sd-jwt-0.1.0.0: Selective Disclosure for JSON Web Tokens (RFC 9901)
Safe Haskell: None
Language: Haskell2010

SDJWT.Internal.JWT

Description

JWT signing and verification using the jose library.

This module provides functions for signing and verifying JWTs using the jose library. It supports both Text-based JWK strings and jose JWK objects.

Documentation

signJWT
  :: JWKLike jwk
  => jwk                          -- ^ Private key JWK (Text or jose JWK object)
  -> Value                        -- ^ JWT payload
  -> IO (Either SDJWTError Text)

Sign a JWT payload using a private key.

Returns the signed JWT as a compact string, or an error. Automatically detects key type and uses:

  • PS256 for RSA keys (default, RS256 also supported via JWK "alg" field)
  • EdDSA for Ed25519 keys
  • ES256 for EC P-256 keys

signJWTWithOptionalTyp
  :: JWKLike jwk
  => Maybe Text                   -- ^ Optional typ header value (RFC 9901 Section 9.11 recommends explicit typing)
  -> jwk                          -- ^ Private key JWK (Text or jose JWK object)
  -> Value                        -- ^ JWT payload
  -> IO (Either SDJWTError Text)

Sign a JWT payload with optional typ header parameter.

This function allows setting a typ header for issuer-signed JWTs (RFC 9901 Section 9.11 recommends explicit typing, e.g., "sd-jwt" or "example+sd-jwt"). Use signJWT for default behavior (no typ header).

Returns the signed JWT as a compact string, or an error.

signJWTWithHeaders
  :: JWKLike jwk
  => Maybe Text                   -- ^ Optional typ header value (RFC 9901 Section 9.11 recommends explicit typing, e.g., "sd-jwt")
  -> Maybe Text                   -- ^ Optional kid header value (Key ID for key management)
  -> jwk                          -- ^ Private key JWK (Text or jose JWK object)
  -> Value                        -- ^ JWT payload
  -> IO (Either SDJWTError Text)

Sign a JWT payload with optional typ and kid header parameters.

This function allows setting typ and kid headers for issuer-signed JWTs. Both headers are supported natively through jose's API.

Returns the signed JWT as a compact string, or an error.

signJWTWithTyp
  :: JWKLike jwk
  => Text                         -- ^ typ header value (e.g., "kb+jwt" for KB-JWT)
  -> jwk                          -- ^ Private key JWK (Text or jose JWK object)
  -> Value                        -- ^ JWT payload
  -> IO (Either SDJWTError Text)

Sign a JWT payload with a custom typ header parameter.

This function constructs the JWT header with the specified typ value, then signs the JWT. This is needed for KB-JWT which requires typ: "kb+jwt" (RFC 9901 Section 4.3).

Supports all algorithms: EC P-256 (ES256), RSA (PS256 default, RS256 also supported), and Ed25519 (EdDSA).

Returns the signed JWT as a compact string, or an error.

verifyJWT
  :: JWKLike jwk
  => jwk                          -- ^ Public key JWK (Text or jose JWK object)
  -> Text                         -- ^ JWT to verify as a compact string
  -> Maybe Text                   -- ^ Required typ header value (Nothing = allow any/none, Just "sd-jwt" = require exactly "sd-jwt")
  -> IO (Either SDJWTError Value)

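Verify a JWT signature using a public key. When a required typ value is given, the JWT's typ header must match it exactly; with Nothing, any typ header (or none) is allowed.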

Returns the decoded payload if verification succeeds, or an error.
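
The typ handling documented for signJWTWithTyp and verifyJWT, shown as an added example that is not part of the package's own documentation or code. It assumes Value is aeson's Value; the key pair is the public Ed25519 test key from RFC 8037 Appendix A, and the payload claims are constructed sample values.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import Data.Aeson (Value, object, (.=))
import Data.Text (Text)
import SDJWT.Internal.JWT (signJWTWithTyp, verifyJWT)

-- Ed25519 test key pair published in RFC 8037, Appendix A.
-- It is a public test vector: never use it outside examples.
privJWK, pubJWK :: Text
privJWK =
  "{\"kty\":\"OKP\",\"crv\":\"Ed25519\",\
  \\"d\":\"nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A\",\
  \\"x\":\"11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo\"}"
pubJWK =
  "{\"kty\":\"OKP\",\"crv\":\"Ed25519\",\
  \\"x\":\"11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo\"}"

-- Constructed sample claims (assumes the payload type is aeson's Value).
payload :: Value
payload = object
  [ "nonce" .= ("constructed-nonce" :: Text)
  , "aud"   .= ("https://verifier.example" :: Text)
  , "iat"   .= (1700000000 :: Int)
  ]

-- Summarise a result without assuming SDJWTError has a Show instance.
outcome :: Either e a -> String
outcome = either (const "rejected") (const "accepted")

main :: IO ()
main = do
  -- Sign with the typ the page gives for key binding JWTs.
  signed <- signJWTWithTyp "kb+jwt" privJWK payload
  case signed of
    Left _ -> putStrLn "signing failed"
    Right jwt -> do
      -- Verifier pins the typ it expects for this kind of token.
      pinned <- verifyJWT pubJWK jwt (Just "kb+jwt")
      putStrLn ("typ pinned to kb+jwt: " <> outcome pinned)
      -- Same valid signature, but presented where an "sd-jwt" is required.
      confused <- verifyJWT pubJWK jwt (Just "sd-jwt")
      putStrLn ("typ pinned to sd-jwt: " <> outcome confused)
      -- Nothing leaves the typ header unchecked; only the signature counts.
      unpinned <- verifyJWT pubJWK jwt Nothing
      putStrLn ("typ not pinned:       " <> outcome unpinned)
```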

parseJWKFromText :: Text -> Either SDJWTError JWK

Parse a JWK from JSON Text.

Parses a JSON Web Key (JWK) from its JSON representation. Supports RSA, Ed25519, and EC P-256 keys.

The JWK JSON format follows RFC 7517. Examples:

  • RSA public key: {"kty":"RSA","n":"...","e":"..."}
  • Ed25519 public key: {"kty":"OKP","crv":"Ed25519","x":"..."}
  • EC P-256 public key: {"kty":"EC","crv":"P-256","x":"...","y":"..."}
  • RSA private key: {"kty":"RSA","n":"...","e":"...","d":"...","p":"...","q":"..."}
  • Ed25519 private key: {"kty":"OKP","crv":"Ed25519","d":"...","x":"..."}
  • EC P-256 private key: {"kty":"EC","crv":"P-256","d":"...","x":"...","y":"..."}

class JWKLike a where

Type class for types that can be converted to a jose JWK.

This allows functions to accept both Text (JWK JSON strings) and jose JWK objects. Users can pass JWK strings directly without importing jose, or pass jose JWK objects if they're already working with the jose library.

Methods

toJWK :: a -> Either SDJWTError JWK

Convert to a jose JWK object.

Instances

JWKLike JWK

JWK instance: identity conversion (already a JWK).

Defined in SDJWT.Internal.JWT

JWKLike Text

Text instance: parse JWK from JSON string.

Defined in SDJWT.Internal.JWT