Overview ¶
Package jwk implements JSON Web Key management capabilities
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens).
Index ¶
- Constants
- Variables
- func Asset(name string) ([]byte, error)
- func AssetDigest(name string) ([sha256.Size]byte, error)
- func AssetDir(name string) ([]string, error)
- func AssetInfo(name string) (os.FileInfo, error)
- func AssetNames() []string
- func AssetString(name string) (string, error)
- func AsymmetricKeypair(ctx context.Context, r InternalRegistry, g KeyGenerator, set string) (public, private *jose.JSONWebKey, err error)
- func Digests() (map[string][sha256.Size]byte, error)
- func EnsureAsymmetricKeypairExists(ctx context.Context, r InternalRegistry, g KeyGenerator, set string) error
- func FindKeyByPrefix(set *jose.JSONWebKeySet, prefix string) (key *jose.JSONWebKey, err error)
- func FindKeysByPrefix(set *jose.JSONWebKeySet, prefix string) (*jose.JSONWebKeySet, error)
- func First(keys []jose.JSONWebKey) *jose.JSONWebKey
- func GetOrCreateKey(ctx context.Context, r InternalRegistry, g KeyGenerator, set, prefix string) (*jose.JSONWebKey, error)
- func Ider(typ, id string) string
- func MustAsset(name string) []byte
- func MustAssetString(name string) string
- func MustRSAPrivate(key *jose.JSONWebKey) *rsa.PrivateKey
- func MustRSAPublic(key *jose.JSONWebKey) *rsa.PublicKey
- func PEMBlockForKey(key interface{}) (*pem.Block, error)
- func RandomBytes(n int) ([]byte, error)
- func RestoreAsset(dir, name string) error
- func RestoreAssets(dir, name string) error
- func TestHelperManagerKey(m Manager, keys *jose.JSONWebKeySet, suffix string) func(t *testing.T)
- func TestHelperManagerKeySet(m Manager, keys *jose.JSONWebKeySet, suffix string) func(t *testing.T)
- func ToRSAPrivate(key *jose.JSONWebKey) (*rsa.PrivateKey, error)
- func ToRSAPublic(key *jose.JSONWebKey) (*rsa.PublicKey, error)
- type AEAD
- type Configuration
- type ECDSA256Generator
- type ECDSA512Generator
- type HS256Generator
- type HS512Generator
- type Handler
- func (h *Handler) Create(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
- func (h *Handler) DeleteKey(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
- func (h *Handler) DeleteKeySet(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
- func (h *Handler) GetKey(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
- func (h *Handler) GetKeySet(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
- func (h *Handler) SetRoutes(admin *x.RouterAdmin, public *x.RouterPublic, ...)
- func (h *Handler) UpdateKey(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
- func (h *Handler) UpdateKeySet(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
- func (h *Handler) WellKnown(w http.ResponseWriter, r *http.Request)
- type InternalRegistry
- type JWTStrategy
- type KeyGenerator
- type Manager
- type MemoryManager
- func (m *MemoryManager) AddKey(ctx context.Context, set string, key *jose.JSONWebKey) error
- func (m *MemoryManager) AddKeySet(ctx context.Context, set string, keys *jose.JSONWebKeySet) error
- func (m *MemoryManager) DeleteKey(ctx context.Context, set, kid string) error
- func (m *MemoryManager) DeleteKeySet(ctx context.Context, set string) error
- func (m *MemoryManager) GetKey(ctx context.Context, set, kid string) (*jose.JSONWebKeySet, error)
- func (m *MemoryManager) GetKeySet(ctx context.Context, set string) (*jose.JSONWebKeySet, error)
- type RS256Generator
- type RS256JWTStrategy
- func (j *RS256JWTStrategy) Decode(ctx context.Context, token string) (*jwt2.Token, error)
- func (j *RS256JWTStrategy) Generate(ctx context.Context, claims jwt2.Claims, header jwt.Mapper) (string, string, error)
- func (j *RS256JWTStrategy) GetPublicKeyID(ctx context.Context) (string, error)
- func (j *RS256JWTStrategy) GetSignature(ctx context.Context, token string) (string, error)
- func (j *RS256JWTStrategy) GetSigningMethodLength() int
