ory · aeneasr · Dec 28, 2023 · Dec 27, 2023 · Dec 28, 2023
@@ -6,6 +6,8 @@
 import (
 	"context"
 
+	"github.com/ory/hydra/v2/jwk"
+
 	"github.com/spf13/cobra"
 
 	hydra "github.com/ory/hydra-client-go/v2"
@@ -46,12 +48,20 @@
 				return cmdx.PrintOpenAPIError(cmd, err)
 			}
 
+			if flagx.MustGetBool(cmd, "public") {
+				jwks.Keys, err = jwk.OnlyPublicSDKKeys(jwks.Keys)
+				if err != nil {
+					return err
+				}
+			}
+
 			cmdx.PrintTable(cmd, &outputJSONWebKeyCollection{Keys: jwks.Keys, Set: args[0]})
 			return nil
 		},
 	}
-	cmd.Root().Name()
+
 	cmd.Flags().String(alg, "RS256", "The algorithm to be used to generated they key. Supports: RS256, RS512, ES256, ES512, EdDSA")
 	cmd.Flags().String(use, "sig", "The intended use of this key. Supports: sig, enc")
+	cmd.Flags().Bool("public", false, "Only return public keys")
 	return cmd
 }
@@ -33,4 +33,12 @@ func TestCreateJWKS(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, expected.Keys[0].KeyID, actual.Get("keys.0.kid").String())
 	})
+
+	t.Run("case=gets jwks public", func(t *testing.T) {
+		set := uuid.Must(uuid.NewV4()).String()
+		actual := gjson.Parse(cmdx.ExecNoErr(t, c, set, "--use", "enc", "--alg", "RS256", "--public"))
+
+		assert.NotEmptyf(t, actual.Get("keys.0.kid").String(), "Expected kid to be set but got: %s", actual.Raw)
+		assert.Empty(t, actual.Get("keys.0.p").String(), "public key should not contain private key components: %s", actual.Raw)
+	})
 }
@@ -6,20 +6,28 @@
 import (
 	"github.com/spf13/cobra"
 
+	"github.com/ory/hydra/v2/jwk"
+	"github.com/ory/x/flagx"
+
 	"github.com/ory/hydra/v2/cmd/cliclient"
 	"github.com/ory/x/cmdx"
 )
 
 func NewGetJWKSCmd() *cobra.Command {
-	return &cobra.Command{
+	cmd := &cobra.Command{
 		Use:     "jwk set-1 [set-2] ...",
 		Aliases: []string{"jwks"},
 		Args:    cobra.MinimumNArgs(1),
 		Short:   "Get one or more JSON Web Key Set by its ID(s)",
 		Long:    `This command gets all the details about an JSON Web Key. You can use this command in combination with jq.`,
-		Example: `To get the JSON Web Key Set's secret, run:
+		Example: `To get the JSON Web Key Set's use, run:
+
+	{{ .CommandPath }} <set-id> | jq -r '.[].use'
 
-	{{ .CommandPath }} <set-id> | jq -r '.[].use'`,
+To get the JSON Web Key Set as only public keys:
+
+	{{ .CommandPath }} --public <set-id>'
+`,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			m, _, err := cliclient.NewClient(cmd)
 			if err != nil {
@@ -36,6 +44,13 @@
 				sets.Keys = append(sets.Keys, key.Keys...)
 			}
 
+			if flagx.MustGetBool(cmd, "public") {
+				sets.Keys, err = jwk.OnlyPublicSDKKeys(sets.Keys)
+				if err != nil {
+					return err
+				}
+			}
+
 			if len(sets.Keys) == 1 {
 				cmdx.PrintRow(cmd, outputJsonWebKey{Set: args[0], JsonWebKey: sets.Keys[0]})
 			} else if len(sets.Keys) > 1 {
@@ -45,4 +60,6 @@
 			return nil
 		},
 	}
+	cmd.Flags().Bool("public", false, "Only return public keys")
+	return cmd
 }
@@ -17,7 +17,7 @@ import (
 	"github.com/ory/x/cmdx"
 )
 
-func TestGetJwks(t *testing.T) {
+func TestGetJWKS(t *testing.T) {
 	ctx := context.Background()
 	c := cmd.NewGetJWKSCmd()
 	reg := setup(t, c)
@@ -34,4 +34,16 @@ func TestGetJwks(t *testing.T) {
 
 		assert.Equal(t, expected.Keys[0].KeyID, actual.Get("kid").String())
 	})
+
+	t.Run("case=gets jwks public", func(t *testing.T) {
+		actual := gjson.Parse(cmdx.ExecNoErr(t, c, set, "--public"))
+
+		expected, err := reg.KeyManager().GetKeySet(ctx, set)
+		require.NoError(t, err)
+
+		assert.Equal(t, expected.Keys[0].KeyID, actual.Get("kid").String())
+
+		assert.NotEmptyf(t, actual.Get("kid").String(), "Expected kid to be set but got: %s", actual.Raw)
+		assert.Empty(t, actual.Get("p").String(), "public key should not contain private key components: %s", actual.Raw)
+	})
 }