NAME
Catalyst::Plugin::OpenIDConnect::Utils::JWT - JWT handling for OpenID Connect
DESCRIPTION
Provides JWT signing and verification using the RS256 (RSA SHA-256) algorithm for OpenID Connect token creation and validation.
ATTRIBUTES
private_key
The RSA private key for signing tokens.
public_key
The RSA public key for verifying tokens.
key_id
The key ID (kid) used in JWT headers.
issuer
The issuer URL/identifier for the iss claim.
logger
Optional logger instance for debug/info logging.
METHODS
sign_token(%payload)
Signs a JWT token with the configured private key using the RS256 algorithm.
Returns the complete JWT (header.payload.signature).
verify_token($token, %opts)
Verifies a JWT token with the configured public key.
Mandatory claims exp and iss are always validated. The nbf claim is validated when present. Pass expected_audience to also validate the aud claim:
    $jwt->verify_token($token, expected_audience => 'my-client-id');
Returns a hashref with decoded claims on success. Raises an exception on verification failure.
create_id_token(%claims)
Creates a signed ID token with the specified claims.
create_access_token(%claims)
Creates a signed access token with the specified claims.
create_refresh_token(%claims)
Creates a signed refresh token with the specified claims.
decode_id_token_hint($token)
Decodes a JWT passed as an id_token_hint during logout.
Verifies the token signature against the configured public key to confirm it was genuinely issued by this server, but deliberately skips expiry validation; hint tokens are frequently expired at logout time by design.
Returns a hashref of the token's claims on success, or undef if the token is malformed or the signature cannot be verified.
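Added example, not part of this module's code or documentation: the two verification policies described for verify_token and decode_id_token_hint, reproduced with Crypt::JWT and Crypt::PK::RSA as stand-ins. The helpers strict_verify and decode_hint, the issuer, client id, key id and tokens are all constructed for illustration, and nothing here shows how the module is implemented internally.

```perl
use strict;
use warnings;
use Crypt::JWT qw(encode_jwt decode_jwt);
use Crypt::PK::RSA;

# Constructed sample values; none of them come from the module.
my ($issuer, $client) = ('https://idp.example.test', 'my-client-id');
my $rsa = Crypt::PK::RSA->new;
$rsa->generate_key(256, 65537);                  # throwaway 2048-bit key pair
my $public_pem = $rsa->export_key_pem('public'); # the verifier needs only this half

# Hypothetical helper: the strict policy described for verify_token.
sub strict_verify {
    my ($token, %opts) = @_;
    my $aud = $opts{expected_audience};
    return decode_jwt(
        token => $token, key => \$public_pem,
        accepted_alg => 'RS256',                 # pin the algorithm
        verify_exp   => 1,                       # exp must be present and unexpired
        verify_iss   => qr/\A\Q$issuer\E\z/,     # exact issuer match
        (defined $aud ? (verify_aud => qr/\A\Q$aud\E\z/) : ()),
    );                                           # nbf is checked when present (default)
}

# Hypothetical helper: the lenient policy described for decode_id_token_hint.
sub decode_hint {
    my ($token) = @_;
    my $claims = eval { decode_jwt(token => $token, key => \$public_pem,
                                   accepted_alg => 'RS256', verify_exp => 0) };
    return $claims;                              # undef if malformed or badly signed
}

my $mint = sub {
    encode_jwt(alg => 'RS256', key => $rsa, extra_headers => { kid => 'demo-key' },
               payload => { iss => $issuer, aud => $client, sub => 'user-1', @_ });
};
my ($live, $expired) = ($mint->(exp => time + 300), $mint->(exp => time - 3600));
my @orig  = split /\./, $expired;
my @other = split /\./, $mint->(exp => time - 3600, sub => 'user-2');
my $tampered = join '.', $orig[0], $other[1], $orig[2];  # swapped payload, old signature
for my $case (
    ['strict: live, expected aud',  sub { strict_verify($live, expected_audience => $client) }],
    ['strict: live, other aud',     sub { strict_verify($live, expected_audience => 'other') }],
    ['strict: expired',             sub { strict_verify($expired) }],
    ['hint:   expired',             sub { decode_hint($expired) }],
    ['hint:   expired + tampered',  sub { decode_hint($tampered) }],
) {
    printf "%-28s %s\n", $case->[0], (eval { $case->[1]->() } ? 'accepted' : 'rejected');
}
```

Because the lenient path accepts expired tokens, claims obtained that way are suited to identifying which session to end at logout, not to authorizing a request.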
AUTHOR
Tim F. Rayner
LICENSE
This library is free software; you can redistribute it and/or modify it under the terms of The Artistic License 2.0.