@curity/jwt-validation
v1.2.0
Published
Curity JWT Validation library
Downloads
8
Readme
JWT Validation
Simple JWT validation library without any external dependencies.
NOTE: if you plan to use the library in an environment without the browser you will need to use at least node version 15.0.0.
Add to project
Add to your project using npm
npm install @curity/jwt-validation
or yarn
yarn add @curity/jwt-validation
How to use in your project
Initialize the JWT Validator.
import JWTValidator from "@curity/jwt-validation";
// OR using require
// const JWTValidator = require("@curity/jwt-validation");
const allowed_jwt_algorithms= ['RS256', 'ES384'];
const jwt_sig_public_key= { // allowed formats are jwk | jwks_uri | pem | issuer | metadata_url | raw
format: 'issuer', // in case of issuer, the issuer value will be taken from jwt payload
value: null
};
const jwtValidator = new JWTValidator(
issuer,
audience, // audience is the client_id
allowed_jwt_algorithms,
jwt_sig_public_key,
);
Verify JWT using jwtValidator instance that you initialized as described above.
const options= {
accessToken : accessTokenValue, // optional, pass it if you want to validate at_hash
state : stateValue, // optional, pass it if you want to validate s_hash
nonce : nonceValue, // optional, pass it if you want to validate nonce
ignoreExpiration: true, // optional, default false
ignoreNotBefore : true, // optional, default false
clockTolerance : 0, // optional, default 0 seconds
subject : 'test', // optional, if provided, then jwt.sub should match it
jti : 'jti-value', // optional, if provided, then jwt.jti should match it
code : 'authorize-code' // optional, pass it if you want to validate c_hash
};
jwtValidator.verifyJWT(jwtString, options)
.then((payload) => {
// validation is successful, payload is parsed json payload of jwt.
// do the stuff here to save or use jwt.
}).catch(err => {
// validation failed, err.message contain the reason for failure
})
Allowed public key formats
jwk
A jwk can directly be passed as an object (and not a string), when format specified isjwk
.jwks_uri
A list of jwks can be retrieved from a specifiedjwks_uri
.pem
A pem key string can be provided using public key formatpem
.issuer
If the format specified isissuer
, then jwt issuer is used to retrieve metadata which in turn, is resolved to retrieve jwk from corresponding jwks_uri.metadata_url
If the format specified ismetadata_url
, then jwk is retrieved from corresponding jwks_uri of resolved metadata.raw
You can also provide the raw public key using formatraw
e.g: HMAC secret.
Supported Algorithms
Following is the list of supported algorithms.
HS256: {name: 'HMAC', hash: 'SHA-256'},
HS384: {name: 'HMAC', hash: 'SHA-384'},
HS512: {name: 'HMAC', hash: 'SHA-512'},
RS256: {name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256'},
RS384: {name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-384'},
RS512: {name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-512'},
ES256: {name: 'ECDSA', namedCurve: "P-256", hash: 'SHA-256'},
ES384: {name: 'ECDSA', namedCurve: "P-384", hash: 'SHA-384'},
ES512: {name: 'ECDSA', namedCurve: "P-521", hash: 'SHA-512'},
PS256: {name: 'RSA-PSS', saltLength: 256 / 8, hash: 'SHA-256'},
PS384: {name: 'RSA-PSS', saltLength: 384 / 8, hash: 'SHA-384'},
PS512: {name: 'RSA-PSS', saltLength: 512 / 8, hash: 'SHA-512'}