README
¶
keyfunc
The sole purpose of this package is to provide a
jwt.KeyFunc for the
github.com/dgrijalva/jwt-go package using a JSON Web Key Set (JWKS) for parsing
JSON Web Tokens (JWTs).
It's common for an identity provider, such as Keycloak to expose a JWKS via an HTTPS
endpoint. This package has the ability to consume that JWKS and produce a
jwt.KeyFunc. It is important that a JWKS
endpoint is using HTTPS to ensure the keys are from the correct trusted source.
There are no dependencies other than github.com/dgrijalva/jwt-go for this repository.
Supported Algorithms
It is recommended to only use this package for asymmetric signing keys, If you are using HMAC signing keys, this Go package may be unnecessary as the algorithm is symmetric, meaning the key is pre-shared. In this case a JWKS is likely not be the best solution.
Currently, this package supports JWTs signed with an alg that matches one of the following:
ES256ES384ES512PS256PS384PS512RS256RS384RS512
Additionally, the supported elliptical curve types are below:
P-256P-384P-521
If there are cryptographic algorithms, curve types, or something else already standardized that you'd like supported in this Go package, please open an issue or pull request.
Basic usage
Please also see the examples directory.
import "github.com/chrisUsick/keyfunc"
Step 1: Acquire the JWKS URL (optional)
A JWKS URL is not required, one can be created directly from JSON with the
keyfunc.New function.
// Get the JWKS URL from an environment variable.
jwksURL := os.Getenv("JWKS_URL")
// Confirm the environment variable is not empty.
if jwksURL == "" {
log.Fatalln("JWKS_URL environment variable must be populated.")
}
Step 2: Get the JWKS via HTTP
// Create the JWKS from the resource at the given URL.
jwks, err := keyfunc.Get(jwksURL)
if err != nil {
log.Fatalf("Failed to get the JWKS from the given URL.\nError: %s", err.Error())
}
Additional options can be passed to the keyfunc.Get function
via variadic arguments. See keyfunc.Options.
Step 3: Use the keyfunc.JWKS 's JWKS.KeyFunc method as the jwt.KeyFunc when parsing tokens
// Parse the JWT.
token, err := jwt.Parse(jwtB64, jwks.KeyFunc)
if err != nil {
return nil, fmt.Errorf("failed to parse token: %w", err)
}
The JWKS.KeyFunc method will automatically select
the key with the matching kid (if present) and return its public key as the correct Go type to its caller.
Test coverage
Test coverage is currently at 84.3%.
This is with current and expired JWTs, but the hard coded ones are now expired. Using non-expired JWTs would require signing JWTs during testing and would allow for additional error checking. But a bit overkill since I've already done that error checking when the JWTs were valid with no changes. A PR for this that does not introduce any dependencies is welcome though.
Additional features
- A background refresh of the JWKS keys can be performed. This is possible by passing
keyfunc.Optionsvia a variadic argument to thekeyfunc.Getfunction.- A custom background refresh interval can be specified.
- A custom background refresh request context timeout can be specified. Defaults to one minute.
- A custom background refresh error handling function can be specified. If none is specified, errors go unhandled silently.
- JWTs with a previously unseen
kidcan prompt an automatic refresh of the remote JWKS resource. - A custom HTTP client can be used. This is possible by passing
keyfunc.Optionsvia a variadic argument to thekeyfunc.Getfunction.
TODO
- Add HMAC support?
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ( // ErrKIDNotFound indicates that the given key ID was not found in the JWKS. ErrKIDNotFound = errors.New("the given key ID was not found in the JWKS") // ErrMissingAssets indicates there are required assets missing to create a public key. ErrMissingAssets = errors.New("required assets are missing to create a public key") )
var ( // ErrKID indicates that the JWT had an invalid kid. ErrKID = errors.New("the JWT has an invalid kid") // ErrUnsupportedKeyType indicates the JWT key type is an unsupported type. ErrUnsupportedKeyType = errors.New("the JWT key type is unsupported") )
Functions ¶
This section is empty.
Types ¶
type ErrorHandler ¶
type ErrorHandler func(err error)
ErrorHandler is a function signature that consumes an error.
type JSONKey ¶
type JSONKey struct {
Curve string `json:"crv"`
Exponent string `json:"e"`
ID string `json:"kid"`
Modulus string `json:"n"`
X string `json:"x"`
Y string `json:"y"`
// contains filtered or unexported fields
}
JSONKey represents a raw key inside a JWKS.
type JWKS ¶
JWKS represents a JSON Web Key Set.
func New ¶
func New(jwksBytes json.RawMessage) (jwks *JWKS, err error)
New creates a new JWKS from a raw JSON message.
func (*JWKS) EndBackground ¶
func (j *JWKS) EndBackground()
EndBackground ends the background goroutine to update the JWKs. It can only happen once and is only effective if the JWKS has a background goroutine refreshing the JWKS keys.
type Options ¶
type Options struct {
// Client is the HTTP client used to get the JWKS via HTTP.
Client *http.Client
// RefreshInterval is the duration to refresh the JWKS in the background via a new HTTP request. If this is not nil,
// then a background refresh will be performed in a separate goroutine until the JWKS method EndBackground is
// called.
RefreshInterval *time.Duration
// RefreshTimeout is the duration for the context used to create the HTTP request for a refresh of the JWKS. This
// defaults to one minute. This is only effectual if RefreshInterval is not nil.
RefreshTimeout *time.Duration
// RefreshErrorHandler is a function that consumes errors that happen during a JWKS refresh. This is only effectual
// if RefreshInterval is not nil.
RefreshErrorHandler ErrorHandler
// RefreshUnknownKID indicates that the JWKS should be refreshed via HTTP every time a kid that isn't know is found.
// This means the
RefreshUnknownKID *bool
}
Options represents the configuration options for a JWKS.
Source Files
Directories