add custom KeyFunc to middleware configuration

README.md

@@ -48,6 +48,7 @@ jwtware.New(config ...jwtware.Config) func(*fiber.Ctx) error
 | KeyRefreshRateLimit | `*time.Duration` |KeyRefreshRateLimit limits the rate at which refresh requests are granted.  | `nil` |
 | KeyRefreshTimeout | `*time.Duration` |KeyRefreshTimeout is the duration for the context used to create the HTTP request for a refresh of the JWKs. | `1min` |
 | KeyRefreshUnknownKID | `bool` |KeyRefreshUnknownKID indicates that the JWKs refresh request will occur every time a kid that isn't cached is seen. | `false` |
+| KeyFunc | `func() jwt.Keyfunc` |KeyFunc defines a user-defined function that supplies the public key for a token validation. | `jwtKeyFunc` |
 
 
 ### HS256 Example
@@ -243,3 +244,53 @@ The RS256 is actually identical to the HS256 test above.
 
 ### JWKs Test
 The tests are identical to basic `JWT` tests above, with exception that `KeySetURL` to valid public keys collection in JSON format should be supplied.
+
+### Custom KeyFunc example
+
+KeyFunc defines a user-defined function that supplies the public key for a token validation.
+The function shall take care of verifying the signing algorithm and selecting the proper key.
+A user-defined KeyFunc can be useful if tokens are issued by an external party.
+
+When a user-defined KeyFunc is provided, SigningKey, SigningKeys, and SigningMethod are ignored.
+This is one of the three options to provide a token validation key.
+The order of precedence is a user-defined KeyFunc, SigningKeys and SigningKey.
+Required if neither SigningKeys nor SigningKey is provided.
+Default to an internal implementation verifying the signing algorithm and selecting the proper key.
+
+```go
+package main
+
+import (
+	"fmt"
+  "github.com/gofiber/fiber/v2"
+
+  jwtware "github.com/gofiber/jwt/v3"
+  "github.com/golang-jwt/jwt/v4"
+)
+
+func main() {
+	app := fiber.New()
+
+	app.Use(jwtware.New(jwtware.Config{
+		KeyFunc: customKeyFunc(),
+	}))
+
+	app.Get("/ok", func(c *fiber.Ctx) error {
+		return c.SendString("OK")
+	})
+}
+
+func customKeyFunc() jwt.Keyfunc {
+	return func(t *jwt.Token) (interface{}, error) {
+		// Always check the signing method
+		if t.Method.Alg() != jwtware.HS256 {
+			return nil, fmt.Errorf("Unexpected jwt signing method=%v", t.Header["alg"])
+		}
+
+		// TODO custom implementation of loading signing key like from a database
+    signingKey := "secret"
+
+		return []byte(signingKey), nil
+	}
+}
+```

config.go

@@ -101,7 +101,16 @@ type Config struct {
 	// Optional. Default: "Bearer".
 	AuthScheme string
 
-	keyFunc jwt.Keyfunc
+	// KeyFunc defines a user-defined function that supplies the public key for a token validation.
+	// The function shall take care of verifying the signing algorithm and selecting the proper key.
+	// A user-defined KeyFunc can be useful if tokens are issued by an external party.
+	//
+	// When a user-defined KeyFunc is provided, SigningKey, SigningKeys, and SigningMethod are ignored.
+	// This is one of the three options to provide a token validation key.
+	// The order of precedence is a user-defined KeyFunc, SigningKeys and SigningKey.
+	// Required if neither SigningKeys nor SigningKey is provided.
+	// Default to an internal implementation verifying the signing algorithm and selecting the proper key.
+	KeyFunc jwt.Keyfunc
 }
 
 // makeCfg function will check correctness of supplied configuration
@@ -123,7 +132,7 @@ func makeCfg(config []Config) (cfg Config) {
 			return c.Status(fiber.StatusUnauthorized).SendString("Invalid or expired JWT")
 		}
 	}
-	if cfg.SigningKey == nil && len(cfg.SigningKeys) == 0 && cfg.KeySetURL == "" {
+	if cfg.SigningKey == nil && len(cfg.SigningKeys) == 0 && cfg.KeySetURL == "" && cfg.KeyFunc == nil {
 		panic("Fiber: JWT middleware requires signing key or url where to download one")
 	}
 	if cfg.SigningMethod == "" && cfg.KeySetURL == "" {
@@ -144,13 +153,15 @@ func makeCfg(config []Config) (cfg Config) {
 	if cfg.KeyRefreshTimeout == nil {
 		cfg.KeyRefreshTimeout = &defaultKeyRefreshTimeout
 	}
-	if cfg.KeySetURL != "" {
-		jwks := &KeySet{
-			Config: &cfg,
+	if cfg.KeyFunc == nil {
+		if cfg.KeySetURL != "" {
+			jwks := &KeySet{
+				Config: &cfg,
+			}
+			cfg.KeyFunc = jwks.keyFunc()
+		} else {
+			cfg.KeyFunc = jwtKeyFunc(cfg)
 		}
-		cfg.keyFunc = jwks.keyFunc()
-	} else {
-		cfg.keyFunc = jwtKeyFunc(cfg)
 	}
 	return cfg
 }

main.go

@@ -48,11 +48,11 @@ func New(config ...Config) fiber.Handler {
 		var token *jwt.Token
 
 		if _, ok := cfg.Claims.(jwt.MapClaims); ok {
-			token, err = jwt.Parse(auth, cfg.keyFunc)
+			token, err = jwt.Parse(auth, cfg.KeyFunc)
 		} else {
 			t := reflect.ValueOf(cfg.Claims).Type().Elem()
 			claims := reflect.New(t).Interface().(jwt.Claims)
-			token, err = jwt.ParseWithClaims(auth, claims, cfg.keyFunc)
+			token, err = jwt.ParseWithClaims(auth, claims, cfg.KeyFunc)
 		}
 		if err == nil && token.Valid {
 			// Store user information from token into context.

main_test.go

@@ -1,6 +1,8 @@
 package jwtware_test
 
 import (
+	"fmt"
+	"github.com/golang-jwt/jwt/v4"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
@@ -231,3 +233,47 @@ func TestJwkFromServer(t *testing.T) {
 		utils.AssertEqual(t, 200, resp.StatusCode)
 	}
 }
+
+func TestCustomKeyFunc(t *testing.T) {
+	t.Parallel()
+
+	defer func() {
+		// Assert
+		if err := recover(); err != nil {
+			t.Fatalf("Middleware should not panic")
+		}
+	}()
+
+	test := hamac[0]
+	// Arrange
+	app := fiber.New()
+
+	app.Use(jwtware.New(jwtware.Config{
+		KeyFunc: customKeyFunc(),
+	}))
+
+	app.Get("/ok", func(c *fiber.Ctx) error {
+		return c.SendString("OK")
+	})
+
+	req := httptest.NewRequest("GET", "/ok", nil)
+	req.Header.Add("Authorization", "Bearer "+test.Token)
+
+	// Act
+	resp, err := app.Test(req)
+
+	// Assert
+	utils.AssertEqual(t, nil, err)
+	utils.AssertEqual(t, 200, resp.StatusCode)
+}
+
+func customKeyFunc() jwt.Keyfunc {
+	return func(t *jwt.Token) (interface{}, error) {
+		// Always check the signing method
+		if t.Method.Alg() != jwtware.HS256 {
+			return nil, fmt.Errorf("Unexpected jwt signing method=%v", t.Header["alg"])
+		}
+
+		return []byte(defaultSigningKey), nil
+	}
+}