pktoken

package v0.4.0 (latest)
Published: Mar 27, 2025 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func CompactPKToken

func CompactPKToken(tokens [][]byte, freshIDToken []byte) ([]byte, error)

CompactPKToken creates a compact representation of a PK Token from a list of tokens

func SplitCompactPKToken

func SplitCompactPKToken(pktCom []byte) ([][]byte, []byte, error)

SplitCompactPKToken breaks a compact representation of a PK Token into its constituent tokens

Types

type CosignerClaims

type CosignerClaims struct {
	Issuer      string `json:"iss"`
	KeyID       string `json:"kid"`
	Algorithm   string `json:"alg"`
	AuthID      string `json:"eid"`
	AuthTime    int64  `json:"auth_time"`
	IssuedAt    int64  `json:"iat"` // may differ from auth_time because of refresh
	Expiration  int64  `json:"exp"`
	RedirectURI string `json:"ruri"`
	Nonce       string `json:"nonce"`
	Typ         string `json:"typ"`
}

type OptionFunc

type OptionFunc func(*Options)

func WithTyp

func WithTyp(typ string) OptionFunc

WithTyp sets a custom typ value for verification

type Options

type Options struct {
	Typ string // Override for the expected typ value
}

Options configures VerifySignedMessage behavior

type PKToken

type PKToken struct {
	Payload []byte     // decoded payload
	Op      *Signature // Provider Signature
	Cic     *Signature // Client Signature
	Cos     *Signature // Cosigner Signature

	// We keep the tokens around because unmarshalled values can no longer be verified
	OpToken  []byte // Base64 encoded ID Token signed by the OP
	CicToken []byte // Base64 encoded Token signed by the Client
	CosToken []byte // Base64 encoded Token signed by the Cosigner

	// FreshIDToken is the refreshed ID Token. It has a different payload from
	// other tokens and must be handled separately.
	// It is only used for POP Authentication
	FreshIDToken []byte // Base64 encoded Refreshed ID Token
	// contains filtered or unexported fields
}

func New

func New(idToken []byte, cicToken []byte) (*PKToken, error)

New creates a new PKToken from an ID Token and a CIC Token. It adds signatures for both tokens to the PK Token and returns the PK Token.

func NewFromCompact

func NewFromCompact(pktCom []byte) (*PKToken, error)

NewFromCompact creates a PK Token from a compact representation

func (*PKToken) AddSignature

func (p *PKToken) AddSignature(token []byte, sigType SignatureType) error

AddSignature will add a signature to the PKToken with the specified signature type. It takes a token byte slice and a signature type as input, and returns an error if the signature cannot be added.

To use AddSignature, first parse the token byte slice using the jws.Parse function to obtain a jws.Message object. You can then extract the signature from the message object using the Signatures method, and pass it to AddSignature along with the desired signature type.

The function supports three signature types: OIDC, CIC, and COS. These signature types correspond to the JWTs in the PK Token. Depending on the signature type, the function will set the corresponding field in the PKToken struct (Op, Cic, or Cos) to the provided signature. It will also set the corresponding token field (OpToken, CicToken, or CosToken) to the provided token byte slice.

If the signature type is not recognized, an error will be returned.

func (*PKToken) Audience

func (p *PKToken) Audience() (string, error)

Audience returns the audience (`aud`) of the ID Token in the PKToken. The audience is also known as the client ID.

func (*PKToken) Compact

func (p *PKToken) Compact() ([]byte, error)

Compact serializes a PK Token into a compact representation.

func (*PKToken) DeepCopy

func (p *PKToken) DeepCopy() (*PKToken, error)

DeepCopy creates a complete and independent copy of this PKToken.

func (*PKToken) GetCicValues

func (p *PKToken) GetCicValues() (*clientinstance.Claims, error)

func (*PKToken) Hash

func (p *PKToken) Hash() (string, error)

func (*PKToken) IdentityString

func (p *PKToken) IdentityString() (string, error)

IdentityString returns the three attributes that are used to uniquely identify a user in the OpenID Connect protocol: the subscriber, the issuer

func (*PKToken) Issuer

func (p *PKToken) Issuer() (string, error)

Issuer returns the issuer (`iss`) of the ID Token in the PKToken. It extracts the issuer from the PKToken payload and returns it as a string.

func (*PKToken) MarshalJSON

func (p *PKToken) MarshalJSON() ([]byte, error)

func (*PKToken) NewSignedMessage

func (p *PKToken) NewSignedMessage(content []byte, signer crypto.Signer) ([]byte, error)

NewSignedMessage signs a message with the signer provided. The signed message is OSM (OpenPubkey Signed Message) which is a type of JWS (JSON Web Signature). OSMs commit to the PK Token which was used to generate the OSM.

func (*PKToken) ParseCosignerClaims

func (p *PKToken) ParseCosignerClaims() (*CosignerClaims, error)

func (*PKToken) ProviderAlgorithm

func (p *PKToken) ProviderAlgorithm() (jwa.SignatureAlgorithm, bool)

func (*PKToken) SignToken

func (p *PKToken) SignToken(
	signer crypto.Signer,
	alg jwa.KeyAlgorithm,
	protected map[string]any,
) ([]byte, error)

SignToken signs the PK Token and then returns only the payload, header and signature as a JWT.

func (*PKToken) Subscriber

func (p *PKToken) Subscriber() (string, error)

Subscriber returns the subscriber (`sub`) of the ID Token in the PKToken. This is a unique identifier for the user at the OpenID Provider.

func (*PKToken) UnmarshalJSON

func (p *PKToken) UnmarshalJSON(data []byte) error

func (*PKToken) VerifySignedMessage

func (p *PKToken) VerifySignedMessage(osm []byte, options ...OptionFunc) ([]byte, error)

VerifySignedMessage verifies an OSM (OpenPubkey Signed Message) using the public key in this PK Token. If verification is successful, VerifySignedMessage returns the content of the signed message. Otherwise it returns an error explaining why verification failed.

Note: VerifySignedMessage does not check that the PK Token itself is valid. The PK Token should always be verified first, before calling VerifySignedMessage.

type Signature

type Signature = jws.Signature

type SignatureType

type SignatureType string
const (
	OIDC SignatureType = "JWT"
	CIC  SignatureType = "CIC"
	COS  SignatureType = "COS"
)