- func (j *RS256JWTStrategy) Hash(ctx context.Context, in []byte) ([]byte, error)
- func (j *RS256JWTStrategy) Validate(ctx context.Context, token string) (string, error)
- type Registry
- type SQLManager
- func (m *SQLManager) AddKey(ctx context.Context, set string, key *jose.JSONWebKey) error
- func (m *SQLManager) AddKeySet(ctx context.Context, set string, keys *jose.JSONWebKeySet) error
- func (m *SQLManager) CreateSchemas(dbName string) (int, error)
- func (m *SQLManager) DeleteKey(ctx context.Context, set, kid string) error
- func (m *SQLManager) DeleteKeySet(ctx context.Context, set string) error
- func (m *SQLManager) GetKey(ctx context.Context, set, kid string) (*jose.JSONWebKeySet, error)
- func (m *SQLManager) GetKeySet(ctx context.Context, set string) (*jose.JSONWebKeySet, error)
- func (m *SQLManager) PlanMigration(dbName string) ([]*migrate.PlannedMigration, error)
Constants ¶
const (
	// KeyHandlerPath is the admin API prefix under which JSON Web Key Sets
	// are created, fetched, updated and deleted (see the Handler routes).
	KeyHandlerPath = "/keys"
	// WellKnownKeysPath is the public discovery endpoint that serves the
	// public JSON Web Keys used to verify tokens (see Handler.WellKnown).
	WellKnownKeysPath = "/.well-known/jwks.json"
)
Variables ¶
// Migrations maps each supported database driver to the packr-backed SQL
// migration source for this package. MySQL and PostgreSQL apply the shared
// directory followed by their own; CockroachDB uses only its own directory.
// NewMustPackerMigrationSource follows the Must naming convention, so it
// presumably panics on a missing embedded asset at package init rather than
// failing at first use — confirm in dbal.
var Migrations = map[string]*dbal.PackrMigrationSource{
	dbal.DriverMySQL: dbal.NewMustPackerMigrationSource(logrus.New(), AssetNames(), Asset, []string{
		"migrations/sql/shared",
		"migrations/sql/mysql",
	}, true),
	dbal.DriverPostgreSQL: dbal.NewMustPackerMigrationSource(logrus.New(), AssetNames(), Asset, []string{
		"migrations/sql/shared",
		"migrations/sql/postgres",
	}, true),
	dbal.DriverCockroachDB: dbal.NewMustPackerMigrationSource(logrus.New(), AssetNames(), Asset, []string{
		"migrations/sql/cockroach",
	}, true),
}
Functions ¶
func Asset ¶
Asset loads and returns the asset for the given name. It returns an error if the asset could not be found or could not be loaded.
func AssetDigest ¶ added in v1.0.1
AssetDigest returns the digest of the file with the given name. It returns an error if the asset could not be found or the digest could not be loaded.
func AssetDir ¶
AssetDir returns the file names below a certain directory embedded in the file by go-bindata. For example if you run go-bindata on data/... and data contains the following hierarchy:
data/
    foo.txt
    img/
        a.png
        b.png
then AssetDir("data") would return []string{"foo.txt", "img"}, AssetDir("data/img") would return []string{"a.png", "b.png"}, AssetDir("foo.txt") and AssetDir("notexist") would return an error, and AssetDir("") will return []string{"data"}.
func AssetInfo ¶
AssetInfo loads and returns the asset info for the given name. It returns an error if the asset could not be found or could not be loaded.
func AssetString ¶ added in v1.0.1
AssetString returns the asset contents as a string (instead of a []byte).
func AsymmetricKeypair ¶
func AsymmetricKeypair(ctx context.Context, r InternalRegistry, g KeyGenerator, set string) (public, private *jose.JSONWebKey, err error)
func EnsureAsymmetricKeypairExists ¶
func EnsureAsymmetricKeypairExists(ctx context.Context, r InternalRegistry, g KeyGenerator, set string) error
func FindKeyByPrefix ¶
func FindKeyByPrefix(set *jose.JSONWebKeySet, prefix string) (key *jose.JSONWebKey, err error)
func FindKeysByPrefix ¶
func FindKeysByPrefix(set *jose.JSONWebKeySet, prefix string) (*jose.JSONWebKeySet, error)
func First ¶
func First(keys []jose.JSONWebKey) *jose.JSONWebKey
