jwt-lab
JWT crate for Rust. Decode, verify, sign, mutate, select keys from JWKS by kid, validate times with leeway, and choose algorithms with feature flags.
Features
- Multiple Algorithms: HS256/384/512, RS256/384/512, ES256/384/512, EdDSA
- JWK/JWKS Support: Verify tokens using JSON Web Key Sets
- Algorithm Validation: Prevent algorithm confusion attacks
- Time Validation: Configurable leeway for
expandnbfclaims - Claims Mutation: Modify JWT claims using JSON pointer paths
- Feature Flags: Fine-grained control over included algorithms
- Strong Error Types: Comprehensive error handling with clear messages
Usage
Add to your Cargo.toml:
[]
= "0.1"
Basic Usage
use ;
// Decode and verify a JWT
let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";
let jwt = decode?;
// Always validate the algorithm to prevent alg confusion attacks
jwt.verify?;
JWKS Verification
use ;
let jwks = from_str?;
let jwt = decode?;
jwt.verify_with_jwks?;
Signing Tokens
use ;
use sign;
use json;
let header = Header ;
let claims = Claims;
let token = sign?;
Security Considerations
⚠️ Important Security Notes:
- Always validate the algorithm to prevent algorithm confusion attacks
- Never accept tokens with
alg: "none" - Set appropriate expiration times and use minimal leeway
- Validate issuer and audience claims when possible
- Use strong, random secrets for HMAC algorithms
- Keep private keys secure and rotate them regularly
Feature Flags
hs- Enable HMAC algorithms (HS256, HS384, HS512)rs- Enable RSA algorithms (RS256, RS384, RS512)es- Enable ECDSA algorithms (ES256, ES384, ES512)eddsa- Enable EdDSA algorithmjwk- Enable JWK/JWKS supportexplain- Enable detailed error explanations
License
Licensed under the MIT License (LICENSE-MIT or http://opensource.org/licenses/MIT).