authentication

package
Published: Sep 17, 2024 License: MIT Imports: 27 Imported by: 0

Documentation


Constants

// TlsClientAuth names the mutual-TLS client authentication method; it is one of
// the values an OpenID provider lists under token_endpoint_auth_methods_supported.
const TlsClientAuth = "tls_client_auth"

// PrivateKeyJwt names the signed-JWT client assertion authentication method, as
// advertised under token_endpoint_auth_methods_supported.
const PrivateKeyJwt = "private_key_jwt"

// ClientSecretBasic names HTTP Basic authentication with client_id/client_secret,
// as advertised under token_endpoint_auth_methods_supported.
const ClientSecretBasic = "client_secret_basic"

token_endpoint_auth_methods_supported

// ClientAssertionType is the token request form parameter that names the kind
// of client assertion being presented (RFC 7521 section 4.2).
const ClientAssertionType = "client_assertion_type"

// ClientAssertionTypeValue is the only assertion type this package sends: the
// JWT bearer client assertion type defined by RFC 7523.
const ClientAssertionTypeValue = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
// GrantType is the token request form parameter selecting the OAuth 2.0 grant
// (RFC 6749 section 4.1.3).
const GrantType = "grant_type"

// GrantTypeAuthorizationCode is the grant_type value used when exchanging an
// authorization code for tokens.
const GrantTypeAuthorizationCode = "authorization_code"
// ClientAssertion is the token request form parameter carrying the signed
// client assertion JWT itself; its type is given by ClientAssertionType.
const ClientAssertion = "client_assertion"

Variables

// ErrInvalidSignatureHeader reports that the signature being validated has
// errors in its header.
var ErrInvalidSignatureHeader = errors.New("invalid signature header")

// ErrInvalidSignatureKID reports that a valid KID could not be retrieved from
// a signature during validation.
var ErrInvalidSignatureKID = errors.New("invalid signature KID")

// ErrSignatureCert reports a failure while retrieving the certificate for a
// given KID.
var ErrSignatureCert = errors.New("failed to retrieve certificate")
// SigningMethodPS256 is a PS256 (RSASSA-PSS with SHA-256) signing method that
// pins the PSS salt length to the hash length, as RFC 7518 section 3.5 requires
// for PS256. It reuses the library's SigningMethodRSA but overrides Options so
// the salt length is not left to the library default; see the linked jwt-go
// issue for the interoperability problem this works around.
var SigningMethodPS256 = &jwt.SigningMethodRSAPSS{
	SigningMethodRSA: jwt.SigningMethodPS256.SigningMethodRSA,
	Options: &rsa.PSSOptions{
		// Salt length == hash output length (32 bytes for SHA-256).
		SaltLength: rsa.PSSSaltLengthEqualsHash,
		Hash:       crypto.SHA256,
	},
}

SigningMethodPS256 is a workaround for default PS256 signing parameter issue https://github.com/dgrijalva/jwt-go/issues/285

Functions

func CalcKid

func CalcKid(modulus string) (string, error)

func CalculateClientSecretBasicToken

func CalculateClientSecretBasicToken(clientID, clientSecret string) (string, error)

CalculateClientSecretBasicToken tests the generation of the `client_secret_basic` value as a product of `client_id` and `client_secret`, as per RFC 7617 (https://tools.ietf.org/html/rfc7617).

func CreateSignature

func CreateSignature(t *jwt.Token, key interface{}, body string, b64encoded bool) (string, error)

CreateSignature gets the complete, signed token for JWS usage. It takes the token object, private key, payload body and a b64encoding indicator, creates the signing string (which includes the token header and payload body), then signs this string using the key provided; the signing algorithm is part of the jwt.Token object.

func DefaultAuthMethod

func DefaultAuthMethod(openIDConfigAuthMethods []string, logger *logrus.Entry) string

func GetB64Encoding

func GetB64Encoding(ctx ContextInterface) (bool, error)

GetB64Encoding returns, based on the API version, whether the TPP signature should use base64 encoding for the payload.

func GetB64Status

func GetB64Status() bool

func GetJWKSUri

func GetJWKSUri() string

func GetKID

func GetKID(ctx ContextInterface, modulus []byte) (string, error)

GetKID determines the value of the JWS Key ID

func GetSignatureToken30

func GetSignatureToken30(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token

GetSignatureToken30 returns the Token for v3.0 versions of the R/W specification. Read/Write Data API Specification - v3.0 Specification: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/641992418/Read+Write+Data+API+Specification+-+v3.0. According to the spec this field `http://openbanking.org.uk/tan` should not be sent in the `x-jws-signature` header.

func GetSignatureToken313Minus

func GetSignatureToken313Minus(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token

GetSignatureToken313Minus returns the Token with correct headers for v3.1.3 and previous versions of the R/W Apis

func GetSignatureToken314Plus

func GetSignatureToken314Plus(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token

