jwt


Documentation

Overview

Package jwt is used to sign and verify JWT tokens used by application access.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CheckNotBefore

func CheckNotBefore(now time.Time, leeway time.Duration, token *oidc.IDToken) error

CheckNotBefore ensures the token's "nbf" (Not Before) claim does not lie in the future relative to now, allowing for the given leeway. See RFC 7519 §4.1.5, "nbf" (Not Before) Claim: https://www.rfc-editor.org/rfc/rfc7519#section-4.1.5. TODO(strideynet): upstream support for `nbf` into the go-oidc lib.

func GenerateKeyPair

func GenerateKeyPair() ([]byte, []byte, error)

GenerateKeyPair generates and returns a PEM-encoded private key and public key in the format used by this package.

func UnmarshalJWK

func UnmarshalJWK(jwk JWK) (crypto.PublicKey, error)

UnmarshalJWK will unmarshal JWK into a crypto.PublicKey that can be used to validate signatures.

Types

type AWSOIDCVerifyParams

// AWSOIDCVerifyParams are the params required to verify an AWS OIDC token.
// Check reports an error if a required field is missing.
type AWSOIDCVerifyParams struct {
	// RawToken is the JWT to verify.
	RawToken string
	// Issuer is the issuer associated with the token; presumably it is
	// matched against the token's Issuer (iss) claim — confirm in VerifyAWSOIDC.
	Issuer string
}

AWSOIDCVerifyParams are the params required to verify an AWS OIDC Token.

func (*AWSOIDCVerifyParams) Check

func (p *AWSOIDCVerifyParams) Check() error

Check ensures all the required fields are present.

type AzureTokenClaims

// AzureTokenClaims represent the minimal set of claims encoded as a JWT in an
// Azure access token and passed back to the az CLI.
type AzureTokenClaims struct {
	// TenantID represents the Azure tenant ID; this is read by the az CLI.
	TenantID string `json:"tid"`
	// Resource records the resource requested by the az CLI. It is used by the
	// backend to request a real token with the appropriate scope.
	Resource string `json:"resource"`
}

AzureTokenClaims represent a minimal set of claims that will be encoded as JWT in Azure access token and passed back to az CLI.

type Claims

// Claims represents the public and private claims carried by a JWT token
// issued by this package.
type Claims struct {
	// Claims holds the public (registered) claim values specified in RFC 7519.
	jwt.Claims

	// Username is the Teleport identity of the user.
	Username string `json:"username"`

	// Roles is the list of roles assigned to the user within Teleport.
	Roles []string `json:"roles"`

	// Traits are the traits assigned to the user within Teleport.
	Traits wrappers.Traits `json:"traits"`
}

Claims represents public and private claims for a JWT token.

type Config

// Config holds the clock, keys, signature algorithm and cluster name used to
// build a *Key. CheckAndSetDefaults validates the values of a *Config.
type Config struct {
	// Clock is used to control expiry time.
	Clock clockwork.Clock

	// PublicKey is used to verify a signed token.
	PublicKey crypto.PublicKey

	// PrivateKey is used to sign and verify tokens.
	PrivateKey crypto.Signer

	// Algorithm is the algorithm used to sign JWT tokens.
	Algorithm jose.SignatureAlgorithm

	// ClusterName is the name of the cluster that will be signing the JWT tokens.
	ClusterName string
}

Config defines the clock, the public and/or private key, the signature algorithm and the cluster name that form a *jwt.Key.

func (*Config) CheckAndSetDefaults

func (c *Config) CheckAndSetDefaults() error

CheckAndSetDefaults validates the values of a *Config.

type JSONTime

// JSONTime is a time.Time whose JSON unmarshaling is sourced from go-oidc; see UnmarshalJSON.
type JSONTime time.Time

JSONTime unmarshaling sourced from https://github.com/gravitational/go-oidc/blob/master/oidc.go#L295 TODO(strideynet): upstream support for `nbf` into the go-oidc lib.

func (*JSONTime) UnmarshalJSON

func (j *JSONTime) UnmarshalJSON(b []byte) error

type JWK

// JWK is a JSON Web Key, described in detail in RFC 7517. The JSON field names
// are the RFC 7517 parameter names.
type JWK struct {
	// KeyType is the type of asymmetric key used.
	KeyType string `json:"kty"`
	// Algorithm is the algorithm used to sign.
	Algorithm string `json:"alg"`
	// N is the modulus of the public key.
	N string `json:"n"`
	// E is the exponent of the public key.
	E string `json:"e"`
	// Use identifies the intended use of the public key.
	// This field is required for the AWS OIDC Integration.
	// https://www.rfc-editor.org/rfc/rfc7517#section-4.2
	Use string `json:"use"`
	// KeyID identifies the key to use.
	// This field is required (even if empty) for the AWS OIDC Integration.
	// https://www.rfc-editor.org/rfc/rfc7517#section-4.5
	KeyID string `json:"kid"`
}

JWK is a JSON Web Key, described in detail in RFC 7517.

func MarshalJWK

func MarshalJWK(bytes []byte) (JWK, error)

MarshalJWK will marshal a supported public key into JWK format.

type Key

// Key is a JWT key that can be used to sign and/or verify a token.
// Construct it with New from a *Config.
type Key struct {
	// contains filtered or unexported fields
}

