Support for JWT with JWKS

[qoomon]

What is the feature you are proposing?

currently the jwt middleware requires a static secret value, however in my use case (see below) it's not a static secret instead it is retrieved from an JWKS. Therefore it would be nice if the jwt middleware also support an async function(payload: any) : string as secret parameter.

Use Case:

I'm working on a server endpoint that is called by GitHub actions to authenticate I'm using the Github Actions OIDC tokens.

Currently I'm using my own middleware by using fast-jwt with get-jwks like this

import {createVerifier, DecodedJwt, KeyFetcher} from 'fast-jwt'
import buildJwks from 'get-jwks'

const jwks = buildJwks({providerDiscovery: true})
const keyFetcher: KeyFetcher = async (jwt: DecodedJwt) => jwks.getPublicKey({
  kid: jwt.header.kid,
  alg: jwt.header.alg,
  domain: jwt.payload.iss,
})

const jwtVerifier = createVerifier({
  key: keyFetcher,
})

app.use(async (c, next) => {
  // ... get jwtTokenString value
  await jwtVerifier(jwtTokenString)
  // ... handle verification errors
  await next()
})

however it would be nice if I can switch to an official middleware.

[qoomon]

probably related to #672

[sparanoid]

Apple Music API also needs kid header which is not compatible with current jwt middleware:

expected headers and payload:

{
     "alg": "ES256",
     "kid": "ABC123DEFG"
}
{
     "iss": "DEF123GHIJ",
     "iat": 1437179036,
     "exp": 1493298100
}

actual:

{
     "alg": "ES256",
     "typ": "JWT"
}
{
     "iss": "DEF123GHIJ",
     "iat": 1437179036,
     "exp": 1493298100
}

[maxpetretta]

also have need for kid in headers, only reason i have to stick with a separate jwt library now

[ngdbao]

It's better if we can custom header before signing jwt