare-worker-jwt library
-
I want to use a token signed by FusionAuth with an RS256 key with this library: https://github.com/tsndr/cloudflare-worker-jwt
But it doesn't explicitly say it works with JWKS (it only implies it).
How can I do this?
-
Here's a more full featured implementation:
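import jwt from '@tsndr/cloudflare-worker-jwt';
import dev_jwks from './jwks/dev.json';

/**
 * Picks the JWK to verify a token with.
 *
 * A token whose header names a `kid` must match a key in the set; a token
 * without a `kid` falls back to the first key, as the original example did.
 *
 * @param {Array<object>} keys - The `keys` array of the bundled JWKS.
 * @param {string|undefined} kid - Key id from the (unverified) token header.
 * @returns {object|undefined} The matching JWK, or undefined when none fits.
 */
function selectKey(keys, kid) {
  if (!Array.isArray(keys) || keys.length === 0) {
    return undefined;
  }
  if (kid == null) {
    return keys[0];
  }
  return keys.find((key) => key.kid === kid);
}

/**
 * Checks an `aud` claim against the expected audience.
 * RFC 7519 allows `aud` to be a single string or an array of strings.
 *
 * @param {string|string[]|undefined} aud - The `aud` claim of the payload.
 * @param {string} expected - The audience this worker accepts.
 * @returns {boolean}
 */
function audienceMatches(aud, expected) {
  return Array.isArray(aud) ? aud.includes(expected) : aud === expected;
}

/**
 * Wraps a request handler so it only runs for requests carrying a valid
 * RS256 JWT in the Authorization header.
 *
 * The bearer token is verified against a key from the bundled JWKS before
 * the handler is reached. The algorithm is pinned to RS256 because the
 * library does not take it from the token header.
 *
 * @param {(request: Request, response: any) => Promise<Response>} handler
 *   The protected handler; called only after verification succeeds.
 * @param {{ issuer?: string, audience?: string }} [claims]
 *   Optional expected `iss` / `aud` values. When given, the verified payload
 *   must match them; when omitted no issuer/audience check is made (the
 *   original behaviour).
 * @returns {(request: Request, response: any) => Promise<Response>}
 *   A handler that answers with `json_error` (defined outside this file) on
 *   any authentication failure.
 */
function authenticate(handler, { issuer, audience } = {}) {
  return async function (request, response) {
    const headers = request.headers;
    if (!headers.has("Authorization")) {
      return json_error(401, "No Auth header present");
    }
    const authHeader = headers.get("Authorization");
    if (!authHeader.startsWith("Bearer ")) {
      return json_error(403, "Bad auth header");
    }
    const token = authHeader.slice(7);

    let decoded;
    try {
      // Decoding is not verification: only the header's `kid` is read here,
      // to choose the public key. Nothing from the payload is trusted until
      // jwt.verify has succeeded below.
      decoded = jwt.decode(token);
    } catch (e) {
      return json_error(403, "Unable to decode token");
    }

    const key = selectKey(dev_jwks.keys, decoded?.header?.kid);
    if (key === undefined) {
      return json_error(403, "Unknown signing key");
    }

    let verified;
    try {
      verified = await jwt.verify(token, key, { algorithm: "RS256" });
    } catch (e) {
      // The library throws (rather than returning false) on some malformed
      // inputs; that must be a 403, not an unhandled error from the worker.
      return json_error(403, "Bad auth token");
    }
    if (!verified) {
      return json_error(403, "Bad auth token");
    }

    // The signature is valid from here on; the library checks exp/nbf, but
    // issuer and audience are left to the caller, so check them when given.
    const payload = decoded?.payload;
    if (issuer !== undefined && payload?.iss !== issuer) {
      return json_error(403, "Bad token issuer");
    }
    if (audience !== undefined && !audienceMatches(payload?.aud, audience)) {
      return json_error(403, "Bad token audience");
    }

    return await handler(request, response);
  };
}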
where
json_error
is an error handler function outside the scope of this example and the JWKS file is downloaded and put into './jwks/dev.json'
and the key is known to exist in the first entry in that array. A more sophisticated version would examine the key id from the token header and find the corresponding public key in the JWKS array.
-
You have to do a few things:
- download the JWKS file yourself (here's info on where to find it)
- select the key
- specify the algorithm (the library doesn't examine the header of the token to determine the algorithm)
So here's what it might look like:
// Verify the bearer token against the first JWK of the downloaded set. The
// algorithm must be passed explicitly: the library does not read it from
// the token header.
let verification = await jwt.verify(token, jwks.keys[0], {algorithm: "RS256"});
-
Here's a more full featured implementation:
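import jwt from '@tsndr/cloudflare-worker-jwt';
import dev_jwks from './jwks/dev.json';

/**
 * Picks the JWK to verify a token with.
 *
 * A token whose header names a `kid` must match a key in the set; a token
 * without a `kid` falls back to the first key, as the original example did.
 *
 * @param {Array<object>} keys - The `keys` array of the bundled JWKS.
 * @param {string|undefined} kid - Key id from the (unverified) token header.
 * @returns {object|undefined} The matching JWK, or undefined when none fits.
 */
function selectKey(keys, kid) {
  if (!Array.isArray(keys) || keys.length === 0) {
    return undefined;
  }
  if (kid == null) {
    return keys[0];
  }
  return keys.find((key) => key.kid === kid);
}

/**
 * Checks an `aud` claim against the expected audience.
 * RFC 7519 allows `aud` to be a single string or an array of strings.
 *
 * @param {string|string[]|undefined} aud - The `aud` claim of the payload.
 * @param {string} expected - The audience this worker accepts.
 * @returns {boolean}
 */
function audienceMatches(aud, expected) {
  return Array.isArray(aud) ? aud.includes(expected) : aud === expected;
}

/**
 * Wraps a request handler so it only runs for requests carrying a valid
 * RS256 JWT in the Authorization header.
 *
 * The bearer token is verified against a key from the bundled JWKS before
 * the handler is reached. The algorithm is pinned to RS256 because the
 * library does not take it from the token header.
 *
 * @param {(request: Request, response: any) => Promise<Response>} handler
 *   The protected handler; called only after verification succeeds.
 * @param {{ issuer?: string, audience?: string }} [claims]
 *   Optional expected `iss` / `aud` values. When given, the verified payload
 *   must match them; when omitted no issuer/audience check is made (the
 *   original behaviour).
 * @returns {(request: Request, response: any) => Promise<Response>}
 *   A handler that answers with `json_error` (defined outside this file) on
 *   any authentication failure.
 */
function authenticate(handler, { issuer, audience } = {}) {
  return async function (request, response) {
    const headers = request.headers;
    if (!headers.has("Authorization")) {
      return json_error(401, "No Auth header present");
    }
    const authHeader = headers.get("Authorization");
    if (!authHeader.startsWith("Bearer ")) {
      return json_error(403, "Bad auth header");
    }
    const token = authHeader.slice(7);

    let decoded;
    try {
      // Decoding is not verification: only the header's `kid` is read here,
      // to choose the public key. Nothing from the payload is trusted until
      // jwt.verify has succeeded below.
      decoded = jwt.decode(token);
    } catch (e) {
      return json_error(403, "Unable to decode token");
    }

    const key = selectKey(dev_jwks.keys, decoded?.header?.kid);
    if (key === undefined) {
      return json_error(403, "Unknown signing key");
    }

    let verified;
    try {
      verified = await jwt.verify(token, key, { algorithm: "RS256" });
    } catch (e) {
      // The library throws (rather than returning false) on some malformed
      // inputs; that must be a 403, not an unhandled error from the worker.
      return json_error(403, "Bad auth token");
    }
    if (!verified) {
      return json_error(403, "Bad auth token");
    }

    // The signature is valid from here on; the library checks exp/nbf, but
    // issuer and audience are left to the caller, so check them when given.
    const payload = decoded?.payload;
    if (issuer !== undefined && payload?.iss !== issuer) {
      return json_error(403, "Bad token issuer");
    }
    if (audience !== undefined && !audienceMatches(payload?.aud, audience)) {
      return json_error(403, "Bad token audience");
    }

    return await handler(request, response);
  };
}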
where
json_error
is an error handler function outside the scope of this example and the JWKS file is downloaded and put into './jwks/dev.json'
and the key is known to exist in the first entry in that array. A more sophisticated version would examine the key id from the token header and find the corresponding public key in the JWKS array.
-