Joken JWKS version 2.0 #43

Open
victorolinasc opened this issue Mar 31, 2023 · 1 comment
@victorolinasc
Collaborator

This library is currently around 5 years old, and not only has my understanding of the environment and language hopefully evolved, but the uses of JWKS and the understanding of the spec itself are also better nowadays. So, I think it is time we discuss a bit about a 2.0 version.

Current breaking issues are:

These have to be tackled either way (breaking or not).

Some others I think are important:

  • JWKS claims like certificate thumbprints are increasingly important for security
    • This has mainly x5t and x5c claims as targets
  • Better HTTP configuration would also have helped avoid needing to release new versions
  • More observability would also help here (not only HTTP events per se but also cache events, for example)
  • Better guides and documentation examples (many issues were opened about that in the past)
  • More options to re-trigger fetching (like cache expiration, as mentioned in "Have the default fetcher implementation respect caching headers" #35)

I will have time to work on these in May. If anybody has any other issues that they would like to see added here, please join the discussion :)

@victorolinasc added the "enhancement" (New feature or request) and "help wanted" (Extra attention is needed) labels Mar 31, 2023
@victorolinasc self-assigned this Mar 31, 2023
@victorolinasc
Collaborator Author

We are about a year past this... unfortunately a few things happened that pushed me away a bit from the OSS work... changed jobs, lived abroad for a while, currently working with a different stack... in the meantime also a sad thing happened. I had a working version of a pure Elixir JWT library that I stupidly lost in a switch of machines...

So, all in all, just wanted to let people know that I am slowly regaining time to rework my way through these discussions and will re-code a pure Elixir version of a JWT library... it will take time but key validation through x509 will be built-in (with an additional optional dep of x509 of course...).

After that I hope to come back to a 2.0 version of jwks. In the meantime I will probably release a new version with the new process structure currently in master.

For anyone watching this issue, thanks for your patience! OSS is rewarding in many ways but I can't live off of it for now, so I have to make do with the little spare time here (but I plan on becoming a Linux kernel developer for retirement... that is still some decades away hopefully...).

I am still looking at all issues and if any nasty one appears I try to make some room to help and not let this get stuck.
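One check related to the x5t/x5c item in the issue description and the x509 key validation mentioned in the follow-up comment, as an added example that is not code from Joken or JokenJwks: it confirms that a JWK's `x5t` and `x5t#S256` members match the first certificate in its `x5c` chain, as RFC 7517 defines them. The module name, function names and error atoms are hypothetical, and the sample key is constructed.

```elixir
defmodule JwkThumbprintCheck do
  @moduledoc """
  Added example (not Joken/JokenJwks code): checks that a JWK's `x5t` and
  `x5t#S256` members match the first certificate in its `x5c` chain.
  """

  # RFC 7517: x5c entries are standard base64 DER; x5t / x5t#S256 are
  # base64url (unpadded) SHA-1 / SHA-256 digests of that DER.
  @thumbprints [{"x5t", :sha}, {"x5t#S256", :sha256}]

  @spec check(map()) :: :ok | {:error, term()}
  def check(%{"x5c" => [leaf_b64 | _]} = jwk) when is_binary(leaf_b64) do
    case Base.decode64(leaf_b64) do
      {:ok, der} -> compare(jwk, der)
      :error -> {:error, :invalid_x5c_encoding}
    end
  end

  # A key that advertises a thumbprint but ships no chain cannot be checked here.
  def check(jwk) when is_map(jwk) do
    if Enum.any?(@thumbprints, fn {name, _} -> Map.has_key?(jwk, name) end),
      do: {:error, :thumbprint_without_x5c},
      else: :ok
  end

  defp compare(jwk, der) do
    Enum.reduce_while(@thumbprints, :ok, fn {name, alg}, :ok ->
      expected = Base.url_encode64(:crypto.hash(alg, der), padding: false)

      case Map.fetch(jwk, name) do
        :error -> {:cont, :ok}
        {:ok, ^expected} -> {:cont, :ok}
        {:ok, _} -> {:halt, {:error, {:thumbprint_mismatch, name}}}
      end
    end)
  end
end

# Constructed sample: the "certificate" is placeholder bytes, not a real X.509 cert.
der = "constructed-der-bytes"
x5t = Base.url_encode64(:crypto.hash(:sha, der), padding: false)
jwk = %{"kty" => "RSA", "kid" => "example", "x5c" => [Base.encode64(der)], "x5t" => x5t}

:ok = JwkThumbprintCheck.check(jwk)
{:error, {:thumbprint_mismatch, "x5t"}} = JwkThumbprintCheck.check(%{jwk | "x5t" => "AAAA"})
{:error, :thumbprint_without_x5c} = JwkThumbprintCheck.check(Map.delete(jwk, "x5c"))
```

This only checks that the thumbprints and the chain agree with each other; confirming that the certificate's public key matches the JWK's key material, or that the chain is trusted, needs an X.509 parser.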
