View Source JWT Common use cases

This is just a collection of common examples of working with tokens using Joken's API.

jwt-simplest-configuration

JWT simplest configuration

We will start from the simplest configuration possible:

defmodule Token do
  use Joken.Config
end

With this configuration you can:

  • Generate a token with aud, iss, exp, jti, iat, nbf.
  • Validate a token with those claims.
  • Use a default signer configuration.

custom-static-iss-claim

Custom static iss claim

defmodule Token do
  use Joken.Config

  @impl true
  def token_config do
    default_claims(skip: [:iss])
    |> add_claim("iss", fn -> "My issuer" end, &(&1 == "My issuer"))
  end
end

Since iss is a default claim, we can pass that value to default_claims directly:

defmodule Token do
  use Joken.Config

  @impl true
  def token_config do
    default_claims(iss: "My custom issuer")
  end
end

custom-dynamic-aud-claim

Custom dynamic aud claim

In this scenario we don't want a function for generating the claim value. We will generate it according to some business context. So, we skip static generation BUT we provide the claim validation all the same.

defmodule Token do
  use Joken.Config

  @impl true
  def token_config do
    default_claims(skip: [:aud])
    |> add_claim("aud", nil, &(&1 in ["My audience", "Your audience", "Her audience"]))
  end
end

# Defined at call site
Token.generate_and_sign(%{"aud" => "My audience"})

custom-validation-cross-claims

Custom validation cross claims

Sometimes you need the value of another claim to validate some other claim. For example, you need the value of the role claim to validate the audience. That is fine. The validate function can receive up to 3 arguments: 1) the claim value, 2) &1, all the claims, 3) &1, &2, context.

defmodule Token do
  use Joken.Config

  @impl true
  def token_config do
    default_claims(skip: [:aud])
    |> add_claim("aud", nil, &validate_audience/2)
  end

  defp validate_audience(value, claims) do
    case claims["role"] do
      "admin" ->
        "http://myserver.com/admin"

      "user" ->
        "http://myserver.com"
    end
  end
end

signer-fetched-from-another-server

Signer fetched from another server

It is common to use OpenID Connect authentication servers to federate login. In this scenario, the signer configuration is usually available in what is called a well known URL.

This URL has a JWKS configuration. This tells the world that tokens generated by these servers can be validated with these keys. Normally, the key id is a claim in the token header.

We can use Joken easily in this scenario. We can abstract all the logic of fetching the signer configuration from the URL in a Hook and configure our claims validation without generation. Let's see an example:

defmodule Token do
  use Joken.Config, default_signer: nil # no signer

  # This hook implements a before_verify callback that checks whether it has a signer configuration
  # cached. If it does not, it tries to fetch it from the jwks_url.
  add_hook(JokenJwks, jwks_url: "https://someurl.com")

  @impl true
  def token_config do
    default_claims(skip: [:aud, :iss])
    |> add_claim("roles", nil, &(&1 in ["admin", "user"]))
    |> add_claim("iss", nil, &(&1 == "some server iss"))
    |> add_claim("aud", nil, &(&1 == "some server aud"))
  end
end

# We can call this by
Token.verify_and_validate(jwt)

generate-a-token-with-the-user-id-as-subject

Generate a token with the user id as subject

Another common need is to generate a token with some specific data. We can even validate that data format when we receive a token. As an example, we will validate the claim "sub" as being a valid UUID but will not generate this value in Joken. This is just an example of a dynamic claim value.

defmodule Token do
  use Joken.Config

  @impl true
  def token_config do
    default_claims()
    |> add_claim("sub", nil, &is_valid_uuid/1)
  end

  # ... implementation of UUID validation
end

# We can pass the subject as extra claims
Token.generate_and_sign(%{"sub" => "uuid"})