Documentation ¶
Index ¶
- Constants
- Variables
- func CalcKid(modulus string) (string, error)
- func CalculateCHash(alg string, code string) (string, error)
- func CalculateClientSecretBasicToken(clientID, clientSecret string) (string, error)
- func CreateSignature(t *jwt.Token, key interface{}, body string, b64encoded bool) (string, error)
- func DefaultAuthMethod(openIDConfigAuthMethods []string, logger *logrus.Entry) string
- func GetB64Encoding(ctx ContextInterface) (bool, error)
- func GetB64Status() bool
- func GetJWKSUri() string
- func GetKID(ctx ContextInterface, modulus []byte) (string, error)
- func GetSignatureToken30(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token
- func GetSignatureToken313Minus(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token
- func GetSignatureToken314Plus(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token
- func GetSigningAlg(alg string) (jwt.SigningMethod, error)
- func JWSVerify(buf string, alg jwa.SignatureAlgorithm, key interface{}, b64 bool) (ret []byte, err error)
- func ModifyJWSHeaders(jws string, ctx ContextInterface, opts ...JWSHeaderOpt) (string, error)
- func NewJWSSignature(requestBody string, ctx ContextInterface, alg jwt.SigningMethod) (string, error)
- func PSUURLGenerate(claims PSUConsentClaims) (*url.URL, error)
- func SigningString(t *jwt.Token, body string, b64encoded bool) (string, error)
- func SplitJWSWithBody(token string) string
- func SuiteSupportedAuthMethodsMostSecureFirst() []string
- func ValidateSignature(jwtToken, body, jwksURI string, b64 bool) (bool, error)
- func ValidateSignatureHeader(token string, b64 bool) error
- type CachedOpenIdConfigGetter
- type Certificate
- type ContextInterface
- type JWK
- type JWKS
- type JWSHeaderOpt
- type OpenIDConfiguration
- type PSUConsentClaims
Constants ¶
// Client authentication methods for the token endpoint, as an authorization
// server advertises them in the `token_endpoint_auth_methods_supported`
// member of its OpenID Connect discovery document (see OpenIDConfiguration).
// The values are the registered OIDC identifiers and must be sent verbatim.
const (
	TlsClientAuth     = "tls_client_auth"
	PrivateKeyJwt     = "private_key_jwt"
	ClientSecretBasic = "client_secret_basic"
)
Token endpoint client authentication methods, as advertised by an authorization server in the `token_endpoint_auth_methods_supported` member of its OpenID Connect discovery document (see OpenIDConfiguration). The string values are the registered identifiers and are sent verbatim.
// ClientAssertionType is the token-request form parameter naming the kind of
// client assertion being presented; ClientAssertionTypeValue is the JWT
// bearer assertion type (RFC 7523 §2.2), i.e. the private_key_jwt method.
const (
	ClientAssertionType      = "client_assertion_type"
	ClientAssertionTypeValue = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
)

// GrantType is the OAuth 2.0 token-request form parameter naming the grant;
// GrantTypeAuthorizationCode selects the authorization code grant (RFC 6749 §4.1.3).
const (
	GrantType                  = "grant_type"
	GrantTypeAuthorizationCode = "authorization_code"
)

// ClientAssertion is the token-request form parameter carrying the signed
// client assertion JWT itself (sent alongside ClientAssertionType).
const (
	ClientAssertion = "client_assertion"
)
Variables ¶
// Sentinel errors reported while validating an incoming JWS. Callers should
// match them with errors.Is so that wrapped errors are still recognised.
var (
	// ErrInvalidSignatureHeader is an error indicating that the signature being validated has errors in the header
	ErrInvalidSignatureHeader = errors.New("invalid signature header")
	// ErrInvalidSignatureKID is returned if a valid KID can not be retrieved from a signature during validation
	ErrInvalidSignatureKID = errors.New("invalid signature KID")
	// ErrSignatureCert is an error indicating a failure during the retrieval of a certificate for a given KID
	// (for example no JWKS entry matches the kid); it does not distinguish a network failure from a missing key.
