Hi, is there a good example for verifying a JWT token from another service, not signing one with/for a buddy backend? Thanks in advance.
@juliobarros it's quite simple - https://gist.github.com/mccraigmccraig/e166277b8964f5562dd45937a60bebd3 (along with requires
[buddy.auth.middleware :refer [wrap-authentication]]
[buddy.auth.backends.token :as auth-token])
Well … I’m not sure I fully understand this but … I’m exploring using Cognito. They give you a set of keys and you have to match the right one (if I understand it correctly), so I’m not sure I want to use the standard auth middleware but rather verify it myself.
@juliobarros the wrap-authentication handler will verify the JWT signature and make the token assertions available in your request context as a map... you are then free to do any further validation you want
Thanks for trying to help me out. I think I need to explore this further. I don’t believe I have the secret (or it is not a constant) at the time I create the middleware … so I need to do something more flexible. Perhaps I should look at the middleware code to see how it is doing the verification.
If you don't have the secret at middleware creation then I'd create a new auth backend using the existing one as a starting point, and adding in a secret-source or something: https://github.com/funcool/buddy-auth/blob/master/src/buddy/auth/backends/token.clj#L35
I think what I need is more in line with JWK/JWKS, which is not supported yet, but there is a PR: https://github.com/funcool/buddy-sign/pull/56