Crate compact_jwt


JSON Web Tokens (JWT) are a popular method for creating signed, transparent tokens that can be verified by clients and servers. They are enshrined in standards such as OpenID Connect, which makes them a widespread and required component of many modern web authentication systems.

This is a minimal implementation of JWTs and OIDC tokens that aims for auditability and correctness.

§Examples

use std::str::FromStr;
use std::convert::TryFrom;
use std::time::SystemTime;
use url::Url;
use compact_jwt::{
    OidcToken,
    OidcSubject,
    OidcUnverified,
    JwsEs256Signer,
    // Traits
    JwsSigner,
    JwsSignerToVerifier,
    JwsVerifier,
};

let oidc = OidcToken {
    iss: Url::parse("https://oidc.example.com").unwrap(),
    sub: OidcSubject::S("UniqueId".to_string()),
};

let mut jws_es256_signer =
    JwsEs256Signer::generate_es256().unwrap();

let oidc_signed = jws_es256_signer.sign(&oidc)
    .unwrap();

// Get the signed formatted token string
let token_str = oidc_signed.to_string();

// Build a validator from the public key of the signer. In a client scenario
// you would get this public jwk from the oidc authorisation server.
let mut jwk_es256_verifier = jws_es256_signer
    .get_verifier()
    .expect("failed to get verifier from signer");

// Assuming we have the token_str, we parse it to an unverified state.
let oidc_unverified = OidcUnverified::from_str(&token_str)
    .unwrap();

let curtime = SystemTime::now()
    .duration_since(SystemTime::UNIX_EPOCH)
    .expect("Failed to retrieve current time")
    .as_secs() as i64;

let oidc_validated = jwk_es256_verifier
    .verify(&oidc_unverified)
    .and_then(|oidc_exp| oidc_exp.verify_exp(curtime))
    .unwrap();

// Prove we got back the same content.
assert!(oidc_validated == oidc);

Modules§

  • JWS Signing and Verification Structures
  • A dangerous verification type that allows bypassing cryptographic checking of the content of JWS tokens.
  • Error types.
  • JWE Implementation
  • JWS Implementation
  • JWT implementation
  • OIDC token implementation
  • Traits that define behaviour of JWS signing and verification types.