Allow verifying JWT with private key

[ayZagen]

Currently the library throws an error if we try to verify a JWT with a private key.

Wouldn't it be better if the library automatically extracts the public key if it detects private key is used ?

And I couldn't find any helper method to extract public key from private key.

[panva]

I believe this is already possible when working with KeyObject instances under the Node.js runtime, the node:crypto system just takes care of this.

However, in other runtimes and key representations this is not possible because the CryptoKey and SubtleCrypto interface simply don't allow it.

[ayZagen]

thanks for the fast reply, I have noticed that in Bun but I couldn't find a way to get public key without duplicating data. importJWK seems return a CryptoKey with extractable=false. Can we add an option to importJwk to make the resulting key extractable ?

EDIT: it seems unrelated to importJwk but the key sent to verify method is coming from the result of importJWK

[ayZagen]

I am no way a crypto expert so this my sound stupid, ignore the question if it is, but why is it not allowed to verify a jwt with a private key? Isn't private key basically superset of the public key?

[panva]

importJWK seems return a CryptoKey with extractable=false

No need for one, you can use the ext JWK Parameter that WebCryptoAPI registered. Set the key's ext to true and the resulting private CryptoKey will be extractable.

EDIT: it seems unrelated to importJwk but the key sent to verify method is coming from the result of importJWK

If you pass a JWK to the verify method, yeah. That's new since https://github.com/panva/jose/releases/tag/v5.9.0 and I'm happy to get feedback on it. Its main purpose is for convenience or for when you're not going to be re-using the same set of keys for the operation, in which case you should use one of the import key methods to obtain a CryptoKey or KeyObject and use that instead.

[ayZagen]

thanks a lot for explanations and for your great work!