Guardian.Token.Jwt (Guardian v2.4.0)

View Source

Deals with things JWT. This module should not be used directly.

It is intended to be used by Guardian on behalf of your implementation as its token module.

Token types are encoded in the typ field.

Configuration

Configuration should be added to the implementation module in either the configuration file or as options to use Guardian

Required

  • issuer - The issuer of the token. Your application name/id
  • secret_key - The secret key to use for the implementation module. This may be any resolvable value for Guardian.Config

Optional

  • token_verify_module - default Guardian.Token.Jwt.Verify. The module that verifies the claims
  • allowed_algos - The allowed algos to use for encoding and decoding. See JOSE for available. Default ["HS512"]
  • ttl - The default time to live for all tokens. See the type in Guardian.ttl. The default by Guardian.Token.JWT is {4, :weeks}
  • token_ttl a map of token_type to ttl. Set specific ttls for specific types of tokens
  • allowed_drift The drift that is allowed when decoding/verifying a token in milli seconds
  • verify_issuer Verify that the token was issued by the configured issuer. Default false
  • secret_fetcher A module used to fetch the secret. Default: Guardian.Token.Jwt.SecretFetcher

Options:

These options are available to encoding and decoding:

  • secret The secret key to use for signing
  • headers The Jose headers that should be used
  • allowed_algos - A list of allowable algos
  • token_type - Override the default token type. The default is "access"
  • ttl - The time to live. See Guardian.Token.ttl type

Example

# encode a simple token
{:ok, token, claims} =
  MyApp.Tokens.encode_and_sign(resource)

# encode a token with custom claims
{:ok, token, claims} =
  MyApp.Tokens.encode_and_sign(resource, %{some: "claim"})

# encode a token with a custom type
{:ok, token, claims} =
  MyApp.Tokens.encode_and_sign(resource, %{}, token_type: "refresh")

# encode a token with custom options
{:ok, token, claims} =
  MyApp.Tokens.encode_and_sign(
    resource,
    %{},
    secret: {MyModule, :get_my_secret, ["some", "args"]},
    ttl: {4, :weeks},
    token_type: "refresh"
  )

# decode a token
{:ok, claims} =
  MyApp.Tokens.decode_and_verify(token)

# decode a token and check literal claims
{:ok, claims} =
  MyApp.Tokens.decode_and_verify(token, %{"typ" => "refresh"})

# decode a token and check literal claims with options
{:ok, claims} =
  MyApp.Tokens.decode_and_verify(token,
    %{"typ" => "refresh"}, secret: {MyModule, :get_my_secret, ["some", "args"]})

# exchange a token
{:ok, {old_token, old_claims}, {new_token, new_claims}} =
  MyApp.Tokens.exchange(old_token, ["access", "refresh"], "access")

# exchange a token with options
{:ok, {old_token, old_claims}, {new_token, new_claims}} =
  MyApp.Tokens.exchange(old_token,
    ["access", "refresh"],
    "access" secret: {MyModule, :get_my_secret, ["some", "args"]}, ttl: {1, :hour})

# refresh a token using defaults
{:ok, {old_token, old_claims}, {new_token, new_claims}} = MyApp.Tokens.refresh(old_token)

# refresh a token using options
{:ok, {old_token, old_claims}, {new_token, new_claims}} =
  MyApp.Tokens.refresh(old_token, ttl: {1, :week}, secret: {MyMod, :get_secret, ["some", "args"})

Token verify module

The token verify module by default is Guardian.Token.Jwt.Verify.

This module implements the Guardian.Token.Verify behaviour. To customize your token validation you have 2 options.

  1. Implement the verify_claims callback on your implementation
  2. use Guardian.Token.Verify in your own module and use that.

To create your own verify module use Guardian.Token.Verify and configure your implementation to use it either through config files or when you setup your implementation.

defmodule MyApp.Tokens do
  use Guardian, otp_app: :my_app,
                token_verify_module: MyVerifyModule
  # ... snip
end

SecretFetcher

When you need dynamic secret verification, you should use a custom Guardian.Token.Jwt.SecretFetcher module.

This will allow you to use the header values to determine dynamically the key that should be used.

defmodule MyCustomSecretFetcher do
  use Guardian.Token.Jwt.SecretFetcher

  def fetch_signing_secret(impl_module, opts) do
    # fetch the secret for signing
  end

  def fetch_verifying_secret(impl_module, token_headers, opts) do
    # fetch the secret for verifying the token
  end
end

If the signing secret contains a "kid" (https://tools.ietf.org/html/rfc7515#section-4.1.4) it will be passed along to the signature to provide a hint about which secret was used.

This can be useful for specifying which public key to use during verification if you're using a public/private key rotation strategy.

An example implementation of this can be found here: https://gist.github.com/mpinkston/469009001b694d3ca162894d74c9bfe3

Summary

Functions

build_claims(mod, resource, sub, claims \\ %{}, options \\ [])

Builds the default claims for all JWT tokens.

create_token(mod, claims, options \\ [])

Create a token. Uses the claims, encodes and signs the token.

decode_token(mod, token, options \\ [])

Decodes the token and validates the signature.

exchange(mod, old_token, from_type, to_type, options)

Exchange a token of one type to another.

peek(mod, token)

Inspect the JWT without any validation or signature checking.

refresh(mod, old_token, options)

Refresh the token

revoke(mod, claims, token, options)

Revoking a JWT by default does not do anything.

token_id()

Generate unique token id.

verify_claims(mod, claims, options)

Verifies the claims.

Functions

build_claims(mod, resource, sub, claims \\ %{}, options \\ [])

Builds the default claims for all JWT tokens.

Note:

  • aud is set to the configured issuer unless aud is set

Options:

Options may override the defaults found in the configuration.

  • token_type - Override the default token type
  • ttl - The time to live. See Guardian.Token.ttl type

create_token(mod, claims, options \\ [])

Create a token. Uses the claims, encodes and signs the token.

The signing secret will be found first from the options. If not specified the secret key from the configuration will be used.

Configuration:

  • secret_key The secret key to use for signing

Options:

  • secret The secret key to use for signing
  • headers The Jose headers that should be used
  • allowed_algos

The secret may be in the form of any resolved value from Guardian.Config.

decode_token(mod, token, options \\ [])

Decodes the token and validates the signature.

Options:

  • secret - Override the configured secret. Guardian.Config.config_value is valid
  • allowed_algos - A list of allowable algos

exchange(mod, old_token, from_type, to_type, options)

Exchange a token of one type to another.

Type is encoded in the typ field.

Options:

  • secret - Override the configured secret. Guardian.Config.config_value is valid
  • allowed_algos - A list of allowable algos
  • ttl - The time to live. See Guardian.Token.ttl type

peek(mod, token)

Inspect the JWT without any validation or signature checking.

Return an map with keys: headers and claims.

refresh(mod, old_token, options)

Refresh the token

Options:

  • secret - Override the configured secret. Guardian.Config.config_value is valid
  • allowed_algos - A list of allowable algos
  • ttl - The time to live. See Guardian.Token.ttl type

revoke(mod, claims, token, options)

Revoking a JWT by default does not do anything.

You'll need to track the token in storage in some way and revoke in your implementation callbacks.

See GuardianDb for an example.

token_id()

Generate unique token id.

verify_claims(mod, claims, options)

Verifies the claims.

Options: