Ring middleware for parsing, decoding and verifying a JWS-signed JWT token from the incoming request.
Built on top of the excellent auth0 JWT library.
Once wired into your ring server, the middleware will:
- Search for a JWT token on each incoming request (see below for information on where it looks).
- Add the claims it finds in the token as a Clojure map under a key on the incoming request.
- Add an empty map to the request if no token is found.
- Reject the request if the JWS signature in the token cannot be verified.
- Reject the request if the token has expired (i.e. the `exp` claim indicates a time in the past).
- Reject the request if the token will only be active in the future (i.e. the `nbf` claim indicates a time in the future).
Note that there is the option to specify a leeway for the `exp` checks - see usage below.
```clojure
[ovotech/ring-jwt "0.1.0"]
```
```clojure
(require '[ring.middleware.jwt :refer [wrap-jwt]]
         '[ring.util.response :refer [response]])

;; A plain ring handler; the middleware runs before it on every request.
(defn handler [request]
  (response {:foo "bar"}))

;; Wrap the handler; with HS256 the shared secret is passed as :public-key.
(wrap-jwt handler {:alg :HS256
                   :public-key "yoursecret"})
```
Depending upon the cryptographic algorithm that is selected for the middleware, a different map of options will be required. Note that, at the point your ring middleware is wired up, ring-jwt will throw an error if it detects that the given options are invalid.
Currently the following JWA algorithms are supported for the purposes of JWS:

| Algorithm | Options |
|---|---|
| RSASSA-PKCS-v1_5 using SHA-256 | `{:alg :RS256 :public-key public-key}` [1] |
| | `{:alg :RS256 :jwk-endpoint "https://your/jwk/endpoint"}` |
| | `{:alg :RS256 :key-fn kid->pk}` [2] |
| HMAC using SHA-256 | `{:alg :HS256 :public-key "your-secret"}` |

[1] `public-key` is of type `java.security.PublicKey`.
[2] `kid->pk` is a user-provided fn that takes a key id (`^String`, from the `"kid"` header in the JWT) and returns a `java.security.PublicKey`.
Additionally, the following optional options are supported:
- Leeway: the number of seconds leeway to give when verifying the expiry/active-from claims of the token (i.e. the `exp` and `nbf` claims).
- Issuer: the issuer of the token; if this does not match the issuer in a token, a `401` will be returned.
- `finder`: a fn taking a ring request and returning the JWT to decode.
By default the library looks in the following locations, in order:
- `Authorization` header bearer token (i.e. an `Authorization` HTTP header of the form `Bearer TOKEN`)
If the token is in a different location, use the `finder` option to extract the token from the Ring request, for example:
```clojure
(fn [req] (get-in req [:headers "x-authorization"]))
```
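The following is an added example (not code from the ring-jwt project) that puts the `:key-fn` option from the table above and the `finder` option together in one wired-up app. It assumes the finder is passed under the keyword `:finder`, that claims land on the request under `:claims`, and it generates throwaway RSA keys in-process in place of an identity provider's published keys.

```clojure
(ns example.app
  (:require [ring.middleware.jwt :refer [wrap-jwt]]
            [ring.util.response :refer [response status]])
  (:import [java.security KeyPairGenerator PublicKey]))

;; Constructed for this example: an in-memory key set keyed by "kid".
;; A real service would load these from its identity provider's key set.
(defn- generate-rsa-public-key ^PublicKey []
  (let [kpg (doto (KeyPairGenerator/getInstance "RSA") (.initialize 2048))]
    (.getPublic (.generateKeyPair kpg))))

(def known-keys
  {"2019-key" (generate-rsa-public-key)
   "2020-key" (generate-rsa-public-key)})

;; kid->pk as described in the options table: takes the "kid" string from the
;; JWT header and returns a java.security.PublicKey. An unknown kid is treated
;; as an error here (a deliberate choice in this example, not library behaviour)
;; so that a key-rotation mismatch surfaces instead of silently verifying nothing.
(defn kid->pk [^String kid]
  (or (get known-keys kid)
      (throw (ex-info "No public key registered for kid" {:kid kid}))))

;; Custom finder: prefer the standard Authorization bearer header, then fall
;; back to an X-Authorization header. Ring lower-cases header names.
(defn find-token [req]
  (let [auth (get-in req [:headers "authorization"])]
    (if (and auth (.startsWith ^String auth "Bearer "))
      (subs auth (count "Bearer "))
      (get-in req [:headers "x-authorization"]))))

;; The request key that carries the verified claims is assumed to be :claims.
;; A request that carried no token arrives with an empty map, so this handler
;; can distinguish "no token" from "verified token" without re-parsing anything.
(defn handler [request]
  (let [claims (:claims request)]
    (if (seq claims)
      (response {:claims claims})
      (status (response {:error "no token presented"}) 401))))

(def app
  (wrap-jwt handler {:alg :RS256
                     :key-fn kid->pk
                     :finder find-token})) ; :finder keyword is assumed
```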
- JSON Web Tokens - JWT Specification
- JSON Web Signatures - JWS Specification
- JSON Web Algorithms - JWA Specification
- JSON Web Keys - JWK Specification
- jwt.io
