I saw that #1674 now provides an end-point to expose JWT. My understanding is that if I send the following HTTP request
GET https://{supabase_project}.supabase.co/auth/v1/.well-known/jwks.json
Content-Type: application/json
apikey: {anonkey}
I should get back a JWK that I can use in my REST API for auth checking as a public key location (i.e. https://quarkus.io/guides/security-jwt). However, I get
Did I misunderstand this PR? Thank you. Also, is it actually safe to have the JWK exposed by public URL that is accessible via anonkey? I'm pretty new to HS256 auth and haven't quite wrapped my mind around it yet.
To Reproduce
See above.
Expected behavior
Get JWK JSON.
Thank you.
Hi @jfslin, the symmetric secret (HS256) will never be exposed in the JWKs endpoint. We're in the midst of adding asymmetric key support, so at some point soon, we'll be able to offer that as a configuration option in the platform. When an asymmetric key is used, you'll be able to see the public key reflected as a JWK in the JWKs endpoint.
This is safe because the public key is used for verifying the JWT, which is signed by the private key (not exposed at all).
Hi, I'd like to jump on the same question. I need a jwks endpoint to connect a PowerSync service to supabase. I was also under the assumption that I would receive more than an empty array at this endpoint. Am I using the wrong endpoint @kangmingtay ?