scimgateway 5.4.3 → 5.4.4

package/README.md

@@ -16,6 +16,7 @@ Validated through IdP's:
 
 Latest news:  
  
+- External JWKS (JSON Web Key Set) is now supported by JWT Authentication. These are public and typically frequent rotated by modern identity providers
 - [Azure Relay](https://learn.microsoft.com/en-us/azure/azure-relay/relay-what-is-it) is now supported for secure and hassle-free outbound communication — with just one minute of configuration
 - [ETag](https://datatracker.ietf.org/doc/html/rfc7644#section-3.14) is now supported
 - [Bulk Operations](https://datatracker.ietf.org/doc/html/rfc7644#section-3.7) is now supported
@@ -417,7 +418,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **auth.bearerJwtAzure** - Array of one or more JWT used by Azure SyncFabric. **tenantIdGUID** must be set to Entra ID Tenant ID.
 
-- **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret** or **publicKey** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs` or absolute path being used. Clear text secret will become encrypted when gateway is started. **options.issuer** is mandatory. Other options may also be included according to jsonwebtoken npm package definition.
+- **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret**, **publicKey** or **wellKnownUri** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs` or absolute path being used. Clear text secret will become encrypted when gateway is started. For JWKS (JSON Web Key Set), the **wellKnownUri** must be set to identity provider well-known URI which will be used for lookup the jwks_uri key.  **options.issuer** should normally be set for validation when using secret or publicKey. Other options may also be included according to jsonwebtoken npm package definition.
 
 - **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`clientId`** and **`clientSecret`** are mandatory. clientSecret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. `http://localhost:8880/oauth/token`
 
@@ -816,7 +817,7 @@ const messageHandler = async (message: string) => {
   console.log(message)
 }
 
-async function startSSE() {
+async function startup() {
   while (true) {
     try {
       const resp = await fetch(url, { headers });
@@ -847,7 +848,7 @@ async function startSSE() {
   }
 }
 
