This library provides Json Web Token (JWT) APIs. JWT is defined in RFC 7519.
The following example shows how to consume JWT
(import (rnrs)
(rfc jwt)
(rfc jwk)
(rfc jwe)
(rfc jws)
(rfc uuid)
(crypto)
(srfi :19)
(sagittarius combinators))
(define keypair (generate-key-pair Ed25519))
(define alg 'EdDSA)
;; (define keypair (generate-key-pair ECDSA :ec-parameter NIST-P-256))
;; (define alg 'ES256)
;; (define keypair (generate-key-pair RSA :size 2048))
;; (define alg 'PS512)
(define claims
(jwt-claims-builder
(iss "Sagittarius Scheme")
(aud "All saints")
(sub "Use Sagittarius")
(iat (current-time))
(nbf (add-duration (current-time) (make-time time-duration 0 -1)))
(exp (add-duration (current-time) (make-time time-duration 0 600)))
(jti (uuid->string (make-v4-uuid)))))
(define jws-header
(jws-header-builder
(alg alg)))
(define payload (string->utf8 (jwt-claims->json-string claims)))
(define jws-object (make-jws-object jws-header payload))
(define signer (private-key->jws-signer (keypair-private keypair)))
(define jwk
(public-key->jwk (keypair-public keypair)
(jwk-config-builder (kid "my key"))))
(define jwks (make-jwk-set (list jwk)))
(let ((jwt-object (jws:sign jws-object signer)))
;; Share the JWT to 3rd party
;; (jws:serialize jwt-object)
;; (jwk-set->json-string jwks)
;; Verify the JWT token with the public key
(let* ((kid-matcher (jwk-matcher:kid "my key"))
(verifier (public-key->jws-verifier
(jwk-set:find-key jwks kid-matcher)))
(jwt-consumer (jwt-consumer-builder
(verifier verifier)
(claims-validator
;; Validate claims
(compose jwt:iss-required-validator
jwt:sub-required-validator
jwt:aud-required-validator
jwt:exp-required-validator
jwt:nbf-required-validator
jwt:iat-required-validator
jwt:jti-required-validator
(jwt:iss-value-validator "Sagittarius Scheme"
"Sagittarius")
(jwt:sub-value-validator "Use Sagittarius")
(jwt:aud-value-validator "All saints")
(jwt:nbf-validator)
(jwt:exp-validator)))))
(claims (jwt:consume jwt-consumer jwt-object)))
;; use the user claim
(jwt-claims-aud claims))) ;; retrieve 'aud' field
By definition, JWT is either JWE or JWS. To create JWT, users need to
use either (rfc jwe) or (rfc jws) library. For more details,
please refer the respective section of the document.
Returns JWT claims after decrypt and/or verify the given jwt-string/object.
jwt-consumer must be a JWT consumer object.
jwt-string/object must be either a string of valid JWT format or JWE/JWS object.
JWT consumer is an object decrypts and/or verifies the JWT and validates the claims. JWT consumer contains the below fields:
decryptor: JWE decryptor
verifier: JWS verifier
claims-validator: Claims validator, see below section for more details
Returns #t if the given obj is a JWT consumer otherwise #f.
A builder macro of JWT consumer. The macro is generated by
(record builder). see (record builder)for more details.
JWT consumer execute validation if the claims-validator field is
set. The field must hold claims validator, which is a procedure takes
one argument, claims, and returns the given claims or raises
an error if the validation failed.
Claims validator to validate required field of the given claims.
Creates claims validator to validate iss, aud and
sub, respectively.
The first 2 procedures may take multiple argument and checks if one of the value matches or not.
Creates claims validator to validate exp field is expired or nor.
clock-skew must be an integer represents seconds of clock skew.
future-bound-seconds must be an integer represents seconds of maximum
boundary that exp can be. (e.g. exp can't be more than 10 mins
of future)
Creates claims validator to validate if the current time is earlier than nbf field.
clock-skew must be an integer represents seconds of clock skew.
Creates claims validator to validate if the iat is in between
not-before and not-after__not-before and not-after must be a time object.
clock-skew must be an integer represents seconds of clock skew.
JWT claims is an object which contains claims of the JWT.
Record type of JWT claims object.
The object contains the following fields:
iss: Issuer
sub: Subject
aud: Audience
exp: Expiration time
nbf: Not before
iat: Issued at
jti: JWT ID
custom-claims: User defined claims, hashtable
Returns #t if the obj is JWT claims otherwise #f.
A builder macro of JWT claims. The macro is generated by
(record builder). see (record builder)for more details.
Retrieves the field value of jwt-claims.
Construct JWT claims from S-exp JSON representation of obj, from input port port or a string string.
If the first form of read-jwt-claims is used, then it reads from
current input port.
Serialize the given jwt-claims to a S-exp representaion, to port or string.
If first form of write-jwt-claims is used, then it writes the
serialized JWT claims to current output port.