Documentation
Overview
Package jwkkeys verifies JWTs using keys published at known URLs. It is mostly intended as an internal package, but might be useful to others.
Variables
var ErrKeyNotFound = errors.New("key not found")
ErrKeyNotFound is the error returned by KeySet.Get when the key ID is not found.
var GoogleIssuers = []string{"accounts.google.com", "https://accounts.google.com"}
GoogleIssuers contains the value of the iss field in Google ID tokens. When using Google Sign-In via the JavaScript API, it seems to use accounts.google.com, but when using a service account, it uses https://accounts.google.com. See: https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
Types
type CachedSet
type CachedSet struct {
// contains filtered or unexported fields
}
CachedSet fetches and parses keys from a URL, caching them for as long as permitted. It is safe to be used by multiple Goroutines since all accesses are locked.
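A minimal sketch of the behaviour described for CachedSet, added here as an example and not the package's own code: every access takes one lock, keys are refetched only once the cached copy has expired, and an unknown key ID yields the key-not-found error. The names cachedSet and fetchFunc, the string key values, the injected clock and the choice to fail closed on a fetch error are assumptions; the real type fetches over HTTP and returns *jose.JSONWebKey.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// errKeyNotFound stands in for the package's ErrKeyNotFound.
var errKeyNotFound = errors.New("key not found")

// fetchFunc (hypothetical) replaces the HTTP fetch: it returns keys by ID and
// how long the response may be cached.
type fetchFunc func() (keys map[string]string, ttl time.Duration, err error)

// cachedSet (hypothetical) guards all state with a single mutex.
type cachedSet struct {
	mu      sync.Mutex
	fetch   fetchFunc
	now     func() time.Time // injected clock so expiry can be tested
	keys    map[string]string
	expires time.Time
}

func (c *cachedSet) Get(keyID string) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.keys == nil || !c.now().Before(c.expires) {
		keys, ttl, err := c.fetch()
		if err != nil {
			return "", err // fail closed: expired keys are never used as a fallback
		}
		c.keys, c.expires = keys, c.now().Add(ttl)
	}
	key, ok := c.keys[keyID]
	if !ok {
		return "", errKeyNotFound
	}
	return key, nil
}

func main() {
	c := &cachedSet{now: time.Now, fetch: func() (map[string]string, time.Duration, error) {
		return map[string]string{"kid-1": "constructed-key"}, time.Hour, nil // constructed sample
	}}
	_, err := c.Get("kid-2")
	fmt.Println(errors.Is(err, errKeyNotFound))
}
```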
type GoogleExtraClaims
type GoogleExtraClaims struct {
	// https://developers.google.com/identity/protocols/OpenIDConnect#hd-param
	HostedDomain string `json:"hd,omitempty"`
	Email        string `json:"email,omitempty"`
}
GoogleExtraClaims stores the JSON for Google Sign-In's extra claims that are not included in the basic OpenID claims.
type Set
type Set interface {
	// Get returns the key matching keyID, or an error indicating what happened. Must return
	// ErrKeyNotFound if the key does not exist.
	Get(keyID string) (*jose.JSONWebKey, error)
}
Set retrieves keys in JWK format to validate tokens.
type ValidatedGoogleToken
type ValidatedGoogleToken struct {
	// The raw token that was validated.
	IDToken string
	// The standard JWT claims.
	StandardClaims jwt.Claims
	// The parsed Google-specific JWT claims.
	GoogleClaims GoogleExtraClaims
}
ValidatedGoogleToken stores a parsed and validated Google ID token.
func ValidateGoogleClaims
func ValidateGoogleClaims(
	keys Set, serializedJWT string, audience string, issuers []string,
) (*ValidatedGoogleToken, error)
ValidateGoogleClaims parses the JWT, verifies its signature and claims, then returns the Google-specific claims and the expiration time.