Documentation
Index
- Constants
- Variables
- func Authenticate(v JWSValidator, ctx context.Context, input *openapi3filter.AuthenticationInput, ...) error
- func CheckTokenClaims(expectedClaims []string, t jwt.Token) error
- func GetClaimsFromToken(t jwt.Token) ([]string, error)
- func GetJWSFromRequest(req *http.Request) (string, error)
- func NewAuthenticator(v JWSValidator, authClient *auth.Client) openapi3filter.AuthenticationFunc
- type FakeAuthenticator
- type JWSValidator
- type User
Constants
const FakeAudience = "example-users"
const FakeIssuer = "fake-issuer"
const JWTClaimsContextKey = "jwt_claims"
const KeyID = `fake-key-id`
const PermissionsClaim = "perm"
const PrivateKey = `` /* 226-byte string literal not displayed */
PrivateKey is an ECDSA private key which was generated with the following command:
openssl ecparam -name prime256v1 -genkey -noout -out ecprivatekey.pem
We are using a hard-coded key here in this example, but in a real application you would never do this. Your JWT signing key must never ship inside your application; only the public key belongs there.
const UserContextKey = "user"
Variables
var (
	ErrNoAuthHeader      = errors.New("Authorization header is missing")
	ErrInvalidAuthHeader = errors.New("Authorization header is malformed")
	ErrClaimsInvalid     = errors.New("Provided claims do not match expected scopes")
)
var (
	// If callers of the function may want to match on this specific error,
	// it is good practice to expose it as a package-level variable.
	NoUserInContextError = commonerrors.NewAuthorizationError("no user in context", "no-user-found")
)
Functions
func Authenticate
func Authenticate(v JWSValidator, ctx context.Context, input *openapi3filter.AuthenticationInput, authClient *auth.Client) error
Authenticate uses the specified validator to ensure a JWT is valid, then makes sure that the claims provided by the JWT match the scopes as required in the API.
func GetClaimsFromToken
func GetClaimsFromToken(t jwt.Token) ([]string, error)
GetClaimsFromToken returns a list of claims from the token. We store these as a list under the "perms" claim, short for permissions, to keep the token shorter.
func GetJWSFromRequest
func GetJWSFromRequest(req *http.Request) (string, error)
GetJWSFromRequest extracts a JWS string from an Authorization: Bearer <jws> header.
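The two checks that Authenticate chains together, bearer extraction and scope matching, are shown below as an added example written for this page; it is not the package's own code, and the error variables and the "perm" list are re-created here rather than imported. Every scope the API operation requires must be present in the token; extra permissions are tolerated.

```go
package main
import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)
// Sentinel errors re-created here to mirror the ones the package exports.
var (
	ErrNoAuthHeader      = errors.New("Authorization header is missing")
	ErrInvalidAuthHeader = errors.New("Authorization header is malformed")
	ErrClaimsInvalid     = errors.New("Provided claims do not match expected scopes")
)
// getJWSFromRequest extracts the compact JWS from "Authorization: Bearer <jws>".
// A missing header, a non-Bearer scheme and an empty token are all rejected.
func getJWSFromRequest(req *http.Request) (string, error) {
	authHdr := req.Header.Get("Authorization")
	if authHdr == "" {
		return "", ErrNoAuthHeader
	}
	const prefix = "Bearer "
	if !strings.HasPrefix(authHdr, prefix) {
		return "", ErrInvalidAuthHeader
	}
	if jws := strings.TrimSpace(authHdr[len(prefix):]); jws != "" {
		return jws, nil
	}
	return "", ErrInvalidAuthHeader
}
// checkClaims passes only when every scope the API operation requires appears
// in the token's "perm" list; permissions the operation does not need are ignored.
func checkClaims(expected, have []string) error {
	got := make(map[string]struct{}, len(have))
	for _, c := range have {
		got[c] = struct{}{}
	}
	for _, e := range expected {
		if _, ok := got[e]; !ok {
			return fmt.Errorf("%w: missing %q", ErrClaimsInvalid, e)
		}
	}
	return nil
}
func main() {
	req, _ := http.NewRequest(http.MethodGet, "/things", nil)      // constructed request
	req.Header.Set("Authorization", "Bearer header.payload.sig") // constructed JWS
	fmt.Println(getJWSFromRequest(req))
	fmt.Println(checkClaims([]string{"things:r"}, []string{"things:w"}))
}
```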
func NewAuthenticator
func NewAuthenticator(v JWSValidator, authClient *auth.Client) openapi3filter.AuthenticationFunc
Types
type FakeAuthenticator
type FakeAuthenticator struct {
	PrivateKey *ecdsa.PrivateKey
	KeySet     jwk.Set
}
func NewFakeAuthenticator
func NewFakeAuthenticator() (*FakeAuthenticator, error)
NewFakeAuthenticator creates an example authenticator which uses a hard-coded ECDSA key to validate JWTs that it has signed itself.
func (*FakeAuthenticator) CreateJWSWithClaims
func (f *FakeAuthenticator) CreateJWSWithClaims(claims []string) ([]byte, error)
CreateJWSWithClaims is a helper function to create JWTs with the specified claims.
func (*FakeAuthenticator) SignToken
func (f *FakeAuthenticator) SignToken(t jwt.Token) ([]byte, error)
SignToken takes a JWT and signs it with our private key, returning a JWS.
func (*FakeAuthenticator) ValidateJWS
func (f *FakeAuthenticator) ValidateJWS(jwsString string) (jwt.Token, error)
ValidateJWS checks that the critical JWT claims we rely on to trust the token are present and carry the expected values.
type JWSValidator
JWSValidator is used to validate JWS payloads and return a JWT if they are valid.