Documentation
Index
Constants
This section is empty.
Variables
var ALLOWED_PURPOSES []string = []string{"id", "access", "refresh", "session", "api_key"}
`fence`-specific: the `pur` field indicates the purpose for the token, which may also be validated. If used, it must take one of these values.
Functions
This section is empty.
Types
type Claims
type Claims = map[string]interface{}
Claims is a type alias for the values of the claims from a decoded token.
Because it's a map, it must be created with `make(Claims)`.
type EncodedToken
type EncodedToken = string
type Expected
type Expected struct {
    // Scopes is a list of expected uses of the token.
    Scopes []string `json:"scope"`
    // Expiration is the Unix timestamp at which the token becomes expired.
    Expiration *int64 `json:"exp"`
    // Issuers is a list of acceptable issuers to expect tokens to contain.
    Issuers []string `json:"iss"`
    // Purpose is an optional field indicating the type of the token (access,
    // refresh, etc.)
    Purpose *string `json:"pur"`
}
Expected represents some values which are used to validate the claims in a token.
type JWTApplication
type JWTApplication struct {
    // Keys is used for looking up RSA public keys by ID for token validation.
    Keys *KeysManager
}
JWTApplication stores the state for an application needing to validate JWTs.
func NewJWTApplication
func NewJWTApplication(jwkURL string) *JWTApplication
NewJWTApplication initializes a new application.
func (*JWTApplication) Decode
func (application *JWTApplication) Decode(encodedToken EncodedToken) (*Claims, error)
Decode takes an encoded token, finds the key suitable for validating this token, and returns the decoded token claims.
NOTE that this does NOT validate the claims, only the signature.
func (*JWTApplication) ValidateRequest
func (application *JWTApplication) ValidateRequest(r *http.Request, expected *Expected) (*Claims, error)
ValidateRequest takes an http.Request and some expectations for the claims in a token, looks for an encoded JWT in the `Authorization` header, and validates and decodes the JWT header to return the claims it contains.
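The distinction between the two descriptions above matters: Decode verifies only the signature, so the claims still have to be checked against an Expected before the token is trusted, which is what ValidateRequest adds. The following is an added example, not the package's own validation code, of what those checks look like in plain Go using the Claims, Expected and ALLOWED_PURPOSES shapes documented on this page. It assumes the scope claim may arrive either as a space-delimited string or as a JSON array, checks the token's own exp claim against a caller-supplied now, and leaves Expected.Expiration unused (kept in the struct for fidelity to the docs); the sample claims are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Claims and Expected mirror the shapes documented on this page, and
// ALLOWED_PURPOSES is the package's exported variable copied verbatim.
type Claims = map[string]interface{}

type Expected struct {
	Scopes     []string `json:"scope"`
	Expiration *int64   `json:"exp"`
	Issuers    []string `json:"iss"`
	Purpose    *string  `json:"pur"`
}

var ALLOWED_PURPOSES = []string{"id", "access", "refresh", "session", "api_key"}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// claimInt64 accepts the float64 that encoding/json produces for every JSON number.
func claimInt64(v interface{}) (int64, bool) {
	n, ok := v.(float64)
	return int64(n), ok
}

// claimScopes accepts an OAuth2-style space-delimited string or a JSON array.
func claimScopes(v interface{}) ([]string, bool) {
	switch s := v.(type) {
	case string:
		return strings.Fields(s), true
	case []interface{}:
		out := make([]string, 0, len(s))
		for _, item := range s {
			str, ok := item.(string)
			if !ok {
				return nil, false
			}
			out = append(out, str)
		}
		return out, true
	}
	return nil, false
}

// ValidateClaims is an added illustration (not the package's code) of the claim
// checks Decode does NOT perform. Every field of Expected is optional; a claim
// that is present but malformed is always rejected.
func ValidateClaims(claims Claims, expected *Expected, now int64) error {
	exp, ok := claimInt64(claims["exp"])
	if !ok {
		return errors.New("missing or malformed exp claim")
	}
	if exp <= now {
		return fmt.Errorf("token expired at %d (now %d)", exp, now)
	}
	if len(expected.Issuers) > 0 {
		if iss, _ := claims["iss"].(string); !contains(expected.Issuers, iss) {
			return fmt.Errorf("issuer %q is not accepted", iss)
		}
	}
	if len(expected.Scopes) > 0 {
		have, ok := claimScopes(claims["scope"])
		if !ok {
			return errors.New("missing or malformed scope claim")
		}
		for _, want := range expected.Scopes {
			if !contains(have, want) {
				return fmt.Errorf("missing required scope %q", want)
			}
		}
	}
	// pur is optional, but when present it must be one of ALLOWED_PURPOSES.
	purStr, _ := claims["pur"].(string)
	if _, present := claims["pur"]; present && !contains(ALLOWED_PURPOSES, purStr) {
		return fmt.Errorf("pur %q is not one of %v", purStr, ALLOWED_PURPOSES)
	}
	if expected.Purpose != nil && purStr != *expected.Purpose {
		return fmt.Errorf("purpose %q, expected %q", purStr, *expected.Purpose)
	}
	return nil
}

func main() {
	// Constructed sample claims, shaped as encoding/json would produce them.
	purpose := "access"
	claims := Claims{"iss": "https://example.test/user", "exp": float64(1700000600), "scope": "openid user", "pur": "access"}
	expected := &Expected{Scopes: []string{"user"}, Issuers: []string{"https://example.test/user"}, Purpose: &purpose}
	fmt.Println("validation error:", ValidateClaims(claims, expected, 1700000000))
}
```

The `now` parameter is passed in rather than read from the clock so that expiry handling can be exercised deterministically; a caller would pass `time.Now().Unix()`.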
type KeysManager
type KeysManager struct {
    URL     string
    KeyList []*jose.JSONWebKey
    KeyMap  map[string]*jose.JSONWebKey
}
KeysManager handles the storage and updating of a set of JWKs. The KeysManager must be configured with the URL for the endpoint of a keys provider that returns the JWKS in the format specified by RFC 7517.
func NewKeysManager
func NewKeysManager(jwkURL string) KeysManager
func (*KeysManager) Clear
func (manager *KeysManager) Clear()
Clear empties all keys from the KeysManager.
func (*KeysManager) DefaultKey
func (manager *KeysManager) DefaultKey() *jose.JSONWebKey
DefaultKey returns the first key in the list of keys stored by the KeysManager. By internal convention, the keys provider should return the keys in chronological order, with the most recently created keys first, which is meant to be the default.
func (*KeysManager) Insert
func (manager *KeysManager) Insert(key jose.JSONWebKey)
Insert adds a single jose.JSONWebKey to the KeysManager.
func (*KeysManager) Lookup
func (manager *KeysManager) Lookup(keyID string) (*jose.JSONWebKey, error)
Lookup finds the key with the given ID. If none is found attached to the application currently, it makes a request to the URL configured in the manager to retrieve new keys.
func (*KeysManager) Refresh
func (manager *KeysManager) Refresh() error
Refresh makes a request to the URL configured in the KeysManager to update the keys it stores with the latest results from the provider.
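The Lookup, Refresh and DefaultKey descriptions above together define a small key cache: serve from memory, fall back to the JWKS endpoint when a key ID is unknown, and treat the first listed key as the default. The following is an added example, not the package's own code, that re-implements that behaviour with only the standard library; a local JSONWebKey struct stands in for jose.JSONWebKey and carries only the members the cache needs. It goes one step beyond the page by adding MinRefresh, a minimum interval between miss-triggered fetches, so that a stream of requests carrying unknown key IDs cannot turn every lookup into a request to the provider. ServeJWKS and the key IDs in main are constructed for local runs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// JSONWebKey stands in for jose.JSONWebKey; a real entry also carries key material (n/e for RSA).
type JSONWebKey struct {
	KeyID   string `json:"kid"`
	KeyType string `json:"kty"`
}

// KeysManager re-implements the documented behaviour (refresh on a lookup miss,
// first key is the default). MinRefresh is an addition beyond the page: it bounds
// how often an unknown kid may trigger a fetch from the provider.
type KeysManager struct {
	URL         string
	KeyList     []JSONWebKey
	KeyMap      map[string]*JSONWebKey
	MinRefresh  time.Duration
	lastRefresh time.Time
	mu          sync.Mutex
}

func NewKeysManager(jwkURL string) *KeysManager {
	return &KeysManager{URL: jwkURL, KeyMap: map[string]*JSONWebKey{}, MinRefresh: 10 * time.Second}
}

// DefaultKey is the first listed key, relying on the provider ordering newest first.
func (m *KeysManager) DefaultKey() *JSONWebKey {
	m.mu.Lock()
	defer m.mu.Unlock()
	if len(m.KeyList) == 0 {
		return nil
	}
	return &m.KeyList[0]
}

// Refresh fetches the JWKS ({"keys": [...]}, RFC 7517) and swaps the whole set in at once.
func (m *KeysManager) Refresh() error {
	resp, err := (&http.Client{Timeout: 5 * time.Second}).Get(m.URL)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("jwks endpoint returned %s", resp.Status)
	}
	var body struct{ Keys []JSONWebKey `json:"keys"` }
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return err
	}
	byID := map[string]*JSONWebKey{}
	for i := range body.Keys {
		byID[body.Keys[i].KeyID] = &body.Keys[i]
	}
	m.mu.Lock()
	m.KeyList, m.KeyMap, m.lastRefresh = body.Keys, byID, time.Now()
	m.mu.Unlock()
	return nil
}

// Lookup returns the cached key; on a miss it refreshes (at most once per MinRefresh) and retries.
func (m *KeysManager) Lookup(keyID string) (*JSONWebKey, error) {
	m.mu.Lock()
	key, tooSoon := m.KeyMap[keyID], time.Since(m.lastRefresh) < m.MinRefresh
	m.mu.Unlock()
	if key != nil {
		return key, nil
	}
	if tooSoon {
		return nil, fmt.Errorf("unknown key id %q (refresh throttled)", keyID)
	}
	if err := m.Refresh(); err != nil {
		return nil, err
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	if key := m.KeyMap[keyID]; key != nil {
		return key, nil
	}
	return nil, fmt.Errorf("unknown key id %q after refresh", keyID)
}

// ServeJWKS is a constructed stand-in for the keys provider, for local runs and tests.
func ServeJWKS(keys []JSONWebKey) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(map[string][]JSONWebKey{"keys": keys})
	}))
}

func main() {
	srv := ServeJWKS([]JSONWebKey{{KeyID: "2024-06", KeyType: "RSA"}, {KeyID: "2024-01", KeyType: "RSA"}})
	key, err := NewKeysManager(srv.URL).Lookup("2024-01")
	fmt.Println(key, err)
}
```

Refresh builds the new list and map before taking the lock, so concurrent lookups never observe a half-empty cache during rotation; a refresh that fails leaves the previous key set in place.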
type KeysResponse
KeysResponse is used for decoding the JSON response from the service issuing the RSA keys.