Offline JWT Validation with openid-client

[DoisKoh]

Hello, does the library support offline JWT validation or is it beyond the scope of this? It just seems like it makes a lot of sense - I presumed it would be able to but I can't find the function in the documentation.

It looks like I'd have to get the JWKS myself from the Issuer.metadata.jwks_uri and use it to validate access tokens myself with some other library... I'd just like to confirm if that's the case or if I'm misunderstanding something. Thanks!

[panva]

Nothing of the sort is in this library. All JWTs that need to be validated by the client are getting validated as they're received. Whatever other flows you need to deal with yourself.

Are you looking for something like this?

import * as jose from 'jose';

const JWKS = jose.createRemoteJWKSet(new URL(issuer.metadata.jwks_uri))

const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS, {
  issuer: 'urn:example:issuer',
  audience: 'urn:example:audience',
})

Or truly offline, where you get the JWK Set value, save it locally and then

import * as jose from 'jose';

const JWKS = jose.createLocalJWKSet({
  keys: [
    {
      // ...
    },
    {
      // ...
    },
    // ...
  ],
})

const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS, {
  issuer: 'urn:example:issuer',
  audience: 'urn:example:audience',
})
console.log(protectedHeader)
console.log(payload)

[DoisKoh]

Yea, I'll just do that then... I was planning to use jsonwebtoken, just wanted to confirm if I was misunderstanding anything because it seemed like naturally an OIDC Client would be able to handle it (but admittedly, I'm not all that familiar OIDC and what's appropriate. I remember seeing your comment in another discussion about not exposing functions meant for resource servers etc.)

Thanks!

[panva]

Use whatever works best for you.