Documentation
Index
- Constants
- func GenerateAuthorizationHeader(payload interface{}, signatureGenerator SignatureGenerator) (string, error)
- type AuthorizationHeaderParser
- type ForwardingSignatureValidator
- type SignatureGenerator
- type SignatureValidator
- func NewDemultiplexingSignatureValidator(namedSignatureValidators map[string]SignatureValidator, ...) SignatureValidator
- func NewECDSASHASignatureValidator(publicKey *ecdsa.PublicKey) (SignatureValidator, error)
- func NewEd25519SignatureValidator(publicKey ed25519.PublicKey) SignatureValidator
- func NewHMACSHASignatureValidator(key []byte) SignatureValidator
- func NewRSASHASignatureValidator(key *rsa.PublicKey) SignatureValidator
- func NewSignatureValidatorFromJSONWebKeySet(jwks *jose.JSONWebKeySet) (SignatureValidator, error)
- func NewSignatureValidatorFromJSONWebKeySetFile(path string, group program.Group) (SignatureValidator, error)
Constants
const AuthorizationHeaderName = "Authorization"
AuthorizationHeaderName is the name of the HTTP header that contains the JSON Web Token.
Variables
This section is empty.
Functions
func GenerateAuthorizationHeader
func GenerateAuthorizationHeader(payload interface{}, signatureGenerator SignatureGenerator) (string, error)
GenerateAuthorizationHeader can be used to create HTTP "Authorization" headers of shape "Bearer ${jwt}". It calls into a SignatureGenerator to sign the resulting header.
Types
type AuthorizationHeaderParser
type AuthorizationHeaderParser struct {
// contains filtered or unexported fields
}
AuthorizationHeaderParser is a helper type for parsing JSON Web Tokens stored in HTTP "Authorization" headers of shape "Bearer ${jwt}". To prevent wasting excessive amounts of processing time on signature verification, this type holds on to a cache of recently observed tokens.
func NewAuthorizationHeaderParser
func NewAuthorizationHeaderParser(clock clock.Clock, signatureValidator SignatureValidator, claimsValidator, metadataExtractor *jmespath.JMESPath, maximumCacheSize int, evictionSet eviction.Set[string]) *AuthorizationHeaderParser
NewAuthorizationHeaderParser creates a new AuthorizationHeaderParser that does not have any cached tokens.
func NewAuthorizationHeaderParserFromConfiguration
func NewAuthorizationHeaderParserFromConfiguration(config *configuration.AuthorizationHeaderParserConfiguration, group program.Group) (*AuthorizationHeaderParser, error)
NewAuthorizationHeaderParserFromConfiguration creates a new HTTP "Authorization" header parser based on options stored in a configuration file.
func (*AuthorizationHeaderParser) Authenticate
func (a *AuthorizationHeaderParser) Authenticate(ctx context.Context, headers map[string][]string) (*auth.AuthenticationMetadata, error)
Authenticate is the implementation of RequestHeadersAuthenticator.Authenticate.
func (*AuthorizationHeaderParser) ParseAuthorizationHeaders
func (a *AuthorizationHeaderParser) ParseAuthorizationHeaders(headers []string) (*auth.AuthenticationMetadata, bool)
ParseAuthorizationHeaders takes a set of HTTP "Authorization" headers and returns true if one or more headers contain a token whose signature can be validated, and whose "exp" (Expiration Time) and "nbf" (Not Before) claims are in bounds.
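The contract described for GenerateAuthorizationHeader and ParseAuthorizationHeaders, shown end to end as an added example that is not this package's code: a stand-alone Go program using only the standard library that mints a "Bearer ${jwt}" header with HMAC-SHA256, then walks a list of "Authorization" headers and accepts the first token whose signature verifies and whose "exp" and "nbf" claims bound the supplied time. The Claims type, the fixed HS256 choice, the signHS256 and decodeSegment helpers and the explicit `now` parameter are assumptions of the example; the package itself delegates signing and verification to a SignatureGenerator/SignatureValidator, evaluates claims with JMESPath and reads the time from a clock.Clock.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered JWT claims checked here (constructed for the example).
type Claims struct {
	Subject   string `json:"sub,omitempty"`
	ExpiresAt int64  `json:"exp,omitempty"`
	NotBefore int64  `json:"nbf,omitempty"`
}

// signHS256 computes the JWS signature over "header.payload" with HMAC-SHA256.
func signHS256(key []byte, headerAndPayload string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(headerAndPayload))
	return mac.Sum(nil)
}

// decodeSegment base64url-decodes one JWT segment and unmarshals its JSON.
func decodeSegment(segment string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(segment)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// GenerateAuthorizationHeader builds an "Authorization" value of shape
// "Bearer ${jwt}", fixed to HS256 instead of a pluggable SignatureGenerator.
func GenerateAuthorizationHeader(payload interface{}, key []byte) (string, error) {
	body, err := json.Marshal(payload)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	headerAndPayload := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	return "Bearer " + headerAndPayload + "." + enc.EncodeToString(signHS256(key, headerAndPayload)), nil
}

// ParseAuthorizationHeaders follows the documented contract: it returns the claims of the
// first header whose token has a valid signature and whose "exp"/"nbf" bound now, else false.
func ParseAuthorizationHeaders(headers []string, key []byte, now time.Time) (*Claims, bool) {
	for _, h := range headers {
		if claims, err := parseBearer(h, key, now); err == nil {
			return claims, true
		}
	}
	return nil, false
}

func parseBearer(header string, key []byte, now time.Time) (*Claims, error) {
	if !strings.HasPrefix(header, "Bearer ") {
		return nil, errors.New("not a bearer token")
	}
	parts := strings.Split(strings.TrimPrefix(header, "Bearer "), ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT: expected three segments")
	}
	// The verifier owns the algorithm choice: the token's "alg" is compared
	// against it, never used to pick the verification routine, so "none" or
	// a downgraded algorithm is rejected here.
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "HS256" {
		return nil, fmt.Errorf("unsupported algorithm %q", hdr.Alg)
	}
	// Verify the signature (constant-time compare) before trusting the payload.
	signature, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(signature, signHS256(key, parts[0]+"."+parts[1])) {
		return nil, errors.New("invalid signature")
	}
	var claims Claims
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, err
	}
	// RFC 7519: now must be strictly before "exp" and not before "nbf".
	if unix := now.Unix(); (claims.ExpiresAt != 0 && unix >= claims.ExpiresAt) || (claims.NotBefore != 0 && unix < claims.NotBefore) {
		return nil, errors.New("token outside its validity window")
	}
	return &claims, nil
}

func main() {
	key, now := []byte("constructed-demo-key"), time.Unix(1700000000, 0)
	header, _ := GenerateAuthorizationHeader(Claims{Subject: "alice", ExpiresAt: now.Unix() + 60}, key)
	claims, ok := ParseAuthorizationHeaders([]string{"Bearer not-a-jwt", header}, key, now)
	fmt.Println(ok, claims.Subject)
}
```

The order of checks matters: the algorithm is pinned and the signature verified before the payload is decoded, so unsigned or tampered tokens never reach the claim logic, and the time checks run against a caller-supplied clock so that expiry behaviour can be tested deterministically.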
type ForwardingSignatureValidator
type ForwardingSignatureValidator struct {
// contains filtered or unexported fields
}
ForwardingSignatureValidator wraps another SignatureValidator. It is used when the underlying SignatureValidator needs to be replaced at runtime.
func NewForwardingSignatureValidator
func NewForwardingSignatureValidator(validator SignatureValidator) *ForwardingSignatureValidator
NewForwardingSignatureValidator creates a SignatureValidator that simply forwards requests to another SignatureValidator. This returns a pointer to the new ForwardingSignatureValidator, so as not to copy the atomic.Pointer.
func (*ForwardingSignatureValidator) Replace
func (sv *ForwardingSignatureValidator) Replace(validator SignatureValidator)
Replace replaces the registered SignatureValidator.
func (*ForwardingSignatureValidator) ValidateSignature
func (sv *ForwardingSignatureValidator) ValidateSignature(algorithm string, keyID *string, headerAndPayload string, signature []byte) bool
ValidateSignature validates a signature using the registered SignatureValidator.
type SignatureGenerator
type SignatureGenerator interface {
GetAlgorithm() string
GenerateSignature(headerAndPayload string) ([]byte, error)
}
SignatureGenerator is used by GenerateAuthorizationHeader() to create the signature of a JWT. Implementations of this interface may use HMAC, ECDSA or other algorithms.
func NewECDSASHASignatureGenerator
func NewECDSASHASignatureGenerator(privateKey *ecdsa.PrivateKey, randomNumberGenerator random.ThreadSafeGenerator) (SignatureGenerator, error)
NewECDSASHASignatureGenerator creates a SignatureGenerator that can sign a JWT using the Elliptic Curve Digital Signature Algorithm (ECDSA), using SHA-256, SHA-384 or SHA-512 as a hashing algorithm.
ECDSA uses asymmetrical cryptography, meaning that signing is performed using a private key, while verification only relies on a public key.
func NewEd25519SignatureGenerator
func NewEd25519SignatureGenerator(privateKey ed25519.PrivateKey) SignatureGenerator
NewEd25519SignatureGenerator creates a SignatureGenerator that can sign a JWT using the Edwards-curve Digital Signature Algorithm (EdDSA), using Curve25519 as its elliptic curve and SHA-512 as a hashing algorithm.
EdDSA uses asymmetrical cryptography, meaning that signing is performed using a private key, while verification only relies on a public key.
type SignatureValidator
type SignatureValidator interface {
ValidateSignature(algorithm string, keyID *string, headerAndPayload string, signature []byte) bool
}
SignatureValidator is used by Authenticator to validate the signature of a JWT. Implementations of this interface may use HMAC, ECDSA or other algorithms.
func NewDemultiplexingSignatureValidator
func NewDemultiplexingSignatureValidator(namedSignatureValidators map[string]SignatureValidator, allSignatureValidators []SignatureValidator) SignatureValidator
NewDemultiplexingSignatureValidator creates a SignatureValidator that routes signature validation requests based on the key ID ("kid") field that's part of a JWT's header.
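How "kid"-based routing and runtime replacement of a validator fit together, as an added example that is not this package's code; it serves both the ForwardingSignatureValidator section above and NewDemultiplexingSignatureValidator. The SignatureValidator interface is copied from this page; hmacSHA256Validator, computeHS256 and the routing policy (an exact match in the named map is authoritative, tokens without a matching "kid" are tried against the fallback list) are assumptions of the example, as is the use of atomic.Pointer for the forwarding wrapper, which the page's description of NewForwardingSignatureValidator suggests but does not spell out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"sync/atomic"
)

// SignatureValidator is the interface documented on this page.
type SignatureValidator interface {
	ValidateSignature(algorithm string, keyID *string, headerAndPayload string, signature []byte) bool
}

// hmacSHA256Validator is a constructed stand-in for the package's HMAC
// validator, restricted to HS256 for brevity.
type hmacSHA256Validator struct{ key []byte }

func (v hmacSHA256Validator) ValidateSignature(algorithm string, _ *string, headerAndPayload string, signature []byte) bool {
	// Refuse anything but the configured algorithm; the token never chooses.
	if algorithm != "HS256" {
		return false
	}
	return hmac.Equal(computeHS256(v.key, headerAndPayload), signature)
}

// computeHS256 is the HMAC-SHA256 tag over "header.payload".
func computeHS256(key []byte, headerAndPayload string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(headerAndPayload))
	return mac.Sum(nil)
}

// demultiplexingSignatureValidator routes on the token's "kid". The policy is
// an assumption of this example: an exact match in the named map is
// authoritative, and only tokens without a matching kid are tried against
// the unnamed fallback validators.
type demultiplexingSignatureValidator struct {
	named map[string]SignatureValidator
	all   []SignatureValidator
}

func NewDemultiplexingSignatureValidator(named map[string]SignatureValidator, all []SignatureValidator) SignatureValidator {
	return &demultiplexingSignatureValidator{named: named, all: all}
}

func (d *demultiplexingSignatureValidator) ValidateSignature(algorithm string, keyID *string, headerAndPayload string, signature []byte) bool {
	if keyID != nil {
		if v, ok := d.named[*keyID]; ok {
			return v.ValidateSignature(algorithm, keyID, headerAndPayload, signature)
		}
	}
	for _, v := range d.all {
		if v.ValidateSignature(algorithm, keyID, headerAndPayload, signature) {
			return true
		}
	}
	return false
}

// ForwardingSignatureValidator keeps its delegate in an atomic.Pointer so that
// Replace can swap it (for example after a key rotation) while requests are in
// flight, without a mutex. It is handed out by pointer so the atomic is never copied.
type ForwardingSignatureValidator struct {
	validator atomic.Pointer[SignatureValidator]
}

func NewForwardingSignatureValidator(v SignatureValidator) *ForwardingSignatureValidator {
	f := &ForwardingSignatureValidator{}
	f.Replace(v)
	return f
}

// Replace replaces the registered SignatureValidator.
func (f *ForwardingSignatureValidator) Replace(v SignatureValidator) {
	f.validator.Store(&v)
}

// ValidateSignature validates a signature using the registered SignatureValidator.
func (f *ForwardingSignatureValidator) ValidateSignature(algorithm string, keyID *string, headerAndPayload string, signature []byte) bool {
	return (*f.validator.Load()).ValidateSignature(algorithm, keyID, headerAndPayload, signature)
}

func main() {
	oldKey, newKey := []byte("constructed-key-2023"), []byte("constructed-key-2024")
	msg := "eyJhbGciOiJIUzI1NiIsImtpZCI6IjIwMjMifQ.e30" // constructed header.payload
	kid := "2023"
	demux := NewDemultiplexingSignatureValidator(map[string]SignatureValidator{kid: hmacSHA256Validator{oldKey}}, nil)
	fwd := NewForwardingSignatureValidator(demux)
	fmt.Println(fwd.ValidateSignature("HS256", &kid, msg, computeHS256(oldKey, msg))) // true
	fwd.Replace(hmacSHA256Validator{newKey})                                           // rotation: old key retired
	fmt.Println(fwd.ValidateSignature("HS256", &kid, msg, computeHS256(oldKey, msg))) // false
}
```

Because a named "kid" match is authoritative, a token that names a known key but carries a signature made with some other key is rejected outright rather than being retried against every configured validator; that keeps the cost of a bad token bounded and makes key retirement through Replace immediate.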
func NewECDSASHASignatureValidator
func NewECDSASHASignatureValidator(publicKey *ecdsa.PublicKey) (SignatureValidator, error)
NewECDSASHASignatureValidator creates a SignatureValidator that expects the signature of a JWT to use the Elliptic Curve Digital Signature Algorithm (ECDSA), using SHA-256, SHA-384 or SHA-512 as a hashing algorithm.
ECDSA uses asymmetrical cryptography, meaning that signing is performed using a private key, while verification only relies on a public key.
func NewEd25519SignatureValidator
func NewEd25519SignatureValidator(publicKey ed25519.PublicKey) SignatureValidator
NewEd25519SignatureValidator creates a SignatureValidator that expects the signature of a JWT to use the Edwards-curve Digital Signature Algorithm (EdDSA), using Curve25519 as its elliptic curve and SHA-512 as a hashing algorithm.
EdDSA uses asymmetrical cryptography, meaning that signing is performed using a private key, while verification only relies on a public key.
func NewHMACSHASignatureValidator
func NewHMACSHASignatureValidator(key []byte) SignatureValidator
NewHMACSHASignatureValidator creates a SignatureValidator that expects the signature of a JWT to use Hash-based Message Authentication Code (HMAC), using SHA-256, SHA-384 or SHA-512 as a hashing algorithm.
HMAC uses symmetric cryptography, meaning that the key used to sign a JWT is the same as the one used to validate it. There is no distinction between public and private keys, so every party that can validate tokens can also mint them, which may not be desirable from a security point of view.
func NewRSASHASignatureValidator
func NewRSASHASignatureValidator(key *rsa.PublicKey) SignatureValidator
NewRSASHASignatureValidator creates a SignatureValidator that expects the signature of a JWT to use the Rivest-Shamir-Adleman (RSA) cryptosystem, using SHA-256, SHA-384 or SHA-512 as a hashing algorithm.
RSA uses asymmetrical cryptography, meaning that signing is performed using a private key, while verification only relies on a public key. Signatures tend to be a lot larger than those created by ECDSA and EdDSA.
func NewSignatureValidatorFromJSONWebKeySet
func NewSignatureValidatorFromJSONWebKeySet(jwks *jose.JSONWebKeySet) (SignatureValidator, error)
NewSignatureValidatorFromJSONWebKeySet creates a new SignatureValidator capable of validating JWTs matching keys contained in a JSON Web Key Set, as described in RFC 7517, chapter 5.
func NewSignatureValidatorFromJSONWebKeySetFile
func NewSignatureValidatorFromJSONWebKeySetFile(path string, group program.Group) (SignatureValidator, error)
NewSignatureValidatorFromJSONWebKeySetFile creates a new SignatureValidator capable of validating JWTs matching keys contained in a JSON Web Key Set read from a file. The content of the file is periodically refreshed.
Source Files
- authorization_header_parser.go
- configuration.go
- demultiplexing_signature_validator.go
- ecdsa_sha_signature_generator.go
- ecdsa_sha_signature_validator.go
- ed25519_signature_generator.go
- ed25519_signature_validator.go
- forwarding_signature_validator.go
- generate_authorization_header.go
- hmac_sha_signature_validator.go
- rsa_sha_signature_validator.go
- signature_generator.go
- signature_validator.go