RubyGems - jwt - Versions diffs - 2.2.1 → 2.7.1 - Mend

jwt 2.2.1 → 2.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

checksums.yaml +4 -4
data/AUTHORS +79 -44
data/CHANGELOG.md +271 -20
data/CODE_OF_CONDUCT.md +84 -0
data/CONTRIBUTING.md +99 -0
data/README.md +253 -35
data/lib/jwt/algos/algo_wrapper.rb +26 -0
data/lib/jwt/algos/ecdsa.rb +55 -14
data/lib/jwt/algos/eddsa.rb +18 -8
data/lib/jwt/algos/hmac.rb +57 -17
data/lib/jwt/algos/hmac_rbnacl.rb +53 -0
data/lib/jwt/algos/hmac_rbnacl_fixed.rb +52 -0
data/lib/jwt/algos/none.rb +19 -0
data/lib/jwt/algos/ps.rb +10 -12
data/lib/jwt/algos/rsa.rb +9 -5
data/lib/jwt/algos/unsupported.rb +7 -4
data/lib/jwt/algos.rb +66 -0
data/lib/jwt/claims_validator.rb +12 -8
data/lib/jwt/configuration/container.rb +21 -0
data/lib/jwt/configuration/decode_configuration.rb +46 -0
data/lib/jwt/configuration/jwk_configuration.rb +27 -0
data/lib/jwt/configuration.rb +15 -0
data/lib/jwt/decode.rb +85 -17
data/lib/jwt/encode.rb +30 -19
data/lib/jwt/error.rb +16 -14
data/lib/jwt/jwk/ec.rb +236 -0
data/lib/jwt/jwk/hmac.rb +103 -0
data/lib/jwt/jwk/key_base.rb +55 -0
data/lib/jwt/jwk/key_finder.rb +19 -30
data/lib/jwt/jwk/kid_as_key_digest.rb +15 -0
data/lib/jwt/jwk/okp_rbnacl.rb +110 -0
data/lib/jwt/jwk/rsa.rb +181 -25
data/lib/jwt/jwk/set.rb +80 -0
data/lib/jwt/jwk/thumbprint.rb +26 -0
data/lib/jwt/jwk.rb +39 -15
data/lib/jwt/verify.rb +18 -3
data/lib/jwt/version.rb +23 -3
data/lib/jwt/x5c_key_finder.rb +55 -0
data/lib/jwt.rb +5 -4
data/ruby-jwt.gemspec +15 -10
metadata +30 -90
data/.codeclimate.yml +0 -20
data/.ebert.yml +0 -18
data/.gitignore +0 -11
data/.rspec +0 -1
data/.rubocop.yml +0 -98
data/.travis.yml +0 -20
data/Appraisals +0 -14
data/Gemfile +0 -3
data/Rakefile +0 -11
data/lib/jwt/default_options.rb +0 -15
data/lib/jwt/security_utils.rb +0 -57
data/lib/jwt/signature.rb +0 -52

data/lib/jwt/algos/ecdsa.rb CHANGED Viewed

@@ -1,34 +1,75 @@
+# frozen_string_literal: true
 module JWT
   module Algos
     module Ecdsa
       module_function
-      SUPPORTED = %w[ES256 ES384 ES512].freeze
       NAMED_CURVES = {
-        'prime256v1' => 'ES256',
-        'secp384r1' => 'ES384',
-        'secp521r1' => 'ES512'
+        'prime256v1' => {
+          algorithm: 'ES256',
+          digest: 'sha256'
+        },
+        'secp256r1' => { # alias for prime256v1
+          algorithm: 'ES256',
+          digest: 'sha256'
+        },
+        'secp384r1' => {
+          algorithm: 'ES384',
+          digest: 'sha384'
+        },
+        'secp521r1' => {
+          algorithm: 'ES512',
+          digest: 'sha512'
+        },
+        'secp256k1' => {
+          algorithm: 'ES256K',
+          digest: 'sha256'
+        }
       }.freeze
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        key_algorithm = NAMED_CURVES[key.group.curve_name]
+      SUPPORTED = NAMED_CURVES.map { |_, c| c[:algorithm] }.uniq.freeze
+      def sign(algorithm, msg, key)
+        curve_definition = curve_by_name(key.group.curve_name)
+        key_algorithm = curve_definition[:algorithm]
         if algorithm != key_algorithm
           raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
         end
-        digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-        SecurityUtils.asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
+        digest = OpenSSL::Digest.new(curve_definition[:digest])
+        asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
       end
-      def verify(to_verify)
-        algorithm, public_key, signing_input, signature = to_verify.values
-        key_algorithm = NAMED_CURVES[public_key.group.curve_name]
+      def verify(algorithm, public_key, signing_input, signature)
+        curve_definition = curve_by_name(public_key.group.curve_name)
+        key_algorithm = curve_definition[:algorithm]
         if algorithm != key_algorithm
           raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
         end
-        digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-        public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
+        digest = OpenSSL::Digest.new(curve_definition[:digest])
+        public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
+      end
+      def curve_by_name(name)
+        NAMED_CURVES.fetch(name) do
+          raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
+        end
+      end
+      def raw_to_asn1(signature, private_key)
+        byte_size = (private_key.group.degree + 7) / 8
+        sig_bytes = signature[0..(byte_size - 1)]
+        sig_char = signature[byte_size..-1] || ''
+        OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
+      end
+      def asn1_to_raw(signature, public_key)
+        byte_size = (public_key.group.degree + 7) / 8
+        OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
       end
     end
   end

