Safe Haskell | None |
---|---|
Language | Haskell2010 |
High-level JWT encoding and decoding.
Example usage:
>>>
import Jose.Jwe
>>>
import Jose.Jwa
>>>
import Jose.Jwk
>>>
import Data.ByteString
>>>
import Data.Aeson (decodeStrict)
>>>
import Crypto.Random.AESCtr
>>>
g <- makeSystem
>>>
let jsonJwk = "{\"kty\":\"RSA\", \"kid\":\"mykey\", \"n\":\"ofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd_wWJcyQoTbji9k0l8W26mPddxHmfHQp-Vaw-4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL-yRT-SFd2lZS-pCgNMsD1W_YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb_7OMg0LOL-bSf63kpaSHSXndS5z5rexMdbBYUsLA9e-KXBdQOS-UTo7WTBEMa2R2CapHg665xsmtdVMTBQY4uDZlxvb3qCo5ZwKh9kG4LT6_I5IhlJH7aGhyxXFvUK-DWNmoudF8NAco9_h9iaGNj8q2ethFkMLs91kzk2PAcDTW9gb54h4FRWyuXpoQ\", \"e\":\"AQAB\", \"d\":\"Eq5xpGnNCivDflJsRQBXHx1hdR1k6Ulwe2JZD50LpXyWPEAeP88vLNO97IjlA7_GQ5sLKMgvfTeXZx9SE-7YwVol2NXOoAJe46sui395IW_GO-pWJ1O0BkTGoVEn2bKVRUCgu-GjBVaYLU6f3l9kJfFNS3E0QbVdxzubSu3Mkqzjkn439X0M_V51gfpRLI9JYanrC4D4qAdGcopV_0ZHHzQlBjudU2QvXt4ehNYTCBr6XCLQUShb1juUO1ZdiYoFaFQT5Tw8bGUl_x_jTj3ccPDVZFD9pIuhLhBOneufuBiB4cS98l2SR_RQyGWSeWjnczT0QU91p1DhOVRuOopznQ\"}" :: ByteString
>>>
let Just jwk = decodeStrict jsonJwk :: Maybe Jwk
>>>
let (Right (Jwt jwtEncoded), g') = encode g [jwk] (JwsEncoding RS256) (Claims "public claims")
>>>
let (Right jwtDecoded, g'') = Jose.Jwt.decode g' [jwk] (Just (JwsEncoding RS256)) jwtEncoded
>>>
jwtDecoded
Jws (JwsHeader {jwsAlg = RS256, jwsTyp = Nothing, jwsCty = Nothing, jwsKid = Just (KeyId "mykey")},"public claims")
- newtype Jwt = Jwt {
- unJwt :: ByteString
- type Jwe = (JweHeader, ByteString)
- type Jws = (JwsHeader, ByteString)
- data JwtClaims = JwtClaims {}
- data JwsHeader = JwsHeader {}
- data JweHeader = JweHeader {}
- data JwtContent
- data JwtEncoding
- data JwtError
- data Payload
- encode :: CPRG g => g -> [Jwk] -> JwtEncoding -> Payload -> (Either JwtError Jwt, g)
- decode :: CPRG g => g -> [Jwk] -> Maybe JwtEncoding -> ByteString -> (Either JwtError JwtContent, g)
- decodeClaims :: ByteString -> Either JwtError (JwtHeader, JwtClaims)
Documentation
type Jwe = (JweHeader, ByteString) Source
The header and claims of a decoded JWE.
type Jws = (JwsHeader, ByteString) Source
The header and claims of a decoded JWS.
Registered claims defined in section 4 of the JWT spec.
Header content for a JWS.
Header content for a JWE.
data JwtContent Source
A decoded JWT which can be either a JWE or a JWS, or an unsecured JWT.
data JwtEncoding Source
Defines the encoding information for a JWT.
Used for both encoding new JWTs and validating existing ones.
Decoding errors.
KeyError Text | No suitable key or wrong key type |
BadAlgorithm Text | The supplied algorithm is invalid |
BadDots Int | Wrong number of "." characters in the JWT |
BadHeader Text | Header couldn't be decoded or contains bad data |
BadClaims | Claims part couldn't be decoded or contains bad data |
BadSignature | Signature is invalid |
BadCrypto | A cryptographic operation failed |
Base64Error String | A base64 decoding error |
The payload to be encoded in a JWT.
:: CPRG g | |
=> g | Random number generator |
-> [Jwk] | The key or keys. At least one must be consistent with the chosen algorithm |
-> JwtEncoding | The encoding algorithm(s) used to encode the payload |
-> Payload | The payload (claims) |
-> (Either JwtError Jwt, g) | The encoded JWT, if successful |
Use the supplied JWKs to create a JWT. The list of keys will be searched to locate one which is consistent with the chosen encoding algorithms.
:: CPRG g | |
=> g | Random number generator. Only used for RSA blinding |
-> [Jwk] | The keys to use for decoding |
-> Maybe JwtEncoding | The expected encoding information |
-> ByteString | The encoded JWT |
-> (Either JwtError JwtContent, g) | The decoded JWT payload, if successful |
Uses the supplied keys to decode a JWT.
Locates a matching key by header kid
value where possible
or by suitable key type for the encoding algorithm.
The algorithm(s) used can be optionally be supplied for validation
by setting the JwtEncoding
parameter, in which case an error will
be returned if they don't match.
For unsecured tokens (with algorithm "none"), the expected algorithm
must be set to Just (JwsEncoding None)
or an error will be returned.
decodeClaims :: ByteString -> Either JwtError (JwtHeader, JwtClaims) Source
Convenience function to return the claims contained in a JWT. This is required in situations such as client assertion authentication, where the contents of the JWT may be required in order to work out which key should be used to verify the token. Obviously this should not be used by itself to decode a token since no integrity checking is done and the contents may be forged.