Parse and verify JSON Web Tokens.
The long-term plan is a fully RFC-compliant, robust and reliable library that can parse, build and verify JWS and JWE tokens with every algorithm the specifications define.
The library's current scope is use in an Auth0 client, but other use cases are welcome.
Since Auth0 currently only issues JWS tokens with two possible algorithms, HS256 and RS256, no further algorithms will be implemented in the near future. In fact, HS256 is currently the only supported algorithm: verifying RS256 signatures requires an RSA PKCS #1 implementation, and no such Elm library exists yet. The same applies to the elliptic-curve (ECC) based algorithms. PRs are welcome!
```elm
import JWT
import Time


-- Step 1: parse. This only splits and decodes the token; nothing is trusted yet.
token =
    case JWT.fromString "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjIsIm5hbWUiOiJKb2huIERvZSIsInN1YiI6IjEyMzQ1Njc4OTAifQ.fdOPQ05ZfRhkST2-rIWgUpbqUsVhkkNVNcuG7Ki0s-8" of
        Ok t ->
            t

        Err err ->
            Debug.todo ("Handle error: " ++ Debug.toString err)


-- Step 2: verify. Fields set to `Just` are checked against the corresponding
-- claim; `leeway` relaxes the time-based check.
verifyOptions =
    { issuer = Nothing
    , subject = Just "1234567890"
    , audience = Nothing
    , jwtID = Nothing
    , leeway = 0
    }


now =
    Time.millisToPosix 1558855500000


isValid =
    JWT.isValid verifyOptions "your-256-bit-secret" now token


-- The same check as a Task (no `now` argument is needed here):
verify =
    JWT.verify verifyOptions "your-256-bit-secret" token
```
Parsing and verification are intentionally two separate steps, so you can still parse tokens signed with algorithms this library does not support. You just won't be able to verify them with this library, but you can implement your own verifier. If you do, pin the algorithm your verifier expects instead of trusting the token header's `alg` field; a verifier that dispatches on the header is open to algorithm-confusion attacks (`alg: none`, or an RSA public key reused as an HMAC secret), and nothing in the parsed claims should be acted on before the signature has been checked.
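To make the two-step split concrete, here is an added example in Python (not part of this library, whose API is Elm; the function names `parse`, `sign_hs256` and `verify`, and the option keys mirroring `verifyOptions`, are this example's own). It parses the README's token without a secret, then verifies constructed HS256 tokens with a pinned algorithm, a constant-time signature check, and the `exp`, `nbf`, `iss`, `sub`, `aud` and `jti` checks the options above describe, including the `alg: none` and edited-payload forgeries a verifier must reject:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    # JWS uses base64url without padding (RFC 7515, section 2); restore it before decoding.
    data = segment.encode("ascii")
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse(token: str):
    """Step 1 (parse): split the compact serialization into header, claims and raw segments.
    Nothing here is trusted yet; the signature has not been checked."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(segments[0]))
    claims = json.loads(b64url_decode(segments[1]))
    return header, claims, segments


def sign_hs256(claims: dict, secret: str) -> str:
    """Mint an HS256 token; only needed so this example can build its inputs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    mac = hmac.new(secret.encode(), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify(options: dict, secret: str, now: int, token: str) -> Optional[str]:
    """Step 2 (verify): None when the token is acceptable, otherwise the first failure.
    `now` is POSIX seconds; `options` mirrors the README's verifyOptions record."""
    header, claims, (h, p, s) = parse(token)

    # Pin the algorithm rather than trusting the header: honouring whatever `alg`
    # says lets an attacker present alg=none or swap in a different key type.
    if header.get("alg") != "HS256":
        return "unexpected alg"

    expected = hmac.new(secret.encode(), f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return "bad signature"

    # Only once the signature holds do the claims mean anything.
    leeway = options.get("leeway", 0)
    if "exp" in claims and now >= claims["exp"] + leeway:
        return "token expired"
    if "nbf" in claims and now < claims["nbf"] - leeway:
        return "token not yet valid"
    for option, claim in (("issuer", "iss"), ("subject", "sub"), ("jwtID", "jti")):
        if options.get(option) is not None and claims.get(claim) != options[option]:
            return f"{claim} mismatch"
    if options.get("audience") is not None:
        aud = claims.get("aud", [])
        audiences = aud if isinstance(aud, list) else [aud]   # RFC 7519: aud may be a string or a list
        if options["audience"] not in audiences:
            return "aud mismatch"
    return None


SECRET = "your-256-bit-secret"  # the README's placeholder secret
NOW = 1558855500                 # the README's `now`, in seconds instead of milliseconds
OPTIONS = {"issuer": None, "subject": "1234567890", "audience": None, "jwtID": None, "leeway": 0}

# Constructed inputs: a fresh token, an expired one, and two forgeries.
GOOD = sign_hs256({"sub": "1234567890", "name": "John Doe", "iat": 1516239022, "exp": NOW + 300}, SECRET)
EXPIRED = sign_hs256({"sub": "1234567890", "exp": NOW - 500}, SECRET)
_h, _p, _s = GOOD.split(".")
TAMPERED = ".".join([_h, b64url_encode(b'{"sub":"admin"}'), _s])             # payload edited, old signature kept
UNSIGNED = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + _p + "."    # the alg=none trick

# The README's token: parsing needs no secret, so its claims can be read without verifying it.
README_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjIsIm5hbWUiOiJKb2huIERvZSIsInN1YiI6IjEyMzQ1Njc4OTAifQ.fdOPQ05ZfRhkST2-rIWgUpbqUsVhkkNVNcuG7Ki0s-8"

if __name__ == "__main__":
    print(parse(README_TOKEN)[1])
    for name, tok in [("good", GOOD), ("expired", EXPIRED), ("tampered", TAMPERED), ("unsigned", UNSIGNED)]:
        print(name, verify(OPTIONS, SECRET, NOW, tok))
```

The check order matters: the algorithm is pinned and the MAC compared before any claim is read, so an edited payload or an unsigned token never reaches the `exp` or `sub` logic, and `leeway` only ever widens the time window, never the signature check.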
- Parses only the JWS claims (payload). There is a function to get the header, but the library itself does not use it.
- The token's signature is silently ignored.
- Verification only considers the `exp` field, although other fields (`nbf`, `iss`, `aud`, ...) are worth checking.
- Requires the user to provide a payload type with encoders and decoders, even though some fields are well-known and could be parsed without any action on the user's part.
- This is a fork of the previous library with HTTP support removed. The same concerns apply.
- Requires the user to provide a payload type with encoders and decoders, even if some fields are well-known and can be parsed without user's action.
- Verifies the signature (which is good!), but only with HMAC-based algorithms.
- Does not verify `exp` or the other useful fields.
This library is licensed under the GNU General Public License v3.
Please consider purchasing a proprietary license if you want to use it in a closed-source project without disclosing your code.