Documentation
¶
Overview ¶
Package jwtclaim provides claim structs and maps for convenience.
ffjson encoder supported
See README.md for more info. http://self-issued.info/docs/draft-jones-json-web-token.html
Index ¶
- Constants
- Variables
- type HeadSegments
- type Map
- func (m Map) Expires() (exp time.Duration)
- func (m Map) Get(key string) (interface{}, error)
- func (m Map) Keys() []string
- func (m Map) Set(key string, value interface{}) error
- func (m Map) String() string
- func (m Map) Valid() error
- func (m Map) VerifyAudience(cmp string, req bool) bool
- func (m Map) VerifyExpiresAt(cmp int64, req bool) bool
- func (m Map) VerifyIssuedAt(cmp int64, req bool) bool
- func (m Map) VerifyIssuer(cmp string, req bool) bool
- func (m Map) VerifyNotBefore(cmp int64, req bool) bool
- type Standard
- func (s *Standard) Expires() (exp time.Duration)
- func (s *Standard) Get(key string) (interface{}, error)
- func (s *Standard) Keys() []string
- func (s *Standard) Set(key string, value interface{}) (err error)
- func (s *Standard) String() string
- func (s *Standard) Valid() error
- func (s *Standard) VerifyAudience(cmp string, req bool) bool
- func (s *Standard) VerifyExpiresAt(cmp int64, req bool) bool
- func (s *Standard) VerifyIssuedAt(cmp int64, req bool) bool
- func (s *Standard) VerifyIssuer(cmp string, req bool) bool
- func (s *Standard) VerifyNotBefore(cmp int64, req bool) bool
- type Store
Constants ¶
const ( KeyAudience = "aud" KeyExpiresAt = "exp" KeyID = "jti" KeyIssuedAt = "iat" KeyIssuer = "iss" KeyNotBefore = "nbf" KeySubject = "sub" KeyTimeSkew = "skew" // not marshalled, internal usage. )
Key constants define the main claims used for Set() and Get() functions. Those constants are implemented in the StandardClaims type.
const ( HeaderAlg = "alg" HeaderTyp = "typ" )
Header constants define the main headers used for Set() and Get() functions. Those constants are implemented in the HeaderSegments type. TODO(cs) add more constants
const ( KeyStore = "store" KeyUserID = "userid" )
Key.... are available claims in struct Store. KeyStore is equal to github.com/corestoreio/pkg/store/storenet.ParamName
const ContentTypeJWT = `JWT`
ContentTypeJWT defines the content type of a token. At the moment only JWT is supported. JWE may be added in the future JSON Web Encryption (JWE). https://tools.ietf.org/html/rfc7519
Variables ¶
var TimeFunc = time.Now
TimeFunc provides the current time when parsing token to validate "exp" claim (expiration time). You can override it to use another time value. This is useful for testing or if your server uses a different time zone than your tokens.
Functions ¶
This section is empty.
Types ¶
type HeadSegments ¶
type HeadSegments struct {
// Alg (algorithm) header parameter identifies the cryptographic algorithm
// used to secure the JWT. A list of reserved alg values is in Table 4. The
// processing of the "alg" (algorithm) header parameter, if present,
// requires that the value of the "alg" header parameter MUST be one that is
// both supported and for which there exists a key for use with that
// algorithm associated with the issuer of the JWT. This header parameter is
// REQUIRED.
Algorithm string `json:"alg,omitempty"`
// Typ (type) header parameter is used to declare that this data structure
// is a JWT. If a "typ" parameter is present, it is RECOMMENDED that its
// value be "JWT". This header parameter is OPTIONAL.
Type string `json:"typ,omitempty"`
// JKU (JSON Key URL) header parameter is a URL that points to JSON-encoded
// public key certificates that can be used to validate the signature. The
// specification for this encoding is TBD. This header parameter is
// OPTIONAL.
JKU string `json:"jku,omitempty"`
// KID (key ID) header parameter is a hint indicating which specific key
// owned by the signer should be used to validate the signature. This allows
// signers to explicitly signal a change of key to recipients. Omitting this
// parameter is equivalent to setting it to an empty string. The
// interpretation of the contents of the "kid" parameter is unspecified.
// This header parameter is OPTIONAL.
KID string `json:"kid,omitempty"`
// X5U (X.509 URL) header parameter is a URL that points to an X.509 public
// key certificate that can be used to validate the signature. This
// certificate MUST conform to RFC 5280 [RFC5280]. This header parameter is
// OPTIONAL.
X5U string `json:"x5u,omitempty"`
// X5T (x.509 certificate thumbprint) header parameter provides a base64url
// encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an
// X.509 certificate that can be used to match a certificate. This header
// parameter is OPTIONAL.
X5T string `json:"x5t,omitempty"`
}
HeadSegments represents a structured version of Header Section, as referenced at http://self-issued.info/docs/draft-jones-json-web-token-01.html#anchor5
func NewHeadSegments ¶
func NewHeadSegments(alg ...string) *HeadSegments
NewHeadSegments creates a new header with an optional algorithm. Algorithm may be set later depending on the signing method.
func (*HeadSegments) Alg ¶
func (s *HeadSegments) Alg() string
Alg returns the underlying algorithm.
func (*HeadSegments) Get ¶
func (s *HeadSegments) Get(key string) (value string, err error)
Get returns a value or nil or an error. Key must be one of the constants Header*. Error behaviour: NotSupported.
func (*HeadSegments) Set ¶
func (s *HeadSegments) Set(key, value string) (err error)
Set sets a value. Key must be one of the constants Header*. Error behaviour: NotSupported
type Map ¶
type Map map[string]interface{}
Map default type for the Claim field in a token. Slowest but most flexible type. For speed, use a custom struct type with embedding StandardClaims and generated en-/decoder.
func (Map) Valid ¶
Validates time based claims "exp, iat, nbf". There is no accounting for clock skew. As well, if any of the above claims are not in the token, it will still be considered a valid claim.
func (Map) VerifyAudience ¶
VerifyAudience compares the aud claim against cmp. If required is false, this method will return true if the value matches or is unset
func (Map) VerifyExpiresAt ¶
Compares the exp claim against cmp. If required is false, this method will return true if the value matches or is unset
func (Map) VerifyIssuedAt ¶
Compares the iat claim against cmp. If required is false, this method will return true if the value matches or is unset.
func (Map) VerifyIssuer ¶
Compares the iss claim against cmp. If required is false, this method will return true if the value matches or is unset.
type Standard ¶
type Standard struct {
// TimeSkew duration of time skew we allow between signer and verifier.
