const (
SigningMethodNone = jose.SignatureAlgorithm("none")
// This key should be use to correctly sign and verify alg:none JWT tokens
UnsafeAllowNoneSignatureType unsafeNoneMagicConstant = "none signing method allowed"
JWTHeaderType = jose.HeaderKey("typ")
JWTHeaderTypeValue = "JWT"
)
Validation provides a backwards compatible error definition from `jwt-go` to `go-jose`. The sourcecode was taken from https://github.com/dgrijalva/jwt-go/blob/master/errors.go
> The errors that might occur when parsing and validating a token
const (
ValidationErrorMalformed uint32 = 1 << iota // Token is malformed
ValidationErrorUnverifiable // Token could not be verified because of signing problems
ValidationErrorSignatureInvalid // Signature validation failed
// Standard Claim validation errors
ValidationErrorAudience // AUD validation failed
ValidationErrorExpired // EXP validation failed
ValidationErrorIssuedAt // IAT validation failed
ValidationErrorIssuer // ISS validation failed
ValidationErrorNotValidYet // NBF validation failed
ValidationErrorId // JTI validation failed
ValidationErrorClaimsInvalid // Generic claims validation error
)
var SHA256HashSize = crypto.SHA256.Size()
var TimeFunc = time.Now
func Copy(elements map[string]interface{}) (result map[string]interface{})
Copy will copy all elements in a map and return a new representational map
func Filter(elements map[string]interface{}, keys ...string) map[string]interface{}
Filter will filter out elements based on keys in a given input map na key-slice
func ToString(i interface{}) string
ToString will return a string representation of a map
func ToTime(i interface{}) time.Time
ToTime will try to convert a given input to a time.Time structure
Claims is a port from https://github.com/dgrijalva/jwt-go/blob/master/claims.go including its validation methods, which are not available in go-jose library
> For a type to be a Claims object, it must just have a Valid method that determines if the token is invalid for any supported reason
type Claims interface {
Valid() error
}
ES256JWTStrategy is responsible for generating and validating JWT challenges
type ES256JWTStrategy struct {
PrivateKey interface{}
}
func (j *ES256JWTStrategy) Decode(ctx context.Context, token string) (*Token, error)
Decode will decode a JWT token
func (j *ES256JWTStrategy) Generate(ctx context.Context, claims MapClaims, header Mapper) (string, string, error)
Generate generates a new authorize code or returns an error. set secret
func (j *ES256JWTStrategy) GetSignature(ctx context.Context, token string) (string, error)
GetSignature will return the signature of a token
func (j *ES256JWTStrategy) GetSigningMethodLength() int
GetSigningMethodLength will return the length of the signing method
func (j *ES256JWTStrategy) Hash(ctx context.Context, in []byte) ([]byte, error)
Hash will return a given hash based on the byte input or an error upon fail
func (j *ES256JWTStrategy) Validate(ctx context.Context, token string) (string, error)
Validate validates a token and returns its signature or an error if the token is not valid.
Headers is the jwt headers
type Headers struct {
Extra map[string]interface{}
}
func NewHeaders() *Headers
func (h *Headers) Add(key string, value interface{})
Add will add a key-value pair to the extra field
func (h *Headers) Get(key string) interface{}
Get will get a value from the extra field based on a given key
func (h *Headers) ToMap() map[string]interface{}
ToMap will transform the headers to a map structure
func (h Headers) ToMapClaims() MapClaims
ToMapClaims will return a jwt-go MapClaims representation
IDTokenClaims represent the claims used in open id connect requests
type IDTokenClaims struct {
JTI string
Issuer string
Subject string
Audience []string
Nonce string
ExpiresAt time.Time
IssuedAt time.Time
RequestedAt time.Time
AuthTime time.Time
AccessTokenHash string
AuthenticationContextClassReference string
AuthenticationMethodsReferences []string
CodeHash string
Extra map[string]interface{}
}
func (c *IDTokenClaims) Add(key string, value interface{})
Add will add a key-value pair to the extra field
func (c *IDTokenClaims) Get(key string) interface{}
Get will get a value from the extra field based on a given key
func (c *IDTokenClaims) ToMap() map[string]interface{}
ToMap will transform the headers to a map structure
func (c IDTokenClaims) ToMapClaims() MapClaims
ToMapClaims will return a jwt-go MapClaims representation
JWTClaims represent a token's claims.
type JWTClaims struct {
Subject string
Issuer string
Audience []string
JTI string
IssuedAt time.Time
NotBefore time.Time
ExpiresAt time.Time
Scope []string
Extra map[string]interface{}
ScopeField JWTScopeFieldEnum
}
func (c *JWTClaims) Add(key string, value interface{})
Add will add a key-value pair to the extra field
func (c *JWTClaims) FromMap(m map[string]interface{})
FromMap will set the claims based on a mapping
func (c *JWTClaims) FromMapClaims(mc MapClaims)
FromMapClaims will populate claims from a jwt-go MapClaims representation
func (c JWTClaims) Get(key string) interface{}
Get will get a value from the extra field based on a given key
func (c *JWTClaims) ToMap() map[string]interface{}
ToMap will transform the headers to a map structure
func (c JWTClaims) ToMapClaims() MapClaims
ToMapClaims will return a jwt-go MapClaims representation
func (c *JWTClaims) With(expiry time.Time, scope, audience []string) JWTClaimsContainer
func (c *JWTClaims) WithDefaults(iat time.Time, issuer string) JWTClaimsContainer
func (c *JWTClaims) WithScopeField(scopeField JWTScopeFieldEnum) JWTClaimsContainer
type JWTClaimsContainer interface {
// With returns a copy of itself with expiresAt, scope, audience set to the given values.