-startSSE()
+startup()
 ```
 
 ### Configuration notes - Azure Relay
@@ -1466,7 +1467,29 @@ In code editor (e.g., Visual Studio Code), method details and documentation are
 MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 
-## Change log  
+## Change log
+
+### v5.4.4
+
+[Improved]
+
+- External JWKS (JSON Web Key Set) is now supported by JWT Authentication. These are public and typically frequent rotated by modern identity providers
+
+	JKWS is enabled by setting scimgateway.auth.bearerJwt[].wellKnownUri to the identity provider's well-known URI
+
+	Keycloak example:
+
+		auth: {
+		  "bearerJwt": [
+		    {
+		      "wellKnownUri": "https://keycloak.example.com/realms/example-realm/.well-known/openid-configuration",
+		      "options": {
+		        ...
+		      },
+		      ...
+		     }
+		  ]
+		}
 
 ### v5.4.3
 

package/bun.lock

@@ -17,6 +17,7 @@
         "hyco-https": "^1.4.5",
         "is-in-subnet": "^4.0.1",
         "jsonwebtoken": "^9.0.2",
+        "jwk-to-pem": "^2.0.7",
         "ldapjs": "^3.0.7",
         "lokijs": "^1.5.12",
         "mongodb": "^6.16.0",
@@ -31,6 +32,7 @@
         "@types/bun": "latest",
         "@types/dot-object": "^2.1.6",
         "@types/jsonwebtoken": "^9.0.9",
+        "@types/jwk-to-pem": "^2.0.3",
         "@types/node": "latest",
         "@types/nodemailer": "^6.4.17",
         "@types/passport": "^1.0.17",
@@ -163,6 +165,8 @@
 
     "@types/jsonwebtoken": ["@types/jsonwebtoken@9.0.10", "", { "dependencies": { "@types/ms": "*", "@types/node": "*" } }, "sha512-asx5hIG9Qmf/1oStypjanR7iKTv0gXQ1Ov/jfrX6kS/EO0OFni8orbmGCn0672NHR3kXHwpAwR+B368ZGN/2rA=="],
 
+    "@types/jwk-to-pem": ["@types/jwk-to-pem@2.0.3", "", {}, "sha512-I/WFyFgk5GrNbkpmt14auGO3yFK1Wt4jXzkLuI+fDBNtO5ZI2rbymyGd6bKzfSBEuyRdM64ZUwxU1+eDcPSOEQ=="],
+
     "@types/ldapjs": ["@types/ldapjs@3.0.6", "", { "dependencies": { "@types/node": "*" } }, "sha512-E2Tn1ltJDYBsidOT9QG4engaQeQzRQ9aYNxVmjCkD33F7cIeLPgrRDXAYs0O35mK2YDU20c/+ZkNjeAPRGLM0Q=="],
 
     "@types/lokijs": ["@types/lokijs@1.5.14", "", {}, "sha512-4Fic47BX3Qxr8pd12KT6/T1XWU8dOlJBIp1jGoMbaDbiEvdv50rAii+B3z1b/J2pvMywcVP+DBPGP5/lgLOKGA=="],
@@ -235,6 +239,8 @@
 
     "argparse": ["argparse@2.0.1", "", {}, "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q=="],
 
+    "asn1.js": ["asn1.js@5.4.1", "", { "dependencies": { "bn.js": "^4.0.0", "inherits": "^2.0.1", "minimalistic-assert": "^1.0.0", "safer-buffer": "^2.1.0" } }, "sha512-+I//4cYPccV8LdmBLiX8CYvf9Sp3vQsrqu2QNXRcrbiWvcx/UdlFiqUJJzxRQxgsZmvhXhn4cSKeSmoFjVdupA=="],
+
     "assert-plus": ["assert-plus@1.0.0", "", {}, "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw=="],
 
     "async": ["async@3.2.6", "", {}, "sha512-htCUDlxyyCLMgaM3xXg0C0LW2xqfuQ6p05pCEIsXuyQ+a1koYKTuBMzRNwmybfLgvJDMd0r1LTn4+E0Ti6C2AA=="],
@@ -253,10 +259,14 @@
 
     "bl": ["bl@6.1.0", "", { "dependencies": { "@types/readable-stream": "^4.0.0", "buffer": "^6.0.3", "inherits": "^2.0.4", "readable-stream": "^4.2.0" } }, "sha512-ClDyJGQkc8ZtzdAAbAwBmhMSpwN/sC9HA8jxdYm6nVUbCfZbe2mgza4qh7AuEYyEPB/c4Kznf9s66bnsKMQDjw=="],
 
+    "bn.js": ["bn.js@4.12.2", "", {}, "sha512-n4DSx829VRTRByMRGdjQ9iqsN0Bh4OolPsFnaZBLcbi8iXcB+kJ9s7EnRt4wILZNV3kPLHkRVfOc/HvhC3ovDw=="],
+
     "brace-expansion": ["brace-expansion@1.1.12", "", { "dependencies": { "balanced-match": "^1.0.0", "concat-map": "0.0.1" } }, "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg=="],
 
     "braces": ["braces@3.0.3", "", { "dependencies": { "fill-range": "^7.1.1" } }, "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA=="],
 
+    "brorand": ["brorand@1.1.0", "", {}, "sha512-cKV8tMCEpQs4hK/ik71d6LrPOnpkpGBR0wzxqr68g2m/LB2GxVYQroAjMJZRVM1Y4BCjCKc3vAamxSzOY2RP+w=="],
+
     "bson": ["bson@6.10.4", "", {}, "sha512-WIsKqkSC0ABoBJuT1LEX+2HEvNmNKKgnTAyd0fL8qzK4SH2i9NXg+t08YtdZp/V9IZ33cxe3iV4yM0qg8lMQng=="],
 
     "buffer": ["buffer@6.0.3", "", { "dependencies": { "base64-js": "^1.3.1", "ieee754": "^1.2.1" } }, "sha512-FTiCpNxtwiZZHEZbcbTIcZjERVICn9yq/pDFkTl95/AxzD1naBctN7YO68riM/gLSDY7sdrMby8hofADYuuqOA=="],
