This repository was archived by the owner on Jan 26, 2025. It is now read-only.
Package improvements #30
Description
Hey guys,
I'm working on implementing a REST API secured by an Okta Authorization server. Although this package provides everything I need for development, I think I'll face some issues when it comes to production usage. My concerns are the following:
- JWK usage: the package currently loads the JWKs via each
Adaptorimplementation. This is not only a duplication of concerns (both existing adaptor implementations need to implement the fetching of keys even though it is the same process), but it also make it impossible to implement a caching layer so the keys are not loaded from Okta each time a token needs to be verified: the verifier currently makes 2 calls to okta during each request, first to get the jwk url from the authorization server metadata and then to get the keys from that url. - Since Okta access tokens always contain
cidclaim, according to current implementation ofJwtVerifierit must always be verified. My only problem with that is the verifier only supports a single client ID , which means all the consumers of my API must obtain the token using the same Okta app.
I'm wondering if I'm exaggerating these problems due to my limited experience with Okta and Oauth, or they are valid concerns?
I am happy to contribute to this package if that the following improvements should be made:
- inject
KeyRepositoryintoJwtVerifierthat is responsible for fetching (and caching) JWKs, instead of usingAdaptor::getKeys()method. - support passing an array of client IDs to
JwtVerifierso it verifies tokens issued for any of the allowed clients.