With(expiry time.Time, scope, audience []string) JWTClaimsContainer
// WithDefaults returns a copy of itself with issuedAt and issuer set to the given default values. If those
// values are already set in the claims, they will not be updated.
WithDefaults(iat time.Time, issuer string) JWTClaimsContainer
// WithScopeField configures how a scope field should be represented in JWT.
WithScopeField(scopeField JWTScopeFieldEnum) JWTClaimsContainer
// ToMapClaims returns the claims as a github.com/dgrijalva/jwt-go.MapClaims type.
ToMapClaims() MapClaims
}
type JWTClaimsDefaults struct {
ExpiresAt time.Time
IssuedAt time.Time
Issuer string
Scope []string
}
Enum for different types of scope encoding.
type JWTScopeFieldEnum int
const (
JWTScopeFieldUnset JWTScopeFieldEnum = iota
JWTScopeFieldList
JWTScopeFieldString
JWTScopeFieldBoth
)
type JWTStrategy interface {
Generate(ctx context.Context, claims MapClaims, header Mapper) (string, string, error)
Validate(ctx context.Context, token string) (string, error)
Hash(ctx context.Context, in []byte) ([]byte, error)
Decode(ctx context.Context, token string) (*Token, error)
GetSignature(ctx context.Context, token string) (string, error)
GetSigningMethodLength() int
}
Parse methods use this callback function to supply the key for verification. The function receives the parsed, but unverified Token. This allows you to use properties in the Header of the token (such as `kid`) to identify which key to use.
type Keyfunc func(*Token) (interface{}, error)
MapClaims provides backwards compatible validations not available in `go-jose`. It was taken from [here](https://raw.githubusercontent.com/form3tech-oss/jwt-go/master/map_claims.go).
Claims type that uses the map[string]interface{} for JSON decoding This is the default claims type if you don't supply one
type MapClaims map[string]interface{}
func (m MapClaims) UnmarshalJSON(b []byte) error
func (m MapClaims) Valid() error
Validates time based claims "exp, iat, nbf". There is no accounting for clock skew. As well, if any of the above claims are not in the token, it will still be considered a valid claim.
func (m MapClaims) VerifyAudience(cmp string, req bool) bool
Compares the aud claim against cmp. If required is false, this method will return true if the value matches or is unset
func (m MapClaims) VerifyExpiresAt(cmp int64, req bool) bool
Compares the exp claim against cmp. If required is false, this method will return true if the value matches or is unset
func (m MapClaims) VerifyIssuedAt(cmp int64, req bool) bool
Compares the iat claim against cmp. If required is false, this method will return true if the value matches or is unset
func (m MapClaims) VerifyIssuer(cmp string, req bool) bool
Compares the iss claim against cmp. If required is false, this method will return true if the value matches or is unset
func (m MapClaims) VerifyNotBefore(cmp int64, req bool) bool
Compares the nbf claim against cmp. If required is false, this method will return true if the value matches or is unset
Mapper is the interface used internally to map key-value pairs
type Mapper interface {
ToMap() map[string]interface{}
Add(key string, value interface{})
Get(key string) interface{}
}
RS256JWTStrategy is responsible for generating and validating JWT challenges
type RS256JWTStrategy struct {
PrivateKey interface{}
}
func (j *RS256JWTStrategy) Decode(ctx context.Context, token string) (*Token, error)
Decode will decode a JWT token
func (j *RS256JWTStrategy) Generate(ctx context.Context, claims MapClaims, header Mapper) (string, string, error)
Generate generates a new authorize code or returns an error. set secret
func (j *RS256JWTStrategy) GetSignature(ctx context.Context, token string) (string, error)
GetSignature will return the signature of a token
func (j *RS256JWTStrategy) GetSigningMethodLength() int
GetSigningMethodLength will return the length of the signing method
func (j *RS256JWTStrategy) Hash(ctx context.Context, in []byte) ([]byte, error)
Hash will return a given hash based on the byte input or an error upon fail
func (j *RS256JWTStrategy) Validate(ctx context.Context, token string) (string, error)
Validate validates a token and returns its signature or an error if the token is not valid.
Token represets a JWT Token This token provide an adaptation to transit from [jwt-go](https://github.com/dgrijalva/jwt-go) to [go-jose](https://github.com/square/go-jose) It provides method signatures compatible with jwt-go but implemented using go-json
type Token struct {
Header map[string]interface{} // The first segment of the token
Claims MapClaims // The second segment of the token
Method jose.SignatureAlgorithm
// contains filtered or unexported fields
}
func NewWithClaims(method jose.SignatureAlgorithm, claims MapClaims) *Token
NewWithClaims creates an unverified Token with the given claims and signing method
func Parse(tokenString string, keyFunc Keyfunc) (*Token, error)
func ParseWithClaims(rawToken string, claims MapClaims, keyFunc Keyfunc) (*Token, error)
Parse, validate, and return a token. keyFunc will receive the parsed token and should return the key for validating. If everything is kosher, err will be nil
func (t *Token) SignedString(k interface{}) (rawToken string, err error)
SignedString provides a compatible `jwt-go` Token.SignedString method
> Get the complete, signed token
func (t *Token) Valid() bool
Valid informs if the token was verified against a given verification key and claims are valid
The error from Parse if token is not valid
type ValidationError struct {
Inner error // stores the error returned by external dependencies, i.e.: KeyFunc
Errors uint32 // bitfield. see ValidationError... constants
// contains filtered or unexported fields
}
func (e ValidationError) Error() string
Validation error is an error type
func (e *ValidationError) Has(verr uint32) bool