@@ -315,6 +325,8 @@
 
     "ecdsa-sig-formatter": ["ecdsa-sig-formatter@1.0.11", "", { "dependencies": { "safe-buffer": "^5.0.1" } }, "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ=="],
 
+    "elliptic": ["elliptic@6.6.1", "", { "dependencies": { "bn.js": "^4.11.9", "brorand": "^1.1.0", "hash.js": "^1.0.0", "hmac-drbg": "^1.0.1", "inherits": "^2.0.4", "minimalistic-assert": "^1.0.1", "minimalistic-crypto-utils": "^1.0.1" } }, "sha512-RaddvvMatK2LJHqFJ+YA4WysVN5Ita9E35botqIYspQ4TkRAlCicdzKOjlyv/1Za5RyTNn7di//eEV0uTAfe3g=="],
+
     "es-define-property": ["es-define-property@1.0.1", "", {}, "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g=="],
 
     "es-errors": ["es-errors@1.3.0", "", {}, "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw=="],
@@ -399,8 +411,12 @@
 
     "has-tostringtag": ["has-tostringtag@1.0.2", "", { "dependencies": { "has-symbols": "^1.0.3" } }, "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw=="],
 
+    "hash.js": ["hash.js@1.1.7", "", { "dependencies": { "inherits": "^2.0.3", "minimalistic-assert": "^1.0.1" } }, "sha512-taOaskGt4z4SOANNseOviYDvjEJinIkRgmp7LbKP2YTTmVxWBl87s/uzK9r+44BclBSp2X7K1hqeNfz9JbBeXA=="],
+
     "hasown": ["hasown@2.0.2", "", { "dependencies": { "function-bind": "^1.1.2" } }, "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ=="],
 
+    "hmac-drbg": ["hmac-drbg@1.0.1", "", { "dependencies": { "hash.js": "^1.0.3", "minimalistic-assert": "^1.0.0", "minimalistic-crypto-utils": "^1.0.1" } }, "sha512-Tti3gMqLdZfhOQY1Mzf/AanLiqh1WTiJgEj26ZuYQ9fbkLomzGchCws4FyrSd4VkpBfiNhaE1On+lOz894jvXg=="],
+
     "http-proxy-agent": ["http-proxy-agent@7.0.2", "", { "dependencies": { "agent-base": "^7.1.0", "debug": "^4.3.4" } }, "sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig=="],
 
     "https": ["https@1.0.0", "", {}, "sha512-4EC57ddXrkaF0x83Oj8sM6SLQHAWXw90Skqu2M4AEWENZ3F02dFJE/GARA8igO79tcgYqGrD7ae4f5L3um2lgg=="],
@@ -463,6 +479,8 @@
 
     "jwa": ["jwa@1.4.2", "", { "dependencies": { "buffer-equal-constant-time": "^1.0.1", "ecdsa-sig-formatter": "1.0.11", "safe-buffer": "^5.0.1" } }, "sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw=="],
 
+    "jwk-to-pem": ["jwk-to-pem@2.0.7", "", { "dependencies": { "asn1.js": "^5.3.0", "elliptic": "^6.6.1", "safe-buffer": "^5.0.1" } }, "sha512-cSVphrmWr6reVchuKQZdfSs4U9c5Y4hwZggPoz6cbVnTpAVgGRpEuQng86IyqLeGZlhTh+c4MAreB6KbdQDKHQ=="],
+
     "jws": ["jws@3.2.2", "", { "dependencies": { "jwa": "^1.4.1", "safe-buffer": "^5.0.1" } }, "sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA=="],
 
     "keyv": ["keyv@4.5.4", "", { "dependencies": { "json-buffer": "3.0.1" } }, "sha512-oxVHkHR/EJf2CNXnWxRLW6mg7JyCCUcG0DtEGmL2ctUo1PNTin1PUil+r/+4r5MpVgC/fn1kjsx7mjSujKqIpw=="],
@@ -507,6 +525,10 @@
 
     "micromatch": ["micromatch@4.0.8", "", { "dependencies": { "braces": "^3.0.3", "picomatch": "^2.3.1" } }, "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA=="],
 
+    "minimalistic-assert": ["minimalistic-assert@1.0.1", "", {}, "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A=="],
+
+    "minimalistic-crypto-utils": ["minimalistic-crypto-utils@1.0.1", "", {}, "sha512-JIYlbt6g8i5jKfJ3xz7rF0LXmv2TkDxBLUkiBeZ7bAx4GnnNMr8xFpGnOxn6GhTEHx3SjRrZEoU+j04prX1ktg=="],
+
     "minimatch": ["minimatch@3.1.2", "", { "dependencies": { "brace-expansion": "^1.1.7" } }, "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw=="],
 
     "minimist": ["minimist@1.2.8", "", {}, "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA=="],

package/config/plugin-api.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-entra-id.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-ldap.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-loki.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-mongodb.json

