andrewheberle

This is something that is important to implement as it makes the plugin very difficult to use with any service that rotates it’s signing keys (as the should).

All major OIDC providers (Google, Facebook, Github, Cloudflare, Okta, Auth0 etc) provide their certs via a JWKS URL that the application can retrieve for verification rather than hard-coding the certificate.

I’m sure there are other PHP libraries out there but an example of this here:

https://github.com/okta/okta-jwt-verifier-php

Just to add some more info for the second part of my request (getting the keys via a URL), this seems to be some sort of standard that various vendors use.

Some documentation is here:

https://auth0.com/docs/tokens/json-web-tokens/json-web-key-sets

An example in PHP is here (although I think you are using a different library for this plugin):

https://auth0.com/docs/libraries/auth0-php/validating-jwts-with-auth0-php

That’s great news that this is on your roadmap.

For our purposes the option to configure header/cookie location is all that is needed.

Thanks again.