Documentation ¶
Overview ¶
Package jwt implements JSON Web Tokens as described in https://tools.ietf.org/html/rfc7519
Index ¶
- Constants
- func Equal(t1, t2 Token) bool
- func RegisterCustomField(name string, object interface{})
- func Settings(options ...GlobalOption)
- func Sign(t Token, alg jwa.SignatureAlgorithm, key interface{}, options ...SignOption) ([]byte, error)
- func Validate(t Token, options ...ValidateOption) error
- type ClaimPair
- type Clock
- type ClockFunc
- type DecodeCtx
- type DecryptParameters
- type EncryptOption
- type GlobalOption
- type Iterator
- type Option
- type ParseOption
- func UseDefaultKey(value bool) ParseOption
- func WithDecrypt(alg jwa.KeyEncryptionAlgorithm, key interface{}) ParseOption
- func WithKeySet(set jwk.Set) ParseOption
- func WithPedantic(v bool) ParseOption
- func WithToken(t Token) ParseOption
- func WithTypedClaim(name string, object interface{}) ParseOption
- func WithValidate(b bool) ParseOption
- func WithVerify(alg jwa.SignatureAlgorithm, key interface{}) ParseOption
- type ParseRequestOption
- type ReadFileOption
- type SerializeCtx
- type SerializeStep
- type Serializer
- func (s *Serializer) Encrypt(keyalg jwa.KeyEncryptionAlgorithm, key interface{}, ...) *Serializer
- func (s *Serializer) Reset() *Serializer
- func (s *Serializer) Serialize(t Token) ([]byte, error)
- func (s *Serializer) Sign(alg jwa.SignatureAlgorithm, key interface{}, options ...SignOption) *Serializer
- func (s *Serializer) Step(step SerializeStep) *Serializer
- type SignOption
- type Token
- func New() Token
- func Parse(s []byte, options ...ParseOption) (Token, error)
- func ParseForm(values url.Values, name string, options ...ParseOption) (Token, error)
- func ParseHeader(hdr http.Header, name string, options ...ParseOption) (Token, error)
- func ParseReader(src io.Reader, options ...ParseOption) (Token, error)
- func ParseRequest(req *http.Request, options ...ParseOption) (Token, error)
- func ParseString(s string, options ...ParseOption) (Token, error)
- func ReadFile(path string, options ...ReadFileOption) (Token, error)
- type TokenWithDecodeCtx
- type ValidateOption
- func WithAcceptableSkew(dur time.Duration) ValidateOption
- func WithAudience(s string) ValidateOption
- func WithClaimValue(name string, v interface{}) ValidateOption
- func WithClock(c Clock) ValidateOption
- func WithIssuer(s string) ValidateOption
- func WithJwtID(s string) ValidateOption
- func WithMaxDelta(dur time.Duration, c1, c2 string) ValidateOption
- func WithMinDelta(dur time.Duration, c1, c2 string) ValidateOption
- func WithRequiredClaim(name string) ValidateOption
- func WithSubject(s string) ValidateOption
- type VerifyParameters
- type Visitor
- type VisitorFunc
Constants ¶
const ( AudienceKey = "aud" ExpirationKey = "exp" IssuedAtKey = "iat" IssuerKey = "iss" JwtIDKey = "jti" NotBeforeKey = "nbf" SubjectKey = "sub" )
Variables ¶
This section is empty.
Functions ¶
func Equal ¶ added in v1.1.0
Equal compares two JWT tokens. Do not use `reflect.Equal` or the like to compare tokens as they will also compare extra detail such as sync.Mutex objects used to control concurrent access.
The comparison for values is currently done using a simple equality ("=="), except for time.Time, which uses time.Equal after dropping the monotonic clock and truncating the values to 1 second accuracy.
if both t1 and t2 are nil, returns true
func RegisterCustomField ¶ added in v1.1.2
func RegisterCustomField(name string, object interface{})
RegisterCustomField allows users to specify that a private field be decoded as an instance of the specified type. This option has a global effect.
For example, suppose you have a custom field `x-birthday`, which you want to represent as a string formatted in RFC3339 in JSON, but want it back as `time.Time`.
