@xemahq/oidc-guard
v0.3.0
Published
Framework-agnostic OIDC / JWT verification for Xema — JWKS fetching, issuer-metadata resolution, and signature validation.
Readme
@xemahq/oidc-guard
Layer 0 — pure, framework-agnostic OpenID-Connect JWT verification. Zero
runtime dependencies (Node crypto + fetch only); zero Xema-domain concepts.
The single, shared implementation of the error-prone bits every Xema service (and every generic submodule) previously copied by hand:
JwksVerifier— per-(cacheKey, kid)signing-key cache,exp/nbfchecks, optional issuer pinning, RS256/384/512 signature verification. Fail-closed.IssuerMetadataResolver— resolves a provider'sjwks_urifrom its OIDC discovery document (<base>/.well-known/openid-configuration), so no caller hard-codes a provider-specific keys path. Cached, fail-closed.OidcTokenVerifier— the high-level primitive: discover the JWKS endpoint for a token's realm/issuer and verify the signature + temporal + issuer claims, returning the decoded payload. Callers layer their own realm/role/context handling on top.
Both the in-monorepo JwtVerificationGuard (@xemahq/platform-common) and the
independent submodule guards consume this package rather than re-implementing
the crypto. Wrapping it in a NestJS guard, an attestation check, or any other
transport is the caller's job — this package holds no framework dependency.
