Enhancement Request: Expand JWT Algorithm Support (RFC 7518 Compliance) #1481

Open
mdaneri opened this issue Feb 8, 2025 · 0 comments


mdaneri commented Feb 8, 2025

Description
Pode’s JWT authentication should be expanded to fully comply with [RFC 7518: JSON Web Algorithms (JWA)](https://datatracker.ietf.org/doc/html/rfc7518), allowing Pode to support a wider range of JWT signing and verification algorithms.

Proposed Enhancements

  • Add support for additional JWT algorithms:
    • NONE, HS256, HS384, HS512 (HMAC)
    • RS256, RS384, RS512 (RSA)
    • PS256, PS384, PS512 (RSA-PSS)
    • ES256, ES384, ES512 (ECDSA)
  • Introduce -PrivateKey parameter:
    • Enables support for RSA and ECDSA verification.
    • Accepts private keys in PEM format as a secure string.
    • Example usage:
      $privateKey = Get-Content 'C:\path\to\private-key.pem' -Raw | ConvertTo-SecureString -AsPlainText -Force
      New-PodeAuthScheme -Bearer -AsJWT -PrivateKey $privateKey | Add-PodeAuth -Name 'JWTAuth' -Sessionless -ScriptBlock {
          param($payload)
          Write-Output "Authenticated user: $($payload.sub)"
      }
  • Validate JWT signature against provided keys:
    • Pode should reject JWTs with invalid or mismatched signatures.
    • Signature verification should be optional (e.g., -IgnoreSignature parameter).
  • Ensure proper handling of JWT expiry (exp) and not-before (nbf) claims.

Why This is Needed

  • Aligns Pode’s JWT authentication with industry standards.
  • Supports widely used cryptographic algorithms for stronger security.
  • Allows authentication mechanisms to leverage RSA and ECDSA, which are commonly used in enterprise-grade security solutions.

References

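The verification behaviour the request asks for (signature checked against a key the server chose, `exp`/`nbf` enforced, the token's own `alg` never trusted on its own) can be sketched outside Pode. The following is an added example, not Pode code and not part of the issue; it assumes PowerShell 7 (.NET 5 or later, for `ImportFromPem` and `FixedTimeEquals`) and covers the HS* and RS* families only, with function names of my own choosing.

```powershell
# Added example (not Pode's code): verify a JWT's signature and time claims.
# Assumes PowerShell 7 / .NET 5+. Supports HS256/384/512 (shared secret) and RS256/384/512 (PEM public key).
function ConvertFrom-Base64Url {
    param([string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [Convert]::FromBase64String($s)
}

function Test-Jwt {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string[]]$AllowedAlgorithms = @('HS256'),  # explicit allowlist; 'none' is never accepted
        [string]$Secret,                             # HMAC secret for HS*
        [string]$PublicKeyPem,                       # PEM-encoded public key for RS*
        [int]$ClockSkewSeconds = 60
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Malformed token: expected header.payload.signature' }
    $header  = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    $payload = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
    $sig     = ConvertFrom-Base64Url $parts[2]

    # The verifier decides which algorithms are acceptable, not the token header.
    $alg = [string]$header.alg
    if ($AllowedAlgorithms -notcontains $alg) { throw "Algorithm '$alg' is not allowed" }
    $data = [Text.Encoding]::ASCII.GetBytes("$($parts[0]).$($parts[1])")  # signing input per RFC 7515
    $bits = [int]$alg.Substring(2)

    $valid = switch ($alg.Substring(0, 2)) {
        'HS' {
            $hmac = New-Object "System.Security.Cryptography.HMACSHA$bits"
            $hmac.Key = [Text.Encoding]::UTF8.GetBytes($Secret)
            # Constant-time comparison so a mismatch does not leak how many bytes matched.
            [Security.Cryptography.CryptographicOperations]::FixedTimeEquals($hmac.ComputeHash($data), $sig)
        }
        'RS' {
            $rsa = [Security.Cryptography.RSA]::Create()
            $rsa.ImportFromPem($PublicKeyPem)
            $rsa.VerifyData($data, $sig, [Security.Cryptography.HashAlgorithmName]::new("SHA$bits"),
                            [Security.Cryptography.RSASignaturePadding]::Pkcs1)
        }
        default { $false }
    }
    if (-not $valid) { throw 'Signature verification failed' }

    # exp / nbf are seconds since the Unix epoch (RFC 7519); tolerate a small clock skew.
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if ($payload.PSObject.Properties['exp'] -and $now -gt ([long]$payload.exp + $ClockSkewSeconds)) { throw 'Token has expired' }
    if ($payload.PSObject.Properties['nbf'] -and $now -lt ([long]$payload.nbf - $ClockSkewSeconds)) { throw 'Token is not yet valid' }
    return $payload
}
```

Call it as `Test-Jwt -Token $jwt -AllowedAlgorithms 'RS256' -PublicKeyPem (Get-Content '.\public-key.pem' -Raw)`; it returns the decoded claims on success and throws on any failure, so a caller cannot accidentally treat a rejected token as authenticated.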