Allows IO in validation keyset #169
base: master
data JWTSettings | ||
= JWTSettings | ||
{ -- | Key used to sign JWT. | ||
signingKey :: Jose.JWK, |
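Review bot: The doc comment on `signingKey` says only "Key used to sign JWT." and the field is a plain `Jose.JWK`, so a `JWTSettings` value cannot be built without a signing key. The comment should state everything this key signs and what a caller that only validates tokens with public keys is expected to put here, so that a placeholder key is a documented choice rather than a guess.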
In the Okta or Auth0 case, we wouldn't have a signing key. We can only validate using public keys. Should this signing key always be required? We could make a dummy one, of course...
Yeah, it's a perpetual awkwardness of this library. The signing key is used for cookies (since those are also JWTs). There is sometimes an advantage to having it, since you can store data that's different than whatever you got during login, but it's really annoying to make it (and cookies) optional.
Fair enough! Thanks again for working on this.
Any progress on this? I think this approach is a good one and thanks for working on it @jkarni
Fixes #153
I still want to try this out before merging. Note that it also should follow #168.