
no-std jwt-compact

Minimalistic JWT implementation with focus on type safety and secure cryptographic primitives

8 releases (4 breaking)

0.5.0 Dec 29, 2021
0.5.0-beta.1 Oct 21, 2021
0.4.0 May 24, 2021
0.3.0 Nov 30, 2020
0.1.0 Jul 1, 2019

#107 in Cryptography


693 downloads per month
Used in 11 crates (2 directly)

Apache-2.0

150KB
3K SLoC

Compact JWT implementation in Rust


Documentation: Docs.rs crate docs (master)

Minimalistic JSON web token (JWT) implementation with focus on type safety and secure cryptographic primitives.

Usage

Add this to your Cargo.toml:

[dependencies]
jwt-compact = "0.5.0"

See the crate docs for usage examples.

Features

  • Algorithm-specific signing and verifying keys (i.e., type safety).
  • Key strength requirements from RFC 7518 are expressed with wrapper types.
  • Easy to extend to support new signing algorithms.
  • The crate supports more compact CBOR encoding of the claims.
  • Basic JWK functionality for key conversion from human-readable formats (JSON / YAML / TOML) and computing key thumbprints.
  • HS256, HS384 and HS512 algorithms are implemented via pure Rust sha2 crate.
  • The crate supports the EdDSA algorithm with the Ed25519 elliptic curve, and the ES256K algorithm with the secp256k1 elliptic curve. Both curves are widely used in the crypto community and believed to be securely generated (there are some doubts about parameter generation for the elliptic curves used in the standard ES* algorithms).
  • RSA algorithms (RS* and PS*) are supported via pure Rust rsa crate.
  • Supports the no_std mode. No-std support and WASM compatibility are explicitly tested.

Missing features

  • Built-in checks of some claims (e.g., iss – the token issuer). This is intentional: depending on the use case, such claims can have different semantics and thus be represented by different datatypes (e.g., iss may be a human-readable short ID, a hex-encoded key digest, etc.)
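Because the crate leaves the iss check to the application, the check has to be written against whatever datatype the deployment uses. The following is an added example, not code from the crate or its docs: it assumes iss carries a hex-encoded 32-byte key digest, uses only the standard library, and all type and function names are hypothetical. It is meant to run on claims taken from a token whose signature has already been verified.

```rust
// Added example: application-side `iss` check for a deployment where the issuer
// is a hex-encoded 32-byte key digest. All names here are hypothetical.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct KeyDigest([u8; 32]);

#[derive(Debug, PartialEq, Eq)]
pub enum IssuerError {
    Missing,   // no `iss` claim in the token
    Malformed, // `iss` is not 64 hex digits
    Untrusted, // well-formed, but not on the allow-list
}

impl KeyDigest {
    /// Strict parser: exactly 64 hex digits (either case), nothing else.
    pub fn from_hex(s: &str) -> Result<Self, IssuerError> {
        let raw = s.as_bytes();
        if raw.len() != 64 {
            return Err(IssuerError::Malformed);
        }
        let mut out = [0u8; 32];
        for (i, pair) in raw.chunks(2).enumerate() {
            let hi = (pair[0] as char).to_digit(16).ok_or(IssuerError::Malformed)?;
            let lo = (pair[1] as char).to_digit(16).ok_or(IssuerError::Malformed)?;
            out[i] = (hi * 16 + lo) as u8;
        }
        Ok(KeyDigest(out))
    }
}

/// Fails closed: an absent `iss` is rejected rather than treated as "any issuer".
/// Comparison is on decoded bytes, so hex case differences do not matter.
pub fn check_issuer(iss: Option<&str>, trusted: &[KeyDigest]) -> Result<KeyDigest, IssuerError> {
    let digest = KeyDigest::from_hex(iss.ok_or(IssuerError::Missing)?)?;
    if trusted.contains(&digest) {
        Ok(digest)
    } else {
        Err(IssuerError::Untrusted)
    }
}

fn main() {
    // Constructed sample values, not real key digests.
    let trusted = [KeyDigest::from_hex(&"ab".repeat(32)).unwrap()];
    let upper = "AB".repeat(32);
    println!("{:?}", check_issuer(Some(upper.as_str()), &trusted).is_ok());
    println!("{:?}", check_issuer(Some("auth-server-1"), &trusted));
    println!("{:?}", check_issuer(None, &trusted));
}
```

A deployment that uses short human-readable issuer IDs instead would swap KeyDigest for its own type; the fail-closed handling of a missing claim stays the same.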

Supported Rust Versions

The base crate is compatible with Rust 1.51+. The k256 cryptographic backend requires Rust 1.56+, while other backends are compatible with 1.51+.

Alternatives

jsonwebtoken, frank_jwt or biscuit may be viable alternatives depending on the use case (e.g., none of them seems to implement EdDSA or ES256K algorithms).

See also

  • justwebtoken.io – educational mini-website that uses this library packaged in a WASM module.

License

Licensed under the Apache-2.0 license.

Dependencies

~2.4–4.5MB
~89K SLoC
