Documentation ¶
Overview ¶
Package jwts provides various different JWT tokens.
Index ¶
- Constants
- Variables
- func NeedsPermission(needs string) func(X40) error
- type ServerInterceptor
- func (o *ServerInterceptor) StreamServerInterceptor(srv any, ss grpc.ServerStream, info *grpc.StreamServerInfo, ...) error
- func (o *ServerInterceptor) UnaryServerInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, ...) (any, error)
- func (o *ServerInterceptor) ValidateCtx(ctx context.Context, method string) (context.Context, error)
- type ServerInterceptorOptionFunc
- func ServerInterceptorOptsFromViper() ([]ServerInterceptorOptionFunc, error)
- func WithAddedPermissions(perms map[string]string) ServerInterceptorOptionFunc
- func WithJWKSKeyFunc(urls ...string) ServerInterceptorOptionFunc
- func WithKeyFunc(kf jwt.Keyfunc) ServerInterceptorOptionFunc
- func WithParser(p *jwt.Parser) ServerInterceptorOptionFunc
- func WithStaticKey(k interface{}) ServerInterceptorOptionFunc
- type X40
Constants ¶
const (
	// AudienceX40API is the audience field required for the X40 API.
	AudienceX40API = "https://api.x40.link"

	// ClaimPermissions is how auth0 returns the roles that are requested (via scopes).
	//
	// See:
	// 1. https://auth0.com/docs/get-started/apis/enable-role-based-access-control-for-apis
	ClaimPermissions = "permissions"
)
Variables ¶
var (
	ErrMissingPermission = errors.New("missing permission")
	ErrMissingSubject    = errors.New("missing subject")
)
Err* are sentinel errors.
var (
	PublicJWKSURL = "https://x40.eu.auth0.com/.well-known/jwks.json"

	// By default, quite a few of the JWT Claims are optional. However, we want them to be, by default, active.
	// Here, we configure the claims as we expect them.
	//
	// See:
	// 1. https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims#registered-claims
	// 2. https://auth0.com/docs/secure/tokens/access-tokens/get-access-tokens
	// 3. https://auth0.com/docs/secure/tokens/token-best-practices
	PublicJWTClaims = []jwt.ParserOption{
		jwt.WithIssuer("https://x40.eu.auth0.com/"),
		jwt.WithAudience("https://api.x40.link"),
		jwt.WithIssuedAt(),
		jwt.WithExpirationRequired(),
	}
)
Public* is the configuration for the public endpoints.
var (
ErrOpt = errors.New("unable to apply option")
)
Err* are sentinel errors.
Functions ¶
func NeedsPermission ¶
func NeedsPermission(needs string) func(X40) error
NeedsPermission returns a validator that ensures the token carries the given permission.
Types ¶
type ServerInterceptor ¶
type ServerInterceptor struct {
	// Permissions are the scopes that a given user is expected to have for the supplied method.
	Permissions map[string]string
	// contains filtered or unexported fields
}
ServerInterceptor is an interceptor that validates the JWT tokens supplied by the user.

See:
1. https://auth0.com/docs/secure/tokens/access-tokens/validate-access-tokens
func NewServerInterceptor ¶
func NewServerInterceptor(opts ...ServerInterceptorOptionFunc) (*ServerInterceptor, error)
NewServerInterceptor is a convenience function that generates the JWT validation interceptors.
func WireServerInterceptor ¶
func WireServerInterceptor() (*ServerInterceptor, error)
WireServerInterceptor generates a server interceptor from the global DI container.
func (*ServerInterceptor) StreamServerInterceptor ¶
func (o *ServerInterceptor) StreamServerInterceptor(
	srv any,
	ss grpc.ServerStream,
	info *grpc.StreamServerInfo,
	handler grpc.StreamHandler,
) error
StreamServerInterceptor provides the streaming implementation of the OIDC Verifier.
func (*ServerInterceptor) UnaryServerInterceptor ¶
func (o *ServerInterceptor) UnaryServerInterceptor(
	ctx context.Context,
	req any,
	info *grpc.UnaryServerInfo,
	handler grpc.UnaryHandler,
) (any, error)
UnaryServerInterceptor provides the unary implementation of the OIDC Verifier.
func (*ServerInterceptor) ValidateCtx ¶
func (o *ServerInterceptor) ValidateCtx(
	ctx context.Context,
	method string,
) (context.Context, error)
ValidateCtx is a shared function that validates that the metadata associated with this request carries the required token, and that the token has the permissions expected for the given method.
type ServerInterceptorOptionFunc ¶
type ServerInterceptorOptionFunc func(o *ServerInterceptor) error
ServerInterceptorOptionFunc modifies the behavior of the oauth2 validator.
func ServerInterceptorOptsFromViper ¶
func ServerInterceptorOptsFromViper() ([]ServerInterceptorOptionFunc, error)
ServerInterceptorOptsFromViper resolves the global viper configuration into a series of options that can bootstrap a server interceptor.
func WithAddedPermissions ¶
func WithAddedPermissions(perms map[string]string) ServerInterceptorOptionFunc
WithAddedPermissions sets the scopes directly on the oauth2 implementation. TODO: Test this.
func WithJWKSKeyFunc ¶
func WithJWKSKeyFunc(urls ...string) ServerInterceptorOptionFunc
WithJWKSKeyFunc allows fetching the key function from the upstream JWKS URLs.
func WithKeyFunc ¶
func WithKeyFunc(kf jwt.Keyfunc) ServerInterceptorOptionFunc
WithKeyFunc supplies the function that provides the key used for validation.
func WithParser ¶
func WithParser(p *jwt.Parser) ServerInterceptorOptionFunc
WithParser allows configuring the parser.
func WithStaticKey ¶
func WithStaticKey(k interface{}) ServerInterceptorOptionFunc
WithStaticKey allows using an arbitrary static key to check for the token validity. WARNING: Should not really be used; primarily designed for ease of testing.
type X40 ¶
type X40 struct {
	// Needs is the extension function that allows custom validation of these claims.
	Needs func(X40) error

	// The standard claims (based on the golang-jwt/jwt package).
	jwt.RegisteredClaims

	// See jwts.ClaimPermissions.
	Permissions []string `json:"permissions"`
}
X40 is a token extended with claims specific to this application.
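The claim-level checks behind NeedsPermission, ValidateCtx and the X40 type, as an added stand-alone example (not the jwts package's own code): it models the X40 claims without the golang-jwt dependency, assumes the jwt.Parser has already verified the signature and registered claims, and uses constructed method names and scopes; treating methods absent from the Permissions map as needing no extra scope is an assumption, not something the page states.

```go
package main

import (
	"errors"
	"fmt"
)
var (
	ErrMissingPermission = errors.New("missing permission")
	ErrMissingSubject    = errors.New("missing subject")
)
// X40Claims stands in for the page's X40 type (assumption: golang-jwt omitted).
type X40Claims struct {
	Subject     string                `json:"sub"`
	Permissions []string              `json:"permissions"` // see ClaimPermissions
	Needs       func(X40Claims) error `json:"-"`           // per-token extra check
}
// NeedsPermission mirrors the documented helper: the returned validator fails
// with ErrMissingPermission unless the claim set holds `needs`.
func NeedsPermission(needs string) func(X40Claims) error {
	return func(c X40Claims) error {
		for _, p := range c.Permissions {
			if p == needs {
				return nil
			}
		}
		return fmt.Errorf("%w: %q", ErrMissingPermission, needs)
	}
}

// Validate runs the claim-level checks ValidateCtx documents, after jwt.Parser has
// verified signature and registered claims; unmapped methods pass (assumption).
func Validate(c X40Claims, method string, perms map[string]string) error {
	if c.Subject == "" {
		return ErrMissingSubject
	}
	if need, ok := perms[method]; ok {
		if err := NeedsPermission(need)(c); err != nil {
			return err
		}
	}
	if c.Needs != nil {
		return c.Needs(c)
	}
	return nil
}

func main() { // constructed method name and scopes for a stand-alone run
	perms := map[string]string{"/x40.Links/Delete": "delete:links"}
	c := X40Claims{Subject: "auth0|123", Permissions: []string{"read:links"}}
	fmt.Println(Validate(c, "/x40.Links/Delete", perms))
}
```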