Skip to content

malinoff/elm-jwt

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

JWT

Parse and verify JSON Web Tokens.

Scope

The general plan is to have a fully RFC compliant, robust and reliable library that can parse, build, and verify JWS and JWE, using all supported algorithms.

This library's current scope is to be used in Auth0 client. But the other use-cases are happily accepted.

Since Auth0 currently only uses JWS with two possible algorithms: HS256 and RS256, no more algorithms will be implemented in the nearest future. In fact, currently the only supported algorithm is HS256 since there is no PKCS1 elm library which is required to verify RSA-based signatures. Same for ECC (ellyptic curve cryptography) based algorithms. PRs are welcome!

Example

import JWT
import Time

token = case JWT.fromString "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjIsIm5hbWUiOiJKb2huIERvZSIsInN1YiI6IjEyMzQ1Njc4OTAifQ.fdOPQ05ZfRhkST2-rIWgUpbqUsVhkkNVNcuG7Ki0s-8" of
    Ok t ->
        t
    Err err ->
        Debug.todo "Handle error" err

verifyOptions =
    { issuer = Nothing
    , subject = Just "1234567890"
    , audience = Nothing
    , jwtID = Nothing
    , leeway = 0
    }
    
now =
    Time.millisToPosix 1558855500000
    
isValid =
    JWT.isValid verifyOptions "your-256-bit-secret" now token

-- Can also verify as a task:
verify =
    JWT.verify verifyOptions "your-256-bit-secret" token

Parsing and verification are intentionally two different steps so you can still parse tokens signed with unsupported algorithms. You just won't be able to verify them using this library, but you can implement your own verifiers.

Why not...

  • Parses only the JWS claims (payload). There is a function to get the header, but it's not used by the library itself.
  • The token's signature is silently ignored.
  • Verification only considers the exp field, although there are other fields worth considering.
  • Requires the user to provide a payload type with encoders and decoders, even if some fields are well-known and can be parsed without user's action.
  • This is a fork of the previous library, removing HTTP support. Same concerns are applied.
  • Requires the user to provide a payload type with encoders and decoders, even if some fields are well-known and can be parsed without user's action.
  • Verifies the signature (which is good!), but using only HMAC-based algorithms.
  • Does not verify the exp and other useful fields.

License

This library is licensed under GNU Public License v3.

Please, consider purchasing a proprietary license if you want to use it in your closed-source project without disclosing the code.

About

Parse and verify JWT in Elm

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages