Documentation
Index
- func MakeRS256SignedToken(pvtKeyPemRep, subject, issuer, audience string, secondsBeforeExpiry uint32) (string, error)
- func ToRsaPubKey(pemRep string) (*rsa.PublicKey, error)
- func ToRsaPvtKey(pemRep string) (*rsa.PrivateKey, error)
- type Payload
- func (p Payload) AppAzfDomain() string
- func (p Payload) AppID() string
- func (p Payload) ExpirationTime() uint64
- func (p Payload) ExpiresIn() uint64
- func (p Payload) IsEmpty() bool
- func (p Payload) IsWithinAllowedTimeInterval() bool
- func (p Payload) Issuer() string
- func (p Payload) Membership() string
- func (p Payload) Roles() []string
- func (p Payload) Scopes() []string
- func (p Payload) SecProfile() map[string]string
- func (p Payload) SecProfileAuditLogging() string
- func (p Payload) Subject() string
- func (p Payload) SubjectCommonName() string
Constants
This section is empty.
Variables
This section is empty.
Functions
func MakeRS256SignedToken
func MakeRS256SignedToken(pvtKeyPemRep, subject, issuer, audience string, secondsBeforeExpiry uint32) (string, error)
MakeRS256SignedToken mints a JWT holding the specified standard claims (subject, issuer, audience and an expiry secondsBeforeExpiry seconds from now) and signs it with RS256 (RSASSA-PKCS1-v1_5 over SHA-256) using the given RSA private key in PEM format.
func ToRsaPubKey
func ToRsaPubKey(pemRep string) (*rsa.PublicKey, error)
ToRsaPubKey parses an RSA public key in PEM format.
func ToRsaPvtKey
func ToRsaPvtKey(pemRep string) (*rsa.PrivateKey, error)
ToRsaPvtKey parses an RSA private key in PEM format.
Types
type Payload
type Payload map[string]interface{}
Payload holds the JWT claims (the token's payload block) in a map keyed by claim name.
func FromRaw
FromRaw extracts the payload of the specified JWT without doing any signature validation. If the input JWT is malformed, the returned payload is empty.
func Validate
Validate parses the input JWT and verifies its provenance using the specified RSA public key in PEM format. It checks that all of the following hold:
- the token is well-formed;
- the token was signed with the private key paired to the input public key;
- the current time falls within the 'nbf' ("not before" claim) and 'exp' ("expiry time") bounds---see Payload.IsWithinAllowedTimeInterval for details.
func ValidateHMAC
ValidateHMAC is a variant of Validate which uses an HMAC secret key for signature verification instead of an RSA public key. Everything else is the same.
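The following is an added example, not code from this package, showing in standard-library Go what MakeRS256SignedToken, Validate and ValidateHMAC are documented to do: mint a JWT, then verify it is well-formed and carries a signature made with the expected key. It works on an already parsed *rsa.PrivateKey rather than PEM text (the PEM step the page assigns to ToRsaPvtKey is left out), and every name in it (encodeJWT, verifyJWT, mintRS256, mintHS256, verifyRS256, verifyHS256, newRSAKey) is the example's own. The 'nbf'/'exp' window check that Validate also performs is left to the Payload methods.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// b64 is the unpadded base64url alphabet JWS segments use (RFC 7515).
var b64 = base64.RawURLEncoding

// newRSAKey makes a fresh 2048-bit key for the example; a deployment would load one from PEM instead.
func newRSAKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encodeJWT assembles header.payload.signature, delegating the signature over the signing input to sign.
func encodeJWT(alg string, claims map[string]interface{}, sign func([]byte) ([]byte, error)) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(body)
	sig, err := sign([]byte(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// mintRS256 signs with RSASSA-PKCS1-v1_5 over SHA-256, which is what the JWA identifier "RS256" denotes.
func mintRS256(key *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	return encodeJWT("RS256", claims, func(input []byte) ([]byte, error) {
		d := sha256.Sum256(input)
		return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	})
}

// mintHS256 is the symmetric counterpart: an HMAC-SHA256 tag over the same input.
func mintHS256(secret []byte, claims map[string]interface{}) (string, error) {
	return encodeJWT("HS256", claims, func(input []byte) ([]byte, error) {
		mac := hmac.New(sha256.New, secret)
		mac.Write(input)
		return mac.Sum(nil), nil
	})
}

// verifyJWT checks the token is well-formed, that its header names exactly the
// algorithm this verifier expects (pinning alg rules out "none" and RSA-public-key-
// as-HMAC-secret confusion), and that check accepts the signature over the segments
// exactly as received. Only then are the claims decoded and returned.
func verifyJWT(token, wantAlg string, check func(input, sig []byte) error) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: expected three dot-separated segments")
	}
	hdr, errH := b64.DecodeString(parts[0])
	body, errB := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errB != nil || errS != nil {
		return nil, errors.New("jwt: segment is not base64url")
	}
	var h struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdr, &h); err != nil || h.Alg != wantAlg {
		return nil, errors.New("jwt: header alg is not the expected algorithm")
	}
	if err := check([]byte(parts[0]+"."+parts[1]), sig); err != nil {
		return nil, errors.New("jwt: signature does not verify")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// verifyRS256 plays the role of Validate: provenance via the RSA public key.
func verifyRS256(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	return verifyJWT(token, "RS256", func(input, sig []byte) error {
		d := sha256.Sum256(input)
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
	})
}

// verifyHS256 plays the role of ValidateHMAC; hmac.Equal compares in constant time.
func verifyHS256(token string, secret []byte) (map[string]interface{}, error) {
	return verifyJWT(token, "HS256", func(input, sig []byte) error {
		mac := hmac.New(sha256.New, secret)
		mac.Write(input)
		if !hmac.Equal(mac.Sum(nil), sig) {
			return errors.New("hmac mismatch")
		}
		return nil
	})
}
```

The verifier takes the expected algorithm from the caller, never from the token, so a token whose header claims HS256 is rejected by verifyRS256 even though its signature would be a valid HMAC under the public key's bytes; that is the check a ValidateHMAC/Validate pair needs to keep the two key types from being confused.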
func (Payload) AppAzfDomain
AppAzfDomain reads the value of the 'app_azf_domain' field from a KeyRock JWT. If the field isn't there or isn't a string, return empty.
func (Payload) AppID
AppID reads the value of the 'app_id' field from a KeyRock JWT. If the field isn't there or isn't a string, return empty.
func (Payload) ExpirationTime
ExpirationTime reads the value of the 'exp' standard claim. If there's no 'exp' field or the value isn't a numeric date, then return 0. Any JSON number value counts as a numeric date (seconds since the epoch) as well as any string representation of a number---e.g. "2143" gets interpreted as 2143 seconds since the epoch but "21 43" does not.
func (Payload) ExpiresIn
ExpiresIn tells for how many seconds from now the token is still valid by looking at the 'exp' standard claim. If there's no 'exp' field or the value isn't a numeric date, then return 0. Any JSON number value counts as a numeric date (seconds since the epoch) as well as any string representation of a number---e.g. "2143" gets interpreted as 2143 seconds since the epoch but "21 43" does not.
func (Payload) IsWithinAllowedTimeInterval
IsWithinAllowedTimeInterval tells if the current time falls within the token's 'nbf' ("not before" claim) and 'exp' ("expiry time") bounds. More precisely, it returns true only if both of the following conditions hold:
(1) 'exp' isn't present or, if it is, specifies a date in the future;
(2) 'nbf' isn't present or, if it is, doesn't specify a date in the future.
Notice that if either field is present but doesn't hold a numeric date value, then the method returns false, since (1) and (2) don't hold. Any JSON number value counts as a numeric date (seconds since the epoch) as well as any string representation of a number, e.g. "2143" gets interpreted as 2143 seconds since the epoch but "21 43" does not.
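An added example, not the package's own code, of the numeric-date rules and the two-condition window check described for ExpirationTime, ExpiresIn and IsWithinAllowedTimeInterval. The methods take the current time as a parameter so the boundary cases ('exp' equal to now, 'nbf' one second ahead, a present but unparsable 'exp') can be pinned down; the names parsePayload, numericDate and parseDecimal are assumptions of this example, as is the choice to accept only unsigned decimal integer strings, since the page does not say whether fractions or exponents count.

```go
package main

import (
	"encoding/json"
	"strconv"
	"time"
)

// Payload mirrors the page's type: JWT claims keyed by claim name.
type Payload map[string]interface{}

// parsePayload decodes a JSON claims object. With plain json.Unmarshal every
// JSON number arrives as a float64, which numericDate handles below.
func parsePayload(jsonText string) (Payload, error) {
	var p Payload
	if err := json.Unmarshal([]byte(jsonText), &p); err != nil {
		return Payload{}, err
	}
	return p, nil
}

// numericDate reads a claim value as seconds since the epoch. JSON numbers
// (float64, or json.Number when a decoder used UseNumber) and strings holding
// a plain decimal number are accepted, so "2143" gives 2143; anything else,
// "21 43" included, is reported as not a numeric date.
func numericDate(v interface{}) (uint64, bool) {
	switch x := v.(type) {
	case float64:
		if x < 0 {
			return 0, false
		}
		return uint64(x), true
	case json.Number:
		return parseDecimal(x.String())
	case string:
		return parseDecimal(x)
	}
	return 0, false
}

// parseDecimal accepts only an unsigned base-10 integer string (an assumption
// of this example; the page does not spell out whether fractions or exponents count).
func parseDecimal(s string) (uint64, bool) {
	n, err := strconv.ParseUint(s, 10, 64)
	return n, err == nil
}

// expirationTime returns 'exp' as seconds since the epoch, or 0 when the
// claim is absent or not a numeric date.
func (p Payload) expirationTime() uint64 {
	secs, _ := numericDate(p["exp"])
	return secs
}

// expiresIn returns how many seconds after now the token stays valid; 0 when
// 'exp' is absent, unusable, or already reached.
func (p Payload) expiresIn(now time.Time) uint64 {
	exp := p.expirationTime()
	n := uint64(now.Unix())
	if exp <= n {
		return 0
	}
	return exp - n
}

// isWithinAllowedTimeInterval applies the two documented conditions:
// (1) 'exp' absent, or present and strictly in the future;
// (2) 'nbf' absent, or present and not in the future.
// A present but non-numeric 'exp' or 'nbf' fails the check outright.
func (p Payload) isWithinAllowedTimeInterval(now time.Time) bool {
	n := uint64(now.Unix())
	if v, present := p["exp"]; present {
		exp, ok := numericDate(v)
		if !ok || exp <= n {
			return false
		}
	}
	if v, present := p["nbf"]; present {
		nbf, ok := numericDate(v)
		if !ok || nbf > n {
			return false
		}
	}
	return true
}
```

Note the asymmetry the documentation implies: a garbage 'exp' makes ExpirationTime report 0 (as if absent) but makes IsWithinAllowedTimeInterval report false, so callers must gate on the interval check rather than on a non-zero expiry.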
func (Payload) Issuer
Issuer reads the value of the 'iss' standard claim. If there's no 'iss' field, then return empty.
func (Payload) Membership
Membership reads the value of the IDS membership field as a string from a DAPS JWT. If the field isn't there, return empty.
func (Payload) Roles
Roles returns all the KeyRock role names found in the JWT payload of a KeyRock token, removing duplicates and empty strings. More precisely, consider the set of all 'name' attributes of the role objects found in the top-level 'organizations' and 'roles' arrays; out of this set, return the names whose value is a non-empty string, sorted in ascending alphabetical order.
func (Payload) Scopes
Scopes returns the 'scopes' array in the JWT payload of a DAPS token. If there's no 'scopes' array or none of its elements is a string, then return an empty slice. Otherwise, return a slice with the string elements found in the 'scopes' array, in the same order in which they appear.
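An added example, not this package's code, of the claim extraction described for Roles and Scopes: tolerant walking of JSON arrays whose elements may or may not have the expected shape, with deduplication and sorting for roles and order-preserving filtering for scopes. The nesting it assumes for a KeyRock token (each object in 'organizations' carrying its own 'roles' array of objects with a 'name') is an assumption of this example, as are the names parsePayload and collectRoleNames.

```go
package main

import (
	"encoding/json"
	"sort"
)

// Payload mirrors the page's type: JWT claims keyed by claim name.
type Payload map[string]interface{}

// parsePayload decodes a JSON claims object into a Payload.
func parsePayload(jsonText string) (Payload, error) {
	var p Payload
	if err := json.Unmarshal([]byte(jsonText), &p); err != nil {
		return Payload{}, err
	}
	return p, nil
}

// collectRoleNames adds the non-empty string "name" of every object in a JSON
// array to the set; a non-array, non-object elements and non-string names are skipped.
func collectRoleNames(arr interface{}, into map[string]struct{}) {
	items, ok := arr.([]interface{})
	if !ok {
		return
	}
	for _, item := range items {
		obj, ok := item.(map[string]interface{})
		if !ok {
			continue
		}
		if name, ok := obj["name"].(string); ok && name != "" {
			into[name] = struct{}{}
		}
	}
}

// roles returns the distinct non-empty role names found in the top-level
// 'roles' array and in the 'roles' array of each 'organizations' entry,
// sorted ascending. That nesting is an assumption about the KeyRock layout.
func (p Payload) roles() []string {
	seen := map[string]struct{}{}
	collectRoleNames(p["roles"], seen)
	if orgs, ok := p["organizations"].([]interface{}); ok {
		for _, o := range orgs {
			if org, ok := o.(map[string]interface{}); ok {
				collectRoleNames(org["roles"], seen)
			}
		}
	}
	out := make([]string, 0, len(seen))
	for name := range seen {
		out = append(out, name)
	}
	sort.Strings(out)
	return out
}

// scopes returns the string elements of the 'scopes' array in their original
// order; a missing array, or one without strings, yields an empty slice.
func (p Payload) scopes() []string {
	out := []string{}
	items, ok := p["scopes"].([]interface{})
	if !ok {
		return out
	}
	for _, item := range items {
		if s, ok := item.(string); ok {
			out = append(out, s)
		}
	}
	return out
}
```

Every type assertion uses the two-value form, so a token whose 'roles' is a string, whose 'organizations' contains a number, or whose 'scopes' mixes in non-strings degrades to "fewer results" rather than a panic in the authorization path.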
func (Payload) SecProfile
SecProfile extracts the IDS security profile block of a DAPS JWT as a map. If the block isn't there, return an empty map.
func (Payload) SecProfileAuditLogging
SecProfileAuditLogging reads the value of the IDS audit logging field as a string from a DAPS JWT. If the field isn't there, return empty.
func (Payload) Subject
Subject reads the value of the 'sub' standard claim. If there's no 'sub' field, then return empty.
func (Payload) SubjectCommonName
SubjectCommonName extracts the subject common name from the JWT payload of a DAPS token. If there's no 'sub' field or it doesn't contain a parsable 'CN' element, return empty.