Key-derived JOSE signing algorithm helpers.
Attesto treats the algorithm as metadata of the trusted key selected by
kid, never as policy learned from the presented token. RSA keys default
to RS256 for backwards compatibility, while EC/OKP keys infer their JOSE
algorithm from the public JWK curve. RSA deployments that intentionally
use PS256 can label the key through the keystore's alg metadata.
Types
@type alg() :: String.t()
Functions
@spec allowed() :: [alg()]
Algorithms Attesto can sign/verify when backed by a matching key.
Resolve the algorithm for a key in keystore.
Resolution order:
- per-key metadata from key_algs/0, keyed by RFC 7638 kid
- signing_alg/0 for the current signing key only
- inference from the JWK type/curve
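The resolution order above, together with the rule that a token's alg header is never treated as policy, sketched as an added example (not Attesto's own code). The module KeyAlgSketch, its function names, the curve table and the shape of the signing setting are assumptions; JWKs are plain maps so the script runs without the JOSE library.

```elixir
# Added illustration: KeyAlgSketch and all names below are hypothetical,
# not Attesto's API. JWKs are plain maps; sample data is constructed.
defmodule KeyAlgSketch do
  # Assumed curve table (RFC 7518 for EC, RFC 8037 for OKP).
  @curve_algs %{
    {"EC", "P-256"} => "ES256",
    {"EC", "P-384"} => "ES384",
    {"EC", "P-521"} => "ES512",
    {"OKP", "Ed25519"} => "EdDSA"
  }

  # Inference uses public JWK members only; RSA defaults to RS256.
  def infer(%{"kty" => "RSA"}), do: {:ok, "RS256"}

  def infer(jwk) do
    with :error <- Map.fetch(@curve_algs, {jwk["kty"], jwk["crv"]}),
         do: {:error, :unsupported_key}
  end

  # Page's order: per-key metadata by kid, signing setting, then inference.
  def resolve(kid, jwk, key_algs, signing) do
    cond do
      is_map_key(key_algs, kid) -> {:ok, Map.fetch!(key_algs, kid)}
      signing[:kid] == kid and is_binary(signing[:alg]) -> {:ok, signing[:alg]}
      true -> infer(jwk)
    end
  end

  # The header's alg is only compared with the key's algorithm, never used to pick one.
  def check_header(%{"kid" => kid} = header, keystore, key_algs, signing) do
    with {:ok, jwk} <- Map.fetch(keystore, kid),
         {:ok, alg} <- resolve(kid, jwk, key_algs, signing) do
      if header["alg"] == alg, do: {:ok, alg}, else: {:error, {:alg_mismatch, alg}}
    else
      :error -> {:error, :unknown_kid}
      err -> err
    end
  end

  def check_header(_header, _keystore, _key_algs, _signing), do: {:error, :missing_kid}
end

keystore = %{"rsa-1" => %{"kty" => "RSA"}, "ec-1" => %{"kty" => "EC", "crv" => "P-384"}}
key_algs = %{"rsa-1" => "PS256"}
signing = %{kid: "ec-1", alg: nil}

for {kid, alg} <- [{"rsa-1", "PS256"}, {"rsa-1", "RS256"}, {"ec-1", "ES384"}, {"ec-1", "none"}] do
  IO.inspect(KeyAlgSketch.check_header(%{"kid" => kid, "alg" => alg}, keystore, key_algs, signing))
end
```

With the constructed data, the RS256 header for rsa-1 and the none header for ec-1 are rejected with an alg_mismatch error, because the expected algorithm comes from the key entry and not from the token.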
@spec hash_alg(alg()) :: :sha256 | :sha384 | :sha512
Return the digest algorithm used by an ID Token hash claim.
@spec hash_half_bytes(alg()) :: pos_integer()
Return the number of left-most bytes used for OIDC hash claims.
@spec infer(JOSE.JWK.t()) :: alg()
Infer the default algorithm from a parsed JWK's public members.
Validate that alg is one of Attesto's supported asymmetric JOSE algorithms.