jwt

package
v0.0.0-...-4dcfcdd Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 2, 2024 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Overview

Package jwt contains support for using JWT tokens to authenticate and authorize incoming connections.

We require that incoming tokens have been signed with either RSA or EC keys. The public keys used for validation are stored in the database and are periodically refreshed.

Incoming JWT tokens are required to have the well-known "jti" token identifier field set. This is checked against a list of revoked token ids that are also stored in the database.

A minimally-acceptable token is shown below:

{
   "jti": "a25dac04-9f3e-49c1-a068-ee0a2abbd7df",
   "https://github.com/cockroachdb/cdc-sink": {
     "sch": [
       [ "database", "schema" ],
       [ "another_database", "*" ],
       [ "*", "required_schema" ],
       [ "*", "*" ]
     ]
   }
}

As seen above, we use a globally-unique namespace to provide a list of schemas that the caller is allowed to use. Additional fields may be added to this namespace in the future.

Index

Constants

This section is empty.

Variables

View Source
var (
	// PublicKeysTable is the name of the table that contains public
	// keys used to validate incoming JWT tokens.
	PublicKeysTable = ident.New("jwt_public_keys")
	// RefreshDelay controls how ofter a watcher will refresh its schema. If
	// this value is zero or negative, refresh behavior will be disabled.
	RefreshDelay = flag.Duration("jwtRefresh", time.Minute,
		"how often to scan for updated JWT configuration; set to zero to disable")
	// RevokedIdsTable allows a list of known-bad "jti" token ids to be
	// rejected.
	RevokedIdsTable = ident.New("jwt_revoked_ids")
)

Set is used by Wire.

Functions

func InsertRevokedToken

func InsertRevokedToken(
	ctx context.Context,
	tx types.StagingQuerier,
	auth types.Authenticator,
	stagingDB ident.StagingSchema,
	id string,
) error

InsertRevokedToken inserts the id of a revoked token into the Authenticator.

func InsertTestingKey

func InsertTestingKey(
	ctx context.Context,
	tx types.StagingQuerier,
	auth types.Authenticator,
	stagingDB ident.StagingSchema,
) (method jwt.SigningMethod, signer crypto.PrivateKey, err error)

InsertTestingKey generates a new private key and updates the existing Authenticator with the associated public key.

func ProvideAuth

func ProvideAuth(
	ctx *stopper.Context, db types.StagingQuerier, stagingDB ident.StagingSchema,
) (auth types.Authenticator, err error)

ProvideAuth is called by Wire to construct a JWT-based authenticator. This provider will also start a background goroutine to look for configuration changes in the database.

Types

type ClaimData

type ClaimData struct {
	Schemas []ident.Schema `json:"schemas,omitempty"`
}

ClaimData is the custom data that we want to embed in a JWT token.

type Claims

type Claims struct {
	jwt.RegisteredClaims
	// Place our extension in a proper namespace, for compatibility with
	// e.g. Auth0.
	Ext ClaimData `json:"https://github.com/cockroachdb/cdc-sink,omitempty"`
}

Claims extends the core JWT Claims with elements specific to cdc-sink.

func NewClaim

func NewClaim(schemas []ident.Schema) (Claims, error)

NewClaim returns a minimal clam that would provide access to the requested schemas.

func Sign

func Sign(
	method jwt.SigningMethod, key crypto.PrivateKey, schemas []ident.Schema,
) (Claims, string, error)

Sign generates a new JWT that is compatible with cdc-sink. This method is used for testing and for the example quickstart.

func (Claims) Valid

func (c Claims) Valid() error

Valid implements jwt.Claims.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL