jose-0.5.0.4: Javascript Object Signing and Encryption and JSON Web Token library

Safe HaskellNone
LanguageHaskell98

Crypto.JWT

Description

JSON Web Token implementation.

Synopsis

Documentation

data JWT Source #

JSON Web Token data.

Constructors

JWT 

Fields

Instances

Eq JWT Source # 

Methods

(==) :: JWT -> JWT -> Bool #

(/=) :: JWT -> JWT -> Bool #

Show JWT Source # 

Methods

showsPrec :: Int -> JWT -> ShowS #

show :: JWT -> String #

showList :: [JWT] -> ShowS #

ToCompact JWT Source # 

Methods

toCompact :: (AsError e, MonadError e m) => JWT -> m [ByteString] Source #

FromCompact JWT Source # 

Methods

fromCompact :: (AsError e, MonadError e m) => [ByteString] -> m JWT Source #

data JWTCrypto Source #

Data representing the JOSE aspects of a JWT.

Constructors

JWTJWS (JWS JWSHeader) 

data JWTError Source #

class HasCheckIssuedAt s where Source #

Minimal complete definition

checkIssuedAt

createJWSJWT :: (MonadRandom m, MonadError e m, AsError e) => JWK -> JWSHeader -> ClaimsSet -> m JWT Source #

Create a JWT that is a JWS.

validateJWSJWT :: (MonadTime m, HasAllowedSkew a, HasAudiencePredicate a, HasIssuerPredicate a, HasCheckIssuedAt a, HasValidationSettings a, AsError e, AsJWTError e, MonadError e m) => a -> JWK -> JWT -> m () Source #

Validate a JWT as a JWS (JSON Web Signature), then as a Claims Set.

data ClaimsSet Source #

The JWT Claims Set represents a JSON object whose members are the claims conveyed by the JWT.

Constructors

ClaimsSet 

Fields

  • _claimIss :: Maybe StringOrURI

    The issuer claim identifies the principal that issued the JWT. The processing of this claim is generally application specific.

  • _claimSub :: Maybe StringOrURI

    The subject claim identifies the principal that is the subject of the JWT. The Claims in a JWT are normally statements about the subject. The subject value MAY be scoped to be locally unique in the context of the issuer or MAY be globally unique. The processing of this claim is generally application specific.

  • _claimAud :: Maybe Audience

    The audience claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the aud claim when this claim is present, then the JWT MUST be rejected.

  • _claimExp :: Maybe NumericDate

    The expiration time claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of exp claim requires that the current date/time MUST be before expiration date/time listed in the exp claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew.

  • _claimNbf :: Maybe NumericDate

    The not before claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the nbf claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the nbf claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew.

  • _claimIat :: Maybe NumericDate

    The issued at claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT.

  • _claimJti :: Maybe Text

    The JWT ID claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object. The jti claim can be used to prevent the JWT from being replayed. The jti value is a case-sensitive string.

  • _unregisteredClaims :: HashMap Text Value

    Claim Names can be defined at will by those using JWTs.

emptyClaimsSet :: ClaimsSet Source #

Return an empty claims set.

validateClaimsSet :: (MonadTime m, HasAllowedSkew a, HasAudiencePredicate a, HasIssuerPredicate a, HasCheckIssuedAt a, AsJWTError e, MonadError e m) => a -> ClaimsSet -> m () Source #

Validate the claims made by a ClaimsSet. Currently only inspects the exp and nbf claims. N.B. These checks are also performed by validateJWSJWT, which also validates any signatures, so you shouldn’t need to use this directly in the normal course of things.

newtype Audience Source #

Audience data. In the general case, the aud value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the aud value MAY be a single case-sensitive string containing a StringOrURI value.

Constructors

Audience [StringOrURI] 

data StringOrURI Source #

A JSON string value, with the additional requirement that while arbitrary string values MAY be used, any value containing a : character MUST be a URI.

fromString :: Text -> StringOrURI Source #

Construct a StringOrURI from text

fromURI :: URI -> StringOrURI Source #

Construct a StringOrURI from a URI

getURI :: StringOrURI -> Maybe URI Source #

Get the uri from a StringOrURI