jwtauth

package
v3.0.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 1, 2021 License: MIT Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source
const TestKey = "https://github.com/rightscale/jwtauth#test"

TestKey is a static HMAC key used to sign and verify test JWTs.

Variables

View Source
var ScopesClaim = "scopes"

ScopesClaim is a Private Claim Name, as stipulated in RFC7519 Section 4.3, that jwtauth uses to store scope information in tokens. If you need to interoperate with third parties w/r/t to token scope, it may be advisable to change this to a Collision-Resistant Claim Name instead.

Functions

func ContextToken

func ContextToken(ctx context.Context) string

ContextToken retrieves the actual JWT associated with the request.

func LoadKey

func LoadKey(material []byte) interface{}

LoadKey is a helper function that transforms raw key material into a properly- typed key.

LoadKey returns a different type depending on the value of material:

If material is a []byte that contains a PEM-encoded PKIX key (e.g. "BEGIN PUBLIC KEY"), LoadKey parses it and returns a single public or private key of an algorithm-specific type.

If material is any other []byte, LoadKey returns it unmodified so that it can be used as an HMAC key.

Because LoadKey is designed to be used at startup, it panics if the PEM block is malformed.

func NewToken

func NewToken(key interface{}, claims Claims) (string, error)

NewToken creates a JWT with the specified claims and signs it using the specified issuer key.

This method assumes that odd-numbered keyvals are always strings (claim names) and panics otherwise.

Example token identifying Bob, issued by Alice, and good for one hour:

exp := time.Now().Add(time.Hour)
claims := jwt.NewClaims("iss", "alice", "sub", "bob", "exp", exp)
tok := jwt.NewToken(alicesKey, claims)

Example token that contains authorization scopes, which the default authorization function will test against goa's RequiredScopes:

scopes = []string{"read","write"}
claims := jwt.NewClaims("iss", "alice", "exp", exp, jwtauth.ScopesClaim, scopes)

In order for recipients to verify the example tokens above, their keystore must associate the "alice" issuer with alicesKey -- which can be either a []byte (for HMAC tokens) or a crypto.PrivateKey (for public-key tokens).

There is no standard claim name for authorization scopes, so jwtauth uses the least-surprising name, "scopes."

func TestToken

func TestToken(keyvals ...interface{}) string

TestToken creates a JWT with the specified claims and signs it using TestKey.

func WithClaims

func WithClaims(ctx context.Context, claims Claims) context.Context

WithClaims creates a child context containing the given JWT claims.

func WithToken

func WithToken(ctx context.Context, token string) context.Context

WithToken creates a child context containing the given JWT.

Types

type Claims

type Claims map[string]interface{}

Claims is a collection of claims extracted from a JWT.

func ContextClaims

func ContextClaims(ctx context.Context) Claims

ContextClaims retrieves the JWT claims associated with the request.

func NewClaims

func NewClaims(keyvals ...interface{}) Claims

NewClaims builds a map of claims using alternate keys and values from the variadic parameters. It is sugar designed to make new-token creation code more readable. Example:

claims := jwtauth.NewClaims("iss", "alice", "sub", "bob", "scopes", []string{"read", "write"})

If any odd-numbered key is not a string, this function will panic!

func (Claims) Bool

func (c Claims) Bool(name string) bool

Bool returns the named claim as a boolean, converting from other types as necessary. If the claim is absent or cannot be converted to a boolean, Bool returns false.

func (Claims) ExpiresAt

func (c Claims) ExpiresAt() time.Time

ExpiresAt returns time at which the claims were issued.

func (Claims) Int

func (c Claims) Int(name string) int64

Int returns the named claim as an integer, converting from other types as necessary. If the claim is absent or cannot be converted to an integer, Int returns 0.

func (Claims) IssuedAt

func (c Claims) IssuedAt() time.Time

IssuedAt returns time at which the claims were issued.

func (Claims) Issuer

func (c Claims) Issuer() string

Issuer returns the value of the standard JWT "iss" claim, converting to string if necessary.

func (Claims) NotBefore

func (c Claims) NotBefore() time.Time

NotBefore returns time at which the claims were issued.

func (Claims) String

func (c Claims) String(name string) string

String returns the named claim as a string, converting from other types using fmt.Stringer if supported, or fmt.Sprint() otherwise. If the claim is absent, String returns "".

func (Claims) Strings

func (c Claims) Strings(name string) []string

Strings returns the named claim as a list of strings, following the same conversion rules as String(). If the claim is absent, Strings returns nil.

func (Claims) Subject

func (c Claims) Subject() string

Subject returns the value of the standard JWT "iss" claim, converting to string if necessary.

func (Claims) Time

func (c Claims) Time(name string) time.Time

Time returns the named claim as a Time in the Unix epoch. If the claim is absent or cannot be converted to an integer, it returns 0.

type Keystore

type Keystore interface {
	// Trust grants trust in an issuer.
	Trust(issuer string, key interface{}) error
	// RevokeTrust revokes trust in an issuer.
	RevokeTrust(issuer string)
	// Get returns the key associated with the named issuer.
	Get(issuer string) interface{}
}

Keystore interface

When the middleware receives a request containing a JWT, it extracts the "iss" (Issuer) claim from the JWT body and gets a correspondingly-named key from the keystore, which it uses to verify the JWT's integrity.

type NamedKeystore

type NamedKeystore struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

NamedKeystore is a concurrency-safe, in-memory Keystore implementation that allows trust to be granted/revoked from issuers at any time.

All methods are safe to call on the zero value of this type; fields are initialized as needed.

func (*NamedKeystore) Get

func (nk *NamedKeystore) Get(issuer string) interface{}

Get implements jwtauth.Keystore#Get

func (*NamedKeystore) RevokeTrust

func (nk *NamedKeystore) RevokeTrust(issuer string)

RevokeTrust implements jwtauth.Keystore#RevokeTrust

func (*NamedKeystore) Trust

func (nk *NamedKeystore) Trust(issuer string, key interface{}) error

Trust implements jwtauth.Keystore#Trust

Grants trust in an issuer. It accepts any of the following types:

  • []byte (for HS tokens)
  • *rsa.PublicKey (for RS tokens)
  • *ecdsa.PublicKey (for ES tokens)

As a convenience, it converts the following to a related type:

  • string becomes []byte
  • *rsa.PrivateKey becomes its public key
  • *ecdsa.PrivateKey becomes its public key

type SimpleKeystore

type SimpleKeystore struct {
	Key interface{}
}

SimpleKeystore is a Keystore that trusts exactly one key regardless of the token's issuer.

Trust() and RevokeTrust() have no effect, although Trust() returns an error if called with a key other than the one-and-only trusted key.

func (*SimpleKeystore) Get

func (sk *SimpleKeystore) Get(issuer string) interface{}

Get implements jwtauth.Keystore#Get

func (*SimpleKeystore) RevokeTrust

func (sk *SimpleKeystore) RevokeTrust(issuer string)

RevokeTrust implements jwtauth.Keystore#RevokeTrust

func (*SimpleKeystore) Trust

func (sk *SimpleKeystore) Trust(issuer string, key interface{}) error

Trust implements jwtauth.Keystore#Trust

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL