| Safe Haskell | None |
|---|---|
| Language | Haskell2010 |
| Extensions | |
JWT representation, signing and decoding.
Synopsis
- data Jwt pc ns = Jwt {}
- data Encoded t
- getToken :: Encoded t -> ByteString
- sign :: Encode (PrivateClaims pc ns) => Alg -> Payload pc ns -> Encoded (Jwt pc ns)
- signJwt :: Encode (PrivateClaims pc ns) => Jwt pc ns -> Encoded (Jwt pc ns)
- data Decoded t
- getDecoded :: Decoded t -> t
- decodeString :: (MonadThrow m, Decode (PrivateClaims pc ns)) => Alg -> String -> m (Decoded (Jwt pc ns))
- decodeByteString :: forall ns pc m. (MonadThrow m, Decode (PrivateClaims pc ns)) => Alg -> ByteString -> m (Decoded (Jwt pc ns))
- data Validated t
- getValid :: Validated t -> t
- validateJwt :: MonadTime m => ValidationSettings -> JwtValidation pc ns -> Decoded (Jwt pc ns) -> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns)))
- jwtFromString :: (Decode (PrivateClaims pc ns), MonadTime m, MonadThrow m) => ValidationSettings -> JwtValidation pc ns -> Alg -> String -> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns)))
- jwtFromByteString :: (Decode (PrivateClaims pc ns), MonadTime m, MonadThrow m) => ValidationSettings -> JwtValidation pc ns -> Alg -> ByteString -> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns)))
Documentation
data Jwt pc ns
JSON Web Token representation
Instances
- Eq (PrivateClaims pc ns) => Eq (Jwt pc ns)
- Show (PrivateClaims pc ns) => Show (Jwt pc ns)
- Encode (PrivateClaims pc ns) => Encode (Jwt pc ns)
Defined in Libjwt.Jwt
data Encoded t
base64url-encoded value of type t
getToken :: Encoded t -> ByteString
The octets of the token's UTF-8 representation.
data Decoded t
Decoded value of type t
getDecoded :: Decoded t -> t
decodeString :: (MonadThrow m, Decode (PrivateClaims pc ns)) => Alg -> String -> m (Decoded (Jwt pc ns))
See decodeByteString
decodeByteString :: forall ns pc m. (MonadThrow m, Decode (PrivateClaims pc ns)) => Alg -> ByteString -> m (Decoded (Jwt pc ns))
Parse the base64url-encoded representation to extract the serialized values for the components of the JWT. Verify that:
1. token is a valid UTF-8 encoded representation of a completely valid JSON object,
2. the input JWT signature matches,
3. the correct algorithm was used,
4. all required fields are present.
If steps 1-2 are unsuccessful, DecodeException will be thrown. If step 3 fails, AlgorithmMismatch will be thrown. If the last step fails, MissingClaim will be thrown.
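The four decode steps above, exercised end to end in an added example (this is not code from the libjwt-typed documentation or its test suite). A token is produced with sign and getToken, then fed to decodeByteString with the MonadThrow m instantiated at Either SomeException, so each documented failure (DecodeException, AlgorithmMismatch, MissingClaim) surfaces as a Left value that can be printed rather than as an IO exception. The secret and claim values are constructed for the example. Web.Libjwt as the umbrella import, the Secret type, the HMAC256 and HMAC512 constructors of Alg, the payload builders jwtPayload, withIssuer and setTtl, the ->> claim operator and the 'NoNs namespace marker are assumed to come from other libjwt-typed modules that this page does not document.

```haskell
{-# LANGUAGE DataKinds #-}
{-# LANGUAGE OverloadedLabels #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE TypeOperators #-}

module DecodeStages (main) where

import           Control.Exception              ( SomeException
                                                , displayException
                                                )
import           Data.ByteString                ( ByteString )
import qualified Data.ByteString.Char8         as C8
import           Data.Text                      ( Text )
-- Assumed: Web.Libjwt re-exports Libjwt.Jwt (sign, getToken, decodeByteString,
-- getDecoded) together with Secret, the Alg constructors and the payload builders
-- (jwtPayload, withIssuer, setTtl, ->>). None of those are documented on this page.
import           Web.Libjwt

-- Claim set the issuer actually puts into the token ...
type IssuedClaims = '["userName" ->> Text, "isAdmin" ->> Bool]
-- ... and a stricter claim set a consumer might demand (one extra required claim).
type StrictClaims = '["userName" ->> Text, "isAdmin" ->> Bool, "tenant" ->> Text]

type IssuedJwt = Jwt IssuedClaims 'NoNs
type StrictJwt = Jwt StrictClaims 'NoNs

-- Constructed, example-only HMAC secret; a real service loads it from a secret store.
secret :: Secret
secret = "example-only-secret-do-not-reuse"

-- Payload with iss, a 5-minute ttl and two private claims (values constructed here).
issuedPayload :: IO (Payload IssuedClaims 'NoNs)
issuedPayload = jwtPayload (withIssuer "example-issuer" <> setTtl 300)
                           (#userName ->> ("alice" :: Text), #isAdmin ->> False)

-- Sign with HS256 and take the base64url token octets.
issueToken :: IO ByteString
issueToken = getToken . sign (HMAC256 secret) <$> issuedPayload

-- decodeByteString is polymorphic in MonadThrow m. Instantiating m at
-- Either SomeException (instance provided by the exceptions package) turns every
-- documented failure into a Left instead of an exception thrown in IO.
decodeIssued :: Alg -> ByteString -> Either SomeException (Decoded IssuedJwt)
decodeIssued = decodeByteString

decodeStrict :: Alg -> ByteString -> Either SomeException (Decoded StrictJwt)
decodeStrict = decodeByteString

-- Constructed tampering: flip the last base64url character of the signature segment.
tamper :: ByteString -> ByteString
tamper tok = C8.init tok <> C8.singleton (if C8.last tok == 'A' then 'B' else 'A')

-- Show either the exception text or the decoded Jwt (Show instance from this module).
report :: Show t => String -> Either SomeException (Decoded t) -> IO ()
report label result =
  putStrLn (label <> ": " <> either displayException (show . getDecoded) result)

main :: IO ()
main = do
  tok <- issueToken
  report "genuine token, verifier expects HS256" (decodeIssued (HMAC256 secret) tok)
  report "signature tampered (fails step 2)"     (decodeIssued (HMAC256 secret) (tamper tok))
  report "verifier expects HS512 (fails step 3)" (decodeIssued (HMAC512 secret) tok)
  report "consumer requires tenant (fails step 4)" (decodeStrict (HMAC256 secret) tok)
```

Keeping the decode in Either SomeException is convenient for request handlers that want to log which stage rejected a token before mapping every stage to the same generic 401; only the first case above yields a Decoded value, and even that value still has to pass validateJwt before the claims are trusted.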
data Validated t
Successfully validated value of type t
getValid :: Validated t -> t
validateJwt :: MonadTime m => ValidationSettings -> JwtValidation pc ns -> Decoded (Jwt pc ns) -> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns)))
- JwtValidation pc ns: additional validation rules
- Decoded (Jwt pc ns): decoded token
Accept or reject a successfully decoded JWT value. In addition to the default rules mandated by the RFC, the application can add its own rules.
The default rules are:
- check the exp claim to see if the current time is before the expiration time,
- check the nbf claim to see if the current time is after or equal to the not-before time,
- check the aud claim if the application identifies itself with a value in the aud list (if present).
You may allow a little leeway when checking time-based claims.
jwtFromString :: (Decode (PrivateClaims pc ns), MonadTime m, MonadThrow m) => ValidationSettings -> JwtValidation pc ns -> Alg -> String -> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns)))
jwtFromByteString :: (Decode (PrivateClaims pc ns), MonadTime m, MonadThrow m) => ValidationSettings -> JwtValidation pc ns -> Alg -> ByteString -> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns)))
- JwtValidation pc ns: additional validation rules
- Alg: algorithm used to verify the signature
- ByteString: base64url-encoded representation (a token)
  jwtFromByteString settings v alg = validateJwt settings v <=< decodeByteString alg
In other words, it:
Parses the base64url-encoded representation to extract the serialized values for the components of the JWT. Verifies that:
1. token is a valid UTF-8 encoded representation of a completely valid JSON object,
2. the input JWT signature matches,
3. the correct algorithm was used,
4. all required fields are present.
If steps 1-2 are unsuccessful, DecodeException will be thrown. If step 3 fails, AlgorithmMismatch will be thrown. If the last step fails, MissingClaim will be thrown.
Once the token has been successfully decoded, it is validated.
In addition to the default rules mandated by the RFC, the application can add its own rules.
The default rules are:
- check the exp claim to see if the current time is before the expiration time,
- check the nbf claim to see if the current time is after or equal to the not-before time,
- check the aud claim if the application identifies itself with a value in the aud list (if present).
You may allow a little leeway when checking time-based claims.
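An added example (not code from the libjwt-typed documentation) covering both the validateJwt rules and the jwtFromByteString composition described above: a token carrying iss, aud and a ttl is issued, then accepted in one call with jwtFromByteString and again in the two explicit steps decodeByteString and validateJwt; a second verifier configured with a different appName and a different trusted issuer shows the default aud rule and an application rule failing together. The secret, claim values and service names are constructed. Assumed, because this page does not document them: Web.Libjwt as the umbrella import; the Settings constructor of ValidationSettings with its leeway and appName fields and the checkIssuer rule (Libjwt.JwtValidation); the payload builders jwtPayload, withIssuer, withRecipient, setTtl and the ->> operator; a Show instance for ValidationFailure; and that the Success and Failure constructors behind ValidationNEL are those of the validation-selective package's Validation type.

```haskell
{-# LANGUAGE DataKinds #-}
{-# LANGUAGE LambdaCase #-}
{-# LANGUAGE OverloadedLabels #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE TypeOperators #-}

module ValidateToken (main) where

import           Data.ByteString                ( ByteString )
import           Data.Foldable                  ( traverse_ )
import           Data.Text                      ( Text )
-- Assumed: ValidationNEL e a is Validation (NonEmpty e) a from validation-selective,
-- whose constructors are Success and Failure.
import           Validation                     ( Validation(..) )
-- Assumed: Web.Libjwt re-exports Libjwt.Jwt, Libjwt.JwtValidation (ValidationSettings,
-- Settings, checkIssuer) and the payload builders used below.
import           Web.Libjwt

type Claims  = '["userName" ->> Text, "isAdmin" ->> Bool]
type UserJwt = Jwt Claims 'NoNs

-- Constructed, example-only HMAC secret.
secret :: Secret
secret = "example-only-secret-do-not-reuse"

-- Issuing side: iss, aud and a 5-minute ttl, so exp, nbf and aud all have something to check.
issuedPayload :: IO (Payload Claims 'NoNs)
issuedPayload = jwtPayload
  (withIssuer "example-issuer" <> withRecipient "https://api.example.test" <> setTtl 300)
  (#userName ->> ("alice" :: Text), #isAdmin ->> False)

issueToken :: IO ByteString
issueToken = getToken . sign (HMAC256 secret) <$> issuedPayload

-- Settings behind the default (RFC) rules: 5 seconds of clock leeway for exp/nbf and the
-- name this service matches against the token's aud list.
settings :: ValidationSettings
settings = Settings { leeway = 5, appName = Just "https://api.example.test" }

-- An application rule on top of the defaults (mempty would mean "no extra rules").
onlyOurIssuer :: JwtValidation Claims 'NoNs
onlyOurIssuer = checkIssuer "example-issuer"

-- One call: decode, then validate. Decode failures are thrown (MonadThrow IO); rule
-- failures are collected in the ValidationNEL result instead of being thrown.
acceptToken :: ByteString -> IO (ValidationNEL ValidationFailure (Validated UserJwt))
acceptToken = jwtFromByteString settings onlyOurIssuer (HMAC256 secret)

-- The same thing as two explicit steps, matching the definition quoted above.
acceptTokenTwoStep :: ByteString -> IO (ValidationNEL ValidationFailure (Validated UserJwt))
acceptTokenTwoStep tok =
  decodeByteString (HMAC256 secret) tok >>= validateJwt settings onlyOurIssuer

-- Only a Validated value is unwrapped with getValid and handed to application code.
describe :: ValidationNEL ValidationFailure (Validated UserJwt) -> IO ()
describe = \case
  Success v    -> putStrLn ("accepted: " <> show (getValid v))
  Failure errs -> putStrLn "rejected:" >> traverse_ print errs

main :: IO ()
main = do
  tok <- issueToken
  acceptToken tok        >>= describe
  acceptTokenTwoStep tok >>= describe
  -- Same token seen by a service with another name that trusts another issuer: the aud
  -- rule and the issuer rule both fail, and both failures are reported together.
  jwtFromByteString settings { appName = Just "https://other.example.test" }
                    (checkIssuer "someone-else")
                    (HMAC256 secret)
                    tok
    >>= describe
```

Because rule failures accumulate in a NonEmpty rather than short-circuiting, the rejection branch can log every reason a token was turned away, which is what you want when tracing clock skew (exp/nbf with too little leeway) apart from a token that was simply minted for a different audience.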