In that case you would register a custom field as follows
jwt.RegisterCustomField(`x-birthday`, timeT)
Then `token.Get("x-birthday")` will still return an `interface{}`, but you can convert its type to `time.Time`
bdayif, _ := token.Get(`x-birthday`) bday := bdayif.(time.Time)
func Settings ¶ added in v1.2.0
func Settings(options ...GlobalOption)
Settings controls global settings that are specific to JWTs.
func Sign ¶ added in v1.0.0
func Sign(t Token, alg jwa.SignatureAlgorithm, key interface{}, options ...SignOption) ([]byte, error)
Sign is a convenience function to create a signed JWT token serialized in compact form.
It accepts either a raw key (e.g. rsa.PrivateKey, ecdsa.PrivateKey, etc) or a jwk.Key, and the name of the algorithm that should be used to sign the token.
If the key is a jwk.Key and the key contains a key ID (`kid` field), then it is added to the protected header generated by the signature
The algorithm specified in the `alg` parameter must be able to support the type of key you provided, otherwise an error is returned.
The protected header will also automatically have the `typ` field set to the literal value `JWT`, unless you provide a custom value for it by jwt.WithHeaders option.
func Validate ¶ added in v1.0.6
func Validate(t Token, options ...ValidateOption) error
Validate makes sure that the essential claims stand.
See the various `WithXXX` functions for optional parameters that can control the behavior of this method.
Types ¶
type DecryptParameters ¶ added in v1.2.2
type DecryptParameters interface { Algorithm() jwa.KeyEncryptionAlgorithm Key() interface{} }
type EncryptOption ¶ added in v1.2.2
type EncryptOption interface { Option // contains filtered or unexported methods }
EncryptOption describes an Option that can be passed to Encrypt() or (jwt.Serializer).Encrypt
func WithJweHeaders ¶ added in v1.2.2
func WithJweHeaders(hdrs jwe.Headers) EncryptOption
WithJweHeaders is passed to "jwt.Serializer".Encrypt() method to allow specifying arbitrary header values to be included in the protected header of the JWE message
type GlobalOption ¶ added in v1.2.0
type GlobalOption interface { Option // contains filtered or unexported methods }
GlobalOption describes an Option that can be passed to `Settings()`.
func WithFlattenAudience ¶ added in v1.2.0
func WithFlattenAudience(v bool) GlobalOption
WithFlattenAudience specifies if the "aud" claim should be flattened to a single string upon the token being serialized to JSON.
This is sometimes important when a JWT consumer does not understand that the "aud" claim can actually take the form of an array of strings.
The default value is `false`, which means that "aud" claims are always rendered as a arrays of strings. This setting has a global effect, and will change the behavior for all JWT serialization.
type ParseOption ¶ added in v1.0.6
type ParseOption interface { ReadFileOption // contains filtered or unexported methods }
ParseOption describes an Option that can be passed to `Parse()`. ParseOption also implements ReadFileOption, therefore it may be safely pass them to `jwt.ReadFile()`
func UseDefaultKey ¶ added in v1.0.6
func UseDefaultKey(value bool) ParseOption
UseDefaultKey is used in conjunction with the option WithKeySet to instruct the Parse method to default to the single key in a key set when no Key ID is included in the JWT. If the key set contains multiple keys then the behaviour is unchanged.
func WithDecrypt ¶ added in v1.2.2
func WithDecrypt(alg jwa.KeyEncryptionAlgorithm, key interface{}) ParseOption
WithDecrypt allows users to specify parameters for decryption using `jwe.Decrypt`. You must specify this if your JWT is encrypted.
func WithKeySet ¶ added in v1.0.3
func WithKeySet(set jwk.Set) ParseOption
WithKeySet forces the Parse method to verify the JWT message using one of the keys in the given key set. The key to be used is chosen by matching the Key ID of the JWT and the ID of the given keys.
When using this option, keys MUST have a properly 'alg' field set. This is because we need to know the exact algorithm that you (the user) wants to use to verify the token. We do NOT trust the token's headers, because they can easily be tampered with.
func WithPedantic ¶ added in v1.2.2
func WithPedantic(v bool) ParseOption
WithPedantic enables pedantic mode for parsing JWTs. Currently this only applies to checking for the correct `typ` and/or `cty` when necessary.
func WithToken ¶ added in v1.0.0
func WithToken(t Token) ParseOption
WithToken specifies the token instance that is used when parsing JWT tokens.
func WithTypedClaim ¶ added in v1.2.1
func WithTypedClaim(name string, object interface{}) ParseOption
WithTypedClaim allows a private claim to be parsed into the object type of your choice. It works much like the RegisterCustomField, but the effect is only applicable to the jwt.Parse function call which receives this option.
