pub struct RegisteredClaims {
pub iss: Option<String>,
pub sub: Option<String>,
pub aud: Option<String>,
pub exp: Option<u64>,
pub nbf: Option<u64>,
pub iat: Option<u64>,
pub cti: Option<Vec<u8>>,
}Expand description
Standard registered claims as defined in RFC 8392.
These claims are standardized and have well-defined meanings:
- iss (Issuer): Identifies the principal that issued the token.
- sub (Subject): Identifies the principal that is the subject of the token.
- aud (Audience): Identifies the recipients that the token is intended for.
- exp (Expiration Time): Identifies the expiration time on or after which the token MUST NOT be accepted.
- nbf (Not Before): Identifies the time before which the token MUST NOT be accepted.
- iat (Issued At): Identifies the time at which the token was issued.
- cti (CWT ID): Provides a unique identifier for the token.
§Example
use common_access_token::RegisteredClaims;
use common_access_token::current_timestamp;
let now = current_timestamp();
let claims = RegisteredClaims::new()
.with_issuer("example-issuer")
.with_subject("user-123")
.with_audience("example-service")
.with_expiration(now + 3600) // 1 hour from now
.with_not_before(now)
.with_issued_at(now);
assert_eq!(claims.iss, Some("example-issuer".to_string()));
assert_eq!(claims.sub, Some("user-123".to_string()));
assert_eq!(claims.exp.unwrap(), now + 3600);Fields§
§iss: Option<String>Issuer - identifies the principal that issued the token
sub: Option<String>Subject - identifies the principal that is the subject of the token
aud: Option<String>Audience - identifies the recipients that the token is intended for
exp: Option<u64>Expiration time (seconds since Unix epoch) - token must not be accepted after this time
nbf: Option<u64>Not before (seconds since Unix epoch) - token must not be accepted before this time
iat: Option<u64>Issued at (seconds since Unix epoch) - when the token was issued
cti: Option<Vec<u8>>CWT ID - unique identifier for the token
Implementations§
Source§impl RegisteredClaims
impl RegisteredClaims
Sourcepub fn new() -> Self
pub fn new() -> Self
Creates a new empty set of registered claims.
§Example
use common_access_token::RegisteredClaims;
let claims = RegisteredClaims::new();
assert!(claims.iss.is_none());
assert!(claims.sub.is_none());
assert!(claims.exp.is_none());Examples found in repository?
examples/basic_usage.rs (line 49)
41fn create_token_with_string_kid(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a token with string key ID
45 TokenBuilder::new()
46 .algorithm(Algorithm::HmacSha256)
47 .protected_key_id(KeyId::string("string-key-example"))
48 .registered_claims(
49 RegisteredClaims::new()
50 .with_issuer("example-issuer")
51 .with_subject("example-subject")
52 .with_audience("example-audience")
53 .with_expiration(now + 3600) // 1 hour from now
54 .with_not_before(now)
55 .with_issued_at(now)
56 .with_cti(b"token-id-1234".to_vec()),
57 )
58 .custom_string(100, "custom-string-value")
59 .custom_binary(101, b"custom-binary-value".to_vec())
60 .custom_int(102, 12345)
61 .sign(key)
62 .expect("Failed to sign token")
63}
64
65/// Create a token with a binary key ID
66fn create_token_with_binary_kid(key: &[u8]) -> common_access_token::Token {
67 let now = current_timestamp();
68 let binary_kid = vec![0x01, 0x02, 0x03, 0x04, 0x05];
69
70 // Create a token with binary key ID
71 TokenBuilder::new()
72 .algorithm(Algorithm::HmacSha256)
73 .protected_key_id(KeyId::binary(binary_kid))
74 .registered_claims(
75 RegisteredClaims::new()
76 .with_issuer("example-issuer")
77 .with_subject("example-subject")
78 .with_audience("example-audience")
79 .with_expiration(now + 3600) // 1 hour from now
80 .with_not_before(now)
81 .with_issued_at(now),
82 )
83 .sign(key)
84 .expect("Failed to sign token")
85}
86
87/// Create a token with a nested map claim
88fn create_token_with_nested_map(key: &[u8]) -> common_access_token::Token {
89 let now = current_timestamp();
90
91 // Create a nested map for the token
92 let mut nested_map = BTreeMap::new();
93 nested_map.insert(1, CborValue::Text("nested-text-value".to_string()));
94 nested_map.insert(2, CborValue::Integer(42));
95 nested_map.insert(3, CborValue::Bytes(vec![1, 2, 3, 4, 5]));
96
97 // Create a second level nested map
98 let mut second_level_map = BTreeMap::new();
99 second_level_map.insert(1, CborValue::Text("second-level-text".to_string()));
100 second_level_map.insert(2, CborValue::Integer(99));
101
102 // Add the second level map to the first level
103 nested_map.insert(4, CborValue::Map(second_level_map));
104
105 // Create a token with a nested map claim
106 TokenBuilder::new()
107 .algorithm(Algorithm::HmacSha256)
108 .protected_key_id(KeyId::string("nested-map-example"))
109 .registered_claims(
110 RegisteredClaims::new()
111 .with_issuer("example-issuer")
112 .with_subject("example-subject")
113 .with_audience("example-audience")
114 .with_expiration(now + 3600) // 1 hour from now
115 .with_not_before(now)
116 .with_issued_at(now),
117 )
118 .custom_map(200, nested_map)
119 .sign(key)
120 .expect("Failed to sign token")
121}More examples
examples/cat_specific_claims.rs (line 70)
41fn create_token_with_cat_claims(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a CATU claim (Common Access Token URI)
45 let mut catu_components = BTreeMap::new();
46
47 // Restrict to https scheme
48 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
49
50 // Restrict to example.com host
51 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
52
53 // Restrict to paths starting with /content
54 catu_components.insert(uri_components::PATH, catu::prefix_match("/content"));
55
56 // Restrict to .m3u8 files
57 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".m3u8"));
58
59 // Create a CATM claim (Common Access Token Methods)
60 let allowed_methods = vec!["GET", "HEAD"];
61
62 // Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some((now + 3000) as i64));
64
65 // Build the token with CAT-specific claims
66 TokenBuilder::new()
67 .algorithm(Algorithm::HmacSha256)
68 .protected_key_id(KeyId::string("example-key-id"))
69 .registered_claims(
70 RegisteredClaims::new()
71 .with_issuer("example-issuer")
72 .with_subject("example-subject")
73 .with_audience("example-audience")
74 .with_expiration(now + 3600) // 1 hour from now
75 .with_not_before(now)
76 .with_issued_at(now)
77 .with_cti(b"token-id-1234".to_vec()),
78 )
79 // Add CAT-specific claims
80 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
81 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
82 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
83 .custom_int(cat_keys::CATV, 1) // Version 1
84 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
85 .sign(key)
86 .expect("Failed to sign token")
87}examples/cat_validation.rs (line 74)
38fn create_token_with_cat_claims(key: &[u8], now: i64) -> common_access_token::Token {
39 println!("Creating token with CAT-specific claims...");
40
41 // 1. Create a CATU claim (Common Access Token URI)
42 let mut catu_components = BTreeMap::new();
43
44 // Restrict to https scheme
45 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
46
47 // Restrict to example.com host
48 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
49
50 // Restrict to paths starting with /api
51 catu_components.insert(uri_components::PATH, catu::prefix_match("/api"));
52
53 // Restrict to .json extension
54 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".json"));
55
56 println!(" Added CATU claim with URI restrictions");
57
58 // 2. Create a CATM claim (Common Access Token Methods)
59 let allowed_methods = vec!["GET", "HEAD", "OPTIONS"];
60 println!(" Added CATM claim allowing methods: {:?}", allowed_methods);
61
62 // 3. Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some(now + 3000));
64 println!(" Added CATR claim with automatic renewal");
65
66 // 4. Create a CATREPLAY claim (prohibit token replay)
67 println!(" Added CATREPLAY claim prohibiting token replay");
68
69 // Build the token with all CAT-specific claims
70 TokenBuilder::new()
71 .algorithm(Algorithm::HmacSha256)
72 .protected_key_id(KeyId::string("example-key-id"))
73 .registered_claims(
74 RegisteredClaims::new()
75 .with_issuer("example-issuer")
76 .with_subject("example-subject")
77 .with_audience("example-audience")
78 .with_expiration(now as u64 + 3600) // 1 hour from now
79 .with_not_before(now as u64)
80 .with_issued_at(now as u64)
81 .with_cti(b"token-id-1234".to_vec()),
82 )
83 // Add CAT-specific claims
84 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
85 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
86 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
87 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
88 .sign(key)
89 .expect("Failed to sign token")
90}examples/extended_cat_claims.rs (line 32)
20fn main() {
21 let key = b"my-secret-key-for-hmac-sha256";
22 let now = current_timestamp();
23
24 println!("=== Extended CAT Claims Example ===\n");
25
26 // Example 1: Token with probability of rejection (CATPOR)
27 println!("1. Creating token with CATPOR (25% rejection probability)");
28 let token_with_catpor = TokenBuilder::new()
29 .algorithm(Algorithm::HmacSha256)
30 .protected_key_id(KeyId::string("key-1"))
31 .registered_claims(
32 RegisteredClaims::new()
33 .with_issuer("example-issuer")
34 .with_expiration(now + 3600),
35 )
36 .custom_cbor(cat_keys::CATPOR, catpor::create(25))
37 .sign(key)
38 .expect("Failed to sign token");
39
40 println!(" ✓ Token created with CATPOR: 25% rejection probability\n");
41
42 // Example 2: Token with network IP restrictions (CATNIP)
43 println!("2. Creating token with CATNIP (IP restrictions)");
44 let token_with_catnip = TokenBuilder::new()
45 .algorithm(Algorithm::HmacSha256)
46 .protected_key_id(KeyId::string("key-2"))
47 .registered_claims(
48 RegisteredClaims::new()
49 .with_issuer("example-issuer")
50 .with_expiration(now + 3600),
51 )
52 .custom_array(
53 cat_keys::CATNIP,
54 catnip::create(vec!["192.168.1.0/24", "10.0.0.0/8"]),
55 )
56 .sign(key)
57 .expect("Failed to sign token");
58
59 println!(" ✓ Token created with CATNIP: 192.168.1.0/24, 10.0.0.0/8\n");
60
61 // Example 3: Token with ALPN restrictions (CATALPN)
62 println!("3. Creating token with CATALPN (HTTP/2 only)");
63 let token_with_catalpn = TokenBuilder::new()
64 .algorithm(Algorithm::HmacSha256)
65 .protected_key_id(KeyId::string("key-3"))
66 .registered_claims(
67 RegisteredClaims::new()
68 .with_issuer("example-issuer")
69 .with_expiration(now + 3600),
70 )
71 .custom_array(cat_keys::CATALPN, catalpn::http2_only())
72 .sign(key)
73 .expect("Failed to sign token");
74
75 println!(" ✓ Token created with CATALPN: h2 only\n");
76
77 // Example 4: Token with HTTP header requirements (CATH)
78 println!("4. Creating token with CATH (custom headers)");
79 let mut headers = BTreeMap::new();
80 headers.insert("X-API-Key", "secret-api-key");
81 headers.insert("X-Client-Version", "1.0");
82
83 let token_with_cath = TokenBuilder::new()
84 .algorithm(Algorithm::HmacSha256)
85 .protected_key_id(KeyId::string("key-4"))
86 .registered_claims(
87 RegisteredClaims::new()
88 .with_issuer("example-issuer")
89 .with_expiration(now + 3600),
90 )
91 .custom_cbor(cat_keys::CATH, cath::create(headers))
92 .sign(key)
93 .expect("Failed to sign token");
94
95 println!(" ✓ Token created with CATH: X-API-Key, X-Client-Version\n");
96
97 // Example 5: Token with geographic restrictions (CATGEO*)
98 println!("5. Creating token with geographic restrictions");
99 let token_with_geo = TokenBuilder::new()
100 .algorithm(Algorithm::HmacSha256)
101 .protected_key_id(KeyId::string("key-5"))
102 .registered_claims(
103 RegisteredClaims::new()
104 .with_issuer("example-issuer")
105 .with_expiration(now + 3600),
106 )
107 // Country restriction
108 .custom_array(cat_keys::CATGEOISO3166, catgeoiso3166::create(vec!["US"]))
