I'd like to add a feature to jwtinfo that allows specifying an optional JWKS URL to verify the token against.
Here's my thought about what it might look like:
jwtinfo --jwks=https://mydomain.us.auth0.com/ <token>
There are a couple different ways you could handle output/validation errors:
no stdout, print error to stderr and exit with a non-zero code
print data to stdout even if the token is invalid, print error to stderr, exit with non-zero code
In combination with Allow dumping both header and body #37, extend the output format of the "full" output to include extra keys including valid: bool and validationErrors: str[]
@lmammino interested in your thoughts about whether you'd accept a PR, and suggestions for shaping a reasonable CLI surface.
This is another feature I have been thinking about. In broader terms, supporting JWT validation could also cover other aspects beyond just the signature:
time validation
audience
issuer
other arbitrary claims
I haven't come to a conclusion on what would be a good UX for this, but most likely this could be a subcommand.
A very rough sketch could look like this:
jwtinfo validate \
[--jwks=<jwk_endpoint>] \
[--iss=<expected_issuer>] \
[--aud=<expected_audience>] \
[--ignore-time-validity] \ # to disable checks on timing constraints
[--check-claim=<"name:value">] \ # can be repeated multiple times
<token>
What do you think?
In terms of outputs, it would be nice to have detailed failure messages (why the validation failed).
For success: status code 0 and a simple message "the token is valid" could do...
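Added example, not part of the thread and not jwtinfo's code: a Python sketch of the claim checks behind the proposed `validate` flags, returning the `valid` / `validationErrors` shape suggested in the issue and reporting every failure rather than only the first. It assumes signature verification against the JWKS has already succeeded and does not perform it; `decode_claims`, `validate_claims` and `sample_token` are hypothetical names, and comparing `--check-claim` values as text is an assumption.

```python
import base64, json, time

def decode_claims(token):
    """Decode the payload segment of a compact JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def validate_claims(token, iss=None, aud=None, check_claims=(), ignore_time_validity=False, now=None):
    """Run every requested check and report all failures, not just the first."""
    try:
        claims = decode_claims(token)
    except ValueError as err:  # also covers base64 and JSON decoding errors
        return {"valid": False, "validationErrors": [f"malformed token: {err}"]}
    errors = []
    now = time.time() if now is None else now
    if iss is not None and claims.get("iss") != iss:
        errors.append(f"iss: expected {iss!r}, got {claims.get('iss')!r}")
    if aud is not None:
        got = claims.get("aud")
        audiences = [got] if isinstance(got, str) else got  # aud may be a string or a list
        if not isinstance(audiences, list) or aud not in audiences:
            errors.append(f"aud: {aud!r} not in {got!r}")
    if not ignore_time_validity:
        for name, passes, why in (("exp", lambda v: now < v, "token has expired"),
                                  ("nbf", lambda v: now >= v, "token is not valid yet")):
            value = claims.get(name)
            if value is None:
                continue  # both claims are optional in RFC 7519
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                errors.append(f"{name}: {value!r} is not a numeric date")
            elif not passes(value):
                errors.append(f"{name}: {why}")
    for spec in check_claims:  # each item mirrors one --check-claim="name:value"
        name, _, expected = spec.partition(":")
        actual = claims.get(name)
        actual_text = actual if isinstance(actual, str) else json.dumps(actual)
        if name not in claims or actual_text != expected:
            errors.append(f"{name}: expected {expected!r}, got {actual!r}")
    return {"valid": not errors, "validationErrors": errors}

def sample_token(claims):  # constructed, unsigned demo input with a placeholder signature
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"
```

A CLI wrapper would map `valid` to the exit code and print `validationErrors` to stderr, matching the output options listed in the issue.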