#jwt #authentication


Minimal implementation of JWT for OIDC

19 releases

0.2.9 Nov 7, 2022
0.2.4 Jul 27, 2022
0.2.0 Mar 16, 2022
0.1.9 Dec 29, 2021
0.1.7 Nov 13, 2021

#3 in #jwt-authentication

18,244 downloads per month
Used in 4 crates (2 directly)

MPL-2.0 license


Compact JWT

JSON Web Tokens (JWT) are a popular method for creating signed, transparent tokens that can be verified by clients and servers. They are enshrined in standards like OpenID Connect, which makes them a widespread and required component of many modern web authentication systems.

JWT and JSON Web Signature (JWS), however, have a long track record of handling problems that have led to security issues. This library will not be a complete implementation of JWT/JWS; instead it focuses on a minimal subset that can be secured and audited for correctness more closely within a limited set of use cases.

When should I use this library?

If you wish to create ECDSA signed JWT tokens, or verify ECDSA signed JWT tokens, this library is for you.

If you are implementing OIDC as a relying party or authorisation server, this library is for you.

If you want to use HMAC signatures, need a full JWS implementation, or need support for the non-compact (JSON) serialisation, this library is not what you want.

Why another JWT library?

There are already many other libraries for JWT on crates.io; however, each has a limitation or design that conflicts with the project goals in Kanidm. Examples are:

  • Incorrect implementations - There are a number of JWT libraries in Rust that do not conform to the RFC or do not have RFC vector tests
  • Ring as the sole cryptographic provider - We need to use OpenSSL
  • Only supporting RSA/weak cryptographic algorithms - We want to use ECDSA
  • Full JWS implementation - As mentioned, JWS has a number of sharp edges like alg=none

As a result, nothing "fit" what we wanted, so we are making another library.
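The alg=none sharp edge named in the list above arises when the token's own header is allowed to choose how it is verified. The following is an added example, not code from this crate: a std-only Rust header check that fixes the algorithm on the verifier side and rejects everything else before any signature work. The names `check_header`, `header_alg`, `Reject` and the ES256-only policy are assumptions for illustration, and the token in `main` is constructed.

```rust
// Added example: header policy applied before any signature check (none is done here).
const ALLOWED_ALG: &str = "ES256"; // assumption: the verifier holds a P-256 key
#[derive(Debug, PartialEq)]
enum Reject { NotCompact, BadHeader, AlgNotAllowed(String), EmptySignature }

/// Decode unpadded base64url (RFC 4648 section 5); None on any other character.
fn b64url_decode(s: &str) -> Option<Vec<u8>> {
    if s.len() % 4 == 1 { return None; }
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62, b'_' => 63,
            _ => return None,
        };
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

/// Stand-in for a JSON parser that fails closed: "alg" must appear once, as a plain string.
fn header_alg(json: &str) -> Option<&str> {
    let mut hits = json.match_indices("\"alg\"");
    let (pos, key) = hits.next()?;
    if hits.next().is_some() { return None; }
    let rest = json[pos + key.len()..].trim_start().strip_prefix(':')?.trim_start();
    let value = rest.strip_prefix('"')?;
    let end = value.find('"')?;
    if value[..end].contains('\\') { None } else { Some(&value[..end]) }
}

/// Decide from the header alone whether the token may proceed to verification.
fn check_header(token: &str) -> Result<(), Reject> {
    let parts: Vec<&str> = token.split('.').collect();
    if parts.len() != 3 { return Err(Reject::NotCompact); }
    let json = b64url_decode(parts[0]).and_then(|b| String::from_utf8(b).ok()).ok_or(Reject::BadHeader)?;
    let alg = header_alg(&json).ok_or(Reject::BadHeader)?;
    if alg != ALLOWED_ALG { return Err(Reject::AlgNotAllowed(alg.to_string())); }
    if parts[2].is_empty() { return Err(Reject::EmptySignature); }
    Ok(())
}
fn main() { println!("{:?}", check_header("eyJhbGciOiJub25lIn0.e30.")); }
```

The comparison is exact and case-sensitive, so any spelling other than the configured algorithm is rejected; a token that passes still has to have its signature verified against the verifier's own key.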


~146K SLoC