func GetOrCreateKey ¶
func GetOrCreateKey(ctx context.Context, r InternalRegistry, g KeyGenerator, set, prefix string) (*jose.JSONWebKey, error)
func MustAsset ¶
MustAsset is like Asset but panics when Asset would return an error. It simplifies safe initialization of global variables.
func MustAssetString ¶ added in v1.0.1
MustAssetString is like AssetString but panics when Asset would return an error. It simplifies safe initialization of global variables.
func MustRSAPrivate ¶
func MustRSAPrivate(key *jose.JSONWebKey) *rsa.PrivateKey
func MustRSAPublic ¶
func MustRSAPublic(key *jose.JSONWebKey) *rsa.PublicKey
func PEMBlockForKey ¶
func RandomBytes ¶
func RestoreAsset ¶
RestoreAsset restores an asset under the given directory.
func RestoreAssets ¶
RestoreAssets restores an asset under the given directory recursively.
func TestHelperManagerKey ¶
func TestHelperManagerKeySet ¶
func ToRSAPrivate ¶
func ToRSAPrivate(key *jose.JSONWebKey) (*rsa.PrivateKey, error)
func ToRSAPublic ¶
func ToRSAPublic(key *jose.JSONWebKey) (*rsa.PublicKey, error)
Types ¶
type AEAD ¶
// AEAD wraps an authenticated-encryption (AEAD) cipher. Registry.KeyCipher
// returns one and NewAEAD builds it from a configuration.Provider; its fields
// are unexported, so it can only be constructed via NewAEAD.
type AEAD struct {
	// contains filtered or unexported fields
}
func NewAEAD ¶
func NewAEAD(c configuration.Provider) *AEAD
type Configuration ¶
// Configuration is the configuration surface this package depends on; any
// configuration.Provider satisfies it.
type Configuration interface {
	configuration.Provider
}
type ECDSA256Generator ¶
// ECDSA256Generator implements KeyGenerator for asymmetric ECDSA keys
// (presumably the P-256 / ES256 curve — confirm in Generate). It holds no
// state, so the zero value is ready to use.
type ECDSA256Generator struct{}
func (*ECDSA256Generator) Generate ¶
func (g *ECDSA256Generator) Generate(id, use string) (*jose.JSONWebKeySet, error)
type ECDSA512Generator ¶
// ECDSA512Generator implements KeyGenerator for asymmetric ECDSA keys
// (presumably the P-521 / ES512 curve — confirm in Generate). It holds no
// state, so the zero value is ready to use.
type ECDSA512Generator struct{}
func (*ECDSA512Generator) Generate ¶
func (g *ECDSA512Generator) Generate(id, use string) (*jose.JSONWebKeySet, error)
type HS256Generator ¶
// HS256Generator implements KeyGenerator for symmetric HS256 keys. It holds
// no state, so the zero value is ready to use.
type HS256Generator struct{}
func (*HS256Generator) Generate ¶
func (g *HS256Generator) Generate(id, use string) (*jose.JSONWebKeySet, error)
type HS512Generator ¶
// HS512Generator implements KeyGenerator for symmetric HS512 keys. It holds
// no state, so the zero value is ready to use.
type HS512Generator struct{}
func (*HS512Generator) Generate ¶
func (g *HS512Generator) Generate(id, use string) (*jose.JSONWebKeySet, error)
type Handler ¶
// Handler serves the JSON Web Key admin API under KeyHandlerPath and the
// public discovery endpoint at WellKnownKeysPath. Construct it with
// NewHandler and register its routes with SetRoutes, which takes the admin
// and public routers separately.
type Handler struct {
	// contains filtered or unexported fields
}
func NewHandler ¶
func NewHandler(r InternalRegistry, c Configuration) *Handler
func (*Handler) Create ¶
func (h *Handler) Create(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
swagger:route POST /keys/{set} admin createJsonWebKeySet
Generate a new JSON Web Key ¶
This endpoint is capable of generating JSON Web Key Sets for you. There are different strategies available, such as symmetric cryptographic keys (HS256, HS512) and asymmetric cryptographic keys (RS256, ECDSA). If the specified JSON Web Key Set does not exist, it will be created.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
Consumes:
- application/json

