jwt

package
v0.1.17 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 1, 2024 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	SigningMethodNone = jose.SignatureAlgorithm(consts.JSONWebTokenAlgNone)
	// This key should be use to correctly sign and verify alg:none JWT tokens
	UnsafeAllowNoneSignatureType unsafeNoneMagicConstant = "none signing method allowed"

	JWTHeaderType = jose.HeaderKey(consts.JSONWebTokenHeaderType)
)
View Source 
const (
	JWTHeaderTypeValueJWT            = consts.JSONWebTokenTypeJWT
	JWTHeaderTypeValueAccessTokenJWT = consts.JSONWebTokenTypeAccessToken
)
View Source 
const (
	ValidationErrorMalformed        uint32 = 1 << iota // Token is malformed
	ValidationErrorUnverifiable                        // Token could not be verified because of signing problems
	ValidationErrorSignatureInvalid                    // Signature validation failed

	// Standard Claim validation errors
	ValidationErrorAudience      // AUD validation failed
	ValidationErrorExpired       // EXP validation failed
	ValidationErrorIssuedAt      // IAT validation failed
	ValidationErrorIssuer        // ISS validation failed
	ValidationErrorNotValidYet   // NBF validation failed
	ValidationErrorId            // JTI validation failed
	ValidationErrorClaimsInvalid // Generic claims validation error
)

Validation provides a backwards compatible error definition from `jwt-go` to `go-jose`. The sourcecode was taken from https://github.com/dgrijalva/jwt-go/blob/master/errors.go

> The errors that might occur when parsing and validating a token

View Source 
const (
	JWTHeaderKeyValueType = consts.JSONWebTokenHeaderType
)

Variables

View Source 
var SHA256HashSize = crypto.SHA256.Size()
View Source 
var TimeFunc = time.Now

Functions

func Copy 

func Copy(elements map[string]any) (result map[string]any)

Copy will copy all elements in a map and return a new representational map

func Filter 

func Filter(elements map[string]any, keys ...string) map[string]any

Filter will filter out elements based on keys in a given input map na key-slice

func StringSliceFromMap 

func StringSliceFromMap(value any) (values []string, ok bool)

StringSliceFromMap asserts a map any value to a []string provided it has a good type.

func ToString 

func ToString(i any) string

ToString will return a string representation of a map

func ToTime 

func ToTime(i any) time.Time

ToTime will try to convert a given input to a time.Time structure

Types

type Claims 

type Claims interface {
	Valid() error
}

Claims is a port from https://github.com/dgrijalva/jwt-go/blob/master/claims.go including its validation methods, which are not available in go-jose library

> For a type to be a Claims object, it must just have a Valid method that determines if the token is invalid for any supported reason

type DefaultSigner 

type DefaultSigner struct {
	GetPrivateKey GetPrivateKeyFunc
}

DefaultSigner is responsible for generating and validating JWT challenges

func (*DefaultSigner) Decode 

func (j *DefaultSigner) Decode(ctx context.Context, token string) (*Token, error)

Decode will decode a JWT token

func (*DefaultSigner) Generate 

func (j *DefaultSigner) Generate(ctx context.Context, claims MapClaims, header Mapper) (string, string, error)

Generate generates a new authorize code or returns an error. set secret

func (*DefaultSigner) GetSignature 

func (j *DefaultSigner) GetSignature(ctx context.Context, token string) (string, error)

GetSignature will return the signature of a token

func (*DefaultSigner) GetSigningMethodLength 

func (j *DefaultSigner) GetSigningMethodLength(ctx context.Context) int

GetSigningMethodLength will return the length of the signing method

func (*DefaultSigner) Hash 

func (j *DefaultSigner) Hash(ctx context.Context, in []byte) ([]byte, error)

Hash will return a given hash based on the byte input or an error upon fail

func (*DefaultSigner) Validate 

func (j *DefaultSigner) Validate(ctx context.Context, token string) (string, error)

Validate validates a token and returns its signature or an error if the token is not valid.

