Documentation ¶
Index ¶
- Constants
- Variables
- func ConstructClaimsFromSlice(claims ...Claim) (*jwt.Claims, error)
- func ParsePKCS1PrivateKey(data []byte) (*rsa.PrivateKey, error)
- func ParsePKCS1PrivateKeyFromFile(filename string) (*rsa.PrivateKey, error)
- func ParsePKCS1PrivateKeyFromFileAFS(afs afero.Fs, filename string) (*rsa.PrivateKey, error)
- func ParsePKCS1PublicKey(data []byte) (*rsa.PublicKey, error)
- func ParsePKCS1PublicKeyFromFile(filename string) (*rsa.PublicKey, error)
- func ParsePKCS1PublicKeyFromFileAFS(afs afero.Fs, filename string) (*rsa.PublicKey, error)
- func Sign(signer Signer, subject, audience string, online bool, ...) ([]byte, error)
- func SignFingerprint(signer Signer, subject, audience, fingerprint string, online bool, ...) ([]byte, error)
- type Claim
- func Any(key string, value interface{}) Claim
- func Bool(key string, val bool) Claim
- func Float(key string, val float64) Claim
- func Int(key string, val int64) Claim
- func Reflect(key string, val interface{}) Claim
- func String(key, val string) Claim
- func Time(key string, val time.Time) Claim
- func Uint(key string, val uint64) Claim
- type ClaimType
- type RSASigner
- type RSAVerifier
- type Signer
- type Verifier
- type VerifyResult
Constants ¶
const (
	// Issuer is the IANA Registered claim for JWT issuer.
	Issuer string = "iss"
	// Subject is the IANA Registered claim for JWT subject.
	Subject string = "sub"
	// Audience is the IANA Registered claim for JWT audience.
	Audience string = "aud"
	// Expires is the IANA Registered claim for JWT expiry time.
	Expires string = "exp"
	// NotBefore is the IANA Registered claim for JWT not-before time.
	NotBefore string = "nbf"
	// Issued is the IANA Registered claim for JWT issue time.
	Issued string = "iat"
	// ID is the IANA Registered claim for JWT ID.
	ID string = "jti"
)
Variables ¶
var ErrInvalidClaimType = errors.New("invalid claim type")
ErrInvalidClaimType is returned when an operation encounters a claim whose ClaimType is invalid.
var ErrTokenInvalidAudience = errors.New("invalid token audience")
ErrTokenInvalidAudience is the error returned when an audience does not match the token.
var ErrTokenTimeNotValid = errors.New("token time is not valid")
ErrTokenTimeNotValid is the general error returned when a token is outside the NotBefore or Expires times.
Functions ¶
func ConstructClaimsFromSlice ¶
ConstructClaimsFromSlice takes a slice of `Claim`s and returns a prepared `jwt.Claims` pointer, or an error if construction failed.
Duplicate keys are overridden in order of appearance: the last `Claim` with a given key wins.
func ParsePKCS1PrivateKey ¶
func ParsePKCS1PrivateKey(data []byte) (*rsa.PrivateKey, error)
ParsePKCS1PrivateKey parses a PKCS1 Private Key from a byte slice containing an RSA key in PEM format.
func ParsePKCS1PrivateKeyFromFile ¶
func ParsePKCS1PrivateKeyFromFile(filename string) (*rsa.PrivateKey, error)
ParsePKCS1PrivateKeyFromFile parses a PKCS1 Private Key from a PEM file.
func ParsePKCS1PrivateKeyFromFileAFS ¶
ParsePKCS1PrivateKeyFromFileAFS parses a PKCS1 Private Key from a PEM file with a supplied `afero.Fs`.
func ParsePKCS1PublicKey ¶
ParsePKCS1PublicKey parses a PKCS#1 RSA public key from a byte slice containing PEM-encoded data and returns it as an `*rsa.PublicKey`.
func ParsePKCS1PublicKeyFromFile ¶
ParsePKCS1PublicKeyFromFile parses a PKCS#1 RSA public key from a PEM file.
func ParsePKCS1PublicKeyFromFileAFS ¶
ParsePKCS1PublicKeyFromFileAFS parses a PKCS#1 RSA public key from a PEM file with a supplied `afero.Fs`.
Types ¶
type Claim ¶
type Claim struct {
	Key       string
	Type      ClaimType
	Integer   int64
	Uinteger  uint64
	Float     float64
	String    string
	Interface interface{}
}
A Claim is a typed key-value pair that is marshaled into a token's claim set. `Type` selects which of the value members (`Integer`, `Uinteger`, `Float`, `String` or `Interface`) holds the value and how it is serialized.
func Any ¶
Any takes a key and an arbitrary value and chooses the best way to represent them as a claim, falling back to a reflection-based approach only if necessary.
Since byte/uint8 and rune/int32 are aliases, Any can't differentiate between them. To minimize surprises, []byte values are treated as binary blobs, byte values are treated as uint8, and runes are always treated as integers.
func Reflect ¶
Reflect constructs a claim with the given key and an arbitrary object. It uses an encoding-appropriate, reflection-based function to lazily serialize nearly any object into the claim set, but it is relatively slow and allocation-heavy. Outside tests, Any is always a better choice.
If encoding fails (e.g., trying to serialize a map[int]string to JSON), Reflect includes the error message in the serialized output.
func (Claim) IsRegistered ¶
IsRegistered returns true if the Key is one of the IANA registered "JSON Web Token Claims".
type ClaimType ¶
type ClaimType uint8
A ClaimType indicates which member of the Claim union struct should be used and how it should be serialized.
const (
	// UnknownType is the default; using it returns an error.
	UnknownType ClaimType = iota
	// ArrayMarshalerType indicates that the field carries an ArrayMarshaler.
	ArrayMarshalerType
	// ObjectMarshalerType indicates that the field carries an ObjectMarshaler.
	ObjectMarshalerType
	// BinaryType indicates that the field carries an opaque binary blob.
	BinaryType
	// BoolType indicates that the field carries a bool.
	BoolType
	// ByteStringType indicates that the field carries UTF-8 encoded bytes.
	ByteStringType
	// Complex128Type indicates that the field carries a complex128.
	Complex128Type
	// Complex64Type indicates that the field carries a complex64.
	Complex64Type
	// DurationType indicates that the field carries a time.Duration.
	DurationType
	// Float64Type indicates that the field carries a float64.
	Float64Type
	// Float32Type indicates that the field carries a float32.
	Float32Type
	// Int64Type indicates that the field carries an int64.
	Int64Type
	// Int32Type indicates that the field carries an int32.
	Int32Type
	// Int16Type indicates that the field carries an int16.
	Int16Type
	// Int8Type indicates that the field carries an int8.
	Int8Type
	// StringType indicates that the field carries a string.
	StringType
	// TimeType indicates that the field carries a time.Time.
	TimeType
	// Uint64Type indicates that the field carries a uint64.
	Uint64Type
	// Uint32Type indicates that the field carries a uint32.
	Uint32Type
	// Uint16Type indicates that the field carries a uint16.
	Uint16Type
	// Uint8Type indicates that the field carries a uint8.
	Uint8Type
	// UintptrType indicates that the field carries a uintptr.
	UintptrType
	// ReflectType indicates that the field carries an interface{}, which should
	// be serialized using reflection.
	ReflectType
	// NamespaceType signals the beginning of an isolated namespace. All
	// subsequent fields should be added to the new namespace.
	NamespaceType
	// StringerType indicates that the field carries a fmt.Stringer.
	StringerType
	// ErrorType indicates that the field carries an error.
	ErrorType
	// SkipType indicates that the field is a no-op.
	SkipType
)
Type list borrowed from uber-go/zap.
type RSASigner ¶
type RSASigner struct {
	PrivateKey *rsa.PrivateKey
	Issuer     string
	Algorithm  string
}
RSASigner implements the `Signer` interface and signs tokens with the RSA private key it holds.
type RSAVerifier ¶
RSAVerifier implements the `Verifier` interface and verifies RSA-signed tokens against the RSA public key it holds.
func (*RSAVerifier) Verify ¶
func (v *RSAVerifier) Verify(token []byte) (VerifyResult, error)
Verify checks the token's signature against the RSA public key, then checks that the audience matches and that the current time lies within the token's not-before and expiry bounds.
type Signer ¶
Signer produces a token from a supplied subject and audience with not-before and expiry times.
func NewRSASignerFromFile ¶
NewRSASignerFromFile returns an `RSASigner` initialized with the RSA Private Key supplied.
type Verifier ¶
type Verifier interface {
	// Verify processes a supplied token
	Verify(token []byte) (VerifyResult, error)
}
Verifier takes a token and returns a `VerifyResult` describing it (including its subject) if it is valid, or an error if it is not.
func NewRSAVerifierFromFile ¶
NewRSAVerifierFromFile returns an `RSAVerifier` initialized with the RSA Public Key supplied and an audience for token verification.
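Sign, ConstructClaimsFromSlice and RSAVerifier.Verify together describe one RS256 issue-and-verify flow. The following is an added example in Go, written for this page and not the package's own code, that reproduces that flow with only the standard library: claims are folded with last-wins duplicate handling, the token is signed with RSA PKCS#1 v1.5 over SHA-256, and verification pins the header's alg to RS256 before the signature is checked and checks aud, nbf and exp after it. The names claim, constructClaims, signRS256, issueToken, verifyRS256, ErrBadSignature and ErrBadAlgorithm are hypothetical; the Sign parameters elided on this page (`...`) are not reproduced, and the verifier returns the subject as a string rather than a VerifyResult.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// The first two errors are named as on the page; the other two are hypothetical additions.
var (
	ErrTokenInvalidAudience = errors.New("invalid token audience")
	ErrTokenTimeNotValid    = errors.New("token time is not valid")
	ErrBadSignature         = errors.New("invalid token signature")
	ErrBadAlgorithm         = errors.New("unexpected token algorithm")
)

// claim stands in for the page's Claim (hypothetical): one key and its value.
type claim struct{ Key string; Value interface{} }

// constructClaims folds claims into a set; a later duplicate key overrides an earlier one.
func constructClaims(claims ...claim) map[string]interface{} {
	out := make(map[string]interface{}, len(claims))
	for _, c := range claims {
		out[c.Key] = c.Value
	}
	return out
}

// signRS256 emits header.payload.signature with a fixed RS256 header.
func signRS256(key *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig), err
}

// issueToken mirrors Sign (nbf = now, exp = now+ttl); registered claims come after extra, so a caller-supplied duplicate cannot extend exp or retarget aud.
func issueToken(key *rsa.PrivateKey, subject, audience string, now time.Time, ttl time.Duration, extra ...claim) (string, error) {
	all := append(extra, claim{"sub", subject}, claim{"aud", audience},
		claim{"nbf", now.Unix()}, claim{"exp", now.Add(ttl).Unix()})
	return signRS256(key, constructClaims(all...))
}

// verifyRS256 pins alg before trusting anything, checks the signature, then aud, nbf and exp, and returns the subject.
func verifyRS256(pub *rsa.PublicKey, audience, token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return "", err
		}
		raw[i] = b
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return "", ErrBadAlgorithm // refuses "none" and HS256 key-confusion tokens
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return "", ErrBadSignature
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return "", err
	}
	if aud, _ := claims["aud"].(string); aud != audience {
		return "", ErrTokenInvalidAudience
	}
	unix := float64(now.Unix()) // encoding/json decodes JSON numbers as float64
	nbf, okN := claims["nbf"].(float64)
	exp, okE := claims["exp"].(float64)
	if !okN || !okE || unix < nbf || unix >= exp {
		return "", ErrTokenTimeNotValid
	}
	sub, _ := claims["sub"].(string)
	return sub, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := issueToken(key, "alice", "api.example", time.Now(), time.Hour)
	fmt.Println(verifyRS256(&key.PublicKey, "api.example", tok, time.Now()))
}
```

Two ordering choices carry the security weight here. The verifier fixes the algorithm from its own configuration rather than from the token header, so a verifier that holds only a public key never ends up treating that key as an HMAC secret or accepting an unsigned token. The issuer appends the registered claims after any caller-supplied ones, so the page's last-wins duplicate rule cannot be used by a caller to push exp out or change aud; a token is also refused when nbf or exp is absent, since the page's Signer always sets both.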