chore: add jwks.json #294
Merged
chore: add jwks.json #294
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Kevin Cui <bh@bugs.cc>
Summary by CodeRabbit
Walkthrough新增两个静态 JWKS 文件于 static/.well-known/ 目录:分别为开发用 dev-jwks.json 与生产/默认用 jwks.json,均包含单个 RSA 公钥条目。未涉及代码或公开接口改动。 Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Pre-merge checks✅ Passed checks (2 passed)
Comment |
Deploying oomol-com with
|
| Latest commit: |
41e39a0
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://367846ea.oomol-com.pages.dev |
| Branch Preview URL: | https://add-jwks.oomol-com.pages.dev |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (2)
static/.well-known/jwks.json (1)
1-12: 提前规划无缝密钥轮换与缓存控制
- 轮换建议:在 JWKS 中同时发布“当前密钥+新密钥”,先让验证端预热新
kid,再切换签发端使用新kid,最后移除旧钥,避免验证失败。- 缓存:为
/.well-known/jwks.json设置合理Cache-Control(如public, max-age=300)并提供ETag,平衡流量与切换时效。- MIME:确保静态服务返回
application/jwk-set+json(若做不到,application/json也可接受)。static/.well-known/dev-jwks.json (1)
1-12: static/.well-known/dev-jwks.json 已验证 — 建议(可选)
- 验证结果:必备字段存在;未包含私钥参数(d/p/q/dp/dq/qi/oth);RSA modulus = 2048 位。
- 建议(可选):
- 在 JWK 中添加 "key_ops": ["verify"] 以显式限定用途;
- 服务端为 /.well-known/dev-jwks.json 设置短 TTL(例如 300s)以减少开发环境中缓存时间;
- 文档化开发/测试密钥的轮换频率与失效流程,避免长期复用。
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
static/.well-known/dev-jwks.json(1 hunks)static/.well-known/jwks.json(1 hunks)
🔇 Additional comments (1)
static/.well-known/jwks.json (1)
1-12: 结构正确,可用于 RS256 验签;确认 kid 与签发端一致JWKS 包含单把 RSA 公钥,e=AQAB(65537),可按 kid 选键。
- 核对 JWT header 中的 kid 与 static/.well-known/jwks.json 中的 kid 完全一致。
- 在仓库运行的脚本输出 JWKS kid:BoY3rIHJMYk6ox5ZS2Rq0WnOZLOWunl1D-7z5gNvu_0;示例 JWT 未提供(TOKEN 环境变量未设置),因此未完成对比。
- 确认发行方(issuer)与该 JWKS URL 的绑定在配置中已生效,避免从错误的 JKU 拉取密钥。
在本地将 TOKEN 设置为示例 JWT 并重跑原脚本以完成一致性检查。
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
使用 https://github.com/bspk/mkjwk.org 项目,本地断网生成。
其和 jwt 的公钥和私钥一一对应。