GetSignatureToken314Plus returns the Token with correct headers for v3.1.4 and above of the R/W Apis

func GetSigningAlg

func GetSigningAlg(alg string) (jwt.SigningMethod, error)

func JWSVerify

func JWSVerify(buf string, alg jwa.SignatureAlgorithm, key interface{}, b64 bool) (ret []byte, err error)

JWSVerify checks if the given JWS message is verifiable using `alg` and `key`. If the verification is successful, `err` is nil, and the content of the payload that was signed is returned.

func ModifyJWSHeaders

func ModifyJWSHeaders(jws string, ctx ContextInterface, opts ...JWSHeaderOpt) (string, error)

ModifyJWSHeaders allows the caller to mutate an existing JWS for testing purposes; the result is re-signed with the new contents.

func NewJWSSignature

func NewJWSSignature(requestBody string, ctx ContextInterface, alg jwt.SigningMethod) (string, error)

NewJWSSignature creates a signature to be used with TPP API calls

func PSUURLGenerate

func PSUURLGenerate(claims PSUConsentClaims) (*url.URL, error)

PSUURLGenerate generates a PSU Consent URL based on claims

func SigningString

func SigningString(t *jwt.Token, body string, b64encoded bool) (string, error)

SigningString takes the token, body string and b64 indicator. If b64encoded=true it base64url-encodes the payload string as part of the string to be signed; if b64encoded=false it includes the payload unencoded (unmodified) in the string to be signed.

func SplitJWSWithBody

func SplitJWSWithBody(token string) string

func SuiteSupportedAuthMethodsMostSecureFirst

func SuiteSupportedAuthMethodsMostSecureFirst() []string

SuiteSupportedAuthMethodsMostSecureFirst - we have made our own determination of the security offered by each auth method; it is not from a formal definition.

func ValidateSignature

func ValidateSignature(jwtToken, body, jwksURI string, b64 bool) (bool, error)

ValidateSignature takes the signature JWT and extracts the kid to lookup the public key in the JWKS

func ValidateSignatureHeader

func ValidateSignatureHeader(token string, b64 bool) error

ValidateSignatureHeader takes a token and performs the header validation taking the b64 parameter value in consideration.

Types

type CachedOpenIdConfigGetter

// CachedOpenIdConfigGetter retrieves OpenID Connect discovery documents
// (see OpenIDConfiguration). Its fields are unexported; the name suggests
// results are cached between calls, but that is not visible here (TODO confirm).
// Construct it with NewOpenIdConfigGetter rather than as a zero value.
type CachedOpenIdConfigGetter struct {
	// contains filtered or unexported fields
}

func NewOpenIdConfigGetter

func NewOpenIdConfigGetter() *CachedOpenIdConfigGetter

func (CachedOpenIdConfigGetter) Get

type Certificate

// Certificate exposes the key material this package uses for TLS client
// authentication and for signing or verifying JWS messages. Obtain one with
// NewCertificate (public and private key) or NewPublicCertificate (public key
// only, e.g. an ASPSP certificate used to check signatures).
type Certificate interface {
	// PublicKey returns the RSA public key.
	PublicKey() *rsa.PublicKey
	// PrivateKey returns the RSA private key. For a Certificate built by
	// NewPublicCertificate no private key was supplied, so callers should
	// expect nil in that case (NOTE(review): confirm against the implementation).
	PrivateKey() *rsa.PrivateKey
	// TLSCert returns the certificate in the form crypto/tls expects.
	TLSCert() tls.Certificate
	// DN returns three components of the certificate's distinguished name,
	// or an error; which components is not documented here (TODO confirm).
	DN() (string, string, string, error)
	// SignatureIssuer returns the issuer value used in JWS headers. The
	// meaning of the bool parameter is not documented on this page
	// (TODO confirm; presumably it selects between API-version-specific formats).
	SignatureIssuer(bool) (string, error)
}

Certificate - interface over a certificate's key material; create a new Certificate with NewCertificate.

func NewCertificate

func NewCertificate(publicKeyPem, privateKeyPem string) (Certificate, error)

NewCertificate - create new Certificate.

Parameters:

* publicKeyPem = PEM encoded public key.
* privateKeyPem = PEM encoded private key.

Returns Certificate, or nil with error set if something is invalid.

func NewPublicCertificate

func NewPublicCertificate(publicKeyPem string) (Certificate, error)

NewPublicCertificate creates a Certificate from only the public key, for the case of the ASPSP public certificate used to validate signatures.

func SigningCertFromContext

func SigningCertFromContext(ctx ContextInterface) (Certificate, error)

type ContextInterface

// ContextInterface is the subset of the test context this package reads. It
// exists to avoid a cyclic dependency on model.Context; any type offering
// these three lookups satisfies it.
type ContextInterface interface {
	// GetString returns the string value associated with key, or an error.
	GetString(key string) (string, error)
	// Get returns the raw value for key from the Context map and whether it
	// was present - currently assumes the value converts easily to a string!
	Get(key string) (interface{}, bool)
	// GetStringSlice returns the []string value associated with key, or an error.
	GetStringSlice(key string) ([]string, error)
}

