livery_auth_jwks (livery v0.2.0)
JWKS fetching, parsing, and caching with key rotation.
keys/1,2 returns the JWK set for a jwks_uri, fetching it over
HTTP on first use and caching the result in persistent_term
with a TTL. refresh/1,2 forces a re-fetch — call it on a
no_matching_key verification failure to pick up a rotated key.
The HTTP fetch is pluggable via fetch => fun((Url) -> {ok, Body} | {error, _}) in the options, so deployments (and tests) can
supply their own client. The default uses hackney and verifies the
server's TLS certificate.
{ok, Keys} = livery_auth_jwks:keys(<<"https://issuer/.well-known/jwks.json">>),
{ok, Claims} = livery_auth:verify(Token, #{keys => Keys, issuer => Iss}).
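The refresh-on-miss pattern described above, written out as an added example rather than code from the livery project. It supplies a custom fetch fun (using httpc from OTP's inets, with peer and hostname verification so a tampered JWKS document is rejected, the same property the hackney default provides) and retries a verification exactly once after a forced refresh. Two things are assumptions not stated on this page: that an unknown key surfaces from livery_auth:verify/2 as {error, no_matching_key}, and the CA bundle path, which is deployment-specific.

```erlang
%% Added example: verify a token against a cached JWKS, refreshing once
%% on an unknown key so a rotated signing key is picked up.
%% Assumptions (not from the module docs): the verification failure for
%% an unknown key is {error, no_matching_key}; the CA bundle path below
%% is a placeholder to adjust per deployment.
-module(jwks_verify_example).
-export([verify_with_rotation/3, fetch_with_httpc/1]).

-define(CACERT, "/etc/ssl/certs/ca-certificates.crt"). % placeholder path

%% Custom fetcher satisfying the fetch option's contract:
%%   fun((binary()) -> {ok, binary()} | {error, term()})
%% Peer and hostname verification are switched on explicitly; without
%% them an on-path attacker could serve a JWKS containing their own key.
fetch_with_httpc(Url) when is_binary(Url) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    SslOpts = [{verify, verify_peer},
               {cacertfile, ?CACERT},
               {customize_hostname_check,
                [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}],
    Req = {binary_to_list(Url), []},
    case httpc:request(get, Req,
                       [{ssl, SslOpts}, {timeout, 5000}],
                       [{body_format, binary}]) of
        {ok, {{_, 200, _}, _Headers, Body}} -> {ok, Body};
        {ok, {{_, Status, _}, _, _}}        -> {error, {http_status, Status}};
        {error, Reason}                      -> {error, Reason}
    end.

%% Verify Token issued by Iss using the keys published at JwksUri.
%% First attempt uses keys/2 (cached); on an unknown key, refresh/2 is
%% called and the verification retried once. A second miss is a hard
%% failure, so a stream of tokens carrying bogus key ids cannot turn
%% every request into a fresh HTTP fetch against the issuer.
verify_with_rotation(Token, Iss, JwksUri) ->
    Opts = #{fetch => fun fetch_with_httpc/1},
    case verify_once(Token, Iss, JwksUri, Opts, fun livery_auth_jwks:keys/2) of
        {error, no_matching_key} ->
            verify_once(Token, Iss, JwksUri, Opts,
                        fun livery_auth_jwks:refresh/2);
        Result ->
            Result
    end.

verify_once(Token, Iss, JwksUri, Opts, KeysFun) ->
    case KeysFun(JwksUri, Opts) of
        {ok, Keys} ->
            livery_auth:verify(Token, #{keys => Keys, issuer => Iss});
        {error, _} = Err ->
            Err
    end.
```

Because keys/2 serves from persistent_term within the TTL, the common path makes no network call; only a genuine miss (a rotated key the cache has not seen) pays for a refresh, and that cost is bounded to one extra fetch per verification.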
Summary
Functions
Default JWKS fetcher using hackney, verifying the server's TLS cert.
Parse a JWKS document (binary or decoded map) into a key list.
JWK set for JwksUri, cached with the default 5-minute TTL.
JWK set for JwksUri. Honors fetch and ttl options.
Force a re-fetch of JwksUri, replacing the cached entry.
Types
-type opts() :: #{fetch => fun((binary()) -> {ok, binary()} | {error, term()}), ttl => non_neg_integer()}.
Functions
Default JWKS fetcher using hackney, verifying the server's TLS cert.
-spec from_json(binary() | map()) -> {ok, [livery_auth:jwk()]} | {error, term()}.
Parse a JWKS document (binary or decoded map) into a key list.
-spec keys(binary()) -> {ok, [livery_auth:jwk()]} | {error, term()}.
JWK set for JwksUri, cached with the default 5-minute TTL.
-spec keys(binary(), opts()) -> {ok, [livery_auth:jwk()]} | {error, term()}.
JWK set for JwksUri. Honors fetch and ttl options.
-spec refresh(binary()) -> {ok, [livery_auth:jwk()]} | {error, term()}.
Force a re-fetch of JwksUri, replacing the cached entry.
-spec refresh(binary(), opts()) -> {ok, [livery_auth:jwk()]} | {error, term()}.