Guardian v0.1.0 Guardian.Token.Jwe View Source

Deals with all things JWE.

This module should not be used directly. It is intended to be used by Guardian on behalf of your implementation as it’s token module.

The usage is exactly the same as JWTs, but JWE encryption is more strict about secret key sizes.

The secret_key bit sizes must be exact for AnnnGCMKW algorithms.

Specifically sized secrets can be generated by running mix guardian.gen.secret <byte_size>. For secrets < 32 bytes, generate the secret and trim the result.

A128GCMKW - 128 bits/16 bytes A192GCMKW - 192 bits/24 bytes A256GCMKW - 256 bits/32 bytes A512GCMKW - 512 bits/64 bytes

Supported algorithms: A128GCMKW A192GCMKW A256GCMKW A512GCMKW PBES2-HS256+A128KW PBES2-HS384+A192KW PBES2-HS512+A256KW

Link to this section Summary

Functions

build_claims(mod, resource, sub, claims, options)

Builds the default claims for all JWT tokens

create_token(mod, claims, opts)

Create a token. Uses the claims and encrypts the token

decode_token(mod, token, opts \\ [])

Decodes the token and validates the signature

exchange(mod, old_token, from_type, to_type, options)

Exchange a token of one type to another

peek(mod, token)

Peek is not implemented for JWE as the claims are encrypted

refresh(mod, old_token, options)

Refresh the token

revoke(mod, claims, token, opts)

Revoking a JWT by default does not do anything. You’ll need to track the token in storage in some way and revoke in your implementation callbacks. See GuardianDb for an example

token_id()

Generate unique token id

verify_claims(mod, claims, options)

Verifies the claims

Link to this section Functions

build_claims(mod, resource, sub, claims, options)

Builds the default claims for all JWT tokens.

Note:

aud is set to the configured issuer unless aud is set

Options:

Options may override the defaults found in the configuration.

token_type - Override the default token type
token_ttl - The time to live. See Guardian.Token.ttl type

create_token(mod, claims, opts)

Create a token. Uses the claims and encrypts the token.

The signing secret will be found first from the options. If not specified the secret key from the configuration will be used.

Configuration:

secret_key The secret key to use for signing

Options:

secret The secret key to use for signing
headers The Jose headers that should be used
allowed_algos

The secret may be in the form of any resolved value from Guardian.Config

claims must be a JSON-serializable structure.

decode_token(mod, token, opts \\ [])

Decodes the token and validates the signature.

Options:

secret - Override the configured secret. Guardian.Config.config_value is valid
allowed_algos - a list of allowable algos

exchange(mod, old_token, from_type, to_type, options)

Exchange a token of one type to another.

Type is encoded in the typ field.

Options:

secret - Override the configured secret. Guardian.Config.config_value is valid
allowed_algos - a list of allowable algos
token_ttl - The time to live. See Guardian.Token.ttl type

peek(mod, token)

Peek is not implemented for JWE as the claims are encrypted.

refresh(mod, old_token, options)

Refresh the token

Options:

secret - Override the configured secret. Guardian.Config.config_value is valid
allowed_algos - a list of allowable algos
token_ttl - The time to live. See Guardian.Token.ttl type

revoke(mod, claims, token, opts)

Revoking a JWT by default does not do anything. You’ll need to track the token in storage in some way and revoke in your implementation callbacks. See GuardianDb for an example.

token_id()

Generate unique token id

verify_claims(mod, claims, options)

Verifies the claims.

Configuration:

token_verify_module Default Guardian.Token.Jwt.Verify the module to use to verify the claims