109 // Coordinate restriction (New York City with 5km radius)
110 .custom_cbor(
111 cat_keys::CATGEOCOORD,
112 catgeocoord::with_radius(40.7128, -74.0060, 5000),
113 )
114 // Altitude restriction (0-1000 meters)
115 .custom_cbor(cat_keys::CATGEOALT, catgeoalt::range(0, 1000))
116 .sign(key)
117 .expect("Failed to sign token");
118
119 println!(" ✓ Token created with CATGEOISO3166: US");
120 println!(" ✓ Token created with CATGEOCOORD: NYC (40.7128, -74.0060) ±5km");
121 println!(" ✓ Token created with CATGEOALT: 0-1000m\n");
122
123 // Example 6: Token with TLS public key pinning (CATTPK)
124 println!("6. Creating token with CATTPK (TLS key pinning)");
125 // In a real scenario, this would be the SHA-256 hash of a certificate's public key
126 let public_key_hash = vec![
127 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd,
128 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab,
129 0xcd, 0xef,
130 ];
131
132 let token_with_cattpk = TokenBuilder::new()
133 .algorithm(Algorithm::HmacSha256)
134 .protected_key_id(KeyId::string("key-6"))
135 .registered_claims(
136 RegisteredClaims::new()
137 .with_issuer("example-issuer")
138 .with_expiration(now + 3600),
139 )
140 .custom_cbor(cat_keys::CATTPK, cattpk::create(public_key_hash.clone()))
141 .sign(key)
142 .expect("Failed to sign token");
143
144 println!(" ✓ Token created with CATTPK: public key hash (32 bytes)\n");
145
146 // Example 7: Token with DPoP settings (CATDPOP)
147 println!("7. Creating token with CATDPOP (DPoP required)");
148 let token_with_catdpop = TokenBuilder::new()
149 .algorithm(Algorithm::HmacSha256)
150 .protected_key_id(KeyId::string("key-7"))
151 .registered_claims(
152 RegisteredClaims::new()
153 .with_issuer("example-issuer")
154 .with_expiration(now + 3600),
155 )
156 .custom_cbor(cat_keys::CATDPOP, catdpop::required())
157 .sign(key)
158 .expect("Failed to sign token");
159
160 println!(" ✓ Token created with CATDPOP: DPoP required\n");
161
162 // Example 8: Token with conditional logic (CATIF/CATIFDATA)
163 println!("8. Creating token with CATIF and CATIFDATA");
164 let mut condition = BTreeMap::new();
165 condition.insert(0, common_access_token::CborValue::Text("role".to_string()));
166 condition.insert(
167 1,
168 common_access_token::CborValue::Text("equals".to_string()),
169 );
170 condition.insert(2, common_access_token::CborValue::Text("admin".to_string()));
171
172 let mut if_data = BTreeMap::new();
173 if_data.insert(0, common_access_token::CborValue::Text("role".to_string()));
174 if_data.insert(1, common_access_token::CborValue::Text("admin".to_string()));
175
176 let token_with_catif = TokenBuilder::new()
177 .algorithm(Algorithm::HmacSha256)
178 .protected_key_id(KeyId::string("key-8"))
179 .registered_claims(
180 RegisteredClaims::new()
181 .with_issuer("example-issuer")
182 .with_expiration(now + 3600),
183 )
184 .custom_cbor(cat_keys::CATIF, catif::create(condition))
185 .custom_cbor(cat_keys::CATIFDATA, catifdata::create(if_data))
186 .sign(key)
187 .expect("Failed to sign token");
188
189 println!(" ✓ Token created with CATIF: conditional logic");
190 println!(" ✓ Token created with CATIFDATA: role=admin\n");
191
192 // Example 9: Comprehensive token with multiple CAT claims
193 println!("9. Creating comprehensive token with multiple CAT claims");
194 let comprehensive_token = TokenBuilder::new()
195 .algorithm(Algorithm::HmacSha256)
196 .protected_key_id(KeyId::string("comprehensive-key"))
197 .registered_claims(
198 RegisteredClaims::new()
199 .with_issuer("secure-service")
200 .with_subject("user-12345")
201 .with_audience("api.example.com")
202 .with_expiration(now + 7200),
203 )
204 .custom_cbor(cat_keys::CATV, catv::with_version(1))
205 .custom_cbor(cat_keys::CATPOR, catpor::create(10))
206 .custom_array(cat_keys::CATNIP, catnip::single("203.0.113.0/24"))
207 .custom_array(cat_keys::CATALPN, catalpn::create(vec!["h2", "http/1.1"]))
208 .custom_array(cat_keys::CATGEOISO3166, catgeoiso3166::create(vec!["US"]))
209 .sign(key)
210 .expect("Failed to sign token");
211
212 println!(" ✓ Comprehensive token created with:");
213 println!(" - CATV: version 1");
214 println!(" - CATPOR: 10% rejection probability");
215 println!(" - CATNIP: 203.0.113.0/24");
216 println!(" - CATALPN: h2, http/1.1");
217 println!(" - CATGEOISO3166: US");
218
219 // Verify all tokens can be encoded
220 println!("\n=== Verification ===");
221 let tokens = vec![
222 ("CATPOR", &token_with_catpor),
223 ("CATNIP", &token_with_catnip),
224 ("CATALPN", &token_with_catalpn),
225 ("CATH", &token_with_cath),
226 ("CATGEO*", &token_with_geo),
227 ("CATTPK", &token_with_cattpk),
228 ("CATDPOP", &token_with_catdpop),
229 ("CATIF", &token_with_catif),
230 ("Comprehensive", &comprehensive_token),
231 ];
232
233 for (name, token) in tokens {
234 let token_bytes = token.to_bytes().expect("Failed to encode token");
235 println!("✓ {} token encoded ({} bytes)", name, token_bytes.len());
236 }
237
238 println!("\n=== All Extended CAT Claims Examples Completed Successfully ===");
239}Sourcepub fn with_issuer<S: Into<String>>(self, iss: S) -> Self
pub fn with_issuer<S: Into<String>>(self, iss: S) -> Self
Sets the issuer claim.
The issuer claim identifies the principal that issued the token.
§Example
use common_access_token::RegisteredClaims;
let claims = RegisteredClaims::new().with_issuer("https://auth.example.com");
assert_eq!(claims.iss, Some("https://auth.example.com".to_string()));Examples found in repository?
examples/basic_usage.rs (line 50)
41fn create_token_with_string_kid(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a token with string key ID
45 TokenBuilder::new()
46 .algorithm(Algorithm::HmacSha256)
47 .protected_key_id(KeyId::string("string-key-example"))
48 .registered_claims(
49 RegisteredClaims::new()
50 .with_issuer("example-issuer")
51 .with_subject("example-subject")
52 .with_audience("example-audience")
53 .with_expiration(now + 3600) // 1 hour from now
54 .with_not_before(now)
55 .with_issued_at(now)
56 .with_cti(b"token-id-1234".to_vec()),
57 )
58 .custom_string(100, "custom-string-value")
59 .custom_binary(101, b"custom-binary-value".to_vec())
60 .custom_int(102, 12345)
61 .sign(key)
62 .expect("Failed to sign token")
63}
64
65/// Create a token with a binary key ID
66fn create_token_with_binary_kid(key: &[u8]) -> common_access_token::Token {
67 let now = current_timestamp();
68 let binary_kid = vec![0x01, 0x02, 0x03, 0x04, 0x05];
69
70 // Create a token with binary key ID
71 TokenBuilder::new()
72 .algorithm(Algorithm::HmacSha256)
73 .protected_key_id(KeyId::binary(binary_kid))
74 .registered_claims(
75 RegisteredClaims::new()
76 .with_issuer("example-issuer")
77 .with_subject("example-subject")
78 .with_audience("example-audience")
79 .with_expiration(now + 3600) // 1 hour from now
80 .with_not_before(now)
81 .with_issued_at(now),
82 )
83 .sign(key)
84 .expect("Failed to sign token")
85}
86
87/// Create a token with a nested map claim
88fn create_token_with_nested_map(key: &[u8]) -> common_access_token::Token {
89 let now = current_timestamp();
90
91 // Create a nested map for the token
92 let mut nested_map = BTreeMap::new();
93 nested_map.insert(1, CborValue::Text("nested-text-value".to_string()));
94 nested_map.insert(2, CborValue::Integer(42));
95 nested_map.insert(3, CborValue::Bytes(vec![1, 2, 3, 4, 5]));
96
97 // Create a second level nested map
98 let mut second_level_map = BTreeMap::new();
99 second_level_map.insert(1, CborValue::Text("second-level-text".to_string()));
100 second_level_map.insert(2, CborValue::Integer(99));
101
102 // Add the second level map to the first level
103 nested_map.insert(4, CborValue::Map(second_level_map));
104
105 // Create a token with a nested map claim
106 TokenBuilder::new()
107 .algorithm(Algorithm::HmacSha256)
108 .protected_key_id(KeyId::string("nested-map-example"))
109 .registered_claims(
110 RegisteredClaims::new()
111 .with_issuer("example-issuer")
112 .with_subject("example-subject")
113 .with_audience("example-audience")
114 .with_expiration(now + 3600) // 1 hour from now
115 .with_not_before(now)
116 .with_issued_at(now),
117 )
118 .custom_map(200, nested_map)
119 .sign(key)
120 .expect("Failed to sign token")
121}More examples
examples/cat_specific_claims.rs (line 71)
41fn create_token_with_cat_claims(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a CATU claim (Common Access Token URI)
45 let mut catu_components = BTreeMap::new();
46
47 // Restrict to https scheme
48 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
49
50 // Restrict to example.com host
51 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
52
53 // Restrict to paths starting with /content
54 catu_components.insert(uri_components::PATH, catu::prefix_match("/content"));
55
56 // Restrict to .m3u8 files
57 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".m3u8"));
58
59 // Create a CATM claim (Common Access Token Methods)
60 let allowed_methods = vec!["GET", "HEAD"];
61
62 // Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some((now + 3000) as i64));
64
65 // Build the token with CAT-specific claims
66 TokenBuilder::new()
67 .algorithm(Algorithm::HmacSha256)
68 .protected_key_id(KeyId::string("example-key-id"))
69 .registered_claims(
70 RegisteredClaims::new()
71 .with_issuer("example-issuer")
72 .with_subject("example-subject")
73 .with_audience("example-audience")
74 .with_expiration(now + 3600) // 1 hour from now
75 .with_not_before(now)
76 .with_issued_at(now)
77 .with_cti(b"token-id-1234".to_vec()),
78 )
79 // Add CAT-specific claims
80 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
81 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
82 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
83 .custom_int(cat_keys::CATV, 1) // Version 1
84 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
85 .sign(key)
86 .expect("Failed to sign token")
87}examples/cat_validation.rs (line 75)
38fn create_token_with_cat_claims(key: &[u8], now: i64) -> common_access_token::Token {
39 println!("Creating token with CAT-specific claims...");
40
41 // 1. Create a CATU claim (Common Access Token URI)
42 let mut catu_components = BTreeMap::new();
43
44 // Restrict to https scheme
45 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
46
47 // Restrict to example.com host
48 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
49
50 // Restrict to paths starting with /api
51 catu_components.insert(uri_components::PATH, catu::prefix_match("/api"));
52
53 // Restrict to .json extension
54 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".json"));
55
56 println!(" Added CATU claim with URI restrictions");
57
58 // 2. Create a CATM claim (Common Access Token Methods)
59 let allowed_methods = vec!["GET", "HEAD", "OPTIONS"];
60 println!(" Added CATM claim allowing methods: {:?}", allowed_methods);
61
62 // 3. Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some(now + 3000));
64 println!(" Added CATR claim with automatic renewal");
65
66 // 4. Create a CATREPLAY claim (prohibit token replay)
67 println!(" Added CATREPLAY claim prohibiting token replay");
68
69 // Build the token with all CAT-specific claims
70 TokenBuilder::new()
71 .algorithm(Algorithm::HmacSha256)
72 .protected_key_id(KeyId::string("example-key-id"))
73 .registered_claims(
74 RegisteredClaims::new()
75 .with_issuer("example-issuer")
76 .with_subject("example-subject")
77 .with_audience("example-audience")
78 .with_expiration(now as u64 + 3600) // 1 hour from now
79 .with_not_before(now as u64)
80 .with_issued_at(now as u64)
81 .with_cti(b"token-id-1234".to_vec()),
82 )
83 // Add CAT-specific claims
84 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
85 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
86 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
