Can JWT verify function use pem files to verify the signature

[beepdot]

io.jwt.verify_rs256(token, certificate) - Can we pass a file location to this function for the certificate argument?

I have a bunch of public keys and based on the kid, I would like to use a appropriate file for token verification.

In the below JWT header, I have a kid field "kid": "key1". I also have similarly named files on the system like /somepath/key1 which contains the public key contents.

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "key1"
}

I would like to do something like this
io.jwt.verify_rs256(token, /somepath/key1)

I am open to writing my own function also which can do this. Before that, I would like to hear from you folks.

[anderseknert]

Hi @keshavprasadms 👋

No, that function does not read certificates from disk. You'd need to either store them as part of OPA's in-memory data, in environment variables, or retrieve them from a remote endpoint. The latter solution is definitely them most common/idiomatic one, as exposing public keys via a JWKS endpoint is standardized. You can see examples of this in the docs on OAuth2 and OpenID Connect, though the principle of JWKS works just as well outside of those protocols.

[beepdot]

Thanks for the suggestion @anderseknert I got it working using it as a environment variable as we dont have a jwks endpoint at the moment.

[anderseknert]

Great!