data/lib/jwt/algos/eddsa.rb CHANGED Viewed

@@ -1,22 +1,32 @@
+# frozen_string_literal: true
 module JWT
   module Algos
     module Eddsa
       module_function
-      SUPPORTED = %w[ED25519].freeze
+      SUPPORTED = %w[ED25519 EdDSA].freeze
+      def sign(algorithm, msg, key)
+        if key.class != RbNaCl::Signatures::Ed25519::SigningKey
+          raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
+        end
+        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
+          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
+        end
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey" if key.class != RbNaCl::Signatures::Ed25519::SigningKey
-        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"  if algorithm.downcase.to_sym != key.primitive
         key.sign(msg)
       end
-      def verify(to_verify)
-        algorithm, public_key, signing_input, signature = to_verify.values
-        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{public_key.primitive} verification key was provided" if algorithm.downcase.to_sym != public_key.primitive
+      def verify(algorithm, public_key, signing_input, signature)
+        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
+          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
+        end
         raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey" if public_key.class != RbNaCl::Signatures::Ed25519::VerifyKey
         public_key.verify(signature, signing_input)
+      rescue RbNaCl::CryptoError
+        false
       end
     end
   end

data/lib/jwt/algos/hmac.rb CHANGED Viewed

@@ -1,33 +1,73 @@
+# frozen_string_literal: true
 module JWT
   module Algos
     module Hmac
       module_function
-      SUPPORTED = %w[HS256 HS512256 HS384 HS512].freeze
+      MAPPING = {
+        'HS256' => OpenSSL::Digest::SHA256,
+        'HS384' => OpenSSL::Digest::SHA384,
+        'HS512' => OpenSSL::Digest::SHA512
+      }.freeze
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, key)
-        if authenticator && padded_key
-          authenticator.auth(padded_key, msg.encode('binary'))
-        else
-          OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
+      SUPPORTED = MAPPING.keys
+      def sign(algorithm, msg, key)
+        key ||= ''
+        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+        OpenSSL::HMAC.digest(MAPPING[algorithm].new, key, msg)
+      rescue OpenSSL::HMACError => e
+        if key == '' && e.message == 'EVP_PKEY_new_mac_key: malloc failure'
+          raise JWT::DecodeError, 'OpenSSL 3.0 does not support nil or empty hmac_secret'
         end
+        raise e
+      end
+      def verify(algorithm, key, signing_input, signature)
+        SecurityUtils.secure_compare(signature, sign(algorithm, signing_input, key))
       end
-      def verify(to_verify)
-        algorithm, public_key, signing_input, signature = to_verify.values
-        authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, public_key)
-        if authenticator && padded_key
-          begin
-            authenticator.verify(padded_key, signature.encode('binary'), signing_input.encode('binary'))
-          rescue RbNaCl::BadAuthenticatorError
-            false
+      # Copy of https://github.com/rails/rails/blob/v7.0.3.1/activesupport/lib/active_support/security_utils.rb
+      # rubocop:disable Naming/MethodParameterName, Style/StringLiterals, Style/NumericPredicate
+      module SecurityUtils
+        # Constant time string comparison, for fixed length strings.
+        #
+        # The values compared should be of fixed length, such as strings
+        # that have already been processed by HMAC. Raises in case of length mismatch.
+        if defined?(OpenSSL.fixed_length_secure_compare)
+          def fixed_length_secure_compare(a, b)
+            OpenSSL.fixed_length_secure_compare(a, b)
           end
         else
-          SecurityUtils.secure_compare(signature, sign(JWT::Signature::ToSign.new(algorithm, signing_input, public_key)))
+          def fixed_length_secure_compare(a, b)
+            raise ArgumentError, "string length mismatch." unless a.bytesize == b.bytesize
+            l = a.unpack "C#{a.bytesize}"
+            res = 0
+            b.each_byte { |byte| res |= byte ^ l.shift }
+            res == 0
+          end
+        end
+        module_function :fixed_length_secure_compare
+        # Secure string comparison for strings of variable length.
+        #
+        # While a timing attack would not be able to discern the content of
+        # a secret compared via secure_compare, it is possible to determine
+        # the secret length. This should be considered when using secure_compare
+        # to compare weak, short secrets to user input.
+        def secure_compare(a, b)
+          a.bytesize == b.bytesize && fixed_length_secure_compare(a, b)
         end
+        module_function :secure_compare
       end
+      # rubocop:enable Naming/MethodParameterName, Style/StringLiterals, Style/NumericPredicate
     end
   end
 end

