jose-jwt-0.3.1: JSON Object Signing and Encryption Library

Safe HaskellNone
LanguageHaskell2010

Jose.Jwt

Description

High-level JWT encoding and decoding.

Example usage:

>>> import Jose.Jwe
>>> import Jose.Jwa
>>> import Jose.Jwk
>>> import Data.Aeson (decodeStrict)
>>> import Crypto.Random.AESCtr
>>> g <- makeSystem
>>> let jsonJwk = "{\"kty\":\"RSA\", \"kid\":\"mykey\", \"n\":\"ofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd_wWJcyQoTbji9k0l8W26mPddxHmfHQp-Vaw-4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL-yRT-SFd2lZS-pCgNMsD1W_YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb_7OMg0LOL-bSf63kpaSHSXndS5z5rexMdbBYUsLA9e-KXBdQOS-UTo7WTBEMa2R2CapHg665xsmtdVMTBQY4uDZlxvb3qCo5ZwKh9kG4LT6_I5IhlJH7aGhyxXFvUK-DWNmoudF8NAco9_h9iaGNj8q2ethFkMLs91kzk2PAcDTW9gb54h4FRWyuXpoQ\", \"e\":\"AQAB\", \"d\":\"Eq5xpGnNCivDflJsRQBXHx1hdR1k6Ulwe2JZD50LpXyWPEAeP88vLNO97IjlA7_GQ5sLKMgvfTeXZx9SE-7YwVol2NXOoAJe46sui395IW_GO-pWJ1O0BkTGoVEn2bKVRUCgu-GjBVaYLU6f3l9kJfFNS3E0QbVdxzubSu3Mkqzjkn439X0M_V51gfpRLI9JYanrC4D4qAdGcopV_0ZHHzQlBjudU2QvXt4ehNYTCBr6XCLQUShb1juUO1ZdiYoFaFQT5Tw8bGUl_x_jTj3ccPDVZFD9pIuhLhBOneufuBiB4cS98l2SR_RQyGWSeWjnczT0QU91p1DhOVRuOopznQ\"}"
>>> let Just jwk = decodeStrict jsonJwk :: Maybe Jwk
>>> let (Right jwtEncoded, g')  = encode g jwk (Signed RS256) Nothing "public claims"
>>> let (Right jwtDecoded, g'') = Jose.Jwt.decode g' [jwk] jwtEncoded
>>> jwtDecoded
Jws (JwsHeader {jwsAlg = RS256, jwsTyp = Nothing, jwsCty = Nothing, jwsKid = Just "mykey"},"public claims")

Synopsis

Documentation

data Jwt Source

A decoded JWT which can be either a JWE or a JWS.

Constructors

Jws !Jws 
Jwe !Jwe 

Instances

type Jwe = (JweHeader, ByteString) Source

The header and claims of a decoded JWE.

type Jws = (JwsHeader, ByteString) Source

The header and claims of a decoded JWS.

data JwtClaims Source

Registered claims defined in section 4 of the JWT spec.

Constructors

JwtClaims 

Fields

jwtIss :: !(Maybe Text)
 
jwtSub :: !(Maybe Text)
 
jwtAud :: !(Maybe [Text])
 
jwtExp :: !(Maybe IntDate)
 
jwtNbf :: !(Maybe IntDate)
 
jwtIat :: !(Maybe IntDate)
 
jwtJti :: !(Maybe Text)
 

Instances

data JwsHeader Source

Header content for a JWS.

Constructors

JwsHeader 

Fields

jwsAlg :: JwsAlg
 
jwsTyp :: Maybe Text
 
jwsCty :: Maybe Text
 
jwsKid :: Maybe KeyId
 

Instances

data JweHeader Source

Header content for a JWE.

Constructors

JweHeader 

Fields

jweAlg :: JweAlg
 
jweEnc :: Enc
 
jweTyp :: Maybe Text
 
jweCty :: Maybe Text
 
jweZip :: Maybe Text
 
jweKid :: Maybe KeyId
 

Instances

data JwtError Source

Decoding errors.

Constructors

KeyError Text

No suitable key or wrong key type

BadAlgorithm Text

The supplied algorithm is invalid

BadDots Int

Wrong number of "." characters in the JWT

BadHeader Text

Header couldn't be decoded or contains bad data

BadClaims

Claims part couldn't be decoded or contains bad data

BadSignature

Signature is invalid

BadCrypto

A cryptographic operation failed

Base64Error String

A base64 decoding error

Instances

encode Source

Arguments

:: CPRG g 
=> g

Random number generator.

-> [Jwk]

The key or keys. At least one must be consistent with the chosen algorithm

-> Alg

The JWS or JWE algorithm

-> Maybe Enc

The payload encryption algorithm (if applicable)

-> ByteString

The payload (claims)

-> (Either JwtError ByteString, g)

The encoded JWT, if successful

Use the supplied JWKs to create a JWT. The list of keys will be searched to locate one which is consistent with the chosen algorithm.

decode Source

Arguments

:: CPRG g 
=> g

Random number generator. Only used for RSA blinding

-> [Jwk]

The keys to use for decoding

-> ByteString

The encoded JWT

-> (Either JwtError Jwt, g)

The decoded JWT, if successful

Uses the supplied keys to decode a JWT. Locates a matching key by header kid value where possible or by suitable key type. The JWK use and alg options are currently ignored.

decodeClaims :: ByteString -> Either JwtError (JwtHeader, JwtClaims) Source

Convenience function to return the claims contained in a JWT. This is required in situations such as client assertion authentication, where the contents of the JWT may be required in order to work out which key should be used to verify the token. Obviously this should not be used by itself to decode a token since no integrity checking is done and the contents may be forged.