JSON Web Token (JWT) is a compact URL-safe means of representing claims to be transferred
between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON)
object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext
of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed
and/or encrypted.
Added support for RSA256 Public Key verification. This in turn means that some
methods are available to verify that are not available to encode; causing a
breaking API change. The toVerify method and the new EncodeSigner and VerifySigner
are the major changes.
2021-12-02 0.10.1
Add support for Aeson 2.x
2019-03-25 0.10.0
Add “kid” and allow specifying JOSEHeader
Clean up docs and remove confusing JSON type alias
2018-01-04 0.9.0
Switch from RSA and HsOpenSSL to x509-store
Add Semigroup instances for GHC 8.6 compatibility
2018-03-21 0.8.0
Support RS256 algorithm
Add Monoid for ClaimsMap
Thanks to Patrick Brisbin and Brian McKenna for adding support for RS256.
2016-06-02 0.7.2
Add missing Data.ByteString.ExtendedTests (Thanks to nomeata for reporting
this).
Support GHC 8 by raising the upper bound of base (GHC8 ships with base-4.9)
(Thanks to Utku Demir).
2016-04-11 0.7.1
Add binarySecret function to enable providing a secret based on a ByteString
(fixes #21 - Thanks to Joe Nelson for reporting this).
2016-02-20 0.7.0
Update JWT to match RFC 7519. This is a backward compatible change with
deprecation warnings added for types and functions to be removed in the
future.
Add NumericDate as a replacement for IntDate (and numericDate as a
replacement for intDate)
Add JOSEHeader as a replacement for JWTHeader.
Use Stack and LTS 4.0
Use cryptonite instead of cryptohash (Thanks to Greg V)
Remove Web.Base64 in favour of using memory (Thanks to Greg V)
2015-04-22 0.6.0
Execute doctests in addition to the testsuite when using ‘make test’.
Export ClaimsMap type alias (fixes #12)
Allow base 4.8
Lowered required cabal library version (to 1.16) to workaround build
issues in a consumer project.
Add 7.10.1 to the travis config
2015-01-19 0.5.3
Add the missing other-modules field to the .cabal file so that
all the tests are present in the source distribution. Thanks to
Richard Wallace for reporting this.
2015-01-17 0.5.2
Tim McLean pointed out that comparing signatures may be susceptible to
a timing attack in the way the signatures were compared (using the default
Eq instance). Both Signature and Secret now have an Eq instance that
uses a constant time comparison function. Thanks Tim for reporting this.
2015-01-03 0.5.1
Fix the encoding of the aud part of the claim.
Thanks to Aaron Levin for reporting and implementing the change.
In addition to the fix we now also verify the shape fo the generated
payload.
2014-12-01 0.5.0
Rev. 17 of the JWT Draft changed the audience claim from being an
optional String to being either an optional StringOrURIs or an optional list of
StringOrURIs. Thanks to Aaron Levin for reporting and implementing the
change. This change breaks backwards compatibility (in regard to 0.4.x).
2014-10-15 0.4.2
Fix the build problems introduced in 0.4.1 to work with the
split network package. Thanks to Richard Wallace for
fixing this and to Jeremy Shaw for reporting this at the same time.
2014-09-17 0.4.1
Update jwt.cabal to work with the new split network package.
Thanks to Jeremy Shaw for reporting this.
2014-08-02 0.4.0
Change the upper boundary of base from 4.7 to 4.8 (#5)
2014-06-02 0.3.0
Add verify function (thanks to Robert Massaioli) to allow verifying an
already decoded JWT token
2014-03-10 0.2.1
Add Decoding/Encoding sections
Make the examples runnable by doctest
Fix hlint warnings
Add ‘secondsSinceEpoch’ to extract the seconds from epoch from an IntDate
2014-03-10 0.2.0
Export the IntDate and StringOrURI types #5a1137b
2014-03-03 0.1.1
Verify that invalid input to the decode* functions fails as expected