Expose function to check if jws.Verify failed with verifyError or not

[arxeiss]

Abstract

If I use jws.Verify and it fails, it is hard to know why. If signature is invalid, I would like to return Unauthenticated/Invalid argument error. In all other cases I would like to return just Internal error and log that error.

If I got keys from jwk.Fetch and similar, I might be almost 100% sure that issue is because of invalid signature.
But would be nice to know that for sure.

Describe the proposed solution/change

Something similar like https://github.com/lestrrat-go/jwx/blob/develop/v2/jwt/validate.go#L147 or just simple helper

func IsVerifyError(err error) bool {
	var ve verifyError
	return errors.As(err, &ve)
}

[lestrrat]

Better error reporting for jws.Verify is something that I'm absolutely 👍 for, but I'm not 100% as to exactly what you're going after.

For example,

If I got keys from jwk.Fetch and similar, I might be almost 100% sure that issue is because of invalid signature.
But would be nice to know that for sure.

What does this (jwk.Fetch) have to do with jws.Verify and verifyError?

Perhaps... are you dynamically loading keys in a KeyProvider? And this is failing and you want to differentiate against this line?

(If this is the case I can certainly accept a PR with your proposed change, as long as there are test cases included :)

[arxeiss]

I do

1. claims, err := jwt.Parse(bearerToken, jwt.WithVerify(false))
2. then based on value from claims.Issuer() I call keySet, err := jwk.Fetch() and do some caching
3. and finally jws.Verify(bearerToken, jws.WithKeySet(keySet))

That's why I'm almost 100% sure, that if jws.Verify is failing, it is due to invalid signature, because token was parsed and keySet should be valid as it is returned by jwk.Fetch().

So I would like to differentiate basically any error from jws.Verify with this line https://github.com/lestrrat-go/jwx/blob/develop/v2/jws/jws.go#L451

[lestrrat]

Okay, so your proposed changes for IsVerifyError makes sense to me. I'm still on vacation, so if you're in a hurry, please consider filing a PR. Otherwise I will get on it sometime next week

[lestrrat]

@arxeiss I got other stuff that I also need to fix on this module, so I'll work on this now

[lestrrat]

@arxeiss Please check #1049. I opted to rename the function IsVerificationError. After implementing IsVerifyError, I compared it to jws.Verify and I thought it was unclear what IsVerifyError checks for from the naming -- technically, all errors returned from jws.Verify would be a "VerifyError", right? So while it's a bit more typing, I opted for the IsVerificationError name.

[arxeiss]

You were much faster than I'm. I had to focus to different task so I put this on hold. I checked the PR, seems good. Thank you