Documentation ¶
Index ¶
- Constants
- Variables
- func ExpiresAt(tks string) (_ time.Time, err error)
- func NotBefore(tks string) (_ time.Time, err error)
- func ParseUnverified(tks string) (claims *jwt.RegisteredClaims, err error)
- type Cache
- type CachedJWKSValidator
- type Claims
- func (c Claims) HasAllPermissions(requiredPermissions ...string) bool
- func (c Claims) HasAnyPermission(permissions ...string) bool
- func (c Claims) HasPermission(requiredPermission string) bool
- func (c Claims) ParseOrgID() ulid.ULID
- func (c Claims) ParseProjectID() ulid.ULID
- func (c Claims) ParseUserID() ulid.ULID
- func (c Claims) ValidateProject(projectID ulid.ULID) bool
- type JWKSValidator
- type MockValidator
- type SessionToken
- type TokenManager
- func (tm *TokenManager) CreateAccessToken(claims *Claims) (_ *jwt.Token, err error)
- func (tm *TokenManager) CreateRefreshToken(accessToken *jwt.Token) (refreshToken *jwt.Token, err error)
- func (tm *TokenManager) CreateToken(claims *Claims) *jwt.Token
- func (tm *TokenManager) CreateTokenPair(claims *Claims) (accessToken, refreshToken string, err error)
- func (tm *TokenManager) CurrentKey() ulid.ULID
- func (tm *TokenManager) Keys() (keys jwk.Set, err error)
- func (v *TokenManager) Parse(tks string) (claims *Claims, err error)
- func (tm *TokenManager) RefreshAudience() string
- func (tm *TokenManager) Sign(token *jwt.Token) (tks string, err error)
- func (v *TokenManager) Verify(tks string) (claims *Claims, err error)
- type Validator
Constants ¶
const DefaultRefreshAudience = "https://auth.rotational.app/v1/refresh"
Variables ¶
var ( ErrCacheMiss = errors.New("requested key is not in the cache") ErrCacheExpired = errors.New("requested key is expired") )
Functions ¶
func ParseUnverified ¶ added in v0.5.2
func ParseUnverified(tks string) (claims *jwt.RegisteredClaims, err error)
Types ¶
type Cache ¶ added in v0.8.0
Cache is an in-memory cache that stores issued token claims by ULID.
func (*Cache) Get ¶ added in v0.8.0
Get the token from the user ID and project ID or return an error if it does not exist.
type CachedJWKSValidator ¶ added in v0.2.0
type CachedJWKSValidator struct { JWKSValidator // contains filtered or unexported fields }
func NewCachedJWKSValidator ¶ added in v0.2.0
func (*CachedJWKSValidator) Parse ¶ added in v0.2.0
Parse an access or refresh token verifying its signature but without verifying its claims. This ensures that valid JWT tokens are still accepted but claims can be handled on a case-by-case basis; for example by validating an expired access token during reauthentication.
type Claims ¶
type Claims struct { jwt.RegisteredClaims Name string `json:"name,omitempty"` Email string `json:"email,omitempty"` Picture string `json:"picture,omitempty"` OrgID string `json:"org,omitempty"` ProjectID string `json:"project,omitempty"` Permissions []string `json:"permissions,omitempty"` AccountType string `json:"account,omitempty"` }
Claims implements custom claims for the Quarterdeck application.
func ParseUnverifiedTokenClaims ¶ added in v0.5.2
Parse token claims from an access token.
func (Claims) HasAllPermissions ¶ added in v0.2.0
HasAllPermissions checks if all specified permissions are in the claims.
func (Claims) HasAnyPermission ¶ added in v0.5.1
HasAnyPermission checks if at least one of the specified permissions are in the claims.
func (Claims) HasPermission ¶ added in v0.2.0
HasPermission checks if the claims contain the specified permission.
func (Claims) ParseOrgID ¶ added in v0.3.0
func (c Claims) ParseOrgID() ulid.ULID
ParseOrgID returns the ULID of the organization ID in the claims. If the OrgID is not valid then an empty ULID is returned without an error to reduce error checking in handlers. If the caller needs to know if the ULID is invalid they should parse it themselves; otherwise the Null ULID will prevent most accesses from succeeding.
func (Claims) ParseProjectID ¶ added in v0.5.1
func (c Claims) ParseProjectID() ulid.ULID
ParseProjectID returns the ULID of the project from the claims. If the project ID is not valid then an empty ULID is returned without an error to reduce error checking in handlers. If the caller needs to know if the ULID is invalid they should parse it directly or perform an IsZero check on the result.
func (Claims) ParseUserID ¶ added in v0.3.0
func (c Claims) ParseUserID() ulid.ULID
ParseUserID returns the ULID of the user from the Subject of the claims. If the UserID is not valid then an empty ULID is returned without an error to reduce error checking in the handlers. If the caller needs to know if the ULID is invalid, they should parse it themselves or perform an IsZero check on the result.