87 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
88 .sign(key)
89 .expect("Failed to sign token")
90}examples/extended_cat_claims.rs (line 33)
20fn main() {
21 let key = b"my-secret-key-for-hmac-sha256";
22 let now = current_timestamp();
23
24 println!("=== Extended CAT Claims Example ===\n");
25
26 // Example 1: Token with probability of rejection (CATPOR)
27 println!("1. Creating token with CATPOR (25% rejection probability)");
28 let token_with_catpor = TokenBuilder::new()
29 .algorithm(Algorithm::HmacSha256)
30 .protected_key_id(KeyId::string("key-1"))
31 .registered_claims(
32 RegisteredClaims::new()
33 .with_issuer("example-issuer")
34 .with_expiration(now + 3600),
35 )
36 .custom_cbor(cat_keys::CATPOR, catpor::create(25))
37 .sign(key)
38 .expect("Failed to sign token");
39
40 println!(" ✓ Token created with CATPOR: 25% rejection probability\n");
41
42 // Example 2: Token with network IP restrictions (CATNIP)
43 println!("2. Creating token with CATNIP (IP restrictions)");
44 let token_with_catnip = TokenBuilder::new()
45 .algorithm(Algorithm::HmacSha256)
46 .protected_key_id(KeyId::string("key-2"))
47 .registered_claims(
48 RegisteredClaims::new()
49 .with_issuer("example-issuer")
50 .with_expiration(now + 3600),
51 )
52 .custom_array(
53 cat_keys::CATNIP,
54 catnip::create(vec!["192.168.1.0/24", "10.0.0.0/8"]),
55 )
56 .sign(key)
57 .expect("Failed to sign token");
58
59 println!(" ✓ Token created with CATNIP: 192.168.1.0/24, 10.0.0.0/8\n");
60
61 // Example 3: Token with ALPN restrictions (CATALPN)
62 println!("3. Creating token with CATALPN (HTTP/2 only)");
63 let token_with_catalpn = TokenBuilder::new()
64 .algorithm(Algorithm::HmacSha256)
65 .protected_key_id(KeyId::string("key-3"))
66 .registered_claims(
67 RegisteredClaims::new()
68 .with_issuer("example-issuer")
69 .with_expiration(now + 3600),
70 )
71 .custom_array(cat_keys::CATALPN, catalpn::http2_only())
72 .sign(key)
73 .expect("Failed to sign token");
74
75 println!(" ✓ Token created with CATALPN: h2 only\n");
76
77 // Example 4: Token with HTTP header requirements (CATH)
78 println!("4. Creating token with CATH (custom headers)");
79 let mut headers = BTreeMap::new();
80 headers.insert("X-API-Key", "secret-api-key");
81 headers.insert("X-Client-Version", "1.0");
82
83 let token_with_cath = TokenBuilder::new()
84 .algorithm(Algorithm::HmacSha256)
85 .protected_key_id(KeyId::string("key-4"))
86 .registered_claims(
87 RegisteredClaims::new()
88 .with_issuer("example-issuer")
89 .with_expiration(now + 3600),
90 )
91 .custom_cbor(cat_keys::CATH, cath::create(headers))
92 .sign(key)
93 .expect("Failed to sign token");
94
95 println!(" ✓ Token created with CATH: X-API-Key, X-Client-Version\n");
96
97 // Example 5: Token with geographic restrictions (CATGEO*)
98 println!("5. Creating token with geographic restrictions");
99 let token_with_geo = TokenBuilder::new()
100 .algorithm(Algorithm::HmacSha256)
101 .protected_key_id(KeyId::string("key-5"))
102 .registered_claims(
103 RegisteredClaims::new()
104 .with_issuer("example-issuer")
105 .with_expiration(now + 3600),
106 )
107 // Country restriction
108 .custom_array(cat_keys::CATGEOISO3166, catgeoiso3166::create(vec!["US"]))
109 // Coordinate restriction (New York City with 5km radius)
110 .custom_cbor(
111 cat_keys::CATGEOCOORD,
112 catgeocoord::with_radius(40.7128, -74.0060, 5000),
113 )
114 // Altitude restriction (0-1000 meters)
115 .custom_cbor(cat_keys::CATGEOALT, catgeoalt::range(0, 1000))
116 .sign(key)
117 .expect("Failed to sign token");
118
119 println!(" ✓ Token created with CATGEOISO3166: US");
120 println!(" ✓ Token created with CATGEOCOORD: NYC (40.7128, -74.0060) ±5km");
121 println!(" ✓ Token created with CATGEOALT: 0-1000m\n");
122
123 // Example 6: Token with TLS public key pinning (CATTPK)
124 println!("6. Creating token with CATTPK (TLS key pinning)");
125 // In a real scenario, this would be the SHA-256 hash of a certificate's public key
126 let public_key_hash = vec![
127 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd,
128 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab,
129 0xcd, 0xef,
130 ];
131
132 let token_with_cattpk = TokenBuilder::new()
133 .algorithm(Algorithm::HmacSha256)
134 .protected_key_id(KeyId::string("key-6"))
135 .registered_claims(
136 RegisteredClaims::new()
137 .with_issuer("example-issuer")
138 .with_expiration(now + 3600),
139 )
140 .custom_cbor(cat_keys::CATTPK, cattpk::create(public_key_hash.clone()))
141 .sign(key)
142 .expect("Failed to sign token");
143
144 println!(" ✓ Token created with CATTPK: public key hash (32 bytes)\n");
145
146 // Example 7: Token with DPoP settings (CATDPOP)
147 println!("7. Creating token with CATDPOP (DPoP required)");
148 let token_with_catdpop = TokenBuilder::new()
149 .algorithm(Algorithm::HmacSha256)
150 .protected_key_id(KeyId::string("key-7"))
151 .registered_claims(
152 RegisteredClaims::new()
153 .with_issuer("example-issuer")
154 .with_expiration(now + 3600),
155 )
156 .custom_cbor(cat_keys::CATDPOP, catdpop::required())
157 .sign(key)
158 .expect("Failed to sign token");
159
160 println!(" ✓ Token created with CATDPOP: DPoP required\n");
161
162 // Example 8: Token with conditional logic (CATIF/CATIFDATA)
163 println!("8. Creating token with CATIF and CATIFDATA");
164 let mut condition = BTreeMap::new();
165 condition.insert(0, common_access_token::CborValue::Text("role".to_string()));
166 condition.insert(
167 1,
168 common_access_token::CborValue::Text("equals".to_string()),
169 );
170 condition.insert(2, common_access_token::CborValue::Text("admin".to_string()));
171
172 let mut if_data = BTreeMap::new();
173 if_data.insert(0, common_access_token::CborValue::Text("role".to_string()));
174 if_data.insert(1, common_access_token::CborValue::Text("admin".to_string()));
175
176 let token_with_catif = TokenBuilder::new()
177 .algorithm(Algorithm::HmacSha256)
178 .protected_key_id(KeyId::string("key-8"))
179 .registered_claims(
180 RegisteredClaims::new()
181 .with_issuer("example-issuer")
182 .with_expiration(now + 3600),
183 )
184 .custom_cbor(cat_keys::CATIF, catif::create(condition))
185 .custom_cbor(cat_keys::CATIFDATA, catifdata::create(if_data))
186 .sign(key)
187 .expect("Failed to sign token");
188
189 println!(" ✓ Token created with CATIF: conditional logic");
190 println!(" ✓ Token created with CATIFDATA: role=admin\n");
191
192 // Example 9: Comprehensive token with multiple CAT claims
193 println!("9. Creating comprehensive token with multiple CAT claims");
194 let comprehensive_token = TokenBuilder::new()
195 .algorithm(Algorithm::HmacSha256)
196 .protected_key_id(KeyId::string("comprehensive-key"))
197 .registered_claims(
198 RegisteredClaims::new()
199 .with_issuer("secure-service")
200 .with_subject("user-12345")
201 .with_audience("api.example.com")
202 .with_expiration(now + 7200),
203 )
204 .custom_cbor(cat_keys::CATV, catv::with_version(1))
205 .custom_cbor(cat_keys::CATPOR, catpor::create(10))
206 .custom_array(cat_keys::CATNIP, catnip::single("203.0.113.0/24"))
207 .custom_array(cat_keys::CATALPN, catalpn::create(vec!["h2", "http/1.1"]))
208 .custom_array(cat_keys::CATGEOISO3166, catgeoiso3166::create(vec!["US"]))
209 .sign(key)
210 .expect("Failed to sign token");
211
212 println!(" ✓ Comprehensive token created with:");
213 println!(" - CATV: version 1");
214 println!(" - CATPOR: 10% rejection probability");
215 println!(" - CATNIP: 203.0.113.0/24");
216 println!(" - CATALPN: h2, http/1.1");
217 println!(" - CATGEOISO3166: US");
218
219 // Verify all tokens can be encoded
220 println!("\n=== Verification ===");
221 let tokens = vec![
222 ("CATPOR", &token_with_catpor),
223 ("CATNIP", &token_with_catnip),
224 ("CATALPN", &token_with_catalpn),
225 ("CATH", &token_with_cath),
226 ("CATGEO*", &token_with_geo),
227 ("CATTPK", &token_with_cattpk),
228 ("CATDPOP", &token_with_catdpop),
229 ("CATIF", &token_with_catif),
230 ("Comprehensive", &comprehensive_token),
231 ];
232
233 for (name, token) in tokens {
234 let token_bytes = token.to_bytes().expect("Failed to encode token");
235 println!("✓ {} token encoded ({} bytes)", name, token_bytes.len());
236 }
237
238 println!("\n=== All Extended CAT Claims Examples Completed Successfully ===");
239}Sourcepub fn with_subject<S: Into<String>>(self, sub: S) -> Self
pub fn with_subject<S: Into<String>>(self, sub: S) -> Self
Sets the subject claim.
The subject claim identifies the principal that is the subject of the token.
§Example
use common_access_token::RegisteredClaims;
let claims = RegisteredClaims::new().with_subject("user-123");
assert_eq!(claims.sub, Some("user-123".to_string()));Examples found in repository?
examples/basic_usage.rs (line 51)
41fn create_token_with_string_kid(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a token with string key ID
45 TokenBuilder::new()
46 .algorithm(Algorithm::HmacSha256)
47 .protected_key_id(KeyId::string("string-key-example"))
48 .registered_claims(
49 RegisteredClaims::new()
50 .with_issuer("example-issuer")
51 .with_subject("example-subject")
52 .with_audience("example-audience")
53 .with_expiration(now + 3600) // 1 hour from now
54 .with_not_before(now)
55 .with_issued_at(now)
56 .with_cti(b"token-id-1234".to_vec()),
57 )
58 .custom_string(100, "custom-string-value")
59 .custom_binary(101, b"custom-binary-value".to_vec())
60 .custom_int(102, 12345)
61 .sign(key)
62 .expect("Failed to sign token")
63}
64
65/// Create a token with a binary key ID
66fn create_token_with_binary_kid(key: &[u8]) -> common_access_token::Token {
67 let now = current_timestamp();
68 let binary_kid = vec![0x01, 0x02, 0x03, 0x04, 0x05];
69
70 // Create a token with binary key ID
71 TokenBuilder::new()
72 .algorithm(Algorithm::HmacSha256)
73 .protected_key_id(KeyId::binary(binary_kid))
74 .registered_claims(
75 RegisteredClaims::new()
76 .with_issuer("example-issuer")
77 .with_subject("example-subject")
78 .with_audience("example-audience")
79 .with_expiration(now + 3600) // 1 hour from now
80 .with_not_before(now)
81 .with_issued_at(now),
82 )
83 .sign(key)
84 .expect("Failed to sign token")
85}
86
87/// Create a token with a nested map claim
88fn create_token_with_nested_map(key: &[u8]) -> common_access_token::Token {
89 let now = current_timestamp();
90
91 // Create a nested map for the token
92 let mut nested_map = BTreeMap::new();
93 nested_map.insert(1, CborValue::Text("nested-text-value".to_string()));
94 nested_map.insert(2, CborValue::Integer(42));
95 nested_map.insert(3, CborValue::Bytes(vec![1, 2, 3, 4, 5]));
96
97 // Create a second level nested map
98 let mut second_level_map = BTreeMap::new();
99 second_level_map.insert(1, CborValue::Text("second-level-text".to_string()));
100 second_level_map.insert(2, CborValue::Integer(99));
101
102 // Add the second level map to the first level
103 nested_map.insert(4, CborValue::Map(second_level_map));
104
105 // Create a token with a nested map claim
106 TokenBuilder::new()
107 .algorithm(Algorithm::HmacSha256)
108 .protected_key_id(KeyId::string("nested-map-example"))
109 .registered_claims(
110 RegisteredClaims::new()
111 .with_issuer("example-issuer")
112 .with_subject("example-subject")
113 .with_audience("example-audience")
114 .with_expiration(now + 3600) // 1 hour from now
115 .with_not_before(now)
116 .with_issued_at(now),
117 )
118 .custom_map(200, nested_map)
119 .sign(key)
120 .expect("Failed to sign token")
121}More examples
examples/cat_specific_claims.rs (line 72)
41fn create_token_with_cat_claims(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a CATU claim (Common Access Token URI)
45 let mut catu_components = BTreeMap::new();
46
47 // Restrict to https scheme
48 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
49
50 // Restrict to example.com host
51 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
52
