Guardian

v1.0.0-beta.0

Guardian v1.0.0-beta.0 Guardian.Token.Jwt View Source

Deals with things JWT This module should not be used directly. It is intended to be used by Guardian on behalf of your implementation as it’s token module.

Token types are encoded in the typ field.

Configuration

Configuration should be added to the implementation module in either the configuration file or as options to use Guardian

Required

  • issuer - The issuer of the token. Your application name/id
  • secret_key - The secret key to use for the implementation module. This may be any resolvable value for Guardian.Config

Optional

  • token_verify_module - default Guardian.Token.Jwt.Verify. The module that verifies the claims
  • allowed_algos - The allowed algos to use for encoding and decoding. See JOSE for available. Default [“HS512”]
  • ttl - The default time to live for all tokens. See the type in Guardian.ttl
  • token_ttl a map of token_type to ttl. Set specific ttls for specific types of tokens
  • allowed_drift The drift that is allowed when decoding/verifying a token in milli seconds
  • verify_issuer Verify that the token was issued by the configured issuer. Default false

Options:

These options are available to encoding and decoding:

  • secret The secret key to use for signing
  • headers The Jose headers that should be used
  • allowed_algos
  • token_type - Override the default token type
  • token_ttl - The time to live. See Guardian.Token.ttl type

Example

# encode a simple token
{:ok, token, claims} =
  MyApp.Tokens.encode_and_sign(resource)

# encode a token with custom claims
{:ok, token, claims} =
  MyApp.Tokens.encode_and_sign(resource, %{some: "claim"})

# encode a token with a custom type
{:ok, token, claims} =
  MyApp.Tokens.encode_and_sign(resource, %{}, token_type: "refresh")

# encode a token with custom options
{:ok, token, claims} =
  MyApp.Tokens.encode_and_sign(
    resource,
    %{},
    secret: {MyModule, :get_my_secret},
    token_ttl: {4, :weeks},
    token_type: "refresh"
  )

# decode a token
{:ok, claims} =
  MyApp.Tokens.decode_and_verify(token)

# decode a token and check literal claims
{:ok, claims} =
  MyApp.Tokens.decode_and_verify(token, %{"typ" => "refresh"})

# decode a token and check literal claims with options
{:ok, claims} =
  MyApp.Tokens.decode_and_verify(token, %{"typ" => "refresh"} secret: {MyModule, :get_my_secret})

# exchange a token
{:ok, {old_token, old_claims}, {new_token, new_claims}} =
  MyApp.Tokens.exchange(old_token, ["access", "refresh"], "access")

# exchange a token with options
{:ok, {old_token, old_claims}, {new_token, new_claims}} =
  MyApp.Tokens.exchange(old_token, ["access", "refresh"], "access" secret: {MyModule, :get_my_secret}, token_ttl: {1, :hour})

# refresh a token using defaults
{:ok, {old_token, old_claims}, {new_token, new_claims}} = MyApp.Tokens.refresh(old_token)

# refresh a token using options
{:ok, {old_token, old_claims}, {new_token, new_claims}} =
  MyApp.Tokens.refresh(old_token, token_ttl: {1, :week}, secret: {MyMod, :get_secret})

Token verify module

The token verify module by default is Guardian.Token.Jwt.Verify.

This module implements the Guardian.Token.Verify behaviour. To customize your token validation you have 2 options.

  1. Implement the verify_claims callback on your implementation
  2. use Guardian.Token.Verify in your own module and use that.

To create your own verify module use Guardian.Token.Verify and configure your implementation to use it either through config files or when you setup your implementation.

defmodule MyApp.Tokens do
  use Guardian, otp_app: :my_app,
                token_verify_module: MyVerifyModule
  # ... snip
end

Link to this section Summary

Functions

build_claims(mod, resource, sub, claims \\ %{}, options \\ [])

Builds the default claims for all JWT tokens

create_token(mod, claims, options \\ [])

Create a token. Uses the claims, encodes and signs the token

decode_token(mod, token, options \\ [])

Decodes the token and validates the signature

exchange(mod, old_token, from_type, to_type, options)

Exchange a token of one type to another

peek(token)

Inspect the JWT without any validation or signature checking

refresh(mod, old_token, options)

Refresh the token

revoke(mod, claims, token, options)

Revoking a JWT by default does not do anything. You’ll need to track the token in storage in some way and revoke in your implementation callbacks. See GuardianDb for an example

token_id()

Generate unique token id

verify_claims(mod, claims, options)

Verifies the claims

Link to this section Functions

Link to this function build_claims(mod, resource, sub, claims \\ %{}, options \\ []) View Source

Builds the default claims for all JWT tokens.

Note:

  • aud is set to the configured issuer unless aud is set

Options:

Options may override the defaults found in the configuration.

  • token_type - Override the default token type
  • token_ttl - The time to live. See Guardian.Token.ttl type
Link to this function create_token(mod, claims, options \\ []) View Source

Create a token. Uses the claims, encodes and signs the token.

The signing secret will be found first from the options. If not specified the secret key from the configuration will be used.

Configuration:

  • secret_key The secret key to use for signing

Options:

  • secret The secret key to use for signing
  • headers The Jose headers that should be used
  • allowed_algos

The secret may be in the form of any resolved value from Guardian.Config

Link to this function decode_token(mod, token, options \\ []) View Source

Decodes the token and validates the signature.

Options:

  • secret - Override the configured secret. Guardian.Config.config_value is valid
  • allowed_algos - a list of allowable algos
Link to this function exchange(mod, old_token, from_type, to_type, options) View Source

Exchange a token of one type to another.

Type is encoded in the typ field.

Options:

  • secret - Override the configured secret. Guardian.Config.config_value is valid
  • allowed_algos - a list of allowable algos
  • token_ttl - The time to live. See Guardian.Token.ttl type
Link to this function peek(token) View Source

Inspect the JWT without any validation or signature checking.

Return an map with keys: headers and claims

Link to this function refresh(mod, old_token, options) View Source

Refresh the token

Options:

  • secret - Override the configured secret. Guardian.Config.config_value is valid
  • allowed_algos - a list of allowable algos
  • token_ttl - The time to live. See Guardian.Token.ttl type
Link to this function revoke(mod, claims, token, options) View Source

Revoking a JWT by default does not do anything. You’ll need to track the token in storage in some way and revoke in your implementation callbacks. See GuardianDb for an example.

Link to this function token_id() View Source

Generate unique token id

Link to this function verify_claims(mod, claims, options) View Source

Verifies the claims.

Configuration:

  • token_verify_module Default Guardian.Token.Jwt.Verify the module to use to verify the claims