Commit 9af0b71

Update documentation
1 parent 323ffc1 commit 9af0b71

File tree

1 file changed

+4
-21
lines changed

README.md

+4-21
@@ -647,24 +647,6 @@ rescue JWT::DecodeError
647647
end
648648
```
649649

650-
### X.509 certificate thumbprint in x5t header
651-
652-
A JWT signature can be verified using a certificate thumbprint given in the `x5t` or `x5t#S256` header.
653-
The thumbprint is a base64url-encoded SHA-1 (or SHA256) hash of the DER encoding of an X.509 certificate.
654-
The verification process involves matching this thumbprint against a set of trusted certificates.
655-
656-
```ruby
657-
# Load your trusted certificates
658-
certificates = [OpenSSL::X509::Certificate.new(File.read('cert.pem'))]
659-
660-
# Decode a JWT with x5t verification
661-
begin
662-
JWT.decode(token, nil, true, { x5t: { certificates: certificates } })
663-
rescue JWT::DecodeError
664-
# Handle error, e.g. no certificate matches the x5t thumbprint
665-
end
666-
```
667-
668650
## JSON Web Key (JWK)
669651

670652
JWK is a JSON structure representing a cryptographic key. This gem currently supports RSA, EC, OKP and HMAC keys. OKP support requires [RbNaCl](https://github.com/RubyCrypto/rbnacl) and currently only supports the Ed25519 curve.
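Review bot: The deleted section was the only documentation of the `x5t: { certificates: certificates }` decode option and of how the thumbprint is matched against trusted certificates, and nothing in this hunk replaces it. If that option still exists, its description (base64url SHA-1 or SHA-256 of the DER certificate, matched against a trusted set) should survive somewhere in the README; if the option was removed, the commit message "Update documentation" understates the change and a short migration note for callers of `JWT.decode(token, nil, true, { x5t: { certificates: certificates } })` would be appropriate.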
@@ -692,13 +674,14 @@ algorithms = jwks.map { |key| key[:alg] }.compact.uniq
692674
JWT.decode(token, nil, true, algorithms: algorithms, jwks: jwks)
693675
```
694676

695-
The `jwks` option can also be given as a lambda that evaluates every time a kid is resolved.
677+
The `jwks` option can also be given as a lambda that evaluates every time a key identifier is resolved.
696678
This can be used to implement caching of remotely fetched JWK Sets.
697679

698-
If the requested `kid` is not found from the given set the loader will be called a second time with the `kid_not_found` option set to `true`.
680+
Key identifiers can be specified using `kid`, `x5t` or `x5c` header parameters.
681+
If the requested identifier is not found from the given set the loader will be called a second time with the `kid_not_found` option set to `true`.
699682
The application can choose to implement some kind of JWK cache invalidation or other mechanism to handle such cases.
700683

701-
Tokens without a specified `kid` are rejected by default.
684+
Tokens without a specified key identifier (`kid`, `x5t` or `x5c`) are rejected by default.
702685
This behaviour may be overwritten by setting the `allow_nil_kid` option for `decode` to `true`.
703686

704687
```ruby
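Review bot: The new sentence "Key identifiers can be specified using `kid`, `x5t` or `x5c` header parameters." leaves unstated how `x5c`, which carries a certificate chain rather than an identifier, is turned into a lookup value for the JWK Set, and whether the loader receives it under the same `kid` key; a sentence spelling out the derived value (for example a certificate thumbprint) would remove the ambiguity. The surrounding text also keeps the option names `kid_not_found` and `allow_nil_kid` while now speaking of a generic "key identifier", so it should say explicitly that both options apply to tokens identified by `x5t` or `x5c` as well, and that these header values are used only to select a key from the trusted set, never to trust an embedded certificate on its own.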
