Ballerina library

jwt

Module jwt

API

decode
issue
validate

ClientSelfSignedJwtAuthProviderListenerJwtAuthProvider

Declarations

NONE
RS256
RS384
RS512

HttpVersion

Definitions

CertKey
ClientConfiguration
Header
IssuerConfig
IssuerSignatureConfig
Payload
SecureSocket
ValidatorConfig
ValidatorSignatureConfig

Error

SigningAlgorithm

ballerina/jwt Ballerina library

1.1.0-alpha8

Package Overview

This package provides a listener JWT authentication provider, which can be used to authenticate the provided credentials against the provided JWT validator configurations, and a client self-signed JWT authentication provider, which can be used to authenticate against an external endpoint with a self-signed JWT issued against the provided JWT issuer configurations. Also, this module provides the functionality related to issuing and validating a JWT.

For information on the operations, which you can perform with this module, see the below Functions. For examples on the usage of the operations, see the following.

Functions

decode

Isolated Function
function decode(string jwt) returns [Header, Payload]|Error

Decodes the provided JWT string.

Copy
[jwt:Header, jwt:Payload]|jwt:Error [header, payload] = jwt:decode(jwt);
Parameters
  • jwt stringJWT that needs to be decoded
Return Type
  • [Header, Payload]|ErrorThe jwt:Header and jwt:Payload as a tuple or else a jwt:Error if token decoding fails

issue

Isolated Function
function issue(IssuerConfig issuerConfig) returns string|Error

Issues a JWT based on the provided configurations. JWT will be signed (JWS) if crypto:KeyStore information is provided in the jwt:KeyStoreConfig and the jwt:SigningAlgorithm is not jwt:NONE.

Copy
string|jwt:Error jwt = jwt:issue(issuerConfig);
Parameters
Return Type
  • string|ErrorJWT as a string or else a jwt:Error if token issuing fails

validate

Isolated Function
function validate(string jwt, ValidatorConfig validatorConfig) returns Payload|Error

Validates the provided JWT, against the provided configurations.

Copy
jwt:Payload|jwt:Error result = jwt:validate(jwt, validatorConfig);
Parameters
  • jwt stringJWT that needs to be validated
Return Type
  • Payload|Errorjwt:Payload or else a jwt:Error if token validation fails

Classes

jwt: ClientSelfSignedJwtAuthProvider

Represents the client JWT Auth provider, which is used to authenticate with an external endpoint by issuing a self-signed JWT.

Copy
jwt:ClientSelfSignedJwtAuthProvider provider = new({
    issuer: "example",
    audience: ["ballerina"],
    keyStoreConfig: {
        keyAlias: "ballerina",
        keyPassword: "ballerina",
        keyStore: {
            path: "/path/to/keystore.p12",
            password: "ballerina"
        }
    }
});

Constructor

Provides authentication based on the provided JWT configurations.

init (IssuerConfig issuerConfig)

generateToken

Isolated Function
function generateToken() returns string|Error

Issues a self-signed JWT for authentication.

Copy
string|auth:Error token = provider.generateToken();
Return Type
  • string|ErrorGenerated token or else an auth:Error if token can't be generated

jwt: ListenerJwtAuthProvider

Represents the listener JWT Auth provider, which authenticates by validating a JWT.

Copy
jwt:ListenerJwtAuthProvider provider = new({
    issuer: "example",
    audience: "ballerina",
    signatureConfig: {
        certificateAlias: "ballerina",
        trustStore: {
            path: "/path/to/truststore.p12",
            password: "ballerina"
        }
    }
});

Constructor

Provides authentication based on the provided JWT.

init (ValidatorConfig validatorConfig)

authenticate

Isolated Function
function authenticate(string credential) returns Payload|Error

Authenticates provided JWT against jwt:ValidatorConfig.

Copy
boolean|auth:Error result = provider.authenticate("<credential>");
Parameters
  • credential stringJWT to be authenticated
Return Type
  • Payload|Errorjwt:Payload if authentication is successful or else an auth:Error if JWT validation failed

Constants

jwt: NONE

string "none"

Unsecured JWS (no signing).

jwt: RS256

string "RS256"

The RSA-SHA256 algorithm.

jwt: RS384

string "RS384"

The RSA-SHA384 algorithm.

jwt: RS512

string "RS512"

The RSA-SHA512 algorithm.