53 // Restrict to paths starting with /content
54 catu_components.insert(uri_components::PATH, catu::prefix_match("/content"));
55
56 // Restrict to .m3u8 files
57 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".m3u8"));
58
59 // Create a CATM claim (Common Access Token Methods)
60 let allowed_methods = vec!["GET", "HEAD"];
61
62 // Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some((now + 3000) as i64));
64
65 // Build the token with CAT-specific claims
66 TokenBuilder::new()
67 .algorithm(Algorithm::HmacSha256)
68 .protected_key_id(KeyId::string("example-key-id"))
69 .registered_claims(
70 RegisteredClaims::new()
71 .with_issuer("example-issuer")
72 .with_subject("example-subject")
73 .with_audience("example-audience")
74 .with_expiration(now + 3600) // 1 hour from now
75 .with_not_before(now)
76 .with_issued_at(now)
77 .with_cti(b"token-id-1234".to_vec()),
78 )
79 // Add CAT-specific claims
80 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
81 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
82 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
83 .custom_int(cat_keys::CATV, 1) // Version 1
84 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
85 .sign(key)
86 .expect("Failed to sign token")
87}examples/cat_validation.rs (line 76)
38fn create_token_with_cat_claims(key: &[u8], now: i64) -> common_access_token::Token {
39 println!("Creating token with CAT-specific claims...");
40
41 // 1. Create a CATU claim (Common Access Token URI)
42 let mut catu_components = BTreeMap::new();
43
44 // Restrict to https scheme
45 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
46
47 // Restrict to example.com host
48 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
49
50 // Restrict to paths starting with /api
51 catu_components.insert(uri_components::PATH, catu::prefix_match("/api"));
52
53 // Restrict to .json extension
54 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".json"));
55
56 println!(" Added CATU claim with URI restrictions");
57
58 // 2. Create a CATM claim (Common Access Token Methods)
59 let allowed_methods = vec!["GET", "HEAD", "OPTIONS"];
60 println!(" Added CATM claim allowing methods: {:?}", allowed_methods);
61
62 // 3. Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some(now + 3000));
64 println!(" Added CATR claim with automatic renewal");
65
66 // 4. Create a CATREPLAY claim (prohibit token replay)
67 println!(" Added CATREPLAY claim prohibiting token replay");
68
69 // Build the token with all CAT-specific claims
70 TokenBuilder::new()
71 .algorithm(Algorithm::HmacSha256)
72 .protected_key_id(KeyId::string("example-key-id"))
73 .registered_claims(
74 RegisteredClaims::new()
75 .with_issuer("example-issuer")
76 .with_subject("example-subject")
77 .with_audience("example-audience")
78 .with_expiration(now as u64 + 3600) // 1 hour from now
79 .with_not_before(now as u64)
80 .with_issued_at(now as u64)
81 .with_cti(b"token-id-1234".to_vec()),
82 )
83 // Add CAT-specific claims
84 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
85 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
86 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
87 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
88 .sign(key)
89 .expect("Failed to sign token")
90}examples/extended_cat_claims.rs (line 200)
20fn main() {
21 let key = b"my-secret-key-for-hmac-sha256";
22 let now = current_timestamp();
23
24 println!("=== Extended CAT Claims Example ===\n");
25
26 // Example 1: Token with probability of rejection (CATPOR)
27 println!("1. Creating token with CATPOR (25% rejection probability)");
28 let token_with_catpor = TokenBuilder::new()
29 .algorithm(Algorithm::HmacSha256)
30 .protected_key_id(KeyId::string("key-1"))
31 .registered_claims(
32 RegisteredClaims::new()
33 .with_issuer("example-issuer")
34 .with_expiration(now + 3600),
35 )
36 .custom_cbor(cat_keys::CATPOR, catpor::create(25))
37 .sign(key)
38 .expect("Failed to sign token");
39
40 println!(" ✓ Token created with CATPOR: 25% rejection probability\n");
41
42 // Example 2: Token with network IP restrictions (CATNIP)
43 println!("2. Creating token with CATNIP (IP restrictions)");
44 let token_with_catnip = TokenBuilder::new()
45 .algorithm(Algorithm::HmacSha256)
46 .protected_key_id(KeyId::string("key-2"))
47 .registered_claims(
48 RegisteredClaims::new()
49 .with_issuer("example-issuer")
50 .with_expiration(now + 3600),
51 )
52 .custom_array(
53 cat_keys::CATNIP,
54 catnip::create(vec!["192.168.1.0/24", "10.0.0.0/8"]),
55 )
56 .sign(key)
57 .expect("Failed to sign token");
58
59 println!(" ✓ Token created with CATNIP: 192.168.1.0/24, 10.0.0.0/8\n");
60
61 // Example 3: Token with ALPN restrictions (CATALPN)
62 println!("3. Creating token with CATALPN (HTTP/2 only)");
63 let token_with_catalpn = TokenBuilder::new()
64 .algorithm(Algorithm::HmacSha256)
65 .protected_key_id(KeyId::string("key-3"))
66 .registered_claims(
67 RegisteredClaims::new()
68 .with_issuer("example-issuer")
69 .with_expiration(now + 3600),
70 )
71 .custom_array(cat_keys::CATALPN, catalpn::http2_only())
72 .sign(key)
73 .expect("Failed to sign token");
74
75 println!(" ✓ Token created with CATALPN: h2 only\n");
76
77 // Example 4: Token with HTTP header requirements (CATH)
78 println!("4. Creating token with CATH (custom headers)");
79 let mut headers = BTreeMap::new();
80 headers.insert("X-API-Key", "secret-api-key");
81 headers.insert("X-Client-Version", "1.0");
82
83 let token_with_cath = TokenBuilder::new()
84 .algorithm(Algorithm::HmacSha256)
85 .protected_key_id(KeyId::string("key-4"))
86 .registered_claims(
87 RegisteredClaims::new()
88 .with_issuer("example-issuer")
89 .with_expiration(now + 3600),
90 )
91 .custom_cbor(cat_keys::CATH, cath::create(headers))
92 .sign(key)
93 .expect("Failed to sign token");
94
95 println!(" ✓ Token created with CATH: X-API-Key, X-Client-Version\n");
96
97 // Example 5: Token with geographic restrictions (CATGEO*)
98 println!("5. Creating token with geographic restrictions");
99 let token_with_geo = TokenBuilder::new()
100 .algorithm(Algorithm::HmacSha256)
101 .protected_key_id(KeyId::string("key-5"))
102 .registered_claims(
103 RegisteredClaims::new()
104 .with_issuer("example-issuer")
105 .with_expiration(now + 3600),
106 )
107 // Country restriction
108 .custom_array(cat_keys::CATGEOISO3166, catgeoiso3166::create(vec!["US"]))
109 // Coordinate restriction (New York City with 5km radius)
110 .custom_cbor(
111 cat_keys::CATGEOCOORD,
112 catgeocoord::with_radius(40.7128, -74.0060, 5000),
113 )
114 // Altitude restriction (0-1000 meters)
115 .custom_cbor(cat_keys::CATGEOALT, catgeoalt::range(0, 1000))
116 .sign(key)
117 .expect("Failed to sign token");
118
119 println!(" ✓ Token created with CATGEOISO3166: US");
120 println!(" ✓ Token created with CATGEOCOORD: NYC (40.7128, -74.0060) ±5km");
121 println!(" ✓ Token created with CATGEOALT: 0-1000m\n");
122
123 // Example 6: Token with TLS public key pinning (CATTPK)
124 println!("6. Creating token with CATTPK (TLS key pinning)");
125 // In a real scenario, this would be the SHA-256 hash of a certificate's public key
126 let public_key_hash = vec![
127 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd,
128 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab,
129 0xcd, 0xef,
130 ];
131
132 let token_with_cattpk = TokenBuilder::new()
133 .algorithm(Algorithm::HmacSha256)
134 .protected_key_id(KeyId::string("key-6"))
135 .registered_claims(
136 RegisteredClaims::new()
137 .with_issuer("example-issuer")
138 .with_expiration(now + 3600),
139 )
140 .custom_cbor(cat_keys::CATTPK, cattpk::create(public_key_hash.clone()))
141 .sign(key)
142 .expect("Failed to sign token");
143
144 println!(" ✓ Token created with CATTPK: public key hash (32 bytes)\n");
145
146 // Example 7: Token with DPoP settings (CATDPOP)
147 println!("7. Creating token with CATDPOP (DPoP required)");
148 let token_with_catdpop = TokenBuilder::new()
149 .algorithm(Algorithm::HmacSha256)
150 .protected_key_id(KeyId::string("key-7"))
151 .registered_claims(
152 RegisteredClaims::new()
153 .with_issuer("example-issuer")
154 .with_expiration(now + 3600),
155 )
156 .custom_cbor(cat_keys::CATDPOP, catdpop::required())
157 .sign(key)
158 .expect("Failed to sign token");
159
160 println!(" ✓ Token created with CATDPOP: DPoP required\n");
161
162 // Example 8: Token with conditional logic (CATIF/CATIFDATA)
163 println!("8. Creating token with CATIF and CATIFDATA");
164 let mut condition = BTreeMap::new();
165 condition.insert(0, common_access_token::CborValue::Text("role".to_string()));
166 condition.insert(
167 1,
168 common_access_token::CborValue::Text("equals".to_string()),
169 );
170 condition.insert(2, common_access_token::CborValue::Text("admin".to_string()));
171
172 let mut if_data = BTreeMap::new();
173 if_data.insert(0, common_access_token::CborValue::Text("role".to_string()));
174 if_data.insert(1, common_access_token::CborValue::Text("admin".to_string()));
175
176 let token_with_catif = TokenBuilder::new()
177 .algorithm(Algorithm::HmacSha256)
178 .protected_key_id(KeyId::string("key-8"))
179 .registered_claims(
180 RegisteredClaims::new()
181 .with_issuer("example-issuer")
182 .with_expiration(now + 3600),
183 )
184 .custom_cbor(cat_keys::CATIF, catif::create(condition))
185 .custom_cbor(cat_keys::CATIFDATA, catifdata::create(if_data))
186 .sign(key)
187 .expect("Failed to sign token");
188
189 println!(" ✓ Token created with CATIF: conditional logic");
190 println!(" ✓ Token created with CATIFDATA: role=admin\n");
191
192 // Example 9: Comprehensive token with multiple CAT claims
193 println!("9. Creating comprehensive token with multiple CAT claims");
194 let comprehensive_token = TokenBuilder::new()
195 .algorithm(Algorithm::HmacSha256)
196 .protected_key_id(KeyId::string("comprehensive-key"))
197 .registered_claims(
198 RegisteredClaims::new()
199 .with_issuer("secure-service")
200 .with_subject("user-12345")
201 .with_audience("api.example.com")
202 .with_expiration(now + 7200),
203 )
204 .custom_cbor(cat_keys::CATV, catv::with_version(1))
205 .custom_cbor(cat_keys::CATPOR, catpor::create(10))
206 .custom_array(cat_keys::CATNIP, catnip::single("203.0.113.0/24"))
207 .custom_array(cat_keys::CATALPN, catalpn::create(vec!["h2", "http/1.1"]))
208 .custom_array(cat_keys::CATGEOISO3166, catgeoiso3166::create(vec!["US"]))
209 .sign(key)
210 .expect("Failed to sign token");
211
212 println!(" ✓ Comprehensive token created with:");
213 println!(" - CATV: version 1");
214 println!(" - CATPOR: 10% rejection probability");
215 println!(" - CATNIP: 203.0.113.0/24");
216 println!(" - CATALPN: h2, http/1.1");
217 println!(" - CATGEOISO3166: US");
218
219 // Verify all tokens can be encoded
220 println!("\n=== Verification ===");
221 let tokens = vec![
222 ("CATPOR", &token_with_catpor),
223 ("CATNIP", &token_with_catnip),
224 ("CATALPN", &token_with_catalpn),
225 ("CATH", &token_with_cath),
226 ("CATGEO*", &token_with_geo),
227 ("CATTPK", &token_with_cattpk),
228 ("CATDPOP", &token_with_catdpop),
229 ("CATIF", &token_with_catif),
230 ("Comprehensive", &comprehensive_token),
231 ];
232
233 for (name, token) in tokens {
234 let token_bytes = token.to_bytes().expect("Failed to encode token");
235 println!("✓ {} token encoded ({} bytes)", name, token_bytes.len());
236 }
237
238 println!("\n=== All Extended CAT Claims Examples Completed Successfully ===");
239}Sourcepub fn with_audience<S: Into<String>>(self, aud: S) -> Self
pub fn with_audience<S: Into<String>>(self, aud: S) -> Self
Sets the audience claim.
The audience claim identifies the recipients that the token is intended for.
§Example
use common_access_token::RegisteredClaims;
let claims = RegisteredClaims::new().with_audience("https://api.example.com");
assert_eq!(claims.aud, Some("https://api.example.com".to_string()));Examples found in repository?
