Documentation ¶
Index ¶
- Variables
- func KeySelectorFirst(multiJWKS *MultipleJWKS, token *jwt.Token) (key interface{}, err error)
- func NewGivenKeysFromJSON(jwksBytes json.RawMessage) (map[string]GivenKey, error)
- func ResponseExtractorStatusAny(ctx context.Context, resp *http.Response) (json.RawMessage, error)
- func ResponseExtractorStatusOK(ctx context.Context, resp *http.Response) (json.RawMessage, error)
- type ErrorHandler
- type GivenKey
- func NewGivenCustom(key interface{}, options GivenKeyOptions) (givenKey GivenKey)
- func NewGivenECDSA(key *ecdsa.PublicKey, options GivenKeyOptions) (givenKey GivenKey)
- func NewGivenEdDSA(key ed25519.PublicKey, options GivenKeyOptions) (givenKey GivenKey)
- func NewGivenHMAC(key []byte, options GivenKeyOptions) (givenKey GivenKey)
- func NewGivenRSA(key *rsa.PublicKey, options GivenKeyOptions) (givenKey GivenKey)
- type GivenKeyOptions
- type JWKS
- func (j *JWKS) EndBackground()
- func (j *JWKS) KIDs() (kids []string)
- func (j *JWKS) Keyfunc(token *jwt.Token) (interface{}, error)
- func (j *JWKS) Len() int
- func (j *JWKS) RawJWKS() []byte
- func (j *JWKS) ReadOnlyKeys() map[string]interface{}
- func (j *JWKS) Refresh(ctx context.Context, options RefreshOptions) error
- type JWKUse
- type MultipleJWKS
- type MultipleOptions
- type Options
- type RefreshOptions
Constants ¶
This section is empty.
Variables ¶
var ( // ErrJWKAlgMismatch indicates that the given JWK was found, but its "alg" parameter's value did not match that of // the JWT. ErrJWKAlgMismatch = errors.New(`the given JWK was found, but its "alg" parameter's value did not match the expected algorithm`) // ErrJWKUseWhitelist indicates that the given JWK was found, but its "use" parameter's value was not whitelisted. ErrJWKUseWhitelist = errors.New(`the given JWK was found, but its "use" parameter's value was not whitelisted`) // ErrKIDNotFound indicates that the given key ID was not found in the JWKS. ErrKIDNotFound = errors.New("the given key ID was not found in the JWKS") // ErrMissingAssets indicates there are required assets are missing to create a public key. ErrMissingAssets = errors.New("required assets are missing to create a public key") )
var ( // ErrECDSACurve indicates an error with the ECDSA curve. ErrECDSACurve = errors.New("invalid ECDSA curve") )
var ErrInvalidHTTPStatusCode = errors.New("invalid HTTP status code")
ErrInvalidHTTPStatusCode indicates that the HTTP status code is invalid.
var ( // ErrKID indicates that the JWT had an invalid kid. ErrKID = errors.New("the JWT has an invalid kid") )
var ErrMultipleJWKSSize = errors.New("multiple JWKS must have two or more remote JWK Set resources")
ErrMultipleJWKSSize is returned when the number of JWKS given are not enough to make a MultipleJWKS.
var ( // ErrRefreshImpossible is returned when a refresh is attempted on a JWKS that was not created from a remote // resource. ErrRefreshImpossible = errors.New("refresh impossible: JWKS was not created from a remote resource") )
Functions ¶
func KeySelectorFirst ¶
func KeySelectorFirst(multiJWKS *MultipleJWKS, token *jwt.Token) (key interface{}, err error)
KeySelectorFirst returns the first key found in the multiple JWK Sets.
func NewGivenKeysFromJSON ¶
func NewGivenKeysFromJSON(jwksBytes json.RawMessage) (map[string]GivenKey, error)
NewGivenKeysFromJSON parses a raw JSON message into a map of key IDs (`kid`) to GivenKeys. The returned map is suitable for passing to `NewGiven()` or as `Options.GivenKeys` to `Get()`
func ResponseExtractorStatusAny ¶
ResponseExtractorStatusAny is meant to be used as the ResponseExtractor field for Options. It returns the raw JSON from the response body regardless of the response status code.
func ResponseExtractorStatusOK ¶
ResponseExtractorStatusOK is meant to be used as the ResponseExtractor field for Options. It confirms that response status code is 200 OK and returns the raw JSON from the response body.
Types ¶
type ErrorHandler ¶
type ErrorHandler func(err error)
ErrorHandler is a function signature that consumes an error.
type GivenKey ¶
type GivenKey struct {
// contains filtered or unexported fields
}
GivenKey represents a cryptographic key that resides in a JWKS. In conjuncture with Options.
func NewGivenCustom ¶
func NewGivenCustom(key interface{}, options GivenKeyOptions) (givenKey GivenKey)
NewGivenCustom creates a new GivenKey given an untyped variable. The key argument is expected to be a type supported by the jwt package used.
