package token

v0.28.0

This package is not in the latest version of its module.

Published: Apr 23, 2026 License: MIT Imports: 18 Imported by: 0

Constants

const (
	TokenCategoryAccess  = "access"
	TokenCategoryRefresh = "refresh"
)

Token category constants used in the "type" JWT claim.

const (
	TokenTypeBearer = "Bearer"
)

Token type constants. "Bearer" is the token_type of an RFC 6750 bearer token.

Variables

var (
	// ErrTokenGeneration indicates token generation failed
	ErrTokenGeneration = errors.New("failed to generate token")

	// ErrInvalidToken indicates the token is invalid
	ErrInvalidToken = errors.New("invalid token")

	// ErrExpiredToken indicates the token has expired
	ErrExpiredToken = errors.New("token expired")

	// ErrInvalidRefreshToken indicates the refresh token is invalid
	ErrInvalidRefreshToken = errors.New("invalid refresh token")

	// ErrExpiredRefreshToken indicates the refresh token has expired
	ErrExpiredRefreshToken = errors.New("refresh token expired")

	// ErrInvalidScope indicates scope validation failed
	ErrInvalidScope = errors.New("invalid scope")
)

Functions

func ComputeAtHash added in v0.13.0

func ComputeAtHash(accessToken string) string

ComputeAtHash computes the at_hash claim value per OIDC Core 1.0 §3.3.2.11. at_hash = base64url( left-most 128 bits of SHA-256( ASCII(access_token) ) )
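The at_hash rule written out, as an added example that is not the package's own code. It generalises the documented SHA-256 case to the hash implied by the ID token's alg (the same OIDC section ties the hash to the alg header, so RS384/ES384 use SHA-384 and the left-most 192 bits, RS512/ES512 use SHA-512 and the left-most 256 bits) and adds the relying-party side, VerifyAtHash, which this package does not provide. ComputeAtHashForAlg and VerifyAtHash are names chosen for this example, and the access token string is constructed.

```go
package main

import (
	"crypto"
	_ "crypto/sha256" // registers crypto.SHA256
	_ "crypto/sha512" // registers crypto.SHA384 and crypto.SHA512
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// hashForAlg returns the hash the at_hash/c_hash rule uses: the hash algorithm
// of the JWS alg that signs the ID token (OIDC Core 1.0 section 3.3.2.11).
func hashForAlg(alg string) (crypto.Hash, error) {
	switch alg {
	case "HS256", "RS256", "ES256", "PS256":
		return crypto.SHA256, nil
	case "HS384", "RS384", "ES384", "PS384":
		return crypto.SHA384, nil
	case "HS512", "RS512", "ES512", "PS512":
		return crypto.SHA512, nil
	}
	return 0, fmt.Errorf("unsupported alg %q", alg)
}

// ComputeAtHashForAlg returns base64url(left-most half of hash(ASCII(accessToken)))
// without padding. For SHA-256 that is 128 bits = 16 bytes = 22 characters.
func ComputeAtHashForAlg(alg, accessToken string) (string, error) {
	h, err := hashForAlg(alg)
	if err != nil {
		return "", err
	}
	d := h.New()
	d.Write([]byte(accessToken))
	sum := d.Sum(nil)
	return base64.RawURLEncoding.EncodeToString(sum[:len(sum)/2]), nil
}

// ComputeAtHash is the fixed SHA-256 case that the package documents.
func ComputeAtHash(accessToken string) string {
	s, _ := ComputeAtHashForAlg("RS256", accessToken)
	return s
}

// VerifyAtHash is the relying-party side: recompute from the access token actually
// received next to the ID token and compare in constant time. A mismatch means the
// access token was swapped or spliced in from a different response.
func VerifyAtHash(alg, accessToken, atHash string) bool {
	want, err := ComputeAtHashForAlg(alg, accessToken)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(atHash)) == 1
}

func main() {
	tok := "constructed.example.access-token" // constructed sample, not a real token
	at := ComputeAtHash(tok)
	fmt.Println("at_hash:", at, "valid:", VerifyAtHash("RS256", tok, at))
	fmt.Println("swapped token accepted:", VerifyAtHash("RS256", tok+"x", at))
}
```

Because the hash is tied to the ID token's alg, a verifier that hard-codes SHA-256 will reject every at_hash from an issuer signing with RS384 or RS512; the length of the claim (22, 32 or 43 characters) is a quick tell for which hash was used.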

func DeriveKeyID added in v0.22.0

func DeriveKeyID(pub crypto.PublicKey) (string, error)

DeriveKeyID computes a deterministic kid from the SHA-256 hash of the DER-encoded public key (SPKI format). Returns a base64url-encoded string of the full 32-byte hash, suitable for JWKS key rotation.

func LoadSigningKey added in v0.22.0

func LoadSigningKey(path string) (crypto.Signer, error)

LoadSigningKey reads a PEM file and returns the parsed private key. Supports RSA (PKCS#1 / PKCS#8) and ECDSA (SEC1 / PKCS#8).

func ParseSigningKey added in v0.28.0

func ParseSigningKey(data []byte) (crypto.Signer, error)

ParseSigningKey parses PEM-encoded data into a supported private key. Supports RSA (PKCS#1 / PKCS#8) and ECDSA (SEC1 / PKCS#8). All PEM blocks are tried in order until a supported key is found.
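How the two documented behaviours fit together (try every PEM block in order; kid = base64url of SHA-256 over the DER SPKI), as an added example rather than the package's implementation. parseSigningKeyPEM and deriveKeyID are this example's own functions written from the descriptions above; the P-256 and Ed25519 keys are generated on the fly and the leading CERTIFICATE block is constructed junk, there to show an unrelated block being skipped.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// parseSigningKeyPEM walks every PEM block in order and returns the first RSA or ECDSA
// private key it can decode (PKCS#1, SEC1 or PKCS#8); unrelated blocks are skipped.
func parseSigningKeyPEM(data []byte) (crypto.Signer, error) {
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		switch block.Type {
		case "RSA PRIVATE KEY": // PKCS#1
			if k, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
				return k, nil
			}
		case "EC PRIVATE KEY": // SEC1
			if k, err := x509.ParseECPrivateKey(block.Bytes); err == nil {
				return k, nil
			}
		case "PRIVATE KEY": // PKCS#8; may also wrap Ed25519, which the provider cannot use
			if k, err := x509.ParsePKCS8PrivateKey(block.Bytes); err == nil {
				switch k.(type) {
				case *rsa.PrivateKey, *ecdsa.PrivateKey:
					return k.(crypto.Signer), nil
				}
			}
		}
	}
	return nil, errors.New("no supported private key (RSA or ECDSA) found in PEM data")
}

// deriveKeyID hashes the DER SubjectPublicKeyInfo with SHA-256 and returns the full
// 32-byte digest base64url-encoded without padding, i.e. 43 characters.
func deriveKeyID(pub crypto.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// KidsAcrossEncodings generates a throwaway P-256 key, stores it as SEC1 PEM and as
// PKCS#8 PEM behind a junk CERTIFICATE block, parses both back and derives a kid from
// each. Both kids must match: the kid depends only on the SPKI bytes, so re-encoding
// the key file from SEC1 to PKCS#8 does not change the key's identity in the JWKS.
func KidsAcrossEncodings() (sec1Kid, pkcs8Kid string, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	sec1, err1 := x509.MarshalECPrivateKey(priv)
	pkcs8, err2 := x509.MarshalPKCS8PrivateKey(priv)
	if err = errors.Join(err1, err2); err != nil {
		return "", "", err
	}
	sec1PEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: sec1})
	junk := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("placeholder, not a certificate")})
	pkcs8PEM := append(junk, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8})...)
	var kids [2]string
	for i, in := range [][]byte{sec1PEM, pkcs8PEM} {
		signer, err := parseSigningKeyPEM(in)
		if err != nil {
			return "", "", fmt.Errorf("input %d: %w", i, err)
		}
		if kids[i], err = deriveKeyID(signer.Public()); err != nil {
			return "", "", err
		}
	}
	return kids[0], kids[1], nil
}

// UnsupportedKeyIsRejected feeds a PKCS#8 Ed25519 key to the parser: the block decodes,
// but the key type is unusable, so the parser must skip it and report no usable key.
func UnsupportedKeyIsRejected() bool {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false
	}
	der, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for a well-formed Ed25519 key
	_, err = parseSigningKeyPEM(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
	return err != nil
}

func main() {
	a, b, err := KidsAcrossEncodings()
	fmt.Println("kid:", a, "same across encodings:", a == b, "err:", err, "ed25519 rejected:", UnsupportedKeyIsRejected())
}
```

Deriving the kid from the public key rather than from a file name or timestamp is what makes rotation safe: a JWKS consumer can cache by kid and be sure that two documents advertising the same kid carry the same key.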

Types

type IDTokenParams added in v0.13.0

type IDTokenParams = core.IDTokenParams

IDTokenParams holds all data needed to generate an OIDC ID Token (OIDC Core 1.0 §2). Re-exported from core as a type alias so existing callers (token.IDTokenParams{...}) compile unchanged while the canonical definition lives in core.

type IDTokenProvider added in v0.15.0

type IDTokenProvider = core.IDTokenProvider

IDTokenProvider is an optional capability of a TokenProvider. Currently, LocalTokenProvider is the only built-in production implementation. Re-exported from core for callers that import only the token package.

type LocalTokenProvider

type LocalTokenProvider struct {
	// contains filtered or unexported fields
}

LocalTokenProvider generates and validates JWTs locally, using an HS256 secret by default or an asymmetric key supplied through WithSigningKey.

func NewLocalTokenProvider

func NewLocalTokenProvider(cfg *config.Config, opts ...Option) (*LocalTokenProvider, error)

NewLocalTokenProvider creates a new local token provider. By default it uses HS256. Use WithSigningKey and WithKeyID for asymmetric algorithms. Returns an error if the algorithm requires an asymmetric key but none was provided.

func (*LocalTokenProvider) Algorithm added in v0.22.0

func (p *LocalTokenProvider) Algorithm() string

Algorithm returns the JWT signing algorithm name (e.g. "HS256", "RS256", "ES256").

func (*LocalTokenProvider) GenerateClientCredentialsToken added in v0.12.0

func (p *LocalTokenProvider) GenerateClientCredentialsToken(
	ctx context.Context,
	userID, clientID, scopes string,
	ttl time.Duration,
) (*Result, error)

GenerateClientCredentialsToken creates an access token for the client_credentials grant. If ttl > 0 it overrides the default CLIENT_CREDENTIALS_TOKEN_EXPIRATION. The userID field carries the synthetic machine identity "client:<clientID>".

func (*LocalTokenProvider) GenerateIDToken added in v0.13.0

func (p *LocalTokenProvider) GenerateIDToken(params IDTokenParams) (string, error)

GenerateIDToken creates a signed JWT ID Token for the given params. The signing algorithm and key are determined by the provider's configuration. ID tokens are not stored in the database; they are short-lived and non-revocable by design.

func (*LocalTokenProvider) GenerateRefreshToken

func (p *LocalTokenProvider) GenerateRefreshToken(
	ctx context.Context,
	userID, clientID, scopes string,
	ttl time.Duration,
) (*Result, error)

GenerateRefreshToken creates a refresh token JWT. If ttl > 0 it overrides the default REFRESH_TOKEN_EXPIRATION.

func (*LocalTokenProvider) GenerateToken

func (p *LocalTokenProvider) GenerateToken(
	ctx context.Context,
	userID, clientID, scopes string,
	ttl time.Duration,
) (*Result, error)

GenerateToken creates a JWT access token using local signing. If ttl > 0 it overrides p.config.JWTExpiration and no jitter is applied (the caller has chosen an explicit lifetime per client profile).

func (*LocalTokenProvider) KeyID added in v0.22.0

func (p *LocalTokenProvider) KeyID() string

KeyID returns the "kid" value used in JWT headers.

func (*LocalTokenProvider) Name

func (p *LocalTokenProvider) Name() string

Name returns the provider name, for logging.

func (*LocalTokenProvider) ParseJWT added in v0.18.0

func (p *LocalTokenProvider) ParseJWT(tokenString string) (*ValidationResult, error)

ParseJWT parses a JWT token, verifies its signature, and extracts standard claims. It does not check the "type" claim — callers (ValidateToken, ValidateRefreshToken) add their own type-specific checks on top.

func (*LocalTokenProvider) PublicKey added in v0.22.0

func (p *LocalTokenProvider) PublicKey() crypto.PublicKey

PublicKey returns the asymmetric public verification key. Returns nil for HS256 (symmetric key).

func (*LocalTokenProvider) RefreshAccessToken

func (p *LocalTokenProvider) RefreshAccessToken(
	ctx context.Context,
	refreshToken string,
	accessTTL, refreshTTL time.Duration,
) (*RefreshResult, error)

RefreshAccessToken generates new access token (and optionally new refresh token in rotation mode). accessTTL and refreshTTL override the default expirations when > 0, allowing the caller (TokenService) to apply the client's current TokenProfile at refresh time rather than reusing the TTL the original tokens were issued with.

func (*LocalTokenProvider) ValidateRefreshToken

func (p *LocalTokenProvider) ValidateRefreshToken(
	ctx context.Context,
	tokenString string,
) (*ValidationResult, error)

ValidateRefreshToken verifies a refresh token JWT. Like ValidateToken, it layers its own type-specific check (type=="refresh") on top of ParseJWT.

func (*LocalTokenProvider) ValidateToken

func (p *LocalTokenProvider) ValidateToken(
	ctx context.Context,
	tokenString string,
) (*ValidationResult, error)

ValidateToken verifies a JWT access token using local verification. It rejects refresh tokens (type=="refresh") at the JWT level.
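A minimal HS256 provider, added here to show why the "type" check belongs to ValidateToken and ValidateRefreshToken rather than to ParseJWT, and what goes wrong without it: a refresh token has a perfectly valid signature, so signature verification alone would let it pass as an access token. This is not the package's code; HS256Provider, Claims and the demo secret are the example's own, and ErrInvalidToken/ErrExpiredToken are local stand-ins for the package's variables. The example also pins the "alg" header to the provider's configured algorithm, which any JWT verifier must do.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var ErrInvalidToken = errors.New("invalid token") // stand-in for the package's sentinel
var ErrExpiredToken = errors.New("token expired") // stand-in for the package's sentinel

// Claims is the subset used here; "type" is the access/refresh discriminator.
type Claims struct {
	Sub  string `json:"sub"`
	Type string `json:"type"`
	Exp  int64  `json:"exp"`
}

// HS256Provider signs and verifies with one shared secret.
type HS256Provider struct{ Secret []byte }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func (p *HS256Provider) mac(signingInput string) []byte {
	m := hmac.New(sha256.New, p.Secret)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// Sign produces header.payload.signature for the given claims.
func (p *HS256Provider) Sign(c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	return input + "." + b64(p.mac(input))
}

// ParseJWT verifies the signature and exp and returns the claims. Like the package's
// ParseJWT it deliberately ignores "type"; that check belongs to the caller.
func (p *HS256Provider) ParseJWT(tok string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, ErrInvalidToken
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	// Pin the algorithm to the provider's own configuration: a header-chosen "alg"
	// (none, or a switch to another key family) is never honoured.
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, ErrInvalidToken
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, p.mac(parts[0]+"."+parts[1])) { // constant-time compare
		return nil, ErrInvalidToken
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(body, &c) != nil {
		return nil, ErrInvalidToken
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) { // a token without exp is not eternal
		return nil, ErrExpiredToken
	}
	return &c, nil
}

// ValidateToken accepts only access tokens: a refresh token carries a valid signature
// but the wrong "type", so it is rejected before any scope or session logic runs.
func (p *HS256Provider) ValidateToken(tok string, now time.Time) (*Claims, error) {
	return p.validateType(tok, now, "access")
}

// ValidateRefreshToken is the mirror image for the refresh grant.
func (p *HS256Provider) ValidateRefreshToken(tok string, now time.Time) (*Claims, error) {
	return p.validateType(tok, now, "refresh")
}

func (p *HS256Provider) validateType(tok string, now time.Time, want string) (*Claims, error) {
	c, err := p.ParseJWT(tok, now)
	if err != nil {
		return nil, err
	}
	if c.Type != want {
		return nil, fmt.Errorf("%w: expected type %q, got %q", ErrInvalidToken, want, c.Type)
	}
	return c, nil
}

func main() {
	p := &HS256Provider{Secret: []byte("constructed-demo-secret-not-for-production")}
	refresh := p.Sign(Claims{Sub: "user-1", Type: "refresh", Exp: time.Now().Add(time.Hour).Unix()})
	_, err := p.ValidateToken(refresh, time.Now())
	fmt.Println("refresh token presented as access token:", err)
}
```

The split matters because refresh tokens are long-lived: without the type check, a leaked refresh token could be presented directly to a resource server as a bearer token for its whole lifetime instead of having to pass through the token endpoint, where rotation and revocation are enforced.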

type Option added in v0.22.0

type Option func(*LocalTokenProvider)

Option configures a LocalTokenProvider.

func WithKeyID added in v0.22.0

func WithKeyID(kid string) Option

WithKeyID sets the "kid" JWT header value.

func WithSigningKey added in v0.22.0

func WithSigningKey(privateKey crypto.Signer, publicKey crypto.PublicKey) Option

WithSigningKey sets the asymmetric signing and verification keys. Only *rsa.PrivateKey/*rsa.PublicKey (RS256) and *ecdsa.PrivateKey/*ecdsa.PublicKey (ES256) are supported; NewLocalTokenProvider validates concrete types and returns an error on mismatch.
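The concrete-type check described above, together with the extra checks a reviewer would ask for, as an added example and not the package's NewLocalTokenProvider (which also takes a *config.Config this example leaves out). AlgForKeys, LocalProvider and the throwaway key generators are the example's own. The P-256 requirement follows RFC 7518's definition of ES256; the 2048-bit RSA floor and the check that the public key actually belongs to the signer are this example's choices, since a mismatched pair would produce tokens that no one can verify.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
)

// AlgForKeys performs the concrete-type check the docs describe (RSA -> RS256, ECDSA -> ES256)
// plus three checks worth insisting on: the public key must belong to the signer, ES256 means
// the P-256 curve specifically, and an RSA modulus below 2048 bits is refused.
func AlgForKeys(priv crypto.Signer, pub crypto.PublicKey) (string, error) {
	switch k := priv.(type) {
	case *rsa.PrivateKey:
		p, ok := pub.(*rsa.PublicKey)
		if !ok {
			return "", errors.New("RS256: public key must be *rsa.PublicKey")
		}
		if !k.PublicKey.Equal(p) {
			return "", errors.New("RS256: public key does not belong to the signer")
		}
		if k.N.BitLen() < 2048 {
			return "", fmt.Errorf("RS256: modulus is %d bits, need at least 2048", k.N.BitLen())
		}
		return "RS256", nil
	case *ecdsa.PrivateKey:
		p, ok := pub.(*ecdsa.PublicKey)
		if !ok {
			return "", errors.New("ES256: public key must be *ecdsa.PublicKey")
		}
		if !k.PublicKey.Equal(p) {
			return "", errors.New("ES256: public key does not belong to the signer")
		}
		if k.Curve != elliptic.P256() {
			return "", fmt.Errorf("ES256 requires P-256, got %s", k.Curve.Params().Name)
		}
		return "ES256", nil
	default:
		return "", fmt.Errorf("unsupported signing key type %T", priv)
	}
}

// LocalProvider and Option mirror the documented functional-option shape.
type LocalProvider struct {
	alg  string
	kid  string
	priv crypto.Signer
	pub  crypto.PublicKey
}

type Option func(*LocalProvider)

func WithSigningKey(priv crypto.Signer, pub crypto.PublicKey) Option {
	return func(p *LocalProvider) { p.priv, p.pub = priv, pub }
}

func WithKeyID(kid string) Option { return func(p *LocalProvider) { p.kid = kid } }

// NewLocalProvider defaults to HS256 and switches to an asymmetric algorithm only once
// the supplied pair has passed AlgForKeys; a bad pair is an error, not a silent fallback.
func NewLocalProvider(opts ...Option) (*LocalProvider, error) {
	p := &LocalProvider{alg: "HS256"}
	for _, o := range opts {
		o(p)
	}
	if p.priv != nil {
		alg, err := AlgForKeys(p.priv, p.pub)
		if err != nil {
			return nil, err
		}
		p.alg = alg
	}
	return p, nil
}

func (p *LocalProvider) Algorithm() string           { return p.alg }
func (p *LocalProvider) KeyID() string               { return p.kid }
func (p *LocalProvider) PublicKey() crypto.PublicKey { return p.pub } // nil for HS256

// Throwaway key generators for the demo and its tests; must panics on entropy failure.
func must[K any](k K, err error) K {
	if err != nil {
		panic(err)
	}
	return k
}
func NewP256Key() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func NewP384Key() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader)) }
func NewRSAKey() *rsa.PrivateKey    { return must(rsa.GenerateKey(rand.Reader, 2048)) }

func main() {
	k := NewP384Key() // wrong curve on purpose
	_, err := NewLocalProvider(WithSigningKey(k, &k.PublicKey), WithKeyID("demo"))
	fmt.Println("P-384 key offered for ES256:", err)
}
```

Failing fast at construction is the right place for these checks: a provider that silently fell back to HS256 when handed a bad key pair would issue tokens under an algorithm the deployment never intended to use.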

type RefreshResult

type RefreshResult = core.TokenRefreshResult

RefreshResult is an alias for core.TokenRefreshResult.

type Result

type Result = core.TokenResult

Result is an alias for core.TokenResult. All existing callers using *token.Result continue to compile unchanged.

type ValidationResult

type ValidationResult = core.TokenValidationResult

ValidationResult is an alias for core.TokenValidationResult.