While this can be extremely useful, this option should be used with caution: There are many caveats that your entire team/user-base needs to be aware of, and therefore in general its use is discouraged. Only use it when you know what you are doing, and you document its use clearly for others.
First and foremost, this is a "per-object" option. Meaning that given the same serialized format, it is possible to generate two objects whose internal representations may differ. That is, if you parse one _WITH_ the option, and the other _WITHOUT_, their internal representation may completely differ. This could potentially lead to problems.
Second, specifying this option will slightly slow down the decoding process as it needs to consult multiple definitions sources (global and local), so be careful if you are decoding a large number of tokens, as the effects will stack up.
Finally, this option will also NOT work unless the tokens themselves support such parsing mechanism. For example, while tokens obtained from `jwt.New()` and `openid.New()` will respect this option, if you provide your own custom token type, it will need to implement the TokenWithDecodeCtx interface.
func WithValidate ¶ added in v1.0.6
func WithValidate(b bool) ParseOption
WithValidate is passed to `Parse()` method to denote that the validation of the JWT token should be performed after a successful parsing of the incoming payload.
func WithVerify ¶
func WithVerify(alg jwa.SignatureAlgorithm, key interface{}) ParseOption
WithVerify forces the Parse method to verify the JWT message using the given key. XXX Should have been named something like WithVerificationKey
type ParseRequestOption ¶ added in v1.1.4
type ParseRequestOption interface { ParseOption // contains filtered or unexported methods }
ParseRequestOption describes an Option that can be passed to `ParseRequest()`.
func WithFormKey ¶ added in v1.1.4
func WithFormKey(v string) ParseRequestOption
WithFormKey is used to specify header keys to search for tokens.
While the type system allows this option to be passed to jwt.Parse() directly, doing so will have no effect. Only use it for HTTP request parsing functions
func WithHeaderKey ¶ added in v1.1.4
func WithHeaderKey(v string) ParseRequestOption
WithHeaderKey is used to specify header keys to search for tokens.
While the type system allows this option to be passed to jwt.Parse() directly, doing so will have no effect. Only use it for HTTP request parsing functions
type ReadFileOption ¶ added in v1.1.0
type ReadFileOption interface { Option // contains filtered or unexported methods }
ReadFileOption describes options that can be passed to ReadFile.
type SerializeCtx ¶ added in v1.2.2
type SerializeStep ¶ added in v1.2.2
type SerializeStep interface {
Serialize(SerializeCtx, interface{}) (interface{}, error)
}
type Serializer ¶ added in v1.2.2
type Serializer struct {
// contains filtered or unexported fields
}
Serializer is a generic serializer for JWTs. Whereas other conveinience functions can only do one thing (such as generate a JWS signed JWT), Using this construct you can serialize the token however you want.
By default the serializer only marshals the token into a JSON payload. You must set up the rest of the steps that should be taken by the serializer.
For example, to marshal the token into JSON, then apply JWS and JWE in that order, you would do:
serialized, err := jwt.NewSerialer(). Sign(jwa.RS256, key). Encrypt(jwa.RSA_OAEP, key.PublicKey). Serialize(token)
The `jwt.Sign()` function is equivalent to
serialized, err := jwt.NewSerializer(). Sign(...args...). Serialize(token)
func NewSerializer ¶ added in v1.2.2
func NewSerializer() *Serializer
NewSerializer creates a new empty serializer.
func (*Serializer) Encrypt ¶ added in v1.2.2
func (s *Serializer) Encrypt(keyalg jwa.KeyEncryptionAlgorithm, key interface{}, contentalg jwa.ContentEncryptionAlgorithm, compressalg jwa.CompressionAlgorithm, options ...EncryptOption) *Serializer
func (*Serializer) Reset ¶ added in v1.2.2
func (s *Serializer) Reset() *Serializer
Reset clears all of the registered steps.
