Documentation ¶
Index ¶
- Constants
- type CachedJWKSValidator
- type Claims
- type JWKSValidator
- type MockValidator
- type TokenManager
- func (tm *TokenManager) CreateAccessToken(claims *Claims) (_ *jwt.Token, err error)
- func (tm *TokenManager) CreateRefreshToken(accessToken *jwt.Token) (refreshToken *jwt.Token, err error)
- func (tm *TokenManager) CreateToken(claims *Claims) *jwt.Token
- func (tm *TokenManager) CreateTokenPair(claims *Claims) (accessToken, refreshToken string, err error)
- func (tm *TokenManager) CurrentKey() ulid.ULID
- func (tm *TokenManager) Keys() (keys jwk.Set, err error)
- func (v *TokenManager) Parse(tks string) (claims *Claims, err error)
- func (tm *TokenManager) RefreshAudience() string
- func (tm *TokenManager) Sign(token *jwt.Token) (tks string, err error)
- func (v *TokenManager) Verify(tks string) (claims *Claims, err error)
- type Validator
Constants ¶
const DefaultRefreshAudience = "https://auth.rotational.app/v1/refresh"
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CachedJWKSValidator ¶ added in v0.2.0
type CachedJWKSValidator struct { JWKSValidator // contains filtered or unexported fields }
func NewCachedJWKSValidator ¶ added in v0.2.0
func (*CachedJWKSValidator) Parse ¶ added in v0.2.0
Parse an access or refresh token verifying its signature but without verifying its claims. This ensures that valid JWT tokens are still accepted but claims can be handled on a case-by-case basis; for example by validating an expired access token during reauthentication.
type Claims ¶
type Claims struct { jwt.RegisteredClaims Name string `json:"name,omitempty"` Email string `json:"email,omitempty"` Picture string `json:"picture,omitempty"` OrgID string `json:"org,omitempty"` ProjectID string `json:"project,omitempty"` Permissions []string `json:"permissions,omitempty"` }
Claims implements custom claims for the Quarterdeck application.
func (Claims) HasAllPermissions ¶ added in v0.2.0
HasAllPermissions checks if all specified permissions are in the claims.
func (Claims) HasPermission ¶ added in v0.2.0
HasPermission checks if the claims contain the specified permission.
func (Claims) ParseOrgID ¶ added in v0.3.0
func (c Claims) ParseOrgID() ulid.ULID
ParseOrgID returns the ULID of the organization ID in the claims. If the OrgID is not valid then an empty ULID is returned without an error to reduce error checking in handlers. If the caller needs to know if the ULID is invalid they should parse it themselves; otherwise the Null ULID will prevent most accesses from succeeding.
func (Claims) ParseUserID ¶ added in v0.3.0
func (c Claims) ParseUserID() ulid.ULID
ParseUserID returns the ULID of the user from the Subject of the claims. If the UserID is not valid then an empty ULID is returned without an error to reduce error checking in the handlers. If the caller needs to know if the ULID is invalid, they should parse it themsleves or perform an IsZero check on the result.
func (Claims) ValidateProject ¶ added in v0.5.0
Checks to see if the claims match the input projectID.
type JWKSValidator ¶ added in v0.2.0
type JWKSValidator struct {
// contains filtered or unexported fields
}
JWKSValidator provides public verification that JWT tokens have been issued by the Quarterdeck authentication service by checking that the tokens have been signed using public keys from a JSON Web Key Set (JWKS). The validator then returns Quarterdeck specific claims if the token is in fact valid.
func NewJWKSValidator ¶ added in v0.2.0
func NewJWKSValidator(keys jwk.Set, audience, issuer string) *JWKSValidator
func (*JWKSValidator) Parse ¶ added in v0.2.0
Parse an access or refresh token verifying its signature but without verifying its claims. This ensures that valid JWT tokens are still accepted but claims can be handled on a case-by-case basis; for example by validating an expired access token during reauthentication.
type MockValidator ¶ added in v0.2.0
type MockValidator struct { OnVerify func(string) (*Claims, error) OnParse func(string) (*Claims, error) Calls map[string]int }
type TokenManager ¶
type TokenManager struct {
// contains filtered or unexported fields
}
TokenManager handles the creation and verification of RSA signed JWT tokens. To facilitate signing key rollover, TokenManager can accept multiple keys identified by a ulid. JWT tokens generated by token managers include a kid in the header that allows the token manager to verify the key with the specified signature. To sign keys the token manager will always use the latest private key by ulid.
When the TokenManager creates tokens it will use JWT standard claims as well as extended claims based on Quarterdeck usage. The standard claims included are exp, nbf aud, and sub. On token verification, the exp, nbf, iss and aud claims are validated. TODO: Create automatic key rotation mechanism rather than loading keys.
func New ¶
func New(conf config.TokenConfig) (tm *TokenManager, err error)
New creates a TokenManager with the specified keys which should be a mapping of ULID strings to paths to files that contain PEM encoded RSA private keys. This input is specifically designed for the config environment variable so that keys can be loaded from k8s or vault secrets that are mounted as files on disk.
func NewWithKey ¶ added in v0.2.0
func NewWithKey(key *rsa.PrivateKey, conf config.TokenConfig) (tm *TokenManager, err error)
func (*TokenManager) CreateAccessToken ¶
func (tm *TokenManager) CreateAccessToken(claims *Claims) (_ *jwt.Token, err error)
CreateAccessToken from the credential payload or from an previous token if the access token is being reauthorized from previous credentials. Note that the returned token only contains the claims and is unsigned.
func (*TokenManager) CreateRefreshToken ¶
func (tm *TokenManager) CreateRefreshToken(accessToken *jwt.Token) (refreshToken *jwt.Token, err error)
CreateRefreshToken from the Access token claims with predefined expiration. Note that the returned token only contains the claims and is unsigned.
func (*TokenManager) CreateToken ¶ added in v0.5.0
func (tm *TokenManager) CreateToken(claims *Claims) *jwt.Token
CreateToken from the claims payload without modifying the claims unless the claims are missing required fields that need to be updated.
func (*TokenManager) CreateTokenPair ¶ added in v0.2.0
func (tm *TokenManager) CreateTokenPair(claims *Claims) (accessToken, refreshToken string, err error)
CreateTokenPair returns signed access and refresh tokens for the specified claims in one step (since normally users want both an access and a refresh token)!
func (*TokenManager) CurrentKey ¶
func (tm *TokenManager) CurrentKey() ulid.ULID
CurrentKey returns the ulid of the current key being used to sign tokens.
func (*TokenManager) Keys ¶
func (tm *TokenManager) Keys() (keys jwk.Set, err error)
Keys returns the JSON Web Key Set with public keys for use externally.
func (*TokenManager) Parse ¶
Parse an access or refresh token verifying its signature but without verifying its claims. This ensures that valid JWT tokens are still accepted but claims can be handled on a case-by-case basis; for example by validating an expired access token during reauthentication.
func (*TokenManager) RefreshAudience ¶ added in v0.5.0
func (tm *TokenManager) RefreshAudience() string
type Validator ¶ added in v0.2.0
type Validator interface { // Verify an access or a refresh token after parsing and return its claims. Verify(tks string) (claims *Claims, err error) // Parse an access or refresh token without verifying claims (e.g. to check an expired token). Parse(tks string) (claims *Claims, err error) }
Validators are able to verify that access and refresh tokens were issued by Quarterdeck and that their claims are valid (e.g. not expired).