type GetPrivateKeyFunc 

type GetPrivateKeyFunc func(ctx context.Context) (any, error)

type Headers 

type Headers struct {
	Extra map[string]any `json:"extra"`
}

Headers is the jwt headers

func NewHeaders 

func NewHeaders() *Headers

func (*Headers) Add 

func (h *Headers) Add(key string, value any)

Add will add a key-value pair to the extra field

func (*Headers) Get 

func (h *Headers) Get(key string) any

Get will get a value from the extra field based on a given key

func (*Headers) SetDefaultString 

func (h *Headers) SetDefaultString(key, value string)

func (*Headers) ToMap 

func (h *Headers) ToMap() map[string]any

ToMap will transform the headers to a map structure

func (Headers) ToMapClaims 

func (h Headers) ToMapClaims() MapClaims

ToMapClaims will return a jwt-go MapClaims representation

type IDTokenClaims 

type IDTokenClaims struct {
	JTI                                 string         `json:"jti"`
	Issuer                              string         `json:"iss"`
	Subject                             string         `json:"sub"`
	Audience                            []string       `json:"aud"`
	Nonce                               string         `json:"nonce"`
	ExpiresAt                           time.Time      `json:"exp"`
	IssuedAt                            time.Time      `json:"iat"`
	RequestedAt                         time.Time      `json:"rat"`
	AuthTime                            time.Time      `json:"auth_time"`
	AccessTokenHash                     string         `json:"at_hash"`
	AuthenticationContextClassReference string         `json:"acr"`
	AuthenticationMethodsReferences     []string       `json:"amr"`
	CodeHash                            string         `json:"c_hash"`
	StateHash                           string         `json:"s_hash"`
	Extra                               map[string]any `json:"ext"`
}

IDTokenClaims represent the claims used in open id connect requests

func (*IDTokenClaims) Add 

func (c *IDTokenClaims) Add(key string, value any)

Add will add a key-value pair to the extra field

func (*IDTokenClaims) Get 

func (c *IDTokenClaims) Get(key string) any

Get will get a value from the extra field based on a given key

func (*IDTokenClaims) ToMap 

func (c *IDTokenClaims) ToMap() map[string]any

ToMap will transform the headers to a map structure

func (IDTokenClaims) ToMapClaims 

func (c IDTokenClaims) ToMapClaims() MapClaims

ToMapClaims will return a jwt-go MapClaims representation

type JARMClaims 

type JARMClaims struct {
	Issuer    string
	Audience  []string
	JTI       string
	IssuedAt  time.Time
	ExpiresAt time.Time
	Extra     map[string]any
}

JARMClaims represent a token's claims.

func (*JARMClaims) Add 

func (c *JARMClaims) Add(key string, value any)

Add will add a key-value pair to the extra field

func (*JARMClaims) FromMap 

func (c *JARMClaims) FromMap(m map[string]any)

FromMap will set the claims based on a mapping

func (*JARMClaims) FromMapClaims 

func (c *JARMClaims) FromMapClaims(mc MapClaims)

FromMapClaims will populate claims from a jwt-go MapClaims representation

func (JARMClaims) Get 

func (c JARMClaims) Get(key string) any

Get will get a value from the extra field based on a given key

func (*JARMClaims) ToMap 

func (c *JARMClaims) ToMap() map[string]any

ToMap will transform the headers to a map structure

func (JARMClaims) ToMapClaims 

func (c JARMClaims) ToMapClaims() MapClaims

ToMapClaims will return a jwt-go MapClaims representation

type JWTClaims 

type JWTClaims struct {
	Subject    string
	Issuer     string
	Audience   []string
	JTI        string
	IssuedAt   time.Time
	NotBefore  time.Time
	ExpiresAt  time.Time
	Scope      []string
	Extra      map[string]any
	ScopeField JWTScopeFieldEnum
}

JWTClaims represent a token's claims.

func (*JWTClaims) Add 

func (c *JWTClaims) Add(key string, value any)

Add will add a key-value pair to the extra field

func (*JWTClaims) FromMap 

func (c *JWTClaims) FromMap(m map[string]any)

FromMap will set the claims based on a mapping.