func (*Serializer) Serialize ¶ added in v1.2.2
func (s *Serializer) Serialize(t Token) ([]byte, error)
func (*Serializer) Sign ¶ added in v1.2.2
func (s *Serializer) Sign(alg jwa.SignatureAlgorithm, key interface{}, options ...SignOption) *Serializer
func (*Serializer) Step ¶ added in v1.2.2
func (s *Serializer) Step(step SerializeStep) *Serializer
Step adds a new Step to the serialization process
type SignOption ¶ added in v1.2.2
type SignOption interface { Option // contains filtered or unexported methods }
SignOption describes an Option that can be passed to Sign() or (jwt.Serializer).Sign
func WithHeaders ¶ added in v1.0.3
func WithHeaders(hdrs jws.Headers) SignOption
WithHeaders is passed to `jwt.Sign()` function, to allow specifying arbitrary header values to be included in the header section of the jws message
This option will be deprecated in the next major version. Use jwt.WithJwsHeaders() instead.
func WithJwsHeaders ¶ added in v1.2.2
func WithJwsHeaders(hdrs jws.Headers) SignOption
WithJwsHeaders is passed to `jwt.Sign()` function or "jwt.Serializer".Sign() method, to allow specifying arbitrary header values to be included in the header section of the JWE message
type Token ¶
type Token interface { Audience() []string Expiration() time.Time IssuedAt() time.Time Issuer() string JwtID() string NotBefore() time.Time Subject() string PrivateClaims() map[string]interface{} Get(string) (interface{}, bool) Set(string, interface{}) error Remove(string) error Clone() (Token, error) Iterate(context.Context) Iterator Walk(context.Context, Visitor) error AsMap(context.Context) (map[string]interface{}, error) }
Token represents a generic JWT token. which are type-aware (to an extent). Other claims may be accessed via the `Get`/`Set` methods but their types are not taken into consideration at all. If you have non-standard claims that you must frequently access, consider creating accessors functions like the following
func SetFoo(tok jwt.Token) error func GetFoo(tok jwt.Token) (*Customtyp, error)
Embedding jwt.Token into another struct is not recommended, becase jwt.Token needs to handle private claims, and this really does not work well when it is embedded in other structure
func New ¶
func New() Token
New creates a standard token, with minimal knowledge of possible claims. Standard claims include"aud", "exp", "iat", "iss", "jti", "nbf" and "sub". Convenience accessors are provided for these standard claims
func Parse ¶
func Parse(s []byte, options ...ParseOption) (Token, error)
Parse parses the JWT token payload and creates a new `jwt.Token` object. The token must be encoded in either JSON format or compact format.
This function can work with encrypted and/or signed tokens. Any combination of JWS and JWE may be applied to the token, but this function will only attempt to verify/decrypt up to 2 levels (i.e. JWS only, JWE only, JWS then JWE, or JWE then JWS)
If the token is signed and you want to verify the payload matches the signature, you must pass the jwt.WithVerify(alg, key) or jwt.WithKeySet(jwk.Set) option. If you do not specify these parameters, no verification will be performed.
If you also want to assert the validity of the JWT itself (i.e. expiration and such), use the `Validate()` function on the returned token, or pass the `WithValidate(true)` option. Validate options can also be passed to `Parse`
This function takes both ParseOption and ValidateOption types: ParseOptions control the parsing behavior, and ValidateOptions are passed to `Validate()` when `jwt.WithValidate` is specified.
func ParseHeader ¶ added in v1.1.4
ParseHeader parses a JWT stored in a http.Header.
For the header "Authorization", it will strip the prefix "Bearer " and will treat the remaining value as a JWT.
func ParseReader ¶ added in v1.1.0
func ParseReader(src io.Reader, options ...ParseOption) (Token, error)
ParseReader calls Parse against an io.Reader
func ParseRequest ¶ added in v1.1.4
func ParseRequest(req *http.Request, options ...ParseOption) (Token, error)
ParseRequest searches a http.Request object for a JWT token.
Specifying WithHeaderKey() will tell it to search under a specific header key. Specifying WithFormKey() will tell it to search under a specific form field.
By default, "Authorization" header will be searched.
If WithHeaderKey() is used, you must explicitly re-enable searching for "Authorization" header.
