Documentation
Overview
Package jwt contains low-level utilities for verifying JSON Web Tokens.
Supports only non-encrypted RS256 tokens with `kid` header field populated, as produced by Google Cloud Platform.
Constants
This section is empty.
Variables
var NotJWT = errors.BoolTag{Key: errors.NewTagKey("not a JSON web token")}
NotJWT is an error tag used to indicate that the string passed to VerifyAndDecode is not in fact structurally a JWT.
Functions
func UnsafeDecode
UnsafeDecode extracts the payload of a JWT **without verifying it**.
It must always be followed by VerifyAndDecode. Useful to "peek" inside the token to see who it was supposedly signed by.
func VerifyAndDecode
func VerifyAndDecode(jwt string, dest any, verifier SignatureVerifier) error
VerifyAndDecode deconstructs the token, verifies its signature using the given `verifier` and on success deserializes its body into `dest`.
Returns errors tagged with NotJWT if `jwt` doesn't look like a JWT at all. Other errors (like signature verification check errors) are returned without this tag.
Doesn't interpret any JWT claims in the body, just deserializes them into `dest`. The caller is responsible for checking them.
Types
type SignatureVerifier
type SignatureVerifier interface {
	// CheckSignature returns nil if `signed` was indeed signed by given key.
	CheckSignature(keyID string, signed, signature []byte) error
}
SignatureVerifier can verify RS256 signatures.
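As an added example (not code from this package): a self-contained sketch of a key set whose CheckSignature method has the shape of the SignatureVerifier interface, together with the RS256 and `kid` header handling a caller would expect around it. The names keyring, checkToken, sign and demoKey are hypothetical, and the key and tokens are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// All names below are hypothetical. keyring maps a `kid` to a trusted public key.
type keyring map[string]*rsa.PublicKey

func (k keyring) CheckSignature(keyID string, signed, signature []byte) error {
	if k[keyID] == nil {
		return fmt.Errorf("unknown signing key %q", keyID)
	}
	digest := sha256.Sum256(signed) // RS256 is RSASSA-PKCS1-v1_5 over SHA-256
	return rsa.VerifyPKCS1v15(k[keyID], crypto.SHA256, digest[:], signature)
}

func checkToken(tok string, v keyring) error {
	h, rest, _ := strings.Cut(tok, ".")
	p, s, ok := strings.Cut(rest, ".")
	var hdr struct{ Alg, Kid string }
	raw, err1 := base64.RawURLEncoding.DecodeString(h)
	sig, err2 := base64.RawURLEncoding.DecodeString(s) // a 4th segment fails here: "." is not base64url
	malformed := !ok || err1 != nil || err2 != nil || json.Unmarshal(raw, &hdr) != nil
	if malformed || hdr.Alg != "RS256" || hdr.Kid == "" { // pin RS256; the header does not pick the algorithm
		return fmt.Errorf("rejected: malformed=%v alg=%q kid=%q", malformed, hdr.Alg, hdr.Kid)
	}
	return v.CheckSignature(hdr.Kid, []byte(h+"."+p), sig) // signed bytes are the raw "header.payload"
}

var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway key, constructed for the demo
func sign(header, claims string) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	signed := enc([]byte(header)) + "." + enc([]byte(claims))
	digest := sha256.Sum256([]byte(signed))
	sig, err := rsa.SignPKCS1v15(rand.Reader, demoKey, crypto.SHA256, digest[:])
	return signed + "." + enc(sig), err
}

func main() {
	tok, _ := sign(`{"alg":"RS256","kid":"key-1"}`, `{"sub":"demo"}`)
	fmt.Println(checkToken(tok, keyring{"key-1": &demoKey.PublicKey}))
}
```

A nil result only establishes that the bytes were signed by a key in the set; as the note on VerifyAndDecode says, the claims in the body still have to be checked by the caller.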