examples/basic_usage.rs (line 52)
41fn create_token_with_string_kid(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a token with string key ID
45 TokenBuilder::new()
46 .algorithm(Algorithm::HmacSha256)
47 .protected_key_id(KeyId::string("string-key-example"))
48 .registered_claims(
49 RegisteredClaims::new()
50 .with_issuer("example-issuer")
51 .with_subject("example-subject")
52 .with_audience("example-audience")
53 .with_expiration(now + 3600) // 1 hour from now
54 .with_not_before(now)
55 .with_issued_at(now)
56 .with_cti(b"token-id-1234".to_vec()),
57 )
58 .custom_string(100, "custom-string-value")
59 .custom_binary(101, b"custom-binary-value".to_vec())
60 .custom_int(102, 12345)
61 .sign(key)
62 .expect("Failed to sign token")
63}
64
65/// Create a token with a binary key ID
66fn create_token_with_binary_kid(key: &[u8]) -> common_access_token::Token {
67 let now = current_timestamp();
68 let binary_kid = vec![0x01, 0x02, 0x03, 0x04, 0x05];
69
70 // Create a token with binary key ID
71 TokenBuilder::new()
72 .algorithm(Algorithm::HmacSha256)
73 .protected_key_id(KeyId::binary(binary_kid))
74 .registered_claims(
75 RegisteredClaims::new()
76 .with_issuer("example-issuer")
77 .with_subject("example-subject")
78 .with_audience("example-audience")
79 .with_expiration(now + 3600) // 1 hour from now
80 .with_not_before(now)
81 .with_issued_at(now),
82 )
83 .sign(key)
84 .expect("Failed to sign token")
85}
86
87/// Create a token with a nested map claim
88fn create_token_with_nested_map(key: &[u8]) -> common_access_token::Token {
89 let now = current_timestamp();
90
91 // Create a nested map for the token
92 let mut nested_map = BTreeMap::new();
93 nested_map.insert(1, CborValue::Text("nested-text-value".to_string()));
94 nested_map.insert(2, CborValue::Integer(42));
95 nested_map.insert(3, CborValue::Bytes(vec![1, 2, 3, 4, 5]));
96
97 // Create a second level nested map
98 let mut second_level_map = BTreeMap::new();
99 second_level_map.insert(1, CborValue::Text("second-level-text".to_string()));
100 second_level_map.insert(2, CborValue::Integer(99));
101
102 // Add the second level map to the first level
103 nested_map.insert(4, CborValue::Map(second_level_map));
104
105 // Create a token with a nested map claim
106 TokenBuilder::new()
107 .algorithm(Algorithm::HmacSha256)
108 .protected_key_id(KeyId::string("nested-map-example"))
109 .registered_claims(
110 RegisteredClaims::new()
111 .with_issuer("example-issuer")
112 .with_subject("example-subject")
113 .with_audience("example-audience")
114 .with_expiration(now + 3600) // 1 hour from now
115 .with_not_before(now)
116 .with_issued_at(now),
117 )
118 .custom_map(200, nested_map)
119 .sign(key)
120 .expect("Failed to sign token")
121}More examples
examples/cat_specific_claims.rs (line 73)
41fn create_token_with_cat_claims(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a CATU claim (Common Access Token URI)
45 let mut catu_components = BTreeMap::new();
46
47 // Restrict to https scheme
48 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
49
50 // Restrict to example.com host
51 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
52
53 // Restrict to paths starting with /content
54 catu_components.insert(uri_components::PATH, catu::prefix_match("/content"));
55
56 // Restrict to .m3u8 files
57 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".m3u8"));
58
59 // Create a CATM claim (Common Access Token Methods)
60 let allowed_methods = vec!["GET", "HEAD"];
61
62 // Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some((now + 3000) as i64));
64
65 // Build the token with CAT-specific claims
66 TokenBuilder::new()
67 .algorithm(Algorithm::HmacSha256)
68 .protected_key_id(KeyId::string("example-key-id"))
69 .registered_claims(
70 RegisteredClaims::new()
71 .with_issuer("example-issuer")
72 .with_subject("example-subject")
73 .with_audience("example-audience")
74 .with_expiration(now + 3600) // 1 hour from now
75 .with_not_before(now)
76 .with_issued_at(now)
77 .with_cti(b"token-id-1234".to_vec()),
78 )
79 // Add CAT-specific claims
80 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
81 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
82 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
83 .custom_int(cat_keys::CATV, 1) // Version 1
84 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
85 .sign(key)
86 .expect("Failed to sign token")
87}examples/cat_validation.rs (line 77)
38fn create_token_with_cat_claims(key: &[u8], now: i64) -> common_access_token::Token {
39 println!("Creating token with CAT-specific claims...");
40
41 // 1. Create a CATU claim (Common Access Token URI)
42 let mut catu_components = BTreeMap::new();
43
44 // Restrict to https scheme
45 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
46
47 // Restrict to example.com host
48 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
49
50 // Restrict to paths starting with /api
51 catu_components.insert(uri_components::PATH, catu::prefix_match("/api"));
52
53 // Restrict to .json extension
54 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".json"));
55
56 println!(" Added CATU claim with URI restrictions");
57
58 // 2. Create a CATM claim (Common Access Token Methods)
59 let allowed_methods = vec!["GET", "HEAD", "OPTIONS"];
60 println!(" Added CATM claim allowing methods: {:?}", allowed_methods);
61
62 // 3. Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some(now + 3000));
64 println!(" Added CATR claim with automatic renewal");
65
66 // 4. Create a CATREPLAY claim (prohibit token replay)
67 println!(" Added CATREPLAY claim prohibiting token replay");
68
69 // Build the token with all CAT-specific claims
70 TokenBuilder::new()
71 .algorithm(Algorithm::HmacSha256)
72 .protected_key_id(KeyId::string("example-key-id"))
73 .registered_claims(
74 RegisteredClaims::new()
75 .with_issuer("example-issuer")
76 .with_subject("example-subject")
77 .with_audience("example-audience")
78 .with_expiration(now as u64 + 3600) // 1 hour from now
79 .with_not_before(now as u64)
80 .with_issued_at(now as u64)
81 .with_cti(b"token-id-1234".to_vec()),
82 )
83 // Add CAT-specific claims
84 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
85 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
86 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
87 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
88 .sign(key)
89 .expect("Failed to sign token")
90}examples/extended_cat_claims.rs (line 201)
20fn main() {
21 let key = b"my-secret-key-for-hmac-sha256";
22 let now = current_timestamp();
23
24 println!("=== Extended CAT Claims Example ===\n");
25
26 // Example 1: Token with probability of rejection (CATPOR)
27 println!("1. Creating token with CATPOR (25% rejection probability)");
28 let token_with_catpor = TokenBuilder::new()
29 .algorithm(Algorithm::HmacSha256)
30 .protected_key_id(KeyId::string("key-1"))
31 .registered_claims(
32 RegisteredClaims::new()
33 .with_issuer("example-issuer")
34 .with_expiration(now + 3600),
35 )
36 .custom_cbor(cat_keys::CATPOR, catpor::create(25))
37 .sign(key)
38 .expect("Failed to sign token");
39
40 println!(" ✓ Token created with CATPOR: 25% rejection probability\n");
41
42 // Example 2: Token with network IP restrictions (CATNIP)
43 println!("2. Creating token with CATNIP (IP restrictions)");
44 let token_with_catnip = TokenBuilder::new()
45 .algorithm(Algorithm::HmacSha256)
46 .protected_key_id(KeyId::string("key-2"))
47 .registered_claims(
48 RegisteredClaims::new()
49 .with_issuer("example-issuer")
50 .with_expiration(now + 3600),
51 )
52 .custom_array(
53 cat_keys::CATNIP,
54 catnip::create(vec!["192.168.1.0/24", "10.0.0.0/8"]),
55 )
56 .sign(key)
57 .expect("Failed to sign token");
58
59 println!(" ✓ Token created with CATNIP: 192.168.1.0/24, 10.0.0.0/8\n");
60
61 // Example 3: Token with ALPN restrictions (CATALPN)
62 println!("3. Creating token with CATALPN (HTTP/2 only)");
63 let token_with_catalpn = TokenBuilder::new()
64 .algorithm(Algorithm::HmacSha256)
65 .protected_key_id(KeyId::string("key-3"))
66 .registered_claims(
67 RegisteredClaims::new()
68 .with_issuer("example-issuer")
69 .with_expiration(now + 3600),
70 )
71 .custom_array(cat_keys::CATALPN, catalpn::http2_only())
72 .sign(key)
73 .expect("Failed to sign token");
74
75 println!(" ✓ Token created with CATALPN: h2 only\n");
76
77 // Example 4: Token with HTTP header requirements (CATH)
78 println!("4. Creating token with CATH (custom headers)");
79 let mut headers = BTreeMap::new();
80 headers.insert("X-API-Key", "secret-api-key");
81 headers.insert("X-Client-Version", "1.0");
82
83 let token_with_cath = TokenBuilder::new()
84 .algorithm(Algorithm::HmacSha256)
85 .protected_key_id(KeyId::string("key-4"))
86 .registered_claims(
87 RegisteredClaims::new()
88 .with_issuer("example-issuer")
89 .with_expiration(now + 3600),
90 )
91 .custom_cbor(cat_keys::CATH, cath::create(headers))
92 .sign(key)
93 .expect("Failed to sign token");
94
95 println!(" ✓ Token created with CATH: X-API-Key, X-Client-Version\n");
96
97 // Example 5: Token with geographic restrictions (CATGEO*)
98 println!("5. Creating token with geographic restrictions");
99 let token_with_geo = TokenBuilder::new()
100 .algorithm(Algorithm::HmacSha256)
101 .protected_key_id(KeyId::string("key-5"))
102 .registered_claims(
103 RegisteredClaims::new()
104 .with_issuer("example-issuer")
105 .with_expiration(now + 3600),
106 )
107 // Country restriction
108 .custom_array(cat_keys::CATGEOISO3166, catgeoiso3166::create(vec!["US"]))
109 // Coordinate restriction (New York City with 5km radius)
110 .custom_cbor(
111 cat_keys::CATGEOCOORD,
112 catgeocoord::with_radius(40.7128, -74.0060, 5000),
113 )
114 // Altitude restriction (0-1000 meters)
115 .custom_cbor(cat_keys::CATGEOALT, catgeoalt::range(0, 1000))
116 .sign(key)
117 .expect("Failed to sign token");
118
119 println!(" ✓ Token created with CATGEOISO3166: US");
120 println!(" ✓ Token created with CATGEOCOORD: NYC (40.7128, -74.0060) ±5km");
121 println!(" ✓ Token created with CATGEOALT: 0-1000m\n");
122
123 // Example 6: Token with TLS public key pinning (CATTPK)
124 println!("6. Creating token with CATTPK (TLS key pinning)");
125 // In a real scenario, this would be the SHA-256 hash of a certificate's public key
126 let public_key_hash = vec![
127 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd,
128 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab,
129 0xcd, 0xef,
130 ];
131
132 let token_with_cattpk = TokenBuilder::new()
133 .algorithm(Algorithm::HmacSha256)
134 .protected_key_id(KeyId::string("key-6"))
135 .registered_claims(
136 RegisteredClaims::new()
137 .with_issuer("example-issuer")
138 .with_expiration(now + 3600),
139 )
140 .custom_cbor(cat_keys::CATTPK, cattpk::create(public_key_hash.clone()))
141 .sign(key)
142 .expect("Failed to sign token");
143
144 println!(" ✓ Token created with CATTPK: public key hash (32 bytes)\n");
145
146 // Example 7: Token with DPoP settings (CATDPOP)
147 println!("7. Creating token with CATDPOP (DPoP required)");
148 let token_with_catdpop = TokenBuilder::new()
149 .algorithm(Algorithm::HmacSha256)
150 .protected_key_id(KeyId::string("key-7"))
151 .registered_claims(
152 RegisteredClaims::new()
153 .with_issuer("example-issuer")
154 .with_expiration(now + 3600),
155 )
156 .custom_cbor(cat_keys::CATDPOP, catdpop::required())
157 .sign(key)
158 .expect("Failed to sign token");
159
160 println!(" ✓ Token created with CATDPOP: DPoP required\n");
161
162 // Example 8: Token with conditional logic (CATIF/CATIFDATA)
163 println!("8. Creating token with CATIF and CATIFDATA");
164 let mut condition = BTreeMap::new();
165 condition.insert(0, common_access_token::CborValue::Text("role".to_string()));
166 condition.insert(
167 1,
168 common_access_token::CborValue::Text("equals".to_string()),
169 );
170 condition.insert(2, common_access_token::CborValue::Text("admin".to_string()));
171
172 let mut if_data = BTreeMap::new();
173 if_data.insert(0, common_access_token::CborValue::Text("role".to_string()));
174 if_data.insert(1, common_access_token::CborValue::Text("admin".to_string()));
175
176 let token_with_catif = TokenBuilder::new()
177 .algorithm(Algorithm::HmacSha256)
178 .protected_key_id(KeyId::string("key-8"))
179 .registered_claims(
180 RegisteredClaims::new()
181 .with_issuer("example-issuer")
182 .with_expiration(now + 3600),
183 )
184 .custom_cbor(cat_keys::CATIF, catif::create(condition))
185 .custom_cbor(cat_keys::CATIFDATA, catifdata::create(if_data))
186 .sign(key)
187 .expect("Failed to sign token");
188
189 println!(" ✓ Token created with CATIF: conditional logic");
190 println!(" ✓ Token created with CATIFDATA: role=admin\n");
191
192 // Example 9: Comprehensive token with multiple CAT claims
193 println!("9. Creating comprehensive token with multiple CAT claims");
194 let comprehensive_token = TokenBuilder::new()
195 .algorithm(Algorithm::HmacSha256)
196 .protected_key_id(KeyId::string("comprehensive-key"))
197 .registered_claims(
198 RegisteredClaims::new()
199 .with_issuer("secure-service")
200 .with_subject("user-12345")
201 .with_audience("api.example.com")
202 .with_expiration(now + 7200),
203 )
204 .custom_cbor(cat_keys::CATV, catv::with_version(1))
205 .custom_cbor(cat_keys::CATPOR, catpor::create(10))
206 .custom_array(cat_keys::CATNIP, catnip::single("203.0.113.0/24"))
207 .custom_array(cat_keys::CATALPN, catalpn::create(vec!["h2", "http/1.1"]))
208 .custom_array(cat_keys::CATGEOISO3166, catgeoiso3166::create(vec!["US"]))
209 .sign(key)
210 .expect("Failed to sign token");
211
212 println!(" ✓ Comprehensive token created with:");
213 println!(" - CATV: version 1");
214 println!(" - CATPOR: 10% rejection probability");
215 println!(" - CATNIP: 203.0.113.0/24");
216 println!(" - CATALPN: h2, http/1.1");
217 println!(" - CATGEOISO3166: US");
218
219 // Verify all tokens can be encoded
220 println!("\n=== Verification ===");
221 let tokens = vec![
222 ("CATPOR", &token_with_catpor),
223 ("CATNIP", &token_with_catnip),
224 ("CATALPN", &token_with_catalpn),
225 ("CATH", &token_with_cath),
226 ("CATGEO*", &token_with_geo),
227 ("CATTPK", &token_with_cattpk),
228 ("CATDPOP", &token_with_catdpop),
229 ("CATIF", &token_with_catif),
230 ("Comprehensive", &comprehensive_token),
231 ];
232
233 for (name, token) in tokens {
234 let token_bytes = token.to_bytes().expect("Failed to encode token");
235 println!("✓ {} token encoded ({} bytes)", name, token_bytes.len());
236 }
237
238 println!("\n=== All Extended CAT Claims Examples Completed Successfully ===");
239}Sourcepub fn with_expiration(self, exp: u64) -> Self
pub fn with_expiration(self, exp: u64) -> Self
Sets the expiration time claim.
