tvl-depot/net/alcoholic_jwt
Vincent Ambo a226639afa chore(alcoholic_jwt): update copyright header
The original copyright was released back in the day when Aprila and I
parted ways, and I'm happy with just assigning it to TVL.

Change-Id: I8fcba55bfa7f460b29e60f29e8fd24ffca2cd75b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5623
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2022-05-16 18:46:28 +00:00
..
src chore(alcoholic_jwt): update copyright header 2022-05-16 18:46:28 +00:00
.gitignore chore(alcoholic_jwt): Prepare for depot merge 2019-12-21 01:24:02 +00:00
Cargo.lock chore(alcoholic_jwt): base64: 0.10 -> 0.13 2022-05-16 18:45:33 +00:00
Cargo.toml chore(alcoholic_jwt): base64: 0.10 -> 0.13 2022-05-16 18:45:33 +00:00
default.nix feat(alcoholic_jwt): Add Nix build for crate 2021-08-15 14:18:59 +00:00
LICENSE chore(alcoholic_jwt): Prepare for depot merge 2019-12-21 01:24:02 +00:00
README.md docs(alcoholic_jwt): add 'contributing' section to docs 2022-05-16 18:45:33 +00:00

alcoholic_jwt

This is a library for validation of RS256 JWTs using keys from a JWKS. Nothing more, nothing less.

RS256 is the most commonly used asymmetric signature mechanism for JWTs, encountered in for example Google's or Aprila's APIs.

The name of the library stems from the potential side-effects of trying to use the other Rust libraries that are made for similar purposes.

Usage overview

You are retrieving JWTs from some authentication provider that uses RS256 signatures and provides its public keys in JWKS format.

Example for a token that provides the key ID used for signing in the kid claim:

extern crate alcoholic_jwt;

use alcoholic_jwt::{JWKS, Validation, validate, token_kid};

// The function implied here would usually perform an HTTP-GET
// on the JWKS-URL for an authentication provider and deserialize
// the result into the `alcoholic_jwt::JWKS`-struct.
let jwks: JWKS = jwks_fetching_function();

let token: String = some_token_fetching_function();

// Several types of built-in validations are provided:
let validations = vec![
  Validation::Issuer("auth.test.aprila.no".into()),
  Validation::SubjectPresent,
];

// If a JWKS contains multiple keys, the correct KID first
// needs to be fetched from the token headers.
let kid = token_kid(&token)
    .expect("Failed to decode token headers")
    .expect("No 'kid' claim present in token");

let jwk = jwks.find(&kid).expect("Specified key not found in set");

validate(token, jwk, validations).expect("Token validation has failed!");

Under the hood

This library aims to only use trustworthy off-the-shelf components to do the work. Cryptographic operations are provided by the openssl crate, JSON-serialisation is provided by serde_json.

Contributing

This project is developed in the TVL monorepo. To work on it, you can either use a local clone of the entire repository or clone just the alcoholic_jwt subtree:

https://code.tvl.fyi/depot.git:/net/alcoholic_jwt.git

Please follow the TVL contribution guidelines.