revocation

package
v0.1.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 23, 2026 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package revocation records every composite (sub/act) delegation token minted by the token-exchange endpoint and lets it be revoked before expiry. A self-contained JWT is otherwise unkillable until it expires, so resource servers and the introspection endpoint consult this store (a jti denylist) for any act-bearing token.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Feed

type Feed struct {
	// contains filtered or unexported fields
}

Feed builds and serves the signed revocation feed. It caches the signed bytes briefly so repeated scrapes don't hit the database on every request.

func NewFeed

func NewFeed(pool *pgxpool.Pool, signer FeedSigner, issuer string) *Feed

NewFeed builds a revocation feed signer over the given pool and key source.

func (*Feed) Handler

func (f *Feed) Handler() http.HandlerFunc

Handler serves the signed revocation feed at /.well-known/revoked.

func (*Feed) Snapshot

func (f *Feed) Snapshot(ctx context.Context) ([]byte, error)

Snapshot returns the current signed feed (cached for cacheFor).

type FeedClaims

type FeedClaims struct {
	jwt.RegisteredClaims
	Version int64    `json:"ver"`  // monotonic; verifiers reject a regressing version
	JTIs    []string `json:"jtis"` // sorted list of revoked, unexpired token ids
}

FeedClaims is the body of the signed revocation feed: a compact, TTL-bounded snapshot of currently-revoked-but-not-yet-expired token ids. Because tokens are short-lived, this set stays small (bounded by revoke-rate × max TTL), and a stale feed can only ever MISS a revoke — never forge one — with token expiry as the always-present backstop.

type FeedSigner

type FeedSigner interface {
	ActiveKID() string
	ActiveSigner() *rsa.PrivateKey
}

FeedSigner provides the active signing key — the SAME key published in the issuer's JWKS — so the revocation feed shares the verifier's existing trust root (no new key to distribute).

type Record

type Record struct {
	JTI          string
	DelegationID *string
	Subject      string
	AgentID      *string
	ActorChain   []string
	Audience     string
	Scopes       []string
	ExpiresAt    time.Time
}

Record is the metadata persisted for a minted delegation token.

type Store

type Store struct {
	// contains filtered or unexported fields
}

func NewStore

func NewStore(pool *pgxpool.Pool, pub *live.Publisher) *Store

func (*Store) IsActive

func (s *Store) IsActive(ctx context.Context, jti string) (bool, error)

IsActive reports whether a token jti is currently valid: present, not revoked, not expired. An unknown jti is treated as NOT active (fail closed) — we record every token we mint, so a missing row means the token was never issued by us.

func (*Store) RecordTx

func (s *Store) RecordTx(ctx context.Context, tx pgx.Tx, r Record) error

RecordTx persists a minted token within the caller's transaction, so the token row and its audit record commit together with the rest of the exchange.

func (*Store) Revoke

func (s *Store) Revoke(ctx context.Context, jti string) (int64, error)

Revoke marks a single token revoked. Returns the number of rows changed (0 if already revoked or unknown).

func (*Store) RevokeByDelegation

func (s *Store) RevokeByDelegation(ctx context.Context, delegationID string) (int64, error)

RevokeByDelegation marks every live token minted from a delegation revoked, used when the underlying delegation is revoked so its tokens die immediately.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL