const class crypto::Jwt
sys::Obj crypto::Jwt
Models a JSON Web Token (JWT) as specified by RFC7519
A JWT includes three sections:
- Javascript Object Signing and Encryption (JOSE) Header
- Claims
- Signature
11111111111.22222222222.33333333333
These sections are encoded as base64url strings and are separated by dot (.) characters.
The (alg) parameter must be set to a supported JWS algorithm.
The following JWS algorithms are supported:
- HS256 - HMAC using SHA-256
- HS384 - HMAC using SHA-384
- HS512 - HMAC using SHA-512
- RS256 - RSASSA-PKCS1-v1_5 using SHA-256
- RS384 - RSASSA-PKCS1-v1_5 using SHA-384
- RS512 - RSASSA-PKCS1-v1_5 using SHA-512
- ES256 - ECDSA using P-256 and SHA-256
- ES384 - ECDSA using P-256 and SHA-384
- ES512 - ECDSA using P-256 and SHA-512
- none - No digital signature or MAC performed
- alg
-
const Str algAlgorithm header
- aud
-
const Obj? audAudience claim for this token (Str or Str[])
If value is a Str it will converted to a Str[] of size 1
- claims
-
const Str:Obj claims := [Str:Obj][:]JWT Claims
- decode
-
static new decode(Str encoded, Key key, Duration clockDrift := 1min)Decode a
Jwtfrom an encoded StrProvide a
Key(PubKeyorSymKey) to verify the signatureIf the exp and/or nbf claims exist, those will be verified
jwk := [ "kty": "EC", "use": "sig", "crv": "P-256", "kid": "abcd", "x": "I59TOAdnJ7uPgPOdIxj-BhWSQBXKS3lsRZJwj5eIYAo", "y": "8FJEvVIZDjVBnrBJPRUCwtgS86rHoFl1kBfbjX9rOng", "alg": "ES256", ] ecJwk := Crypto.cur.loadJwk(jwk) jwt := Jwt.decode("1111.2222.3333", ecJwk.key) - encode
-
Provide a
Key(PrivKeyorSymKey) to sign and return the base64 encodedJwtNull key will return an unsigned base64 encoded JWT
The alg field must be set to a supported JWS algorithm
The following JWS Algorithms are supported:
- HS256 - HMAC using SHA-256
- HS384 - HMAC using SHA-384
- HS512 - HMAC using SHA-512
- RS256 - RSASSA-PKCS1-v1_5 using SHA-256
- RS384 - RSASSA-PKCS1-v1_5 using SHA-384
- RS512 - RSASSA-PKCS1-v1_5 using SHA-512
- ES256 - ECDSA using P-256 and SHA-256
- ES384 - ECDSA using P-256 and SHA-384
- ES512 - ECDSA using P-256 and SHA-512
- none - No digital signature or MAC performed
pair := Crypto.cur.genKeyPair("RSA", 2048) priv := pair.priv jwtStr := Jwt { it.alg = "RS256" it.claims = ["myClaim": "ClaimValue"] it.exp = DateTime.nowUtc + 10min it.iss = "https://fantom.accounts.dev" }.encode(priv) - exp
-
const DateTime? expExpiration claim for this token
When encoded, the value will be converted to UTC, the epoch const will be subtracted from this value and it will be converted to seconds
- header
-
const Str:Obj header := [Str:Obj][:]JOSE Header
- iat
-
const DateTime? iatIssued at claim for this token
When encoded, the value will be converted to UTC, the epoch const will be subtracted from this value and it will be converted to seconds
- iss
-
const Str? issIssuer claim for this token
- jti
-
const Str? jtiJWT ID claim for this token
- kid
-
const Str? kidKey ID header
When encoding this value will take precedent if the kid parameter is also set in the JOSE header
- make
-
new make(|This| f)It-block constructor
- nbf
-
const DateTime? nbfNot before claim for this token
When encoded, the value will be converted to UTC, the epoch const will be subtracted from this value and it will be converted to seconds
- sub
-
const Str? subSubject claim for this token
- verifyClaim
-
This verifyClaim(Str claim, Obj? expectedValue := null)Convenience function to check the value of a claim
If value of JWT claim is a List, this function checks that the expectedValue is contained in the List.
If expectedValue is null, just checks if the claim exists
Throws Err if claim does not exist or expectedValue does not match (or is not contained in the List)
jwt := Jwt.decode("1111.2222.3333", pubKey) .verifyClaim("iss", "https://fantom.accounts.dev")