Trying to use hs-jwt to validate an AAF Rapid Connect assertion.

TestWithHsJWT.hs

{-# LANGUAGE OverloadedStrings #-}

module TestWithHsJWT where

import qualified Data.Text as T
import qualified Crypto.JWT as JWT
import qualified Crypto.JOSE as JOSE
import qualified Data.HashMap.Lazy as HM

import Data.Aeson
import Control.Applicative ((<$>), (<*>))
import Control.Monad (mzero)

-- For a description of these attributes, see https://rapid.aaf.edu.au/developers
data AAFAttributes = AAFAttributes
    { aafEdupersontargetedid        :: T.Text
    , aafDisplayname                :: T.Text
    , aafCn                         :: T.Text
    , aafEdupersonscopedaffiliation :: T.Text
    , aafEdupersonprincipalname     :: T.Text
    , aafMail                       :: T.Text
    , aafSurname                    :: T.Text
    , aafGivenname                  :: T.Text
    }
    deriving (Show, Eq)

instance FromJSON AAFAttributes where
  parseJSON (Object v) = AAFAttributes <$>
                         v .: "edupersontargetedid" <*>
                         v .: "displayname" <*>
                         v .: "cn" <*>
                         v .: "edupersonscopedaffiliation" <*>
                         v .: "edupersonprincipalname" <*>
                         v .: "mail" <*>
                         v .: "surname" <*>
                         v .: "givenname"

  parseJSON _          = mzero

blah :: T.Text -> T.Text -> Bool
blah assertion secret = isvalid
  where
    jwt :: JWT.JWT
    jwt = undefined

    jwk :: JOSE.JWK
    jwk = undefined

    -- How do I use the privately defined secret string
    -- to validate the jwt that was provided via AAF's service?

    -- Things that I have to look up:
    claimset = JWT.jwtClaimsSet jwt
    iss      = JWT.claimIss claimset
    aud      = JWT.claimAud claimset

    -- In the unregistered claims I will find things about
    -- the user's institutional email, staff/student affiliation, etc.
    unregisteredClaims = JWT.unregisteredClaims claimset
    attributes         = HM.lookup "https://aaf.edu.au/attributes" unregisteredClaims

    -- I guess that jwk should be a function of the secret?
    isvalid = JWT.validateJWSJWT jwk jwt -- ????

jwk = JWK k z z z z z z z z
where
    z = Nothing
    k = OctKeyMaterial Oct (OctKeyParameters (Base64Octets secret))
    -- secret needs to be decoded from Text to ByteString

I see that there is a use case for constructing a minimal key based on existing key material (i.e. as opposed to decoding from JSON or generating a key). I will add this to the Key type class (which in unreleased - will try to release that within next week)

use decodeCompact to decode the JWT from a compact representation