I would like to verify a JWT using basic-webserver... but from my limited amount of research and the particular Identity Provider I've been testing with I think I would need to be able to work with the RS256 signing algorithm. We have some work in progress for the Crypto builtin (SHA256 thank you @Matthew Heath), but I suspect getting something in pure Roc may take some time to fully shake out.
I propose adding a simple wrapper around something like https://docs.rs/jwt/latest/jwt/ so the platform can provide primitives for working with tokens.
How does this sound?
I'm doing some research to see if I can find a crate that doesn't use serde -- nvm, it looks like we have dependencies that already use it.
Ok, this is what I've got so far by the way of design... https://gist.github.com/lukewilliamboswell/ce5f6c622013b3c4937a1db936edf877
Looking for any preliminary comments
verify ok, or should we choose something like decode or decodeAndVerify?
Dict Str Str for the JWT claims ok, or should we return something like List {name: Str, value: Str}?
Other.None to Unsecured which is what it is called in the spec and I think it is clearer.
Luke Boswell said:
basic-webserver #72 adds support for verifying Json Web Tokens.
Only supports the HS256, HS384, and HS512 algorithms for now.
After playing with this some more, I think I need to add support for the other algorithms, and also I would like it to detect the algorithm inside the platform and instead tell me after decoding.
I just pushed an upgrade to also support the RS256, RS384, and RS512 variants. It now also detects the algorithm from the header, so that doesn't need to be provided.
I want to do some more testing, I found a really nice ID provider sebadob/rauthy which has a convenient Docker container.
Would it be helpful to make a fully worked example that implements Authentication for basic-webserver using OID Connect? Using Docker would be a requirement, and there would have to be a couple of manual steps.
Also, I added a new dependency on OpenSSL. It increases the binary size somewhat, but for a webserver I figure it's pretty important to have the right crypto available.
3 messages were moved here from #contributing > Pull Request for Review by Luke Boswell.
It seems like that could be useful, but also a maintenance burden.
How much effort do you think it would be to keep updated, relative to other examples?
Well, I wasn't thinking of necessarily keeping it updated or adding to roc-lang/examples... maybe just a blog post or a #show and tell post or something.
I've had to do a bit of research to figure it out, so maybe it would help the next person who comes along and needs to do something similar.
I'm thinking OpenSSL is a bit much to pull in just for this... I think I'm going to investigate using another library (pure Rust preferably) and manually implement the trait to verify tokens for RSA.
Or I might revisit the idea of using pure Roc. :thinking:
MatthewJHeath and Sam have been working on the Sha256 builtin. I wonder how hard it will be to add RSA256 in afterwards.
That might be easier**, and way cooler than just implementing this in a single platform.
**well almost as easy
Last updated: Jun 16 2026 at 16:19 UTC