ns_crypto::JWT method encode (public)
<instance of ns_crypto::JWT> encode -alg alg [ -key key ] [ -jwk jwk ] [ -secret secret ] [ -kid kid ] [ -typ typ ] [ -cty cty ] [ -extraheader extraheader ] [ -iss iss ] [ -sub sub ] [ -aud aud ] [ -exp exp ] [ -nbf nbf ] [ -iat iat ] [ -jti jti ] [ extrapayload ]
Create a JSON Web Token (JWT) in compact serialization format. The method builds a protected header and payload, encodes both as base64url, and signs the resulting input using the specified algorithm. The payload is constructed from standard JWT claims provided as named parameters and optional additional claims in triple form.
- Switches:
- -alg (required)
- Signature algorithm (e.g., EdDSA, ES256, ES256K, ES384, ES512, RS256, RS384, RS512, or "none"). When "none" is specified, no signature is added.
- -key (optional)
- Private key in PEM format (string or file) used for signing.
- -jwk (optional)
- JWK representation of the private key. Support for signing from JWK is reserved for future use and is not implemented yet.
- -secret (optional)
- Shared secret used for HS256, HS384, and HS512.
- -kid (optional)
- Optional key identifier to be included in the JWT header.
- -typ (optional, defaults to "JWT")
- Optional type header (defaults to "JWT").
- -cty (optional)
- Optional content type header.
- -extraheader (optional)
- Additional header fields in triple form (name type value ...), merged into the protected header.
- -iss (optional)
- Issuer claim.
- -sub (optional)
- Subject claim.
- -aud (optional)
- Audience claim. May be a single value or a list of values. Multiple values are encoded as a JSON array.
- -exp (optional)
- Expiration time (numeric, seconds since epoch).
- -nbf (optional)
- Not-before time (numeric, seconds since epoch).
- -iat (optional)
- Issued-at time (numeric, seconds since epoch).
- -jti (optional)
- JWT ID claim.
- Parameters:
- extrapayload (optional)
- Additional payload fields in triple form (name type value ...), appended to the payload.
- Returns:
- A JWT string in compact form "header.payload.signature". When alg is "none", the signature part is empty.
- Testcases:
- No testcase defined.
Source code:

```tcl
set headerJson [:build_protected_header -alg $alg -kid $kid -typ $typ -cty $cty -extraheader $extraheader]

set triples {}
foreach field {iss sub aud exp nbf iat jti} {
    if {![info exists $field]} continue
    switch $field {
        exp - nbf - iat {
            lappend triples $field number [set $field]
        }
        aud {
            if {[llength $aud] == 1} {
                lappend triples aud string $aud
            } else {
                set array [lmap a $aud {list 1 string $a}]
                lappend triples aud array [concat {*}$array]
            }
        }
        default {
            lappend triples $field string [set $field]
        }
    }
}
lappend triples {*}$extrapayload
set payloadJson [ns_json value -type object $triples]
#ns_log notice payloadJson $payloadJson

set headerB64 [ns_base64urlencode -- $headerJson]
set payloadB64 [ns_base64urlencode -- $payloadJson]
set signingInput "${headerB64}.${payloadB64}"

if {$alg in {HS256 HS384 HS512}} {
    if {$secret eq ""} {
        error "missing shared secret; provide -secret"
    }
    set signature [:hmac_sign -alg $alg -secret $secret -data $signingInput]
} elseif {$alg eq "none"} {
    # "-alg none" can be useful for decoding tests/debugging,
    return "${signingInput}."
} else {
    set pem [:resolve_signing_key_pem -alg $alg -key $key -jwk $jwk]
    set signature [:sign -alg $alg -pem $pem -data $signingInput]
}

set sigB64 [ns_base64urlencode -binary -- $signature]
return "${signingInput}.${sigB64}"
```

XQL Not present: Generic, PostgreSQL, Oracle
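Because `encode` will emit an unsigned token for `-alg none`, the consuming side has to pin the algorithms it accepts instead of trusting the token's header. The following Python sketch is an added example, not NaviServer or OpenACS code: it reproduces the compact serialization for the HS* and "none" branches and pairs it with a verifier that rejects unsigned, tampered, expired, and wrong-algorithm tokens. The function names, the two-field header, and the `SECRET` value are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

HS_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
SECRET = b"constructed-demo-secret"  # constructed sample value, not a real key

def b64url(data: bytes) -> str:
    # JWT base64url drops the "=" padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode(alg: str, claims: dict, secret: bytes = b"") -> str:
    """Same flow as the Tcl source above, limited to HS256/384/512 and "none"."""
    parts = ({"alg": alg, "typ": "JWT"}, claims)
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    if alg == "none":
        return signing_input + "."  # unsigned: the third part is empty
    if not secret:
        raise ValueError("missing shared secret")
    sig = hmac.new(secret, signing_input.encode(), HS_DIGESTS[alg]).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify(token: str, secret: bytes, allowed=("HS256",), now=None) -> dict:
    """Return the claims or raise ValueError. The accepted algorithms are
    chosen by the caller; the token's own "alg" header is only compared."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        alg = json.loads(b64url_decode(header_b64)).get("alg")
        signature = b64url_decode(sig_b64)
    except (ValueError, AttributeError):
        raise ValueError("malformed token") from None
    if alg not in allowed or alg not in HS_DIGESTS:
        raise ValueError(f"algorithm {alg!r} not accepted")  # covers "none"
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, HS_DIGESTS[alg]).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

The same rule applies to the asymmetric algorithms: the verifier selects the key and algorithm from its own configuration, and the `alg` header is only checked against that choice.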