NAME
Catalyst::Plugin::OAuth2::ResourceServer::Server - bearer-JWT verification engine for the ResourceServer plugin
DESCRIPTION
Pure-logic engine (a Moo object) that holds the verification parameters and performs bearer-JWT validation independently of Catalyst. Attributes: signing_key (required), resource (required: scalar or arrayref), issuer (required), jwt_alg (default HS256), leeway (default 0).
The engine is constructed per request by the Catalyst seam (Catalyst::Plugin::OAuth2::ResourceServer) from the app config, so there is no persistent state between requests.
METHODS
verify_token( $jwt )
my $claims = $engine->verify_token($bearer_token_string);
Verifies a bearer JWT string. Steps performed:
Signature verification using
signing_keyand the HS-alg allowlist (HS256,HS384,HS512only:alg=noneand asymmetric algorithms are always rejected).Expiry (
exp) check with optionalleewayseconds of clock-skew tolerance.expis required: a token carrying no expiry is rejected.Not-before (
nbf) and issued-at (iat) checks, also honouringleeway. Both claims are optional (RFC 7519 4.1.5 and 4.1.6), so they are validated only when present: a token whosenbfis in the future, or whoseiatis in the future, is rejected, but a token omitting either verifies normally. This matches what Catalyst::Plugin::OAuth2::AuthorizationServer mints, which stampsiss,aud,iatandexpbut nonbf.Issuer (
iss) match against the configuredissuer. The match is an exact string comparison, not a substring or prefix match: anissofhttps://as.exampleEVILdoes not satisfy a configured issuer ofhttps://as.example.Payload type guard: the decoded payload must be a claims hashref.
Audience (
aud) membership check: at least oneaudvalue must match one of the configuredresourceidentifiers.
Returns the claims hashref on success. Throws a 401 Catalyst::Plugin::OAuth2::ResourceServer::Error with error = 'invalid_token' on any failure; the error description is never forwarded to clients.