Plack::Middleware::Auth::JWT - Token-based Auth (aka Bearer Token) using JSON Web Tokens (JWT)
version 0.907
# use Crypt::JWT to decode the JWT use Plack::Builder; builder { enable "Plack::Middleware::Auth::JWT", decode_args => { key => '12345' }, ; $app; }; # or provide your own decoder in a callback use Plack::Builder; builder { enable "Plack::Middleware::Auth::JWT", decode_callback => sub { my $token = shift; .... }, ; $app; }; # curl -H 'Authorization: Bearer eyJhbG...' # if the JWT is valid, two keys will be added to $env->{psgix} # $env->{'psgix.token'} = 'original_token' # $env->{'psgix.claims'} = { sub => 'bart' } # claims as hashref
Plack::Middleware::Auth::JWT helps you to use JSON Web Tokens (or JWT) for authentificating HTTP requests. Tokens can be provided in the Authorization HTTP Header, or as a query parameter (though passing the JWT via the header is the prefered method).
Plack::Middleware::Auth::JWT
Authorization
TODO
See "decode_jwt" in Crypt::JWT
Please note that key might has to be passed as a string-ref or an object, see Crypt::JWT
key
It is very much recommended that you only allow the algorithms you are actually using by setting accepted_alg! Per default, 'none' is not allowed.
accepted_alg
Hardcoded:
decode_payload = 1 decode_header = 0
Different defaults:
verify_exp = 1 leeway = 5
You either have to use decode_args, or provide a decode_callback.
decode_args
Callback to decode the token. Gets the token as a string and the psgi-env, has to return a hashref with claims.
You have to either provide a callback, or use decode_args.
Default: claims
claims
Name of the entry in psgix were the claims are stored, so you can get the (for example) sub claim via
psgix
sub
$env->{'psgix.claims'}->{sub}
Default: token
token
Name of the entry in psgix were the raw token is stored.
Default: false
false
If set to a true value, all requests need to include a valid JWT. Default false, so you have to check in your application code if a token was submitted.
If set to a true value, passing an invalid JWT will not abort the requerst with status 401. Instead the app will be called as if no token was passed at all.
You can use this to implement another token check in a later middleware, or even in your app. Of course you will then have to check for $env->{psgix.token} in your controller actions.
$env->{psgix.token}
Default: Bearer
Bearer
Name of the token in the HTTP Authorization header. If you set it to 0, headers will be ignored.
0
Name of the HTTP query param that contains the token. If you set it to 0, tokens in the query will be ignored.
TODO, in the meantime you can take a look at the tests.
Crypt::JWT - encode / decode JWTs using various algorithms. Very complete!
Introduction to JSON Web Tokens - good overview.
Plack::Middleware::Auth::AccessToken - a more generic solution handling any kind of token. Does not handle token payload (claims).
Thanks to
validad.com for supporting Open Source.
jwright for fixing a regression in the tests caused by an update in Crypt::JWT error messages. The same issue was also reported by SREZIC.
Michael R. Davis for fixing a typo.
+item * Balloon Metainfo XR GmbH for supporting Open Source and sponsoring some improvements.
Thomas Klausner <domm@plix.at>
This software is copyright (c) 2017 - 2022 by Thomas Klausner.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.
To install Plack::Middleware::Auth::JWT, copy and paste the appropriate command in to your terminal.
cpanm
cpanm Plack::Middleware::Auth::JWT
CPAN shell
perl -MCPAN -e shell install Plack::Middleware::Auth::JWT
For more information on module installation, please visit the detailed CPAN module installation guide.