Documentation
Index
- Constants
- Variables
- func ContextToken(ctx context.Context) string
- func LoadKey(material []byte) interface{}
- func NewToken(key interface{}, claims Claims) (string, error)
- func TestToken(keyvals ...interface{}) string
- func WithClaims(ctx context.Context, claims Claims) context.Context
- func WithToken(ctx context.Context, token string) context.Context
- type Claims
- func (c Claims) Bool(name string) bool
- func (c Claims) ExpiresAt() time.Time
- func (c Claims) Int(name string) int64
- func (c Claims) IssuedAt() time.Time
- func (c Claims) Issuer() string
- func (c Claims) NotBefore() time.Time
- func (c Claims) String(name string) string
- func (c Claims) Strings(name string) []string
- func (c Claims) Subject() string
- func (c Claims) Time(name string) time.Time
- type Keystore
- type NamedKeystore
- type SimpleKeystore
Constants
    const TestKey = "https://github.com/rightscale/jwtauth#test"
TestKey is a static HMAC key used to sign and verify test JWTs.
Variables
var ScopesClaim = "scopes"
ScopesClaim is a Private Claim Name, as stipulated in RFC 7519 Section 4.3, that jwtauth uses to store scope information in tokens. If you need to interoperate with third parties with respect to token scope, it may be advisable to change this to a Collision-Resistant Claim Name instead.
Functions
func ContextToken
    func ContextToken(ctx context.Context) string
ContextToken retrieves the actual JWT associated with the request.
func LoadKey
    func LoadKey(material []byte) interface{}
LoadKey is a helper function that transforms raw key material into a properly-typed key.
LoadKey returns a different type depending on the value of material:
If material is a []byte that contains a PEM-encoded PKIX key (e.g. "BEGIN PUBLIC KEY"), LoadKey parses it and returns a single public or private key of an algorithm-specific type.
If material is any other []byte, LoadKey returns it unmodified so that it can be used as an HMAC key.
Because LoadKey is designed to be used at startup, it panics if the PEM block is malformed.
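The following is an added example, not the jwtauth package's own code: a hypothetical loadKey that follows the three rules above (PEM public or private key is parsed into its algorithm-specific type, anything else is returned as HMAC key material, malformed PEM panics). The helper names loadKey, keyKind, examplePublicKeyPEM and loadKeyPanics are this example's own, and the key it generates is throwaway test input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// loadKey is a hypothetical re-implementation of the LoadKey behaviour
// described above (added example, not the jwtauth package's own code).
// A PEM block is parsed into an algorithm-specific key; anything that is not
// PEM is returned untouched so it can serve as an HMAC secret.
func loadKey(material []byte) interface{} {
	block, _ := pem.Decode(material)
	if block == nil {
		return material // raw HMAC key material
	}
	// LoadKey is a startup helper, so a malformed PEM block is a deployment
	// error: panic rather than silently falling back to HMAC with the PEM
	// text itself as the secret.
	switch block.Type {
	case "PUBLIC KEY":
		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			panic(fmt.Sprintf("loadKey: malformed PKIX public key: %v", err))
		}
		return pub
	case "PRIVATE KEY":
		priv, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			panic(fmt.Sprintf("loadKey: malformed PKCS#8 private key: %v", err))
		}
		return priv
	default:
		panic(fmt.Sprintf("loadKey: unsupported PEM block type %q", block.Type))
	}
}

// keyKind names the concrete type loadKey produced; handy for a startup log
// line and for the assertions below.
func keyKind(key interface{}) string {
	switch key.(type) {
	case []byte:
		return "hmac"
	case *ecdsa.PublicKey:
		return "ecdsa-public"
	case *ecdsa.PrivateKey:
		return "ecdsa-private"
	case *rsa.PublicKey:
		return "rsa-public"
	default:
		return fmt.Sprintf("%T", key)
	}
}

// examplePublicKeyPEM builds a throwaway P-256 key pair and PEM-encodes the
// public half (constructed test input, not a real deployment key).
func examplePublicKeyPEM() []byte {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

// loadKeyPanics reports whether loadKey rejects the material, which is the
// documented outcome for a malformed PEM block.
func loadKeyPanics(material []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	loadKey(material)
	return false
}

func main() {
	fmt.Println(keyKind(loadKey([]byte("shared-secret"))))    // hmac
	fmt.Println(keyKind(loadKey(examplePublicKeyPEM())))      // ecdsa-public
	malformed := []byte("-----BEGIN PUBLIC KEY-----\nAAAA\n-----END PUBLIC KEY-----\n")
	fmt.Println(loadKeyPanics(malformed)) // true
}
```

The panic-on-malformed-PEM rule matters more than it looks: without it, a mistyped key file would quietly be accepted as an HMAC secret whose value is the PEM text, and HS tokens signed with that text would verify.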
func NewToken
    func NewToken(key interface{}, claims Claims) (string, error)
NewToken creates a JWT with the specified claims and signs it using the specified issuer key.
This method assumes that odd-numbered keyvals are always strings (claim names) and panics otherwise.
Example token identifying Bob, issued by Alice, and good for one hour:
    exp := time.Now().Add(time.Hour)
    claims := jwtauth.NewClaims("iss", "alice", "sub", "bob", "exp", exp)
    tok, err := jwtauth.NewToken(alicesKey, claims)
Example token that contains authorization scopes, which the default authorization function will test against goa's RequiredScopes:
    scopes := []string{"read", "write"}
    claims := jwtauth.NewClaims("iss", "alice", "exp", exp, jwtauth.ScopesClaim, scopes)
In order for recipients to verify the example tokens above, their keystore must associate the "alice" issuer with alicesKey -- which can be either a []byte (for HMAC tokens) or a crypto.PrivateKey (for public-key tokens).
There is no standard claim name for authorization scopes, so jwtauth uses the least-surprising name, "scopes."
func TestToken
    func TestToken(keyvals ...interface{}) string
TestToken creates a JWT with the specified claims and signs it using TestKey.
func WithClaims
    func WithClaims(ctx context.Context, claims Claims) context.Context
WithClaims creates a child context containing the given JWT claims.
Types
type Claims
type Claims map[string]interface{}
Claims is a collection of claims extracted from a JWT.
func ContextClaims
ContextClaims retrieves the JWT claims associated with the request.
func NewClaims
    func NewClaims(keyvals ...interface{}) Claims
NewClaims builds a map of claims using alternating keys and values from the variadic parameters. It is sugar designed to make new-token creation code more readable. Example:
    claims := jwtauth.NewClaims("iss", "alice", "sub", "bob", "scopes", []string{"read", "write"})
If any odd-numbered key is not a string, this function will panic!
func (Claims) Bool
    func (c Claims) Bool(name string) bool
Bool returns the named claim as a boolean, converting from other types as necessary. If the claim is absent or cannot be converted to a boolean, Bool returns false.
func (Claims) Int
    func (c Claims) Int(name string) int64
Int returns the named claim as an integer, converting from other types as necessary. If the claim is absent or cannot be converted to an integer, Int returns 0.
func (Claims) Issuer
    func (c Claims) Issuer() string
Issuer returns the value of the standard JWT "iss" claim, converting to string if necessary.
func (Claims) String
    func (c Claims) String(name string) string
String returns the named claim as a string, converting from other types using fmt.Stringer if supported, or fmt.Sprint() otherwise. If the claim is absent, String returns "".
func (Claims) Strings
    func (c Claims) Strings(name string) []string
Strings returns the named claim as a list of strings, following the same conversion rules as String(). If the claim is absent, Strings returns nil.
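The accessors above exist because a decoded token never contains the Go types a token was built with. The following is an added example, not the package's own code: a hypothetical Claims type whose Bool, Int, String and Strings follow the documented rules, run over a constructed payload. The exact set of conversions each accessor accepts (for example, non-zero numbers as true) is this example's assumption, as is treating a non-list value as absent in Strings.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// Claims is a hypothetical re-implementation of the map type described above
// (added example, not the package's own code). Its accessors exist because a
// JSON decoder never hands back int64 or []string: numbers arrive as float64
// and arrays as []interface{}, so a claim set with an int64 "exp" round-trips
// to a different Go type than it was created with.
type Claims map[string]interface{}

// Int converts the claim to int64; absent or unconvertible values yield 0.
func (c Claims) Int(name string) int64 {
	switch v := c[name].(type) {
	case int64:
		return v
	case int:
		return int64(v)
	case float64:
		return int64(v) // what encoding/json produces for "exp": 1700000000
	case json.Number:
		n, err := v.Int64()
		if err != nil {
			return 0
		}
		return n
	case string:
		n, err := strconv.ParseInt(v, 10, 64)
		if err != nil {
			return 0
		}
		return n
	}
	return 0
}

// Bool accepts real booleans, "true"/"false" strings and non-zero numbers
// (which conversions to accept is this example's assumption).
func (c Claims) Bool(name string) bool {
	switch v := c[name].(type) {
	case bool:
		return v
	case string:
		b, err := strconv.ParseBool(v)
		return err == nil && b
	case float64:
		return v != 0
	}
	return false
}

// String uses fmt.Stringer when the value implements it and fmt.Sprint
// otherwise; absent claims yield "".
func (c Claims) String(name string) string {
	v, ok := c[name]
	if !ok || v == nil {
		return ""
	}
	if s, ok := v.(fmt.Stringer); ok {
		return s.String()
	}
	return fmt.Sprint(v)
}

// Strings applies String's rules element-wise. The []interface{} case is the
// one a decoded token actually hits; a non-list value is treated as absent
// (an assumption of this example, not documented package behaviour).
func (c Claims) Strings(name string) []string {
	switch v := c[name].(type) {
	case []string:
		return v
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, e := range v {
			out = append(out, fmt.Sprint(e))
		}
		return out
	}
	return nil
}

// ParseClaims decodes a JWT payload into Claims. Signature verification is
// out of scope here and happens before any of these values are trusted.
func ParseClaims(payload []byte) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	return c, nil
}

// samplePayload is a constructed, already-decoded JWT body.
const samplePayload = `{"iss":"alice","sub":"bob","exp":1700000000,"admin":"true","scopes":["read","write"]}`

func main() {
	c, err := ParseClaims([]byte(samplePayload))
	if err != nil {
		panic(err)
	}
	fmt.Println(c.Int("exp"), c.Bool("admin"), c.Strings("scopes"), c.String("exp"))
}
```

One consequence worth knowing: fmt.Sprint of a float64 uses %g, so String("exp") on a decoded numeric claim yields "1.7e+09", not "1700000000". Use Int (or the typed ExpiresAt-style helpers) for numeric claims and reserve String for claims that are actually strings.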
type Keystore
    type Keystore interface {
        // Trust grants trust in an issuer.
        Trust(issuer string, key interface{}) error
        // RevokeTrust revokes trust in an issuer.
        RevokeTrust(issuer string)
        // Get returns the key associated with the named issuer.
        Get(issuer string) interface{}
    }
Keystore interface
When the middleware receives a request containing a JWT, it extracts the "iss" (Issuer) claim from the JWT body and gets a correspondingly-named key from the keystore, which it uses to verify the JWT's integrity.
type NamedKeystore
NamedKeystore is a concurrency-safe, in-memory Keystore implementation that allows trust to be granted/revoked from issuers at any time.
All methods are safe to call on the zero value of this type; fields are initialized as needed.
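The following is an added example, not the jwtauth package's own code, that ties together the NewToken examples above, the Keystore interface, and the issuer-lookup flow the middleware is described as performing. It defines a hypothetical map-backed NamedKeystore (RWMutex-guarded, usable as a zero value), an HS256-only NewToken, and a Verify that reads "iss" from the still-untrusted payload, fetches that issuer's key, and only then checks the signature and "exp". The alg pin, the HMAC-only restriction and the Unix-timestamp "exp" are this example's simplifications.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"sync"
	"time"
)

// Keystore repeats the documented interface so this example compiles on its own.
type Keystore interface {
	Trust(issuer string, key interface{}) error
	RevokeTrust(issuer string)
	Get(issuer string) interface{}
}

// NamedKeystore is a hypothetical map-backed Keystore. The RWMutex lets trust
// be granted or revoked while requests are being verified; the zero value
// works because the map is allocated on first Trust and nil maps tolerate
// lookup and delete.
type NamedKeystore struct {
	mu   sync.RWMutex
	keys map[string]interface{}
}

func (nk *NamedKeystore) Trust(issuer string, key interface{}) error {
	nk.mu.Lock()
	defer nk.mu.Unlock()
	if nk.keys == nil {
		nk.keys = map[string]interface{}{}
	}
	nk.keys[issuer] = key // Verify below only accepts []byte (HMAC) keys
	return nil
}

func (nk *NamedKeystore) RevokeTrust(issuer string) {
	nk.mu.Lock()
	defer nk.mu.Unlock()
	delete(nk.keys, issuer)
}

func (nk *NamedKeystore) Get(issuer string) interface{} {
	nk.mu.RLock()
	defer nk.mu.RUnlock()
	return nk.keys[issuer]
}

type Claims map[string]interface{}

var b64 = base64.RawURLEncoding

// NewToken signs claims as an HS256 JWT; "exp" is a Unix timestamp here
// (the NumericDate form RFC 7519 specifies), not a time.Time.
func NewToken(key []byte, claims Claims) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// Verify follows the documented middleware flow: read "iss" from the not yet
// trusted payload, fetch that issuer's key from the keystore, and only then
// check the signature and expiry. The alg is pinned to HS256 so a token
// cannot choose how it is verified.
func Verify(ks Keystore, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or malformed header")
	}
	var claims Claims
	if p, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &claims) != nil {
		return nil, errors.New("malformed claims")
	}
	iss, _ := claims["iss"].(string)
	key, ok := ks.Get(iss).([]byte) // unknown issuer: Get returns nil and the assertion fails
	if !ok {
		return nil, errors.New("untrusted issuer: " + iss)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("missing exp or token expired")
	}
	return claims, nil
}
```

The order inside Verify is the point of the keystore design: the "iss" claim is read before the signature is checked, so it must only ever be used to select which key to verify with, never trusted for anything else until hmac.Equal has passed. RevokeTrust takes effect on the next request because every Verify goes back to the keystore.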
func (*NamedKeystore) Get
    func (nk *NamedKeystore) Get(issuer string) interface{}
Get implements jwtauth.Keystore#Get
func (*NamedKeystore) RevokeTrust
    func (nk *NamedKeystore) RevokeTrust(issuer string)
RevokeTrust implements jwtauth.Keystore#RevokeTrust
func (*NamedKeystore) Trust
    func (nk *NamedKeystore) Trust(issuer string, key interface{}) error
Trust implements jwtauth.Keystore#Trust
Grants trust in an issuer. It accepts any of the following types:
- []byte (for HS tokens)
- *rsa.PublicKey (for RS tokens)
- *ecdsa.PublicKey (for ES tokens)
As a convenience, it converts the following to a related type:
- string becomes []byte
- *rsa.PrivateKey becomes its public key
- *ecdsa.PrivateKey becomes its public key
type SimpleKeystore
    type SimpleKeystore struct {
        Key interface{}
    }
SimpleKeystore is a Keystore that trusts exactly one key regardless of the token's issuer.
Trust() and RevokeTrust() have no effect, although Trust() returns an error if called with a key other than the one-and-only trusted key.
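The following is an added example, not the jwtauth package's own code, covering both the key conversions listed for NamedKeystore.Trust above and the SimpleKeystore semantics just described. normalizeKey, sameKey and exampleECDSAPrivateKey are this example's own helpers; that SimpleKeystore.Trust normalizes the offered key before comparing it is this example's assumption, as is how keys are compared.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
	"reflect"
)

// normalizeKey is a hypothetical re-implementation of the conversions listed
// for NamedKeystore.Trust (added example, not the package's own code):
// strings become []byte, private keys are reduced to their public halves,
// and anything else is rejected so the verifier never holds an unusable key.
func normalizeKey(key interface{}) (interface{}, error) {
	switch k := key.(type) {
	case []byte:
		return k, nil
	case string:
		return []byte(k), nil
	case *rsa.PublicKey, *ecdsa.PublicKey:
		return k, nil
	case *rsa.PrivateKey:
		return &k.PublicKey, nil // a verifier only ever needs the public half
	case *ecdsa.PrivateKey:
		return &k.PublicKey, nil
	}
	return nil, fmt.Errorf("unsupported key type %T", key)
}

// SimpleKeystore trusts one key for every issuer, as documented: Get ignores
// the issuer, RevokeTrust does nothing, and Trust only errors when asked to
// trust a key other than the configured one.
type SimpleKeystore struct {
	Key interface{}
}

func (sk *SimpleKeystore) Get(issuer string) interface{} { return sk.Key }

func (sk *SimpleKeystore) RevokeTrust(issuer string) {}

func (sk *SimpleKeystore) Trust(issuer string, key interface{}) error {
	k, err := normalizeKey(key)
	if err != nil {
		return err
	}
	if !sameKey(sk.Key, k) {
		return errors.New("SimpleKeystore trusts exactly one key")
	}
	return nil
}

// sameKey compares HMAC secrets byte-wise and public keys structurally.
func sameKey(a, b interface{}) bool {
	ab, aok := a.([]byte)
	bb, bok := b.([]byte)
	if aok || bok {
		return aok && bok && bytes.Equal(ab, bb)
	}
	return reflect.DeepEqual(a, b)
}

// exampleECDSAPrivateKey generates a throwaway P-256 key (constructed test
// input, not a real deployment key).
func exampleECDSAPrivateKey() *ecdsa.PrivateKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

func main() {
	sk := &SimpleKeystore{Key: []byte("shared-secret")}
	fmt.Println(sk.Trust("alice", "shared-secret")) // <nil>
	fmt.Println(sk.Trust("bob", "another-secret"))  // SimpleKeystore trusts exactly one key
	pub, _ := normalizeKey(exampleECDSAPrivateKey())
	fmt.Printf("%T\n", pub) // *ecdsa.PublicKey
}
```

Reducing a private key to its public half at Trust time is a least-privilege measure as much as a convenience: the keystore is consulted on every request, and storing only the public key there means a bug in the request path cannot leak signing material.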
func (*SimpleKeystore) Get
    func (sk *SimpleKeystore) Get(issuer string) interface{}
Get implements jwtauth.Keystore#Get
func (*SimpleKeystore) RevokeTrust
    func (sk *SimpleKeystore) RevokeTrust(issuer string)
RevokeTrust implements jwtauth.Keystore#RevokeTrust
func (*SimpleKeystore) Trust
    func (sk *SimpleKeystore) Trust(issuer string, key interface{}) error
Trust implements jwtauth.Keystore#Trust