Commit graph

23 commits

Author SHA1 Message Date
Vincent Ambo
cc1ee9c81d fix: Allow trailing bits in base64 encodings
After upgrading the base64 library, tests were failing because the new
default of the library is to disallow trailing bits in JWTs.

Some JWT provider implementations do however use this "forgiving"
version of base64-encoding, hence it is required for token validation.

This adds a base64::Config with the appropriate settings and also
chains base64-errors separately from other token errors.
2019-02-13 14:18:07 +01:00
Vincent Ambo
4051fe0ec8 chore(Cargo): Update base64 dependency 2019-02-13 14:18:07 +01:00
Vincent Ambo
5eefd71bf1 chore: Add repository URL to Cargo manifest 2018-09-04 14:56:06 +02:00
Vincent Ambo
5cb7dd7ca0 feat(build): Configure Travis CI builds 2018-09-04 14:50:58 +02:00
Vincent Ambo
0c3cdee5ee chore: Make JWKS type Cloneable 2018-09-04 14:40:41 +02:00
Vincent Ambo
64a480ccb7 fix: validate() does not require ownership of the token string
Thanks to @bvs for pointing this out.
2018-09-04 13:01:14 +02:00
Vincent Ambo
89af12444a chore: License under GPL-3.0-or-later 2018-09-04 12:48:11 +02:00
Vincent Ambo
29dfb6826f docs: Update README to match new library API 2018-09-04 12:48:11 +02:00
Vincent Ambo
dd527ecdf1 feat: Implement claim validation
Implements initial validations of token claims. The included
validations are:

* validation of token issuer
* validation of token audience
* validation that a subject is set
* validation that a token is not expired
2018-09-04 12:45:27 +02:00
Vincent Ambo
ae409995ca fix: Handle warning about unused kty & alg fields
These fields are only used to constrain deserialisation to the
supported values, but have no further effect.

`rustc` throws warnings about them not being used, which this commit
disables.
2018-09-04 12:45:27 +02:00
Vincent Ambo
5f8f252f68 test: Ensure library doctest compiles & runs correctly 2018-09-04 12:45:27 +02:00
Vincent Ambo
7c99220723 refactor: Pass 'String' to token_kid instead of internal type 2018-09-04 12:45:27 +02:00
Vincent Ambo
b6eedbfe16 feat: Initial implementation of 'validate' function
Implements the logic for validating a token signature and returning
its decoded headers and claims.

This does not yet apply claim validations, as those have not been
specified yet.
2018-09-04 12:45:27 +02:00
Vincent Ambo
37652545b4 feat: Introduce ValidJWT type to represent validated & decoded JWT
Introduces a new struct type which contains the token's headers and
claims as JSON values. This is constructed by validating a token and
allows library users to deal with the deserialised values as they
please.
2018-09-04 12:45:27 +02:00
Vincent Ambo
b3e8f7a91f refactor: Introduce helper for deserialising token parts
There are multiple points in the code where a token part needs to be
deserialised (i.e. first base64-decoded, then JSON-deserialised). This
is extracted to a helper function in this commit.
2018-09-04 12:45:27 +02:00
Vincent Ambo
33c122f10e feat: Implement extraction of KIDs from unvalidated tokens 2018-09-04 12:45:27 +02:00
Vincent Ambo
5bd7a91d10 test: Add simple test for working JWT validation 2018-09-04 12:45:27 +02:00
Vincent Ambo
4b5dc17fc8 feat: Introduce validation of JWT signatures
Introduces the internal function for validating JWT signatures. The
process is relatively straightforward:

1. Create an OpenSSL signature verifier using the public key from the
   JWK.

2. Split the JWT into the data (header + claims) and signature parts.

3. Validate the data against the signature using the verifier from (1)

OpenSSL "cleanly" returns a boolean in case of an invalid signature,
but an otherwise successful operation.

This is represented differently in the returned error variant, with an
invalid signature being represented as `InvalidSignature`, and other
errors as the `OpenSSL` error variant which wraps the underlying
OpenSSL issue.

Successful validation returns an empty `Ok` result.
2018-09-04 12:45:27 +02:00
Vincent Ambo
17e3a6560a refactor: Move tests to separate file 2018-09-04 12:45:27 +02:00
Vincent Ambo
d3b200e820 refactor: Use error enum + result type alias for failures
This makes the library slightly more "rusty". Instead of returning a
validation result which also represents potential success, use an enum
representing the error variants and the standard library's
`Result`-type to represent success/failure.
2018-09-04 12:45:27 +02:00
Vincent Ambo
0f8231e990 feat: Add initial public API skeleton 2018-09-04 12:45:27 +02:00
Vincent Ambo
d0a52de5e8 docs: Add code of conduct 2018-09-04 12:45:26 +02:00
Vincent Ambo
b916554ac5 docs: Add initial README 2018-09-04 12:45:26 +02:00