jwt

package
v1.142.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Apr 28, 2026 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// These are fixed sentinel values created with errors.New, so callers can
// match them with errors.Is.
var (
	// ErrNilKey indicates that the key is nil.
	ErrNilKey = errors.New("key is nil")

	// ErrInvalidKey indicates that the key is not valid.
	ErrInvalidKey = errors.New("key is not valid")

	// ErrUnsupportedAlg indicates that the given algorithm is not supported.
	ErrUnsupportedAlg = errors.New("algorithm is not supported")

	// ErrInvalidSignature indicates that the signature is not valid.
	ErrInvalidSignature = errors.New("signature is not valid")
)

JWT sign, verify, build and parse errors.

// Token parsing errors. Each message is a constant string with no format
// verbs, so every variable is a fixed value that callers can compare against.
var (
	// ErrHeaderMissing indicates that the JWT authorization header is missing.
	ErrHeaderMissing = fmt.Errorf("jwt authorization header is missing")
	// ErrVMAccessFieldMissing indicates that the `vm_access` claim is missing.
	ErrVMAccessFieldMissing = fmt.Errorf("missing `vm_access` claim")
	// ErrBadTokenFormat indicates that the token is not in JWT format.
	ErrBadTokenFormat = fmt.Errorf("bad token format, must be jwt")
)
// Signature verification errors.
var (
	// ErrSignatureVerificationFailed indicates that token signature verification failed.
	ErrSignatureVerificationFailed = fmt.Errorf("failed to verify token signature")
	// ErrSignatureAlgorithmNotSupported indicates that the signature algorithm
	// is not supported. The message lists the supported algorithms, all of which
	// are asymmetric (RS*, PS*, ES*); HS* and "none" do not appear in that list.
	// NOTE(review): which code path returns this error is not visible here —
	// confirm that tokens with an unlisted "alg" are rejected with it.
	ErrSignatureAlgorithmNotSupported = fmt.Errorf("signature algorithm verification not supported, supported algorithms: RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512")
)

Functions

func ParseKey

func ParseKey(key []byte) (any, error)

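ParseKey parses a key in PEM format. It returns a *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey, or ed25519.PublicKey. Of these, only the RSA and ECDSA key types correspond to an Algorithm declared in this package (RS*, PS*, ES*); how the verifiers treat a DSA or Ed25519 key is not stated on this page.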

Types

type Algorithm

type Algorithm string

Algorithm for signing and verifying.

// The string values are the JWA (RFC 7518) "alg" header names.
const (
	// RSA signatures (RSASSA-PKCS1-v1_5 in JWA) with SHA-256, SHA-384 and SHA-512.
	RS256 Algorithm = "RS256"
	RS384 Algorithm = "RS384"
	RS512 Algorithm = "RS512"

	// ECDSA signatures with SHA-256, SHA-384 and SHA-512.
	ES256 Algorithm = "ES256"
	ES384 Algorithm = "ES384"
	ES512 Algorithm = "ES512"

	// RSA-PSS signatures (RSASSA-PSS in JWA) with SHA-256, SHA-384 and SHA-512.
	PS256 Algorithm = "PS256"
	PS384 Algorithm = "PS384"
	PS512 Algorithm = "PS512"
)

Algorithm names for signing and verifying.

func (Algorithm) String

func (a Algorithm) String() string

type Claim added in v1.122.17

type Claim struct {
	// contains filtered or unexported fields
}

Claim represents a single JWT token claim used for matching via Token.MatchClaims. It supports dot-delimited nested key lookup within the token body JSON.

func NewClaim added in v1.122.17

func NewClaim(key, value string) (*Claim, error)

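NewClaim constructs a JWT token claim from the given key and value regular expression. The key supports dot-delimited notation as a separator for nested key lookup. To include a literal dot in a key segment, escape it with a backslash (e.g. "a\.b.c"). This page does not say whether the value expression is anchored to the whole claim value; if a full match is intended, anchor the expression explicitly (^...$) and confirm the behaviour against the implementation.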

For example, the key "audit.permissions.0" can be used to access a nested array element in:

{"audit": {"permissions": [0, 1, 0]}}

type TenantID

type TenantID struct {
	// ProjectID is read from and written to the "project_id" JSON key.
	// NOTE(review): this is a signed int32, while the Metrics*/Logs* IDs in
	// VMAccessClaim are uint32 — confirm how a negative value in a token is handled.
	ProjectID int32 `json:"project_id"`
	// AccountID is read from and written to the "account_id" JSON key.
	AccountID int32 `json:"account_id"`
}

TenantID represents tenantID. Deprecated

func (TenantID) String

func (tid TenantID) String() string

String implements interface.

type Token

type Token struct {
	// contains filtered or unexported fields
}

Token represents jwt token https://auth0.com/docs/tokens/json-web-tokens

func NewToken deprecated

func NewToken(auth string, enforceAuthPrefix bool) (*Token, error)

NewToken creates token from raw string.

Deprecated: allocates a new Token on every call. Prefer acquiring a Token from a sync.Pool, calling t.Parse(), and returning it after use.

func NewTokenFromRequestWithCustomHeader deprecated

func NewTokenFromRequestWithCustomHeader(r *http.Request, headerName string, enforceAuthPrefix bool) (*Token, error)

NewTokenFromRequestWithCustomHeader returns a new JWT token read from the given header of the request.

Deprecated: allocates a new Token on every call. Prefer acquiring a Token from a sync.Pool, calling t.Parse(), and returning it after use.

func (*Token) AccessLabels

func (t *Token) AccessLabels() []string

AccessLabels returns vm_access labels for given JWT token, in key=value format.

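The returned value is valid only while the Token is reachable. Copy it if it must outlive the Token, for example before calling Reset or returning the Token to a pool.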

func (*Token) CanRead

func (t *Token) CanRead() bool

CanRead checks if token has read permissions.

func (*Token) CanWrite

func (t *Token) CanWrite() bool

CanWrite checks if token has write permissions.

func (*Token) ExtraFilters

func (t *Token) ExtraFilters() []string

ExtraFilters returns the MetricsQL filters for select queries.

The returned value is valid only while the Token is reachable.

func (*Token) IsExpired

func (t *Token) IsExpired(currentTime time.Time) bool

IsExpired checks if jwt token is expired.

func (*Token) Issuer added in v1.122.17

func (t *Token) Issuer() string

Issuer returns `iss` claim value from token body

func (*Token) MatchClaims added in v1.122.17

func (t *Token) MatchClaims(claims []*Claim) bool

MatchClaims checks if Token has all given claims

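An empty claims slice always matches. Callers that rely on MatchClaims for access decisions should account for this when the configured claim list can be empty.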

func (*Token) Parse added in v1.122.17

func (t *Token) Parse(src string, enforceAuthPrefix bool) error

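Parse parses a JWT token from the given source string. This page does not say that Parse checks the signature; verification is exposed separately through Verifier.Verify, which takes an already parsed *Token, so claims read from a parsed Token should be treated as untrusted until Verify succeeds.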

Token fields are valid only while src is reachable.

func (*Token) Reset added in v1.122.17

func (t *Token) Reset()

Reset releases the memory used by the token. The Token cannot be used after this call.

func (*Token) Tenant

func (t *Token) Tenant() TenantID

Tenant returns tenantID for token.

func (*Token) VMAccess added in v1.110.31

func (t *Token) VMAccess() *VMAccessClaim

VMAccess returns a reference to the VMAccessClaim. All of its data is valid only while the Token is reachable.

type VMAccessClaim added in v1.110.31

type VMAccessClaim struct {
	// Extra filters and labels for metrics and logs, read from the JSON keys
	// named in the tags. These values come from the token body.
	MetricsExtraFilters    []string `json:"metrics_extra_filters,omitempty"`
	MetricsExtraLabels     []string `json:"metrics_extra_labels,omitempty"`
	LogsExtraFilters       []string `json:"logs_extra_filters,omitempty"`
	LogsExtraStreamFilters []string `json:"logs_extra_stream_filters,omitempty"`

	// Account and project IDs for metrics (presumably the tenant to use; confirm with callers).
	MetricsAccountID uint32 `json:"metrics_account_id,omitempty"`
	MetricsProjectID uint32 `json:"metrics_project_id,omitempty"`

	// Account and project IDs for logs (presumably the tenant to use; confirm with callers).
	LogsAccountID uint32 `json:"logs_account_id,omitempty"`
	LogsProjectID uint32 `json:"logs_project_id,omitempty"`

	// ExtraFilters holds promql filters applied to each select query.
	// Deprecated
	ExtraFilters []string `json:"extra_filters,omitempty"`
	// Tenant is read from the "tenant_id" JSON key.
	// Deprecated
	Tenant TenantID `json:"tenant_id"`
	// Mode is the role: 1 = read, 2 = write, 3 = read and write;
	// 0 = unconfigured, which means read and write.
	// NOTE(review): 0 is also the Go zero value, so per the line above a claim
	// that omits "mode" is treated as read and write. Issuers that need a
	// restricted token must set mode explicitly; confirm against CanRead/CanWrite.
	// Deprecated
	Mode int `json:"mode,omitempty"`
	// Labels is read from the "extra_labels" JSON key.
	// Deprecated
	Labels []string `json:"extra_labels,omitempty"`
	// contains filtered or unexported fields
}

VMAccessClaim represents the JWT claim object.

type Verifier

type Verifier interface {
	// Verify verifies the given token and reports the outcome as an error.
	// NOTE(review): presumably a nil error means the token passed
	// verification; confirm against the implementations.
	Verify(token *Token) error
}

Verifier is used to verify tokens.

type VerifierPool

type VerifierPool struct {
	// contains filtered or unexported fields
}

VerifierPool is a pool of verifiers for different algorithms

func NewVerifierPool

func NewVerifierPool(keys []any) (*VerifierPool, error)

NewVerifierPool creates a new verifier pool for a set of keys

func ParseJWKs added in v1.122.17

func ParseJWKs(rawResp []byte) (*VerifierPool, error)

ParseJWKs parses a JSON Web Key Set (JWKS) from rawResp and returns a VerifierPool containing a verifier for each key in the set. Each key might have a non-empty "kid" field. For RSA keys, if "alg" is specified it must be one of the supported RS or PS algorithms; if omitted, verifiers are created for all supported RSA and RSA-PSS algorithms. For EC keys, the curve determines the algorithm. It must match "alg" if provided.

The returned VerifierPool matches tokens by "kid" if not empty, otherwise tries all keys.

func (*VerifierPool) Verify

func (vp *VerifierPool) Verify(token *Token) error

Verify verifies a token signature by using keys provided to verifier pool