func (Claims) ValidateProject ¶ added in v0.5.0
Checks to see if the claims match the input projectID.
type JWKSValidator ¶ added in v0.2.0
type JWKSValidator struct {
// contains filtered or unexported fields
}
JWKSValidator provides public verification that JWT tokens have been issued by the Quarterdeck authentication service by checking that the tokens have been signed using public keys from a JSON Web Key Set (JWKS). The validator then returns Quarterdeck specific claims if the token is in fact valid.
func NewJWKSValidator ¶ added in v0.2.0
func NewJWKSValidator(keys jwk.Set, audience, issuer string) *JWKSValidator
func (*JWKSValidator) Parse ¶ added in v0.2.0
Parse an access or refresh token verifying its signature but without verifying its claims. This ensures that valid JWT tokens are still accepted but claims can be handled on a case-by-case basis; for example by validating an expired access token during reauthentication.
type MockValidator ¶ added in v0.2.0
type MockValidator struct { OnVerify func(string) (*Claims, error) OnParse func(string) (*Claims, error) Calls map[string]int }
type SessionToken ¶ added in v0.8.0
type SessionToken struct {
// contains filtered or unexported fields
}
SessionToken is a string token issued to users that has a limited lifetime. The cache is responsible for checking whether tokens are expired and removing expired tokens to maintain the cache size.
func (*SessionToken) Key ¶ added in v0.8.0
func (t *SessionToken) Key() string
The key is used to lookup the token in the cache by user ID and project ID.
type TokenManager ¶
type TokenManager struct {
// contains filtered or unexported fields
}
TokenManager handles the creation and verification of RSA signed JWT tokens. To facilitate signing key rollover, TokenManager can accept multiple keys identified by a ulid. JWT tokens generated by token managers include a kid in the header that allows the token manager to verify the key with the specified signature. To sign keys the token manager will always use the latest private key by ulid.
When the TokenManager creates tokens it will use JWT standard claims as well as extended claims based on Quarterdeck usage. The standard claims included are exp, nbf aud, and sub. On token verification, the exp, nbf, iss and aud claims are validated. TODO: Create automatic key rotation mechanism rather than loading keys.
func New ¶
func New(conf config.TokenConfig) (tm *TokenManager, err error)
New creates a TokenManager with the specified keys which should be a mapping of ULID strings to paths to files that contain PEM encoded RSA private keys. This input is specifically designed for the config environment variable so that keys can be loaded from k8s or vault secrets that are mounted as files on disk.
func NewWithKey ¶ added in v0.2.0
func NewWithKey(key *rsa.PrivateKey, conf config.TokenConfig) (tm *TokenManager, err error)
func (*TokenManager) CreateAccessToken ¶
func (tm *TokenManager) CreateAccessToken(claims *Claims) (_ *jwt.Token, err error)
CreateAccessToken from the credential payload or from an previous token if the access token is being reauthorized from previous credentials. Note that the returned token only contains the claims and is unsigned.
func (*TokenManager) CreateRefreshToken ¶
func (tm *TokenManager) CreateRefreshToken(accessToken *jwt.Token) (refreshToken *jwt.Token, err error)
CreateRefreshToken from the Access token claims with predefined expiration. Note that the returned token only contains the claims and is unsigned.
func (*TokenManager) CreateToken ¶ added in v0.5.0
func (tm *TokenManager) CreateToken(claims *Claims) *jwt.Token
CreateToken from the claims payload without modifying the claims unless the claims are missing required fields that need to be updated.
func (*TokenManager) CreateTokenPair ¶ added in v0.2.0
func (tm *TokenManager) CreateTokenPair(claims *Claims) (accessToken, refreshToken string, err error)
CreateTokenPair returns signed access and refresh tokens for the specified claims in one step (since normally users want both an access and a refresh token)!
func (*TokenManager) CurrentKey ¶
func (tm *TokenManager) CurrentKey() ulid.ULID
CurrentKey returns the ulid of the current key being used to sign tokens.
func (*TokenManager) Keys ¶
func (tm *TokenManager) Keys() (keys jwk.Set, err error)
Keys returns the JSON Web Key Set with public keys for use externally.
func (*TokenManager) Parse ¶
Parse an access or refresh token verifying its signature but without verifying its claims. This ensures that valid JWT tokens are still accepted but claims can be handled on a case-by-case basis; for example by validating an expired access token during reauthentication.
func (*TokenManager) RefreshAudience ¶ added in v0.5.0
func (tm *TokenManager) RefreshAudience() string
type Validator ¶ added in v0.2.0
type Validator interface { // Verify an access or a refresh token after parsing and return its claims. Verify(tks string) (claims *Claims, err error) // Parse an access or refresh token without verifying claims (e.g. to check an expired token). Parse(tks string) (claims *Claims, err error) }
Validators are able to verify that access and refresh tokens were issued by Quarterdeck and that their claims are valid (e.g. not expired).