Multi-Backend JWK Registry

Build a module that loads multiple JOSE keys from varied inputs, prefers one crypto backend but falls back to another when needed, and allows registering an extra symmetric key type. Expose functions to add keys, fetch keys by kid/alg/use, and export public JWKS data.

Capabilities

Build keys from mixed inputs

• Loading a config containing a symmetric secret, an RSA private key in PEM form, and an EC JWK produces usable key entries with the provided kid, alg, and use, rejecting unknown algorithms. @test
• Keys built from PEM and JWK inputs expose only their public portion when exported while preserving the configured kid. @test

Backend preference and fallback

• When a preferred backend is unavailable, constructing an RSA key still succeeds via a fallback backend and records which backend was used. @test

Custom key registration

• Registering a custom symmetric key label "oct-cat" allows constructing and using that key alongside standard keys, with kid tagging and algorithm validation. @test

JWKS export

• Exporting a public JWKS includes only public parameters for asymmetric keys and excludes symmetric key material. @test

Implementation

@generates

API

class KeyRegistry:
    def __init__(self, preferred_backend: str | None = None, allow_fallback: bool = True): ...
    def add_key(self, kid: str, alg: str, use: str, material: object) -> None: ...
    def register_custom_symmetric(self, label: str, alg: str, secret: bytes | str) -> str: ...
    def get_key(self, kid: str) -> object: ...
    def export_public_jwks(self) -> dict: ...
    def describe_backends(self) -> dict: ...

Dependencies { .dependencies }

python-jose { .dependency }

Provides JOSE key construction, backend selection, and custom key registration.