TimeSkew time.Duration `json:"-"`
// Audience claim identifies the recipients that the JWT is intended for.
// Each principal intended to process the JWT MUST identify itself with a
// value in the audience claim. If the principal processing the claim does
// not identify itself with a value in the "aud" claim when this claim is
// present, then the JWT MUST be rejected. In the general case, the "aud"
// value is an array of case- sensitive strings, each containing a
// StringOrURI value. In the special case when the JWT has one audience,
// the "aud" value MAY be a single case-sensitive string containing a
// StringOrURI value. The interpretation of audience values is generally
// application specific. Use of this claim is OPTIONAL.
Audience string `json:"aud,omitempty"`
// ExpiresAt claim identifies the expiration time on or after which the JWT
// MUST NOT be accepted for processing. The processing of the "exp" claim
// requires that the current date/time MUST be before the expiration
// date/time listed in the "exp" claim. Implementers MAY provide for some
// small leeway, usually no more than a few minutes, to account for clock
// skew. Its value MUST be a number containing a NumericDate value. Use of
// this claim is OPTIONAL.
ExpiresAt int64 `json:"exp,omitempty"`
// ID claim provides a unique identifier for the JWT. The identifier value
// MUST be assigned in a manner that ensures that there is a negligible
// probability that the same value will be accidentally assigned to a
// different data object; if the application uses multiple issuers,
// collisions MUST be prevented among values produced by different issuers
// as well. The "jti" claim can be used to prevent the JWT from being
// replayed. The "jti" value is a case- sensitive string. Use of this
// claim is OPTIONAL.
ID string `json:"jti,omitempty"`
// IssuedAt claim identifies the time at which the JWT was issued. This
// claim can be used to determine the age of the JWT. Its value MUST be a
// number containing a NumericDate value. Use of this claim is OPTIONAL.
IssuedAt int64 `json:"iat,omitempty"`
// Issuer claim identifies the principal that issued the JWT. The
// processing of this claim is generally application specific. The "iss"
// value is a case-sensitive string containing a StringOrURI value. Use of
// this claim is OPTIONAL.
Issuer string `json:"iss,omitempty"`
// NotBefore claim identifies the time before which the JWT MUST NOT be
// accepted for processing. The processing of the "nbf" claim requires that
// the current date/time MUST be after or equal to the not-before date/time
// listed in the "nbf" claim. Implementers MAY provide for some small
// leeway, usually no more than a few minutes, to account for clock skew.
// Its value MUST be a number containing a NumericDate value. Use of this
// claim is OPTIONAL.
NotBefore int64 `json:"nbf,omitempty"`
// Subject claim identifies the principal that is the subject of the JWT.
// The claims in a JWT are normally statements about the subject. The
// subject value MUST either be scoped to be locally unique in the context
// of the issuer or be globally unique. The processing of this claim is
// generally application specific. The "sub" value is a case-sensitive
// string containing a StringOrURI value. Use of this claim is OPTIONAL.
Subject string `json:"sub,omitempty"`
}
Standard represents a structured version of Claims Section, as referenced at https://tools.ietf.org/html/rfc7519#section-4.1
func (*Standard) Get ¶
Get returns a value or nil or an error. Key must be one of the constants Claim*. Error behaviour: NotSupported
func (*Standard) Set ¶
Set sets a value. Key must be one of the constants Claim*. Error behaviour: NotSupported, NotValid
func (*Standard) Valid ¶
Valid validates time based claims "exp, iat, nbf". There is no accounting for clock skew. As well, if any of the above claims are not in the token, it will still be considered a valid claim. Error behaviour: NotValid
func (*Standard) VerifyAudience ¶
VerifyAudience compares the aud claim against cmp. If required is false, this method will return true if the value matches or is unset.
func (*Standard) VerifyExpiresAt ¶
VerifyExpiresAt compares the exp claim against cmp. If required is false, this method will return true if the value matches or is unset.
func (*Standard) VerifyIssuedAt ¶
VerifyIssuedAt compares the iat claim against cmp. If required is false, this method will return true if the value matches or is unset.
func (*Standard) VerifyIssuer ¶
VerifyIssuer compares the iss claim against cmp. If required is false, this method will return true if the value matches or is unset.
type Store ¶
type Store struct {
Standard
Store string `json:"store,omitempty"`
// UserID add here any user ID you might will be but always bear in mind
// that when adding a numeric auto increment ID, like customer_id from the
// MySQL table customer_entity or admin_user you might leak sensitive
// information.
UserID string `json:"userid,omitempty"`
}
Store extends the StandardClaim with important fields for requesting the correct store view, user ID and maybe some more useful fields. This struct is for your convenience.
func NewStore ¶
func NewStore() *Store
NewStore creates a new Store pointer and makes sure that all sub pointer types will also be created.
func (*Store) Get ¶
Get retrieves StoreClaim specific fields and then falls back to the StandardClaims Get function.
Source Files