TODO: Refactor time permitting.

func (*JWTClaims) FromMapClaims 

func (c *JWTClaims) FromMapClaims(mc MapClaims)

FromMapClaims will populate claims from a jwt-go MapClaims representation

func (JWTClaims) Get 

func (c JWTClaims) Get(key string) any

Get will get a value from the extra field based on a given key

func (*JWTClaims) Sanitize 

func (c *JWTClaims) Sanitize() JWTClaimsContainer

func (*JWTClaims) ToMap 

func (c *JWTClaims) ToMap() map[string]any

ToMap will transform the headers to a map structure

func (JWTClaims) ToMapClaims 

func (c JWTClaims) ToMapClaims() MapClaims

ToMapClaims will return a jwt-go MapClaims representation

func (*JWTClaims) With 

func (c *JWTClaims) With(expiry time.Time, scope, audience []string) JWTClaimsContainer

func (*JWTClaims) WithDefaults 

func (c *JWTClaims) WithDefaults(iat, nbf time.Time, issuer string) JWTClaimsContainer

func (*JWTClaims) WithScopeField 

func (c *JWTClaims) WithScopeField(scopeField JWTScopeFieldEnum) JWTClaimsContainer

type JWTClaimsContainer 

type JWTClaimsContainer interface {
	// Sanitize should clear the IssuedAt and NotBefore values.
	Sanitize() JWTClaimsContainer

	// With returns a copy of itself with expiresAt, scope, audience set to the given values.
	With(expiry time.Time, scope, audience []string) JWTClaimsContainer

	// WithDefaults returns a copy of itself with issuedAt and issuer set to the given default values. If those
	// values are already set in the claims, they will not be updated.
	WithDefaults(iat, nbf time.Time, issuer string) JWTClaimsContainer

	// WithScopeField configures how a scope field should be represented in JWT.
	WithScopeField(scopeField JWTScopeFieldEnum) JWTClaimsContainer

	// ToMapClaims returns the claims as a github.com/dgrijalva/jwt-go.MapClaims type.
	ToMapClaims() MapClaims
}

type JWTClaimsDefaults 

type JWTClaimsDefaults struct {
	ExpiresAt time.Time
	IssuedAt  time.Time
	Issuer    string
	Scope     []string
}

type JWTScopeFieldEnum 

type JWTScopeFieldEnum int

Enum for different types of scope encoding. 

const (
	JWTScopeFieldUnset JWTScopeFieldEnum = iota
	JWTScopeFieldList
	JWTScopeFieldString
	JWTScopeFieldBoth
)

type Keyfunc 

type Keyfunc func(*Token) (any, error)

Keyfunc is used by parsing methods to supply the key for verification. The function receives the parsed, but unverified Token. This allows you to use properties in the Header of the token (such as `kid`) to identify which key to use.

type MapClaims 

type MapClaims map[string]any

MapClaims provides backwards compatible validations not available in `go-jose`. It was taken from [here](https://raw.githubusercontent.com/form3tech-oss/jwt-go/master/map_claims.go).

Claims type that uses the map[string]any for JSON decoding This is the default claims type if you don't supply one

func (MapClaims) UnmarshalJSON 

func (m MapClaims) UnmarshalJSON(b []byte) error

func (MapClaims) Valid 

func (m MapClaims) Valid() error

Valid validates time based claims "exp, iat, nbf". There is no accounting for clock skew. As well, if any of the above claims are not in the token, it will still be considered a valid claim.

