Documentation
Index
- Variables
- type JWTIssuer
- func (i *JWTIssuer) DecodeJWEToken(tokenString string, claims interface{}) error
- func (i *JWTIssuer) EncodeJWEToken(claims interface{}) (string, error)
- func (i *JWTIssuer) EncodeJWT(claims interface{}) (string, error)
- func (i *JWTIssuer) GetKeyPair() (any, crypto.PrivateKey, string, error)
- func (i *JWTIssuer) JWKS() (*jose.JSONWebKeySet, error)
- type Options
Constants
This section is empty.
Variables
var (
	// ErrKeyFormat is raised when something is wrong with the
	// encryption keys.
	ErrKeyFormat = errors.New("key format error")

	// ErrTokenVerification is raised when token verification fails.
	ErrTokenVerification = errors.New("failed to verify token")

	// ErrContextError is raised when a required value cannot be retrieved
	// from a context.
	ErrContextError = errors.New("value missing from context")
)
Functions
This section is empty.
Types
type JWTIssuer
type JWTIssuer struct {
// contains filtered or unexported fields
}
JWTIssuer is in charge of API token issue and verification. It is expected that the keys come from a mounted kubernetes.io/tls Secret managed by cert-manager. As a result the keys will rotate every 60 days (by default), so you MUST ensure they are not cached in perpetuity. Additionally, due to horizontal scale-out these secrets need to be shared between all replicas so that a token issued by one can be verified by another. As such, if you ever do cache the loaded certificate, the cache will need to be coordinated between all instances.
func NewJWTIssuer
NewJWTIssuer returns a new JWT issuer and validator.
func (*JWTIssuer) DecodeJWEToken
func (*JWTIssuer) EncodeJWEToken
func (*JWTIssuer) GetKeyPair
GetKeyPair returns the public key, private key and key id from the configuration data. The key id is inspired by X.509 subject key identifiers: it is a hash over the SubjectPublicKeyInfo.