Did you know ... Search Documentation:
Pack jwt_io -- prolog/jwt_io.pl
PublicShow source

Generates and verifies Json Web Tokens.

The module requires libjwt to compile.

In addition to jwt_encode/3 and jwt_decode/3, the following settings are required for proper functionality:

  • jwt_io:clock_tolerance: (default 60) number of seconds to tolerate differences between the encoding and decoding times.
  • jwt_io:audience: audience identifier for tokens - tokens that don't have this audience won't be decoded.
  • jwt_io:jti_generator: (default 'uuid') predicate for generating unique JTIs
  • jwt_io:blacklist_check: (default 'jwt_io:check_blacklist_default') predicate for checking JTIs against blacklisted JTIs.
  • jwt_io:blacklist_add: (default 'jwt_io:add_to_blacklist_default') predicate for adding to the list of blacklisted JTIs.
  • jwt_io:keys: list of keys to use. It consists of a list of dicts, consisting of:
    • kid: key id for identifying the key to use
    • type: type of the key, one of HMAC, RSA or ECDSA.
    • algorithm: algorithm to use, one of HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384 or ES512.
    • key: private key to use - string for HMAC, private key file for RSA and private PEM file for ECDSA.
    • public_key: public key to use - irrelevant for HMAC, public key file for RSA and public PEM file for ECDSA.

RSA keys can be generated by:

ssh-keygen -t rsa -b 4096 -f sample.key
openssl rsa -in sample.key -pubout -outform PEM -out sample.key.pub

ECDSA keys can be generated by:

openssl ecparam -genkey -name secp256k1 -noout -out sample-private.pem
openssl ec -in sample-private.pem -pubout -out sample-public.pem
author
- Can Bican
See also
- https://jwt.io/
- https://github.com/benmcollins/libjwt
license
- BSD
 jwt_encode(+KeyId:atom, +Claims:dict, -Token:string) is semidet
Generates a JWT token.
  • Algorithm and keys are chosen from jwt_io:keys setting.
  • If jwt_io:audience is set, aud key is added to the token.
  • iat key is always added to the token.
  • iss key is added If it is defined in the jwt_io:keys setting.
  • kid key is added from jwt_io:keys setting.
  • jti key is added by making use of jwt_io:jwt_generator setting.
Arguments:
KeyId- the key to use for signing the token
Claims- contents of the key
Token- resulting token
 jwt_decode(+Data:atom, -Payload:dict, +Options:options) is semidet
Decodes a generated JWT token.
  • jti is checked in the blacklist defined by jwt_id:blacklist_check setting, and valid JWTs are added to blacklist defined by jwt_io:blacklist_add setting.
  • If exp is present, decoding fails if the time is past exp.
  • If nbf is present, decoding fails if the time is before nbf.
  • iat is checked for validity.

The following options are recognized:

aud(+Audience)
Audience for the token - if the audiences don't match, decoding fails.
iss(+Issuer)
Issuer for the token - if the issuers don't match, decoding fails.
Arguments:
Data- signed JWT token
Payload- contents of the token
Options- options