Support for JWTs signed by private keys #1017

Open
plambrechtsen opened this issue May 8, 2019 · 4 comments
Labels
enhancement evaluation needed proposal needs to be validated or tested before fully implementing it in k6 feature

Comments

@plambrechtsen

I would like to see the ability to create signed JWTs as part of an OAuth flow using a Private Key instead of a shared secret.
There is already a sample to generate JWTs using HS256, which is a SHA256 signed value of the header and payload.
As part of Issue 900 support for X509 certificates is being added and it would be ideal if support for public/private key signing algorithms for JWTs was also added.
This should include:

  • RS256/384/512 (Standard RSA)
  • PS256/384/512 (RSA-PSS)
  • EC256/384/512 (Elliptic curve)

There is already support for these in two different node libraries that can generate a full signed JWT.

I think the most sensible approach is to allow developers to pass their own built JWT values inside JS code and just have the signing function in Go.

Similar to how the existing jwt.go sample works. Passing the certificate as an *key object if you follow what jwt-go is doing. If you have a look through https://github.com/dgrijalva/jwt-go/blob/master/rsa.go you get the idea.

@na-- na-- added enhancement evaluation needed proposal needs to be validated or tested before fully implementing it in k6 feature labels May 9, 2019
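
As an added illustration (not part of the issue, k6, or jwt-go), the split proposed in the opening comment, where the script builds the header and payload and Go only signs, could look like this with the Go standard library. `SignJWT`, `VerifyJWT`, `algs` and `demoKey` are hypothetical names, the key and claims are constructed, and only RS256 and PS256 are covered.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url
var algs = map[string]crypto.SignerOpts{ // JWS alg name -> RSA scheme over SHA-256
	"RS256": crypto.SHA256, // RSASSA-PKCS1-v1_5
	"PS256": &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256},
}

// SignJWT (hypothetical name, not a k6 or jwt-go API) signs caller-built header and payload JSON.
func SignJWT(alg string, header, payload []byte, key *rsa.PrivateKey) (string, error) {
	opts, ok := algs[alg]
	if !ok {
		return "", errors.New("unsupported alg: " + alg)
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := key.Sign(rand.Reader, digest[:], opts)
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyJWT uses the algorithm the caller expects, never one read from the token header.
func VerifyJWT(alg, token string, pub *rsa.PublicKey) error {
	i := strings.LastIndex(token, ".")
	sig, err := b64.DecodeString(token[i+1:])
	if i < 0 || err != nil {
		return errors.New("malformed token")
	}
	digest := sha256.Sum256([]byte(token[:i]))
	if o, ok := algs[alg].(*rsa.PSSOptions); ok {
		return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, o)
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key
func main() {
	tok, _ := SignJWT("PS256", []byte(`{"alg":"PS256","typ":"JWT"}`), []byte(`{"sub":"vu-1"}`), demoKey)
	println(tok, VerifyJWT("PS256", tok, &demoKey.PublicKey) == nil)
}
```

A token signed as RS256 fails verification when the caller expects PS256 and vice versa, which is why `VerifyJWT` takes the algorithm as an argument.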
@damnhandy

I would not limit this to JWT only, but also provide full JOSE support. We use JSON Web Encryption for some of our APIs, in addition to JSON Web Tokens, thus making k6 unusable for us at the moment. While there are a few great JOSE NPMs for Node and some JOSE libraries for the browser, none of these will work with k6 due to the fact that they are different runtimes.

@mstoykov
Contributor

mstoykov commented May 12, 2020

Hi @damnhandy, this will likely get more traction once we once again start working on our crypto support. You can read more about why we stopped doing so and possibly use this gist made by @robingustafsson that implements JWT with the current k6/crypto.

As mentioned by @na-- in the other issue you will be able to probably use plugins ... soon ™️ which will also make it easier to experiment and develop a better API :D

@damnhandy

@mstoykov so that could work, but our process doesn't work with JWTs, but rather JSON Web Encrypted (JWE) payloads. And it also relies on asymmetric keys. The browser will load a JSON Web Keyset, select a key, and encrypt the payload using one of the keys in the JWKS.

@oleiade
Member

oleiade commented Oct 12, 2023

Hi folks 👋🏻

We now have an experimental k6/experimental/webcrypto module, where we intend to implement JWK support as per the specification of the WebCrypto API.

I think it would be a good idea to bring this discussion and potential contributions around this topic directly to the xk6-webcrypto repository. See the dedicated issue tracking the JWK implementation.


7 participants