Resolves #53 Smarter handling of keys marked for use with encryption

[trevorlyman]

With this pull request, jwks now filters out all JWKs that are explicitly marked for use with encryption operations. Only keys with a "use": "enc" are affected. Keys without a "use" value are not filtered as per the RFC.

This is a somewhat harsh approach to enforcing correct key usage, but this package is currently focused around aiding with signature verification.

[MicahParks]

Thank you for the PR! I'll review it tonight or tomorrow.

[MicahParks]

As a note, JWTs in general have a valid use case for JWK whose use is enc. Here's a portion of a relevant RFC explaining a valid use case. However, my current thinking is JSON Web Keys that are used for encryption shouldn't be relevant for this project, because this project is a helper package for github.com/golang-jwt/jwt/v4, and that project does not support JWT encryption. See this section of their README.md. At least, that is my current understanding. If there is a current or future use case for JWK whose use is enc for this project, it's important that we identify that and work in a compatible way towards that before merging this PR.

Relevant links:

• PR: JWE Support golang-jwt/jwt#220 (comment)
• Issue: Add support for encryption (RFC7516) golang-jwt/jwt#67

[MicahParks]

Thank you for the high quality PR and discussion @trevorlyman! This contribution is much appreciated. I'll believe I'll be merging this PR shortly. I plan on making a few edits before tagging the next release.

[trevorlyman]

Great! Glad to see this addition get made so we adhere more closely to the RFC 🤓

[MicahParks]

@trevorlyman

When merging there were three options:

1. Merge via merge commit.
2. Squash and merge.
3. Rebase and merge.

I wanted to make sure you ended up on the contributors page, so I selected the rebase and merge option. However, I think it had the opposite effect. I think I should have used the first option, the merge commit. I'm really sorry about that. I want you to get credit for your work here in a way that's easily viewable by someone visiting the project/contributors page.

I'm putting a few things from the list of edits I have yet to do before the next release. If you'd like to, you could make a quick and easy PR for anything below and I'll merge it using the correct option to get you on the contributors page.

1. Rename AllowedJWKUses to JWKUseWhitelist
2. Add a new field to keyfunc.Options. A bool, JWKUseNoWhitelist, which will override the default behavior and the JWKUseWhitelist field to allow any value for a JWK use parameter.
3. Rename a local variable, parsedKey, so it does not shadow a type's name.
4. Rename ErrJWKUse to ErrJWKUseWhitelist.
5. In TestReadOnlyKeys change []uint8 to []byte and move/remove the continue.

[trevorlyman]

Thanks for noticing that issue. I would like to show as a contributor. Looks like the whole contribution was attributed to your account. If you're up for reverting those rebase commits I'm happy to submit the same PR again.

If that's not an option I'll make one of the changes you mentioned above.

[MicahParks]

If you're up for reverting those rebase commits I'm happy to submit the same PR again.

I'll do this now.

[MicahParks]

Done reverting. You should be able to submit the same PR again.

Thank you for contributing!

[MicahParks]

Looks like the commits from when I merged with the rebase and merge method do show up on your profile for contributions to this project: https://github.com/MicahParks/keyfunc/commits?author=trevorlyman

I'm including this for anyone whose searching for if the rebase and merge method adds a new contributor to your repository because this is something I searched for a few hours ago.