	ErrSignatureCert = errors.New("failed to retrieve certificate")
)
// SigningMethodPS256 is a workaround for the default PS256 signing-parameter
// issue in jwt-go (https://github.com/dgrijalva/jwt-go/issues/285). RFC 7518
// §3.5 requires RSASSA-PSS signatures to use a salt of the same length as
// the hash output; the library's stock PS256 method does not pin the salt to
// that length, which strict verifiers reject. This variant reuses the
// library's RSA method but fixes SaltLength to rsa.PSSSaltLengthEqualsHash
// with SHA-256. Prefer it over jwt.SigningMethodPS256 wherever PS256
// signatures must interoperate with other implementations.
var SigningMethodPS256 = &jwt.SigningMethodRSAPSS{
	SigningMethodRSA: jwt.SigningMethodPS256.SigningMethodRSA,
	Options: &rsa.PSSOptions{
		SaltLength: rsa.PSSSaltLengthEqualsHash, // RFC 7518: salt length == hash length (32 bytes)
		Hash:       crypto.SHA256,
	},
}
SigningMethodPS256 is a workaround for the default PS256 signing-parameter issue in jwt-go (https://github.com/dgrijalva/jwt-go/issues/285). RFC 7518 §3.5 requires RSASSA-PSS signatures to use a salt of the same length as the hash output; the library's stock PS256 method does not pin the salt to that length, and strict verifiers reject the resulting signatures. This variant keeps the library's RSA method but fixes `SaltLength` to `rsa.PSSSaltLengthEqualsHash` with SHA-256, so it should be used instead of `jwt.SigningMethodPS256` whenever PS256 signatures must interoperate with other implementations.
Functions ¶
func CalculateCHash ¶ added in v1.1.16
CalculateCHash calculates the code hash (c_hash) value as described in section 3.3.2.11 (ID Token) of OpenID Connect Core, https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken: the base64url encoding of the left-most half of the hash of the ASCII octets of `code`, where the hash function is the one underlying the ID Token's JWS `alg` (SHA-256 for both PS256 and ES256, so the result is the first 16 bytes of the SHA-256 digest). The list of valid algorithms is given in https://openid.net/specs/openid-financial-api-part-2.html#jws-algorithm-considerations; at the time of writing it contains "PS256" and "ES256", and an `alg` outside that list is expected to yield an error rather than a hash. See also https://openbanking.atlassian.net/wiki/spaces/DZ/pages/83919096/Open+Banking+Security+Profile+-+Implementer+s+Draft+v1.1.2#OpenBankingSecurityProfile-Implementer'sDraftv1.1.2-Step2:FormtheJOSEHeader
func CalculateClientSecretBasicToken ¶
CalculateClientSecretBasicToken computes the `client_secret_basic` credential, i.e. the HTTP Basic authentication value derived from `client_id` and `client_secret` as per https://tools.ietf.org/html/rfc7617 (base64 of `client_id:client_secret`). Note that RFC 6749 §2.3.1 requires the client_id and client_secret to be form-urlencoded before they are joined; callers whose secrets contain reserved characters should confirm this function does so.
func CreateSignature ¶ added in v1.5.1
CreateSignature returns the complete, signed token for JWS usage. It takes the token object, the private key, the payload body and the b64-encoding indicator, builds the signing string (the token header followed by the payload body, see SigningString) and signs that string with the supplied key. The signing algorithm is the one carried by the jwt.Token object, so the key type must match it (an RSA private key for PS256/RS256).
func DefaultAuthMethod ¶
func GetB64Encoding ¶ added in v1.5.1
func GetB64Encoding(ctx ContextInterface) (bool, error)
GetB64Encoding reports, based on the API version held in ctx, whether the TPP signature should base64url-encode the payload — i.e. the value to use for the RFC 7797 `b64` JWS header parameter.