Consider the options carefully as each field may have a security implication.
See the https://pkg.go.dev/github.com/golang-jwt/jwt/v5#RegisterSigningMethod function for registering an unsupported signing method.
func NewGivenECDSA ¶
func NewGivenECDSA(key *ecdsa.PublicKey, options GivenKeyOptions) (givenKey GivenKey)
NewGivenECDSA creates a new GivenKey given an ECDSA public key.
Consider the options carefully as each field may have a security implication.
func NewGivenEdDSA ¶
func NewGivenEdDSA(key ed25519.PublicKey, options GivenKeyOptions) (givenKey GivenKey)
NewGivenEdDSA creates a new GivenKey given an EdDSA public key.
Consider the options carefully as each field may have a security implication.
func NewGivenHMAC ¶
func NewGivenHMAC(key []byte, options GivenKeyOptions) (givenKey GivenKey)
NewGivenHMAC creates a new GivenKey given an HMAC key in a byte slice.
Consider the options carefully as each field may have a security implication.
func NewGivenRSA ¶
func NewGivenRSA(key *rsa.PublicKey, options GivenKeyOptions) (givenKey GivenKey)
NewGivenRSA creates a new GivenKey given an RSA public key.
Consider the options carefully as each field may have a security implication.
type GivenKeyOptions ¶
type GivenKeyOptions struct { // Algorithm is the given key's signing algorithm. Its value will be compared to unverified tokens' "alg" header. // // See RFC 8725 Section 3.1 for details. // https://www.rfc-editor.org/rfc/rfc8725#section-3.1 // // For a list of possible values, please see: // https://www.rfc-editor.org/rfc/rfc7518#section-3.1 // https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms Algorithm string }
GivenKeyOptions represents the configuration options for a GivenKey.
type JWKS ¶
type JWKS struct {
// contains filtered or unexported fields
}
JWKS represents a JSON Web Key Set (JWK Set).
func NewJSON ¶
func NewJSON(jwksBytes json.RawMessage) (jwks *JWKS, err error)
NewJSON creates a new JWKS from a raw JSON message.
func (*JWKS) EndBackground ¶
func (j *JWKS) EndBackground()
EndBackground ends the background goroutine to update the JWKS. It can only happen once and is only effective if the JWKS has a background goroutine refreshing the JWKS keys.
func (*JWKS) Keyfunc ¶
Keyfunc matches the signature of github.com/golang-jwt/jwt/v5's jwt.Keyfunc function.
func (*JWKS) ReadOnlyKeys ¶
ReadOnlyKeys returns a read-only copy of the mapping of key IDs (`kid`) to cryptographic keys.
func (*JWKS) Refresh ¶
func (j *JWKS) Refresh(ctx context.Context, options RefreshOptions) error
Refresh manually refreshes the JWKS with the remote resource. It can bypass the rate limit if configured to do so. This function will return an ErrRefreshImpossible if the JWKS was created from a static source like given keys or raw JSON, because there is no remote resource to refresh from.
This function will block until the refresh is finished or an error occurs.
type JWKUse ¶
type JWKUse string
JWKUse is a set of values for the "use" parameter of a JWK. See https://tools.ietf.org/html/rfc7517#section-4.2.
const ( // UseEncryption is a JWK "use" parameter value indicating the JSON Web Key is to be used for encryption. UseEncryption JWKUse = "enc" // UseOmitted is a JWK "use" parameter value that was not specified or was empty. UseOmitted JWKUse = "" // UseSignature is a JWK "use" parameter value indicating the JSON Web Key is to be used for signatures. UseSignature JWKUse = "sig" )
type MultipleJWKS ¶
type MultipleJWKS struct {
// contains filtered or unexported fields
}
MultipleJWKS manages multiple JWKS and has a field for jwt.Keyfunc.
func GetMultiple ¶
func GetMultiple(multiple map[string]Options, options MultipleOptions) (multiJWKS *MultipleJWKS, err error)
GetMultiple creates a new MultipleJWKS. A map of length two or more JWKS URLs to Options is required.