Key is a JWT key that can be used to sign and/or verify a token.

func New

func New(config *Config) (*Key, error)

New creates a JWT key that can be used to sign and verify tokens.

func (*Key) Sign

func (k *Key) Sign(p SignParams) (string, error)

func (*Key) SignAWSOIDC

func (k *Key) SignAWSOIDC(p SignParams) (string, error)

SignAWSOIDC signs a JWT with claims specific to the AWS OIDC Integration. Required params:
- Username: stored as the OnBehalfOf (obo) claim with a `user:` prefix
- Issuer: stored as the Issuer (iss) claim
- Subject: stored as the Subject (sub) claim
- Audience: stored as the Audience (aud) claim
- Expires: stored as the Expiry (exp) claim

func (*Key) SignAzureToken

func (k *Key) SignAzureToken(claims AzureTokenClaims) (string, error)

SignAzureToken signs the given AzureTokenClaims and returns the resulting JWT.

func (*Key) SignPROXYJWT

func (k *Key) SignPROXYJWT(p PROXYSignParams) (string, error)

SignPROXYJWT creates a short-lived signed JWT that is used in the signed PROXY header.

func (*Key) SignSnowflake

func (k *Key) SignSnowflake(p SignParams, issuer string) (string, error)

func (*Key) Verify

func (k *Key) Verify(p VerifyParams) (*Claims, error)

Verify will validate the passed in JWT token.

func (*Key) VerifyAWSOIDC

func (k *Key) VerifyAWSOIDC(p AWSOIDCVerifyParams) (*Claims, error)

VerifyAWSOIDC validates the passed-in JWT token for the AWS OIDC Integration.

func (*Key) VerifyAzureToken

func (k *Key) VerifyAzureToken(rawToken string) (*AzureTokenClaims, error)

func (*Key) VerifyPROXY

func (k *Key) VerifyPROXY(p PROXYVerifyParams) (*Claims, error)

VerifyPROXY validates the passed-in JWT carried in a signed PROXY header.

func (*Key) VerifySnowflake

func (k *Key) VerifySnowflake(p SnowflakeVerifyParams) (*Claims, error)

VerifySnowflake will validate the passed in JWT token.

type PROXYSignParams

// PROXYSignParams are the values embedded in the short-lived JWT produced by
// SignPROXYJWT for the signed PROXY header.
type PROXYSignParams struct {
	// ClusterName is the name of the cluster recorded in the token.
	ClusterName string
	// SourceAddress is the source address recorded in the token; presumably the
	// source address carried by the PROXY header — confirm against SignPROXYJWT.
	SourceAddress string
	// DestinationAddress is the destination address recorded in the token.
	DestinationAddress string
}

type PROXYVerifyParams

// PROXYVerifyParams are the values needed by VerifyPROXY to validate a JWT
// carried in a signed PROXY header. Check validates the fields.
type PROXYVerifyParams struct {
	// ClusterName is the expected cluster name.
	ClusterName string
	// SourceAddress is the expected source address; presumably compared with the
	// value recorded in the token — confirm against VerifyPROXY.
	SourceAddress string
	// DestinationAddress is the expected destination address.
	DestinationAddress string
	// RawToken is the JWT to verify.
	RawToken string
}

func (*PROXYVerifyParams) Check

func (p *PROXYVerifyParams) Check() error

type SignParams

// SignParams are the claims to be embedded within the JWT token.
// Check verifies all the values are valid.
type SignParams struct {
	// Username is the Teleport identity.
	Username string

	// Roles are the roles assigned to the user within Teleport.
	Roles []string

	// Traits are the traits assigned to the user within Teleport.
	Traits wrappers.Traits

	// Expires is the point in time at which the token expires (it is an
	// absolute time, not a time-to-live duration).
	Expires time.Time

	// URI is the URI of the recipient application.
	URI string

	// Audience is the Audience (aud) for the token.
	Audience string

	// Issuer is the issuer (iss) of the token.
	Issuer string

	// Subject is the system that is going to use the token (the sub claim).
	Subject string
}

SignParams are the claims to be embedded within the JWT token.

func (*SignParams) Check

func (p *SignParams) Check() error

Check verifies all the values are valid.

type SnowflakeVerifyParams

// SnowflakeVerifyParams are the values needed by VerifySnowflake to validate a
// JWT issued with SignSnowflake. Check validates the fields.
type SnowflakeVerifyParams struct {
	// AccountName is the Snowflake account name.
	AccountName string
	// LoginName is the Snowflake login name.
	LoginName string
	// RawToken is the JWT to verify.
	RawToken string
}

func (*SnowflakeVerifyParams) Check

func (p *SnowflakeVerifyParams) Check() error

type VerifyParams

// VerifyParams hold the token and the data needed to verify it with Key.Verify.
// Check verifies all the values are valid.
type VerifyParams struct {
	// Username is the Teleport identity.
	Username string

	// RawToken is the JWT token to verify.
	RawToken string

	// URI is the URI of the recipient application.
	URI string

	// Audience is the expected Audience (aud) of the token.
	Audience string
}

VerifyParams hold the token and the data needed to verify it.

func (*VerifyParams) Check

func (p *VerifyParams) Check() error

Check verifies all the values are valid.
