Consider adding a JWKS retriever helper

[chx]

I am using the helper below but integrating this with decode would avoid decoding twice:

  protected static function getJwks(string $token): array {
    [, $claims_encoded] = explode('.', $token);
    if (!$claims_json = JWT::urlsafeB64Decode($claims_encoded)) {
      throw new \InvalidArgumentException("Unable to decode JWT token claims $claims_encoded");
    }
    if (!$claims = JWT::jsonDecode($claims_json)) {
      throw new \InvalidArgumentException("JWT token claims is invalid JSON $claims_json");
    }
    if (!isset($claims->iss)) {
      throw new \InvalidArgumentException(\sprintf("JWT token claims do not contain issuer $claims_json"));
    }
    $url = $claims->iss . "/.well-known/openid-configuration";
    if (!$configuration_json = @file_get_contents($url)) {
      throw new \LogicException("Unable to read OpenID issuer configuration from $url");
    }
    if (!$configuration = @json_decode($configuration_json, TRUE)) {
      throw new \LogicException("Unable to parse OpenID issuer configuration $configuration_json");
    }
    if (!isset($configuration['jwks_uri'])) {
      throw new \LogicException("OpenID issuer configuration does not contain jwks_uri $configuration_json");
    }
    $jwks_uri = $configuration['jwks_uri'];
    if (!$keys_json = @file_get_contents($jwks_uri)) {
      throw new \LogicException("Unable to read OpenID keys from $jwks_uri");
    }
    if (!$keys = @json_decode($keys_json, TRUE)) {
      throw new \LogicException("Unable to parse OpenID keys $keys_json");
    }
    return JWK::parseKeySet($keys);
  }

[bshaffer]

Could you provide more information (and be explicit) about what it is you're looking for?

[chx]

Currently you need to provide a set of keys like this: JWT::decode($jwt, JWK::parseKeySet($jwks)); but if the server supports discovery then you only need $jwt.

To quote:

Using the Issuer location discovered as described in Section 2 or by other means, the OpenID Provider's configuration information can be retrieved.

OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer. The syntax and semantics of .well-known are defined in RFC 5785 [RFC5785] and apply to the Issuer value when it contains no path component.

That's what I am after. The code above takes iss from a JWT, concats /.well-known/openid-configuration as described in the specification, retrieves the config and from there it retrieves the key set specified in jwks_uri.

auth0 supports this: https://auth0.com/docs/get-started/applications/configure-applications-with-oidc-discovery

Microsoft Entra: https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#find-your-apps-openid-configuration-document-uri

Google Identity: https://developers.google.com/identity/openid-connect/openid-connect#getcredentials

[bshaffer]

In other words, you're requesting that this library support discovery?

[chx]

Yes. I supplied the code to do so. In other words... it works for me :)

[bshaffer]

If you like, submit a Pull Request with the changes you'd like to see in this library (along with testing) and I'm happy to review it!

I'm also happy to incorporate this feature when I get the chance, if you are unfamiliar with (or don't want to go through) the pull request process.

[chx]

My problem with the PR is the required signature change to JWT::decode(). It's currently decode(string $jwt, $keyOrKeyArray) are you ok with making $keyOrKeyArray optional?