Feature or Problem

While implementing a Secrets backend for wasmCloud/wasmCloud#2190, we landed on JWTs as the authentication mechanism, and since we have nkeys readily available, it would be nice to use them for signing the JWTs.

However, to make it easier on the platform operators, we are not going to require them to provide a static list of the possible public keys used for signing, but instead provide a JWKS endpoint that'll host a list of the public nkeys used to sign the JWT.

It turns out it's pretty straight forward to convert an nkey into a JWK, which is why I thought it would be nice to add as a feature to this crate for other folks to use as well.

cc @protochron

Related Issues

Release Information

Consumer Impact

Testing

Unit Test(s)

Acceptance or Integration

Manual Verification

I validated locally using jose-util from the go-jose project that the keys generated with the new JsonWebkey struct, based on a pre-existing nkey, can be used to sign (with seed) and verify (with public key) payloads correctly:

# Using jose-util built from the main branch (i.e. v4)
$ echo "test message v4" > msg-v4.txt
$ jose-util sign -alg EdDSA -key private.jwk.json -in msg.txt -out signed-msg-v4.txt
$ jose-util verify -key public.jwk.json -in signed-msg-v4.txt
test message v4

# Using jose-util built from the v3.0.3 branch
$ echo "test message v3" > msg-v3.txt
$ jose-util sign --alg=EdDSA --key=private.jwk.json --in=msg-v3.txt > signed-msg-v3.txt
$ jose-util verify --key=public.jwk.json --in=signed-msg-v3.txt
test message v3