jwt

package
v0.0.0-...-a9d0937
Published: Apr 10, 2024 License: Apache-2.0 Imports: 33 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GenerateAuthorizationHeader

func GenerateAuthorizationHeader(payload interface{}, signatureGenerator SignatureGenerator) (string, error)

GenerateAuthorizationHeader can be used to create HTTP "Authorization" headers of shape "Bearer ${jwt}". It calls into a SignatureGenerator to sign the resulting header.

Types

type AuthorizationHeaderParser

type AuthorizationHeaderParser struct {
	// contains filtered or unexported fields
}

AuthorizationHeaderParser is a helper type for parsing JSON Web Tokens stored in HTTP "Authorization" headers of shape "Bearer ${jwt}". To prevent wasting excessive amounts of processing time on signature verification, this type holds on to a cache of recently observed tokens.

func NewAuthorizationHeaderParser

func NewAuthorizationHeaderParser(clock clock.Clock, signatureValidator SignatureValidator, claimsValidator, metadataExtractor *jmespath.JMESPath, maximumCacheSize int, evictionSet eviction.Set[string]) *AuthorizationHeaderParser

NewAuthorizationHeaderParser creates a new AuthorizationHeaderParser that does not have any cached tokens.

func NewAuthorizationHeaderParserFromConfiguration

func NewAuthorizationHeaderParserFromConfiguration(config *configuration.AuthorizationHeaderParserConfiguration, group program.Group) (*AuthorizationHeaderParser, error)

NewAuthorizationHeaderParserFromConfiguration creates a new HTTP "Authorization" header parser based on options stored in a configuration file.

func (*AuthorizationHeaderParser) ParseAuthorizationHeaders

func (a *AuthorizationHeaderParser) ParseAuthorizationHeaders(headers []string) (*auth.AuthenticationMetadata, bool)

ParseAuthorizationHeaders takes a set of HTTP "Authorization" headers and returns true if one or more headers contain a token whose signature can be validated, and whose "exp" (Expiration Time) and "nbf" (Not Before) claims are in bounds.

type ForwardingSignatureValidator

type ForwardingSignatureValidator struct {
	// contains filtered or unexported fields
}

ForwardingSignatureValidator wraps another SignatureValidator. It is used when the underlying SignatureValidator needs to be replaced at runtime.

func NewForwardingSignatureValidator

func NewForwardingSignatureValidator(validator SignatureValidator) *ForwardingSignatureValidator

NewForwardingSignatureValidator creates a SignatureValidator that simply forwards requests to another SignatureValidator. This returns a pointer to the new ForwardingSignatureValidator, so as not to copy the atomic.Pointer.

func (*ForwardingSignatureValidator) Replace

func (sv *ForwardingSignatureValidator) Replace(validator SignatureValidator)

Replace replaces the registered SignatureValidator.

func (*ForwardingSignatureValidator) ValidateSignature

func (sv *ForwardingSignatureValidator) ValidateSignature(algorithm string, keyID *string, headerAndPayload string, signature []byte) bool

ValidateSignature validates a signature using the registered SignatureValidator.

type SignatureGenerator

type SignatureGenerator interface {
	GetAlgorithm() string
	GenerateSignature(headerAndPayload string) ([]byte, error)
}

SignatureGenerator is used by GenerateAuthorizationHeader() to create the signature of a JWT. Implementations of this interface may use HMAC, ECDSA or other algorithms.

func NewECDSASHASignatureGenerator

func NewECDSASHASignatureGenerator(privateKey *ecdsa.PrivateKey, randomNumberGenerator random.ThreadSafeGenerator) (SignatureGenerator, error)

NewECDSASHASignatureGenerator creates a SignatureGenerator that can sign a JWT using the Elliptic Curve Digital Signature Algorithm (ECDSA), using SHA-256, SHA-384 or SHA-512 as a hashing algorithm.

ECDSA uses asymmetrical cryptography, meaning that signing is performed using a private key, while verification only relies on a public key.

type SignatureValidator

type SignatureValidator interface {
	ValidateSignature(algorithm string, keyID *string, headerAndPayload string, signature []byte) bool
}

SignatureValidator is used by Authenticator to validate the signature of a JWT. Implementations of this interface may use HMAC, ECDSA or other algorithms.
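The following is an added example, not code from this package: a minimal HS256 implementation of the two interfaces above, together with a header builder of the documented "Bearer ${jwt}" shape and a parser that applies the "exp"/"nbf" bounds described under ParseAuthorizationHeaders. It deliberately simplifies the package's design: the parser takes the current time as an argument instead of a clock.Clock, keeps no cache of recently observed tokens, and returns the raw claims rather than auth.AuthenticationMetadata. The interface declarations are copied from this page; every other name (hmacSHA256, generateAuthorizationHeader, parseAuthorizationHeaders, timeClaimsInBounds) is this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type SignatureGenerator interface {
	GetAlgorithm() string
	GenerateSignature(headerAndPayload string) ([]byte, error)
}
type SignatureValidator interface {
	ValidateSignature(algorithm string, keyID *string, headerAndPayload string, signature []byte) bool
}

// hmacSHA256 is an illustrative HS256 implementation of both interfaces (not the
// package's own code): with HMAC the same key signs and validates.
type hmacSHA256 struct{ key []byte }

func (h hmacSHA256) GetAlgorithm() string { return "HS256" }

func (h hmacSHA256) GenerateSignature(headerAndPayload string) ([]byte, error) {
	mac := hmac.New(sha256.New, h.key)
	mac.Write([]byte(headerAndPayload))
	return mac.Sum(nil), nil
}

func (h hmacSHA256) ValidateSignature(algorithm string, _ *string, headerAndPayload string, signature []byte) bool {
	expected, _ := h.GenerateSignature(headerAndPayload)
	// The key is bound to exactly one algorithm, and the comparison is constant-time.
	return algorithm == "HS256" && hmac.Equal(expected, signature)
}

var b64 = base64.RawURLEncoding

// generateAuthorizationHeader follows the documented shape: sign
// base64url(header).base64url(payload) and prefix the result with "Bearer ".
func generateAuthorizationHeader(payload interface{}, sg SignatureGenerator) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": sg.GetAlgorithm(), "typ": "JWT"}) // cannot fail
	body, err := json.Marshal(payload)
	if err != nil {
		return "", err
	}
	headerAndPayload := b64.EncodeToString(header) + "." + b64.EncodeToString(body)
	sig, err := sg.GenerateSignature(headerAndPayload)
	if err != nil {
		return "", err
	}
	return "Bearer " + headerAndPayload + "." + b64.EncodeToString(sig), nil
}

// parseAuthorizationHeaders returns the claims of the first header whose token
// carries a valid signature and whose "exp"/"nbf" claims bound the given time.
func parseAuthorizationHeaders(headers []string, sv SignatureValidator, now time.Time) (map[string]interface{}, bool) {
	for _, h := range headers {
		token, isBearer := strings.CutPrefix(h, "Bearer ")
		parts := strings.Split(token, ".")
		if !isBearer || len(parts) != 3 {
			continue
		}
		rawHeader, err1 := b64.DecodeString(parts[0])
		rawPayload, err2 := b64.DecodeString(parts[1])
		sig, err3 := b64.DecodeString(parts[2])
		if err1 != nil || err2 != nil || err3 != nil {
			continue
		}
		var hdr struct {
			Alg string  `json:"alg"`
			Kid *string `json:"kid"`
		}
		var claims map[string]interface{}
		// The signature is checked before anything in the payload is trusted.
		if json.Unmarshal(rawHeader, &hdr) != nil ||
			!sv.ValidateSignature(hdr.Alg, hdr.Kid, parts[0]+"."+parts[1], sig) ||
			json.Unmarshal(rawPayload, &claims) != nil ||
			!timeClaimsInBounds(claims, now) {
			continue
		}
		return claims, true
	}
	return nil, false
}

// timeClaimsInBounds applies RFC 7519: a token is out of bounds when now >= exp or now < nbf.
func timeClaimsInBounds(claims map[string]interface{}, now time.Time) bool {
	exp, hasExp := claims["exp"].(float64)
	nbf, hasNbf := claims["nbf"].(float64)
	return !(hasExp && float64(now.Unix()) >= exp) && !(hasNbf && float64(now.Unix()) < nbf)
}

func main() {
	key := hmacSHA256{key: []byte("constructed-demo-key")} // constructed, not a real secret
	hdr, _ := generateAuthorizationHeader(map[string]interface{}{"sub": "alice", "exp": time.Now().Unix() + 60}, key)
	fmt.Println(parseAuthorizationHeaders([]string{hdr}, key, time.Now()))
}
```

Two details carry the security weight: the validator refuses any "alg" other than the one its key was created for, so the algorithm named in an untrusted header cannot steer which code path checks it, and the signature is verified before the payload is decoded, so the "exp"/"nbf" checks only ever run on claims the signer actually produced.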

func NewDemultiplexingSignatureValidator

func NewDemultiplexingSignatureValidator(namedSignatureValidators map[string]SignatureValidator, allSignatureValidators []SignatureValidator) SignatureValidator

NewDemultiplexingSignatureValidator creates a SignatureValidator that routes signature validation requests based on the key ID ("kid") field that's part of a JWT's header.
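As an added illustration of how the ForwardingSignatureValidator and the demultiplexing validator above fit together during key rotation, the block below reconstructs both from their documented behaviour. It is example code, not the package's implementation: the SignatureValidator interface is copied from this page, while forwardingValidator, demultiplexingValidator and stubValidator are this example's own names, and the exact fallback rule for tokens with no "kid", or an unknown one, is an assumption (here they are tried against every validator in the all list).

```go
package main

import (
	"fmt"
	"sync/atomic"
)

type SignatureValidator interface {
	ValidateSignature(algorithm string, keyID *string, headerAndPayload string, signature []byte) bool
}

// forwardingValidator is an illustrative reconstruction (not the package's code)
// of a validator whose backing validator is swapped atomically at runtime. The
// atomic.Pointer must not be copied after first use, which is why the constructor
// hands out a pointer rather than a value.
type forwardingValidator struct {
	backend atomic.Pointer[SignatureValidator]
}

func newForwardingValidator(v SignatureValidator) *forwardingValidator {
	f := &forwardingValidator{}
	f.Replace(v)
	return f
}

// Replace installs a new backing validator; calls already in flight finish on the old one.
func (f *forwardingValidator) Replace(v SignatureValidator) { f.backend.Store(&v) }

func (f *forwardingValidator) ValidateSignature(alg string, kid *string, hp string, sig []byte) bool {
	return (*f.backend.Load()).ValidateSignature(alg, kid, hp, sig)
}

// demultiplexingValidator routes on the token's "kid". Assumed semantics for this
// example: a kid naming a known validator is checked only against that validator;
// a token with no kid, or an unknown kid, is tried against every validator in all.
type demultiplexingValidator struct {
	named map[string]SignatureValidator
	all   []SignatureValidator
}

func newDemultiplexingValidator(named map[string]SignatureValidator, all []SignatureValidator) SignatureValidator {
	return &demultiplexingValidator{named: named, all: all}
}

func (d *demultiplexingValidator) ValidateSignature(alg string, kid *string, hp string, sig []byte) bool {
	if kid != nil {
		if v, ok := d.named[*kid]; ok {
			return v.ValidateSignature(alg, kid, hp, sig)
		}
	}
	for _, v := range d.all {
		if v.ValidateSignature(alg, kid, hp, sig) {
			return true
		}
	}
	return false
}

// stubValidator stands in for a real key: it accepts exactly one signature value.
// It exists only so the routing logic can be exercised without cryptography.
type stubValidator struct{ accepts string }

func (s stubValidator) ValidateSignature(_ string, _ *string, _ string, sig []byte) bool {
	return string(sig) == s.accepts
}

func main() {
	fwd := newForwardingValidator(stubValidator{accepts: "sig-old"})
	demux := newDemultiplexingValidator(map[string]SignatureValidator{"key-2023": fwd}, []SignatureValidator{fwd})
	kid := "key-2023"
	fmt.Println(demux.ValidateSignature("HS256", &kid, "h.p", []byte("sig-old"))) // true
	fwd.Replace(stubValidator{accepts: "sig-new"})                                // key rotation
	fmt.Println(demux.ValidateSignature("HS256", &kid, "h.p", []byte("sig-old"))) // false
}
```

The point of the split is that the demultiplexer pins a named "kid" to one validator, so a token claiming a known key ID is never tried against the others, while the forwarding wrapper lets that one validator be replaced (for instance after a JWKS refresh) without rebuilding the routing table.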

func NewECDSASHASignatureValidator

func NewECDSASHASignatureValidator(publicKey *ecdsa.PublicKey) (SignatureValidator, error)

NewECDSASHASignatureValidator creates a SignatureValidator that expects the signature of a JWT to use the Elliptic Curve Digital Signature Algorithm (ECDSA), using SHA-256, SHA-384 or SHA-512 as a hashing algorithm.

ECDSA uses asymmetrical cryptography, meaning that signing is performed using a private key, while verification only relies on a public key.
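The ECDSA generator and validator described above are reconstructed here as an added example, not as this package's code, to show the one detail that trips up hand-rolled JWT signers: JWS encodes an ECDSA signature as the fixed-width concatenation r || s (RFC 7518, section 3.4), not as the ASN.1 DER that most libraries produce by default. The interfaces are copied from this page; ecdsaAlg, ecdsaGenerator, ecdsaValidator, newECDSAGenerator and newECDSAValidator are this example's own names, and the generator draws randomness from crypto/rand instead of the documented random.ThreadSafeGenerator argument.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
	"hash"
	"math/big"
)

type SignatureGenerator interface {
	GetAlgorithm() string
	GenerateSignature(headerAndPayload string) ([]byte, error)
}
type SignatureValidator interface {
	ValidateSignature(algorithm string, keyID *string, headerAndPayload string, signature []byte) bool
}

// ecdsaAlg ties a curve to its JOSE algorithm name, hash and coordinate width in bytes.
type ecdsaAlg struct {
	name    string
	newHash func() hash.Hash
	width   int
}

var algorithms = map[elliptic.Curve]ecdsaAlg{
	elliptic.P256(): {"ES256", sha256.New, 32},
	elliptic.P384(): {"ES384", sha512.New384, 48},
	elliptic.P521(): {"ES512", sha512.New, 66},
}

func (a ecdsaAlg) digest(s string) []byte {
	h := a.newHash()
	h.Write([]byte(s))
	return h.Sum(nil)
}

// ecdsaGenerator is an illustrative signer (not the package's own code); it draws
// randomness from crypto/rand rather than the documented ThreadSafeGenerator argument.
type ecdsaGenerator struct {
	priv *ecdsa.PrivateKey
	alg  ecdsaAlg
}

func newECDSAGenerator(priv *ecdsa.PrivateKey) (SignatureGenerator, error) {
	alg, ok := algorithms[priv.Curve]
	if !ok {
		return nil, fmt.Errorf("unsupported curve %s", priv.Curve.Params().Name)
	}
	return &ecdsaGenerator{priv, alg}, nil
}

func (g *ecdsaGenerator) GetAlgorithm() string { return g.alg.name }

func (g *ecdsaGenerator) GenerateSignature(headerAndPayload string) ([]byte, error) {
	r, s, err := ecdsa.Sign(rand.Reader, g.priv, g.alg.digest(headerAndPayload))
	if err != nil {
		return nil, err
	}
	// JWS carries ECDSA signatures as fixed-width r || s, not as ASN.1 DER.
	sig := make([]byte, 2*g.alg.width)
	r.FillBytes(sig[:g.alg.width])
	s.FillBytes(sig[g.alg.width:])
	return sig, nil
}

type ecdsaValidator struct {
	pub *ecdsa.PublicKey
	alg ecdsaAlg
}

func newECDSAValidator(pub *ecdsa.PublicKey) (SignatureValidator, error) {
	alg, ok := algorithms[pub.Curve]
	if !ok {
		return nil, fmt.Errorf("unsupported curve %s", pub.Curve.Params().Name)
	}
	return &ecdsaValidator{pub, alg}, nil
}

func (v *ecdsaValidator) ValidateSignature(algorithm string, _ *string, headerAndPayload string, sig []byte) bool {
	// The key accepts only the algorithm its curve implies, and only well-formed lengths.
	if algorithm != v.alg.name || len(sig) != 2*v.alg.width {
		return false
	}
	r, s := new(big.Int).SetBytes(sig[:v.alg.width]), new(big.Int).SetBytes(sig[v.alg.width:])
	return ecdsa.Verify(v.pub, v.alg.digest(headerAndPayload), r, s)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	gen, _ := newECDSAGenerator(priv)
	val, _ := newECDSAValidator(&priv.PublicKey)
	sig, _ := gen.GenerateSignature("header.payload")
	fmt.Println(gen.GetAlgorithm(), len(sig), val.ValidateSignature("ES256", nil, "header.payload", sig))
}
```

The validator holds only the public key, which is the property the text is describing: the private key never has to leave the issuer. Deriving the algorithm name from the curve, rather than trusting the "alg" in the token header, means a P-256 key will reject a token labelled ES384 even though the hash sizes would otherwise be silently mismatched.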

func NewEd25519SignatureValidator

func NewEd25519SignatureValidator(publicKey ed25519.PublicKey) SignatureValidator

NewEd25519SignatureValidator creates a SignatureValidator that expects the signature of a JWT to use the Edwards-curve Digital Signature Algorithm (EdDSA), using Curve25519 as its elliptic curve and SHA-512 as a hashing algorithm.

EdDSA uses asymmetrical cryptography, meaning that signing is performed using a private key, while verification only relies on a public key.

func NewHMACSHASignatureValidator

func NewHMACSHASignatureValidator(key []byte) SignatureValidator

NewHMACSHASignatureValidator creates a SignatureValidator that expects the signature of a JWT to use Hash-based Message Authentication Code (HMAC), using SHA-256, SHA-384 or SHA-512 as a hashing algorithm.

HMAC uses symmetric cryptography, meaning that the key used to sign a JWT is the same as the one used to validate it. There is no distinction between public and private keys, which may not be desirable from a security point of view.

func NewRSASHASignatureValidator

func NewRSASHASignatureValidator(key *rsa.PublicKey) SignatureValidator

NewRSASHASignatureValidator creates a SignatureValidator that expects the signature of a JWT to use the Rivest-Shamir-Adleman (RSA) cryptosystem, using SHA-256, SHA-384 or SHA-512 as a hashing algorithm.

RSA uses asymmetrical cryptography, meaning that signing is performed using a private key, while verification only relies on a public key. Signatures tend to be a lot larger than those created by ECDSA and EdDSA.

func NewSignatureValidatorFromJSONWebKeySet

func NewSignatureValidatorFromJSONWebKeySet(jwks *jose.JSONWebKeySet) (SignatureValidator, error)

NewSignatureValidatorFromJSONWebKeySet creates a new SignatureValidator capable of validating JWTs matching keys contained in a JSON Web Key Set, as described in RFC 7517, section 5.

func NewSignatureValidatorFromJSONWebKeySetFile

func NewSignatureValidatorFromJSONWebKeySetFile(path string, group program.Group) (SignatureValidator, error)

NewSignatureValidatorFromJSONWebKeySetFile creates a new SignatureValidator capable of validating JWTs matching keys contained in a JSON Web Key Set read from a file. The content of the file is periodically refreshed.
