Safe Haskell	None
Language	Haskell2010
Extensions	UndecidableInstances ScopedTypeVariables OverloadedStrings StandaloneDeriving DerivingStrategies FlexibleContexts ExplicitForAll

Libjwt.Jwt

Description

JWT representation, signing and decoding.

Synopsis

data Jwt pc ns = Jwt {
- header :: Header
- payload :: Payload pc ns
}
data Encoded t
getToken :: Encoded t -> ByteString
sign :: (Encode (PrivateClaims pc ns), SigningKey k) => Algorithm k -> Payload pc ns -> Encoded (Jwt pc ns)
sign' :: (Encode (PrivateClaims pc ns), SigningKey k) => Typ -> Algorithm k -> Payload pc ns -> Encoded (Jwt pc ns)
data Decoded t
getDecoded :: Decoded t -> t
decodeString :: (MonadThrow m, Decode (PrivateClaims pc ns), DecodingKey k) => Algorithm k -> String -> m (Decoded (Jwt pc ns))
decodeByteString :: forall ns pc m k. (MonadThrow m, Decode (PrivateClaims pc ns), DecodingKey k) => Algorithm k -> ByteString -> m (Decoded (Jwt pc ns))
data Validated t
getValid :: Validated t -> t
validateJwt :: MonadTime m => ValidationSettings -> JwtValidation pc ns -> Decoded (Jwt pc ns) -> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns)))
jwtFromString :: (Decode (PrivateClaims pc ns), MonadTime m, MonadThrow m, DecodingKey k) => ValidationSettings -> JwtValidation pc ns -> Algorithm k -> String -> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns)))
jwtFromByteString :: (Decode (PrivateClaims pc ns), MonadTime m, MonadThrow m, DecodingKey k) => ValidationSettings -> JwtValidation pc ns -> Algorithm k -> ByteString -> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns)))

Documentation

data Jwt pc ns Source #

JSON Web Token representation

Constructors

Jwt
Fields header :: Header payload :: Payload pc ns

Instances

Instances details

Eq (PrivateClaims pc ns) => Eq (Jwt pc ns) Source #
Instance details Defined in Libjwt.Jwt Methods (==) :: Jwt pc ns -> Jwt pc ns -> Bool # (/=) :: Jwt pc ns -> Jwt pc ns -> Bool #
Show (PrivateClaims pc ns) => Show (Jwt pc ns) Source #
Instance details Defined in Libjwt.Jwt Methods showsPrec :: Int -> Jwt pc ns -> ShowS # show :: Jwt pc ns -> String # showList :: [Jwt pc ns] -> ShowS #

data Encoded t Source #

base64url-encoded value of type t

Instances

Instances details

Eq (Encoded t) Source #
Instance details Defined in Libjwt.Jwt Methods (==) :: Encoded t -> Encoded t -> Bool # (/=) :: Encoded t -> Encoded t -> Bool #
Show (Encoded t) Source #
Instance details Defined in Libjwt.Jwt Methods showsPrec :: Int -> Encoded t -> ShowS # show :: Encoded t -> String # showList :: [Encoded t] -> ShowS #

getToken :: Encoded t -> ByteString Source #

octets of the UTF-8 representation

sign Source #

Arguments

:: (Encode (PrivateClaims pc ns), SigningKey k)
=> Algorithm k	algorithm
-> Payload pc ns	JWT payload
-> Encoded (Jwt pc ns)

Compute the encoded JWT value with the JWS Signature in the manner defined for the algorithm. typ of the JWT Header is set to JWT alg of the JWT Header is set according to the algorithm used (see toHeaderAlg)

Creates the serialized ouput, that is: BASE64URL(UTF8(JWT Header)) || . || BASE64URL(JWT Payload) || . || BASE64URL(JWT Signature)

sign' Source #

Arguments

:: (Encode (PrivateClaims pc ns), SigningKey k)
=> Typ	typ
-> Algorithm k	algorithm
-> Payload pc ns	JWT payload
-> Encoded (Jwt pc ns)

Compute the encoded JWT value with the JWS Signature in the manner defined for the algorithm . typ of the JWT Header is set to typ alg of the JWT Header is set according to the algorithm used (see toHeaderAlg)