func GetB64Status ¶ added in v1.5.1
func GetB64Status() bool
func GetJWKSUri ¶ added in v1.5.1
func GetJWKSUri() string
func GetKID ¶ added in v1.1.15
func GetKID(ctx ContextInterface, modulus []byte) (string, error)
GetKID determines the value of the JWS Key ID (`kid` header) for the signing key; `modulus` is the RSA public-key modulus, from which a kid may be derived when none is configured in ctx (see CalcKid).
func GetSignatureToken30 ¶ added in v1.5.1
func GetSignatureToken30(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token
GetSignatureToken30 returns the Token for v3.0 versions of the R/W specification. Read/Write Data API Specification - v3.0 Specification: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/641992418/Read+Write+Data+API+Specification+-+v3.0. According to that spec the trust-anchor header `http://openbanking.org.uk/tan` should not be sent in the `x-jws-signature` header for v3.0, so the trustAnchor argument is not placed in the headers.
func GetSignatureToken313Minus ¶ added in v1.5.1
func GetSignatureToken313Minus(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token
GetSignatureToken313Minus returns the Token with correct headers for v3.1.3 and previous versions of the R/W Apis
func GetSignatureToken314Plus ¶ added in v1.5.1
func GetSignatureToken314Plus(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token
GetSignatureToken314Plus returns the Token with correct headers for v3.1.4 and above of the R/W Apis
func GetSigningAlg ¶ added in v1.1.15
func JWSVerify ¶ added in v1.6.7
func JWSVerify(buf string, alg jwa.SignatureAlgorithm, key interface{}, b64 bool) (ret []byte, err error)
JWSVerify checks whether the given JWS message is verifiable using `alg` and `key`. If verification succeeds, `err` is nil and the content of the payload that was signed is returned (the raw payload when `b64` is false, see RFC 7797). `alg` is deliberately supplied by the caller: it must be the algorithm the caller expects for this key, never one read back from the JWS header, otherwise the classic algorithm-confusion attacks apply (`none`, or an HMAC algorithm verified with the RSA public key as the secret).
func ModifyJWSHeaders ¶ added in v1.6.2
func ModifyJWSHeaders(jws string, ctx ContextInterface, opts ...JWSHeaderOpt) (string, error)
ModifyJWSHeaders lets the caller mutate the header of an existing JWS for testing purposes (e.g. to produce deliberately malformed or unexpected headers) and returns the JWS re-signed over the modified contents.
func NewJWSSignature ¶ added in v1.1.15
func NewJWSSignature(requestBody string, ctx ContextInterface, alg jwt.SigningMethod) (string, error)
NewJWSSignature creates the JWS signature that accompanies TPP API calls: it signs requestBody with alg using the signing certificate obtained from ctx (presumably via SigningCertFromContext), with headers selected for the API version in ctx (see GetSignatureToken30, GetSignatureToken313Minus and GetSignatureToken314Plus).
func PSUURLGenerate ¶
func PSUURLGenerate(claims PSUConsentClaims) (*url.URL, error)
PSUURLGenerate generates a PSU Consent URL based on claims
func SigningString ¶ added in v1.1.15
SigningString builds the string to be signed from the token header and the body, honouring the b64 indicator: if b64encoded is true the payload is base64url-encoded before being appended; if b64encoded is false the payload is included unencoded (unmodified), as for the RFC 7797 `b64` header parameter. Note that with an unencoded payload in compact, non-detached serialization the body must not contain a '.' character, since it would be parsed as a segment separator; confirm that b64=false is only used with detached signatures.
func SplitJWSWithBody ¶ added in v1.1.15
func SuiteSupportedAuthMethodsMostSecureFirst ¶
func SuiteSupportedAuthMethodsMostSecureFirst() []string
SuiteSupportedAuthMethodsMostSecureFirst returns the token-endpoint authentication methods this suite supports, ordered by our own assessment of the security each offers (most secure first). The ordering is a judgement made by the suite, not one taken from a formal definition; in general the asymmetric methods (private_key_jwt, tls_client_auth) are preferred over the shared-secret client_secret_basic.
