Support loading jwk from json

[kleinmrk]

This MR enables loading keys from json to jwk objects. It also adds an interface to the verifier class which accepts such keys and uses them as appropriate, based on the kid and alg claims, during token verification.

So far only RSA and oct keys can be loaded from json to jwk

• RSA keys
• EC keys
• oct keys (HMAC)

[kleinmrk]

This is still just a draft, there is much to do regarding error handling (currently I just lazily throw std::runtime_error all over the place) but I would be happy to hear your feedback, whether this PR goes the right direction.

[Thalhammer]

I added a bunch of small nitpicks and one thing I really think we should change.
One of jwt-cpp's strengths has been that its trivial to add custom algorithms and this has indeed been used in academics to research new ones.
The jwks part doesn't take that into account at all. While I get that the set of algorithms currently allowed in jwks is fixed, it might be useful to provide a way to add custom ones for research or if someone needs support of future algorithms before we add it.

Apart from that I have no major complains. Obviously documentation is non existant yet, but thats fine for a draft, just something we should keep an eye on before finishing it.

EDIT: Macos and no base seems to fail, so we need to take the user provided base64 function into account.

[Thalhammer]

Key should definitly have some additional introspection methods, is it an async key ? if so rsa ? or ecdsa, what size ?
I think you get the point.

[Thalhammer]

I think rather than the EVP_PKEY algorithms should take the key structure above, in order to reduce typing for the user and providing a nicer interface.

[Thalhammer]

This is a problem. The entire point of the algorithm support we used to have is to easily allow user defined algorithms, either for researching new ones or adding support for custom ones. A global list of algorithms doesn't really work out for that.

[Thalhammer]

Same issue as above with supported_alg.

[Thalhammer]

I know this is my own code, but since we are already at changing it, this would be better:

auto alg = algs.find(algo);
if(alg == algs.end()) {
      ec = error::token_verification_error::wrong_algorithm;
      return;
}
alg->second->verify(data, sig, ec);

Prevents the duplicate lookup.

[Thalhammer]

auto is your friend

[kleinmrk]

@Thalhammer

One of jwt-cpp's strengths has been that its trivial to add custom algorithms and this has indeed been used in academics to research new ones.
The jwks part doesn't take that into account at all. While I get that the set of algorithms currently allowed in jwks is fixed, it might be useful to provide a way to add custom ones for research or if someone needs support of future algorithms before we add it.

I looked into how to make it possible to extend JWKs by custom algorithm and I ended up exposing algo_base and algo structures so the users can register their own algorithms like this. I don't know whether this is acceptable but I am out of other ideas. If you don't like the approach then please stop me now :D

[prince-chrismc]

Please use make_unique

[prince-chrismc]

A lot of code moved so the diff is very confusing. It hard to tell what is new 🙊