Consider recommending verification and decoding of JWTs in two separate steps
anderseknert opened this issue · comments
Anders Eknert commented
Although documented, even experienced users get confused by the default constraints (aud in particular) provided by io.jwt.decode_verify. I think we might want to consider recommending verifying and decoding as a two-step process, i.e.
Avoid

```rego
# Single call: verifies the signature and applies the built-in claim
# constraints (including the default aud handling) at the same time.
claims := payload {
    [valid, _, payload] := io.jwt.decode_verify("my_jwt_token", {"cert": "my certificate"})
    valid
}
```

Prefer

```rego
# Two steps: verify the RS256 signature first, then decode the payload.
# Note that io.jwt.decode performs no claim validation of its own.
claims := payload {
    io.jwt.verify_rs256("my_jwt_token", "my certificate")
    [_, payload, _] := io.jwt.decode("my_jwt_token")
}
```
Stephan Renatus commented
I generally agree, but we should also give examples of checking the nbf/exp, aud etc criteria from rego, then, maybe? Or at least call out the difference, and that you can't replace snippet 1 with snippet 2 and expect everything to be the same.
Anders Eknert commented
Yes, or even better, provide a library for that purpose :)
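The two-step pattern from the first comment, with the exp/nbf/aud/iss checks Stephan asks for written out in plain Rego, as an added example that is not code from this issue or from the OPA project. The package name, the `input.token` and `data.keys.rs256_public_key_pem` locations, and the expected audience and issuer values are placeholders for this example; `io.jwt.verify_rs256`, `io.jwt.decode` and `time.now_ns` are the real OPA builtins.

```rego
package jwt.twostep

# Placeholder values for this example; substitute your own audience and issuer.
expected_audience = "my-api"
expected_issuer = "https://issuer.example.com"

# Step 1: verify the signature only. io.jwt.verify_rs256 takes the token and a
# PEM-encoded certificate or public key and is true only for a valid RS256
# signature; it checks nothing about the claims.
signature_valid {
    io.jwt.verify_rs256(input.token, data.keys.rs256_public_key_pem)
}

# Step 2: decode the token, but only after the signature is verified.
# io.jwt.decode does no validation at all, so every claim check below is ours.
claims = payload {
    signature_valid
    [_, payload, _] := io.jwt.decode(input.token)
}

# exp and nbf are NumericDate values in seconds (RFC 7519), so convert
# time.now_ns() (nanoseconds) before comparing.
now_seconds = time.now_ns() / 1000000000

# exp is required here: a token with no expiry is rejected rather than
# treated as valid forever.
not_expired {
    now_seconds < claims.exp
}

# nbf is optional: if absent the token is usable immediately.
not_before_ok {
    not claims.nbf
}

not_before_ok {
    now_seconds >= claims.nbf
}

# aud may be a single string or an array of strings (RFC 7519 section 4.1.3).
# A token carrying an aud that does not name us is rejected; a token with no
# aud at all is also rejected, because claims.aud is then undefined.
audience_ok {
    claims.aud == expected_audience
}

audience_ok {
    claims.aud[_] == expected_audience
}

issuer_ok {
    claims.iss == expected_issuer
}

token_valid {
    not_expired
    not_before_ok
    audience_ok
    issuer_ok
}

default allow = false

allow {
    token_valid
}
```

Evaluate it with something like `opa eval -d policy.rego -d keys.json -i input.json 'data.jwt.twostep.allow'`, where `input.json` carries `{"token": "..."}` and `keys.json` supplies the PEM under `data.keys.rs256_public_key_pem`. Two design points worth keeping when adapting this: the policy deliberately fails closed on a missing `exp` or `aud` (those rules are simply undefined, so `token_valid` is undefined and `allow` falls back to `false`), and because the signature builtin is the RS256-specific one, the accepted algorithm is fixed by the policy rather than by the token's `alg` header.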