node-jwks-rsa#expressJwtSecret: dynamic jwksUri?

ib-tfenright · June 12, 2023, 7:43pm

Hi there - I am using

auth0/node-jwks-rsa/blob/master/examples/express-demo/server.js

const Express = require('express');
const { expressjwt: jwt } = require('express-jwt');
const logger = require('debug')('express');
const { expressJwtSecret } = require('../../src');

const jwksHost = process.env.JWKS_HOST;
const audience = process.env.AUDIENCE;
const issuer = process.env.ISSUER;

// Initialize the app.
const app = new Express();
app.use(jwt({
  secret: expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 2,
    jwksUri: `${jwksHost}/.well-known/jwks.json`
  }),
  audience: audience,
  issuer: issuer,

This file has been truncated. show original

in conjunction with

on an express server to validate incoming JWTs using the kid passed in the JWT header and a jwks uri. That works fine when the jwks uri is hardcoded (via environment var or magic string), I can demonstrate that valid JWTs and various flavors of invalid (malformed, expired, from a different provider) JWT are handled appropriately.

However, my target use case is to have the jwks uri determined dynamically with information derived from the JWT and the request the JWT is attached to.

express-jwt#Params#secret can be a jwt.Secret or a GetVerificationKey with GetVerificationKey being a callback function. However, jwks-rsa#expressJwtSecret’s Options object specifies that jwksUri is a string - which leads me to believe that I can’t use jwks-rsa#expressJwtSecret for my use case, but I was able to use jwks-rsa#jwksClient to build out my own GetVerificationKey to use.

That being said, I’m pretty new to node and express - so I’m not sure if I’m missing something that will let me use the expressJwtSecret function for my case.

Let me know if more info is needed, and thank you!