Produces:
- application/json

Schemes: http, https

Responses:
201: JSONWebKeySet
401: genericError
403: genericError
500: genericError
func (*Handler) DeleteKey ¶
func (h *Handler) DeleteKey(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
swagger:route DELETE /keys/{set}/{kid} admin deleteJsonWebKey
Delete a JSON Web Key ¶
Use this endpoint to delete a single JSON Web Key.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
Consumes:
- application/json

Produces:
- application/json

Schemes: http, https

Responses:
204: emptyResponse
401: genericError
403: genericError
500: genericError
func (*Handler) DeleteKeySet ¶
func (h *Handler) DeleteKeySet(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
swagger:route DELETE /keys/{set} admin deleteJsonWebKeySet
Delete a JSON Web Key Set ¶
Use this endpoint to delete a complete JSON Web Key Set and all the keys in that set.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
Consumes:
- application/json

Produces:
- application/json

Schemes: http, https

Responses:
204: emptyResponse
401: genericError
403: genericError
500: genericError
func (*Handler) GetKey ¶
func (h *Handler) GetKey(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
swagger:route GET /keys/{set}/{kid} admin getJsonWebKey
Fetch a JSON Web Key ¶
This endpoint returns a singular JSON Web Key, identified by the set and the specific key ID (kid).
Consumes:
- application/json

Produces:
- application/json

Schemes: http, https

Responses:
200: JSONWebKeySet
404: genericError
500: genericError
func (*Handler) GetKeySet ¶
func (h *Handler) GetKeySet(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
swagger:route GET /keys/{set} admin getJsonWebKeySet
Retrieve a JSON Web Key Set ¶
This endpoint can be used to retrieve JWK Sets stored in ORY Hydra.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
Consumes:
- application/json

Produces:
- application/json

Schemes: http, https

Responses:
200: JSONWebKeySet
401: genericError
403: genericError
500: genericError
func (*Handler) SetRoutes ¶
func (h *Handler) SetRoutes(admin *x.RouterAdmin, public *x.RouterPublic, corsMiddleware func(http.Handler) http.Handler)
func (*Handler) UpdateKey ¶
func (h *Handler) UpdateKey(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
swagger:route PUT /keys/{set}/{kid} admin updateJsonWebKey
Update a JSON Web Key ¶
Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
Consumes:
- application/json

Produces:
- application/json

Schemes: http, https

Responses:
200: JSONWebKey
401: genericError
403: genericError
500: genericError
func (*Handler) UpdateKeySet ¶
func (h *Handler) UpdateKeySet(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
swagger:route PUT /keys/{set} admin updateJsonWebKeySet
Update a JSON Web Key Set ¶
Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
Consumes:
- application/json

Produces:
- application/json

Schemes: http, https

Responses:
200: JSONWebKeySet
401: genericError
403: genericError
500: genericError
func (*Handler) WellKnown ¶
func (h *Handler) WellKnown(w http.ResponseWriter, r *http.Request)
swagger:route GET /.well-known/jwks.json public wellKnown
JSON Web Keys Discovery ¶
This endpoint returns JSON Web Keys to be used as public keys for verifying OpenID Connect ID Tokens and, if enabled, OAuth 2.0 JWT Access Tokens. This endpoint can be used with client libraries like [node-jwks-rsa](https://github.com/auth0/node-jwks-rsa) among others.
Consumes:
- application/json

