
Commit 5e1569e

Merge pull request #1580 from haskell-servant/jkarni/servant-auth-io-keyset
Allow IO in JWTSettings' validationKeys
2 parents c48a670 + 4e8fb04 commit 5e1569e

3 files changed

+18
-5
lines changed


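--- a/changelog.d/1580
+++ b/changelog.d/1580
@@ -0,0 +1,12 @@
+synopsis: Allow IO in validationKeys
+prs: #1580
+issues: #1579
+
+description: {
+
+Currently validationKeys are a fixed JWKSet. This does not work with OIDC
+providers such as AWS Cognito or Okta, which regularly fetching jwks_uri to
+discover new and expired keys.
+
+This change alters the type of validationKeys from JWKSet to IO JWKSet.
+}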

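--- a/servant-auth/servant-auth-server/src/Servant/Auth/Server/Internal/ConfigTypes.hs
+++ b/servant-auth/servant-auth-server/src/Servant/Auth/Server/Internal/ConfigTypes.hs
@@ -33,7 +33,7 @@ data JWTSettings = JWTSettings
 -- | Algorithm used to sign JWT.
 , jwtAlg :: Maybe Jose.Alg
 -- | Keys used to validate JWT.
-, validationKeys :: Jose.JWKSet
+, validationKeys :: IO Jose.JWKSet
 -- | An @aud@ predicate. The @aud@ is a string or URI that identifies the
 -- intended recipient of the JWT.
 , audienceMatches :: Jose.StringOrURI -> IsMatch
@@ -44,7 +44,7 @@ defaultJWTSettings :: Jose.JWK -> JWTSettings
 defaultJWTSettings k = JWTSettings
 { signingKey = k
 , jwtAlg = Nothing
-, validationKeys = Jose.JWKSet [k]
+, validationKeys = pure $ Jose.JWKSet [k]
 , audienceMatches = const Matches }
 
 -- | The policies to use when generating cookies.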
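Review bot: The Haddock on `validationKeys` (`-- | Keys used to validate JWT.`) still reads as describing a value, but the field is now an IO action and nothing on the record says when or how often it is run. The JWT.hs hunk in this same commit runs it on every verifyJWT call, so a user who wires a jwks_uri fetch in here gets one remote round trip per incoming token, and as far as the hunk shows an exception thrown by that action surfaces from verification instead of being reported as a failed check. I would replace the comment with `-- | Action yielding the keys used to validate a JWT. It is run on every verification, so a remote fetch should be cached and refreshed by the caller; exceptions it throws propagate out of verification.` The defaultJWTSettings change (`pure $ Jose.JWKSet [k]`) keeps the previous behaviour and needs nothing further.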

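--- a/servant-auth/servant-auth-server/src/Servant/Auth/Server/Internal/JWT.hs
+++ b/servant-auth/servant-auth-server/src/Servant/Auth/Server/Internal/JWT.hs
@@ -58,14 +58,15 @@ makeJWT v cfg expiry = runExceptT $ do
 
 verifyJWT :: FromJWT a => JWTSettings -> BS.ByteString -> IO (Maybe a)
 verifyJWT jwtCfg input = do
-verifiedJWT <- liftIO $ runExceptT $ do
+keys <- validationKeys jwtCfg
+verifiedJWT <- runExceptT $ do
 unverifiedJWT <- Jose.decodeCompact (BSL.fromStrict input)
 Jose.verifyClaims
 (jwtSettingsToJwtValidationSettings jwtCfg)
-(validationKeys jwtCfg)
+keys
 unverifiedJWT
 return $ case verifiedJWT of
 Left (_ :: Jose.JWTError) -> Nothing
 Right v -> case decodeJWT v of
 Left _ -> Nothing
-Right v' -> Just v'
+Right v' -> Just v'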
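Review bot: `keys <- validationKeys jwtCfg` is run before the token is decoded, so a request carrying a malformed or garbage bearer token still triggers the key lookup, which with the remote jwks_uri fetch this PR is meant to enable means one network call per junk token; previously the key set was only consulted once `Jose.decodeCompact` had succeeded. Moving the lookup inside the ExceptT after decoding keeps that ordering: `unverifiedJWT <- Jose.decodeCompact (BSL.fromStrict input)` followed by `keys <- liftIO $ validationKeys jwtCfg`, with the outer `keys <-` line dropped (liftIO was in scope for the removed line, so presumably still is unless this was its only use). Separately, the action now runs in plain IO, so any exception it throws escapes verifyJWT's `IO (Maybe a)` result rather than becoming `Nothing`; that is a reasonable choice for a fetch failure, but it is a change from the old pure path and should be stated on verifyJWT, e.g. `-- | Verify a compact JWT against the keys produced by 'validationKeys', which is run on every call; exceptions from that action propagate.` The final `Right v' -> Just v'` change looks whitespace-only.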
