jwt

package
v0.3.38 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Apr 9, 2025 License: MIT Imports: 12 Imported by: 1

Documentation


Constants

// Claim names, JOSE header field names, the algorithm identifiers declared by
// this package, and HS256 key-size bounds.
const (
	// Registered claim names (RFC 7519).
	TokenID     = "jti" // TokenID is a unique identifier for this token.
	Issuer      = "iss" // Issuer is the principal that issued the token
	Audience    = "aud" // Audience identifies the recipients the token is intended for
	Subject     = "sub" // Subject is the user/account/etc. that this token authorizes
	IssuedAt    = "iat" // IssuedAt is a Unix timestamp for when the token was issued
	ExpiresAt   = "exp" // ExpiresAt is a Unix timestamp for when the token should expire
	NotBeforeAt = "nbf" // NotBeforeAt is a timestamp this token should not be accepted until
	// NOTE(review): the documented API shows time validation (ValidateTime) but no
	// issuer or audience check; callers presumably have to compare "iss" and "aud"
	// against their own expected values after verification — confirm.

	// Header field names. Header values come from the token itself and are not
	// trustworthy until the signature has been verified.
	Alg   = "alg" // Alg is a header field identifying the signing algorithm
	Typ   = "typ" // Typ is a header field that must be set to "JWT"
	KeyID = "kid" // KeyID is a header field, an opaque string identifying the key used

	// Forever is the largest time.Duration value (1<<63 - 1 nanoseconds, roughly 292 years).
	// NOTE(review): how New/NewAt translate Forever into "exp" is not shown here. A token
	// that never expires can only be invalidated by rotating the key or tracking "jti",
	// so prefer a finite validity where possible.
	Forever time.Duration = 1<<63 - 1 // Forever is a token validity that never expires

	// HS256 is HMAC with SHA-256; RS256 is RSASSA-PKCS1-v1_5 with SHA-256 (RFC 7518).
	HS256          Algorithm = "HS256"
	RS256          Algorithm = "RS256"
	// HS256 key-size bounds, in bytes. 32 bytes equals the SHA-256 output size, which
	// RFC 7518 gives as the minimum key size for HS256.
	// NOTE(review): whether and where MinHS256KeyLen is enforced is not shown — confirm
	// that short keys are rejected rather than silently accepted.
	MinHS256KeyLen           = 32
	// 64 bytes is the SHA-256 block size; HMAC itself hashes longer keys down first.
	MaxHS256KeyLen           = 64 // anything longer is hashed to 32 bytes
)

Variables

// Sentinel errors and tunable limits.
//
// The errors are plain errors.New values, so callers can match them with errors.Is.
// NOTE(review): which function returns which error is inferred from the names and
// messages only; confirm against the implementation.
var (
	ErrCorrupted          = errors.New("token corrupted")
	// ErrAlg presumably reports a mismatch between the token's "alg" header and the
	// verifier's algorithm (Token.ValidateWith documents that comparison) — confirm.
	ErrAlg                = errors.New("token uses a wrong algorithm")
	ErrExpired            = errors.New("token expired")
	ErrNotYetValid        = errors.New("token not valid yet")
	ErrTooLong            = errors.New("token too long")
	// ErrSignature vs ErrSignatureCorrupted: presumably "does not verify" vs "cannot be
	// decoded" — confirm. Callers should reject the token in both cases.
	ErrSignature          = errors.New("token signature invalid")
	ErrSignatureCorrupted = errors.New("token signature corrupted")

	// NOTE(review): both limits are package-level variables, not constants, so any
	// importing code can change them at run time for the whole process. Set them once
	// at start-up if at all; the unit of MaxTokenLen (bytes vs characters) is not shown.
	MaxTokenLen        = 8000 // MaxTokenLen is the safety limit to avoid decoding very long data
	ExpectedClaimCount = 10   // ExpectedClaimCount is a starting size for the claims map
)

Functions

func Sign added in v0.3.27

func Sign(claims, headerClaims Claims, signer Signer) ([]byte, error)

func SignHS256String

func SignHS256String(claims, headerClaims Claims, key []byte) string

func SignRS25String added in v0.3.27

func SignRS25String(claims, headerClaims Claims, key *rsa.PrivateKey) string

func SignString added in v0.3.27

func SignString(claims, headerClaims Claims, signer Signer) (string, error)

Types

type Algorithm

// Algorithm is the name of a JWT signing algorithm, as carried in the "alg" header.
// This listing declares two values: HS256 and RS256.
type Algorithm string

type Claims

// Claims is a set of named values stored as untyped (any) entries. Sign and its
// variants take one Claims for the payload and a second one for the header.
// NOTE(review): values decoded from a token have whatever type the decoder produced;
// the typed accessors (String, Int64, Time) are presumably the intended way to read
// them — confirm how they behave on a missing or mistyped key.
type Claims map[string]any

func DecodeHS256String

func DecodeHS256String(rawToken string, tolerance time.Duration, key []byte) (Claims, error)

func DecodeHS256StringAt

func DecodeHS256StringAt(
	rawToken string,
	key []byte,
	tolerance time.Duration,
	now time.Time,
) (Claims, error)

func DecodeRS256String added in v0.3.27

func DecodeRS256String(rawToken string, tolerance time.Duration, pubKey *rsa.PublicKey) (Claims, error)

func DecodeRS256StringAt added in v0.3.27

func DecodeRS256StringAt(
	rawToken string,
	pubKey *rsa.PublicKey,
	tolerance time.Duration,
	now time.Time,
) (Claims, error)

func DecodeStringAt added in v0.3.27

func DecodeStringAt(
	rawToken string,
	verifier Verifier,
	tolerance time.Duration,
	now time.Time,
) (Claims, error)

func New

func New(subject string, validity time.Duration) Claims

func NewAt

func NewAt(subject string, validity time.Duration, now time.Time) Claims

func (Claims) ExpiresAt

func (c Claims) ExpiresAt() time.Time

func (Claims) Int64

func (c Claims) Int64(key string) (int64, bool)

func (Claims) Issuer

func (c Claims) Issuer() string

func (Claims) KeyID added in v0.3.27

func (c Claims) KeyID() string

func (Claims) String

func (c Claims) String(key string) string

func (Claims) Subject

func (c Claims) Subject() string

func (Claims) Time

func (c Claims) Time(key string) time.Time

func (Claims) TokenID

func (c Claims) TokenID() string

func (Claims) ValidateTime

func (c Claims) ValidateTime(tolerance time.Duration) error

func (Claims) ValidateTimeAt

func (c Claims) ValidateTimeAt(tolerance time.Duration, now time.Time) error

type HS256Signer added in v0.3.27

type HS256Signer struct {
	// contains filtered or unexported fields
}

HS256Signer signs using HMAC-SHA256 with a symmetric key.

func NewHS256Signer added in v0.3.27

func NewHS256Signer(key []byte, keyID string) *HS256Signer

NewHS256Signer returns an HS256 signer using the given key and optional keyID.

func (*HS256Signer) Algorithm added in v0.3.27

func (s *HS256Signer) Algorithm() Algorithm

func (*HS256Signer) KeyID added in v0.3.27

func (s *HS256Signer) KeyID() string

func (*HS256Signer) Sign added in v0.3.27

func (s *HS256Signer) Sign(data []byte) ([]byte, error)

Sign uses HMAC-SHA256 on 'data'.

type HS256Verifier added in v0.3.27

type HS256Verifier struct {
	// contains filtered or unexported fields
}

func NewHS256Verifier added in v0.3.27

func NewHS256Verifier(key []byte, keyID string) *HS256Verifier

NewHS256Verifier constructs an HS256 verifier with the given secret `key` and optional `keyID`.

func (*HS256Verifier) Algorithm added in v0.3.27

func (v *HS256Verifier) Algorithm() Algorithm

func (*HS256Verifier) KeyID added in v0.3.27

func (v *HS256Verifier) KeyID() string

func (*HS256Verifier) SigLen added in v0.3.27

func (v *HS256Verifier) SigLen() int

func (*HS256Verifier) Verify added in v0.3.27

func (v *HS256Verifier) Verify(data, signature []byte) error

Verify checks that `signature` (raw bytes) matches the HMAC-SHA256 of `data`.

type RS256Signer added in v0.3.27

type RS256Signer struct {
	// contains filtered or unexported fields
}

func NewRS256Signer added in v0.3.27

func NewRS256Signer(privKey *rsa.PrivateKey, keyID string) *RS256Signer

NewRS256Signer returns an RS256 signer using the given RSA private key.

func (*RS256Signer) Algorithm added in v0.3.27

func (s *RS256Signer) Algorithm() Algorithm

func (*RS256Signer) KeyID added in v0.3.27

func (s *RS256Signer) KeyID() string

func (*RS256Signer) Sign added in v0.3.27

func (s *RS256Signer) Sign(data []byte) ([]byte, error)

Sign uses RSA-SHA256 on 'data'.

type RS256Verifier added in v0.3.27

type RS256Verifier struct {
	// contains filtered or unexported fields
}

func NewRS256Verifier added in v0.3.27

func NewRS256Verifier(pubKey *rsa.PublicKey, keyID string) *RS256Verifier

NewRS256Verifier constructs an RS256 verifier with the given `pubKey` and optional `keyID`.

func (*RS256Verifier) Algorithm added in v0.3.27

func (v *RS256Verifier) Algorithm() Algorithm

func (*RS256Verifier) KeyID added in v0.3.27

func (v *RS256Verifier) KeyID() string

func (*RS256Verifier) SigLen added in v0.3.27

func (v *RS256Verifier) SigLen() int

func (*RS256Verifier) Verify added in v0.3.27

func (v *RS256Verifier) Verify(data, signature []byte) error

Verify checks that `signature` (raw bytes) is a valid RSA-SHA256 signature over `data`.

type Signer added in v0.3.27

// Signer produces signatures for one algorithm and key.
type Signer interface {
	// Algorithm reports the signing algorithm.
	// Presumably this is what ends up in the "alg" header — TODO confirm.
	Algorithm() Algorithm
	// KeyID reports the key identifier; NewHS256Signer documents it as optional.
	KeyID() string
	// Sign takes the combined "header.claims" (already base64-encoded) and returns the raw binary signature.
	// The caller is responsible for base64-encoding that signature.
	Sign(data []byte) ([]byte, error)
}

type Token

type Token struct {
	// contains filtered or unexported fields
}

Token is the result of parsing a JWT.

func Parse

func Parse(rawToken []byte) (Token, error)

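Parse decodes the parts of a JWT. Decoding alone does not appear to check the signature: this listing exposes verification as separate methods (ValidateWith, ValidateHS256, ValidateRS256), so call one of them before trusting Claims().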

func ParseString

func ParseString(rawToken string) (Token, error)

ParseString decodes JWT parts of a token.

func (*Token) Alg

func (t *Token) Alg() Algorithm

func (*Token) Claims

func (t *Token) Claims() Claims

func (*Token) KeyID

func (t *Token) KeyID() string

func (*Token) Parse

func (token *Token) Parse(rawToken []byte) error

Parse decodes JWT parts of a token.

func (*Token) ParseString

func (token *Token) ParseString(rawToken string) error

ParseString decodes JWT parts of a token.

func (*Token) ValidateHS256

func (token *Token) ValidateHS256(key []byte) error

func (*Token) ValidateRS256 added in v0.3.27

func (token *Token) ValidateRS256(key *rsa.PublicKey) error

func (*Token) ValidateWith added in v0.3.27

func (t *Token) ValidateWith(verifier Verifier) error

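ValidateWith verifies that this token’s algorithm matches the verifier, then checks the signature with verifier.Verify(). As documented it covers only the algorithm and the signature; expiry and not-before checks are presumably left to Claims.ValidateTime or Claims.ValidateTimeAt.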

type Verifier added in v0.3.27

// Verifier checks signatures for one algorithm and key.
type Verifier interface {
	// SigLen presumably reports the expected length of the raw signature in bytes — TODO confirm.
	SigLen() int
	// Algorithm reports the algorithm this verifier accepts. Token.ValidateWith is
	// documented to compare the token's algorithm against it before calling Verify,
	// so an implementation should return one fixed value and never echo the token's header.
	Algorithm() Algorithm
	// KeyID reports the key identifier; the New*Verifier constructors document it as optional.
	KeyID() string
	// Verify takes the "header.claims" data (already base64-encoded) and the raw decoded signature bytes.
	// It should return nil if verification succeeds, or a non-nil error otherwise.
	// NOTE(review): a custom implementation that compares MACs should use a
	// constant-time comparison such as hmac.Equal, not bytes.Equal or ==.
	Verify(data, signature []byte) error
}
