
A minimal jwt implementation for OIDC


dmulder/compact-jwt


Compact JWT

JSON Web Tokens (JWT) are a popular method for creating signed, transparent tokens that can be verified by clients and servers. They are enshrined in standards such as OpenID Connect, which makes them a widespread and required component of many modern web authentication systems.

JWT and JSON Web Signature (JWS), however, have a long track record of implementation pitfalls that have led to security issues. This library will not be a complete implementation of JWT/JWS; instead it focuses on a minimal subset that can be secured and audited for correctness more closely within a limited set of use cases.

When should I use this library?

If you are:

  • creating ECDSA-signed JWT tokens, or verifying ECDSA-signed JWT tokens
  • implementing OIDC as a relying party or authorisation server
  • wanting to use HMAC signatures
  • needing a minimal, secure JWS implementation
  • using TPM-bound keys for signing JWTs

then this library is for you. If you need non-compact JWS, or other complex use cases, this library is not for you.

Why another JWT library?

There are already many other libraries for JWT on crates.io; however, each has a limitation or design that conflicts with the project goals in Kanidm. Examples are:

  • Incorrect implementations - there are a number of JWT libraries in Rust that do not follow the RFC or lack RFC test-vector tests
  • Ring as the sole cryptographic provider - we need to use OpenSSL
  • Only supporting RSA or weak cryptographic algorithms - we want to use ECDSA
  • Full JWS implementation - as mentioned, JWS has a number of sharp edges, such as alg=none
  • No library supports PKCS#11 or TPMs - we aim to allow hardware security modules to store private keys

As a result, nothing "fit" what we wanted, so we are making another library.
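To make the "sharp edges" concrete, here is an added illustration (not code from compact-jwt, which is written in Rust, and not the crate's API) of the checks a minimal compact JWS verifier performs before it trusts anything in a token: exactly three base64url segments with no padding, an `alg` that the verifier itself pins rather than reads from the token, a constant-time signature comparison, and an `exp` check. It uses only the Python standard library with HMAC-SHA256 so it runs offline; the key and claims are constructed test values, and `unsigned_token_for_test` only exists to produce the classic `alg=none` test vector that the verifier must reject. For ECDSA (ES256) the structure is identical; the assumption is that the HMAC step is swapped for an ECDSA verification over the same signing input using a key the verifier already holds.

```python
import base64
import hashlib
import hmac
import json
import time

# The verifier decides which algorithms are acceptable. The token's header
# is never consulted to choose the algorithm; it is only compared against
# what the verifier expects, which is what closes alg=none and
# HMAC-vs-public-key confusion.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Strict base64url decode: reject padding and non-alphabet characters."""
    if not segment or "=" in segment:
        raise ValueError("malformed base64url segment")
    padded = segment + "=" * (-len(segment) % 4)
    # validate=True makes stray characters a binascii.Error (a ValueError).
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) using HMAC-SHA256."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def unsigned_token_for_test(claims: dict) -> str:
    """Constructed alg=none test vector (empty signature); used only to show rejection."""
    return _json_segment({"alg": "none"}) + "." + _json_segment(claims) + "."


def verify_compact_jws(token: str, key: bytes, expected_alg: str = "HS256", now: float = None) -> dict:
    """Verify a compact JWS and return its claims, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected exactly three segments")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    # Pin the algorithm: it must be the one we expect AND on our allowlist.
    if expected_alg not in ALLOWED_ALGS or alg != expected_alg:
        raise ValueError(f"rejected alg {alg!r}; expected {expected_alg!r}")
    # A minimal implementation refuses any header extension it does not understand.
    if "crit" in header:
        raise ValueError("unsupported critical header parameters")

    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison: a timing leak here lets an attacker forge byte by byte.
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")

    claims = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= current:
        raise ValueError("token expired")
    return claims


def rejects(token: str, key: bytes, expected_alg: str = "HS256", now: float = None) -> bool:
    """True if the verifier refuses the token (used by the checks below)."""
    try:
        verify_compact_jws(token, key, expected_alg, now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"constructed-test-key-do-not-reuse"  # constructed sample key
    token = sign_hs256({"sub": "alice", "exp": 2_000_000_000}, key)
    print(verify_compact_jws(token, key, now=1_000))          # {'sub': 'alice', 'exp': 2000000000}
    print(rejects(unsigned_token_for_test({"sub": "alice"}), key))  # True: alg=none refused
    print(rejects(token, key, expected_alg="ES256"))         # True: algorithm mismatch refused
```

The order of operations matters: the algorithm is checked and the signature verified before the payload is parsed, so no claim influences how the token is validated. The same applies to `kid`: a verifier may use it to select among keys it already holds, but must never fetch or derive key material from values inside an unverified token.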
