
Module sd_jwt

SD-JWT (Selective Disclosure JWT) implementation.

Implements the IETF SD-JWT specification (draft-ietf-oauth-selective-disclosure-jwt) for creating JWTs whose claims can be selectively disclosed by the holder.

Architecture

  • Issuer: Creates an SD-JWT with selectively disclosable claims hashed into the _sd array. Each claim becomes a separate disclosure.
  • Holder: Receives the full SD-JWT and can present a subset of disclosures to a verifier, revealing only the claims they choose.
  • Verifier: Validates the JWT signature and reconstructs disclosed claims by matching disclosure hashes against the _sd array.
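
The digest matching described above, as an added example that is not this crate's code and does not use its API. It is written in Python so that it runs with the standard library alone; the function names and the sample claims are assumptions made for illustration, and the verifier step assumes the JWT signature has already been validated.

```python
import base64, hashlib, json, secrets

CLAIMS = {"sub": "user-42", "email": "user@example.com", "phone": "+1-555-0100"}  # constructed sample

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_disclosure(name, value, salt=None):
    """Issuer: base64url of the JSON array [salt, claim_name, claim_value]."""
    salt = salt or b64url(secrets.token_bytes(16))  # fresh 128-bit salt per claim
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))

def digest(disclosure: str) -> str:
    """SHA-256 over the encoded disclosure string, base64url without padding."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def issue(claims, sd_names):
    """Issuer: move sd_names out of the clear payload and into the _sd digest array."""
    payload = {k: v for k, v in claims.items() if k not in sd_names}
    disclosures = [make_disclosure(k, claims[k]) for k in sd_names]
    payload["_sd"] = sorted(digest(d) for d in disclosures)  # sorted: hides claim order
    payload["_sd_alg"] = "sha-256"
    return payload, disclosures

def reconstruct(payload, presented):
    """Verifier: accept only disclosures whose digest the issuer signed into _sd."""
    allowed = set(payload.get("_sd", []))
    out = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    seen = set()
    for d in presented:
        h = digest(d)
        if h not in allowed:
            raise ValueError("disclosure does not match any digest in _sd")
        if h in seen:
            raise ValueError("duplicate disclosure")
        seen.add(h)
        raw = base64.urlsafe_b64decode(d + "=" * (-len(d) % 4))
        salt, name, value = json.loads(raw)  # wrong array length raises ValueError
        if name in out or name in ("_sd", "..."):
            raise ValueError("disclosed claim name collides with an existing claim")
        out[name] = value
    return out

if __name__ == "__main__":
    payload, (email_d, phone_d) = issue(CLAIMS, ["email", "phone"])
    print(reconstruct(payload, [email_d]))  # holder reveals email only
```

The digest is computed over the encoded disclosure string exactly as presented, so a verifier must not decode and re-encode a disclosure before hashing it.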

Example

use auth_framework::protocols::sd_jwt::{SdJwtIssuer, SdJwtConfig};

let config = SdJwtConfig::default();
let issuer = SdJwtIssuer::new(config);

let mut claims = serde_json::Map::new();
claims.insert("sub".into(), serde_json::json!("user-42"));
claims.insert("email".into(), serde_json::json!("user@example.com"));

// "email" is selectively disclosable; "sub" stays in the clear
let sd_jwt = issuer.issue(
    &claims,
    &["email"],
    "signing-secret-key",
).unwrap();

Structs

Disclosure
A single disclosure: the base64url-encoded [salt, claim_name, claim_value] array.
SdJwt
The issued SD-JWT: a compact JWT, the tilde-separated disclosures, and an optional key-binding JWT.
SdJwtConfig
Configuration for SD-JWT operations.
SdJwtIssuer
SD-JWT issuer: creates SD-JWTs with selectively disclosable claims.
SdJwtVerifier
SD-JWT verifier: validates SD-JWTs and reconstructs disclosed claims.
VerifiedSdJwt
Result of verifying an SD-JWT.

Enums

SdHashAlgorithm
Hash algorithm used for disclosure digests.