Skip to main content
Deno 2 is finally here 🎉️
Learn more
Module

x/jose/jwks/remote.ts>createRemoteJWKSet

"JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes.
panva/jose
Extremely Popular
Go to Latest
function createRemoteJWKSet
import { createRemoteJWKSet } from "https://deno.land/x/jose@v4.13.0/jwks/remote.ts";

Returns a function that resolves to a key object downloaded from a remote endpoint returning a JSON Web Key Set, that is, for example, an OAuth 2.0 or OIDC jwks_uri. The JSON Web Key Set is fetched when no key matches the selection process but only as frequently as the cooldownDuration option allows to prevent abuse.

It uses the "alg" (JWS Algorithm) Header Parameter to determine the right JWK "kty" (Key Type), then proceeds to match the JWK "kid" (Key ID) with one found in the JWS Header Parameters (if there is one) while also respecting the JWK "use" (Public Key Use) and JWK "key_ops" (Key Operations) Parameters (if they are present on the JWK).

Only a single public key must match the selection process. As shown in the example below when multiple keys get matched it is possible to opt-in to iterate over the matched keys and attempt verification in an iterative manner.

Examples

Usage

const JWKS = jose.createRemoteJWKSet(new URL('https://www.googleapis.com/oauth2/v3/certs'))

const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS, {
  issuer: 'urn:example:issuer',
  audience: 'urn:example:audience',
})
console.log(protectedHeader)
console.log(payload)

Opting-in to multiple JWKS matches using createRemoteJWKSet

const options = {
  issuer: 'urn:example:issuer',
  audience: 'urn:example:audience',
}
const { payload, protectedHeader } = await jose
  .jwtVerify(jwt, JWKS, options)
  .catch(async (error) => {
    if (error?.code === 'ERR_JWKS_MULTIPLE_MATCHING_KEYS') {
      for await (const publicKey of error) {
        try {
          return await jose.jwtVerify(jwt, publicKey, options)
        } catch (innerError) {
          if (innerError?.code === 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED') {
            continue
          }
          throw innerError
        }
      }
      throw new jose.errors.JWSSignatureVerificationFailed()
    }

    throw error
  })
console.log(protectedHeader)
console.log(payload)

Type Parameters

optional
T extends KeyLike = KeyLike

Parameters

url: URL

URL to fetch the JSON Web Key Set from.

optional
options: RemoteJWKSetOptions

Options for the remote JSON Web Key Set.