core

package
v1.1.0 Latest
Warning

This package is not in the latest version of its module.

Published: Mar 17, 2026 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation


Constants

const DefaultJWKSTimeout = 5 * time.Second

DefaultJWKSTimeout is the default timeout for JWKS fetch operations.

Variables

var (

	// ErrJWKSFetch is returned when JWKS cannot be fetched
	ErrJWKSFetch = errors.New("failed to fetch JWKS")
	// ErrInvalidJWK is returned when JWK is invalid
	ErrInvalidJWK = errors.New("invalid JWK")
	// ErrKeyNotFound is returned when a requested key is not found
	ErrKeyNotFound = errors.New("key not found")
	// ErrJWKSURLEmpty is returned when JWKS URL is empty
	ErrJWKSURLEmpty = errors.New("JWKS URL is empty")
	// ErrJWKSNotInitialized is returned when JWKS has not been initialized
	ErrJWKSNotInitialized = errors.New("JWKS not initialized - call UpdateAllJWKS first")
	// ErrEmptyKeySet is returned when JWKS key set is empty
	ErrEmptyKeySet = errors.New("JWKS key set is empty")
	// ErrNoValidKeys is returned when JWKS contains no valid keys
	ErrNoValidKeys = errors.New("JWKS contains no valid keys")
	// ErrJWKSUpdateInProgress is returned when a JWKS update is already in progress
	ErrJWKSUpdateInProgress = errors.New("JWKS update already in progress")

	// ErrInvalidAudience is returned when token audience does not match (401)
	ErrInvalidAudience = errors.New("token audience does not match issuer configuration")
	// ErrInvalidScope is returned when token scopes do not match (403)
	ErrInvalidScope = errors.New("token scopes do not match required scopes for issuer")

	// ErrInvalidConfiguration is returned when no claim mapping is configured (401)
	ErrInvalidConfiguration = errors.New("no claim mapping configured for requested organization")
	// ErrNoClaimRoles is returned when no roles found in token claims (401)
	ErrNoClaimRoles = errors.New("no roles found in token claims for organization")
	// ErrReservedOrgName is returned when token claims a reserved organization name (403)
	ErrReservedOrgName = errors.New("token claims a reserved organization name")
	// ErrInvalidRole is returned when role is not in allowed roles set
	ErrInvalidRole = errors.New("role is not in allowed roles set")
)
var ScopeClaims = []string{"scope", "scopes", "scp"}

ScopeClaims are the standard JWT claim keys used for scopes.

Functions

func ComputeIssuerPrefix

func ComputeIssuerPrefix(issuerURL string) string

ComputeIssuerPrefix returns SHA256(issuerURL)[0:10] for namespacing subject claims.

func GetClaimAttribute

func GetClaimAttribute(claims jwt.MapClaims, attribute string) any

GetClaimAttribute extracts any value from a nested claim attribute (e.g., "data.roles"). Returns nil if the attribute is empty or the value is not found.

func GetClaimAttributeAsString

func GetClaimAttributeAsString(claims jwt.MapClaims, attributes ...string) string

GetClaimAttributeAsString extracts a string from nested claim attributes (e.g., "data.org"). Accepts multiple attributes and returns the first non-empty string found. Returns empty string if none found or if values are not strings.

func GetScopes

func GetScopes(claims jwt.MapClaims) []string

GetScopes extracts scopes from claims (tries "scope", "scopes", "scp"). Returns a slice of scope strings.

func InterfaceToStringSlice

func InterfaceToStringSlice(v any) ([]string, error)

InterfaceToStringSlice converts interface{} to []string. Supports multiple common formats from various IdPs:

  • Native array/slice: ["role1", "role2"]
  • JSON-encoded string array: "[\"role1\", \"role2\"]"
  • Space-separated: "role1 role2"
  • Comma-separated: "role1,role2" or "role1, role2"
  • Semicolon-separated: "role1;role2"
  • Single value: "role1"
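
An added example, not the package's own implementation: one way to normalize the claim formats listed above into a clean `[]string` before comparing roles against an allow-list. The name `normalizeClaimList`, the choice to reject non-string elements instead of stringifying them, and the sample values are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// normalizeClaimList (hypothetical; not the package's InterfaceToStringSlice) maps the listed claim shapes to []string.
func normalizeClaimList(v any) ([]string, error) {
	var raw []string
	switch t := v.(type) {
	case []string:
		raw = t
	case []any: // what encoding/json yields for a JSON array
		for _, e := range t {
			s, ok := e.(string)
			if !ok { // reject instead of stringifying a malformed role
				return nil, fmt.Errorf("non-string element %T in claim", e)
			}
			raw = append(raw, s)
		}
	case string:
		if s := strings.TrimSpace(t); strings.HasPrefix(s, "[") { // JSON-encoded string array
			if err := json.Unmarshal([]byte(s), &raw); err != nil {
				return nil, fmt.Errorf("malformed JSON array claim: %w", err)
			}
		} else { // comma, semicolon and whitespace all separate values
			raw = strings.FieldsFunc(s, func(r rune) bool {
				return r == ',' || r == ';' || r == ' ' || r == '\t'
			})
		}
	default:
		return nil, fmt.Errorf("unsupported claim type %T", v)
	}
	out := make([]string, 0, len(raw))
	for _, s := range raw { // trim and drop empties: "a, ,b" must not yield ""
		if s = strings.TrimSpace(s); s != "" {
			out = append(out, s)
		}
	}
	return out, nil
}

func main() { // constructed sample claim values, one per format
	for _, v := range []any{[]any{"admin", "dev"}, `["admin", "dev"]`, "admin, dev", "admin;dev", 42} {
		roles, err := normalizeClaimList(v)
		fmt.Println(roles, err)
	}
}
```

Dropping empty entries and failing closed on unexpected types keeps a malformed claim from producing an empty or coerced role that a later allow-list check might mishandle.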

Types

type JWKS

type JWKS struct {
	Set *jose.JSONWebKeySet
}

JWKS represents a set of JSON Web Keys using go-jose.

func NewJWKSFromURL

func NewJWKSFromURL(url string, timeout time.Duration) (*JWKS, error)

NewJWKSFromURL creates a new set of JSON Web Keys from a URL using go-jose. If timeout is zero or negative, the default timeout of 5 seconds is used.

func (JWKS) GetKeyByID

func (jwks JWKS) GetKeyByID(keyID string) (*jose.JSONWebKey, error)

GetKeyByID returns a specific key by its ID, leveraging go-jose's key management.

func (JWKS) GetKeysForAlgorithm

func (jwks JWKS) GetKeysForAlgorithm(algorithm string) []jose.JSONWebKey

GetKeysForAlgorithm returns all keys that explicitly declare support for a specific algorithm.
