Note: There is a newer version (2.15.1) of this package available. Click here to view docs for the latest version.

ballerina/jwt Ballerina library

2.14.0

Functions

decode

Isolated Function

function decode(string jwt) returns [Header, Payload]|Error

Decodes the provided JWT into the header and payload.


[jwt:Header, jwt:Payload] [header, payload] = check jwt:decode(jwt);

Parameters

jwt string - JWT that needs to be decoded

Return Type

[Header, Payload]|Error - The jwt:Header and jwt:Payload as a tuple or else a jwt:Error if an error occurred

issue

Isolated Function

function issue(IssuerConfig issuerConfig) returns string|Error

Issues a JWT based on the provided configurations. JWT will be signed (JWS) if crypto:KeyStore information is provided in the jwt:KeyStoreConfig and the jwt:SigningAlgorithm is not jwt:NONE.


string jwt = check jwt:issue(issuerConfig);

Parameters

issuerConfig IssuerConfig - JWT issuer configurations

Return Type

string|Error - JWT as a string or else a jwt:Error if an error occurred

validate

Isolated Function

function validate(string jwt, ValidatorConfig validatorConfig) returns Payload|Error

Validates the provided JWT, against the provided configurations.


jwt:Payload result = check jwt:validate(jwt, validatorConfig);

Parameters

jwt string - JWT that needs to be validated

validatorConfig ValidatorConfig - JWT validator configurations

Return Type

Payload|Error - jwt:Payload or else a jwt:Error if an error occurred

Classes

jwt: ClientSelfSignedJwtAuthProvider

Isolated

Represents the client JWT Auth provider, which is used to authenticate with an external endpoint by issuing a self-signed JWT against the provided JWT issuer configurations.


jwt:ClientSelfSignedJwtAuthProvider provider = new({
    issuer: "wso2",
    audience: "ballerina",
    keyStoreConfig: {
        keyAlias: "ballerina",
        keyPassword: "ballerina",
        keyStore: {
            path: "/path/to/keystore.p12",
            password: "ballerina"
        }
    }
});

Constructor

Provides authentication based on the provided JWT configurations.

init (IssuerConfig issuerConfig)

issuerConfig IssuerConfig - JWT issuer configurations

generateToken

Isolated Function

function generateToken() returns string|Error

Issues a self-signed JWT for authentication.


string token = check provider.generateToken();

Return Type

string|Error - Generated token or else a jwt:Error if an error occurred

jwt: ListenerJwtAuthProvider

Isolated

Represents the listener JWT Auth provider, which is used to authenticate the provided credentials (JWT) against the provided JWT validator configurations.


jwt:ListenerJwtAuthProvider provider = new({
    issuer: "example",
    audience: "ballerina",
    signatureConfig: {
        certificateAlias: "ballerina",
        trustStore: {
            path: "/path/to/truststore.p12",
            password: "ballerina"
        }
    }
});

Constructor

Provides authentication based on the provided JWT.

init (ValidatorConfig validatorConfig)

validatorConfig ValidatorConfig - JWT validator configurations

authenticate

Isolated Function

function authenticate(string credential) returns Payload|Error

Authenticates the provided JWT.


boolean result = check provider.authenticate("<credential>");

Parameters

credential string - JWT to be authenticated

Return Type

Payload|Error - jwt:Payload if authentication is successful or else a jwt:Error if an error occurred

Constants

jwt: HS256

string "HS256"

The HMAC-SHA256 algorithm.

jwt: HS384

string "HS384"

The HMAC-SHA384 algorithm.

jwt: HS512

string "HS512"

The HMAC-SHA512 algorithm.

jwt: NONE

string "none"

Unsecured JWS (no signing).

jwt: RS256

string "RS256"

The RSA-SHA256 algorithm.

jwt: RS384

string "RS384"

The RSA-SHA384 algorithm.

jwt: RS512

string "RS512"

The RSA-SHA512 algorithm.

Enums

jwt: HttpVersion

Represents the HTTP versions.

Members

HTTP_1_1

HTTP_2

Records

jwt: CertKey

Closed record

Represents the combination of the certificate file path, private key file path, and private key password if encrypted.

Fields

certFile string - A file containing the certificate

keyFile string - A file containing the private key

keyPassword? string - Password of the private key (if encrypted)

jwt: ClientConfiguration

Closed record

Represents the configurations of the client used to call the JWKS endpoint.

Fields

httpVersion HttpVersion(default HTTP_1_1) - The HTTP version of the client

secureSocket? SecureSocket - SSL/TLS-related configurations

Represents JWT header.

Fields

alg? SigningAlgorithm - Cryptographic algorithm used to secure the JWS

typ? string - Media type of the JWT

cty? string - Content type, convey structural information about the JWT

kid? string - Key ID, hint indicating which key was used to secure the JWS

jwt: IssuerConfig

Closed record

Represents JWT issuer configurations.

