Guardian v0.1.0 Guardian.Token.Jwe
Deals with all things JWE.
This module should not be used directly. It is intended to be used by Guardian on behalf of your implementation as its token module.
The usage is exactly the same as JWTs, but JWE encryption is more strict about secret key sizes.
The secret_key bit sizes must be exact for AnnnGCMKW algorithms.
Specifically sized secrets can be generated by running mix guardian.gen.secret <byte_size>.
For secrets < 32 bytes, generate the secret and trim the result.
A128GCMKW - 128 bits/16 bytes
A192GCMKW - 192 bits/24 bytes
A256GCMKW - 256 bits/32 bytes
A512GCMKW - 512 bits/64 bytes
Supported algorithms:
A128GCMKW
A192GCMKW
A256GCMKW
A512GCMKW
PBES2-HS256+A128KW
PBES2-HS384+A192KW
PBES2-HS512+A256KW
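The exact-size rule above, as an added Elixir example that is not part of Guardian or of this page. JweSecretCheck, validate/2 and trim/2 are hypothetical names, and the generated secret is a constructed stand-in for a generated 32-byte secret.

```elixir
defmodule JweSecretCheck do
  # Hypothetical helper, not part of Guardian. Sizes are the ones listed above.
  @required_bytes %{
    "A128GCMKW" => 16,
    "A192GCMKW" => 24,
    "A256GCMKW" => 32,
    "A512GCMKW" => 64
  }

  # Returns :ok only when the secret has exactly the required byte size.
  def validate(algo, secret) when is_binary(algo) and is_binary(secret) do
    case Map.fetch(@required_bytes, algo) do
      {:ok, size} when byte_size(secret) == size -> :ok
      {:ok, size} -> {:error, {:bad_secret_size, size, byte_size(secret)}}
      # PBES2-* algorithms have no exact-size rule on this page.
      :error -> {:error, {:no_size_rule, algo}}
    end
  end

  # Trims a longer generated secret down to the exact size for `algo`.
  # Counts bytes, not characters, and never pads a secret that is too short.
  def trim(algo, secret) when is_binary(algo) and is_binary(secret) do
    case Map.fetch(@required_bytes, algo) do
      {:ok, size} when byte_size(secret) >= size -> {:ok, binary_part(secret, 0, size)}
      {:ok, size} -> {:error, {:secret_too_short, size, byte_size(secret)}}
      :error -> {:error, {:no_size_rule, algo}}
    end
  end
end

# Constructed stand-in for a 32-byte generated secret (not real mix task output).
generated = :crypto.strong_rand_bytes(32) |> Base.encode64() |> binary_part(0, 32)

# A 32-byte secret is rejected for A128GCMKW until it is trimmed to 16 bytes.
{:error, {:bad_secret_size, 16, 32}} = JweSecretCheck.validate("A128GCMKW", generated)
{:ok, trimmed} = JweSecretCheck.trim("A128GCMKW", generated)
:ok = JweSecretCheck.validate("A128GCMKW", trimmed)

# The same secret already fits A256GCMKW and is too short for A512GCMKW.
:ok = JweSecretCheck.validate("A256GCMKW", generated)
{:error, {:secret_too_short, 64, 32}} = JweSecretCheck.trim("A512GCMKW", generated)
{:error, {:no_size_rule, "PBES2-HS256+A128KW"}} =
  JweSecretCheck.validate("PBES2-HS256+A128KW", generated)
```

Running a check like this at application start surfaces a wrongly sized secret before the first token is created.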
Summary
Functions
Builds the default claims for all JWT tokens
Create a token. Uses the claims and encrypts the token
Decodes the token and validates the signature
Exchange a token of one type to another
Peek is not implemented for JWE as the claims are encrypted
Refresh the token
Revoking a JWT by default does not do anything. You’ll need to track the token in storage in some way and revoke in your implementation callbacks. See GuardianDb for an example
Generate unique token id
Verifies the claims
Functions
Builds the default claims for all JWT tokens.
Note: aud is set to the configured issuer unless aud is set
Options:
Options may override the defaults found in the configuration.
token_type - Override the default token type
token_ttl - The time to live. See Guardian.Token.ttl type
Create a token. Uses the claims and encrypts the token.
The signing secret will be found first from the options. If not specified the secret key from the configuration will be used.
Configuration:
secret_key - The secret key to use for signing
Options:
secret - The secret key to use for signing
headers - The Jose headers that should be used
allowed_algos
The secret may be in the form of any resolved value from Guardian.Config
claims must be a JSON-serializable structure.
Decodes the token and validates the signature.
Options:
secret - Override the configured secret. Guardian.Config.config_value is valid
allowed_algos - a list of allowable algos
Exchange a token of one type to another.
Type is encoded in the typ field.
Options:
secret - Override the configured secret. Guardian.Config.config_value is valid
allowed_algos - a list of allowable algos
token_ttl - The time to live. See Guardian.Token.ttl type
Peek is not implemented for JWE as the claims are encrypted.
Refresh the token
Options:
secret - Override the configured secret. Guardian.Config.config_value is valid
allowed_algos - a list of allowable algos
token_ttl - The time to live. See Guardian.Token.ttl type
Revoking a JWT by default does not do anything. You’ll need to track the token in storage in some way and revoke in your implementation callbacks. See GuardianDb for an example.
Generate unique token id
Verifies the claims.
Configuration:
token_verify_module - Default Guardian.Token.Jwt.Verify. The module to use to verify the claims