Types ¶
type Keys ¶
// Keys is the set of keys a signer currently works with: the active signing
// key pair, the rotated keys that may still verify older signatures, and the
// time at which the next rotation is due.
type Keys struct {
	// Key for creating and verifying signatures. These may be nil.
	//
	// SigningKey is the private half used to produce signatures; SigningKeyPub
	// is the public half. NOTE(review): only SigningKeyPub should ever be
	// published in the JWKS returned by PublicKeys — confirm against the
	// signer implementation.
	SigningKey    *jose.JSONWebKey
	SigningKeyPub *jose.JSONWebKey

	// Old signing keys which have been rotated but can still be used to validate
	// existing signatures.
	VerificationKeys []VerificationKey

	// The next time the signing key will rotate.
	//
	// For caching purposes, implementations MUST NOT update keys before this time.
	NextRotation time.Time
}
Keys holds the signing key pair and the rotated verification keys.
type RotatingSigner ¶
type RotatingSigner struct {
// contains filtered or unexported fields
}
RotatingSigner is an OIDC signer that automatically rotates its signing keys.
func NewRotating ¶
func NewRotating(l logrus.FieldLogger, storage storage.Storage, strategy RotationStrategy) *RotatingSigner
func (*RotatingSigner) PublicKeys ¶
func (r *RotatingSigner) PublicKeys(ctx context.Context) (*jose.JSONWebKeySet, error)
PublicKeys returns a key set containing every signer public key that is currently considered valid for verifying signed tokens.
func (*RotatingSigner) SignerAlg ¶
func (r *RotatingSigner) SignerAlg(ctx context.Context) (jose.SignatureAlgorithm, error)
SignerAlg returns the signature algorithm the signer uses.
func (*RotatingSigner) Start ¶
func (r *RotatingSigner) Start(ctx context.Context) error
Start begins key rotation in a new goroutine, closing once the context is canceled.
The method blocks until the first attempt to rotate keys has completed, so that with a healthy storage backend the call returns with valid keys already in place.
func (*RotatingSigner) VerifySignature ¶
func (r *RotatingSigner) VerifySignature(ctx context.Context, jwt string) (payload []byte, err error)
VerifySignature verifies the signature of the given token against the current verification keys and returns the token's payload.
type RotationStrategy ¶
type RotationStrategy struct {
// contains filtered or unexported fields
}
RotationStrategy describes how cryptographic keys are generated, how often they are rotated, and for how long a rotated key may still validate signatures.
func DefaultRotationStrategy ¶
func DefaultRotationStrategy(rotationFrequency, idTokenValidFor time.Duration) RotationStrategy
DefaultRotationStrategy returns a strategy that rotates keys at the given frequency and keeps the public parts of rotated keys for the specified amount of time.
func StaticRotationStrategy ¶
func StaticRotationStrategy(key *rsa.PrivateKey) RotationStrategy
StaticRotationStrategy returns a strategy which never rotates keys.
type StaticSigner ¶
type StaticSigner struct {
// contains filtered or unexported fields
}
StaticSigner uses a fixed set of keys for signing and verification.
func NewStatic ¶
func NewStatic(signingKey jose.SigningKey, verificationKeys []jose.JSONWebKey) *StaticSigner
NewStatic returns a StaticSigner that uses the provided signing key and verification keys.
func (*StaticSigner) PublicKeys ¶
func (s *StaticSigner) PublicKeys(_ context.Context) (*jose.JSONWebKeySet, error)
PublicKeys returns a key set containing every signer public key that is currently considered valid for verifying signed tokens.
func (*StaticSigner) SignerAlg ¶
func (s *StaticSigner) SignerAlg(_ context.Context) (jose.SignatureAlgorithm, error)
SignerAlg returns the signature algorithm the signer uses.
func (*StaticSigner) VerifySignature ¶
VerifySignature verifies the signature of the given token against the current verification keys and returns the token's payload.
type VerificationKey ¶
// VerificationKey is a rotated signing key which can still be used to verify
// signatures. Only the public half is retained; the key stays usable for
// verification until Expiry.
type VerificationKey struct {
	// PublicKey is the public half of a previously active signing key.
	PublicKey *jose.JSONWebKey `json:"publicKey"`
	// Expiry is the time after which this key should no longer be accepted
	// for verification (the retention period comes from the RotationStrategy).
	Expiry time.Time `json:"expiry"`
}
VerificationKey is a rotated signing key which can still be used to verify signatures.