mdebray/tvl-depot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
No description
6 commits 5 branches 0 tags 172 MiB
CSS 33%
Nix 26.8%
Rust 19.3%
Haskell 5.8%
Emacs Lisp 4.5%
Other 10.1%
Find a file
Vincent Ambo 4b5dc17fc8 feat: Introduce validation of JWT signatures 
Introduces the internal function for validating JWT signatures. The
process is relatively straightforward:

1. Create an OpenSSL signature verifier using the public key from the
   JWK.

2. Split the JWT into the data (header + claims) and signature parts.

3. Validate the data against the signature using the verifier from (1)

OpenSSL "cleanly" returns a boolean in case of an invalid signature,
but an otherwise successful operation.

This is represented differently in the returned error variant, with an
invalid signature being represented as `InvalidSignature`, and other
errors as the `OpenSSL` error variant which wraps the underlying
OpenSSL issue.

Successful validation returns an empty `Ok` result.
2018-09-04 12:45:27 +02:00
src feat: Introduce validation of JWT signatures 2018-09-04 12:45:27 +02:00
.gitignore feat: Add initial public API skeleton 2018-09-04 12:45:27 +02:00
Cargo.toml feat: Add initial public API skeleton 2018-09-04 12:45:27 +02:00
CODE_OF_CONDUCT.md docs: Add code of conduct 2018-09-04 12:45:26 +02:00
README.md docs: Add initial README 2018-09-04 12:45:26 +02:00

README.md

alcoholic_jwt

This is a barebones library for validation of RS256 JWTs using keys from a JWKS. Nothing more, nothing less.

The name of the library stems from the potential side-effects of trying to use the other Rust libraries that are made for similar purposes.

Usage overview

You are retrieving JWTs from some authentication provider that uses RS256 signatures and provides its public keys in JWKS format.

Example for a token that provides the key ID used for signing in the kid claim:

extern crate alcoholic_jwt;

use alcoholic_jwt::{JWKS, Validation, validate, token_kid};

fn validate_token() {
    // serde instances provided
    let jwks: JWKS = some_http_client(jwks_url).json();

    let token: String = some_token_fetcher();

    // Several types of built-in validations are provided:
    let validations = vec![
      Validation::Issuer("some-issuer"),
      Validation::Audience("some-audience"),
      Validation::SubjectPresent,
    ];

    // Extracting a KID is about the only safe operation that can be
    // done on a JWT before validating it.
    let kid = token_kid(token).expect("No 'kid' claim present in token");

    let jwk = jwks.find(kid).expect("Specified key not found in set");

    match validate(token, jwk, validations) {
      Valid => println!("Token is valid!"),
      InvalidSignature(reason) => println!("Token signature invalid: {}", reason),
      InvalidClaims(reasons) => {
          println!("Token claims are totally invalid!");
          for reason in reasons {
              println!("Validation failure: {}", reason);
          }
      },
    }
}

Under the hood

This library aims to only use trustworthy off-the-shelf components to do the work. Cryptographic operations are provided by the openssl crate, JSON-serialisation is provided by serde_json.