Safe Haskell | None |
---|---|
Language | Haskell2010 |
Extensions | |
JWT representation, signing and decoding.
Synopsis
- data Jwt pc ns = Jwt {}
- data Encoded t
- getToken :: Encoded t -> ByteString
- sign :: (Encode (PrivateClaims pc ns), SigningKey k) => Algorithm k -> Payload pc ns -> Encoded (Jwt pc ns)
- sign' :: (Encode (PrivateClaims pc ns), SigningKey k) => Typ -> Algorithm k -> Payload pc ns -> Encoded (Jwt pc ns)
- data Decoded t
- getDecoded :: Decoded t -> t
- decodeString :: (MonadThrow m, Decode (PrivateClaims pc ns), DecodingKey k) => Algorithm k -> String -> m (Decoded (Jwt pc ns))
- decodeByteString :: forall ns pc m k. (MonadThrow m, Decode (PrivateClaims pc ns), DecodingKey k) => Algorithm k -> ByteString -> m (Decoded (Jwt pc ns))
- data Validated t
- getValid :: Validated t -> t
- validateJwt :: MonadTime m => ValidationSettings -> JwtValidation pc ns -> Decoded (Jwt pc ns) -> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns)))
- jwtFromString :: (Decode (PrivateClaims pc ns), MonadTime m, MonadThrow m, DecodingKey k) => ValidationSettings -> JwtValidation pc ns -> Algorithm k -> String -> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns)))
- jwtFromByteString :: (Decode (PrivateClaims pc ns), MonadTime m, MonadThrow m, DecodingKey k) => ValidationSettings -> JwtValidation pc ns -> Algorithm k -> ByteString -> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns)))
Documentation
data Jwt pc ns Source #
JSON Web Token representation
data Encoded t Source #
base64url-encoded value of type t
getToken :: Encoded t -> ByteString Source #
octets of the UTF-8 representation
sign Source #
:: (Encode (PrivateClaims pc ns), SigningKey k) | |
=> Algorithm k | algorithm |
-> Payload pc ns | JWT payload |
-> Encoded (Jwt pc ns) |
Compute the encoded JWT value with the JWS Signature in the manner defined for the algorithm.
- typ of the JWT Header is set to JWT
- alg of the JWT Header is set according to the algorithm used (see toHeaderAlg)
Creates the serialized output, that is:
BASE64URL(UTF8(JWT Header)) || . || BASE64URL(JWT Payload) || . || BASE64URL(JWT Signature)
sign' Source #
:: (Encode (PrivateClaims pc ns), SigningKey k) | |
=> Typ | typ |
-> Algorithm k | algorithm |
-> Payload pc ns | JWT payload |
-> Encoded (Jwt pc ns) |
Compute the encoded JWT value with the JWS Signature in the manner defined for the algorithm.
- typ of the JWT Header is set to the given typ
- alg of the JWT Header is set according to the algorithm used (see toHeaderAlg)
Creates the serialized output, that is:
BASE64URL(UTF8(JWT Header)) || . || BASE64URL(JWT Payload) || . || BASE64URL(JWT Signature)
data Decoded t Source #
Decoded value of type t
getDecoded :: Decoded t -> t Source #
decodeString :: (MonadThrow m, Decode (PrivateClaims pc ns), DecodingKey k) => Algorithm k -> String -> m (Decoded (Jwt pc ns)) Source #
See decodeByteString
decodeByteString Source #
:: forall ns pc m k. (MonadThrow m, Decode (PrivateClaims pc ns), DecodingKey k) | |
=> Algorithm k | algorithm used to verify the signature |
-> ByteString | token |
-> m (Decoded (Jwt pc ns)) |
Parse the base64url-encoded representation to extract the serialized values for the components of the JWT. Verify that:
1. token is a valid UTF-8 encoded representation of a completely valid JSON object,
2. the input JWT signature verifies under the supplied algorithm,
3. the correct algorithm was used,
4. all required fields are present.
If steps 1-2 are unsuccessful, DecodeException will be thrown.
If step 3 fails, AlgorithmMismatch will be thrown.
If the last step fails, MissingClaim will be thrown.
data Validated t Source #
Successfully validated value of type t
getValid :: Validated t -> t Source #
validateJwt Source #
:: MonadTime m | |
=> ValidationSettings | |
-> JwtValidation pc ns | additional validation rules |
-> Decoded (Jwt pc ns) | decoded token |
-> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns))) |
Accept or reject a successfully decoded JWT value. In addition to the default rules mandated by the RFC, the application can add its own rules.
The default rules are:
- check the exp claim to see if the current time is before the expiration time,
- check the nbf claim to see if the current time is after or equal to the not-before time,
- check the aud claim if the application identifies itself with a value in the aud list (if present).
You may allow a little leeway when checking time-based claims.
jwtFromString :: (Decode (PrivateClaims pc ns), MonadTime m, MonadThrow m, DecodingKey k) => ValidationSettings -> JwtValidation pc ns -> Algorithm k -> String -> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns))) Source #
jwtFromByteString Source #
:: (Decode (PrivateClaims pc ns), MonadTime m, MonadThrow m, DecodingKey k) | |
=> ValidationSettings | |
-> JwtValidation pc ns | additional validation rules |
-> Algorithm k | algorithm used to verify the signature |
-> ByteString | base64url-encoded representation (a token) |
-> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns))) |
jwtFromByteString settings v alg = validateJwt settings v <=< decodeByteString alg
In other words, it:
Parses the base64url-encoded representation to extract the serialized values for the components of the JWT. Verifies that:
1. token is a valid UTF-8 encoded representation of a completely valid JSON object,
2. the input JWT signature matches,
3. the correct algorithm was used,
4. all required fields are present.
If steps 1-2 are unsuccessful, DecodeException will be thrown.
If step 3 fails, AlgorithmMismatch will be thrown.
If the last step fails, MissingClaim will be thrown.
Once the token has been successfully decoded, it is validated.
In addition to the default rules mandated by the RFC, the application can add its own rules.
The default rules are:
- check the exp claim to see if the current time is before the expiration time,
- check the nbf claim to see if the current time is after or equal to the not-before time,
- check the aud claim if the application identifies itself with a value in the aud list (if present).
You may allow a little leeway when checking time-based claims.
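As an added illustration, not code from this library or this page, the following Python re-implements the decode-then-validate pipeline that decodeByteString and validateJwt document: the four decode steps with the same three failure classes, then the exp / nbf / aud rules with leeway, collecting every failed rule the way ValidationNEL does. It assumes HS256 as the caller-supplied algorithm and assumes exp is the only required claim; the key and claims in the test are constructed sample values.

```python
import base64, hashlib, hmac, json

class DecodeException(Exception): pass    # steps 1-2 failed
class AlgorithmMismatch(Exception): pass  # step 3 failed
class MissingClaim(Exception): pass       # step 4 failed

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(key: bytes, payload: dict, header_alg: str = "HS256") -> str:
    # BASE64URL(UTF8(header)) || . || BASE64URL(payload) || . || BASE64URL(signature); header_alg is a test hook
    head = b64url(json.dumps({"typ": "JWT", "alg": header_alg}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def decode_hs256(key: bytes, token: str, required=("exp",)) -> dict:
    try:  # step 1: three base64url parts; header and payload are UTF-8 JSON objects
        head64, body64, sig64 = token.split(".")
        header, payload = (json.loads(unb64url(x).decode("utf-8")) for x in (head64, body64))
        if not (isinstance(header, dict) and isinstance(payload, dict)):
            raise ValueError("not a JSON object")
        sig = unb64url(sig64)
    except ValueError as e:  # binascii.Error, JSONDecodeError, UnicodeDecodeError are ValueErrors
        raise DecodeException(str(e)) from e
    # step 2: verify with the algorithm the caller supplied, never the one named in the header
    expected = hmac.new(key, f"{head64}.{body64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise DecodeException("signature does not match")
    if header.get("alg") != "HS256":  # step 3: header must agree with the supplied algorithm
        raise AlgorithmMismatch(str(header.get("alg")))
    for claim in required:  # step 4: required claims (which claims are required is an assumption here)
        if claim not in payload:
            raise MissingClaim(claim)
    return payload

def validate(payload: dict, now: int, leeway: int = 0, app_name=None) -> list:
    failures = []  # every failed rule is collected, like ValidationNEL; [] means Validated
    if "exp" in payload and not now < payload["exp"] + leeway:
        failures.append("exp")
    if "nbf" in payload and not now + leeway >= payload["nbf"]:
        failures.append("nbf")
    aud = payload.get("aud")
    if app_name is not None and aud is not None and app_name not in ([aud] if isinstance(aud, str) else aud):
        failures.append("aud")
    return failures
```

Passing a header_alg other than "HS256" to sign_hs256 produces a token whose signature still verifies in step 2 but whose header disagrees with the supplied algorithm, which is exactly what step 3 rejects.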