gloak/verify

JWT verification helpers for the gloak Keycloak library.

This module is the only local verification seam. It delegates JOSE, JWKS, signature, algorithm pinning, and registered-claim validation to gose and only maps verified claims into compact Keycloak-friendly records. It does not fetch JWKS, read clocks, cache keys, or retry verification.

Examples

import gloak/verify

pub fn parse_keys(response) {
  verify.jwks_response(response)
}
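An added example (not from the gloak documentation) chaining the functions documented below into one verification path, with the JWKS HTTP response and the clock supplied by the caller because this module fetches and reads neither. Assumptions: the `gose/jwt` import path, the helper name `verify_id_token` and its parameter names are hypothetical; `clock_skew`, `expiration` and `kid_policy` are passed through because the page does not list their units or constructors.

```gleam
import gleam/http/response
import gleam/option
import gleam/result
import gleam/time/timestamp
import gloak
import gloak/verify
// Assumption: gose exposes its JWT module at this path; the page only
// shows the `jwt.` qualifier, not the import.
import gose/jwt

/// Hypothetical helper, not part of gloak: JWKS response in, claims out.
pub fn verify_id_token(
  jwks_http_response: response.Response(String),
  token: gloak.IdToken,
  now: timestamp.Timestamp,
  expected_issuer: String,
  expected_audience: String,
  clock_skew: Int,
  expiration: gloak.ExpirationRequirement,
  kid_policy: jwt.KidPolicy,
) -> Result(verify.VerifiedClaims, gloak.Error) {
  // Pin issuer and audience explicitly rather than passing option.None,
  // so a token minted by another issuer or for another client is rejected.
  let options =
    verify.validation(
      issuer: option.Some(expected_issuer),
      audience: option.Some(expected_audience),
      clock_skew: clock_skew,
      expiration: expiration,
      kid_policy: kid_policy,
    )

  // Each step returns Result(_, gloak.Error); the first failure stops the chain.
  use jwks <- result.try(verify.jwks_response(jwks_http_response))
  use verifier <- result.try(verify.rs256_verifier(jwks: jwks, options: options))
  use verified <- result.try(
    verify.id_token(verifier: verifier, token: token, now: now),
  )

  // Claims are decoded only from a jwt.Jwt(jwt.Verified) value, so an
  // unverified token cannot reach this call.
  verify.claims(verified)
}
```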

Types

@superdocs Verification Models

Verified ID-token claims commonly used by applications.

pub type VerifiedClaims {
  VerifiedClaims(
    issuer: String,
    subject: String,
    audience: option.Option(List(String)),
    preferred_username: option.Option(String),
    email: option.Option(String),
    email_verification: option.Option(gloak.EmailVerification),
  )
}

Values

pub fn claims(
  token: jwt.Jwt(jwt.Verified),
) -> Result(VerifiedClaims, gloak.Error)

@superdocs Token Verification

Decodes common claims from an already verified JWT.

pub fn id_token(
  verifier verifier: jwt.Verifier,
  token token: gloak.IdToken,
  now now: timestamp.Timestamp,
) -> Result(jwt.Jwt(jwt.Verified), gloak.Error)

@superdocs Token Verification

Verifies an ID token with an already constructed verifier and caller clock.

pub fn jwks_response(
  response: response.Response(String),
) -> Result(key_set.JwkSet, gloak.Error)

@superdocs JWKS

Decodes a successful JWKS HTTP response with gose.

pub fn rs256_verifier(
  jwks jwks: key_set.JwkSet,
  options options: jwt.JwtValidationOptions,
) -> Result(jwt.Verifier, gloak.Error)

@superdocs Verification Policy

Builds an RS256 verifier from a decoded JWKS.

pub fn validation(
  issuer issuer: option.Option(String),
  audience audience: option.Option(String),
  clock_skew clock_skew: Int,
  expiration expiration: gloak.ExpirationRequirement,
  kid_policy kid_policy: jwt.KidPolicy,
) -> jwt.JwtValidationOptions

@superdocs Verification Policy

Builds gose validation options with explicit issuer and audience policy.

pub fn verifier(
  algorithm algorithm: gose.SigningAlg,
  keys keys: List(gose.Key(String)),
  options options: jwt.JwtValidationOptions,
) -> Result(jwt.Verifier, gloak.Error)

@superdocs Verification Policy

Builds an algorithm-pinned verifier from caller-provided gose keys.