Creates the serialized ouput, that is: BASE64URL(UTF8(JWT Header)) || . || BASE64URL(JWT Payload) || . || BASE64URL(JWT Signature)

data Decoded t Source #

Decoded value of type t

Instances

Instances details

Eq t => Eq (Decoded t) Source #
Instance details Defined in Libjwt.Jwt Methods (==) :: Decoded t -> Decoded t -> Bool # (/=) :: Decoded t -> Decoded t -> Bool #
Show t => Show (Decoded t) Source #
Instance details Defined in Libjwt.Jwt Methods showsPrec :: Int -> Decoded t -> ShowS # show :: Decoded t -> String # showList :: [Decoded t] -> ShowS #

getDecoded :: Decoded t -> t Source #

decodeString :: (MonadThrow m, Decode (PrivateClaims pc ns), DecodingKey k) => Algorithm k -> String -> m (Decoded (Jwt pc ns)) Source #

See decodeByteString

decodeByteString Source #

Arguments

:: forall ns pc m k. (MonadThrow m, Decode (PrivateClaims pc ns), DecodingKey k)
=> Algorithm k	algorithm used to verify the signature
-> ByteString	token
-> m (Decoded (Jwt pc ns))

Parse the base64url-encoded representation to extract the serialized values for the components of the JWT. Verify that:

token is a valid UTF-8 encoded representation of a completely valid JSON object,
input JWT signature matches the algorithm,
the correct algorithm was used,
all required fields are present.

If steps 1-2 are unuccessful, DecodeException will be thrown. If step 3 fails, AlgorithmMismatch will be thrown. If the last step fails, MissingClaim will be thrown.

data Validated t Source #

Successfully validated value of type t

Instances

Instances details

Eq t => Eq (Validated t) Source #
Instance details Defined in Libjwt.Jwt Methods (==) :: Validated t -> Validated t -> Bool # (/=) :: Validated t -> Validated t -> Bool #
Show t => Show (Validated t) Source #
Instance details Defined in Libjwt.Jwt Methods showsPrec :: Int -> Validated t -> ShowS # show :: Validated t -> String # showList :: [Validated t] -> ShowS #

getValid :: Validated t -> t Source #

validateJwt Source #

Arguments

:: MonadTime m
=> ValidationSettings	`leeway` and `appName`
-> JwtValidation pc ns	additional validation rules
-> Decoded (Jwt pc ns)	decoded token
-> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns)))

Accept or reject successfully decoded JWT value. In addition to the default rules mandated by the RFC, the application can add its own rules.

The default rules are:

check exp claim to see if the current time is before the expiration time,
check nbf claim to see if the current time is after or equal the not-before time,
check aud claim if the application identifies itself with a value in the aud list (if present)

You may allow a little leeway when checking time-based claims.

aud claim is checked against appName.

jwtFromString :: (Decode (PrivateClaims pc ns), MonadTime m, MonadThrow m, DecodingKey k) => ValidationSettings -> JwtValidation pc ns -> Algorithm k -> String -> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns))) Source #

See jwtFromByteString

jwtFromByteString Source #

Arguments

:: (Decode (PrivateClaims pc ns), MonadTime m, MonadThrow m, DecodingKey k)
=> ValidationSettings	`leeway` and `appName`
-> JwtValidation pc ns	additional validation rules
-> Algorithm k	algorithm used to verify the signature
-> ByteString	base64url-encoded representation (a token)
-> m (ValidationNEL ValidationFailure (Validated (Jwt pc ns)))

jwtFromByteString = validateJwt settings v <=< decodeByteString alg

In other words, it:

Parses the base64url-encoded representation to extract the serialized values for the components of the JWT. Verifies that:

token is a valid UTF-8 encoded representation of a completely valid JSON object,
input JWT signature matches,
the correct algorithm was used,
all required fields are present.

If steps 1-2 are unuccessful, DecodeException will be thrown. If step 3 fails, AlgorithmMismatch will be thrown. If the last step fails, MissingClaim will be thrown.

Once the token has been successfully decoded, it is validated.

In addition to the default rules mandated by the RFC, the application can add its own rules.

The default rules are:

check exp claim to see if the current time is before the expiration time,
check nbf claim to see if the current time is after or equal the not-before time,
check aud claim if the application identifies itself with a value in the aud list (if present)

You may allow a little leeway when checking time-based claims.

aud claim is checked against appName.