Package token

const (
    // TokenSeparator is the value which separates the header, claims, and
    // signature in the compact serialization of a JSON Web Token.
    TokenSeparator = "."
    // Leeway is the Duration that will be added to NBF and EXP claim
    // checks to account for clock skew as per https://tools.ietf.org/html/rfc7519#section-4.1.5
    Leeway = 60 * time.Second
)

Variables

Errors used and exported by this package.

var (
    ErrInsufficientScope = errors.New("insufficient scope")
    ErrTokenRequired     = errors.New("authorization token required")
)

Errors used by token parsing and verification.

var (
    ErrMalformedToken = errors.New("malformed token")
    ErrInvalidToken   = errors.New("invalid token")
)

type ClaimSet ¶

ClaimSet describes the main section of a JSON Web Token.

type ClaimSet struct {
    // Public claims
    Issuer     string `json:"iss"`
    Subject    string `json:"sub"`
    Audience   string `json:"aud"`
    Expiration int64  `json:"exp"`
    NotBefore  int64  `json:"nbf"`
    IssuedAt   int64  `json:"iat"`
    JWTID      string `json:"jti"`

    // Private claims
    Access []*ResourceActions `json:"access"`
}

Header describes the header section of a JSON Web Token.

type Header struct {
    Type       string           `json:"typ"`
    SigningAlg string           `json:"alg"`
    KeyID      string           `json:"kid,omitempty"`
    X5c        []string         `json:"x5c,omitempty"`
    RawJWK     *json.RawMessage `json:"jwk,omitempty"`
}

type ResourceActions ¶

ResourceActions stores allowed actions on a named and typed resource.

type ResourceActions struct {
    Type    string   `json:"type"`
    Class   string   `json:"class,omitempty"`
    Name    string   `json:"name"`
    Actions []string `json:"actions"`
}

type Token ¶

Token describes a JSON Web Token.

type Token struct {
    Raw       string
    Header    *Header
    Claims    *ClaimSet
    Signature []byte
}

func NewToken ¶

func NewToken(rawToken string) (*Token, error)

NewToken parses the given raw token string and constructs an unverified JSON Web Token.

func (*Token) Verify ¶

func (t *Token) Verify(verifyOpts VerifyOptions) error

Verify attempts to verify this token using the given options. Returns a nil error if the token is valid.

func (*Token) VerifySigningKey ¶

func (t *Token) VerifySigningKey(verifyOpts VerifyOptions) (signingKey libtrust.PublicKey, err error)

VerifySigningKey attempts to get the key which was used to sign this token. The token header should contain either of these 3 fields:

`x5c` - The x509 certificate chain for the signing key. Needs to be
        verified.
`jwk` - The JSON Web Key representation of the signing key.
        May contain its own `x5c` field which needs to be verified.
`kid` - The unique identifier for the key. This library interprets it
        as a libtrust fingerprint. The key itself can be looked up in
        the trustedKeys field of the given verify options.

Each of these methods are tried in that order of preference until the signing key is found or an error is returned.

type VerifyOptions ¶

VerifyOptions is used to specify options when verifying a JSON Web Token.

type VerifyOptions struct {
    TrustedIssuers    []string
    AcceptedAudiences []string
    Roots             *x509.CertPool
    TrustedKeys       map[string]libtrust.PublicKey
}

Package token

Overview ▹

Overview ▾

Index ▹

Index ▾

Package files

Constants