gloak/verify
JWT verification helpers for the gloak Keycloak library.
This module is the only local verification seam. It delegates JOSE, JWKS,
signature, algorithm pinning, and registered-claim validation to gose and
only maps verified claims into compact Keycloak-friendly records. It does
not fetch JWKS, read clocks, cache keys, or retry verification.
Examples
import gloak/verify
pub fn parse_keys(response) {
verify.jwks_response(response)
}
Types
@superdocs Verification Models Verified ID-token claims commonly used by applications.
pub type VerifiedClaims {
VerifiedClaims(
issuer: String,
subject: String,
audience: option.Option(List(String)),
preferred_username: option.Option(String),
email: option.Option(String),
email_verification: option.Option(gloak.EmailVerification),
)
}
Constructors
-
VerifiedClaims( issuer: String, subject: String, audience: option.Option(List(String)), preferred_username: option.Option(String), email: option.Option(String), email_verification: option.Option(gloak.EmailVerification), )
Values
pub fn claims(
token: jwt.Jwt(jwt.Verified),
) -> Result(VerifiedClaims, gloak.Error)
@superdocs Token Verification Decodes common claims from an already verified JWT.
pub fn id_token(
verifier verifier: jwt.Verifier,
token token: gloak.IdToken,
now now: timestamp.Timestamp,
) -> Result(jwt.Jwt(jwt.Verified), gloak.Error)
@superdocs Token Verification Verifies an ID token with an already constructed verifier and caller clock.
pub fn jwks_response(
response: response.Response(String),
) -> Result(key_set.JwkSet, gloak.Error)
@superdocs JWKS
Decodes a successful JWKS HTTP response with gose.
pub fn rs256_verifier(
jwks jwks: key_set.JwkSet,
options options: jwt.JwtValidationOptions,
) -> Result(jwt.Verifier, gloak.Error)
@superdocs Verification Policy Builds an RS256 verifier from a decoded JWKS.
pub fn validation(
issuer issuer: option.Option(String),
audience audience: option.Option(String),
clock_skew clock_skew: Int,
expiration expiration: gloak.ExpirationRequirement,
kid_policy kid_policy: jwt.KidPolicy,
) -> jwt.JwtValidationOptions
@superdocs Verification Policy
Builds gose validation options with explicit issuer and audience policy.
pub fn verifier(
algorithm algorithm: gose.SigningAlg,
keys keys: List(gose.Key(String)),
options options: jwt.JwtValidationOptions,
) -> Result(jwt.Verifier, gloak.Error)
@superdocs Verification Policy
Builds an algorithm-pinned verifier from caller-provided gose keys.