ContextInterface - avoids a cyclic dependency on `model.Context`.

type JWK

// JWK is one entry in a JWKS, a JSON Web Key as described by RFC 7517 (and
// RFC 7518 for the RSA parameters). Only the members this package needs are
// modelled; every field is optional on the wire (omitempty). A JWK is fetched
// from a remote JWKS endpoint, so its contents are untrusted input until the
// key has been matched and validated.
type JWK struct {
	// Alg is the algorithm the key is intended for (e.g. "PS256").
	Alg string `json:"alg,omitempty"`
	// Kty is the key type ("RSA" for the keys this package handles).
	Kty string `json:"kty,omitempty"`
	// X5c is the X.509 certificate chain, base64-encoded DER, leaf first.
	X5c []string `json:"x5c,omitempty"`
	// N is the RSA modulus, base64url-encoded.
	N string `json:"n,omitempty"`
	// E is the RSA public exponent, base64url-encoded.
	E string `json:"e,omitempty"`
	// Kid is the key identifier used to select this key from the set.
	Kid string `json:"kid,omitempty"`
	// X5t is the SHA-1 thumbprint of the X.509 certificate.
	X5t string `json:"x5t,omitempty"`
	// X5u is a URL pointing at the X.509 certificate; NOTE(review): a URL
	// supplied by the key set must not be fetched or trusted blindly.
	X5u string `json:"x5u,omitempty"`
	// Use is the intended public key use ("sig" or "enc").
	Use string `json:"use,omitempty"`
}

JWK is one entry in a JWKS

type JWKS

// JWKS is a JSON Web Key Set (RFC 7517 section 5) as served from an
// OpenIDConfiguration's jwks_uri.
type JWKS struct {
	// Keys holds the set's entries. There is no json tag, so encoding/json
	// matches the wire name "keys" case-insensitively on decode and emits
	// "Keys" on encode.
	Keys []JWK
}

JWKS is a JSON Web Key Set

type JWSHeaderOpt

// JWSHeaderOpt transforms a JWS header map and returns the result; options are
// applied in order by ModifyJWSHeaders. See RemoveJWSHeader and SetJWSHeader.
type JWSHeaderOpt func(map[string]interface{}) map[string]interface{}

JWSHeaderOpt is a function signature which is used for altering JWS header when passed to ModifyJWSHeaders

func RemoveJWSHeader

func RemoveJWSHeader(removed []string) JWSHeaderOpt

RemoveJWSHeader provides an option which modifies an existing JWT by deleting specified keys from its header.

func SetJWSHeader

func SetJWSHeader(entries map[string]interface{}) JWSHeaderOpt

SetJWSHeader provides an option which modifies an existing JWT by setting specified keys on its header.

type OpenIDConfiguration

// OpenIDConfiguration is the subset of the OpenID Connect discovery document
// (https://openid.net/specs/openid-connect-discovery-1_0.html) that this
// package reads; it is obtained from /.well-known/openid-configuration.
// Every field is optional on the wire (omitempty).
type OpenIDConfiguration struct {
	// TokenEndpoint is the URL of the OAuth 2.0 token endpoint.
	TokenEndpoint string `json:"token_endpoint,omitempty"`
	// TokenEndpointAuthMethodsSupported lists the client authentication
	// methods the token endpoint accepts; see TlsClientAuth, PrivateKeyJwt
	// and ClientSecretBasic.
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
	// RequestObjectSigningAlgValuesSupported lists the JWS algorithms the
	// provider accepts for request objects.
	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`
	// AuthorizationEndpoint is the URL of the OAuth 2.0 authorization endpoint.
	AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`
	// Issuer is the provider's issuer identifier URL.
	Issuer string `json:"issuer,omitempty"`
	// ResponseTypesSupported lists the supported OAuth 2.0 response_type values.
	ResponseTypesSupported []string `json:"response_types_supported,omitempty"`
	// AcrValuesSupported lists the supported Authentication Context Class References.
	AcrValuesSupported []string `json:"acr_values_supported,omitempty"`
	// JwksURI is the URL of the provider's JSON Web Key Set (see JWKS).
	JwksURI string `json:"jwks_uri,omitempty"`
}

OpenIDConfiguration - the OpenID Connect discovery document retrieved by calling /.well-known/openid-configuration. See https://openid.net/specs/openid-connect-discovery-1_0.html.

type PSUConsentClaims

// PSUConsentClaims carries the values PSUURLGenerate needs to build a PSU
// consent (authorization) URL. The example values in the field comments
// are illustrative, taken from the original comments.
type PSUConsentClaims struct {
	// AuthorizationEndpoint is the provider's authorization endpoint URL.
	AuthorizationEndpoint string
	Aud                   string // Audience
	Iss                   string // ClientID
	ResponseType          string // e.g. "code id_token"
	Scope                 string // e.g. "openid accounts"
	// RedirectURI is the redirect_uri the authorization response is sent to.
	RedirectURI string
	// ConsentId identifies the consent being authorized.
	ConsentId string
	State     string // e.g. {test_id}
}