The expiration time claim identifies the time on or after which the token MUST NOT be accepted for processing. The value is a Unix timestamp (seconds since the Unix epoch).
§Example
use common_access_token::RegisteredClaims;
use common_access_token::current_timestamp;
let now = current_timestamp();
let claims = RegisteredClaims::new().with_expiration(now + 3600); // 1 hour from now
assert_eq!(claims.exp, Some(now + 3600));Examples found in repository?
examples/basic_usage.rs (line 53)
41fn create_token_with_string_kid(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a token with string key ID
45 TokenBuilder::new()
46 .algorithm(Algorithm::HmacSha256)
47 .protected_key_id(KeyId::string("string-key-example"))
48 .registered_claims(
49 RegisteredClaims::new()
50 .with_issuer("example-issuer")
51 .with_subject("example-subject")
52 .with_audience("example-audience")
53 .with_expiration(now + 3600) // 1 hour from now
54 .with_not_before(now)
55 .with_issued_at(now)
56 .with_cti(b"token-id-1234".to_vec()),
57 )
58 .custom_string(100, "custom-string-value")
59 .custom_binary(101, b"custom-binary-value".to_vec())
60 .custom_int(102, 12345)
61 .sign(key)
62 .expect("Failed to sign token")
63}
64
65/// Create a token with a binary key ID
66fn create_token_with_binary_kid(key: &[u8]) -> common_access_token::Token {
67 let now = current_timestamp();
68 let binary_kid = vec![0x01, 0x02, 0x03, 0x04, 0x05];
69
70 // Create a token with binary key ID
71 TokenBuilder::new()
72 .algorithm(Algorithm::HmacSha256)
73 .protected_key_id(KeyId::binary(binary_kid))
74 .registered_claims(
75 RegisteredClaims::new()
76 .with_issuer("example-issuer")
77 .with_subject("example-subject")
78 .with_audience("example-audience")
79 .with_expiration(now + 3600) // 1 hour from now
80 .with_not_before(now)
81 .with_issued_at(now),
82 )
83 .sign(key)
84 .expect("Failed to sign token")
85}
86
87/// Create a token with a nested map claim
88fn create_token_with_nested_map(key: &[u8]) -> common_access_token::Token {
89 let now = current_timestamp();
90
91 // Create a nested map for the token
92 let mut nested_map = BTreeMap::new();
93 nested_map.insert(1, CborValue::Text("nested-text-value".to_string()));
94 nested_map.insert(2, CborValue::Integer(42));
95 nested_map.insert(3, CborValue::Bytes(vec![1, 2, 3, 4, 5]));
96
97 // Create a second level nested map
98 let mut second_level_map = BTreeMap::new();
99 second_level_map.insert(1, CborValue::Text("second-level-text".to_string()));
100 second_level_map.insert(2, CborValue::Integer(99));
101
102 // Add the second level map to the first level
103 nested_map.insert(4, CborValue::Map(second_level_map));
104
105 // Create a token with a nested map claim
106 TokenBuilder::new()
107 .algorithm(Algorithm::HmacSha256)
108 .protected_key_id(KeyId::string("nested-map-example"))
109 .registered_claims(
110 RegisteredClaims::new()
111 .with_issuer("example-issuer")
112 .with_subject("example-subject")
113 .with_audience("example-audience")
114 .with_expiration(now + 3600) // 1 hour from now
115 .with_not_before(now)
116 .with_issued_at(now),
117 )
118 .custom_map(200, nested_map)
119 .sign(key)
120 .expect("Failed to sign token")
121}More examples
examples/cat_specific_claims.rs (line 74)
41fn create_token_with_cat_claims(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a CATU claim (Common Access Token URI)
45 let mut catu_components = BTreeMap::new();
46
47 // Restrict to https scheme
48 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
49
50 // Restrict to example.com host
51 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
52
53 // Restrict to paths starting with /content
54 catu_components.insert(uri_components::PATH, catu::prefix_match("/content"));
55
56 // Restrict to .m3u8 files
57 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".m3u8"));
58
59 // Create a CATM claim (Common Access Token Methods)
60 let allowed_methods = vec!["GET", "HEAD"];
61
62 // Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some((now + 3000) as i64));
64
65 // Build the token with CAT-specific claims
66 TokenBuilder::new()
67 .algorithm(Algorithm::HmacSha256)
68 .protected_key_id(KeyId::string("example-key-id"))
69 .registered_claims(
70 RegisteredClaims::new()
71 .with_issuer("example-issuer")
72 .with_subject("example-subject")
73 .with_audience("example-audience")
74 .with_expiration(now + 3600) // 1 hour from now
75 .with_not_before(now)
76 .with_issued_at(now)
77 .with_cti(b"token-id-1234".to_vec()),
78 )
79 // Add CAT-specific claims
80 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
81 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
82 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
83 .custom_int(cat_keys::CATV, 1) // Version 1
84 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
85 .sign(key)
86 .expect("Failed to sign token")
87}examples/cat_validation.rs (line 78)
38fn create_token_with_cat_claims(key: &[u8], now: i64) -> common_access_token::Token {
39 println!("Creating token with CAT-specific claims...");
40
41 // 1. Create a CATU claim (Common Access Token URI)
42 let mut catu_components = BTreeMap::new();
43
44 // Restrict to https scheme
45 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
46
47 // Restrict to example.com host
48 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
49
50 // Restrict to paths starting with /api
51 catu_components.insert(uri_components::PATH, catu::prefix_match("/api"));
52
53 // Restrict to .json extension
54 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".json"));
55
56 println!(" Added CATU claim with URI restrictions");
57
58 // 2. Create a CATM claim (Common Access Token Methods)
59 let allowed_methods = vec!["GET", "HEAD", "OPTIONS"];
60 println!(" Added CATM claim allowing methods: {:?}", allowed_methods);
61
62 // 3. Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some(now + 3000));
64 println!(" Added CATR claim with automatic renewal");
65
66 // 4. Create a CATREPLAY claim (prohibit token replay)
67 println!(" Added CATREPLAY claim prohibiting token replay");
68
69 // Build the token with all CAT-specific claims
70 TokenBuilder::new()
71 .algorithm(Algorithm::HmacSha256)
72 .protected_key_id(KeyId::string("example-key-id"))
73 .registered_claims(
74 RegisteredClaims::new()
75 .with_issuer("example-issuer")
76 .with_subject("example-subject")
77 .with_audience("example-audience")
78 .with_expiration(now as u64 + 3600) // 1 hour from now
79 .with_not_before(now as u64)
80 .with_issued_at(now as u64)
81 .with_cti(b"token-id-1234".to_vec()),
82 )
83 // Add CAT-specific claims
84 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
85 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
86 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
87 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
88 .sign(key)
89 .expect("Failed to sign token")
90}examples/extended_cat_claims.rs (line 34)
20fn main() {
21 let key = b"my-secret-key-for-hmac-sha256";
22 let now = current_timestamp();
23
24 println!("=== Extended CAT Claims Example ===\n");
25
26 // Example 1: Token with probability of rejection (CATPOR)
27 println!("1. Creating token with CATPOR (25% rejection probability)");
28 let token_with_catpor = TokenBuilder::new()
29 .algorithm(Algorithm::HmacSha256)
30 .protected_key_id(KeyId::string("key-1"))
31 .registered_claims(
32 RegisteredClaims::new()
33 .with_issuer("example-issuer")
34 .with_expiration(now + 3600),
35 )
36 .custom_cbor(cat_keys::CATPOR, catpor::create(25))
37 .sign(key)
38 .expect("Failed to sign token");
39
40 println!(" ✓ Token created with CATPOR: 25% rejection probability\n");
41
42 // Example 2: Token with network IP restrictions (CATNIP)
43 println!("2. Creating token with CATNIP (IP restrictions)");
44 let token_with_catnip = TokenBuilder::new()
45 .algorithm(Algorithm::HmacSha256)
46 .protected_key_id(KeyId::string("key-2"))
47 .registered_claims(
48 RegisteredClaims::new()
49 .with_issuer("example-issuer")
50 .with_expiration(now + 3600),
51 )
52 .custom_array(
53 cat_keys::CATNIP,
54 catnip::create(vec!["192.168.1.0/24", "10.0.0.0/8"]),
55 )
56 .sign(key)
57 .expect("Failed to sign token");
58
59 println!(" ✓ Token created with CATNIP: 192.168.1.0/24, 10.0.0.0/8\n");
60
61 // Example 3: Token with ALPN restrictions (CATALPN)
62 println!("3. Creating token with CATALPN (HTTP/2 only)");
63 let token_with_catalpn = TokenBuilder::new()
64 .algorithm(Algorithm::HmacSha256)
65 .protected_key_id(KeyId::string("key-3"))
66 .registered_claims(
67 RegisteredClaims::new()
68 .with_issuer("example-issuer")
69 .with_expiration(now + 3600),
70 )
71 .custom_array(cat_keys::CATALPN, catalpn::http2_only())
72 .sign(key)
73 .expect("Failed to sign token");
74
75 println!(" ✓ Token created with CATALPN: h2 only\n");
76
77 // Example 4: Token with HTTP header requirements (CATH)
78 println!("4. Creating token with CATH (custom headers)");
79 let mut headers = BTreeMap::new();
80 headers.insert("X-API-Key", "secret-api-key");
81 headers.insert("X-Client-Version", "1.0");
82
83 let token_with_cath = TokenBuilder::new()
84 .algorithm(Algorithm::HmacSha256)
85 .protected_key_id(KeyId::string("key-4"))
86 .registered_claims(
87 RegisteredClaims::new()
88 .with_issuer("example-issuer")
89 .with_expiration(now + 3600),
90 )
91 .custom_cbor(cat_keys::CATH, cath::create(headers))
92 .sign(key)
93 .expect("Failed to sign token");
94
95 println!(" ✓ Token created with CATH: X-API-Key, X-Client-Version\n");
96
97 // Example 5: Token with geographic restrictions (CATGEO*)
98 println!("5. Creating token with geographic restrictions");
99 let token_with_geo = TokenBuilder::new()
100 .algorithm(Algorithm::HmacSha256)
101 .protected_key_id(KeyId::string("key-5"))
102 .registered_claims(
103 RegisteredClaims::new()
104 .with_issuer("example-issuer")
105 .with_expiration(now + 3600),
106 )
107 // Country restriction
108 .custom_array(cat_keys::CATGEOISO3166, catgeoiso3166::create(vec!["US"]))
109 // Coordinate restriction (New York City with 5km radius)
110 .custom_cbor(
111 cat_keys::CATGEOCOORD,
112 catgeocoord::with_radius(40.7128, -74.0060, 5000),
113 )
114 // Altitude restriction (0-1000 meters)
115 .custom_cbor(cat_keys::CATGEOALT, catgeoalt::range(0, 1000))
116 .sign(key)
117 .expect("Failed to sign token");
118
119 println!(" ✓ Token created with CATGEOISO3166: US");
120 println!(" ✓ Token created with CATGEOCOORD: NYC (40.7128, -74.0060) ±5km");
121 println!(" ✓ Token created with CATGEOALT: 0-1000m\n");
122
123 // Example 6: Token with TLS public key pinning (CATTPK)
124 println!("6. Creating token with CATTPK (TLS key pinning)");
125 // In a real scenario, this would be the SHA-256 hash of a certificate's public key
126 let public_key_hash = vec![
127 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd,
128 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab,
129 0xcd, 0xef,
130 ];
131
132 let token_with_cattpk = TokenBuilder::new()
133 .algorithm(Algorithm::HmacSha256)
134 .protected_key_id(KeyId::string("key-6"))
135 .registered_claims(
136 RegisteredClaims::new()
137 .with_issuer("example-issuer")
138 .with_expiration(now + 3600),
139 )
140 .custom_cbor(cat_keys::CATTPK, cattpk::create(public_key_hash.clone()))
141 .sign(key)
142 .expect("Failed to sign token");
143
144 println!(" ✓ Token created with CATTPK: public key hash (32 bytes)\n");
145
146 // Example 7: Token with DPoP settings (CATDPOP)
147 println!("7. Creating token with CATDPOP (DPoP required)");
148 let token_with_catdpop = TokenBuilder::new()
149 .algorithm(Algorithm::HmacSha256)
150 .protected_key_id(KeyId::string("key-7"))
151 .registered_claims(
152 RegisteredClaims::new()
153 .with_issuer("example-issuer")
154 .with_expiration(now + 3600),
155 )
156 .custom_cbor(cat_keys::CATDPOP, catdpop::required())
157 .sign(key)
158 .expect("Failed to sign token");
159
160 println!(" ✓ Token created with CATDPOP: DPoP required\n");
161
162 // Example 8: Token with conditional logic (CATIF/CATIFDATA)
163 println!("8. Creating token with CATIF and CATIFDATA");
164 let mut condition = BTreeMap::new();
165 condition.insert(0, common_access_token::CborValue::Text("role".to_string()));
166 condition.insert(
167 1,
168 common_access_token::CborValue::Text("equals".to_string()),
169 );
170 condition.insert(2, common_access_token::CborValue::Text("admin".to_string()));
171
172 let mut if_data = BTreeMap::new();
173 if_data.insert(0, common_access_token::CborValue::Text("role".to_string()));
174 if_data.insert(1, common_access_token::CborValue::Text("admin".to_string()));
175
176 let token_with_catif = TokenBuilder::new()
177 .algorithm(Algorithm::HmacSha256)
178 .protected_key_id(KeyId::string("key-8"))
179 .registered_claims(
180 RegisteredClaims::new()
181 .with_issuer("example-issuer")
182 .with_expiration(now + 3600),
183 )
184 .custom_cbor(cat_keys::CATIF, catif::create(condition))
185 .custom_cbor(cat_keys::CATIFDATA, catifdata::create(if_data))
186 .sign(key)
187 .expect("Failed to sign token");
188
189 println!(" ✓ Token created with CATIF: conditional logic");
190 println!(" ✓ Token created with CATIFDATA: role=admin\n");
191
192 // Example 9: Comprehensive token with multiple CAT claims
193 println!("9. Creating comprehensive token with multiple CAT claims");
194 let comprehensive_token = TokenBuilder::new()
195 .algorithm(Algorithm::HmacSha256)
196 .protected_key_id(KeyId::string("comprehensive-key"))
197 .registered_claims(
198 RegisteredClaims::new()
199 .with_issuer("secure-service")
200 .with_subject("user-12345")
201 .with_audience("api.example.com")
202 .with_expiration(now + 7200),
203 )
204 .custom_cbor(cat_keys::CATV, catv::with_version(1))
205 .custom_cbor(cat_keys::CATPOR, catpor::create(10))
206 .custom_array(cat_keys::CATNIP, catnip::single("203.0.113.0/24"))
207 .custom_array(cat_keys::CATALPN, catalpn::create(vec!["h2", "http/1.1"]))
208 .custom_array(cat_keys::CATGEOISO3166, catgeoiso3166::create(vec!["US"]))
209 .sign(key)
210 .expect("Failed to sign token");
211
212 println!(" ✓ Comprehensive token created with:");
213 println!(" - CATV: version 1");
214 println!(" - CATPOR: 10% rejection probability");
215 println!(" - CATNIP: 203.0.113.0/24");
216 println!(" - CATALPN: h2, http/1.1");
217 println!(" - CATGEOISO3166: US");
218
219 // Verify all tokens can be encoded
220 println!("\n=== Verification ===");
221 let tokens = vec![
222 ("CATPOR", &token_with_catpor),
223 ("CATNIP", &token_with_catnip),
224 ("CATALPN", &token_with_catalpn),
225 ("CATH", &token_with_cath),
226 ("CATGEO*", &token_with_geo),
227 ("CATTPK", &token_with_cattpk),
228 ("CATDPOP", &token_with_catdpop),
229 ("CATIF", &token_with_catif),
230 ("Comprehensive", &comprehensive_token),
231 ];
232
233 for (name, token) in tokens {
234 let token_bytes = token.to_bytes().expect("Failed to encode token");
235 println!("✓ {} token encoded ({} bytes)", name, token_bytes.len());
236 }
237
238 println!("\n=== All Extended CAT Claims Examples Completed Successfully ===");
239}Sourcepub fn with_not_before(self, nbf: u64) -> Self
pub fn with_not_before(self, nbf: u64) -> Self
Sets the not before claim.
