Fetch jwk via sub request to upstream service

[1-alex98]

Instead of reading the key from file or config, allow getting the key via http
Similar to see auth_jwt_key_request in nginx plus docs

[JoshMcCullough]

Thanks for the suggestion, we'll see what's involved in supporting this.

[racic]

I second that

[jessfdm-codes]

Any advance on this? At the moment it's our main concern with using this module as we'd rather point to our KeyCloak instead of managing keys ourselves

[JoshMcCullough]

Can you give some examples -- is it just a simple, unauthenticated URL, a URL with a token in it, etc...?

[jessfdm-codes]

So an example would be keyclock which exposes the url http://[keycloak-instance]/realms/[realm]/protocol/openid-connect/certs which is unauthenticated and returns a jwk file as a json object https://datatracker.ietf.org/doc/html/rfc7517

[jessfdm-codes]

Oops, wrong endpoint it would be this one: https://[keycloak-domain]/realms/[realm]/.well-known/openid-configuration

[jessfdm-codes]

/.well-known/openid-configuration is standard across other IdP's as well I believe - and the public key. From there the actual jwks is in the object that is returned under .jwks_uri - so either you could pull it from that URL (and have that jwks url be the thing that's actually queries) or pull it from openid-configuration but that's just an extra step.

None of these calls need any authentication to get to

[1-alex98]

I have implemented an endpoint by my own in my application. Also JWK.
Here is the specification for jwk and an example
https://www.rfc-editor.org/rfc/rfc7517.html#appendix-A.2

it is an unauthenticated URL

[1-alex98]

A lot of times jwk is supported by jwt libaries

[1-alex98]

You'll need to parse the JWK to extract the key material. JWKs are JSON objects, and libjwt itself doesn't directly handle the conversion of JWK to a usable format for JWT signing/verification. You might need to use a JSON parsing library (like Jansson) in conjunction with libjwt.