Fields

issuer? string - JWT issuer, which is mapped to the iss

username? string - JWT username, which is mapped to the sub

audience? string|string[] - JWT audience, which is mapped to the aud

jwtId? string - JWT ID, which is mapped to the jti

keyId? string - JWT key ID, which is mapped the kid

customClaims? map<json> - Map of custom claims

expTime decimal(default 300) - Expiry time in seconds

signatureConfig? IssuerSignatureConfig - JWT signature configurations

jwt: IssuerSignatureConfig

Closed record

Represents JWT signature configurations.

Fields

algorithm SigningAlgorithm(default RS256) - Cryptographic signing algorithm for JWS

config? record {| keyStore KeyStore, keyAlias string, keyPassword string |}|record {| keyFile string, keyPassword string |}|PrivateKey|string - KeyStore configurations, private key configurations, crypto:PrivateKey or shared key configurations

jwt: Payload

Represents JWT payload.

Fields

iss? string - Issuer, identifies the principal that issued the JWT

sub? string - Subject, identifies the principal that is the subject of the JWT

aud? string|string[] - Audience, identifies the recipients that the JWT is intended for

exp? int - Expiration time, identifies the expiration time (seconds since the Epoch) on or after which the JWT must not be accepted

nbf? int - Not before, identifies the time (seconds since the Epoch) before which the JWT must not be accepted

iat? int - Issued at, identifies the time (seconds since the Epoch) at which the JWT was issued

jti? string - JWT ID, unique identifier for the JWT

jwt: SecureSocket

Closed record

Represents the SSL/TLS configurations.

Fields

disable boolean(default false) - Disable SSL validation

cert? TrustStore|string - Configurations associated with the crypto:TrustStore or single certificate file that the client trusts

key? KeyStore|CertKey - Configurations associated with the crypto:KeyStore or combination of certificate and private key of the client

jwt: ValidatorConfig

Represents JWT validator configurations.

Fields

issuer? string - Expected issuer, which is mapped to the iss

username? string - Expected username, which is mapped to the sub

audience? string|string[] - Expected audience, which is mapped to the aud

jwtId? string - Expected JWT ID, which is mapped to the jti

keyId? string - Expected JWT key ID, which is mapped the kid

customClaims? map<json> - Expected map of custom claims

clockSkew decimal(default 0) - Clock skew (in seconds) that can be used to avoid token validation failures due to clock synchronization problems

signatureConfig? ValidatorSignatureConfig - JWT signature configurations

cacheConfig? CacheConfig - Configurations related to the cache, which are used to store parsed JWT information

jwt: ValidatorSignatureConfig

Closed record

Represents JWT signature configurations.

Fields

jwksConfig? record {| url string, cacheConfig CacheConfig, clientConfig ClientConfiguration |} - JWKS configurations

certFile? string|PublicKey - Public certificate file path or a crypto:PublicKey

trustStoreConfig? record {| trustStore TrustStore, certAlias string |} - JWT TrustStore configurations

secret? string - HMAC secret configuration

Errors

jwt: Error

Distinct

Represents the error type of the module. This will be returned if an error occurred while issuing/validating a JWT or any operation related to JWT auth providers.

Union types

jwt: SigningAlgorithm

RS256|RS384|RS512|HS256|HS384|HS512|NONE

SigningAlgorithm

Represents the cryptographic algorithms used to secure the JWS.

Import

import ballerina/jwt;

Other versions

2.15.1 2.15.0

2.14.0

2.13.0 2.12.1

Metadata

Released date: 11 months ago

Version: 2.14.0

License: Apache-2.0

Compatibility

Platform: java21

Ballerina version: 2201.11.0-20241209-162400-0c015833

GraalVM compatible: Yes

Pull count

Total: 82636

Current verison: 0

Weekly downloads

Source repository

Keywords

security

authentication

jwt

jwk

jws

Contributors

Dependencies

ballerina/io/1.7.0 ballerina/time/2.6.0 ballerina/crypto/2.8.0

Dependents

ballerina/http/2.13.0 ballerina/grpc/1.13.0 ballerina/websocket/2.13.0

Cookie policy

Delete policy

functions

classes

constants

enums

records

errors

unionTypes

ballerina/jwt Ballerina library

Functions

decode

Parameters

Return Type

issue

Parameters

Return Type

validate

Parameters

Return Type

Classes

jwt: ClientSelfSignedJwtAuthProvider

Constructor

generateToken

Return Type

jwt: ListenerJwtAuthProvider

Constructor

authenticate

Parameters

Return Type

Constants

jwt: HS256

jwt: HS384

jwt: HS512

jwt: NONE

jwt: RS256

jwt: RS384

jwt: RS512

Enums

jwt: HttpVersion

Members

Records

jwt: CertKey

Fields

jwt: ClientConfiguration

Fields

jwt: Header

Fields

jwt: IssuerConfig

Fields

jwt: IssuerSignatureConfig

Fields

jwt: Payload

Fields

jwt: SecureSocket

Fields

jwt: ValidatorConfig

Fields

jwt: ValidatorSignatureConfig

Fields

Errors

jwt: Error

Union types

jwt: SigningAlgorithm