token

package
v3.1.0 Latest
This package is not in the latest version of its module.
Published: Apr 6, 2026 License: Apache-2.0 Imports: 24 Imported by: 19

Documentation

Constants

const (
	// TokenSeparator is the value which separates the header, claims, and
	// signature in the compact serialization of a JSON Web Token.
	TokenSeparator = "."
	// Leeway is the Duration that will be added to NBF and EXP claim
	// checks to account for clock skew as per https://tools.ietf.org/html/rfc7519#section-4.1.5
	Leeway = 60 * time.Second
)

Variables

var (
	ErrInsufficientScope = errors.New("insufficient scope")
	ErrTokenRequired     = errors.New("authorization token required")
)

Errors used and exported by this package.

var (
	ErrMalformedToken = errors.New("malformed token")
	ErrInvalidToken   = errors.New("invalid token")
)

Errors used by token parsing and verification.

Functions

func GetJWKThumbprint added in v3.1.0

func GetJWKThumbprint(publickey crypto.PublicKey) string

GetJWKThumbprint calculates the JWK thumbprint of a public key. The current implementation uses SHA256, but this algorithm may change in the future as cryptographic best practices evolve. It returns an empty string if the public key type is not supported.

func GetRFC7638Thumbprint deprecated

func GetRFC7638Thumbprint(publickey crypto.PublicKey) string

Deprecated: use GetJWKThumbprint instead.

Types

type AudienceList

type AudienceList []string

AudienceList is a slice of strings that can be deserialized from either a single string value or a list of strings.

func (AudienceList) MarshalJSON

func (s AudienceList) MarshalJSON() (b []byte, err error)

func (*AudienceList) UnmarshalJSON

func (s *AudienceList) UnmarshalJSON(data []byte) (err error)

type ClaimSet

type ClaimSet struct {
	// Public claims
	Issuer     string       `json:"iss"`
	Subject    string       `json:"sub"`
	Audience   AudienceList `json:"aud"`
	Expiration int64        `json:"exp"`
	NotBefore  int64        `json:"nbf"`
	IssuedAt   int64        `json:"iat"`
	JWTID      string       `json:"jti"`

	// Private claims
	Access []*ResourceActions `json:"access"`
}

ClaimSet describes the main section of a JSON Web Token.

type ResourceActions

type ResourceActions struct {
	Type    string   `json:"type"`
	Class   string   `json:"class,omitempty"`
	Name    string   `json:"name"`
	Actions []string `json:"actions"`
}

ResourceActions stores allowed actions on a named and typed resource.

type Token

type Token struct {
	Raw string
	JWT *jwt.JSONWebToken
}

Token is a JSON Web Token.

func NewToken

func NewToken(rawToken string, signingAlgs []jose.SignatureAlgorithm) (*Token, error)

NewToken parses the given raw token string and constructs an unverified JSON Web Token.

func (*Token) Verify

func (t *Token) Verify(verifyOpts VerifyOptions) (*ClaimSet, error)

Verify attempts to verify this token using the given options. Returns a nil error if the token is valid.

func (*Token) VerifySigningKey

func (t *Token) VerifySigningKey(verifyOpts VerifyOptions) (crypto.PublicKey, error)

VerifySigningKey attempts to verify and return the signing key which was used to sign the token.

type VerifyOptions

type VerifyOptions struct {
	TrustedIssuers    []string
	AcceptedAudiences []string
	Roots             *x509.CertPool
	TrustedKeys       map[string]crypto.PublicKey
}

VerifyOptions is used to specify options when verifying a JSON Web Token.
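
An added example, not code from this package: it shows how the 60-second Leeway widens the nbf/exp window and how an "aud" claim that may be a single string or a list is decoded before the audience check. The names audList, claims and validate are hypothetical, and the set and order of checks are assumptions rather than a copy of what Verify does; the claims are taken to come from a token whose signature was already verified.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"time"
)

const leeway = 60 * time.Second // same value as the package's Leeway constant

// audList (hypothetical name) decodes "aud" given as one string or as a list.
type audList []string

func (a *audList) UnmarshalJSON(data []byte) error {
	var one string
	if json.Unmarshal(data, &one) == nil {
		*a = audList{one}
		return nil
	}
	return json.Unmarshal(data, (*[]string)(a))
}

type claims struct {
	Audience   audList `json:"aud"`
	Expiration int64   `json:"exp"`
	NotBefore  int64   `json:"nbf"`
}

// validate checks claims whose signature has already been verified.
func validate(payload []byte, now time.Time, audience string) error {
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("malformed claims: %w", err)
	}
	switch {
	case !slices.Contains(c.Audience, audience):
		return errors.New("invalid token: audience not accepted")
	case now.After(time.Unix(c.Expiration, 0).Add(leeway)):
		return errors.New("invalid token: expired")
	case now.Before(time.Unix(c.NotBefore, 0).Add(-leeway)):
		return errors.New("invalid token: not yet valid")
	}
	return nil
}

func main() { // constructed claims: expired 30s ago, still inside the leeway
	fmt.Println(validate([]byte(`{"aud":"registry.example","exp":1000}`), time.Unix(1030, 0), "registry.example"))
}
```

A claim set with no "exp" decodes to 0 here and is rejected as expired, so a missing expiry fails closed.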
