jwt

Published: Feb 22, 2025 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation


Constants

const (
	// SigningMethodNone is the jose.SignatureAlgorithm for the unsecured JWS variant ("alg":"none"). A token using
	// it carries no signature, so any verification path that admits it treats attacker-controlled claims as
	// authentic; it belongs in an allow-list only where an unsigned token is genuinely intended.
	SigningMethodNone = jose.SignatureAlgorithm(JSONWebTokenAlgNone)

	// UnsafeAllowNoneSignatureType is unsafe to use and must be supplied explicitly to sign and verify alg:none JWT
	// tokens. Its distinct unexported type means an ordinary key value can never select alg:none by accident; the
	// opt-in has to be deliberate (the magic-constant pattern of jwt-go — confirm that the verify path actually
	// gates alg:none on this value).
	UnsafeAllowNoneSignatureType unsafeNoneMagicConstant = "none signing method allowed"
)
// Claim names (registered JWT claims, OpenID Connect claims, and token-introspection response members) re-exported
// from the consts package so users of this package need no second import. Prefer these to string literals when
// reading or writing MapClaims: a misspelled claim key silently becomes an unchecked claim.
const (
	ClaimJWTID                               = consts.ClaimJWTID
	ClaimSessionID                           = consts.ClaimSessionID
	ClaimIssuedAt                            = consts.ClaimIssuedAt
	ClaimNotBefore                           = consts.ClaimNotBefore
	ClaimRequestedAt                         = consts.ClaimRequestedAt
	ClaimExpirationTime                      = consts.ClaimExpirationTime
	ClaimAuthenticationTime                  = consts.ClaimAuthenticationTime
	ClaimIssuer                              = consts.ClaimIssuer
	ClaimSubject                             = consts.ClaimSubject
	ClaimAudience                            = consts.ClaimAudience
	ClaimGroups                              = consts.ClaimGroups
	ClaimFullName                            = consts.ClaimFullName
	ClaimPreferredUsername                   = consts.ClaimPreferredUsername
	ClaimPreferredEmail                      = consts.ClaimPreferredEmail
	ClaimEmailVerified                       = consts.ClaimEmailVerified
	ClaimAuthorizedParty                     = consts.ClaimAuthorizedParty
	ClaimAuthenticationContextClassReference = consts.ClaimAuthenticationContextClassReference
	ClaimAuthenticationMethodsReference      = consts.ClaimAuthenticationMethodsReference
	ClaimClientIdentifier                    = consts.ClaimClientIdentifier
	ClaimScope                               = consts.ClaimScope
	// ClaimScopeNonStandard presumably names a legacy spelling of the scope claim; confirm against consts.
	ClaimScopeNonStandard                    = consts.ClaimScopeNonStandard
	ClaimExtra                               = consts.ClaimExtra
	ClaimActive                              = consts.ClaimActive
	ClaimUsername                            = consts.ClaimUsername
	ClaimTokenIntrospection                  = consts.ClaimTokenIntrospection
	ClaimAccessTokenHash                     = consts.ClaimAccessTokenHash
	ClaimCodeHash                            = consts.ClaimCodeHash
	ClaimStateHash                           = consts.ClaimStateHash
	ClaimNonce                               = consts.ClaimNonce
	ClaimAuthorizedActor                     = consts.ClaimAuthorizedActor
	ClaimActor                               = consts.ClaimActor
)
// JOSE header parameter names re-exported from consts. Header values of an incoming token are attacker-controlled
// until the signature has been verified or the JWE decrypted, so key and algorithm selection driven by them must be
// constrained to what the server expects (see the Validate* HeaderValidationOption constructors).
const (
	JSONWebTokenHeaderKeyIdentifier        = consts.JSONWebTokenHeaderKeyIdentifier
	JSONWebTokenHeaderAlgorithm            = consts.JSONWebTokenHeaderAlgorithm
	JSONWebTokenHeaderEncryptionAlgorithm  = consts.JSONWebTokenHeaderEncryptionAlgorithm
	JSONWebTokenHeaderCompressionAlgorithm = consts.JSONWebTokenHeaderCompressionAlgorithm
	// JSONWebTokenHeaderPBES2Count presumably names the PBES2 iteration-count header; an unbounded count read from an
	// untrusted token is a CPU-exhaustion vector, so a cap is expected wherever it is consumed — confirm.
	JSONWebTokenHeaderPBES2Count           = consts.JSONWebTokenHeaderPBES2Count

	JSONWebTokenHeaderType        = consts.JSONWebTokenHeaderType
	JSONWebTokenHeaderContentType = consts.JSONWebTokenHeaderContentType
)
// JWK "use" values re-exported from consts. Key lookups match on use as well as alg (see FindClientPublicJWK), so a
// key published for signing is not selected for encryption or vice versa.
const (
	JSONWebTokenUseSignature  = consts.JSONWebTokenUseSignature
	JSONWebTokenUseEncryption = consts.JSONWebTokenUseEncryption
)
// JWT "typ" header values re-exported from consts. Explicit typing (RFC 8725 §3.11) is what lets a verifier reject a
// token of one kind presented where another is expected, e.g. an ID Token used as an access token; ValidateTypes is
// the header option that enforces it.
const (
	JSONWebTokenTypeJWT                    = consts.JSONWebTokenTypeJWT
	JSONWebTokenTypeAccessToken            = consts.JSONWebTokenTypeAccessToken
	JSONWebTokenTypeAccessTokenAlternative = consts.JSONWebTokenTypeAccessTokenAlternative
	JSONWebTokenTypeTokenIntrospection     = consts.JSONWebTokenTypeTokenIntrospection
)
// Validation error flags. Each constant is a single bit (1 << iota) so several causes can be OR-ed into one uint32
// and tested with a mask; they mirror the jwt-go ValidationError flags to keep the go-jose based implementation
// backwards compatible.
const (
	ValidationErrorMalformed                        uint32 = 1 << iota // Token is malformed
	ValidationErrorMalformedNotCompactSerialized                       // Token is malformed specifically it does not have the compact serialized format.
	ValidationErrorUnverifiable                                        // Token could not be verified because of signing problems
	ValidationErrorSignatureInvalid                                    // Signature validation failed.
	ValidationErrorHeaderKeyIDInvalid                                  // Header KID invalid error.
	ValidationErrorHeaderAlgorithmInvalid                              // Header ALG invalid error.
	ValidationErrorHeaderTypeInvalid                                   // Header TYP invalid error.
	ValidationErrorHeaderEncryptionTypeInvalid                         // Header TYP invalid error (JWE).
	ValidationErrorHeaderContentTypeInvalid                            // Header CTY invalid error (JWE).
	ValidationErrorHeaderContentTypeInvalidMismatch                    // Header CTY mismatch error (JWE).
	ValidationErrorHeaderEncryptionKeyIDInvalid                        // Header KID invalid error (JWE).
	ValidationErrorHeaderKeyAlgorithmInvalid                           // Header ALG invalid error (JWE).
	ValidationErrorHeaderContentEncryptionInvalid                      // Header ENC invalid error (JWE).
	ValidationErrorId                                                  // Claim JTI validation failed. (Go convention would be ValidationErrorID; name kept for compatibility.)
	ValidationErrorAudience                                            // Claim AUD validation failed.
	ValidationErrorExpired                                             // Claim EXP validation failed.
	ValidationErrorIssuedAt                                            // Claim IAT validation failed.
	ValidationErrorNotValidYet                                         // Claim NBF validation failed.
	ValidationErrorIssuer                                              // Claim ISS validation failed.
	ValidationErrorSubject                                             // Claim SUB validation failed.
	ValidationErrorClaimsInvalid                                       // Generic claims validation error.
)

Validation provides a backwards compatible error definition from `jwt-go` to `go-jose`.

// JSONWebTokenAlgNone is the "alg" value of the unsecured JWS, re-exported from consts. It is included in
// SignatureAlgorithmsNone and deliberately absent from SignatureAlgorithms.
const (
	JSONWebTokenAlgNone = consts.JSONWebTokenAlgNone
)
// JWKLookupErrorClientNoJWKS is a JWK lookup error flag (1 << iota, so further flags can be added alongside it).
// From its name it is presumably reported when a client exposes neither an inline JWK Set (GetJSONWebKeys) nor a
// jwks_uri (GetJSONWebKeysURI) — confirm against the lookup code.
const (
	JWKLookupErrorClientNoJWKS uint32 = 1 << iota
)

Variables

var (
	// SignatureAlgorithmsNone contain all algorithms including 'none'. Use it as an allow-list only where an unsigned
	// (alg:none) token is genuinely acceptable; verification paths should use SignatureAlgorithms.
	SignatureAlgorithmsNone = []jose.SignatureAlgorithm{JSONWebTokenAlgNone, jose.HS256, jose.HS384, jose.HS512, jose.RS256, jose.RS384, jose.RS512, jose.PS256, jose.PS384, jose.PS512, jose.ES256, jose.ES384, jose.ES512}

	// SignatureAlgorithms contain all algorithms excluding 'none'.
	SignatureAlgorithms = []jose.SignatureAlgorithm{jose.HS256, jose.HS384, jose.HS512, jose.RS256, jose.RS384, jose.RS512, jose.PS256, jose.PS384, jose.PS512, jose.ES256, jose.ES384, jose.ES512}

	// EncryptionKeyAlgorithms contains all valid JWE's for OAuth 2.0 and OpenID Connect 1.0.
	// NOTE(review): this is the full interoperability set. RSA1_5 (RSAES-PKCS1-v1_5) is advised against by RFC 8725
	// because of padding-oracle attacks, and the PBES2 variants take their iteration count from the (untrusted) token
	// header; a deployment should narrow this list to what its clients actually need.
	EncryptionKeyAlgorithms = []jose.KeyAlgorithm{jose.RSA1_5, jose.RSA_OAEP, jose.RSA_OAEP_256, jose.A128KW, jose.A192KW, jose.A256KW, jose.DIRECT, jose.ECDH_ES, jose.ECDH_ES_A128KW, jose.ECDH_ES_A192KW, jose.ECDH_ES_A256KW, jose.A128GCMKW, jose.A192GCMKW, jose.A256GCMKW, jose.PBES2_HS256_A128KW, jose.PBES2_HS384_A192KW, jose.PBES2_HS512_A256KW}

	// ContentEncryptionAlgorithms contains the supported JWE "enc" values: AES-CBC with HMAC and AES-GCM at
	// 128/192/256-bit strength.
	ContentEncryptionAlgorithms = []jose.ContentEncryption{jose.A128CBC_HS256, jose.A192CBC_HS384, jose.A256CBC_HS512, jose.A128GCM, jose.A192GCM, jose.A256GCM}
)
// Package-level tunables. They are plain package variables shared by every caller in the process, so set them once
// at start-up rather than per request.
var (
	// MarshalSingleStringAsArray controls whether a ClaimStrings holding exactly one value is marshaled as a JSON
	// array rather than a bare string — presumably read by ClaimStrings.MarshalJSON; confirm.
	MarshalSingleStringAsArray = true
	// TimePrecision is presumably the granularity applied when NumericDate values are serialized — confirm.
	TimePrecision              = time.Second
	// TimeFunc supplies "now" for time-based claim checks; tests may override it. ValidateTimeFunc provides a
	// per-validation alternative that does not touch global state.
	TimeFunc                   = time.Now
)
var (
	// ErrInvalidType signals that a claim value had an unexpected dynamic type (for example a non-string where a
	// string claim is required). Compare with errors.Is in case it has been wrapped.
	ErrInvalidType = errors.New("invalid type for claim")
)

Functions

func Copy

func Copy(elements map[string]any) (result map[string]any)

Copy copies all elements of a map into a new map and returns it.

func EncodeCompactSigned added in v0.2.0

func EncodeCompactSigned(ctx context.Context, claims Claims, headers Mapper, key *jose.JSONWebKey) (tokenString string, signature string, err error)

EncodeCompactSigned helps to encode a token using a signature backed compact encoding.

func EncodeNestedCompactEncrypted added in v0.2.0

func EncodeNestedCompactEncrypted(ctx context.Context, claims Claims, headers, headersJWE Mapper, keySig, keyEnc *jose.JSONWebKey, enc jose.ContentEncryption) (tokenString string, signature string, err error)

EncodeNestedCompactEncrypted helps to encode a token using a signature backed compact encoding, then nests that within an encrypted compact encoded JWT.

func Filter

func Filter(elements map[string]any, keys ...string) map[string]any

Filter will filter out elements based on keys in a given input map and key slice.

func FindClientPublicJWK added in v0.2.0

func FindClientPublicJWK(ctx context.Context, client BaseClient, fetcher JWKSFetcherStrategy, kid, alg, use string, strict bool) (key *jose.JSONWebKey, err error)

FindClientPublicJWK given a BaseClient, JWKSFetcherStrategy, and search parameters will return a *jose.JSONWebKey on a valid match. The *jose.JSONWebKey is guaranteed to match the alg and use values, and if strict is true it must match the kid value as well.

func IsEncryptedJWT added in v0.2.0

func IsEncryptedJWT(tokenString string) (encrypted bool)

IsEncryptedJWT returns true if a given token string meets the basic criteria of a compact serialized encrypted JWT.

func IsEncryptedJWTClientSecretAlg added in v0.2.0

func IsEncryptedJWTClientSecretAlg(alg string) (csa bool)

IsEncryptedJWTClientSecretAlg returns true if a given alg string is a client secret based encryption algorithm i.e. symmetric.

func IsEncryptedJWTPasswordBasedAlg added in v0.2.0

func IsEncryptedJWTPasswordBasedAlg(alg jose.KeyAlgorithm) (pba bool)

IsEncryptedJWTPasswordBasedAlg returns true if a given jose.KeyAlgorithm is a Password Based Algorithm.

func IsSignedJWT added in v0.2.0

func IsSignedJWT(tokenString string) (signed bool)

IsSignedJWT returns true if a given token string meets the basic criteria of a compact serialized signed JWT.

func IsSignedJWTClientSecretAlg added in v0.2.0

func IsSignedJWTClientSecretAlg(alg jose.SignatureAlgorithm) (csa bool)

func IsSignedJWTClientSecretAlgStr added in v0.2.0

func IsSignedJWTClientSecretAlgStr(alg string) (csa bool)

IsSignedJWTClientSecretAlgStr returns true if the given alg string is a client secret based signature algorithm.

func NewClientSecretJWK added in v0.2.0

func NewClientSecretJWK(ctx context.Context, secret []byte, kid, alg, enc, use string) (jwk *jose.JSONWebKey, err error)

NewClientSecretJWK returns a client secret based JWK from a client secret value.

The symmetric encryption key is derived from the client_secret value by using the left-most bits of a truncated SHA-2 hash of the octets of the UTF-8 representation of the client_secret. For keys of 256 or fewer bits, SHA-256 is used; for keys of 257-384 bits, SHA-384 is used; for keys of 385-512 bits, SHA-512 is used. The hash value MUST be truncated retaining the left-most bits to the appropriate bit length for the AES key wrapping or direct encryption algorithm used, for instance, truncating the SHA-256 hash to 128 bits for A128KW. If a symmetric key with greater than 512 bits is needed, a different method of deriving the key from the client_secret would have to be defined by an extension. Symmetric encryption MUST NOT be used by public (non-confidential) Clients because of their inability to keep secrets.

func NewClientSecretJWKFromClient added in v0.2.0

func NewClientSecretJWKFromClient(ctx context.Context, client BaseClient, kid, alg, enc, use string) (jwk *jose.JSONWebKey, err error)

NewClientSecretJWKFromClient returns a client secret based JWK from a client.

func SearchJWKS added in v0.2.0

func SearchJWKS(jwks *jose.JSONWebKeySet, kid, alg, use string, strict bool) (key *jose.JSONWebKey, err error)

func StringSliceFromMap

func StringSliceFromMap(value any) (values []string, ok bool)

StringSliceFromMap asserts a map value of type any to a []string, provided it has a suitable type.

func ToString

func ToString(i any) string

ToString will return a string representation of a map

func ToTime

func ToTime(i any) time.Time

ToTime will try to convert a given input to a time.Time structure

func UnsafeParseSignedAny added in v0.2.0

func UnsafeParseSignedAny(tokenString string, dest any) (token *jwt.JSONWebToken, err error)

UnsafeParseSignedAny is a function that will attempt to parse any signed token without any verification process. It's unsafe for production and should only be used for tests.

Types

type BaseClient added in v0.2.0

// BaseClient is the minimum a client must expose for JWT processing: its identifier, an optional plaintext secret
// (for the symmetric client-secret based JWKs built by NewClientSecretJWKFromClient), and its public key set by
// value or by URI.
type BaseClient interface {
	// GetID returns the client ID.
	GetID() string

	// GetClientSecretPlainText returns the ClientSecret as plaintext if available. The semantics of this function
	// return values are important.
	// If the client is not configured with a secret the return should be:
	//   - secret with value nil, ok with value false, and err with value of nil
	// If the client is configured with a secret but is hashed or otherwise not a plaintext value:
	//   - secret with value nil, ok with value true, and err with value of nil
	// If an error occurs retrieving the secret other than this:
	//   - secret with value nil, ok with value true, and err with value of the error
	// If the plaintext secret is successful:
	//   - secret with value of the bytes of the plaintext secret, ok with value true, and err with value of nil
	// Implementations that only store a hashed secret therefore cannot support the symmetric (HS*/client-secret
	// JWE) algorithms, since the key is derived from the plaintext.
	GetClientSecretPlainText() (secret []byte, ok bool, err error)

	// GetJSONWebKeys returns the JSON Web Key Set containing the public key used by the client to authenticate.
	GetJSONWebKeys() (jwks *jose.JSONWebKeySet)

	// GetJSONWebKeysURI returns the URL for lookup of JSON Web Key Set containing the
	// public key used by the client to authenticate.
	// NOTE(review): this URI is presumably dereferenced by a JWKSFetcherStrategy (see FindClientPublicJWK); whatever
	// validates client registration should constrain it (scheme, host) since the fetcher follows it on the server's
	// behalf — confirm where that validation lives.
	GetJSONWebKeysURI() (uri string)
}

BaseClient represents the base implementation for any JWT compatible client.

type ClaimStrings added in v0.2.0

// ClaimStrings is a claim whose JSON form may be either a single string or an array of strings (the "aud" shape of
// RFC 7519 §4.1.3). Its UnmarshalJSON presumably accepts both forms and MarshalJSON's single-value output is
// presumably governed by MarshalSingleStringAsArray — confirm against those methods.
type ClaimStrings []string

func (ClaimStrings) MarshalJSON added in v0.2.0

func (s ClaimStrings) MarshalJSON() (b []byte, err error)

func (*ClaimStrings) UnmarshalJSON added in v0.2.0

func (s *ClaimStrings) UnmarshalJSON(data []byte) (err error)

func (ClaimStrings) Valid added in v0.2.0

func (s ClaimStrings) Valid(cmp string, required bool) (valid bool)

func (ClaimStrings) ValidAll added in v0.2.0

func (s ClaimStrings) ValidAll(cmp ClaimStrings, required bool) (valid bool)

func (ClaimStrings) ValidAny added in v0.2.0

func (s ClaimStrings) ValidAny(cmp ClaimStrings, required bool) (valid bool)

type ClaimValidationOption added in v0.2.0

// ClaimValidationOption mutates a ClaimValidationOptions and is passed to Claims.Valid. The Validate* constructors
// below are the supported options: issuer, subject, audience (any/all), required exp/iat/nbf, and the clock.
type ClaimValidationOption func(opts *ClaimValidationOptions)

func ValidateAudienceAll added in v0.2.0

func ValidateAudienceAll(aud ...string) ClaimValidationOption

func ValidateAudienceAny added in v0.2.0

func ValidateAudienceAny(aud ...string) ClaimValidationOption

func ValidateIssuer added in v0.2.0

func ValidateIssuer(iss string) ClaimValidationOption

func ValidateRequireExpiresAt added in v0.2.0

func ValidateRequireExpiresAt() ClaimValidationOption

func ValidateRequireIssuedAt added in v0.2.0

func ValidateRequireIssuedAt() ClaimValidationOption

func ValidateRequireNotBefore added in v0.2.0

func ValidateRequireNotBefore() ClaimValidationOption

func ValidateSubject added in v0.2.0

func ValidateSubject(sub string) ClaimValidationOption

func ValidateTimeFunc added in v0.2.0

func ValidateTimeFunc(timef func() time.Time) ClaimValidationOption

type ClaimValidationOptions added in v0.2.0

// ClaimValidationOptions is the accumulated result of applying ClaimValidationOption values; its fields are
// unexported, so it is only populated through those options.
type ClaimValidationOptions struct {
	// contains filtered or unexported fields
}

type Claims

// Claims is the contract every claim set satisfies so the registered claims (RFC 7519 §4.1) can be read uniformly
// and checked with Valid. Implementations visible on this page: IDTokenClaims and JARMClaims.
type Claims interface {
	// GetExpirationTime returns the "exp" claim (presumably nil when absent).
	GetExpirationTime() (exp *NumericDate, err error)
	// GetIssuedAt returns the "iat" claim.
	GetIssuedAt() (iat *NumericDate, err error)
	// GetNotBefore returns the "nbf" claim.
	GetNotBefore() (nbf *NumericDate, err error)
	// GetIssuer returns the "iss" claim.
	GetIssuer() (iss string, err error)
	// GetSubject returns the "sub" claim.
	GetSubject() (sub string, err error)
	// GetAudience returns the "aud" claim in its string-or-array form.
	GetAudience() (aud ClaimStrings, err error)
	// ToMapClaims converts the claim set to the jwt-go style MapClaims representation.
	ToMapClaims() MapClaims
	// Valid checks the claims against the given options. Presumably a claim is only checked when the matching
	// option is supplied, so callers that need an issuer or audience check must pass ValidateIssuer /
	// ValidateAudienceAny explicitly — confirm which checks run with no options.
	Valid(opts ...ClaimValidationOption) (err error)
}

type Client added in v0.2.0

// Client pairs the per-purpose JOSE parameters (kid/alg/enc for signing and encryption) with the BaseClient key
// material. The New*Client adapters presumably populate these from the matching registration metadata of an
// IDTokenClient, IntrospectionClient, JARClient, etc.
type Client interface {
	// GetSigningKeyID returns the "kid" used to select the signing key; "" lets alg/use drive the selection.
	GetSigningKeyID() (kid string)
	// GetSigningAlg returns the JWS "alg" for this client.
	GetSigningAlg() (alg string)
	// GetEncryptionKeyID returns the "kid" used to select the encryption key; "" when unspecified.
	GetEncryptionKeyID() (kid string)
	// GetEncryptionAlg returns the JWE "alg" (key management) value; presumably "" means no encryption.
	GetEncryptionAlg() (alg string)
	// GetEncryptionEnc returns the JWE "enc" (content encryption) value.
	GetEncryptionEnc() (enc string)

	// IsClientSigned reports whether tokens are signed by the client rather than the issuer (e.g. JAR request
	// objects), which presumably decides whose key set is consulted — confirm.
	IsClientSigned() (is bool)

	BaseClient
}

Client represents a client which can be used to sign, verify, encrypt, and decrypt JWTs.

func NewIDTokenClient added in v0.2.0

func NewIDTokenClient(client any) Client

NewIDTokenClient converts a type into a Client provided it implements the IDTokenClient.

func NewIntrospectionClient added in v0.2.0

func NewIntrospectionClient(client any) Client

NewIntrospectionClient converts a type into a Client provided it implements the IntrospectionClient.

func NewJARClient added in v0.2.0

func NewJARClient(client any) Client

NewJARClient converts a type into a Client provided it implements the JARClient.

func NewJARMClient added in v0.2.0

func NewJARMClient(client any) Client

NewJARMClient converts a type into a Client provided it implements the JARMClient.

func NewJWTProfileAccessTokenClient added in v0.2.0

func NewJWTProfileAccessTokenClient(client any) Client

NewJWTProfileAccessTokenClient converts a type into a Client provided it implements the JWTProfileAccessTokenClient.

func NewStatelessJWTProfileIntrospectionClient added in v0.2.0

func NewStatelessJWTProfileIntrospectionClient(client any) Client

NewStatelessJWTProfileIntrospectionClient converts a type into a Client provided it implements either the IntrospectionClient or JWTProfileAccessTokenClient.

func NewUserInfoClient added in v0.2.0

func NewUserInfoClient(client any) Client

NewUserInfoClient converts a type into a Client provided it implements the UserInfoClient.

type DefaultIssuer added in v0.2.0

// DefaultIssuer is the Issuer implementation holding the server's own JWK set; construct it with the NewDefaultIssuer*
// or GenDefaultIssuer functions. The *Unverified constructors skip the RS256 / RSA key-size checks the verified ones
// perform, so prefer the verified forms outside tests.
type DefaultIssuer struct {
	// contains filtered or unexported fields
}

func GenDefaultIssuer added in v0.2.0

func GenDefaultIssuer() (issuer *DefaultIssuer, err error)

GenDefaultIssuer generates a *DefaultIssuer with a random RSA key.

func MustGenDefaultIssuer added in v0.2.0

func MustGenDefaultIssuer() (issuer *DefaultIssuer)

MustGenDefaultIssuer is the same as GenDefaultIssuer but it panics on an error.

func MustNewDefaultIssuerRS256 added in v0.2.0

func MustNewDefaultIssuerRS256(key any) (issuer *DefaultIssuer)

MustNewDefaultIssuerRS256 is the same as NewDefaultIssuerRS256 but it panics if an error occurs.

func NewDefaultIssuer added in v0.2.0

func NewDefaultIssuer(keys ...jose.JSONWebKey) (issuer *DefaultIssuer, err error)

NewDefaultIssuer returns a new issuer and verifies that one RS256 key exists.

func NewDefaultIssuerFromJWKS added in v0.2.0

func NewDefaultIssuerFromJWKS(jwks *jose.JSONWebKeySet) (issuer *DefaultIssuer, err error)

func NewDefaultIssuerRS256 added in v0.2.0

func NewDefaultIssuerRS256(key any) (issuer *DefaultIssuer, err error)

NewDefaultIssuerRS256 returns an issuer with a single key and returns an error if it is not an RSA key of 2048 bits or more.

func NewDefaultIssuerRS256Unverified added in v0.2.0

func NewDefaultIssuerRS256Unverified(key any) (issuer *DefaultIssuer)

NewDefaultIssuerRS256Unverified returns an issuer with a single key asserting the type is an RSA key.

func NewDefaultIssuerUnverifiedFromJWKS added in v0.2.0

func NewDefaultIssuerUnverifiedFromJWKS(jwks *jose.JSONWebKeySet) (issuer *DefaultIssuer)

NewDefaultIssuerUnverifiedFromJWKS returns a new issuer from a jose.JSONWebKeySet without verification.

func (*DefaultIssuer) GetIssuerJWK added in v0.2.0

func (i *DefaultIssuer) GetIssuerJWK(ctx context.Context, kid, alg, use string) (jwk *jose.JSONWebKey, err error)

func (*DefaultIssuer) GetIssuerStrictJWK added in v0.2.0

func (i *DefaultIssuer) GetIssuerStrictJWK(ctx context.Context, kid, alg, use string) (jwk *jose.JSONWebKey, err error)

type DefaultStrategy added in v0.2.0

// DefaultStrategy is responsible for providing JWK encoding and cryptographic functionality; Encode, Decode, Decrypt
// and Validate are its operations. Config supplies the policy and Issuer the server-side keys.
type DefaultStrategy struct {
	// Config holds the strategy configuration; StrategyConfig is defined outside this listing.
	Config StrategyConfig
	// Issuer resolves the server's own JWKs (see Issuer.GetIssuerJWK / GetIssuerStrictJWK).
	Issuer Issuer
}

DefaultStrategy is responsible for providing JWK encoding and cryptographic functionality.

func (*DefaultStrategy) Decode added in v0.2.0

func (j *DefaultStrategy) Decode(ctx context.Context, tokenString string, opts ...StrategyOpt) (token *Token, err error)

func (*DefaultStrategy) Decrypt added in v0.2.0

func (j *DefaultStrategy) Decrypt(ctx context.Context, tokenStringEnc string, opts ...StrategyOpt) (tokenString, signature string, jwe *jose.JSONWebEncryption, err error)

func (*DefaultStrategy) Encode added in v0.2.0

func (j *DefaultStrategy) Encode(ctx context.Context, claims Claims, opts ...StrategyOpt) (tokenString string, signature string, err error)

func (*DefaultStrategy) Validate added in v0.2.0

func (j *DefaultStrategy) Validate(ctx context.Context, token *Token, opts ...StrategyOpt) (err error)

type HeaderValidationOption added in v0.2.0

// HeaderValidationOption mutates a HeaderValidationOptions; the Validate* constructors below cover alg, enc, key alg,
// kid, encryption kid and typ. Pinning the expected alg and typ is the standard defence against algorithm-confusion
// and token-type-confusion (RFC 8725 §3.1 and §3.11).
type HeaderValidationOption func(opts *HeaderValidationOptions)

func ValidateAlgorithm added in v0.2.0

func ValidateAlgorithm(alg string) HeaderValidationOption

func ValidateContentEncryption added in v0.2.0

func ValidateContentEncryption(enc string) HeaderValidationOption

func ValidateEncryptionKeyID added in v0.2.0

func ValidateEncryptionKeyID(kid string) HeaderValidationOption

func ValidateKeyAlgorithm added in v0.2.0

func ValidateKeyAlgorithm(alg string) HeaderValidationOption

func ValidateKeyID added in v0.2.0

func ValidateKeyID(kid string) HeaderValidationOption

func ValidateTypes added in v0.2.0

func ValidateTypes(types ...string) HeaderValidationOption

type HeaderValidationOptions added in v0.2.0

// HeaderValidationOptions is the accumulated result of applying HeaderValidationOption values; its fields are
// unexported, so it is only populated through those options.
type HeaderValidationOptions struct {
	// contains filtered or unexported fields
}

type Headers

// Headers holds the JWT headers the caller wants added to a token, as a free-form map. This is caller input; headers
// parsed from an incoming token are untrusted until its signature is verified.
type Headers struct {
	// Extra holds the header parameters (name -> value); Add, Get and SetDefaultString operate on it.
	Extra map[string]any `json:"extra"`
}

Headers holds the JWT headers.

func NewHeaders

func NewHeaders() *Headers

func (*Headers) Add

func (h *Headers) Add(key string, value any)

Add will add a key-value pair to the extra field

func (*Headers) Get

func (h *Headers) Get(key string) any

Get will get a value from the extra field based on a given key

func (*Headers) SetDefaultString

func (h *Headers) SetDefaultString(key, value string)

func (*Headers) ToMap

func (h *Headers) ToMap() map[string]any

ToMap will transform the headers to a map structure

func (Headers) ToMapClaims

func (h Headers) ToMapClaims() MapClaims

ToMapClaims will return a jwt-go MapClaims representation

type IDTokenClaims

// IDTokenClaims holds the OpenID Connect ID Token claim set plus an Extra map for non-standard claims.
type IDTokenClaims struct {
	// JTI is the unique token identifier.
	JTI                                 string         `json:"jti"`
	// Issuer is the "iss" claim; a relying party must check it against the OP it expects.
	Issuer                              string         `json:"iss"`
	Subject                             string         `json:"sub"`
	// Audience is a plain []string here, unlike JARMClaims.Audience (ClaimStrings); the custom UnmarshalJSON on this
	// type presumably accepts the single-string "aud" form — confirm.
	Audience                            []string       `json:"aud"`
	ExpirationTime                      *NumericDate   `json:"exp"`
	IssuedAt                            *NumericDate   `json:"iat"`
	// AuthTime is the time of end-user authentication (OIDC "auth_time").
	AuthTime                            *NumericDate   `json:"auth_time,omitempty"`
	// RequestedAt ("rat") is a non-standard claim.
	RequestedAt                         *NumericDate   `json:"rat,omitempty"`
	// Nonce echoes the request nonce; a relying party compares it with the value it sent to detect replay.
	Nonce                               string         `json:"nonce,omitempty"`
	AuthenticationContextClassReference string         `json:"acr,omitempty"`
	AuthenticationMethodsReferences     []string       `json:"amr,omitempty"`
	AuthorizedParty                     string         `json:"azp,omitempty"`
	// AccessTokenHash, CodeHash and StateHash bind the ID Token to the access token, authorization code and state
	// issued alongside it (OIDC Core 1.0; s_hash is used by FAPI), so a token cannot be paired with substituted
	// artifacts.
	AccessTokenHash                     string         `json:"at_hash,omitempty"`
	CodeHash                            string         `json:"c_hash,omitempty"`
	StateHash                           string         `json:"s_hash,omitempty"`
	// Extra carries additional claims under the "ext" key; Add and Get operate on it.
	Extra                               map[string]any `json:"ext,omitempty"`
}

IDTokenClaims represents the claims used in OpenID Connect requests.

func (*IDTokenClaims) Add

func (c *IDTokenClaims) Add(key string, value any)

Add will add a key-value pair to the extra field

func (*IDTokenClaims) Get

func (c *IDTokenClaims) Get(key string) any

Get will get a value from the extra field based on a given key

func (*IDTokenClaims) GetAudience added in v0.2.0

func (c *IDTokenClaims) GetAudience() (aud ClaimStrings, err error)

func (*IDTokenClaims) GetAuthTimeSafe added in v0.2.0

func (c *IDTokenClaims) GetAuthTimeSafe() time.Time

func (*IDTokenClaims) GetExpirationTime added in v0.2.0

func (c *IDTokenClaims) GetExpirationTime() (exp *NumericDate, err error)

func (*IDTokenClaims) GetExpirationTimeSafe added in v0.2.0

func (c *IDTokenClaims) GetExpirationTimeSafe() time.Time

func (*IDTokenClaims) GetIssuedAt added in v0.2.0

func (c *IDTokenClaims) GetIssuedAt() (iat *NumericDate, err error)

func (*IDTokenClaims) GetIssuedAtSafe added in v0.2.0

func (c *IDTokenClaims) GetIssuedAtSafe() time.Time

func (*IDTokenClaims) GetIssuer added in v0.2.0

func (c *IDTokenClaims) GetIssuer() (iss string, err error)

func (*IDTokenClaims) GetNotBefore added in v0.2.0

func (c *IDTokenClaims) GetNotBefore() (nbf *NumericDate, err error)

func (*IDTokenClaims) GetRequestedAtSafe added in v0.2.0

func (c *IDTokenClaims) GetRequestedAtSafe() time.Time

func (*IDTokenClaims) GetSubject added in v0.2.0

func (c *IDTokenClaims) GetSubject() (sub string, err error)

func (*IDTokenClaims) ToMap

func (c *IDTokenClaims) ToMap() map[string]any

ToMap will transform the claims to a map structure

func (IDTokenClaims) ToMapClaims

func (c IDTokenClaims) ToMapClaims() MapClaims

ToMapClaims will return a jwt-go MapClaims representation

func (*IDTokenClaims) UnmarshalJSON added in v0.2.0

func (c *IDTokenClaims) UnmarshalJSON(data []byte) error

func (IDTokenClaims) Valid added in v0.2.0

func (c IDTokenClaims) Valid(opts ...ClaimValidationOption) (err error)

type IDTokenClient added in v0.2.0

// IDTokenClient exposes the ID Token signing/encryption registration metadata of a client; NewIDTokenClient adapts it
// to a Client.
type IDTokenClient interface {
	// GetIDTokenSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements of the ID
	// Token specifications. If unspecified the other available parameters will be utilized to select an appropriate
	// key.
	GetIDTokenSignedResponseKeyID() (kid string)

	// GetIDTokenSignedResponseAlg is equivalent to the 'id_token_signed_response_alg' client metadata value which
	// determines the JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The value none
	// MUST NOT be used as the ID Token alg value unless the Client uses only Response Types that return no ID Token
	// from the Authorization Endpoint (such as when only using the Authorization Code Flow). The default, if omitted,
	// is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the
	// jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery].
	// NOTE(review): the conditions under which this library honours a value of none are not visible here; the opt-in
	// constant UnsafeAllowNoneSignatureType suggests it is gated — confirm before registering none for a client.
	GetIDTokenSignedResponseAlg() (alg string)

	// GetIDTokenEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements of the ID
	// Token specifications. If unspecified the other available parameters will be utilized to select an appropriate
	// key.
	GetIDTokenEncryptedResponseKeyID() (kid string)

	// GetIDTokenEncryptedResponseAlg is equivalent to the 'id_token_encrypted_response_alg' client metadata value which
	// determines the JWE alg algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If this is
	// requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT].
	// The default, if omitted, is that no encryption is performed.
	GetIDTokenEncryptedResponseAlg() (alg string)

	// GetIDTokenEncryptedResponseEnc is equivalent to the 'id_token_encrypted_response_enc' client metadata value which
	// determines the JWE enc algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If
	// id_token_encrypted_response_alg is specified, the default id_token_encrypted_response_enc value is A128CBC-HS256.
	// When id_token_encrypted_response_enc is included, id_token_encrypted_response_alg MUST also be provided.
	GetIDTokenEncryptedResponseEnc() (enc string)

	BaseClient
}

type IntrospectionClient added in v0.2.0

// IntrospectionClient exposes the JWT introspection-response registration metadata of a client (JWT Response for OAuth
// Token Introspection); NewIntrospectionClient adapts it to a Client.
type IntrospectionClient interface {
	// GetIntrospectionSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements for
	// OAuth 2.0 JWT introspection response specifications. If unspecified the other available parameters will be
	// utilized to select an appropriate key.
	GetIntrospectionSignedResponseKeyID() (kid string)

	// GetIntrospectionSignedResponseAlg is equivalent to the 'introspection_signed_response_alg' client metadata
	// value which determines the JWS [RFC7515] algorithm (alg value) as defined in JWA [RFC7518] for signing
	// introspection responses. If this is specified, the response will be signed using JWS and the configured
	// algorithm. The default, if omitted, is RS256.
	GetIntrospectionSignedResponseAlg() (alg string)

	// GetIntrospectionEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements for
	// OAuth 2.0 JWT introspection response specifications. If unspecified the other available parameters will be
	// utilized to select an appropriate key.
	GetIntrospectionEncryptedResponseKeyID() (kid string)

	// GetIntrospectionEncryptedResponseAlg is equivalent to the 'introspection_encrypted_response_alg' client metadata
	// value which determines the JWE [RFC7516] algorithm (alg value) as defined in JWA [RFC7518] for content key
	// encryption. If this is specified, the response will be encrypted using JWE and the configured content encryption
	// algorithm (introspection_encrypted_response_enc). The default, if omitted, is that no encryption is performed.
	// If both signing and encryption are requested, the response will be signed then encrypted, with the result being
	// a Nested JWT, as defined in JWT [RFC7519].
	GetIntrospectionEncryptedResponseAlg() (alg string)

	// GetIntrospectionEncryptedResponseEnc is equivalent to the 'introspection_encrypted_response_enc' client metadata
	// value which determines the JWE [RFC7516] algorithm (enc value) as defined in JWA [RFC7518] for content
	// encryption of introspection responses. The default, if omitted, is A128CBC-HS256. Note: This parameter MUST NOT
	// be specified without setting introspection_encrypted_response_alg.
	GetIntrospectionEncryptedResponseEnc() (enc string)

	BaseClient
}

type Issuer added in v0.2.0

// Issuer resolves the server's own JSON Web Keys by kid, alg and use. By analogy with FindClientPublicJWK's strict
// flag, GetIssuerJWK presumably tolerates a non-matching kid and falls back to alg/use matching, while
// GetIssuerStrictJWK presumably requires the kid to match — confirm against DefaultIssuer.
type Issuer interface {
	GetIssuerJWK(ctx context.Context, kid, alg, use string) (jwk *jose.JSONWebKey, err error)
	GetIssuerStrictJWK(ctx context.Context, kid, alg, use string) (jwk *jose.JSONWebKey, err error)
}

type JARClient added in v0.2.0

// JARClient exposes the request-object (JWT Secured Authorization Request) registration metadata of a client;
// NewJARClient adapts it to a Client. Request objects are signed by the client, so the client's key set is what
// verifies them.
type JARClient interface {
	// GetRequestObjectSigningKeyID returns the specific key identifier used to satisfy JWS requirements of the request
	// object specifications. If unspecified the other available parameters will be utilized to select an appropriate
	// key.
	GetRequestObjectSigningKeyID() (kid string)

	// GetRequestObjectSigningAlg is equivalent to the 'request_object_signing_alg' client metadata
	// value which determines the JWS alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP.
	// All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are
	// described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the
	// Request Object is passed by value (using the request parameter) and when it is passed by reference (using the
	// request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is
	// that any algorithm supported by the OP and the RP MAY be used.
	// NOTE(review): a registered value of none means request objects for this client are accepted unauthenticated;
	// server-side acceptance of alg:none is presumably gated by UnsafeAllowNoneSignatureType — confirm that gate
	// applies before the request object's parameters are trusted.
	GetRequestObjectSigningAlg() (alg string)

	// GetRequestObjectEncryptionKeyID returns the specific key identifier used to satisfy JWE requirements of the
	// request object specifications. If unspecified the other available parameters will be utilized to select an
	// appropriate key.
	GetRequestObjectEncryptionKeyID() (kid string)

	// GetRequestObjectEncryptionAlg is equivalent to the 'request_object_encryption_alg' client metadata value which
	// determines the JWE alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to
	// the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP
	// that a client_secret value needs to be returned from which the symmetric key will be derived, that might not
	// otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request
	// Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object
	// will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted,
	// is that the RP is not declaring whether it might encrypt any Request Objects.
	GetRequestObjectEncryptionAlg() (alg string)

	// GetRequestObjectEncryptionEnc is equivalent to the 'request_object_encryption_enc' client metadata value which
	// determines the JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to
	// the OP. If request_object_encryption_alg is specified, the default request_object_encryption_enc value is
	// A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be
	// provided.
	GetRequestObjectEncryptionEnc() (enc string)

	BaseClient
}

JARClient represents the implementation for any JWT Authorization Request compatible client.

type JARMClaims

// JARMClaims holds the claims of a JWT-secured Authorization Response (JARM) token. Each exported field maps to
// the registered JWT claim named by its json tag; claims without a dedicated field live in Extra.
type JARMClaims struct {
	// Issuer is the 'iss' claim.
	Issuer         string         `json:"iss"`
	// Audience is the 'aud' claim.
	Audience       ClaimStrings   `json:"aud"`
	// JTI is the 'jti' (JWT ID) claim.
	JTI            string         `json:"jti"`
	// IssuedAt is the 'iat' claim; omitted from the JSON encoding when nil.
	IssuedAt       *NumericDate   `json:"iat,omitempty"`
	// ExpirationTime is the 'exp' claim; omitted from the JSON encoding when nil.
	ExpirationTime *NumericDate   `json:"exp,omitempty"`
	// Extra holds additional claims. It is excluded from direct JSON encoding (json:"-") and is accessed through
	// the Add and Get methods.
	Extra          map[string]any `json:"-"`
}

JARMClaims represents a token's claims.

func NewJARMClaims added in v0.2.0

func NewJARMClaims(issuer string, aud ClaimStrings, lifespan time.Duration) *JARMClaims

func (*JARMClaims) Add

func (c *JARMClaims) Add(key string, value any)

Add adds a key-value pair to the Extra field.

func (*JARMClaims) FromMap

func (c *JARMClaims) FromMap(m map[string]any)

FromMap will set the claims based on a mapping

func (*JARMClaims) FromMapClaims

func (c *JARMClaims) FromMapClaims(mc MapClaims)

FromMapClaims will populate claims from a jwt-go MapClaims representation

func (JARMClaims) Get

func (c JARMClaims) Get(key string) any

Get will get a value from the extra field based on a given key

func (*JARMClaims) GetAudience added in v0.2.0

func (c *JARMClaims) GetAudience() (aud ClaimStrings, err error)

func (*JARMClaims) GetExpirationTime added in v0.2.0

func (c *JARMClaims) GetExpirationTime() (exp *NumericDate, err error)

func (*JARMClaims) GetIssuedAt added in v0.2.0

func (c *JARMClaims) GetIssuedAt() (iat *NumericDate, err error)

func (*JARMClaims) GetIssuer added in v0.2.0

func (c *JARMClaims) GetIssuer() (iss string, err error)

func (*JARMClaims) GetNotBefore added in v0.2.0

func (c *JARMClaims) GetNotBefore() (nbf *NumericDate, err error)

func (*JARMClaims) GetSubject added in v0.2.0

func (c *JARMClaims) GetSubject() (sub string, err error)

func (*JARMClaims) ToMap

func (c *JARMClaims) ToMap() map[string]any

ToMap transforms the claims into a map structure.

func (JARMClaims) ToMapClaims

func (c JARMClaims) ToMapClaims() MapClaims

ToMapClaims will return a jwt-go MapClaims representation

func (*JARMClaims) Valid added in v0.2.0

func (c *JARMClaims) Valid(opts ...ClaimValidationOption) (err error)

type JARMClient added in v0.2.0

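// JARMClient represents a client that receives JWT-secured Authorization Responses (JARM). Its accessors mirror
// the corresponding client metadata values and select the key identifiers and algorithms used to sign and
// encrypt the authorization response.
type JARMClient interface {
	// GetAuthorizationSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements of the
	// JWT-secured Authorization Response Method (JARM) specifications. If unspecified the other available parameters
	// will be utilized to select an appropriate key.
	GetAuthorizationSignedResponseKeyID() (kid string)

	// GetAuthorizationSignedResponseAlg is equivalent to the 'authorization_signed_response_alg' client metadata
	// value which determines the JWS [RFC7515] alg algorithm JWA [RFC7518] REQUIRED for signing authorization
	// responses. If this is specified, the response will be signed using JWS and the configured algorithm. The
	// algorithm none is not allowed. The default, if omitted, is RS256.
	GetAuthorizationSignedResponseAlg() (alg string)

	// GetAuthorizationEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements of
	// the JWT-secured Authorization Response Method (JARM) specifications. If unspecified the other available
	// parameters will be utilized to select an appropriate key.
	GetAuthorizationEncryptedResponseKeyID() (kid string)

	// GetAuthorizationEncryptedResponseAlg is equivalent to the 'authorization_encrypted_response_alg' client metadata
	// value which determines the JWE [RFC7516] alg algorithm JWA [RFC7518] REQUIRED for encrypting authorization
	// responses. If both signing and encryption are requested, the response will be signed then encrypted, with the
	// result being a Nested JWT, as defined in JWT [RFC7519]. The default, if omitted, is that no encryption is
	// performed.
	GetAuthorizationEncryptedResponseAlg() (alg string)

	// GetAuthorizationEncryptedResponseEnc is equivalent to the 'authorization_encrypted_response_enc' client
	// metadata value which determines the JWE [RFC7516] enc algorithm JWA [RFC7518] REQUIRED for encrypting
	// authorization responses. If authorization_encrypted_response_alg is specified, the default for this value is
	// A128CBC-HS256. When authorization_encrypted_response_enc is included, authorization_encrypted_response_alg MUST
	// also be provided. The result is named enc (not alg) to match the other *ResponseEnc accessors.
	GetAuthorizationEncryptedResponseEnc() (enc string)

	BaseClient
}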

type JWKLookupError added in v0.2.0

// JWKLookupError reports a failure to resolve a JSON Web Key. Description is the human-readable message returned
// by GetDescription, and Errors is a bitfield of the JWKLookupError... constants identifying the cause(s).
type JWKLookupError struct {
	Description string
	Errors      uint32 // bitfield.  see JWKLookupError... constants
}

func (*JWKLookupError) Error added in v0.2.0

func (e *JWKLookupError) Error() string

func (*JWKLookupError) GetDescription added in v0.2.0

func (e *JWKLookupError) GetDescription() string

type JWKSFetcherStrategy added in v0.2.0

// JWKSFetcherStrategy resolves a remote JSON Web Key Set, optionally through a cache.
type JWKSFetcherStrategy interface {
	// Resolve returns the JSON Web Key Set found at location, or an error if something went wrong. The ignoreCache
	// parameter, if true, forces the strategy to fetch the key set from the remote; if false, the strategy may serve
	// a cached copy instead. location is presumably the JWKS URI — confirm against callers.
	Resolve(ctx context.Context, location string, ignoreCache bool) (jwks *jose.JSONWebKeySet, err error)
}

type JWTClaims

// JWTClaims holds a token's claims as native Go values. Unlike JARMClaims it carries no json tags; conversion to
// and from the wire representation goes through ToMap/ToMapClaims and FromMap/FromMapClaims.
type JWTClaims struct {
	// Subject is the 'sub' claim.
	Subject    string
	// Issuer is the 'iss' claim.
	Issuer     string
	// Audience is the 'aud' claim.
	Audience   []string
	// JTI is the 'jti' (JWT ID) claim.
	JTI        string
	// IssuedAt is the 'iat' claim; the zero time presumably means unset — confirm in ToMap.
	IssuedAt   time.Time
	// NotBefore is the 'nbf' claim.
	NotBefore  time.Time
	// ExpiresAt is the 'exp' claim.
	ExpiresAt  time.Time
	// Scope is the token's scope; ScopeField controls how it is encoded.
	Scope      []string
	// Extra holds additional claims, accessed through Add and Get.
	Extra      map[string]any
	// ScopeField selects the scope encoding (see the JWTScopeField... constants and WithScopeField).
	ScopeField JWTScopeFieldEnum
}

JWTClaims represents a token's claims.

func (*JWTClaims) Add

func (c *JWTClaims) Add(key string, value any)

Add adds a key-value pair to the Extra field.

func (*JWTClaims) FromMap

func (c *JWTClaims) FromMap(m map[string]any)

FromMap will set the claims based on a mapping.

TODO: Refactor time permitting.

func (*JWTClaims) FromMapClaims

func (c *JWTClaims) FromMapClaims(mc MapClaims)

FromMapClaims will populate claims from a jwt-go MapClaims representation

func (JWTClaims) Get

func (c JWTClaims) Get(key string) any

Get will get a value from the extra field based on a given key

func (*JWTClaims) Sanitize

func (c *JWTClaims) Sanitize() JWTClaimsContainer

func (*JWTClaims) ToMap

func (c *JWTClaims) ToMap() map[string]any

ToMap transforms the claims into a map structure.

func (JWTClaims) ToMapClaims

func (c JWTClaims) ToMapClaims() MapClaims

ToMapClaims will return a jwt-go MapClaims representation

func (*JWTClaims) With

func (c *JWTClaims) With(expiry time.Time, scope, audience []string) JWTClaimsContainer

func (*JWTClaims) WithDefaults

func (c *JWTClaims) WithDefaults(iat, nbf time.Time, issuer string) JWTClaimsContainer

func (*JWTClaims) WithScopeField

func (c *JWTClaims) WithScopeField(scopeField JWTScopeFieldEnum) JWTClaimsContainer

type JWTClaimsContainer

// JWTClaimsContainer is a claims set that can be derived into new copies with defaults and overrides applied and
// finally rendered as MapClaims. JWTClaims implements it.
type JWTClaimsContainer interface {
	// Sanitize should clear the IssuedAt and NotBefore values.
	Sanitize() JWTClaimsContainer

	// With returns a copy of itself with expiresAt, scope, audience set to the given values.
	With(expiry time.Time, scope, audience []string) JWTClaimsContainer

	// WithDefaults returns a copy of itself with issuedAt and issuer set to the given default values. If those
	// values are already set in the claims, they will not be updated. nbf presumably fills NotBefore under the same
	// rule — confirm against the JWTClaims implementation.
	WithDefaults(iat, nbf time.Time, issuer string) JWTClaimsContainer

	// WithScopeField configures how a scope field should be represented in JWT.
	WithScopeField(scopeField JWTScopeFieldEnum) JWTClaimsContainer

	// ToMapClaims returns the claims as a MapClaims type.
	ToMapClaims() MapClaims
}

type JWTClaimsDefaults

// JWTClaimsDefaults carries default values for the expiry, issued-at, issuer and scope of a JWT. Where these are
// applied is not visible here; presumably they fill claims that are otherwise unset — confirm at the call site.
type JWTClaimsDefaults struct {
	ExpiresAt time.Time
	IssuedAt  time.Time
	Issuer    string
	Scope     []string
}

type JWTProfileAccessTokenClient added in v0.2.0

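// JWTProfileAccessTokenClient represents a client that may be issued JWT Profile for OAuth 2.0 Access Tokens. Its
// accessors select the key identifiers and algorithms used to sign and encrypt those tokens, and whether the
// profile is enabled for the client at all.
type JWTProfileAccessTokenClient interface {
	// GetAccessTokenSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements for
	// JWT Profile for OAuth 2.0 Access Tokens specifications. If unspecified the other available parameters will be
	// utilized to select an appropriate key.
	GetAccessTokenSignedResponseKeyID() (kid string)

	// GetAccessTokenSignedResponseAlg determines the JWS [RFC7515] algorithm (alg value) as defined in JWA [RFC7518]
	// for signing JWT Profile Access Token responses. If this is specified, the response will be signed using JWS and
	// the configured algorithm. The default, if omitted, is none; i.e. unsigned responses unless the
	// GetEnableJWTProfileOAuthAccessTokens receiver returns true in which case the default is RS256.
	GetAccessTokenSignedResponseAlg() (alg string)

	// GetAccessTokenEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements for
	// JWT Profile for OAuth 2.0 Access Tokens specifications. If unspecified the other available parameters will be
	// utilized to select an appropriate key.
	GetAccessTokenEncryptedResponseKeyID() (kid string)

	// GetAccessTokenEncryptedResponseAlg determines the JWE [RFC7516] algorithm (alg value) as defined in JWA [RFC7518]
	// for content key encryption. If this is specified, the response will be encrypted using JWE and the configured
	// content encryption algorithm (access_token_encrypted_response_enc). The default, if omitted, is that no
	// encryption is performed. If both signing and encryption are requested, the response will be signed then
	// encrypted, with the result being a Nested JWT, as defined in JWT [RFC7519].
	GetAccessTokenEncryptedResponseAlg() (alg string)

	// GetAccessTokenEncryptedResponseEnc determines the JWE [RFC7516] algorithm (enc value) as defined in JWA [RFC7518]
	// for content encryption of access token responses. The default, if omitted, is A128CBC-HS256. Note: This parameter
	// MUST NOT be specified without setting access_token_encrypted_response_alg. The result is named enc (not alg)
	// to match the other *ResponseEnc accessors.
	GetAccessTokenEncryptedResponseEnc() (enc string)

	// GetEnableJWTProfileOAuthAccessTokens indicates this client should or should not issue JWT Profile Access Tokens.
	GetEnableJWTProfileOAuthAccessTokens() (enforce bool)

	BaseClient
}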

type JWTScopeFieldEnum

// JWTScopeFieldEnum selects how the scope claim is encoded in a JWT; see the JWTScopeField... constants.
type JWTScopeFieldEnum int

JWTScopeFieldEnum is an enum for the different types of scope encoding.

// Scope encodings selectable through JWTClaims.ScopeField / WithScopeField. The exact wire form of each value is
// not visible here; the names suggest list vs. single-string vs. both — confirm in ToMapClaims.
const (
	// JWTScopeFieldUnset is the zero value: no encoding has been chosen explicitly.
	JWTScopeFieldUnset JWTScopeFieldEnum = iota
	// JWTScopeFieldList presumably encodes scope as a list of strings.
	JWTScopeFieldList
	// JWTScopeFieldString presumably encodes scope as a single string.
	JWTScopeFieldString
	// JWTScopeFieldBoth presumably emits both representations.
	JWTScopeFieldBoth
)

type KeyFuncJWE added in v0.2.0

// KeyFuncJWE selects the JSON Web Key used to decrypt a JWE, given the parsed encryption object and the key
// identifier (kid) and key algorithm (alg) taken from its header. Those header values come from the not yet
// decrypted input and should only be used to look a key up, never trusted on their own.
type KeyFuncJWE func(ctx context.Context, jwe *jose.JSONWebEncryption, kid, alg string) (jwk *jose.JSONWebKey, err error)

type KeyFuncJWS added in v0.2.0

// KeyFuncJWS selects the JSON Web Key used to verify a JWS, given the parsed token and its claims. Presumably the
// token's signature has not been verified when this is called (compare Keyfunc), so the header and claims are
// untrusted input at this point — confirm against the Strategy implementation.
type KeyFuncJWS func(ctx context.Context, token *jwt.JSONWebToken, claims MapClaims) (jwk *jose.JSONWebKey, err error)

type Keyfunc

// Keyfunc supplies the verification key for a parsed but not yet verified Token (see Parse and ParseCustom); the
// token's header fields are available to choose the key but are untrusted until verification succeeds.
type Keyfunc func(token *Token) (key any, err error)

Keyfunc is used by parsing methods to supply the key for verification. The function receives the parsed but not yet verified Token, which allows properties in the Header of the token (such as `kid`) to identify which key to use; because the signature has not been checked at that point, those header values are untrusted input and should only be used to look a key up.

type MapClaims

// MapClaims is a simple map-based claims structure keyed by claim name; its Get*, Verify* and Valid methods
// interpret the registered claims (iss, sub, aud, exp, iat, nbf).
type MapClaims map[string]any

MapClaims is a simple map based claims structure.

func NewMapClaims added in v0.2.0

func NewMapClaims(obj any) (claims MapClaims)

NewMapClaims returns a set of MapClaims from an object that has the appropriate JSON tags.

func (MapClaims) GetAudience added in v0.2.0

func (m MapClaims) GetAudience() (aud ClaimStrings, err error)

GetAudience returns the 'aud' claim.

func (MapClaims) GetExpirationTime added in v0.2.0

func (m MapClaims) GetExpirationTime() (exp *NumericDate, err error)

GetExpirationTime returns the 'exp' claim.

func (MapClaims) GetIssuedAt added in v0.2.0

func (m MapClaims) GetIssuedAt() (iat *NumericDate, err error)

GetIssuedAt returns the 'iat' claim.

func (MapClaims) GetIssuer added in v0.2.0

func (m MapClaims) GetIssuer() (iss string, err error)

GetIssuer returns the 'iss' claim.

func (MapClaims) GetNotBefore added in v0.2.0

func (m MapClaims) GetNotBefore() (nbf *NumericDate, err error)

GetNotBefore returns the 'nbf' claim.

func (MapClaims) GetSubject added in v0.2.0

func (m MapClaims) GetSubject() (sub string, err error)

GetSubject returns the 'sub' claim.

func (MapClaims) ToMap added in v0.2.0

func (m MapClaims) ToMap() map[string]any

func (MapClaims) ToMapClaims added in v0.2.0

func (m MapClaims) ToMapClaims() MapClaims

func (MapClaims) UnmarshalJSON

func (m MapClaims) UnmarshalJSON(data []byte) error

func (MapClaims) Valid

func (m MapClaims) Valid(opts ...ClaimValidationOption) (err error)

Valid validates the given claims. By default it only validates the time-based claims exp, iat and nbf; there is no accounting for clock skew, and if any of those claims is absent from the token the claims are still considered valid. All of these defaults can be tuned through opts.

func (MapClaims) VerifyAudience

func (m MapClaims) VerifyAudience(cmp string, required bool) (ok bool)

VerifyAudience compares the aud claim against cmp. If required is false, this method will return true if the value matches or is unset

func (MapClaims) VerifyAudienceAll added in v0.2.0

func (m MapClaims) VerifyAudienceAll(cmp []string, required bool) (ok bool)

VerifyAudienceAll compares the aud claim against cmp. If required is false, this method will return true if the value matches or is unset. This variant requires all of the audience values in the cmp.

func (MapClaims) VerifyAudienceAny added in v0.2.0

func (m MapClaims) VerifyAudienceAny(cmp []string, required bool) (ok bool)

VerifyAudienceAny compares the aud claim against cmp. If required is false, this method will return true if the value matches or is unset. This variant requires any of the audience values in the cmp.

func (MapClaims) VerifyExpirationTime added in v0.2.0

func (m MapClaims) VerifyExpirationTime(cmp int64, required bool) (ok bool)

VerifyExpirationTime compares the exp claim against cmp. If required is false, this method will return true if the value matches or is unset

func (MapClaims) VerifyIssuedAt

func (m MapClaims) VerifyIssuedAt(cmp int64, required bool) (ok bool)

VerifyIssuedAt compares the iat claim against cmp. If required is false, this method will return true if the value matches or is unset

func (MapClaims) VerifyIssuer

func (m MapClaims) VerifyIssuer(cmp string, required bool) (ok bool)

VerifyIssuer compares the iss claim against cmp. If required is false, this method will return true if the value matches or is unset

func (MapClaims) VerifyNotBefore

func (m MapClaims) VerifyNotBefore(cmp int64, required bool) (ok bool)

VerifyNotBefore compares the nbf claim against cmp. If required is false, this method will return true if the value matches or is unset

func (MapClaims) VerifySubject added in v0.2.0

func (m MapClaims) VerifySubject(cmp string, required bool) (ok bool)

VerifySubject compares the sub claim against cmp. If required is false, this method will return true if the value matches or is unset.

type Mapper

// Mapper is the interface used internally to map key-value pairs; JARMClaims and JWTClaims provide these methods
// over their Extra field, and it is also the type accepted by WithHeaders and WithHeadersJWE.
type Mapper interface {
	// ToMap returns the key-value pairs as a map.
	ToMap() map[string]any
	// Add stores value under key.
	Add(key string, value any)
	// Get returns the value stored under key.
	Get(key string) any
}

Mapper is the interface used internally to map key-value pairs

type NumericDate added in v0.2.0

// NumericDate wraps time.Time for JWT date claims (iat, exp, nbf). Int64 renders it as a UTC Unix-epoch number
// truncated to TimePrecision, and MarshalJSON/UnmarshalJSON convert to and from that JSON form.
type NumericDate struct {
	time.Time
}

func NewNumericDate added in v0.2.0

func NewNumericDate(t time.Time) *NumericDate

func Now added in v0.2.0

func Now() *NumericDate

func (*NumericDate) Int64 added in v0.2.0

func (date *NumericDate) Int64() (val int64)

Int64 returns the time value with UTC as the location, truncated with TimePrecision, as the number of seconds since the Unix epoch.

func (NumericDate) MarshalJSON added in v0.2.0

func (date NumericDate) MarshalJSON() (b []byte, err error)

func (*NumericDate) UnmarshalJSON added in v0.2.0

func (date *NumericDate) UnmarshalJSON(b []byte) (err error)

type PrivateKey added in v0.2.0

// PrivateKey properly describes crypto.PrivateKey, which the standard library leaves as an empty interface.
type PrivateKey interface {
	// Public returns the public key corresponding to this private key.
	Public() crypto.PublicKey
	// Equal reports whether x represents the same private key.
	Equal(x crypto.PrivateKey) bool
}

PrivateKey properly describes crypto.PrivateKey.

type Strategy added in v0.2.0

// Strategy encodes and decodes JWTs, as plain JWS or as JWE-wrapped (nested) JWS. It is an interface so that it
// can be mocked; the StrategyOpt values passed to each call carry the client, key functions and algorithm
// restrictions (see the With* constructors).
type Strategy interface {
	// Encode serializes claims as a JWT, either a JWS or a JWE nested JWS, returning the compact token string and
	// its signature component.
	Encode(ctx context.Context, claims Claims, opts ...StrategyOpt) (tokenString string, signature string, err error)

	// Decrypt decrypts a JWE and returns the contained JWS token string, its signature and the parsed JWE; if the
	// provided JWT is already a JWS it is returned as-is (jwe is presumably nil in that case — confirm).
	Decrypt(ctx context.Context, tokenStringEnc string, opts ...StrategyOpt) (tokenString, signature string, jwe *jose.JSONWebEncryption, err error)

	// Decode parses a JWT, performing decryption as well as basic signature validation. With WithAllowUnverified the
	// signature validation is skipped and the returned Token must not be relied upon until Validate has been called
	// on it.
	Decode(ctx context.Context, tokenString string, opts ...StrategyOpt) (token *Token, err error)

	// Validate performs the signature validation step for a Token obtained from Decode without a client while also
	// using WithAllowUnverified.
	Validate(ctx context.Context, token *Token, opts ...StrategyOpt) (err error)
}

Strategy represents the strategy for encoding and decoding JWTs. It is an interface specifically so that it can be mocked; the opts values have very important semantics which are difficult to document.

type StrategyConfig added in v0.2.0

// StrategyConfig supplies the configuration a Strategy needs at runtime.
type StrategyConfig interface {
	// GetJWKSFetcherStrategy returns the JWKS fetcher strategy used to resolve remote key sets.
	GetJWKSFetcherStrategy(ctx context.Context) (strategy JWKSFetcherStrategy)
}

type StrategyOpt added in v0.2.0

// StrategyOpt is a functional option applied to a StrategyOpts before a Strategy call; it returns an error when
// the option cannot be applied. Instances are built with the With* functions (WithClient, WithKeyFunc, ...).
type StrategyOpt func(opts *StrategyOpts) (err error)

func WithAllowUnverified added in v0.2.0

func WithAllowUnverified() StrategyOpt

func WithClient added in v0.2.0

func WithClient(client Client) StrategyOpt

func WithContentEncryption added in v0.2.0

func WithContentEncryption(enc ...jose.ContentEncryption) StrategyOpt

func WithHeaders added in v0.2.0

func WithHeaders(headers Mapper) StrategyOpt

func WithHeadersJWE added in v0.2.0

func WithHeadersJWE(headers Mapper) StrategyOpt

func WithIDTokenClient added in v0.2.0

func WithIDTokenClient(client any) StrategyOpt

func WithIntrospectionClient added in v0.2.0

func WithIntrospectionClient(client any) StrategyOpt

func WithJARClient added in v0.2.0

func WithJARClient(client any) StrategyOpt

func WithJARMClient added in v0.2.0

func WithJARMClient(client any) StrategyOpt

func WithJWTProfileAccessTokenClient added in v0.2.0

func WithJWTProfileAccessTokenClient(client any) StrategyOpt

func WithKeyAlgorithm added in v0.2.0

func WithKeyAlgorithm(algs ...jose.KeyAlgorithm) StrategyOpt

func WithKeyFunc added in v0.2.0

func WithKeyFunc(f KeyFuncJWS) StrategyOpt

func WithKeyFuncJWE added in v0.2.0

func WithKeyFuncJWE(f KeyFuncJWE) StrategyOpt

func WithSigAlgorithm added in v0.2.0

func WithSigAlgorithm(algs ...jose.SignatureAlgorithm) StrategyOpt

func WithStatelessJWTProfileIntrospectionClient added in v0.2.0

func WithStatelessJWTProfileIntrospectionClient(client any) StrategyOpt

func WithUserInfoClient added in v0.2.0

func WithUserInfoClient(client any) StrategyOpt

type StrategyOpts added in v0.2.0

// StrategyOpts is the option state populated by StrategyOpt functions for a single Strategy call. All of its
// fields are unexported; it is configured only through the With* constructors.
type StrategyOpts struct {
	// contains filtered or unexported fields
}

type Token

// Token represents a JWT, with separate header parameters for its JWS and (optional) JWE layers. SetJWS and SetJWE
// populate the respective groups of fields, and AssignJWE fills the JWE values after decryption.
type Token struct {
	// KeyID is the key identifier (kid) of the JWS layer.
	KeyID                string
	SignatureAlgorithm   jose.SignatureAlgorithm // alg (JWS)
	// EncryptionKeyID is the key identifier (kid) of the JWE layer.
	EncryptionKeyID      string
	KeyAlgorithm         jose.KeyAlgorithm         // alg (JWE)
	ContentEncryption    jose.ContentEncryption    // enc (JWE)
	CompressionAlgorithm jose.CompressionAlgorithm // zip (JWE)

	// Header holds the JWS header parameters; HeaderJWE holds the JWE header parameters (see SetJWS / SetJWE).
	Header    map[string]any
	HeaderJWE map[string]any

	// Claims is the token's claim set. Whether it has been verified is tracked in unexported state; see
	// IsSignatureValid.
	Claims Claims
	// contains filtered or unexported fields
}

Token represents a JWT Token.

func New added in v0.2.0

func New() *Token

New returns a new Token.

func NewWithClaims

func NewWithClaims(alg jose.SignatureAlgorithm, claims MapClaims) *Token

NewWithClaims creates an unverified Token with the given claims and signing method

func Parse

func Parse(tokenString string, keyFunc Keyfunc) (*Token, error)

Parse is an overload for ParseCustom which accepts all normal algs including 'none'.

func ParseCustom

func ParseCustom(tokenString string, keyFunc Keyfunc, algs ...jose.SignatureAlgorithm) (token *Token, err error)

ParseCustom parses, validates, and returns a token. The keyFunc will receive the parsed token and should return the key for validating. If everything is kosher, err will be nil.

func ParseCustomWithClaims

func ParseCustomWithClaims(tokenString string, claims MapClaims, keyFunc Keyfunc, algs ...jose.SignatureAlgorithm) (token *Token, err error)

ParseCustomWithClaims parses, validates, and returns a token with its respective claims. The keyFunc will receive the parsed token and should return the key for validating. If everything is kosher, err will be nil.

func ParseWithClaims

func ParseWithClaims(tokenString string, claims MapClaims, keyFunc Keyfunc) (token *Token, err error)

ParseWithClaims is an overload for ParseCustomWithClaims which accepts all normal algs including 'none'.

func (*Token) AssignJWE added in v0.2.0

func (t *Token) AssignJWE(jwe *jose.JSONWebEncryption)

AssignJWE assigns values derived from the JWE decryption process to the Token.

func (*Token) CompactEncrypted added in v0.2.0

func (t *Token) CompactEncrypted(keySig, keyEnc any) (tokenString, signature string, err error)

CompactEncrypted serializes this token as a Compact Encrypted string, and returns the token string, signature, and an error if one occurred.

func (*Token) CompactSigned added in v0.2.0

func (t *Token) CompactSigned(k any) (tokenString, signature string, err error)

CompactSigned serializes this token as a Compact Signed string, and returns the token string, signature, and an error if one occurred.

func (*Token) CompactSignedString added in v0.2.0

func (t *Token) CompactSignedString(k any) (tokenString string, err error)

CompactSignedString provides a compatible `jwt-go` Token.CompactSigned method

> Get the complete, signed token

func (*Token) IsJWTProfileAccessToken added in v0.2.0

func (t *Token) IsJWTProfileAccessToken() (ok bool)

IsJWTProfileAccessToken returns true if the token is a JWT Profile Access Token.

func (*Token) IsSignatureValid added in v0.2.0

func (t *Token) IsSignatureValid() bool

IsSignatureValid reports whether the token was verified against a given verification key and its claims are valid.

func (*Token) SetJWE added in v0.2.0

func (t *Token) SetJWE(header Mapper, kid string, alg jose.KeyAlgorithm, enc jose.ContentEncryption, zip jose.CompressionAlgorithm)

SetJWE sets the JWE output values.

func (*Token) SetJWS added in v0.2.0

func (t *Token) SetJWS(header Mapper, claims Claims, kid string, alg jose.SignatureAlgorithm)

SetJWS sets the JWS output values.

func (*Token) Valid

func (t *Token) Valid(opts ...HeaderValidationOption) (err error)

Valid validates the token headers given various input options. This does not validate any claims.

type UserInfoClient added in v0.2.0

// UserInfoClient represents a client whose UserInfo Responses may be signed and/or encrypted. Its accessors mirror
// the corresponding client metadata values and select the key identifiers and algorithms to use.
type UserInfoClient interface {
	// GetUserinfoSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements of the User
	// Info specifications. If unspecified the other available parameters will be utilized to select an appropriate
	// key.
	GetUserinfoSignedResponseKeyID() (kid string)

	// GetUserinfoSignedResponseAlg is equivalent to the 'userinfo_signed_response_alg' client metadata value which
	// determines the JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the
	// response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo
	// Response to return the Claims as a UTF-8 [RFC3629] encoded JSON object using the application/json content-type.
	GetUserinfoSignedResponseAlg() (alg string)

	// GetUserinfoEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements of the
	// User Info specifications. If unspecified the other available parameters will be utilized to select an appropriate
	// key.
	GetUserinfoEncryptedResponseKeyID() (kid string)

	// GetUserinfoEncryptedResponseAlg is equivalent to the 'userinfo_encrypted_response_alg' client metadata value
	// which determines the JWE alg algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If this is requested,
	// the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The
	// default, if omitted, is that no encryption is performed.
	GetUserinfoEncryptedResponseAlg() (alg string)

	// GetUserinfoEncryptedResponseEnc is equivalent to the 'userinfo_encrypted_response_enc' client metadata value
	// which determines the JWE enc algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If
	// userinfo_encrypted_response_alg is specified, the default userinfo_encrypted_response_enc value is A128CBC-HS256.
	// When userinfo_encrypted_response_enc is included, userinfo_encrypted_response_alg MUST also be provided.
	GetUserinfoEncryptedResponseEnc() (enc string)

	BaseClient
}

type ValidationError

// ValidationError is the error returned by Parse when a token is not valid. Errors is a bitfield of the
// ValidationError... constants describing what failed (query it with Has), and Inner carries any error returned by
// an external dependency such as the Keyfunc.
type ValidationError struct {
	Inner  error  // stores the error returned by external dependencies, i.e.: KeyFunc
	Errors uint32 // bitfield.  see ValidationError... constants
	// contains filtered or unexported fields
}

ValidationError is the error implementation returned by Parse when a token is not valid.

func (ValidationError) Error

func (e ValidationError) Error() string

Error implements the error interface for ValidationError.

func (*ValidationError) Has

func (e *ValidationError) Has(verr uint32) bool