data/lib/jwt/algos/hmac_rbnacl.rb ADDED Viewed

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+module JWT
+  module Algos
+    module HmacRbNaCl
+      module_function
+      MAPPING = {
+        'HS256' => ::RbNaCl::HMAC::SHA256,
+        'HS512256' => ::RbNaCl::HMAC::SHA512256,
+        'HS384' => nil,
+        'HS512' => ::RbNaCl::HMAC::SHA512
+      }.freeze
+      SUPPORTED = MAPPING.keys
+      def sign(algorithm, msg, key)
+        if (hmac = resolve_algorithm(algorithm))
+          hmac.auth(key_for_rbnacl(hmac, key).encode('binary'), msg.encode('binary'))
+        else
+          Hmac.sign(algorithm, msg, key)
+        end
+      end
+      def verify(algorithm, key, signing_input, signature)
+        if (hmac = resolve_algorithm(algorithm))
+          hmac.verify(key_for_rbnacl(hmac, key).encode('binary'), signature.encode('binary'), signing_input.encode('binary'))
+        else
+          Hmac.verify(algorithm, key, signing_input, signature)
+        end
+      rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
+        false
+      end
+      def key_for_rbnacl(hmac, key)
+        key ||= ''
+        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+        return padded_empty_key(hmac.key_bytes) if key == ''
+        key
+      end
+      def resolve_algorithm(algorithm)
+        MAPPING.fetch(algorithm)
+      end
+      def padded_empty_key(length)
+        Array.new(length, 0x0).pack('C*').encode('binary')
+      end
+    end
+  end
+end

data/lib/jwt/algos/hmac_rbnacl_fixed.rb ADDED Viewed

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+module JWT
+  module Algos
+    module HmacRbNaClFixed
+      module_function
+      MAPPING = {
+        'HS256' => ::RbNaCl::HMAC::SHA256,
+        'HS512256' => ::RbNaCl::HMAC::SHA512256,
+        'HS384' => nil,
+        'HS512' => ::RbNaCl::HMAC::SHA512
+      }.freeze
+      SUPPORTED = MAPPING.keys
+      def sign(algorithm, msg, key)
+        key ||= ''
+        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+        if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
+          hmac.auth(padded_key_bytes(key, hmac.key_bytes), msg.encode('binary'))
+        else
+          Hmac.sign(algorithm, msg, key)
+        end
+      end
+      def verify(algorithm, key, signing_input, signature)
+        key ||= ''
+        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+        if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
+          hmac.verify(padded_key_bytes(key, hmac.key_bytes), signature.encode('binary'), signing_input.encode('binary'))
+        else
+          Hmac.verify(algorithm, key, signing_input, signature)
+        end
+      rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
+        false
+      end
+      def resolve_algorithm(algorithm)
+        MAPPING.fetch(algorithm)
+      end
+      def padded_key_bytes(key, bytesize)
+        key.bytes.fill(0, key.bytesize...bytesize).pack('C*')
+      end
+    end
+  end
+end