The not before claim identifies the time before which the token MUST NOT be accepted for processing. The value is a Unix timestamp (seconds since the Unix epoch).
§Example
use common_access_token::RegisteredClaims;
use common_access_token::current_timestamp;
let now = current_timestamp();
let claims = RegisteredClaims::new().with_not_before(now); // Valid from now
assert_eq!(claims.nbf, Some(now));Examples found in repository?
examples/basic_usage.rs (line 54)
41fn create_token_with_string_kid(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a token with string key ID
45 TokenBuilder::new()
46 .algorithm(Algorithm::HmacSha256)
47 .protected_key_id(KeyId::string("string-key-example"))
48 .registered_claims(
49 RegisteredClaims::new()
50 .with_issuer("example-issuer")
51 .with_subject("example-subject")
52 .with_audience("example-audience")
53 .with_expiration(now + 3600) // 1 hour from now
54 .with_not_before(now)
55 .with_issued_at(now)
56 .with_cti(b"token-id-1234".to_vec()),
57 )
58 .custom_string(100, "custom-string-value")
59 .custom_binary(101, b"custom-binary-value".to_vec())
60 .custom_int(102, 12345)
61 .sign(key)
62 .expect("Failed to sign token")
63}
64
65/// Create a token with a binary key ID
66fn create_token_with_binary_kid(key: &[u8]) -> common_access_token::Token {
67 let now = current_timestamp();
68 let binary_kid = vec![0x01, 0x02, 0x03, 0x04, 0x05];
69
70 // Create a token with binary key ID
71 TokenBuilder::new()
72 .algorithm(Algorithm::HmacSha256)
73 .protected_key_id(KeyId::binary(binary_kid))
74 .registered_claims(
75 RegisteredClaims::new()
76 .with_issuer("example-issuer")
77 .with_subject("example-subject")
78 .with_audience("example-audience")
79 .with_expiration(now + 3600) // 1 hour from now
80 .with_not_before(now)
81 .with_issued_at(now),
82 )
83 .sign(key)
84 .expect("Failed to sign token")
85}
86
87/// Create a token with a nested map claim
88fn create_token_with_nested_map(key: &[u8]) -> common_access_token::Token {
89 let now = current_timestamp();
90
91 // Create a nested map for the token
92 let mut nested_map = BTreeMap::new();
93 nested_map.insert(1, CborValue::Text("nested-text-value".to_string()));
94 nested_map.insert(2, CborValue::Integer(42));
95 nested_map.insert(3, CborValue::Bytes(vec![1, 2, 3, 4, 5]));
96
97 // Create a second level nested map
98 let mut second_level_map = BTreeMap::new();
99 second_level_map.insert(1, CborValue::Text("second-level-text".to_string()));
100 second_level_map.insert(2, CborValue::Integer(99));
101
102 // Add the second level map to the first level
103 nested_map.insert(4, CborValue::Map(second_level_map));
104
105 // Create a token with a nested map claim
106 TokenBuilder::new()
107 .algorithm(Algorithm::HmacSha256)
108 .protected_key_id(KeyId::string("nested-map-example"))
109 .registered_claims(
110 RegisteredClaims::new()
111 .with_issuer("example-issuer")
112 .with_subject("example-subject")
113 .with_audience("example-audience")
114 .with_expiration(now + 3600) // 1 hour from now
115 .with_not_before(now)
116 .with_issued_at(now),
117 )
118 .custom_map(200, nested_map)
119 .sign(key)
120 .expect("Failed to sign token")
121}More examples
examples/cat_specific_claims.rs (line 75)
41fn create_token_with_cat_claims(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a CATU claim (Common Access Token URI)
45 let mut catu_components = BTreeMap::new();
46
47 // Restrict to https scheme
48 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
49
50 // Restrict to example.com host
51 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
52
53 // Restrict to paths starting with /content
54 catu_components.insert(uri_components::PATH, catu::prefix_match("/content"));
55
56 // Restrict to .m3u8 files
57 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".m3u8"));
58
59 // Create a CATM claim (Common Access Token Methods)
60 let allowed_methods = vec!["GET", "HEAD"];
61
62 // Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some((now + 3000) as i64));
64
65 // Build the token with CAT-specific claims
66 TokenBuilder::new()
67 .algorithm(Algorithm::HmacSha256)
68 .protected_key_id(KeyId::string("example-key-id"))
69 .registered_claims(
70 RegisteredClaims::new()
71 .with_issuer("example-issuer")
72 .with_subject("example-subject")
73 .with_audience("example-audience")
74 .with_expiration(now + 3600) // 1 hour from now
75 .with_not_before(now)
76 .with_issued_at(now)
77 .with_cti(b"token-id-1234".to_vec()),
78 )
79 // Add CAT-specific claims
80 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
81 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
82 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
83 .custom_int(cat_keys::CATV, 1) // Version 1
84 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
85 .sign(key)
86 .expect("Failed to sign token")
87}examples/cat_validation.rs (line 79)
38fn create_token_with_cat_claims(key: &[u8], now: i64) -> common_access_token::Token {
39 println!("Creating token with CAT-specific claims...");
40
41 // 1. Create a CATU claim (Common Access Token URI)
42 let mut catu_components = BTreeMap::new();
43
44 // Restrict to https scheme
45 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
46
47 // Restrict to example.com host
48 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
49
50 // Restrict to paths starting with /api
51 catu_components.insert(uri_components::PATH, catu::prefix_match("/api"));
52
53 // Restrict to .json extension
54 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".json"));
55
56 println!(" Added CATU claim with URI restrictions");
57
58 // 2. Create a CATM claim (Common Access Token Methods)
59 let allowed_methods = vec!["GET", "HEAD", "OPTIONS"];
60 println!(" Added CATM claim allowing methods: {:?}", allowed_methods);
61
62 // 3. Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some(now + 3000));
64 println!(" Added CATR claim with automatic renewal");
65
66 // 4. Create a CATREPLAY claim (prohibit token replay)
67 println!(" Added CATREPLAY claim prohibiting token replay");
68
69 // Build the token with all CAT-specific claims
70 TokenBuilder::new()
71 .algorithm(Algorithm::HmacSha256)
72 .protected_key_id(KeyId::string("example-key-id"))
73 .registered_claims(
74 RegisteredClaims::new()
75 .with_issuer("example-issuer")
76 .with_subject("example-subject")
77 .with_audience("example-audience")
78 .with_expiration(now as u64 + 3600) // 1 hour from now
79 .with_not_before(now as u64)
80 .with_issued_at(now as u64)
81 .with_cti(b"token-id-1234".to_vec()),
82 )
83 // Add CAT-specific claims
84 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
85 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
86 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
87 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
88 .sign(key)
89 .expect("Failed to sign token")
90}Sourcepub fn with_issued_at(self, iat: u64) -> Self
pub fn with_issued_at(self, iat: u64) -> Self
Sets the issued at claim.
The issued at claim identifies the time at which the token was issued. The value is a Unix timestamp (seconds since the Unix epoch).
§Example
use common_access_token::RegisteredClaims;
use common_access_token::current_timestamp;
let now = current_timestamp();
let claims = RegisteredClaims::new().with_issued_at(now);
assert_eq!(claims.iat, Some(now));Examples found in repository?