@@ -50,6 +50,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-mssql.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-saphana.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-scim.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-soap.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/lib/scimgateway.ts

@@ -21,6 +21,7 @@ import dot from 'dot-object'
 import nodemailer from 'nodemailer'
 import fs from 'node:fs'
 import path from 'node:path'
+import jwkToPem from 'jwk-to-pem'
 import * as jwt from 'jsonwebtoken'
 import * as utils from './utils.ts'
 import * as utilsScim from './utils-scim.ts'
@@ -37,7 +38,6 @@ export class ScimGateway {
   private getMemberOf: any
   private getAppRoles: any
   private pub: any
-  private Nonce = new utils.TimerMapCache(2000)
   // @ts-expect-error: has no initializer
   private helperRest: HelperRest
   /** pluginName is the name of plugin e.g., plugin-loki */
@@ -670,37 +670,78 @@ export class ScimGateway {
       })
     }
 
-    const jwtVerify = async (baseEntity: string, method: string, el: Record<string, any>, authToken: string) => { // used by bearerJwt
-      return await new Promise((resolve) => {
-        jwt.verify(authToken, (el.secret) ? el.secret : el.publicKeyContent, el.options, (err) => {
-          if (err != null) resolve(false)
-          else {
-            if (el.baseEntities) {
-              if (Array.isArray(el.baseEntities) && el.baseEntities.length > 0) {
-                if (!baseEntity) return resolve(false)
-                if (!el.baseEntities.includes(baseEntity)) return resolve(false)
-              }
-            }
-            if (el.readOnly === true && method !== 'GET') return resolve(false)
-            resolve(true) // authorization OK
+    const getJwksPemKey = async (kid: string, wellKnownUri: string): Promise<Array<any>> => { // retrieves "JSON Web Key Set" from well-known jwks_uri and returns the public key that corresponds with the access token kid value
+      if (!this.helperRest) this.helperRest = this.newHelperRest()
+      let res
+      try { // get issuer and jwks_uri from well-knonw uri
+        res = await this.helperRest.doRequest('undefined', 'GET', wellKnownUri)
+      } catch (err: any) {
+        logger.error(`${gwName}[${pluginName}] JWKS wellKnownUri=${wellKnownUri} error: ${err.message}`)
+        return []
+      }
+      if (!res?.body) return []
+      const issuer = res.body.issuer
+      const jwks_uri = res.body.jwks_uri
+      if (!issuer || !jwks_uri) {
+        logger.error(`${gwName}[${pluginName}] JWKS wellKnownUri=${wellKnownUri} error: found issuer=${issuer} and jwks_uri=${jwks_uri} - both should be found`)
+        return []
+      }
+      // JWKS
+      try { // get jwks that correspods with kid from jwks_uri
+        res = await this.helperRest.doRequest('undefined', 'GET', jwks_uri)
+      } catch (err: any) {
+        logger.error(`${gwName}[${pluginName}] JWKS jwks_uri=${jwks_uri} error: ${err.message}`)
+        return []
+      }
+      if (!res || !Array.isArray(res?.body?.keys)) return []
+      const keys = res.body.keys.filter((k: any) => k.kid === kid)
+      if (keys.length !== 1) return []
+      try {
+        return [jwkToPem(keys[0]), issuer, keys[0].alg]
+      } catch (err: any) {
+        return []
+      }
+    }
+
+    const jwtVerify = async (baseEntity: string, method: string, el: Record<string, any>, authToken: string, kid?: string): Promise<boolean> => { // used by bearerJwt
+      try {
+        jwt.verify(authToken, (el.secret) ? el.secret : el.publicKeyContent, el.options)
+        if (Array.isArray(el?.baseEntities) && el.baseEntities.length > 0) {
+          if (!el.baseEntities.includes(baseEntity)) return false
+        }
+        if (el.readOnly === true && method !== 'GET') return false
+        return true // authorization OK
+      } catch (err: any) {
+        if (!el.wellKnownUri) throw new Error(`JWT error: ${err.message}`)
+        // using wellKnownUri - JWKS and external public certificate - try once again we might have an updated certificate (key)
+        if (!kid) throw new Error(`JWKS error: missing kid`)