func ValidateSignature ¶ added in v1.5.1
ValidateSignature takes the signature JWT, extracts the `kid` from its header to look up the matching public key in the JWKS served at jwksURI, and verifies the signature over body (with or without base64url payload encoding according to b64). jwksURI must come from a trusted source — the `jwks_uri` of a TLS-protected discovery document — and never from the token's own `jku`/`x5u` headers, otherwise an attacker can supply the key that verifies their forgery. Callers should also confirm that the selected key's `use`/`alg` agree with the header `alg` they expect before accepting a true result.
func ValidateSignatureHeader ¶ added in v1.5.1
ValidateSignatureHeader takes a token and validates its JWS header, taking the expected `b64` parameter value into consideration (RFC 7797 requires `b64` to be listed in `crit` when it is used, so a mismatch between the header and the b64 argument is an error).
Types ¶
type CachedOpenIdConfigGetter ¶ added in v1.6.4
// CachedOpenIdConfigGetter fetches OpenID Connect discovery documents and
// caches them (presumably keyed by the url passed to Get) so repeated calls
// do not hit the network. Construct it with NewOpenIdConfigGetter. Whether
// cached entries ever expire is not visible here — confirm before relying on
// it to pick up rotated jwks_uri values.
type CachedOpenIdConfigGetter struct {
	// contains filtered or unexported fields
}
func NewOpenIdConfigGetter ¶ added in v1.6.4
func NewOpenIdConfigGetter() *CachedOpenIdConfigGetter
func (CachedOpenIdConfigGetter) Get ¶ added in v1.6.4
func (g CachedOpenIdConfigGetter) Get(url string) (OpenIDConfiguration, error)
type Certificate ¶
// Certificate bundles the key material used by the suite: an RSA key pair,
// the corresponding TLS certificate (presumably presented for mutual TLS /
// tls_client_auth) and identity values derived from the certificate.
// Build one with NewCertificate or, for verification only, NewPublicCertificate.
type Certificate interface {
	// PublicKey returns the RSA public key.
	PublicKey() *rsa.PublicKey
	// PrivateKey returns the RSA private key. A Certificate built from a
	// public key only has none (presumably nil — confirm before dereferencing).
	// Never log or serialise the returned key.
	PrivateKey() *rsa.PrivateKey
	// TLSCert returns the certificate in the form accepted by crypto/tls.
	TLSCert() tls.Certificate
	// DN returns three components of the certificate's distinguished name;
	// which three is not documented here — check the implementation.
	DN() (string, string, string, error)
	// SignatureIssuer returns the issuer value placed in JWS headers; the bool
	// selects between two formats (presumably the per-API-version variants
	// used by the GetSignatureToken* functions — confirm).
	SignatureIssuer(bool) (string, error)
}
Certificate bundles the key material used by the suite: an RSA key pair, the corresponding TLS certificate (presumably presented for mutual TLS / tls_client_auth) and identity values derived from the certificate (DN, SignatureIssuer). Build one with NewCertificate, or with NewPublicCertificate when only verification is needed.
func NewCertificate ¶
func NewCertificate(publicKeyPem, privateKeyPem string) (Certificate, error)
NewCertificate creates a new Certificate from a PEM-encoded public/private key pair.
Parameters: * publicKeyPem=PEM encoded public key. * privateKeyPem=PEM encoded private key.
Returns Certificate, or nil with error set if something is invalid.
func NewPublicCertificate ¶ added in v1.5.1
func NewPublicCertificate(publicKeyPem string) (Certificate, error)
NewPublicCertificate creates a Certificate from only a public key — for example the ASPSP's public certificate used to validate its signatures. The resulting Certificate has no private key, so PrivateKey() must not be relied on (presumably it returns nil; confirm before dereferencing).
func SigningCertFromContext ¶ added in v1.1.15
func SigningCertFromContext(ctx ContextInterface) (Certificate, error)
type ContextInterface ¶ added in v1.1.15
// ContextInterface is the small subset of `model.Context` this package needs;
// it is declared locally to avoid a cyclic import of `model`.
type ContextInterface interface {
	// GetString get the string value associated with key
	GetString(key string) (string, error)
	// Get the key from the Context map - currently assumes value converts easily to a string!
