Safe Haskell	None
Language	Haskell2010

Jose.Jwt

Description

High-level JWT encoding and decoding.

Example usage:

>>> import Jose.Jwe
>>> import Jose.Jwa
>>> import Jose.Jwk
>>> import Data.ByteString
>>> import Data.Aeson (decodeStrict)
>>> import Crypto.Random.AESCtr
>>> g <- makeSystem
>>> let jsonJwk = "{\"kty\":\"RSA\", \"kid\":\"mykey\", \"n\":\"ofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd_wWJcyQoTbji9k0l8W26mPddxHmfHQp-Vaw-4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL-yRT-SFd2lZS-pCgNMsD1W_YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb_7OMg0LOL-bSf63kpaSHSXndS5z5rexMdbBYUsLA9e-KXBdQOS-UTo7WTBEMa2R2CapHg665xsmtdVMTBQY4uDZlxvb3qCo5ZwKh9kG4LT6_I5IhlJH7aGhyxXFvUK-DWNmoudF8NAco9_h9iaGNj8q2ethFkMLs91kzk2PAcDTW9gb54h4FRWyuXpoQ\", \"e\":\"AQAB\", \"d\":\"Eq5xpGnNCivDflJsRQBXHx1hdR1k6Ulwe2JZD50LpXyWPEAeP88vLNO97IjlA7_GQ5sLKMgvfTeXZx9SE-7YwVol2NXOoAJe46sui395IW_GO-pWJ1O0BkTGoVEn2bKVRUCgu-GjBVaYLU6f3l9kJfFNS3E0QbVdxzubSu3Mkqzjkn439X0M_V51gfpRLI9JYanrC4D4qAdGcopV_0ZHHzQlBjudU2QvXt4ehNYTCBr6XCLQUShb1juUO1ZdiYoFaFQT5Tw8bGUl_x_jTj3ccPDVZFD9pIuhLhBOneufuBiB4cS98l2SR_RQyGWSeWjnczT0QU91p1DhOVRuOopznQ\"}" :: ByteString
>>> let Just jwk = decodeStrict jsonJwk :: Maybe Jwk
>>> let (Right (Jwt jwtEncoded), g')  = encode g [jwk] (Signed RS256) Nothing (Claims "public claims")
>>> let (Right jwtDecoded, g'') = Jose.Jwt.decode g' [jwk] jwtEncoded
>>> jwtDecoded
Jws (JwsHeader {jwsAlg = RS256, jwsTyp = Nothing, jwsCty = Nothing, jwsKid = Just "mykey"},"public claims")

Synopsis

Documentation

newtype Jwt Source

An encoded JWT.

Constructors

Jwt
Fields unJwt :: ByteString

Instances

Eq Jwt
Show Jwt
ToJSON Jwt
FromJSON Jwt

type Jwe = (JweHeader, ByteString) Source

The header and claims of a decoded JWE.

type Jws = (JwsHeader, ByteString) Source

The header and claims of a decoded JWS.

data JwtClaims Source

Registered claims defined in section 4 of the JWT spec.

Constructors

JwtClaims
Fields jwtIss :: !(Maybe Text) jwtSub :: !(Maybe Text) jwtAud :: !(Maybe [Text]) jwtExp :: !(Maybe IntDate) jwtNbf :: !(Maybe IntDate) jwtIat :: !(Maybe IntDate) jwtJti :: !(Maybe Text)

Instances

Show JwtClaims
Generic JwtClaims
ToJSON JwtClaims
FromJSON JwtClaims
type Rep JwtClaims

data JwsHeader Source

Header content for a JWS.

Constructors

JwsHeader
Fields jwsAlg :: JwsAlg jwsTyp :: Maybe Text jwsCty :: Maybe Text jwsKid :: Maybe KeyId

Instances

Eq JwsHeader
Show JwsHeader
Generic JwsHeader
ToJSON JwsHeader
FromJSON JwsHeader
type Rep JwsHeader

data JweHeader Source

Header content for a JWE.

Constructors

JweHeader
Fields jweAlg :: JweAlg jweEnc :: Enc jweTyp :: Maybe Text jweCty :: Maybe Text jweZip :: Maybe Text jweKid :: Maybe KeyId

Instances

Eq JweHeader
Show JweHeader
Generic JweHeader
ToJSON JweHeader
FromJSON JweHeader
type Rep JweHeader

data JwtContent Source

A decoded JWT which can be either a JWE or a JWS, or an unsecured JWT.

Constructors

Unsecured !ByteString
Jws !Jws
Jwe !Jwe

Instances

Eq JwtContent
Show JwtContent

data JwtError Source

Decoding errors.

Constructors

KeyError Text	No suitable key or wrong key type
BadAlgorithm Text	The supplied algorithm is invalid
BadDots Int	Wrong number of "." characters in the JWT
BadHeader Text	Header couldn't be decoded or contains bad data
BadClaims	Claims part couldn't be decoded or contains bad data
BadSignature	Signature is invalid
BadCrypto	A cryptographic operation failed
Base64Error String	A base64 decoding error

Instances

Eq JwtError
Show JwtError

data Payload Source

The payload to be encoded in a JWT.

Constructors

Nested Jwt
Claims ByteString

Instances

Eq Payload
Show Payload

encode Source

Arguments

:: CPRG g
=> g	Random number generator.
-> [Jwk]	The key or keys. At least one must be consistent with the chosen algorithm
-> Alg	The JWS or JWE algorithm
-> Maybe Enc	The payload encryption algorithm (if applicable)
-> Payload	The payload (claims)
-> (Either JwtError Jwt, g)	The encoded JWT, if successful

Use the supplied JWKs to create a JWT. The list of keys will be searched to locate one which is consistent with the chosen algorithm.

decode Source

Arguments

:: CPRG g
=> g	Random number generator. Only used for RSA blinding
-> [Jwk]	The keys to use for decoding
-> ByteString	The encoded JWT
-> (Either JwtError JwtContent, g)	The decoded JWT payload, if successful

Uses the supplied keys to decode a JWT. Locates a matching key by header kid value where possible or by suitable key type. The JWK use and alg options are currently ignored.

decodeClaims :: ByteString -> Either JwtError (JwtHeader, JwtClaims) Source

Convenience function to return the claims contained in a JWT. This is required in situations such as client assertion authentication, where the contents of the JWT may be required in order to work out which key should be used to verify the token. Obviously this should not be used by itself to decode a token since no integrity checking is done and the contents may be forged.