authn

package
v0.17.0
Published: Jun 6, 2026 License: MIT Imports: 13 Imported by: 2

Documentation


Constants

This section is empty.

Variables

var (
	ErrMissingAuthorization = errors.New("missing authorization")
	ErrInvalidCredentials   = errors.New("invalid credentials")
)
var ErrInvalidToken = errors.New("invalid token")

ErrInvalidToken is returned when a bearer token is missing required properties, fails signature verification, or fails claim validation.

Functions

func JWTClaimsFromContext added in v0.15.1

func JWTClaimsFromContext(ctx context.Context) (map[string]any, bool)

JWTClaimsFromContext returns the verified JWT claims that JWTAuthenticator stored on the request context, if the request was authenticated by it.

Types

type Authenticator

type Authenticator struct {
	Type         string
	Authenticate func(*http.Request) error
	Forbidden    func(w http.ResponseWriter, r *http.Request, err error)

	// ShareValueSlice writes the WWW-Authenticate value from a single slice
	// shared across requests instead of allocating one per unauthenticated
	// response. Type is fixed at construction, so this is safe as long as
	// nothing mutates the response header value slice in place. Off by
	// default; see header.SetShared.
	ShareValueSlice bool
}

Authenticator is a generic authentication middleware: Authenticate is called for every request, and Forbidden writes the response for requests it rejects.

func (Authenticator) ServeHandler

func (m Authenticator) ServeHandler(h http.Handler) http.Handler

ServeHandler implements the middleware interface.

type BasicAuthenticator

type BasicAuthenticator struct {
	Realm        string
	Authenticate func(r *http.Request, username, password string) error

	// ShareValueSlice writes the WWW-Authenticate value from a single slice
	// shared across requests instead of allocating one per unauthenticated
	// response. The value is fixed at construction (it depends only on Realm),
	// so this is safe as long as nothing mutates the response header value
	// slice in place. Off by default; see header.SetShared.
	ShareValueSlice bool
}

BasicAuthenticator is an HTTP Basic authentication middleware: Authenticate is called with the username and password decoded from each request, and Realm is reported in the WWW-Authenticate challenge.

func Basic

func Basic(username, password string) *BasicAuthenticator

Basic creates a new basic auth middleware for the given username and password.

func (BasicAuthenticator) ServeHandler

func (m BasicAuthenticator) ServeHandler(h http.Handler) http.Handler

ServeHandler implements the middleware interface.

type ForwardAuthenticator added in v0.11.0

type ForwardAuthenticator struct {
	URL                 *url.URL
	Client              *http.Client
	AuthRequestHeaders  []string
	AuthResponseHeaders []string
}

ForwardAuthenticator is a forward-auth middleware that delegates the authentication decision to the service at URL, reached through Client. AuthRequestHeaders and AuthResponseHeaders select which headers are passed to that service and copied back from its response.

func Forward added in v0.11.0

func Forward(url *url.URL) *ForwardAuthenticator

Forward creates a new auth request middleware for url.

func (ForwardAuthenticator) ServeHandler added in v0.11.0

func (m ForwardAuthenticator) ServeHandler(h http.Handler) http.Handler

type ForwardServerError added in v0.11.0

type ForwardServerError struct {
	Response         *http.Response
	OriginError      error
	StatusCode       int
	IsTransportError bool
}

func (*ForwardServerError) Error added in v0.11.0

func (err *ForwardServerError) Error() string

type JWTAuthenticator added in v0.15.1

type JWTAuthenticator struct {
	// Key verifies the token signature. See JWT for accepted types.
	Key any

	// Algorithms is the set of accepted signature algorithms. It is required;
	// when empty every request is rejected.
	Algorithms []jose.SignatureAlgorithm

	// Issuer and Audience, when set, must match the token's "iss" and "aud"
	// claims respectively.
	Issuer   string
	Audience string

	// Leeway tolerates clock skew when checking the time-based claims "exp",
	// "nbf" and "iat". Defaults to jwt.DefaultLeeway (1 minute).
	Leeway time.Duration

	// Realm is reported in the WWW-Authenticate challenge on rejection.
	Realm string

	// Now overrides the clock used for claim validation. Defaults to time.Now;
	// mainly useful for tests.
	Now func() time.Time

	// ShareValueSlice shares the fixed WWW-Authenticate value slice across
	// rejected responses instead of allocating one per request. See
	// Authenticator.ShareValueSlice.
	ShareValueSlice bool
}

JWTAuthenticator is a JWT bearer-token authentication middleware; see JWT for how tokens are verified.

func JWT added in v0.15.1

func JWT(key any, algs ...jose.SignatureAlgorithm) *JWTAuthenticator

JWT creates a new JWT bearer-token authentication middleware. It reads the token from the Authorization: Bearer header, verifies its signature against key, and accepts only the listed signature algorithms.

The algorithm allowlist is mandatory: a token signed with any other algorithm — including "none" — is rejected. Pinning the algorithms this way prevents algorithm-confusion attacks, where an attacker re-signs a token with an algorithm the verifier did not intend to accept.

key may be any type go-jose accepts for verification: []byte for HMAC (HS256/384/512), an *rsa.PublicKey, *ecdsa.PublicKey or ed25519.PublicKey for asymmetric signatures, or a *jose.JSONWebKey / *jose.JSONWebKeySet.
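The allowlist rule that JWT enforces, as an added example that is not code from the authn package or go-jose: a minimal standard-library HS256 verifier that gates on the header's alg before doing any signature work. The mint helper, the key and the claims are constructed test input.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var ErrInvalidToken = errors.New("invalid token")
var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url
// mint builds a compact JWS whose header announces alg but whose signature is
// always HMAC-SHA256 over header.payload with key: constructed test input that
// lets the allowlist be exercised with "none" and unlisted algs.
func mint(alg string, claims map[string]any, key []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}
// verifyHS256 follows the contract documented for authn.JWT: the header alg is
// gated by the allowlist before the signature, so "none" or an unlisted alg
// never reaches the HMAC, and an empty allowlist rejects every token. HS256 only.
func verifyHS256(token string, key []byte, allowed map[string]bool) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrInvalidToken
	}
	var hdr struct{ Alg string `json:"alg"` }
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil ||
		!allowed[hdr.Alg] || hdr.Alg != "HS256" {
		return nil, ErrInvalidToken
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) { // constant-time compare
		return nil, ErrInvalidToken
	}
	var claims map[string]any // parsed only once the signature holds
	rawBody, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(rawBody, &claims) != nil {
		return nil, ErrInvalidToken
	}
	return claims, nil
}
```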

func (JWTAuthenticator) ServeHandler added in v0.15.1

func (m JWTAuthenticator) ServeHandler(h http.Handler) http.Handler

ServeHandler implements the middleware interface.