# searches for "Authorization" jwt.ParseRequest(req) # searches for "x-my-token" ONLY. jwt.ParseRequest(req, http.WithHeaderKey("x-my-token")) # searches for "Authorization" AND "x-my-token" jwt.ParseRequest(req, http.WithHeaderKey("Authorization"), http.WithHeaderKey("x-my-token"))
func ParseString ¶
func ParseString(s string, options ...ParseOption) (Token, error)
ParseString calls Parse against a string
type TokenWithDecodeCtx ¶ added in v1.2.1
type TokenWithDecodeCtx = json.DecodeCtxContainer
type ValidateOption ¶ added in v1.0.6
type ValidateOption interface { ParseOption // contains filtered or unexported methods }
ValidateOption describes an Option that can be passed to Validate(). ValidateOption also implements ParseOption, therefore it may be safely passed to `Parse()` (and thus `jwt.ReadFile()`)
func WithAcceptableSkew ¶
func WithAcceptableSkew(dur time.Duration) ValidateOption
WithAcceptableSkew specifies the duration in which exp and nbf claims may differ by. This value should be positive
func WithAudience ¶
func WithAudience(s string) ValidateOption
WithAudience specifies that expected audience value. `Validate()` will return true if one of the values in the `aud` element matches this value. If not specified, the value of issuer is not verified at all.
func WithClaimValue ¶ added in v0.9.2
func WithClaimValue(name string, v interface{}) ValidateOption
WithClaimValue specifies that expected any claim value.
func WithClock ¶
func WithClock(c Clock) ValidateOption
WithClock specifies the `Clock` to be used when verifying claims exp and nbf.
func WithIssuer ¶
func WithIssuer(s string) ValidateOption
WithIssuer specifies that expected issuer value. If not specified, the value of issuer is not verified at all.
func WithJwtID ¶
func WithJwtID(s string) ValidateOption
WithJwtID specifies that expected jti value. If not specified, the value of jti is not verified at all.
func WithMaxDelta ¶ added in v1.2.2
func WithMaxDelta(dur time.Duration, c1, c2 string) ValidateOption
WithMaxDelta specifies that given two claims `c1` and `c2` that represent time, the difference in time.Duration must be less than equal to the value specified by `d`. If `c1` or `c2` is the empty string, the current time (as computed by `time.Now` or the object passed via `WithClock()`) is used for the comparison.
`c1` and `c2` are also assumed to be required, therefore not providing either claim in the token will result in an error.
Because there is no way of reliably knowing how to parse private claims, we currently only support `iat`, `exp`, and `nbf` claims.
If the empty string is passed to c1 or c2, then the current time (as calculated by time.Now() or the clock object provided via WithClock()) is used.
For example, in order to specify that `exp` - `iat` < 10*time.Second, you would write
jwt.Validate(token, jwt.WithMaxDelta(10*time.Second, jwt.ExpirationKey, jwt.IssuedAtKey))
If AcceptableSkew of 2 second is specified, the above will return valid for any value of `exp` - `iat` between 8 (10-2) and 12 (10+2).
func WithMinDelta ¶ added in v1.2.2
func WithMinDelta(dur time.Duration, c1, c2 string) ValidateOption
WithMinDelta is almost exactly the same as WithMaxDelta, but force validation to fail if the difference between time claims are less than dur.
For example, in order to specify that `exp` - `iat` > 10*time.Second, you would write
jwt.Validate(token, jwt.WithMinDelta(10*time.Second, jwt.ExpirationKey, jwt.IssuedAtKey))
func WithRequiredClaim ¶ added in v1.2.2
func WithRequiredClaim(name string) ValidateOption
WithRequiredClaim specifies that the claim identified the given name must exist in the token. Only the existence of the claim is checked: the actual value associated with that field is not checked.
func WithSubject ¶
func WithSubject(s string) ValidateOption
WithSubject specifies that expected subject value. If not specified, the value of subject is not verified at all.
type VerifyParameters ¶
type VerifyParameters interface { Algorithm() jwa.SignatureAlgorithm Key() interface{} }
type Visitor ¶ added in v0.9.1
type Visitor = iter.MapVisitor
type VisitorFunc ¶ added in v1.0.0
type VisitorFunc = iter.MapVisitorFunc
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
internal
|
|
Package openid provides a specialized token that provides utilities to work with OpenID JWT tokens.
|
Package openid provides a specialized token that provides utilities to work with OpenID JWT tokens. |