Documentation ¶
Index ¶
Constants ¶
const (
	// TokenSeparator is the value which separates the header, claims, and
	// signature in the compact serialization of a JSON Web Token.
	TokenSeparator = "."

	// Leeway is the Duration that will be added to NBF and EXP claim
	// checks to account for clock skew as per https://tools.ietf.org/html/rfc7519#section-4.1.5
	//
	// NOTE(review): because the allowance is applied to the EXP check as
	// well as NBF, a token presumably stays acceptable for up to Leeway
	// past its stated expiration. Account for that when choosing token
	// lifetimes and when reasoning about how quickly an expired token
	// stops being honoured.
	Leeway = 60 * time.Second
)
Variables ¶
// Errors used and exported by this package.
var (
	// ErrInsufficientScope carries the message "insufficient scope".
	// NOTE(review): presumably returned when a token is valid but does not
	// grant the requested access; confirm against the callers.
	ErrInsufficientScope = errors.New("insufficient scope")

	// ErrTokenRequired carries the message "authorization token required".
	// NOTE(review): presumably returned when a request arrives without a
	// token; confirm against the callers.
	ErrTokenRequired = errors.New("authorization token required")
)
Errors used and exported by this package.
// Errors used by token parsing and verification.
var (
	// ErrMalformedToken carries the message "malformed token".
	// NOTE(review): presumably the parsing failure (the token could not be
	// decoded); confirm against NewToken.
	ErrMalformedToken = errors.New("malformed token")

	// ErrInvalidToken carries the message "invalid token".
	// NOTE(review): presumably the verification failure (the token decoded
	// but did not pass the checks); confirm against Verify.
	ErrInvalidToken = errors.New("invalid token")
)
Errors used by token parsing and verification.
Functions ¶
This section is empty.
Types ¶
type AudienceList ¶
// AudienceList is a slice of strings that can be deserialized from either a
// single string value or a list of strings. It is the type of the `aud`
// claim in ClaimSet.
type AudienceList []string
AudienceList is a slice of strings that can be deserialized from either a single string value or a list of strings.
func (AudienceList) MarshalJSON ¶
func (s AudienceList) MarshalJSON() (b []byte, err error)
func (*AudienceList) UnmarshalJSON ¶
func (s *AudienceList) UnmarshalJSON(data []byte) (err error)
type ClaimSet ¶
// ClaimSet describes the main section of a JSON Web Token.
//
// Every field is decoded from the token payload. NewToken is documented as
// producing an unverified token, so these values should only be relied on
// for authorization decisions after Token.Verify has returned a nil error.
type ClaimSet struct {
	// Public claims
	Issuer   string       `json:"iss"`
	Subject  string       `json:"sub"`
	Audience AudienceList `json:"aud"`
	// Expiration, NotBefore and IssuedAt are int64 timestamps.
	// NOTE(review): presumably seconds since the Unix epoch (RFC 7519
	// NumericDate); confirm against the checks in Verify.
	Expiration int64  `json:"exp"`
	NotBefore  int64  `json:"nbf"`
	IssuedAt   int64  `json:"iat"`
	JWTID      string `json:"jti"`

	// Private claims
	// Access lists the resources and actions carried in the `access` claim.
	Access []*ResourceActions `json:"access"`
}
ClaimSet describes the main section of a JSON Web Token.
type Header ¶
// Header describes the header section of a JSON Web Token.
//
// All of these fields are read from the token itself. The key-related
// fields (KeyID, X5c, RawJWK) only name a candidate signing key; per the
// VerifySigningKey documentation, an `x5c` chain needs to be verified and a
// `kid` is looked up in the trustedKeys field of the verify options.
type Header struct {
	Type string `json:"typ"`
	// SigningAlg is the `alg` value supplied by the token.
	// NOTE(review): confirm that verification ties the accepted algorithm
	// to the resolved key rather than trusting this value on its own.
	SigningAlg string `json:"alg"`
	// KeyID is the `kid` header; this library interprets it as a libtrust
	// fingerprint.
	KeyID string `json:"kid,omitempty"`
	// X5c is the `x5c` header: the x509 certificate chain for the signing
	// key. It needs to be verified before the key is trusted.
	X5c []string `json:"x5c,omitempty"`
	// RawJWK is the `jwk` header: the JSON Web Key representation of the
	// signing key, kept as raw JSON. It may contain its own `x5c` field,
	// which needs to be verified.
	RawJWK *json.RawMessage `json:"jwk,omitempty"`
}
Header describes the header section of a JSON Web Token.
type ResourceActions ¶
// ResourceActions stores allowed actions on a named and typed resource.
//
// ClaimSet.Access holds a list of these, decoded from the token's `access`
// claim, so each entry is a grant asserted by the token and is only
// meaningful once the token has been verified.
type ResourceActions struct {
	// Type and Name identify the resource; Class is optional and omitted
	// from the JSON when empty.
	Type  string `json:"type"`
	Class string `json:"class,omitempty"`
	Name  string `json:"name"`
	// Actions lists the actions allowed on the resource.
	Actions []string `json:"actions"`
}
ResourceActions stores allowed actions on a named and typed resource.
type Token ¶
Token describes a JSON Web Token.
func NewToken ¶
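NewToken parses the given raw token string and constructs an unverified JSON Web Token. Nothing in the returned Token has been authenticated yet; call Verify before relying on its header or claims.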
func (*Token) Verify ¶
func (t *Token) Verify(verifyOpts VerifyOptions) error
Verify attempts to verify this token using the given options. Returns a nil error if the token is valid.
func (*Token) VerifySigningKey ¶
func (t *Token) VerifySigningKey(verifyOpts VerifyOptions) (signingKey libtrust.PublicKey, err error)
VerifySigningKey attempts to get the key which was used to sign this token. The token header should contain one of these three fields:
- `x5c` - The x509 certificate chain for the signing key. Needs to be verified.
- `jwk` - The JSON Web Key representation of the signing key. May contain its own `x5c` field which needs to be verified.
- `kid` - The unique identifier for the key. This library interprets it as a libtrust fingerprint. The key itself can be looked up in the trustedKeys field of the given verify options.
Each of these methods is tried in that order of preference until the signing key is found or an error is returned.