0.0
The project is in a healthy, maintained state
Utilize AWS KMS to handle the signing and verification of JWT tokens
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Runtime

>= 2.9
 Project Readme

JWT::Aws::KMS

AWS KMS algorithm extensions for ruby-jwt.

Installation

Add this line to your application's Gemfile:

gem 'jwt-aws-kms'

And require the gem in your code.

require `jwt-aws-kms`

Supported algorithms

The gem supports the following AWS KMS algorithms:

Algorithm Name Description JWA Name
RSASSA_PKCS1_V1_5_SHA_256 RSASSA PKCS1 v1.5 using SHA-256 RS256
RSASSA_PKCS1_V1_5_SHA_384 RSASSA PKCS1 v1.5 using SHA-384 RS384
RSASSA_PKCS1_V1_5_SHA_512 RSASSA PKCS1 v1.5 using SHA-512 RS512
RSASSA_PSS_SHA_256 RSASSA PSS using SHA-256 PS256
RSASSA_PSS_SHA_384 RSASSA PSS using SHA-384 PS384
RSASSA_PSS_SHA_512 RSASSA PSS using SHA-512 PS512
ECDSA_SHA_256 ECDSA using P-256 and SHA-256 ES256
ECDSA_SHA_384 ECDSA using P-384 and SHA-384 ES384
ECDSA_SHA_512 ECDSA using P-521 and SHA-512 ES512

Usage

Basic usage

# Create a key, for example with the ruby AWS SDK
key = Aws::KMS::Client.new.create_key(key_spec: "HMAC_512", key_usage: "GENERATE_VERIFY_MAC")

algo = ::JWT::Aws::KMS.for(algorithm: "HS512")

token = JWT.encode(payload, key.key_metadata.key_id, algo)
decoded_token = JWT.decode(token, key.key_metadata.key_id, true, algorithm: algo)

Replace default algorithms

You can swap the default algorithms in the JWT gem to AWS backed ones by calling ::JWT::Aws::KMS.replace_defaults!.

::JWT::Aws::KMS.replace_defaults! # Called in a initializer of some kind

token = JWT.encode(payload, "e25c502b-a383-44ac-a778-0d97e8688cb7", "HS512") # Encode payload with KMS key e25c502b-a383-44ac-a778-0d97e8688cb7

Development

Localstack can be used to simulate the AWS KMS environment.

docker run \
  --rm -it \
  -p 127.0.0.1:4566:4566 \
  -p 127.0.0.1:4510-4559:4510-4559 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  localstack/localstack

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/anakinj/jwt-aws-kms. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the code of conduct.

License

The gem is available as open source under the terms of the MIT License.

Code of Conduct

Everyone interacting in the Jwt::Kms project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.