Pack jwt_io -- prolog/jwt_io.pl
Generates and verifies JSON Web Tokens.
The module requires libjwt to compile.
In addition to jwt_encode/3 and jwt_decode/3, the following settings are required for proper functionality:
jwt_io:clock_tolerance: (default 60) number of seconds to tolerate differences between the encoding and decoding times.
jwt_io:audience: audience identifier for tokens - tokens that don't have this audience won't be decoded.
jwt_io:jti_generator: (default 'uuid') predicate for generating unique JTIs.
jwt_io:blacklist_check: (default 'jwt_io:check_blacklist_default') predicate for checking JTIs against blacklisted JTIs.
jwt_io:blacklist_add: (default 'jwt_io:add_to_blacklist_default') predicate for adding to the list of blacklisted JTIs.
jwt_io:keys: list of keys to use. It is a list of dicts, each with the following fields:
    kid: key id for identifying the key to use.
    type: type of the key, one of HMAC, RSA or ECDSA.
    algorithm: algorithm to use, one of HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384 or ES512.
    key: private key to use - string for HMAC, private key file for RSA and private PEM file for ECDSA. Optional for decoding, mandatory for encoding.
    public_key: public key to use - irrelevant for HMAC, public key file for RSA and public PEM file for ECDSA.
RSA keys can be generated by:
    ssh-keygen -t rsa -b 4096 -f sample.key
    openssl rsa -in sample.key -pubout -outform PEM -out sample.key.pub
ECDSA keys can be generated by:
    openssl ecparam -genkey -name secp256k1 -noout -out sample-private.pem
    openssl ec -in sample-private.pem -pubout -out sample-public.pem
jwt_io:keys setting.
If jwt_io:audience is set, the aud key is added to the token.
The iat key is always added to the token.
The iss key is added if it is defined in the jwt_io:keys setting.
The kid key is added from the jwt_io:keys setting.
The jti key is added by making use of the jwt_io:jti_generator setting.
jti is checked in the blacklist defined by the jwt_io:blacklist_check setting, and valid JWTs are added to the blacklist defined by the jwt_io:blacklist_add setting.
If exp is present, decoding fails if the time is past exp.
If nbf is present, decoding fails if the time is before nbf.
iat is checked for validity.
The following options are recognized:
The following predicates are exported, but not or incorrectly documented.
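The key-dict rules of the jwt_io:keys setting and the aud, iat, iss, kid, jti, exp and nbf handling described for jwt_encode/3 and jwt_decode/3 above, modelled in Python as an added example. This is not the pack's Prolog code and it does no signing; it only exercises the configuration and claim checks that surround signing. Assumptions not stated on the page: clock_tolerance is applied as leeway on exp, nbf and iat; kid is carried in the payload; an in-memory set stands in for the blacklist_check/blacklist_add predicates; the key entries, issuer name, secret and timestamps are constructed sample values.

```python
import time
import uuid

# Algorithms the documentation allows for each key type.
ALGORITHMS = {
    "HMAC": {"HS256", "HS384", "HS512"},
    "RSA": {"RS256", "RS384", "RS512"},
    "ECDSA": {"ES256", "ES384", "ES512"},
}


def check_key(entry, for_encoding):
    """Validate one jwt_io:keys dict; raise ValueError on a bad entry."""
    for field in ("kid", "type", "algorithm"):
        if field not in entry:
            raise ValueError(f"key entry missing {field}")
    ktype, alg = entry["type"], entry["algorithm"]
    if ktype not in ALGORITHMS:
        raise ValueError(f"unknown key type {ktype}")
    if alg not in ALGORITHMS[ktype]:
        raise ValueError(f"{alg} is not a {ktype} algorithm")
    # key is optional for decoding, mandatory for encoding.
    if for_encoding and not entry.get("key"):
        raise ValueError(f"kid {entry['kid']}: private key required to encode")
    # Asymmetric verification needs the public key file.
    if not for_encoding and ktype != "HMAC" and not entry.get("public_key"):
        raise ValueError(f"kid {entry['kid']}: public key required to decode")
    return entry


def find_key(keys, kid, for_encoding):
    """Select the entry whose kid matches and validate it for the operation."""
    for entry in keys:
        if entry.get("kid") == kid:
            return check_key(entry, for_encoding)
    raise KeyError(f"no key with kid {kid}")


class Policy:
    """Settings plus per-token rules. The blacklist set is an assumed
    in-memory stand-in for the blacklist_check / blacklist_add predicates."""

    def __init__(self, keys, audience=None, clock_tolerance=60):
        self.keys = keys
        self.audience = audience
        self.clock_tolerance = clock_tolerance
        self.blacklist = set()

    def encode_claims(self, kid, claims, now=None):
        """Claims that would be signed: caller's claims plus aud, iat, iss, kid, jti."""
        now = int(time.time() if now is None else now)
        key = find_key(self.keys, kid, for_encoding=True)
        out = dict(claims)
        out["iat"] = now                    # always added
        out["kid"] = key["kid"]             # taken from the key entry
        if self.audience:                   # only when the setting is set
            out["aud"] = self.audience
        if "iss" in key:                    # only when the key entry defines it
            out["iss"] = key["iss"]
        out["jti"] = str(uuid.uuid4())      # default jti_generator is 'uuid'
        return out

    def decode_claims(self, claims, now=None):
        """Checks applied after signature verification; returns the claims
        or raises. Leeway on exp/nbf/iat is an assumed use of clock_tolerance."""
        now = int(time.time() if now is None else now)
        tol = self.clock_tolerance
        find_key(self.keys, claims.get("kid"), for_encoding=False)
        if self.audience and claims.get("aud") != self.audience:
            raise ValueError("audience mismatch")
        if "exp" in claims and now > claims["exp"] + tol:
            raise ValueError("token expired")
        if "nbf" in claims and now < claims["nbf"] - tol:
            raise ValueError("token not yet valid")
        if "iat" not in claims or claims["iat"] > now + tol:
            raise ValueError("iat missing or in the future")
        jti = claims.get("jti")
        if jti is None or jti in self.blacklist:
            raise ValueError("jti missing or already used")
        self.blacklist.add(jti)             # valid tokens become single-use
        return claims


def raises(fn, *args, **kwargs):
    """True when fn(...) raises ValueError or KeyError; exercises rejections."""
    try:
        fn(*args, **kwargs)
    except (ValueError, KeyError):
        return True
    return False


# Constructed sample configuration (not real key material).
SAMPLE_KEYS = [
    {"kid": "hmac1", "type": "HMAC", "algorithm": "HS256",
     "key": "constructed-secret", "iss": "example-issuer"},
    {"kid": "rsa1", "type": "RSA", "algorithm": "RS256",
     "public_key": "sample.key.pub"},   # verify-only entry: no private key
]
```

Because every successfully decoded jti is added to the blacklist, a token presented twice is refused on the second decode; the checks are deliberately ordered so that key lookup and audience are settled before any time-based or jti state is consulted.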