Node-jsonwebtoken: support verifying against multiple PEM certs

Created on 21 Jan 2016 · 3 Comments · Source: auth0/node-jsonwebtoken

Google OAuth 2.0 uses two certs. Would be awesome if we could supply a concatenated string of all of them, and node-jsonwebtoken checked each in turn.

EDIT: I need to check them all because the PEM doesn't include the kid. If you guys supported JWK, the problem wouldn't exist.

EDIT2: I realized Google supplies kids even for their PEM certs. But I guess the issue might be helpful to others.

Most helpful comment

So, for the case of Google, you should first get the kid by using jwt.decode and then use the correct PEM to validate the token.

All 3 comments

^ Maybe this should be added as a remark in docs?

Here is how I solved this back then:

https://github.com/auth0/connect-google-jwt/blob/master/index.js

I haven't used this code in a while, it might be outdated.
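The kid-first lookup recommended in the comments above, as an added example that is not code from this thread or from node-jsonwebtoken: it uses only Node's built-in crypto so it runs offline, where jwt.decode(token, {complete: true}) and jwt.verify(token, pem, {algorithms: ['RS256']}) would do the same two steps with the library. The kids, key pairs and the signToken/verifyWithKid helpers are constructed for illustration, and claim checks (exp, aud, iss) are left out.

```javascript
// Added example: kids, keys and helper names are constructed for illustration.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Constructed stand-ins for the provider's published certs, indexed by kid.
function makeKey() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}
const keyA = makeKey();
const keyB = makeKey();
const pemsByKid = { 'kid-a': keyA.publicKey, 'kid-b': keyB.publicKey };

// Helper for the demo: mint an RS256 token that carries a kid header.
function signToken(payload, kid, privateKeyPem) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${header}.${body}`), privateKeyPem);
  return `${header}.${body}.${b64url(sig)}`;
}

// Read kid from the unverified header, pick that one PEM, then verify with it.
function verifyWithKid(token, keys) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // The header is untrusted input: pin the algorithm and use kid only as a lookup key.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const known = typeof header.kid === 'string' &&
    Object.prototype.hasOwnProperty.call(keys, header.kid);
  if (!known) throw new Error('unknown kid');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`),
    keys[header.kid], Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('invalid signature');
  return JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
}
```

An unknown kid is rejected outright rather than falling back to trying every cert, so the signature is only ever checked against the one key the token names.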
