Documentation
¶
Overview ¶
Package jwtutil offers shared helpers for signing and verifying JWTs with statically-configured multi-key sets — i.e. kid-based key rotation. It replaces the convenience that go-jose's JSONWebKeySet provided when picking the right key out of a set during verification, which golang-jwt/jwt/v5 leaves to the caller.
Index ¶
Constants ¶
This section is empty.
Variables ¶
Functions ¶
Types ¶
type HMACKey ¶
type HMACKey struct {
// ID is the value placed in (and matched against) the JWT's `kid` header.
ID string
// Key is the HMAC shared secret.
Key []byte
}
HMACKey is one entry in an HMACKeySet.
type HMACKeySet ¶
type HMACKeySet struct {
// contains filtered or unexported fields
}
HMACKeySet is an ordered set of HMAC keys for signing and verifying JWTs with kid-based key rotation. The first key is the active signer; all keys in the set are accepted during verification, allowing graceful rotation without invalidating in-flight tokens.
func NewHMACKeySet ¶
func NewHMACKeySet(method jwt.SigningMethod, keys ...HMACKey) (*HMACKeySet, error)
NewHMACKeySet builds an HMACKeySet for the given signing method. method must be one of jwt.SigningMethodHS256 / HS384 / HS512. The first key in keys is the active signer.
func NewHMACKeySetFromBytes ¶
func NewHMACKeySetFromBytes(method jwt.SigningMethod, keys ...[]byte) (*HMACKeySet, error)
NewHMACKeySetFromBytes is a convenience that derives each key's ID via HMACKeyID. Use when keys are configured as opaque secrets and the caller doesn't manage key IDs explicitly.
func (*HMACKeySet) ParseWithClaims ¶
func (ks *HMACKeySet) ParseWithClaims(token string, claims jwt.Claims, opts ...jwt.ParserOption) (*jwt.Token, error)
ParseWithClaims parses and verifies the token, selecting the signing key from the set by matching the token's `kid` header. The set's signing method is enforced via jwt.WithValidMethods. Additional parser options (WithIssuer, WithLeeway, WithExpirationRequired, …) may be passed.
func (*HMACKeySet) Sign ¶
func (ks *HMACKeySet) Sign(claims jwt.Claims) (string, error)
Sign returns a compact-serialized JWT signed with the active (first) key. The active key's ID is set as the `kid` header.
func (*HMACKeySet) SigningMethod ¶
func (ks *HMACKeySet) SigningMethod() jwt.SigningMethod
SigningMethod returns the signing method enforced by this key set.