+        const [pemKey, issuer, alg] = await getJwksPemKey(kid, el.wellKnownUri)
+        if (!pemKey) throw new Error('JWKS error: no external public certificate found')
+        el.publicKeyContent = pemKey
+        if (!el.options) el.options = {}
+        if (issuer) el.options.issuer = issuer
+        if (alg) el.options.algorithms = [alg]
+        try {
+          jwt.verify(authToken, el.publicKeyContent, el.options)
+          if (Array.isArray(el?.baseEntities) && el.baseEntities.length > 0) {
+            if (!el.baseEntities.includes(baseEntity)) return false
           }
-        })
-      })
+          if (el.readOnly === true && method !== 'GET') return false
+          return true // authorization OK
+        } catch (err: any) {
+          throw new Error(`JWKS error: ${err.message}`)
+        }
+      }
     }
 
     const bearerJwt = async (baseEntity: string, method: string, authType: string, authToken: string): Promise<boolean> => {
       if (authType !== 'Bearer' || !found.BearerJwt) return false // no standard jwt bearer token
       const jtoken: any = jwt.decode(authToken, { complete: true })
-      if (jtoken == null) return false
+      if (!jtoken) return false
       if (jtoken?.payload['iss'] && jtoken?.payload['iss'].indexOf('https://sts.windows.net') === 0) return false // azure - handled by bearerJwtAzure
-      const promises: any = []
       const arr = this.config.scimgateway.auth.bearerJwt
       for (let i = 0; i < arr.length; i++) {
-        promises.push(jwtVerify(baseEntity, method, arr[i], authToken))
-      }
-      const arrResolve = await Promise.all(promises).catch((err) => { throw (err) })
-      for (const i in arrResolve) {
-        if (arrResolve[i]) return true
+        if (await jwtVerify(baseEntity, method, arr[i], authToken, jtoken?.header?.kid) === true) return true
       }
       throw new Error('JWT authentication failed')
     }
@@ -786,7 +827,7 @@ export class ScimGateway {
         ])
           .catch((err) => { throw (err) })
         for (const i in arrResolve) {
-          if (arrResolve[i]) return true // auth OK - continue with routes
+          if (arrResolve[i] === true) return true // auth OK - continue with routes
         }
         // all false - invalid auth method or missing pluging config
         let err: Error
@@ -827,7 +868,6 @@ export class ScimGateway {
         }
         return false
       }
-      return false
     }
 
     const ipAllowList = (ipAddr: string): boolean => {
@@ -3554,7 +3594,7 @@ Content-Transfer-Encoding: quoted-printable
       if (lastKey === 'password' && key.startsWith('scimgateway.auth.basic')) foundBasic = true
       else if (lastKey === 'token' && key.startsWith('scimgateway.auth.bearerToken')) foundBearerToken = true
       else if (lastKey === 'tenantIdGUID' && key.startsWith('scimgateway.auth.bearerJwtAzure')) foundBearerJwtAzure = true
-      else if (lastKey === 'secret' && key.startsWith('scimgateway.auth.bearerJwt')) foundBearerJwt = true
+      else if ((lastKey === 'publicKey' || lastKey === 'secret' || lastKey === 'wellKnownUri') && key.startsWith('scimgateway.auth.bearerJwt')) foundBearerJwt = true
       else if (lastKey === 'clientSecret' && key.startsWith('scimgateway.auth.bearerOAuth')) foundBearerOAuth = true
 
       // certificate full path

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "5.4.3",
+  "version": "5.4.4",
   "type": "module",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
@@ -48,6 +48,7 @@
     "hyco-https": "^1.4.5",
     "is-in-subnet": "^4.0.1",
     "jsonwebtoken": "^9.0.2",
+    "jwk-to-pem": "^2.0.7",
     "ldapjs": "^3.0.7",
     "lokijs": "^1.5.12",
     "mongodb": "^6.16.0",
@@ -65,6 +66,7 @@
     "@types/bun": "latest",
     "@types/dot-object": "^2.1.6",
     "@types/jsonwebtoken": "^9.0.9",
+    "@types/jwk-to-pem": "^2.0.3",
     "@types/node": "latest",
     "@types/nodemailer": "^6.4.17",
     "@types/passport": "^1.0.17",