Produces:
- application/json

Schemes: http, https

Responses:
200: JSONWebKeySet
500: genericError
type InternalRegistry ¶
// InternalRegistry extends Registry with the x.RegistryWriter and
// x.RegistryLogger dependencies that NewHandler, NewRS256JWTStrategy,
// NewSQLManager and the keypair helpers take.
type InternalRegistry interface {
	x.RegistryWriter
	x.RegistryLogger
	Registry
}
type JWTStrategy ¶
type KeyGenerator ¶
// KeyGenerator creates a fresh JSON Web Key Set for a key id and intended
// use. The HS*, RS256 and ECDSA* generators implement it, and
// Registry.KeyGenerators exposes the configured instances by name.
type KeyGenerator interface {
	// Generate returns a new key set whose key(s) carry id as kid and use
	// as the "use" parameter (presumably "sig" or "enc" as in RFC 7517;
	// whether the value is validated is not visible here).
	Generate(id, use string) (*jose.JSONWebKeySet, error)
}
type Manager ¶
// Manager is the persistence interface for JSON Web Key Sets, addressed by
// set name and key id (kid). MemoryManager and SQLManager implement it and
// Registry.KeyManager returns the active one.
type Manager interface {
	AddKey(ctx context.Context, set string, key *jose.JSONWebKey) error
	AddKeySet(ctx context.Context, set string, keys *jose.JSONWebKeySet) error
	// GetKey is addressed by a single kid but returns a key set, not a
	// single key; callers typically unwrap it with First.
	GetKey(ctx context.Context, set, kid string) (*jose.JSONWebKeySet, error)
	GetKeySet(ctx context.Context, set string) (*jose.JSONWebKeySet, error)
	DeleteKey(ctx context.Context, set, kid string) error
	DeleteKeySet(ctx context.Context, set string) error
}
type MemoryManager ¶
// MemoryManager is an in-memory Manager backed by a map from set name to
// key set. It embeds a sync.RWMutex, so it must not be copied after first
// use: every method has a pointer receiver and NewMemoryManager returns a
// pointer. Keys is exported, so code that reads or writes it directly must
// hold the embedded lock itself.
type MemoryManager struct {
	Keys map[string]*jose.JSONWebKeySet
	sync.RWMutex
}
func NewMemoryManager ¶
func NewMemoryManager() *MemoryManager
func (*MemoryManager) AddKey ¶
func (m *MemoryManager) AddKey(ctx context.Context, set string, key *jose.JSONWebKey) error
func (*MemoryManager) AddKeySet ¶
func (m *MemoryManager) AddKeySet(ctx context.Context, set string, keys *jose.JSONWebKeySet) error
func (*MemoryManager) DeleteKey ¶
func (m *MemoryManager) DeleteKey(ctx context.Context, set, kid string) error
func (*MemoryManager) DeleteKeySet ¶
func (m *MemoryManager) DeleteKeySet(ctx context.Context, set string) error
func (*MemoryManager) GetKey ¶
func (m *MemoryManager) GetKey(ctx context.Context, set, kid string) (*jose.JSONWebKeySet, error)
func (*MemoryManager) GetKeySet ¶
func (m *MemoryManager) GetKeySet(ctx context.Context, set string) (*jose.JSONWebKeySet, error)
type RS256Generator ¶
// RS256Generator implements KeyGenerator for asymmetric RSA keys used with
// RS256.
type RS256Generator struct {
	// KeyLength is presumably the RSA key size in bits requested from
	// Generate. NOTE(review): how the zero value is handled (default size
	// or error) is not visible here — confirm before leaving it unset.
	KeyLength int
}
func (*RS256Generator) Generate ¶
func (g *RS256Generator) Generate(id, use string) (*jose.JSONWebKeySet, error)
type RS256JWTStrategy ¶
// RS256JWTStrategy produces and validates RS256-signed JWTs on top of
// jwt.RS256JWTStrategy; it is constructed from an InternalRegistry by
// NewRS256JWTStrategy. The embedded sync.RWMutex guards its unexported
// state, so always use it by pointer and never copy it.
type RS256JWTStrategy struct {
	sync.RWMutex
	RS256JWTStrategy *jwt.RS256JWTStrategy
	// contains filtered or unexported fields
}
func NewRS256JWTStrategy ¶
func NewRS256JWTStrategy(r InternalRegistry, rs func() string) (*RS256JWTStrategy, error)
func (*RS256JWTStrategy) GetPublicKeyID ¶
func (j *RS256JWTStrategy) GetPublicKeyID(ctx context.Context) (string, error)
func (*RS256JWTStrategy) GetSignature ¶
func (*RS256JWTStrategy) GetSigningMethodLength ¶
func (j *RS256JWTStrategy) GetSigningMethodLength() int
GetSigningMethodLength returns the length of the signing method.
type Registry ¶
// Registry exposes the dependencies of the jwk package: the active key
// Manager, the configured KeyGenerators keyed by name (presumably the
// algorithm name, e.g. "RS256" — confirm at the registry implementation),
// and the AEAD cipher returned by KeyCipher.
type Registry interface {
	KeyManager() Manager
	KeyGenerators() map[string]KeyGenerator
	KeyCipher() *AEAD
}
type SQLManager ¶
// SQLManager is a Manager persisted in a SQL database through sqlx; build
// it with NewSQLManager. CreateSchemas and PlanMigration apply and inspect
// the driver-specific entries of Migrations. Both fields are exported: DB
// is the connection pool and R supplies the registry services (including
// logging) the manager needs.
type SQLManager struct {
	DB *sqlx.DB
	R  InternalRegistry
}
func NewSQLManager ¶
func NewSQLManager(db *sqlx.DB, r InternalRegistry) *SQLManager
func (*SQLManager) AddKey ¶
func (m *SQLManager) AddKey(ctx context.Context, set string, key *jose.JSONWebKey) error
func (*SQLManager) AddKeySet ¶
func (m *SQLManager) AddKeySet(ctx context.Context, set string, keys *jose.JSONWebKeySet) error
func (*SQLManager) CreateSchemas ¶
func (m *SQLManager) CreateSchemas(dbName string) (int, error)
func (*SQLManager) DeleteKey ¶
func (m *SQLManager) DeleteKey(ctx context.Context, set, kid string) error
func (*SQLManager) DeleteKeySet ¶
func (m *SQLManager) DeleteKeySet(ctx context.Context, set string) error
func (*SQLManager) GetKey ¶
func (m *SQLManager) GetKey(ctx context.Context, set, kid string) (*jose.JSONWebKeySet, error)
func (*SQLManager) GetKeySet ¶
func (m *SQLManager) GetKeySet(ctx context.Context, set string) (*jose.JSONWebKeySet, error)
func (*SQLManager) PlanMigration ¶
func (m *SQLManager) PlanMigration(dbName string) ([]*migrate.PlannedMigration, error)