Hi all - can oathkeeper verify JWTs signed with a ...
# talk-oathkeeper
m
Hi all - can oathkeeper verify JWTs signed with a symmetric algorithm? I couldn’t see it in the config, but I wasn’t sure.
m
Ooh! Thanks. I’ve not seen it mentioned in the docs, though. Is it exposed in there yet?
I only see an option for asymmetric (i.e. JWKS):
i
I've not tried it by myself. But just try it. E.g. if your jwt is signed with HMAC-SHA256, configure `allowed_algorithms` with HS256.
m
Ah - and see what errors it throws on where the key is? I can try that.
i
Oathkeeper fetches the key from the configured jwks endpoint. If it can find the corresponding key it should work. The key identification happens via the `kid` claim in the JWT header. If it is not present, you might run into issues (I don't remember whether oathkeeper iterates through the key set in such a case to identify the used key). In our case you would like to configure the jwks url to have the key locally available to oathkeeper (in its file system).