Documentation ¶
Overview ¶
caddyjwt is a Caddy Module - who facilitates JWT authentication.
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var ( ErrMissingKeys = errors.New("missing sign_key and jwk_url") ErrInvalidPublicKey = errors.New("invalid PEM-formatted public key") ErrInvalidSignAlgorithm = errors.New("invalid sign_alg") ErrInvalidIssuer = errors.New("invalid issuer") ErrInvalidAudience = errors.New("invalid audience") ErrEmptyUserClaim = errors.New("user claim is empty") )
Functions ¶
func ClaimContainsString ¶
ClaimContainsString can be used to check if the claim called `name`, which is expected to be a list of strings, contains `value`. Currently because of the implementation this will probably only work for `aud` fields.
Types ¶
type JWTAuth ¶
type JWTAuth struct { // SignKey is the key used by the signing algorithm to verify the signature. // // For symmetric algorithems, use the key directly. e.g. // // "<secret_key_bytes_in_base64_format>". // // For asymmetric algorithems, use the public key in x509 PEM format. e.g. // // -----BEGIN PUBLIC KEY----- // ... // -----END PUBLIC KEY----- // This is an optional field. You can instead provide JWKURL to use JWKs. SignKey string `json:"sign_key"` // JWKURL is the URL where a provider publishes their JWKs. The URL must // publish the JWKs in the standard format as described in // https://tools.ietf.org/html/rfc7517. // If you'd like to use JWK, set this field and leave SignKey unset. JwkUrls []string `json:"jwk_url"` // SignAlgorithm is the the signing algorithm used. Available values are defined in // https://www.rfc-editor.org/rfc/rfc7518#section-3.1 // This is an optional field, which is used for determining the signing algorithm. // We will try to determine the algorithm automatically from the following sources: // 1. The "alg" field in the JWT header. // 2. The "alg" field in the matched JWK (if JWKURL is provided). // 3. The value set here. SignAlgorithm string `json:"sign_alg"` // FromQuery defines a list of names to get tokens from the query parameters // of an HTTP request. // // If multiple keys were given, all the corresponding query // values will be treated as candidate tokens. And we will verify each of // them until we got a valid one. // // Priority: from_query > from_header > from_cookies. FromQuery []string `json:"from_query"` // FromHeader works like FromQuery. But defines a list of names to get // tokens from the HTTP header. FromHeader []string `json:"from_header"` // FromCookie works like FromQuery. But defines a list of names to get tokens // from the HTTP cookies. FromCookies []string `json:"from_cookies"` // IssuerWhitelist defines a list of issuers. A non-empty list turns on "iss // verification": the "iss" claim must exist in the given JWT payload. And // the value of the "iss" claim must be on the whitelist in order to pass // the verification. IssuerWhitelist []string `json:"issuer_whitelist"` // AudienceWhitelist defines a list of audiences. A non-empty list turns on // "aud verification": the "aud" claim must exist in the given JWT payload. // The verification will pass as long as one of the "aud" values is on the // whitelist. AudienceWhitelist []string `json:"audience_whitelist"` // UserClaims defines a list of names to find the ID of the authenticated user. // // By default, this config will be set to []string{"sub"}. // // If multiple names were given, we will use the first non-empty value of the key // in the JWT payload as the ID of the authenticated user. i.e. The placeholder // {http.auth.user.id} will be set to the ID. // // For example, []string{"uid", "username"} will set "eva" as the final user ID // from JWT payload: { "username": "eva" }. // // If no non-empty values found, leaves it unauthenticated. UserClaims []string `json:"user_claims"` // MetaClaims defines a map to populate {http.auth.user.*} metadata placeholders. // The key is the claim in the JWT payload, the value is the placeholder name. // e.g. {"IsAdmin": "is_admin"} can populate {http.auth.user.is_admin} with // the value of `IsAdmin` in the JWT payload if found, otherwise "". // // NOTE: The name in the placeholder should be adhere to Caddy conventions // (snake_casing). // // Caddyfile: // Use syntax `<claim>[-> <placeholder>]` to define a map item. The placeholder is // optional, if not specified, use the same name as the claim. // e.g. // // meta_claims "IsAdmin -> is_admin" "group" // // is equal to {"IsAdmin": "is_admin", "group": "group"}. // // Since v0.6.0, nested claim path is also supported, e.g. // For the following JWT payload: // // { ..., "user_info": { "role": "admin" }} // // If you want to populate {http.auth.user.role} with "admin", you can use // // meta_claims "user_info.role -> role" // // Use dot notation to access nested claims. MetaClaims map[string]string `json:"meta_claims"` VerifyClaims map[string]string `json:"verify_claims"` // contains filtered or unexported fields }
JWTAuth facilitates JWT (JSON Web Token) authentication.
func (*JWTAuth) Authenticate ¶
Authenticate validates the JWT in the request and returns the user, if valid.
func (JWTAuth) CaddyModule ¶
func (JWTAuth) CaddyModule() caddy.ModuleInfo
CaddyModule implements caddy.Module interface.
func (*JWTAuth) Error ¶
Error implements httprc.ErrSink interface. It is used to log the error message provided by other modules, e.g. jwk.
Click to show internal directories.
Click to hide internal directories.