funcool

A channel for discussing and asking questions about Funcool libraries https://github.com/funcool/
2018-02-13T13:43:11.000397Z

Hi, is there a good example for verifying a JWT token from another service, not signing one with/for a buddy backend? Thanks in advance.

mccraigmccraig 2018-02-13T13:52:32.000184Z

@juliobarros it's quite simple - https://gist.github.com/mccraigmccraig/e166277b8964f5562dd45937a60bebd3 (along with requires

[buddy.auth.middleware :refer [wrap-authentication]]
[buddy.auth.backends.token :as auth-token]
)

2018-02-13T13:54:51.000219Z

well … I’m not sure I fully understand this but … I’m exploring using Cognito. They give you a set of keys and you have to match the right one (if I understand it correctly) so/and I’m not sure I want to use the standard auth middleware but rather verify it myself.

mccraigmccraig 2018-02-13T14:03:12.000126Z

@juliobarros the wrap-authentication handler will verify the JWT signature and make the token assertions available in your request context as a map... you are then free to do any further validation you want

2018-02-13T14:04:56.000592Z

Thanks for trying to help me out. I think I need to explore this further. I don’t believe I have the secret (or it is not a constant) at the time I create the middleware … so I need to do something more flexible. Perhaps I should look at the middleware code to see how it is doing the verification.

mccraigmccraig 2018-02-13T14:09:21.000621Z

if you don't have the secret at middleware creation then i'd create a new auth backend using the existing one as a starting point, and adding in a secret-source or something https://github.com/funcool/buddy-auth/blob/master/src/buddy/auth/backends/token.clj#L35

2018-02-13T16:49:06.000062Z

I think what I need is more in line with JWK/JWKS, which is not supported yet, but there is a PR https://github.com/funcool/buddy-sign/pull/56