Documentation
¶
Overview ¶
Package revocation records every composite (sub/act) delegation token minted by the token-exchange endpoint and lets it be revoked before expiry. A self-contained JWT is otherwise unkillable until it expires, so resource servers and the introspection endpoint consult this store (a jti denylist) for any act-bearing token.
Index ¶
- type Feed
- type FeedClaims
- type FeedSigner
- type Record
- type Store
- func (s *Store) IsActive(ctx context.Context, jti string) (bool, error)
- func (s *Store) RecordTx(ctx context.Context, tx pgx.Tx, r Record) error
- func (s *Store) Revoke(ctx context.Context, jti string) (int64, error)
- func (s *Store) RevokeByDelegation(ctx context.Context, delegationID string) (int64, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Feed ¶
type Feed struct {
// contains filtered or unexported fields
}
Feed builds and serves the signed revocation feed. It caches the signed bytes briefly so repeated scrapes don't hit the database on every request.
func NewFeed ¶
func NewFeed(pool *pgxpool.Pool, signer FeedSigner, issuer string) *Feed
NewFeed builds a revocation feed signer over the given pool and key source.
func (*Feed) Handler ¶
func (f *Feed) Handler() http.HandlerFunc
Handler serves the signed revocation feed at /.well-known/revoked.
type FeedClaims ¶
type FeedClaims struct {
jwt.RegisteredClaims
Version int64 `json:"ver"` // monotonic; verifiers reject a regressing version
JTIs []string `json:"jtis"` // sorted list of revoked, unexpired token ids
}
FeedClaims is the body of the signed revocation feed: a compact, TTL-bounded snapshot of currently-revoked-but-not-yet-expired token ids. Because tokens are short-lived, this set stays small (bounded by revoke-rate × max TTL), and a stale feed can only ever MISS a revoke — never forge one — with token expiry as the always-present backstop.
type FeedSigner ¶
type FeedSigner interface {
ActiveKID() string
ActiveSigner() *rsa.PrivateKey
}
FeedSigner provides the active signing key — the SAME key published in the issuer's JWKS — so the revocation feed shares the verifier's existing trust root (no new key to distribute).
type Record ¶
type Record struct {
JTI string
DelegationID *string
Subject string
AgentID *string
ActorChain []string
Audience string
Scopes []string
ExpiresAt time.Time
}
Record is the metadata persisted for a minted delegation token.
type Store ¶
type Store struct {
// contains filtered or unexported fields
}
func (*Store) IsActive ¶
IsActive reports whether a token jti is currently valid: present, not revoked, not expired. An unknown jti is treated as NOT active (fail closed) — we record every token we mint, so a missing row means the token was never issued by us.
func (*Store) RecordTx ¶
RecordTx persists a minted token within the caller's transaction, so the token row and its audit record commit together with the rest of the exchange.