data/lib/jwt/algos/none.rb ADDED Viewed

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+module JWT
+  module Algos
+    module None
+      module_function
+      SUPPORTED = %w[none].freeze
+      def sign(*)
+        ''
+      end
+      def verify(*)
+        true
+      end
+    end
+  end
+end

data/lib/jwt/algos/ps.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module JWT
   module Algos
     module Ps
@@ -7,31 +9,27 @@ module JWT
       SUPPORTED = %w[PS256 PS384 PS512].freeze
-      def sign(to_sign)
+      def sign(algorithm, msg, key)
         require_openssl!
-        algorithm, msg, key = to_sign.values
-        key_class = key.class
-        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
+        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key.is_a?(String)
         translated_algorithm = algorithm.sub('PS', 'sha')
         key.sign_pss(translated_algorithm, msg, salt_length: :digest, mgf1_hash: translated_algorithm)
       end
-      def verify(to_verify)
+      def verify(algorithm, public_key, signing_input, signature)
         require_openssl!
-        SecurityUtils.verify_ps(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
+        translated_algorithm = algorithm.sub('PS', 'sha')
+        public_key.verify_pss(translated_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: translated_algorithm)
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
       end
       def require_openssl!
         if Object.const_defined?('OpenSSL')
-          major, minor = OpenSSL::VERSION.split('.').first(2)
-          unless major.to_i >= 2 && minor.to_i >= 1
+          if ::Gem::Version.new(OpenSSL::VERSION) < ::Gem::Version.new('2.1')
             raise JWT::RequiredDependencyError, "You currently have OpenSSL #{OpenSSL::VERSION}. PS support requires >= 2.1"
           end
         else

data/lib/jwt/algos/rsa.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module JWT
   module Algos
     module Rsa
@@ -5,14 +7,16 @@ module JWT
       SUPPORTED = %w[RS256 RS384 RS512].freeze
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.class == String
+      def sign(algorithm, msg, key)
+        raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.instance_of?(String)
         key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
       end
-      def verify(to_verify)
-        SecurityUtils.verify_rsa(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
+      def verify(algorithm, public_key, signing_input, signature)
+        public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
       end
     end
   end

data/lib/jwt/algos/unsupported.rb CHANGED Viewed

@@ -1,16 +1,19 @@
+# frozen_string_literal: true
 module JWT
   module Algos
     module Unsupported
       module_function
-      SUPPORTED = Object.new.tap { |object| object.define_singleton_method(:include?) { |*| true } }
-      def verify(*)
-        raise JWT::VerificationError, 'Algorithm not supported'
-      end
+      SUPPORTED = [].freeze
       def sign(*)
         raise NotImplementedError, 'Unsupported signing method'
       end
+      def verify(*)
+        raise JWT::VerificationError, 'Algorithm not supported'
+      end
     end
   end
 end

data/lib/jwt/algos.rb ADDED Viewed

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+begin
+  require 'rbnacl'
+rescue LoadError
+  raise if defined?(RbNaCl)
+end
+require 'openssl'
+require 'jwt/algos/hmac'
+require 'jwt/algos/eddsa'
+require 'jwt/algos/ecdsa'
+require 'jwt/algos/rsa'
+require 'jwt/algos/ps'
+require 'jwt/algos/none'
+require 'jwt/algos/unsupported'
+require 'jwt/algos/algo_wrapper'
+module JWT
+  module Algos
+    extend self
+    ALGOS = [Algos::Ecdsa,
+             Algos::Rsa,
+             Algos::Eddsa,
+             Algos::Ps,
+             Algos::None,
+             Algos::Unsupported].tap do |l|
+      if ::JWT.rbnacl_6_or_greater?
+        require_relative 'algos/hmac_rbnacl'
+        l.unshift(Algos::HmacRbNaCl)
+      elsif ::JWT.rbnacl?
+        require_relative 'algos/hmac_rbnacl_fixed'
+        l.unshift(Algos::HmacRbNaClFixed)
+      else
+        l.unshift(Algos::Hmac)
+      end
+    end.freeze
+    def find(algorithm)
+      indexed[algorithm && algorithm.downcase]
+    end
+    def create(algorithm)
+      Algos::AlgoWrapper.new(*find(algorithm))
+    end
+    def implementation?(algorithm)
+      (algorithm.respond_to?(:valid_alg?) && algorithm.respond_to?(:verify)) ||
+        (algorithm.respond_to?(:alg) && algorithm.respond_to?(:sign))
+    end
+    private
+    def indexed
+      @indexed ||= begin
+        fallback = [nil, Algos::Unsupported]
+        ALGOS.each_with_object(Hash.new(fallback)) do |cls, hash|
+          cls.const_get(:SUPPORTED).each do |alg|
+            hash[alg.downcase] = [alg, cls]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/jwt/claims_validator.rb CHANGED Viewed