examples/basic_usage.rs (line 55)
41fn create_token_with_string_kid(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a token with string key ID
45 TokenBuilder::new()
46 .algorithm(Algorithm::HmacSha256)
47 .protected_key_id(KeyId::string("string-key-example"))
48 .registered_claims(
49 RegisteredClaims::new()
50 .with_issuer("example-issuer")
51 .with_subject("example-subject")
52 .with_audience("example-audience")
53 .with_expiration(now + 3600) // 1 hour from now
54 .with_not_before(now)
55 .with_issued_at(now)
56 .with_cti(b"token-id-1234".to_vec()),
57 )
58 .custom_string(100, "custom-string-value")
59 .custom_binary(101, b"custom-binary-value".to_vec())
60 .custom_int(102, 12345)
61 .sign(key)
62 .expect("Failed to sign token")
63}
64
65/// Create a token with a binary key ID
66fn create_token_with_binary_kid(key: &[u8]) -> common_access_token::Token {
67 let now = current_timestamp();
68 let binary_kid = vec![0x01, 0x02, 0x03, 0x04, 0x05];
69
70 // Create a token with binary key ID
71 TokenBuilder::new()
72 .algorithm(Algorithm::HmacSha256)
73 .protected_key_id(KeyId::binary(binary_kid))
74 .registered_claims(
75 RegisteredClaims::new()
76 .with_issuer("example-issuer")
77 .with_subject("example-subject")
78 .with_audience("example-audience")
79 .with_expiration(now + 3600) // 1 hour from now
80 .with_not_before(now)
81 .with_issued_at(now),
82 )
83 .sign(key)
84 .expect("Failed to sign token")
85}
86
87/// Create a token with a nested map claim
88fn create_token_with_nested_map(key: &[u8]) -> common_access_token::Token {
89 let now = current_timestamp();
90
91 // Create a nested map for the token
92 let mut nested_map = BTreeMap::new();
93 nested_map.insert(1, CborValue::Text("nested-text-value".to_string()));
94 nested_map.insert(2, CborValue::Integer(42));
95 nested_map.insert(3, CborValue::Bytes(vec![1, 2, 3, 4, 5]));
96
97 // Create a second level nested map
98 let mut second_level_map = BTreeMap::new();
99 second_level_map.insert(1, CborValue::Text("second-level-text".to_string()));
100 second_level_map.insert(2, CborValue::Integer(99));
101
102 // Add the second level map to the first level
103 nested_map.insert(4, CborValue::Map(second_level_map));
104
105 // Create a token with a nested map claim
106 TokenBuilder::new()
107 .algorithm(Algorithm::HmacSha256)
108 .protected_key_id(KeyId::string("nested-map-example"))
109 .registered_claims(
110 RegisteredClaims::new()
111 .with_issuer("example-issuer")
112 .with_subject("example-subject")
113 .with_audience("example-audience")
114 .with_expiration(now + 3600) // 1 hour from now
115 .with_not_before(now)
116 .with_issued_at(now),
117 )
118 .custom_map(200, nested_map)
119 .sign(key)
120 .expect("Failed to sign token")
121}More examples
examples/cat_specific_claims.rs (line 76)
41fn create_token_with_cat_claims(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a CATU claim (Common Access Token URI)
45 let mut catu_components = BTreeMap::new();
46
47 // Restrict to https scheme
48 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
49
50 // Restrict to example.com host
51 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
52
53 // Restrict to paths starting with /content
54 catu_components.insert(uri_components::PATH, catu::prefix_match("/content"));
55
56 // Restrict to .m3u8 files
57 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".m3u8"));
58
59 // Create a CATM claim (Common Access Token Methods)
60 let allowed_methods = vec!["GET", "HEAD"];
61
62 // Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some((now + 3000) as i64));
64
65 // Build the token with CAT-specific claims
66 TokenBuilder::new()
67 .algorithm(Algorithm::HmacSha256)
68 .protected_key_id(KeyId::string("example-key-id"))
69 .registered_claims(
70 RegisteredClaims::new()
71 .with_issuer("example-issuer")
72 .with_subject("example-subject")
73 .with_audience("example-audience")
74 .with_expiration(now + 3600) // 1 hour from now
75 .with_not_before(now)
76 .with_issued_at(now)
77 .with_cti(b"token-id-1234".to_vec()),
78 )
79 // Add CAT-specific claims
80 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
81 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
82 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
83 .custom_int(cat_keys::CATV, 1) // Version 1
84 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
85 .sign(key)
86 .expect("Failed to sign token")
87}examples/cat_validation.rs (line 80)
38fn create_token_with_cat_claims(key: &[u8], now: i64) -> common_access_token::Token {
39 println!("Creating token with CAT-specific claims...");
40
41 // 1. Create a CATU claim (Common Access Token URI)
42 let mut catu_components = BTreeMap::new();
43
44 // Restrict to https scheme
45 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
46
47 // Restrict to example.com host
48 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
49
50 // Restrict to paths starting with /api
51 catu_components.insert(uri_components::PATH, catu::prefix_match("/api"));
52
53 // Restrict to .json extension
54 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".json"));
55
56 println!(" Added CATU claim with URI restrictions");
57
58 // 2. Create a CATM claim (Common Access Token Methods)
59 let allowed_methods = vec!["GET", "HEAD", "OPTIONS"];
60 println!(" Added CATM claim allowing methods: {:?}", allowed_methods);
61
62 // 3. Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some(now + 3000));
64 println!(" Added CATR claim with automatic renewal");
65
66 // 4. Create a CATREPLAY claim (prohibit token replay)
67 println!(" Added CATREPLAY claim prohibiting token replay");
68
69 // Build the token with all CAT-specific claims
70 TokenBuilder::new()
71 .algorithm(Algorithm::HmacSha256)
72 .protected_key_id(KeyId::string("example-key-id"))
73 .registered_claims(
74 RegisteredClaims::new()
75 .with_issuer("example-issuer")
76 .with_subject("example-subject")
77 .with_audience("example-audience")
78 .with_expiration(now as u64 + 3600) // 1 hour from now
79 .with_not_before(now as u64)
80 .with_issued_at(now as u64)
81 .with_cti(b"token-id-1234".to_vec()),
82 )
83 // Add CAT-specific claims
84 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
85 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
86 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
87 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
88 .sign(key)
89 .expect("Failed to sign token")
90}Sourcepub fn with_cti<T: Into<Vec<u8>>>(self, cti: T) -> Self
pub fn with_cti<T: Into<Vec<u8>>>(self, cti: T) -> Self
Sets the CWT ID claim.
The CWT ID claim provides a unique identifier for the token.
§Example
use common_access_token::RegisteredClaims;
let id = vec![1, 2, 3, 4];
let claims = RegisteredClaims::new().with_cti(id.clone());
assert_eq!(claims.cti, Some(id));Examples found in repository?
examples/basic_usage.rs (line 56)
41fn create_token_with_string_kid(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a token with string key ID
45 TokenBuilder::new()
46 .algorithm(Algorithm::HmacSha256)
47 .protected_key_id(KeyId::string("string-key-example"))
48 .registered_claims(
49 RegisteredClaims::new()
50 .with_issuer("example-issuer")
51 .with_subject("example-subject")
52 .with_audience("example-audience")
53 .with_expiration(now + 3600) // 1 hour from now
54 .with_not_before(now)
55 .with_issued_at(now)
56 .with_cti(b"token-id-1234".to_vec()),
57 )
58 .custom_string(100, "custom-string-value")
59 .custom_binary(101, b"custom-binary-value".to_vec())
60 .custom_int(102, 12345)
61 .sign(key)
62 .expect("Failed to sign token")
63}More examples
examples/cat_specific_claims.rs (line 77)
41fn create_token_with_cat_claims(key: &[u8]) -> common_access_token::Token {
42 let now = current_timestamp();
43
44 // Create a CATU claim (Common Access Token URI)
45 let mut catu_components = BTreeMap::new();
46
47 // Restrict to https scheme
48 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
49
50 // Restrict to example.com host
51 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
52
53 // Restrict to paths starting with /content
54 catu_components.insert(uri_components::PATH, catu::prefix_match("/content"));
55
56 // Restrict to .m3u8 files
57 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".m3u8"));
58
59 // Create a CATM claim (Common Access Token Methods)
60 let allowed_methods = vec!["GET", "HEAD"];
61
62 // Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some((now + 3000) as i64));
64
65 // Build the token with CAT-specific claims
66 TokenBuilder::new()
67 .algorithm(Algorithm::HmacSha256)
68 .protected_key_id(KeyId::string("example-key-id"))
69 .registered_claims(
70 RegisteredClaims::new()
71 .with_issuer("example-issuer")
72 .with_subject("example-subject")
73 .with_audience("example-audience")
74 .with_expiration(now + 3600) // 1 hour from now
75 .with_not_before(now)
76 .with_issued_at(now)
77 .with_cti(b"token-id-1234".to_vec()),
78 )
79 // Add CAT-specific claims
80 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
81 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
82 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
83 .custom_int(cat_keys::CATV, 1) // Version 1
84 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
85 .sign(key)
86 .expect("Failed to sign token")
87}examples/cat_validation.rs (line 81)
38fn create_token_with_cat_claims(key: &[u8], now: i64) -> common_access_token::Token {
39 println!("Creating token with CAT-specific claims...");
40
41 // 1. Create a CATU claim (Common Access Token URI)
42 let mut catu_components = BTreeMap::new();
43
44 // Restrict to https scheme
45 catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));
46
47 // Restrict to example.com host
48 catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));
49
50 // Restrict to paths starting with /api
51 catu_components.insert(uri_components::PATH, catu::prefix_match("/api"));
52
53 // Restrict to .json extension
54 catu_components.insert(uri_components::EXTENSION, catu::exact_match(".json"));
55
56 println!(" Added CATU claim with URI restrictions");
57
58 // 2. Create a CATM claim (Common Access Token Methods)
59 let allowed_methods = vec!["GET", "HEAD", "OPTIONS"];
60 println!(" Added CATM claim allowing methods: {:?}", allowed_methods);
61
62 // 3. Create a CATR claim (Common Access Token Renewal)
63 let renewal_params = catr::automatic_renewal(3600, Some(now + 3000));
64 println!(" Added CATR claim with automatic renewal");
65
66 // 4. Create a CATREPLAY claim (prohibit token replay)
67 println!(" Added CATREPLAY claim prohibiting token replay");
68
69 // Build the token with all CAT-specific claims
70 TokenBuilder::new()
71 .algorithm(Algorithm::HmacSha256)
72 .protected_key_id(KeyId::string("example-key-id"))
73 .registered_claims(
74 RegisteredClaims::new()
75 .with_issuer("example-issuer")
76 .with_subject("example-subject")
77 .with_audience("example-audience")
78 .with_expiration(now as u64 + 3600) // 1 hour from now
79 .with_not_before(now as u64)
80 .with_issued_at(now as u64)
81 .with_cti(b"token-id-1234".to_vec()),
82 )
83 // Add CAT-specific claims
84 .custom_cbor(cat_keys::CATU, catu::create(catu_components))
85 .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
86 .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
87 .custom_array(cat_keys::CATM, catm::create(allowed_methods))
88 .sign(key)
89 .expect("Failed to sign token")
90}Sourcepub fn with_lifetime_secs(self, seconds: u64) -> Self
pub fn with_lifetime_secs(self, seconds: u64) -> Self
Set token lifetime with issued-at, not-before, and expiration claims
This is a convenience method that sets all three time-related claims:
iat(issued at) is set to the current timenbf(not before) is set to the current timeexp(expiration) is set to current time plus the specified seconds
§Example
use common_access_token::{RegisteredClaims, current_timestamp};
// Token valid for 1 hour
let claims = RegisteredClaims::new().with_lifetime_secs(3600);
let now = current_timestamp();
assert_eq!(claims.iat, Some(now));
assert_eq!(claims.nbf, Some(now));
assert_eq!(claims.exp, Some(now + 3600));Sourcepub fn with_lifetime(self, duration: Duration) -> Self
pub fn with_lifetime(self, duration: Duration) -> Self
Set token lifetime with issued-at, not-before, and expiration claims using a Duration
This is a convenience method that sets all three time-related claims:
iat(issued at) is set to the current timenbf(not before) is set to the current timeexp(expiration) is set to current time plus the specified duration
§Example
use common_access_token::{RegisteredClaims, current_timestamp};
use std::time::Duration;
// Token valid for 1 hour
let claims = RegisteredClaims::new().with_lifetime(Duration::from_secs(3600));
let now = current_timestamp();
assert_eq!(claims.iat, Some(now));
assert_eq!(claims.nbf, Some(now));
assert_eq!(claims.exp, Some(now + 3600));Sourcepub fn is_expired(&self) -> bool
pub fn is_expired(&self) -> bool
Check if the claims have expired
Returns true if there’s an expiration claim and the current time is at or after it.
Returns false if there’s no expiration claim or it hasn’t expired yet.
§Example
use common_access_token::{RegisteredClaims, current_timestamp};
let now = current_timestamp();
let claims = RegisteredClaims::new().with_expiration(now + 3600);
assert!(!claims.is_expired());
let expired = RegisteredClaims::new().with_expiration(now - 100);
assert!(expired.is_expired());Sourcepub fn is_valid_yet(&self) -> bool
pub fn is_valid_yet(&self) -> bool
Check if the claims are valid based on the not-before claim
Returns true if there’s no nbf claim or if the current time is at or after it.
Returns false if there’s an nbf claim and the current time is before it.
§Example
use common_access_token::{RegisteredClaims, current_timestamp};
let now = current_timestamp();
let claims = RegisteredClaims::new().with_not_before(now);
assert!(claims.is_valid_yet());
let future = RegisteredClaims::new().with_not_before(now + 3600);
assert!(!future.is_valid_yet());Sourcepub fn to_map(&self) -> ClaimsMap
pub fn to_map(&self) -> ClaimsMap
Converts registered claims to a claims map.
This method is primarily used internally for token encoding.
§Example
use common_access_token::RegisteredClaims;
use common_access_token::header::CborValue;
use common_access_token::claims::keys;
let claims = RegisteredClaims::new()
.with_issuer("example-issuer")
.with_subject("user-123");
let map = claims.to_map();
assert!(matches!(map.get(&keys::ISS), Some(CborValue::Text(s)) if s == "example-issuer"));
assert!(matches!(map.get(&keys::SUB), Some(CborValue::Text(s)) if s == "user-123"));Sourcepub fn from_map(map: &ClaimsMap) -> Self
pub fn from_map(map: &ClaimsMap) -> Self
Extracts registered claims from a claims map.
This method is primarily used internally for token decoding.
§Example
use common_access_token::{RegisteredClaims, CborValue};
use common_access_token::claims::{keys, ClaimsMap};
let mut map = ClaimsMap::new();
map.insert(keys::ISS, CborValue::Text("example-issuer".to_string()));
map.insert(keys::SUB, CborValue::Text("user-123".to_string()));
let claims = RegisteredClaims::from_map(&map);
assert_eq!(claims.iss, Some("example-issuer".to_string()));
assert_eq!(claims.sub, Some("user-123".to_string()));Trait Implementations§
Source§impl Clone for RegisteredClaims
impl Clone for RegisteredClaims
Source§fn clone(&self) -> RegisteredClaims
fn clone(&self) -> RegisteredClaims
Returns a duplicate of the value. Read more
1.0.0 · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
Performs copy-assignment from
source. Read moreSource§impl Debug for RegisteredClaims
impl Debug for RegisteredClaims
Source§impl Default for RegisteredClaims
impl Default for RegisteredClaims
Source§fn default() -> RegisteredClaims
fn default() -> RegisteredClaims
Returns the “default value” for a type. Read more
Auto Trait Implementations§
impl Freeze for RegisteredClaims
impl RefUnwindSafe for RegisteredClaims
impl Send for RegisteredClaims
impl Sync for RegisteredClaims
impl Unpin for RegisteredClaims
impl UnwindSafe for RegisteredClaims
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value. Read more