ORE Studio 0.0.4
JWT authentication primitive.
#include <jwt_authenticator.hpp>

Public Member Functions

| Return type | Member | Description |
|---|---|---|
| std::expected< jwt_claims, jwt_error > | validate (const std::string &token) const | Validates a JWT token and extracts claims. |
| std::expected< jwt_claims, jwt_error > | validate_allow_expired (const std::string &token) const | Validates a JWT token and extracts claims, ignoring expiry. |
| std::optional< std::string > | create_token (const jwt_claims &claims) const | Creates a new JWT token with the given claims. |
| bool | is_configured () const | Checks if the authenticator is properly configured. |
| std::string | get_public_key_pem () const | Extracts the RSA public key PEM from the private key. |

Static Public Member Functions

| Return type | Member | Description |
|---|---|---|
| static jwt_authenticator | create_hs256 (const std::string &secret, const std::string &issuer="", const std::string &audience="") | Creates an authenticator using a symmetric secret (HS256). |
| static jwt_authenticator | create_rs256_signer (const std::string &private_key_pem, const std::string &issuer="", const std::string &audience="") | Creates an RS256 signer using an RSA private key (PEM). |
| static jwt_authenticator | create_rs256_verifier (const std::string &public_key_pem, const std::string &issuer="", const std::string &audience="") | Creates an RS256 verifier using an RSA public key (PEM). |

JWT authentication primitive.
Supports HS256 (symmetric) for backward compatibility and RS256 (asymmetric) for distributed service authentication. In RS256 mode, only the IAM service holds the private key and mints tokens; all other services use the public key to verify tokens independently.
Factory methods:
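static jwt_authenticator create_hs256 (const std::string &secret, const std::string &issuer="", const std::string &audience="")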
Creates an authenticator using a symmetric secret (HS256).
Supports both token creation and validation.
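static jwt_authenticator create_rs256_signer (const std::string &private_key_pem, const std::string &issuer="", const std::string &audience="")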
Creates an RS256 signer using an RSA private key (PEM).
Used by the IAM service to mint tokens. The private key must never leave the IAM service configuration.
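static jwt_authenticator create_rs256_verifier (const std::string &public_key_pem, const std::string &issuer="", const std::string &audience="")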
Creates an RS256 verifier using an RSA public key (PEM).
Used by all services other than IAM to validate tokens. Token creation is not supported on this instance.
std::expected< jwt_claims, jwt_error > validate_allow_expired (const std::string &token) const
Validates a JWT token and extracts claims, ignoring expiry.
Used by the refresh handler: the token may be near or just past its expiry time but is still trusted for identity (signature is verified).
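Because validate_allow_expired ignores expiry, a refresh handler that calls it still has to decide how far past expiry a token may be. The following is an added example, not ORE Studio code: refresh_claims, refresh_policy and decide_refresh are hypothetical names, the claim fields are an assumed layout for jwt_claims, and the 5 and 10 minute windows are illustrative values.

```cpp
#include <chrono>
#include <iostream>
#include <string>

using clock_type = std::chrono::system_clock;

// Hypothetical stand-in for the claims returned by validate_allow_expired();
// the real jwt_claims field layout is not shown on this page.
struct refresh_claims {
    std::string subject;
    clock_type::time_point issued_at;
    clock_type::time_point expires_at;
};

// Illustrative windows (assumed values, not ORE Studio defaults).
struct refresh_policy {
    std::chrono::seconds early_window{300};  // refresh allowed this long before expiry
    std::chrono::seconds grace_window{600};  // refresh allowed this long after expiry
};

enum class refresh_decision { issue_new_token, too_early, grace_exceeded, malformed };

// Runs only after the signature check has succeeded; expiry was NOT checked.
refresh_decision decide_refresh(const refresh_claims& c,
                                clock_type::time_point now,
                                const refresh_policy& p = {}) {
    if (c.subject.empty() || c.expires_at <= c.issued_at)
        return refresh_decision::malformed;       // no usable identity or lifetime
    if (now < c.expires_at - p.early_window)
        return refresh_decision::too_early;       // token is still comfortably valid
    if (now > c.expires_at + p.grace_window)
        return refresh_decision::grace_exceeded;  // stale token: require a full login
    return refresh_decision::issue_new_token;
}

int main() {
    // Constructed sample: a 15-minute token presented 20 minutes after issue.
    const auto t0 = clock_type::now();
    const refresh_claims c{"alice", t0, t0 + std::chrono::minutes(15)};
    const auto d = decide_refresh(c, t0 + std::chrono::minutes(20));
    std::cout << (d == refresh_decision::issue_new_token ? "refresh" : "reject") << '\n';
    return 0;
}
```

Without an upper bound such as grace_window, any correctly signed token, however old, would remain exchangeable for a fresh one.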
std::optional< std::string > create_token (const jwt_claims &claims) const
Creates a new JWT token with the given claims.
Supported for HS256 and RS256 signer instances. Returns nullopt if the authenticator is not configured for signing.
std::string get_public_key_pem () const
Extracts the RSA public key PEM from the private key.
Only supported on RS256 signer instances. Returns an empty string if the authenticator is not an RS256 signer.