Documentation
Overview
Package keyserve provides middleware to serve Public Keys via OIDC-style (https://example.com/.well-known/openid-configuration) and Auth0-style (https://example.com/.well-known/jwks.json) URLs. It uses the keypairs package to encode to JWK format.
Basic Usage
    import (
        "crypto/ecdsa"
        "crypto/elliptic"
        "crypto/rand"
        "time"

        "git.rootprojects.org/root/keypairs"
        "git.rootprojects.org/root/keypairs/keyserve"
    )

    // a fresh P-256 keypair; in practice you would load your signing key
    key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
    pub := key.Public()

    handlers := &keyserve.Middleware{
        // the self-reference used for building the openid-configuration url
        BaseURL: "https://example.com/",
        // public keys used to verify token signatures
        Keys: []keypairs.PublicKey{keypairs.NewPublicKey(pub)},
        // how long clients should cache your public key
        ExpiresIn: 72 * time.Hour,
    }
You can then use the handlers anywhere http.HandleFunc is allowed:
    http.HandleFunc(keyserve.PEMPath, handlers.Auth0PEM)
    http.HandleFunc(keyserve.JWKsPath, handlers.WellKnownJWKs)
    http.HandleFunc(keyserve.OIDCPath, handlers.WellKnownOIDC)
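To show what the JWKs and PEM handlers actually put on the wire, here is an added, standard-library-only example that is not code from the keypairs project: it serves a P-256 public key at the same two paths (JWKsPath and PEMPath from the constants below), sends a Cache-Control max-age matching DefaultExpiresIn, and then plays the client, fetching both endpoints in-process and rebuilding the key from each. The type ecJWK and the functions toJWK, fromJWK, keyServer and fetchKeys are names chosen for this example, not the package's own API; the client-side on-curve check in fromJWK is the one a verifier should make before trusting a fetched key.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
)

// ecJWK carries the RFC 7518 fields of an EC public key (assumed field set, not the keypairs package's type).
type ecJWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// toJWK encodes an ECDSA public key as a JWK (base64url, no padding).
func toJWK(pub *ecdsa.PublicKey) ecJWK {
	p := pub.Curve.Params()
	enc := func(v *big.Int) string { // fixed width so leading zero bytes survive
		b := make([]byte, (p.BitSize+7)/8)
		v.FillBytes(b)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return ecJWK{Kty: "EC", Crv: p.Name, X: enc(pub.X), Y: enc(pub.Y)}
}

// fromJWK is the client side: rebuild the P-256 point and refuse anything not on the curve.
func fromJWK(k ecJWK) (*ecdsa.PublicKey, error) {
	xb, errX := base64.RawURLEncoding.DecodeString(k.X)
	yb, errY := base64.RawURLEncoding.DecodeString(k.Y)
	if k.Kty != "EC" || k.Crv != "P-256" || errX != nil || errY != nil {
		return nil, fmt.Errorf("unsupported or malformed JWK %s/%s", k.Kty, k.Crv)
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, fmt.Errorf("point not on curve")
	}
	return pub, nil
}

// keyServer mounts the JWKS and PEM endpoints at the paths the page lists.
func keyServer(pub *ecdsa.PublicKey, maxAgeSeconds int) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/jwks.json", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.Header().Set("Cache-Control", fmt.Sprintf("public, max-age=%d", maxAgeSeconds))
		json.NewEncoder(w).Encode(map[string][]ecJWK{"keys": {toJWK(pub)}})
	})
	mux.HandleFunc("/pem", func(w http.ResponseWriter, r *http.Request) {
		der, _ := x509.MarshalPKIXPublicKey(pub) // SubjectPublicKeyInfo DER; cannot fail for a P-256 key
		w.Header().Set("Content-Type", "application/x-pem-file")
		pem.Encode(w, &pem.Block{Type: "PUBLIC KEY", Bytes: der})
	})
	return mux
}

// fetchKeys requests both endpoints in-process and returns the key a client reconstructs from each.
func fetchKeys(pub *ecdsa.PublicKey) (jwkKey, pemKey *ecdsa.PublicKey, err error) {
	h := keyServer(pub, 259200) // 72h in seconds, matching DefaultExpiresIn
	get := func(path string) []byte {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest("GET", path, nil))
		return rec.Body.Bytes()
	}
	var set struct{ Keys []ecJWK `json:"keys"` }
	if err = json.Unmarshal(get("/.well-known/jwks.json"), &set); err != nil || len(set.Keys) != 1 {
		return nil, nil, fmt.Errorf("bad JWKS response: %v", err)
	}
	if jwkKey, err = fromJWK(set.Keys[0]); err != nil {
		return nil, nil, err
	}
	block, _ := pem.Decode(get("/pem"))
	if block == nil {
		return nil, nil, fmt.Errorf("no PEM block in /pem response")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	pemKey, _ = parsed.(*ecdsa.PublicKey)
	if err != nil || pemKey == nil {
		return nil, nil, fmt.Errorf("/pem does not hold an ECDSA key: %v", err)
	}
	return jwkKey, pemKey, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	j, p, err := fetchKeys(&priv.PublicKey)
	fmt.Println("error:", err, "jwks ok:", err == nil && priv.PublicKey.Equal(j), "pem ok:", err == nil && priv.PublicKey.Equal(p))
}
```

The Cache-Control header is what turns ExpiresIn into client behaviour: a verifier that honours it will not re-fetch the JWKS for three days, so a key rotation needs either an overlapping validity window or a shorter max-age.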
Index
Constants
const JWKsPath = "/.well-known/jwks.json"
JWKsPath is "/.well-known/jwks.json" (Auth0 spec)
const OIDCPath = "/.well-known/openid-configuration"
OIDCPath is "/.well-known/openid-configuration" (OIDC spec)
const PEMPath = "/pem"
PEMPath is "/pem" (Auth0 convention)
Variables
var DefaultExpiresIn = 72 * time.Hour
DefaultExpiresIn is 3 days
Functions
This section is empty.
Types
type Middleware
Middleware holds your public keys and has http handler methods for OIDC and Auth0 JWKs
func (*Middleware) Auth0PEM
func (m *Middleware) Auth0PEM(w http.ResponseWriter, r *http.Request)
Auth0PEM serves a PEM containing a public key
func (*Middleware) Handler
func (m *Middleware) Handler(w http.ResponseWriter, r *http.Request) bool
Handler will match either OIDC or Auth0 jwks URLs and return true if it matches on (and responds to) either. Otherwise it will return false.
func (*Middleware) WellKnownJWKs
func (m *Middleware) WellKnownJWKs(w http.ResponseWriter, r *http.Request)
WellKnownJWKs serves a JSON array of keys, no fluff
func (*Middleware) WellKnownOIDC
func (m *Middleware) WellKnownOIDC(w http.ResponseWriter, r *http.Request)
WellKnownOIDC serves a minimal OIDC config for the purpose of distributing JWKs. If you need something more powerful, do it yourself (but feel free to copy the code here).
Security Note: If you do not supply Middleware.BaseURL, it will be taken from r.Host (since web browsers will always present it as the domain being accessed, which is not the case with TLS.ServerName over HTTP/2). This is normally not a problem, because an attacker can only spoof the jwks_uri back to themselves. HOWEVER (DANGER, DANGER WILL ROBINSON) - RED FLAG - somewhere in the universe there is surely some old janky podunk proxy, still in use today, which is vulnerable to basic cache poisoning and could cause others to receive a cached copy of the malicious response rather than hitting the server and getting the correct one. It is unlikely that that's you (and if it is, you have much bigger problems), but I feel the need to warn you all the same - so just be sure to specify BaseURL.
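To make the note concrete, here is an added example (not the package's own code) of the two behaviours it contrasts: a discovery handler that falls back to r.Host when no BaseURL is given, and the same handler with BaseURL pinned, each queried in-process with a constructed Host header. It also shows the check a discovery client should make regardless (OpenID Connect Discovery section 4.3): the issuer in the document must equal the URL the document was fetched from, which rejects a host-derived document even if a cache handed it out. The type discoveryDoc, the functions wellKnownOIDC, fetchDiscovery and issuerMatches, the scheme derivation from r.TLS, and the host names are all assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// discoveryDoc is the minimal openid-configuration the page describes: just enough
// for a client to find the JWKS (assumed field set, not the package's own struct).
type discoveryDoc struct {
	Issuer  string `json:"issuer"`
	JWKsURI string `json:"jwks_uri"`
}

// wellKnownOIDC mirrors the documented BaseURL behaviour: an explicit baseURL is used
// verbatim; an empty one falls back to r.Host, which is whatever the client sent.
func wellKnownOIDC(baseURL string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		base := baseURL
		if base == "" {
			scheme := "http" // assumption: scheme inferred from whether TLS terminated here
			if r.TLS != nil {
				scheme = "https"
			}
			base = scheme + "://" + r.Host + "/"
		}
		base = strings.TrimSuffix(base, "/")
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(discoveryDoc{Issuer: base, JWKsURI: base + "/.well-known/jwks.json"})
	}
}

// fetchDiscovery sends one in-process request carrying the given Host header and
// returns the discovery document the handler produced.
func fetchDiscovery(h http.Handler, host string) (discoveryDoc, error) {
	req := httptest.NewRequest("GET", "/.well-known/openid-configuration", nil)
	req.Host = host
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	var doc discoveryDoc
	err := json.NewDecoder(rec.Body).Decode(&doc)
	return doc, err
}

// issuerMatches is the client-side check from OpenID Connect Discovery 4.3: the issuer
// inside the document must equal the issuer URL the client fetched it from.
func issuerMatches(expectedIssuer string, doc discoveryDoc) bool {
	return strings.TrimSuffix(doc.Issuer, "/") == strings.TrimSuffix(expectedIssuer, "/")
}

func main() {
	// constructed Host headers: the legitimate one and one a client forged
	for _, host := range []string{"example.com", "spoofed.example"} {
		fallback, _ := fetchDiscovery(wellKnownOIDC(""), host)
		pinned, _ := fetchDiscovery(wellKnownOIDC("https://example.com/"), host)
		fmt.Printf("Host %q without BaseURL -> %s (client accepts: %v)\n", host, fallback.JWKsURI, issuerMatches("https://example.com", fallback))
		fmt.Printf("Host %q with BaseURL    -> %s (client accepts: %v)\n", host, pinned.JWKsURI, issuerMatches("https://example.com", pinned))
	}
}
```

With BaseURL set, the response is identical whatever Host the request carried, so there is nothing for a proxy cache to amplify; without it, the forged Host is reflected into both issuer and jwks_uri, and only a client that validates the issuer will notice.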