Be careful when choosing Options for each JWKS in the map. If RefreshUnknownKID is set to true for all JWKS in the map then many refresh requests would take place each time a JWT is processed, this should be rate limited by RefreshRateLimit.
func (*MultipleJWKS) JWKSets ¶
func (m *MultipleJWKS) JWKSets() map[string]*JWKS
JWKSets returns a copy of the map of JWK Sets. The map itself is a copy, but the JWKS are not and should be treated as read-only.
func (*MultipleJWKS) Keyfunc ¶
func (m *MultipleJWKS) Keyfunc(token *jwt.Token) (interface{}, error)
Keyfunc matches the signature of github.com/golang-jwt/jwt/v5's jwt.Keyfunc function.
type MultipleOptions ¶
type MultipleOptions struct { // KeySelector is a function that selects the key to use for a given token. It will be used in the implementation // for jwt.Keyfunc. If implementing this custom selector extract the key ID and algorithm from the token's header. // Use the key ID to select a token and confirm the key's algorithm before returning it. // // This value defaults to KeySelectorFirst. KeySelector func(multiJWKS *MultipleJWKS, token *jwt.Token) (key interface{}, err error) }
MultipleOptions is used to configure the behavior when multiple JWKS are used by MultipleJWKS.
type Options ¶
type Options struct { // Client is the HTTP client used to get the JWKS via HTTP. Client *http.Client // Ctx is the context for the keyfunc's background refresh. When the context expires or is canceled, the background // goroutine will end. Ctx context.Context // GivenKeys is a map of JWT key IDs, `kid`, to their given keys. If the JWKS has a background refresh goroutine, // these values persist across JWKS refreshes. By default, if the remote JWKS resource contains a key with the same // `kid` any given keys with the same `kid` will be overwritten by the keys from the remote JWKS. Use the // GivenKIDOverride option to flip this behavior. GivenKeys map[string]GivenKey // GivenKIDOverride will make a GivenKey override any keys with the same ID (`kid`) in the remote JWKS. The is only // effectual if GivenKeys is provided. GivenKIDOverride bool // JWKUseWhitelist is a whitelist of JWK `use` parameter values that will restrict what keys can be returned for // jwt.Keyfunc. The assumption is that jwt.Keyfunc is only used for JWT signature verification. // The default behavior is to only return a JWK if its `use` parameter has the value `"sig"`, an empty string, or if // the parameter was omitted entirely. JWKUseWhitelist []JWKUse // JWKUseNoWhitelist overrides the JWKUseWhitelist field and its default behavior. If set to true, all JWKs will be // returned regardless of their `use` parameter value. JWKUseNoWhitelist bool // RefreshErrorHandler is a function that consumes errors that happen during a JWKS refresh. This is only effectual // if a background refresh goroutine is active. RefreshErrorHandler ErrorHandler // RefreshInterval is the duration to refresh the JWKS in the background via a new HTTP request. If this is not zero, // then a background goroutine will be used to refresh the JWKS once per the given interval. Make sure to call the // JWKS.EndBackground method to end this goroutine when it's no longer needed. RefreshInterval time.Duration // RefreshRateLimit limits the rate at which refresh requests are granted. Only one refresh request can be queued // at a time any refresh requests received while there is already a queue are ignored. It does not make sense to // have RefreshInterval's value shorter than this. RefreshRateLimit time.Duration // RefreshTimeout is the duration for the context timeout used to create the HTTP request for a refresh of the JWKS. // This defaults to one minute. This is used for the HTTP request and any background goroutine refreshes. RefreshTimeout time.Duration // RefreshUnknownKID indicates that the JWKS refresh request will occur every time a kid that isn't cached is seen. // This is done through a background goroutine. Without specifying a RefreshInterval a malicious client could // self-sign X JWTs, send them to this service, then cause potentially high network usage proportional to X. Make // sure to call the JWKS.EndBackground method to end this goroutine when it's no longer needed. // // It is recommended this option is not used when in MultipleJWKS. This is because KID collisions SHOULD be uncommon // meaning nearly any JWT SHOULD trigger a refresh for the number of JWKS in the MultipleJWKS minus one. RefreshUnknownKID bool // RequestFactory creates HTTP requests for the remote JWKS resource located at the given url. For example, an // HTTP header could be added to indicate a User-Agent. RequestFactory func(ctx context.Context, url string) (*http.Request, error) // ResponseExtractor consumes a *http.Response and produces the raw JSON for the JWKS. By default, the // ResponseExtractorStatusOK function is used. The default behavior changed in v1.4.0. ResponseExtractor func(ctx context.Context, resp *http.Response) (json.RawMessage, error) }
Options represents the configuration options for a JWKS.
If either RefreshInterval is non-zero or RefreshUnknownKID is true, then a background goroutine will be launched to refresh the remote JWKS under the specified circumstances.
When using a background refresh goroutine, make sure to use RefreshRateLimit if paired with RefreshUnknownKID. Also make sure to end the background refresh goroutine with the JWKS.EndBackground method when it's no longer needed.
type RefreshOptions ¶
type RefreshOptions struct {
IgnoreRateLimit bool
}
RefreshOptions are used to specify manual refresh behavior.