Enums

jwt: HttpVersion

Represents HTTP versions.

Members

HTTP_1_1
HTTP_2

Records

jwt: CertKey

Closed record

Represents combination of certificate, private key and private key password if encrypted.

Fields
  • certFile string - A file containing the certificate
  • keyFile string - A file containing the private key
  • keyPassword string? - Password of the private key (if encrypted)

jwt: ClientConfiguration

Closed record

Represents the configurations of the client used to call the JWKS endpoint.

Fields
  • httpVersion HttpVersion(default HTTP_1_1) - The HTTP version of the client

Represents JWT header.

Fields
  • typ string? - Media type of the JWT
  • cty string? - Content type, convey structural information about the JWT
  • kid string? - Key ID, hint indicating which key was used to secure the JWS

jwt: IssuerConfig

Closed record

Represents JWT issuer configurations.

Fields
  • username string? - JWT username, which is mapped to the sub
  • issuer string? - JWT issuer, which is mapped to the iss
  • audience string|string[]? - JWT audience, which is mapped to the aud
  • jwtId string? - JWT ID, which is mapped to the jti
  • keyId string? - JWT key ID, which is mapped the kid
  • customClaims map<json>? - Map of custom claims
  • expTime decimal(default 300) - Expiry time in seconds

jwt: IssuerSignatureConfig

Closed record

Represents JWT signature configurations.

Fields
  • algorithm SigningAlgorithm(default RS256) - Cryptographic signing algorithm for JWS
  • config record {| crypto:KeyStore keyStore; string keyAlias; string keyPassword; |} |record {| string keyFile; string keyPassword?; |} ? - KeyStore configurations or private key configurations

jwt: Payload

Represents JWT payload.

Fields
  • iss string? - Issuer, identifies the principal that issued the JWT
  • sub string? - Subject, identifies the principal that is the subject of the JWT
  • aud string|string[]? - Audience, identifies the recipients that the JWT is intended for
  • jti string? - JWT ID, unique identifier for the JWT
  • exp int? - Expiration time, identifies the expiration time (seconds since the Epoch) on or after which the JWT must not be accepted
  • nbf int? - Not before, identifies the time (seconds since the Epoch) before which the JWT must not be accepted
  • iat int? - Issued at, identifies the time (seconds since the Epoch) at which the JWT was issued

jwt: SecureSocket

Closed record

Represents the SSL/TLS configurations.

Fields
  • disable boolean(default false) - Disable SSL validation
  • cert TrustStore|string - Configurations associated with the crypto:TrustStore or single certificate file that the client trusts
  • key KeyStore|CertKey? - Configurations associated with the crypto:KeyStore or combination of certificate and private key of the client

jwt: ValidatorConfig

Represents JWT validator configurations.

Fields
  • issuer string? - Expected issuer, which is mapped to the iss
  • audience string|string[]? - Expected audience, which is mapped to the aud
  • clockSkew decimal(default 0) - Clock skew (in seconds) that can be used to avoid token validation failures due to clock synchronization problems
  • cacheConfig CacheConfig? - Configurations related to the cache, which are used to store parsed JWT information

jwt: ValidatorSignatureConfig

Closed record

Represents JWT signature configurations.

Fields
  • jwksConfig record {| string url; cache:CacheConfig cacheConfig?; ClientConfiguration clientConfig = {}; |} ? - JWKS configurations
  • certFile string? - Public certificate file
  • trustStoreConfig record {| crypto:TrustStore trustStore; string certAlias; |} ? - JWT TrustStore configurations

Errors

jwt: Error

Represents the JWT error. This will be returned if an error occurred while issuing/validating a JWT or any operation related to JWT.

Union types

jwt: SigningAlgorithm

RS256|RS384|RS512|NONE

The cryptographic algorithms used to secure the JWS.

Import

import ballerina/jwt;Copy

Metadata

Released date: over 2 years ago

Version: 1.1.0-alpha8

Compatibility

Platform: java11

Ballerina version: slalpha5

GraalVM compatible: Yes

Stats

Pull count: 1167

Other versions

2.10.02.9.02.8.02.7.02.6.0
See more...

Terms of service

Privacy policy

Cookie policy

© 2023 WSO2 LLC