	Get(key string) (interface{}, bool)
	// GetStringSlice returns the value associated with key as a slice of strings.
	GetStringSlice(key string) ([]string, error)
}
ContextInterface is the small subset of `model.Context` that this package needs; it is declared locally to avoid a cyclic import of `model`.
type JWK ¶ added in v1.5.1
// JWK is one key entry in a JWKS (RFC 7517). Only the members this package
// reads are modelled; RSA public keys are carried in N and E. Treat X5u (and
// any X5c chain) as untrusted input from the key set's publisher: do not
// dereference the URL or trust the chain without validating it against a
// trusted anchor.
type JWK struct {
	Alg string   `json:"alg,omitempty"` // algorithm the key is intended for, e.g. "PS256"
	Kty string   `json:"kty,omitempty"` // key type, e.g. "RSA"
	X5c []string `json:"x5c,omitempty"` // X.509 certificate chain, base64 DER, leaf first
	N   string   `json:"n,omitempty"`   // RSA modulus, base64url
	E   string   `json:"e,omitempty"`   // RSA public exponent, base64url
	Kid string   `json:"kid,omitempty"` // key identifier matched against the JWS `kid` header
	X5t string   `json:"x5t,omitempty"` // SHA-1 thumbprint of the certificate
	X5u string   `json:"x5u,omitempty"` // URL of the X.509 certificate chain — untrusted, see above
	Use string   `json:"use,omitempty"` // intended use, "sig" or "enc"
}
JWK is one key entry in a JWKS (RFC 7517); RSA public keys are carried in `n` and `e`, and `kid` is what ValidateSignature matches against the JWS header. `x5u` is a URL and `x5c` a certificate chain supplied by the key set's publisher: neither should be dereferenced or trusted without validating the chain against a trusted anchor.
type JWSHeaderOpt ¶ added in v1.6.2
JWSHeaderOpt is a function signature which is used for altering JWS header when passed to ModifyJWSHeaders
func RemoveJWSHeader ¶ added in v1.6.2
func RemoveJWSHeader(removed []string) JWSHeaderOpt
RemoveJWSHeader provides an option which modifies an existing JWT by deleting specified keys from its header.
func SetJWSHeader ¶ added in v1.6.2
func SetJWSHeader(entries map[string]interface{}) JWSHeaderOpt
SetJWSHeader provides an option which modifies an existing JWT by setting specified keys on its header.
type OpenIDConfiguration ¶
// OpenIDConfiguration is the OpenID Connect discovery document retrieved from
// /.well-known/openid-configuration
// (https://openid.net/specs/openid-connect-discovery-1_0.html). Only the
// members this package uses are modelled. The document should be fetched over
// TLS and its Issuer checked against the expected issuer before any endpoint
// or JwksURI in it is trusted, since everything below is attacker-controlled
// if the fetch is tampered with.
type OpenIDConfiguration struct {
	TokenEndpoint                          string   `json:"token_endpoint,omitempty"`
	TokenEndpointAuthMethodsSupported      []string `json:"token_endpoint_auth_methods_supported,omitempty"` // see TlsClientAuth etc.
	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`
	AuthorizationEndpoint                  string   `json:"authorization_endpoint,omitempty"`
	Issuer                                 string   `json:"issuer,omitempty"`
	ResponseTypesSupported                 []string `json:"response_types_supported,omitempty"`
	AcrValuesSupported                     []string `json:"acr_values_supported,omitempty"`
	JwksURI                                string   `json:"jwks_uri,omitempty"` // where ValidateSignature looks keys up
}
OpenIDConfiguration is the OpenID Connect discovery document retrieved by calling /.well-known/openid-configuration (https://openid.net/specs/openid-connect-discovery-1_0.html); only the members this package uses are modelled. The document should be fetched over TLS and its `issuer` compared with the expected issuer before any of the endpoints or `jwks_uri` it contains are trusted, since a tampered document controls where keys are fetched from.