Documentation
Overview
Package jwtauth implements JWT-based authentication for BubbleFish Nexus using JWKS (JSON Web Key Set) validation. It implements "Pattern B: JWT Header Mapping (Advanced)" from Tech Spec Section 6.6.
The middleware extracts a JWT from the Authorization header (Bearer scheme), validates it against a cached JWKS endpoint, and maps a configurable claim (e.g. "sub") to a Nexus source name.
The JWKS is fetched at startup and cached. When validation fails, the cache is refreshed, at most once per minute, so that key rotation at the issuer is picked up without every rejected token triggering a new fetch.
Reference: Tech Spec Section 6.6, Phase R-20.
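The validation flow described above, as an added Go example that is not the jwtauth package's own code: TokenChecker, its fields, hasAudience and the SignRS256 fixture are assumptions made for this example (the package's real API is the Config, Validator and Result types documented on this page), and the JWKS cache is reduced to a map of RSA public keys by kid so the block runs offline. It pins the algorithm to RS256, verifies the signature before acting on any claim, checks exp and aud (accepting both the string and the array form of aud), and then maps the configured claim to the source name.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Result mirrors the page's Result type: the mapped claim value plus all claims.
type Result struct {
	SourceName string
	Claims     map[string]interface{}
}

// TokenChecker holds what Validate needs. Type and field names are assumptions for this
// example; Keys stands in for the validator's JWKS cache (RSA public keys by kid).
type TokenChecker struct {
	Keys          map[string]*rsa.PublicKey
	ClaimToSource string           // claim mapped to the source name, e.g. "sub"
	Audience      string           // expected aud; empty skips the check
	Now           func() time.Time // injectable clock so exp handling is testable
}

// Validate verifies an RS256 token's signature, then exp and aud, then maps ClaimToSource.
// Nothing from the payload is acted on before the signature check passes.
func (c *TokenChecker) Validate(token string) (*Result, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if b, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(b, &hdr) != nil {
		return nil, errors.New("jwt: bad header")
	}
	// Pin the algorithm: "none", or an HMAC alg checked against an RSA public key, must fail here.
	if hdr.Alg != "RS256" {
		return nil, errors.New("jwt: unsupported alg " + hdr.Alg)
	}
	key, ok := c.Keys[hdr.Kid]
	if !ok {
		return nil, errors.New("jwt: unknown kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("jwt: signature verification failed")
	}
	var claims map[string]interface{}
	if b, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(b, &claims) != nil {
		return nil, errors.New("jwt: bad payload")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode into interface{} as float64
	if !ok || !c.Now().Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("jwt: missing or expired exp")
	}
	if c.Audience != "" && !hasAudience(claims["aud"], c.Audience) {
		return nil, errors.New("jwt: audience mismatch")
	}
	src, _ := claims[c.ClaimToSource].(string)
	if src == "" {
		return nil, errors.New("jwt: claim " + c.ClaimToSource + " missing or not a string")
	}
	return &Result{SourceName: src, Claims: claims}, nil
}

// hasAudience accepts aud as a single string or an array of strings (RFC 7519 allows both).
func hasAudience(aud interface{}, want string) bool {
	switch a := aud.(type) {
	case string:
		return a == want
	case []interface{}:
		for _, x := range a {
			if s, ok := x.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

// SignRS256 is a fixture constructed for this example: it issues a token signed by priv under
// kid, standing in for the identity provider so Validate can be exercised offline.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	input := enc(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

To exercise it, generate a key with rsa.GenerateKey, put its public half in Keys under a kid, sign a token with SignRS256 under the same kid, and Validate returns a Result whose SourceName is the token's "sub". A token with alg "none", a payload altered after signing, an unknown kid, a non-matching aud or a past exp is rejected, and the claim-to-source mapping only happens after all of those checks.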
Types
type Config

    type Config struct {
        JWKSUrl       string // URL to fetch the JWKS from
        ClaimToSource string // JWT claim name to map to a Nexus source (e.g. "sub")
        Audience      string // Expected "aud" claim (empty = skip audience check)
        Logger        *slog.Logger
    }

Config holds JWT authentication settings.
type Result

    type Result struct {
        SourceName string // value of the configured claim
        Claims     map[string]interface{}
    }

Result holds the outcome of JWT validation.
type Validator

    type Validator struct {
        // contains filtered or unexported fields
    }

Validator validates JWTs against a cached JWKS.

func (*Validator) FetchJWKS
FetchJWKS fetches the JWKS from the configured URL and caches the keys. Returns an error if the fetch or parse fails.