Documentation ¶
Index ¶
- type Claims
- type TokenManager
- func New(keys map[string]string, audience, issuer string) (tm *TokenManager, err error)
- func (tm *TokenManager) CreateAccessToken(claims *Claims) (_ *jwt.Token, err error)
- func (tm *TokenManager) CreateRefreshToken(accessToken *jwt.Token) (refreshToken *jwt.Token, err error)
- func (tm *TokenManager) CurrentKey() ulid.ULID
- func (tm *TokenManager) Keys() map[ulid.ULID]*rsa.PublicKey
- func (tm *TokenManager) Parse(tks string) (claims *Claims, err error)
- func (tm *TokenManager) Sign(token *jwt.Token) (tks string, err error)
- func (tm *TokenManager) Verify(tks string) (claims *Claims, err error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Claims ¶
type Claims struct {
	jwt.RegisteredClaims
	Name        string   `json:"name,omitempty"`
	Email       string   `json:"email,omitempty"`
	OrgID       string   `json:"org,omitempty"`
	ProjectID   string   `json:"project,omitempty"`
	Permissions []string `json:"permissions,omitempty"`
}
Claims implements custom claims for the Quarterdeck application.
type TokenManager ¶
type TokenManager struct {
// contains filtered or unexported fields
}
TokenManager handles the creation and verification of RSA-signed JWT tokens. To facilitate signing key rollover, TokenManager can accept multiple keys, each identified by a ULID. Tokens generated by a token manager carry a kid header naming the key that signed them, so the token manager can verify the signature with the specified key. To sign tokens the token manager always uses the latest private key by ULID.
When the TokenManager creates tokens it uses the JWT standard claims as well as extended claims based on OAuth credentials. The standard claims included are exp, nbf, aud, and sub. The iss claim is optional and would duplicate aud, so it is omitted. On token verification, the exp, nbf, and aud claims are validated. TODO: Create an automatic key rotation mechanism rather than loading keys.
func New ¶
func New(keys map[string]string, audience, issuer string) (tm *TokenManager, err error)
New creates a TokenManager from the specified keys, a mapping of ULID strings to paths of files that contain PEM-encoded RSA private keys. This input is specifically designed for the config environment variable so that keys can be loaded from k8s or vault secrets that are mounted as files on disk.
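Loading keys in the shape New takes, as an added example that is not the package's own code: each configured path is read, its PEM block decoded, and only RSA private keys (PKCS#1 "RSA PRIVATE KEY" or PKCS#8 "PRIVATE KEY" blocks) are accepted, with ids checked to be 26-character ULID strings. The LoadKeys, ParseRSAPrivateKeyPEM and validKeyID names, the uppercase-only ULID check and the temp-file main are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// LoadKeys takes the same input shape as the page's New: a map of key id to
// the path of a PEM file holding an RSA private key. It returns the parsed
// keys by id and fails closed on the first bad id, unreadable file or key.
func LoadKeys(paths map[string]string) (map[string]*rsa.PrivateKey, error) {
	if len(paths) == 0 {
		return nil, errors.New("no signing keys configured")
	}
	keys := make(map[string]*rsa.PrivateKey, len(paths))
	for id, path := range paths {
		if !validKeyID(id) {
			return nil, fmt.Errorf("key %q: id must be a 26 character ULID", id)
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return nil, fmt.Errorf("key %q: %w", id, err)
		}
		key, err := ParseRSAPrivateKeyPEM(data)
		if err != nil {
			return nil, fmt.Errorf("key %q: %w", id, err)
		}
		keys[id] = key
	}
	return keys, nil
}

// validKeyID checks the ULID text form: 26 Crockford base32 characters (no
// I, L, O or U) with a first character of 0-7 so the 48-bit timestamp fits.
// This example accepts uppercase only (an assumption, not a ULID rule).
func validKeyID(id string) bool {
	if len(id) != 26 || id[0] > '7' {
		return false
	}
	for _, c := range id {
		if !strings.ContainsRune("0123456789ABCDEFGHJKMNPQRSTVWXYZ", c) {
			return false
		}
	}
	return true
}

// ParseRSAPrivateKeyPEM decodes the first PEM block and rejects anything that
// is not an RSA private key, for example an EC key in a PKCS#8 envelope.
func ParseRSAPrivateKeyPEM(data []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rsaKey, ok := key.(*rsa.PrivateKey)
		if !ok {
			return nil, fmt.Errorf("PKCS#8 key is %T, not RSA", key)
		}
		return rsaKey, nil
	default:
		return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
	}
}

// main writes a freshly generated key to a temp file and loads it back under
// a constructed ULID-like id, the way a mounted secret would be consumed.
func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	dir, _ := os.MkdirTemp("", "keys")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "current.pem")
	der := x509.MarshalPKCS1PrivateKey(key)
	_ = os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der}), 0o600)
	keys, err := LoadKeys(map[string]string{"01HBBBBBBBBBBBBBBBBBBBBBBB": path})
	fmt.Println("loaded keys:", len(keys), "error:", err)
}
```

Failing closed matters here: a TokenManager that silently skipped a malformed entry would still start, but with a smaller key set than the operator configured, and tokens signed under the missing kid would be rejected in production rather than at deploy time.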
func (*TokenManager) CreateAccessToken ¶
func (tm *TokenManager) CreateAccessToken(claims *Claims) (_ *jwt.Token, err error)
CreateAccessToken creates an access token from the credential payload, or from a previous token if the access token is being reauthorized from previous credentials. Note that the returned token only contains the claims and is unsigned.
func (*TokenManager) CreateRefreshToken ¶
func (tm *TokenManager) CreateRefreshToken(accessToken *jwt.Token) (refreshToken *jwt.Token, err error)
CreateRefreshToken creates a refresh token from the access token's claims with a predefined expiration. Note that the returned token only contains the claims and is unsigned.
func (*TokenManager) CurrentKey ¶
func (tm *TokenManager) CurrentKey() ulid.ULID
CurrentKey returns the ulid of the current key being used to sign tokens.
func (*TokenManager) Keys ¶
func (tm *TokenManager) Keys() map[ulid.ULID]*rsa.PublicKey
Keys returns the map of ulid to public key for use externally.
func (*TokenManager) Parse ¶
func (tm *TokenManager) Parse(tks string) (claims *Claims, err error)
Parse an access or refresh token, verifying its signature but not its claims. This ensures that validly signed JWT tokens are still accepted while claims can be handled on a case-by-case basis, for example by accepting an expired access token during reauthentication.
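The kid-based key rollover described in the TokenManager overview and the Parse versus Verify split described here, as one added example built on the Go standard library only (it is not the Quarterdeck package's own code): several RSA keys are held by id, Sign always uses the greatest id, Parse selects the verification key from the token's kid with the algorithm pinned server-side, and Verify adds the exp, nbf and aud checks. The KeyRing, Sign, Parse, Verify and CurrentKey names, the cut-down Claims struct, the explicit time passed to Verify and the treatment of ids as plain strings that sort by creation time (as ULID text does, rather than a ULID type) are this example's assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is a cut-down stand-in for the page's Claims type: only the registered claims Verify checks.
type Claims struct {
	Subject   string `json:"sub"`
	Audience  string `json:"aud,omitempty"`
	ExpiresAt int64  `json:"exp,omitempty"`
	NotBefore int64  `json:"nbf,omitempty"`
}

// KeyRing holds at least one RSA private key by id; ids are assumed to sort by creation time (as ULIDs do).
type KeyRing struct {
	Keys     map[string]*rsa.PrivateKey
	Audience string
}

// CurrentKey returns the greatest (newest) key id; Sign always uses this key.
func (kr *KeyRing) CurrentKey() (latest string) {
	for id := range kr.Keys {
		if id > latest {
			latest = id
		}
	}
	return latest
}

// Sign produces an RS256 compact JWS whose header names the signing key via kid.
func (kr *KeyRing) Sign(claims *Claims) (string, error) {
	kid, enc := kr.CurrentKey(), base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, kr.Keys[kid], crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// Parse verifies the signature via kid but leaves the claims unchecked, so an expired token still parses.
func (kr *KeyRing) Parse(tks string) (*Claims, error) {
	parts := strings.Split(tks, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, errors.New("malformed token")
		}
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" { // alg is pinned, never taken from the token
		return nil, errors.New("bad header or unexpected alg")
	}
	key, ok := kr.Keys[hdr.Kid] // kid only selects among keys the server loaded
	if !ok {
		return nil, errors.New("unknown kid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("invalid signature")
	}
	claims := new(Claims)
	if err := json.Unmarshal(raw[1], claims); err != nil {
		return nil, errors.New("malformed claims")
	}
	return claims, nil
}

// Verify is Parse plus the exp, nbf and aud checks the page lists, evaluated at now.
func (kr *KeyRing) Verify(tks string, now time.Time) (*Claims, error) {
	claims, err := kr.Parse(tks)
	switch {
	case err != nil:
		return nil, err
	case claims.ExpiresAt != 0 && !now.Before(time.Unix(claims.ExpiresAt, 0)):
		return nil, errors.New("token expired")
	case claims.NotBefore != 0 && now.Before(time.Unix(claims.NotBefore, 0)):
		return nil, errors.New("token not yet valid")
	case claims.Audience != kr.Audience:
		return nil, errors.New("audience mismatch")
	}
	return claims, nil
}
```

Two properties of this shape are worth checking in any rollover design: the kid header is an index into keys the server already trusts, never a location or key material supplied by the client, and the algorithm is fixed by the verifier rather than read from the token. Rollover then means adding the new key (tokens signed under the old kid keep verifying) and, once their lifetime has passed, removing the old key, at which point its tokens fail with an unknown kid rather than being accepted.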