func (MapClaims) VerifyAudience 

func (m MapClaims) VerifyAudience(cmp string, req bool) bool

VerifyAudience compares the aud claim against cmp. If required is false, this method will return true if the value matches or is unset

func (MapClaims) VerifyExpiresAt 

func (m MapClaims) VerifyExpiresAt(cmp int64, req bool) bool

VerifyExpiresAt compares the exp claim against cmp. If required is false, this method will return true if the value matches or is unset

func (MapClaims) VerifyIssuedAt 

func (m MapClaims) VerifyIssuedAt(cmp int64, req bool) bool

VerifyIssuedAt compares the iat claim against cmp. If required is false, this method will return true if the value matches or is unset

func (MapClaims) VerifyIssuer 

func (m MapClaims) VerifyIssuer(cmp string, req bool) bool

VerifyIssuer compares the iss claim against cmp. If required is false, this method will return true if the value matches or is unset

func (MapClaims) VerifyNotBefore 

func (m MapClaims) VerifyNotBefore(cmp int64, req bool) bool

VerifyNotBefore compares the nbf claim against cmp. If required is false, this method will return true if the value matches or is unset

type Mapper 

type Mapper interface {
	ToMap() map[string]any
	Add(key string, value any)
	Get(key string) any
}

Mapper is the interface used internally to map key-value pairs

type Signer 

type Signer interface {
	Generate(ctx context.Context, claims MapClaims, header Mapper) (tokenString string, signature string, err error)
	Validate(ctx context.Context, tokenString string) (signature string, err error)
	Hash(ctx context.Context, in []byte) ([]byte, error)
	Decode(ctx context.Context, tokenString string) (token *Token, err error)
	GetSignature(ctx context.Context, token string) (signature string, err error)
	GetSigningMethodLength(ctx context.Context) (length int)
}

type Token 

type Token struct {
	Header map[string]any // The first segment of the token
	Claims MapClaims      // The second segment of the token
	Method jose.SignatureAlgorithm
	// contains filtered or unexported fields
}

Token represets a JWT Token This token provide an adaptation to transit from [jwt-go](https://github.com/dgrijalva/jwt-go) to [go-jose](https://github.com/square/go-jose) It provides method signatures compatible with jwt-go but implemented using go-json

func NewWithClaims 

func NewWithClaims(method jose.SignatureAlgorithm, claims MapClaims) *Token

NewWithClaims creates an unverified Token with the given claims and signing method

func Parse 

func Parse(tokenString string, keyFunc Keyfunc) (*Token, error)

Parse is an overload for ParseCustom which accepts all normal algs including 'none'.

func ParseCustom 

func ParseCustom(tokenString string, keyFunc Keyfunc, algs ...jose.SignatureAlgorithm) (*Token, error)

ParseCustom parses, validates, and returns a token. The keyFunc will receive the parsed token and should return the key for validating. If everything is kosher, err will be nil.

func ParseCustomWithClaims 

func ParseCustomWithClaims(rawToken string, claims MapClaims, keyFunc Keyfunc, algs ...jose.SignatureAlgorithm) (*Token, error)

ParseCustomWithClaims parses, validates, and returns a token with its respective claims. The keyFunc will receive the parsed token and should return the key for validating. If everything is kosher, err will be nil.

func ParseWithClaims 

func ParseWithClaims(rawToken string, claims MapClaims, keyFunc Keyfunc) (*Token, error)

ParseWithClaims is an overload for ParseCustomWithClaims which accepts all normal algs including 'none'.

func (*Token) SignedString 

func (t *Token) SignedString(k any) (rawToken string, err error)

SignedString provides a compatible `jwt-go` Token.SignedString method

> Get the complete, signed token

func (*Token) Valid 

func (t *Token) Valid() bool

Valid informs if the token was verified against a given verification key and claims are valid

type ValidationError 

type ValidationError struct {
	Inner  error  // stores the error returned by external dependencies, i.e.: KeyFunc
	Errors uint32 // bitfield.  see ValidationError... constants
	// contains filtered or unexported fields
}

The error from Parse if token is not valid

func (ValidationError) Error 

func (e ValidationError) Error() string

Validation error is an error type

func (*ValidationError) Has 

func (e *ValidationError) Has(verr uint32) bool

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.