token

package
v0.11.10 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 26, 2024 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrJWKSNotFound    = errors.New("kid not found in JWKS")
	ErrJWKSInvalidType = errors.New("certificate must be ecdsa")
	ErrJWKSKeyExists   = errors.New("key with the same kid already exists")
)

Various errors returned by a JWKS.

Functions

func Fingerprint 

func Fingerprint(cert *x509.Certificate) string

Fingerprint returns the fingerprint of the given certificate.

func Fprint 

func Fprint(w io.Writer, token string, opts ...PrintOption) error

Fprint prints the given token string using the methods passed as options in the given io.Writer. If you pass no option, this function is a noop

func FromRequest 

func FromRequest(req *elemental.Request) string

FromRequest retrieves the token from the given elemental.Request first looking at the cookie x-a3s-token, then the request.Password.

func FromSession 

func FromSession(session bahamut.Session) string

FromSession retrieves the token from the given bahamut.Session first looking at the cookie x-a3s-token, then the session.Token(.

Types

type ErrJWKSRemote 

type ErrJWKSRemote struct {
	Err error
}

A ErrJWKSRemote represents an error while interacting with a remote JWKS.

func (ErrJWKSRemote) Error 

func (e ErrJWKSRemote) Error() string

func (ErrJWKSRemote) Unwrap 

func (e ErrJWKSRemote) Unwrap() error

Unwrap returns the warped error.

type IdentityToken 

type IdentityToken struct {

	// The identity claims of the token.
	Identity []string `json:"identity"`

	// If true, the token can be used to get a new token.
	// with a longer expiration time.
	Refresh bool `json:"refresh,omitempty"`

	// Opaque user information transmitted in the token.
	Opaque map[string]string `json:"opaque,omitempty"`

	// Restrictions applied on dynamically computed permissions.
	Restrictions *permissions.Restrictions `json:"restrictions,omitempty"`

	// Information relative to the autentication source used to
	// validate bearer's Identity.
	Source Source `json:"-"`

	jwt.RegisteredClaims
}

An IdentityToken represents a normalized identity token.

func NewIdentityToken 

func NewIdentityToken(source Source) *IdentityToken

NewIdentityToken returns a new IdentityToken with the given Source.

func Parse 

func Parse(tokenString string, keychain *JWKS, trustedIssuer string, requiredAudience string) (*IdentityToken, error)

Parse returns a validated IdentityToken from the given token string using the given JWKS, mandatory trusted issuer and requiredAudience. The token must contain the "kid" header, and that ID must match an existing key in JWKS. The function will populate the identity token's source using the @source* claims. The claim @source:type is mandatory and the function will return an error if it is missing.

func ParseUnverified 

func ParseUnverified(tokenString string) (*IdentityToken, error)

ParseUnverified returns a non validated IdentityToken from the given tokenString, This method does not do any additional check on signature, issuer or audience and should only used to peek some data from the token before actually verifying it.

func (*IdentityToken) JWT 

func (t *IdentityToken) JWT(key crypto.PrivateKey, kid string, issuer string, audience jwt.ClaimStrings, exp time.Time, cloak []string) (string, error)

JWT returns the signed JWT string signed by the given crypto.PrivateKey. The given kid must match the ID of the public key. The JWT iss and aud will be set to the provided issuer and audience, whatever was any current values. The iat field will be set time.Now(), also ignoring current values. The exp field will be set to the provided time.Time. If it is a zero value time.Time, then any current value will be kept (potentially ending in an already expired token if the current value is also zero). cloak, if not empty, will remove any identity claims that are not prefixed with any string from the array.

func (*IdentityToken) Restrict 

func (t *IdentityToken) Restrict(restrictions permissions.Restrictions) (err error)

Restrict applies the given permissions to the token. If the token is not already restricted the restrictions will be applied as is. If it is already restricted, the new restrictions will be applied over the existing ones, and the function will return an error if the requested restrictions break the limits of the current ones.

type Issuer 

type Issuer interface {
	Issue() *IdentityToken
}

An Issuer is an object that can issue IdentityToken.

type JWKS 

type JWKS struct {
	Keys []*JWKSKey `json:"keys"`

	sync.RWMutex
	// contains filtered or unexported fields
}

A JWKS is a structure to manage a JSON Web Key Set.

func JWKSFromTokenIssuer 

func JWKSFromTokenIssuer(ctx context.Context, idt *IdentityToken, tlsConfig *tls.Config) (*JWKS, error)

JWKSFromTokenIssuer will retrieve a remote JWKS from the issuer field in the given idt, using the eventually given tlsConfig to retrieve the JWKS.. You usually want to pass a non verified IdentityToken here (from ParseUnverified for instance) so you can then correctly verify it using Parse().

func NewJWKS 

func NewJWKS() *JWKS

NewJWKS returns a new JWKS.

func NewRemoteJWKS 

func NewRemoteJWKS(ctx context.Context, client *http.Client, url string) (*JWKS, error)

NewRemoteJWKS returns a JWKS prepulated with the data found at the given URL using the provided http.Client. If http.Client is nil, the default client will be used.

func (*JWKS) Append 

func (j *JWKS) Append(cert *x509.Certificate) error

Append appends a new certificate to the JWKS.

func (*JWKS) AppendWithPrivate 

func (j *JWKS) AppendWithPrivate(cert *x509.Certificate, private crypto.PrivateKey) error

AppendWithPrivate appends a new certificate and its private key to the JWKS.

func (*JWKS) Del 

func (j *JWKS) Del(kid string) bool

Del deletes the key with the given ID. Returns true if something was deleted, false otherwise.

func (*JWKS) Get 

func (j *JWKS) Get(kid string) (*JWKSKey, error)

Get returns the key with the given ID. Returns ErrJWKSNotFound if not found.

func (*JWKS) GetLast 

func (j *JWKS) GetLast() *JWKSKey

GetLast returns the last inserted key.

type JWKSKey 

type JWKSKey struct {
	KTY string `json:"kty"`
	KID string `json:"kid"`
	Use string `json:"use"`
	Alg string `json:"alg,omitempty"`
	N   string `json:"n,omitempty"`
	X   string `json:"x,omitempty"`
	Y   string `json:"y,omitempty"`
	CRV string `json:"crv,omitempty"`
	// contains filtered or unexported fields
}

JWKSKey represents a single key stored in a JWKS.

func (*JWKSKey) Curve 

func (k *JWKSKey) Curve() elliptic.Curve

Curve returns the curve used by the key.

func (*JWKSKey) PrivateKey 

func (k *JWKSKey) PrivateKey() crypto.PrivateKey

PrivateKey returns the crypto.PrivateKey associated to the public key, if it was given it was added to the JWKS.

func (*JWKSKey) PublicKey 

func (k *JWKSKey) PublicKey() crypto.PublicKey

PublicKey returns a ready to use crypto.PublicKey.

type PrintOption 

type PrintOption func(*printCfg)

PrintOption represents options that can be passed to token.Print

func PrintOptionDecoded 

func PrintOptionDecoded(enabled bool) PrintOption

PrintOptionDecoded prints the information contained in the token.

func PrintOptionQRCode 

func PrintOptionQRCode(enabled bool) PrintOption

PrintOptionQRCode prints the token as a QRCode.

func PrintOptionRaw 

func PrintOptionRaw(enabled bool) PrintOption

PrintOptionRaw sets the printer to print the raw token.

type Source 

type Source struct {
	Type      string `json:"type"`
	Namespace string `json:"namespace,omitempty"`
	Name      string `json:"name,omitempty"`
}

A Source represents the authentication source info used to derive an IdentityToken.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.