Documentation ¶
Index ¶
- Constants
- Variables
- func GenerateAccessToken(ctx context.Context, identityId string) (string, time.Duration, error)
- func NewRefreshToken(ctx context.Context, identityId string) (string, error)
- func RevokeRefreshToken(ctx context.Context, refreshTokenRaw string) error
- func RotateRefreshToken(ctx context.Context, refreshTokenRaw string) (isValid bool, refreshToken string, identityId string, err error)
- func ValidateAccessToken(ctx context.Context, tokenString string) (string, string, error)
- func ValidateRefreshToken(ctx context.Context, refreshTokenRaw string) (isValid bool, identityId string, err error)
- func VerifyIdToken(ctx context.Context, idTokenRaw string) (*oidc.IDToken, error)
- type AccessTokenClaims
- type IdTokenClaims
- type UserClaims
Constants ¶
// KeelIssuer is the value of the 'iss' (issuer) claim for access tokens
// issued by Keel.
//
// NOTE(review): a verifier should compare a token's 'iss' against this exact
// string so that tokens minted by another issuer are not accepted as
// Keel-issued. Confirm that ValidateAccessToken does this; its body is not
// shown here.
const KeelIssuer = "https://keel.so"
Variables ¶
// Authentication failures reported by the token functions in this package.
// Each is built with common.NewAuthenticationFailedMessageErr and differs
// only in its message.

// ErrInvalidToken reports a token that cannot be parsed or verified as a JWT.
var ErrInvalidToken = common.NewAuthenticationFailedMessageErr("cannot be parsed or verified as a valid JWT")

// ErrTokenExpired reports a token that has expired.
var ErrTokenExpired = common.NewAuthenticationFailedMessageErr("token has expired")

// ErrIdentityNotFound reports that no identity was found.
//
// NOTE(review): if these messages reach the client verbatim, this one tells
// the caller that the token itself was accepted but its identity no longer
// exists. Confirm that this distinction is meant to be visible outside the
// service.
var ErrIdentityNotFound = common.NewAuthenticationFailedMessageErr("identity not found")
Functions ¶
func GenerateAccessToken ¶
func NewRefreshToken ¶
NewRefreshToken generates a new refresh token for the identity using the configured or default expiry time.
func RevokeRefreshToken ¶
RevokeRefreshToken will delete (revoke) the provided refresh token, which will prevent it from being used again.
func RotateRefreshToken ¶
func RotateRefreshToken(ctx context.Context, refreshTokenRaw string) (isValid bool, refreshToken string, identityId string, err error)
RotateRefreshToken validates that the provided refresh token has not expired, and then rotates it for a new refresh token with the exact same expiry time and identity. The original refresh token is then revoked from future use.
func ValidateAccessToken ¶
func ValidateRefreshToken ¶
func ValidateRefreshToken(ctx context.Context, refreshTokenRaw string) (isValid bool, identityId string, err error)
ValidateRefreshToken validates that the provided refresh token has not expired, and also returns the identity it is associated with. The refresh token is not revoked.
Types ¶
type AccessTokenClaims ¶
// AccessTokenClaims is the claim set of an access token. It embeds
// jwt.RegisteredClaims and declares no further fields, so an access token
// carries only the registered JWT claims and no profile, email or phone data.
type AccessTokenClaims struct {
	// Registered JWT claims (issuer, subject, audience, expiry and so on).
	jwt.RegisteredClaims
}
https://pkg.go.dev/github.com/golang-jwt/jwt/v4#RegisteredClaims
type IdTokenClaims ¶
// IdTokenClaims is the claim set of an ID token: the registered JWT claims
// together with the user claims declared in UserClaims. Both are embedded,
// so their fields are promoted to this type.
//
// NOTE(review): presumably this is the shape the claims of a token returned
// by VerifyIdToken are decoded into; confirm against the caller.
type IdTokenClaims struct {
	// Registered JWT claims (issuer, subject, audience, expiry and so on).
	jwt.RegisteredClaims
	// User claims for the 'email', 'profile' and 'phone' scopes.
	UserClaims
}
type UserClaims ¶
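// UserClaims holds the OpenID Connect standard claims about the end user,
// grouped by the scope that releases them ('email', 'profile', 'phone').
//
// Every field is tagged omitempty, so zero values are left out when encoding.
// When decoding, a claim that is missing from the token leaves its field at
// the zero value. For EmailVerified and PhoneNumberVerified that zero value
// is false, so an address or number is only reported as verified when the
// token explicitly says so.
//
// NOTE(review): Email and PhoneNumber are asserted by the identity provider.
// Code that matches or links accounts on them should check the corresponding
// *Verified flag first; whether callers do so is not visible from this type.
type UserClaims struct {
	// default 'email' scope claims
	Email         string `json:"email,omitempty"`
	EmailVerified bool   `json:"email_verified,omitempty"`

	// default 'profile' scope claims
	Name       string `json:"name,omitempty"`
	GivenName  string `json:"given_name,omitempty"`
	FamilyName string `json:"family_name,omitempty"`
	MiddleName string `json:"middle_name,omitempty"`
	// The OpenID Connect standard claim is spelled "nickname". With the
	// previous tag "nick_name" the field was never filled from a conformant
	// ID token.
	NickName          string `json:"nickname,omitempty"`
	PreferredUsername string `json:"preferred_username,omitempty"`
	Profile           string `json:"profile,omitempty"`
	Picture           string `json:"picture,omitempty"`
	Website           string `json:"website,omitempty"`
	Gender            string `json:"gender,omitempty"`
	ZoneInfo          string `json:"zoneinfo,omitempty"`
	Locale            string `json:"locale,omitempty"`

	// default 'phone' scope claims
	PhoneNumber         string `json:"phone_number,omitempty"`
	PhoneNumberVerified bool   `json:"phone_number_verified,omitempty"`
}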
https://openid.net/specs/openid-connect-basic-1_0.html#StandardClaims