@@ -1,33 +1,37 @@
+# frozen_string_literal: true
 require_relative './error'
 module JWT
   class ClaimsValidator
-    INTEGER_CLAIMS = %i[
+    NUMERIC_CLAIMS = %i[
       exp
       iat
       nbf
     ].freeze
     def initialize(payload)
-      @payload = payload.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
+      @payload = payload.transform_keys(&:to_sym)
     end
     def validate!
-      validate_int_claims
+      validate_numeric_claims
       true
     end
     private
-    def validate_int_claims
-      INTEGER_CLAIMS.each do |claim|
-        validate_is_int(claim) if @payload.key?(claim)
+    def validate_numeric_claims
+      NUMERIC_CLAIMS.each do |claim|
+        validate_is_numeric(claim) if @payload.key?(claim)
       end
     end
-    def validate_is_int(claim)
-      raise InvalidPayload, "#{claim} claim must be an Integer but it is a #{@payload[claim].class}" unless @payload[claim].is_a?(Integer)
+    def validate_is_numeric(claim)
+      return if @payload[claim].is_a?(Numeric)
+      raise InvalidPayload, "#{claim} claim must be a Numeric value but it is a #{@payload[claim].class}"
     end
   end
 end

data/lib/jwt/configuration/container.rb ADDED Viewed

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+require_relative 'decode_configuration'
+require_relative 'jwk_configuration'
+module JWT
+  module Configuration
+    class Container
+      attr_accessor :decode, :jwk
+      def initialize
+        reset!
+      end
+      def reset!
+        @decode = DecodeConfiguration.new
+        @jwk    = JwkConfiguration.new
+      end
+    end
+  end
+end

data/lib/jwt/configuration/decode_configuration.rb ADDED Viewed

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+module JWT
+  module Configuration
+    class DecodeConfiguration
+      attr_accessor :verify_expiration,
+                    :verify_not_before,
+                    :verify_iss,
+                    :verify_iat,
+                    :verify_jti,
+                    :verify_aud,
+                    :verify_sub,
+                    :leeway,
+                    :algorithms,
+                    :required_claims
+      def initialize
+        @verify_expiration = true
+        @verify_not_before = true
+        @verify_iss = false
+        @verify_iat = false
+        @verify_jti = false
+        @verify_aud = false
+        @verify_sub = false
+        @leeway = 0
+        @algorithms = ['HS256']
+        @required_claims = []
+      end
+      def to_h
+        {
+          verify_expiration: verify_expiration,
+          verify_not_before: verify_not_before,
+          verify_iss: verify_iss,
+          verify_iat: verify_iat,
+          verify_jti: verify_jti,
+          verify_aud: verify_aud,
+          verify_sub: verify_sub,
+          leeway: leeway,
+          algorithms: algorithms,
+          required_claims: required_claims
+        }
+      end
+    end
+  end
+end

data/lib/jwt/configuration/jwk_configuration.rb ADDED Viewed

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require_relative '../jwk/kid_as_key_digest'
+require_relative '../jwk/thumbprint'
+module JWT
+  module Configuration
+    class JwkConfiguration
+      def initialize
+        self.kid_generator_type = :key_digest
+      end
+      def kid_generator_type=(value)
+        self.kid_generator = case value
+                             when :key_digest
+                               JWT::JWK::KidAsKeyDigest
+                             when :rfc7638_thumbprint
+                               JWT::JWK::Thumbprint
+                             else
+                               raise ArgumentError, "#{value} is not a valid kid generator type."
+        end
+      end
+      attr_accessor :kid_generator
+    end
+  end
+end

data/lib/jwt/configuration.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+require_relative 'configuration/container'
+module JWT
+  module Configuration
+    def configure
+      yield(configuration)
+    end
+    def configuration
+      @configuration ||= ::JWT::Configuration::Container.new
+    end
+  end
+end