authhttp

package
v0.11.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 25, 2026 License: MIT Imports: 37 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	ActionUpdateUsername           = "update_username"
	ActionRequestPasswordReset     = "request_password_reset"
	ActionRequestEmailVerification = "request_email_verification"
	ActionRequestPhoneVerification = "request_phone_verification"
)
View Source 
const (
	// 2FA-specific rate limit buckets
	RL2FAStartPhone      = "auth_2fa_start_phone"
	RL2FAEnable          = "auth_2fa_enable"
	RL2FADisable         = "auth_2fa_disable"
	RL2FARegenerateCodes = "auth_2fa_regenerate_codes"
	RL2FAVerify          = "auth_2fa_verify"

	RLAuthToken                = "auth_token"
	RLAuthRegister             = "auth_register"
	RLAuthRegisterAvailability = "auth_register_availability"
	RLAuthRegisterResendEmail  = "auth_register_resend_email"
	RLAuthRegisterResendPhone  = "auth_register_resend_phone"
	RLPasswordLogin            = "auth_password_login"
	RLAuthLogout               = "auth_logout"
	RLAuthSessionsCurrent      = "auth_sessions_current"
	RLAuthSessionsList         = "auth_sessions_list"
	RLAuthSessionsRevoke       = "auth_sessions_revoke"
	RLAuthSessionsRevokeAll    = "auth_sessions_revoke_all"

	RLPasswordResetRequest = "auth_pwd_reset_request"
	RLPasswordResetConfirm = "auth_pwd_reset_confirm"
	RLEmailVerifyRequest   = "auth_email_verify_request"
	RLEmailVerifyConfirm   = "auth_email_verify_confirm"
	RLPhoneVerifyRequest   = "auth_phone_verify_request"
	RLPhoneVerifyConfirm   = "auth_phone_verify_confirm"

	RLOIDCStart    = "auth_oidc_start"
	RLOIDCCallback = "auth_oidc_callback"

	RLUserPasswordChange = "auth_user_password_change"
	RLUserMe             = "auth_user_me"
	RLUserUpdateUsername = "auth_user_update_username"
	RLUserUpdateEmail    = "auth_user_update_email"

	RLUserEmailChangeRequest = "auth_user_email_change_request"
	RLUserEmailChangeConfirm = "auth_user_email_change_confirm"
	RLUserEmailChangeResend  = "auth_user_email_change_resend"

	RLUserPhoneChangeRequest = "auth_user_phone_change_request"
	RLUserPhoneChangeConfirm = "auth_user_phone_change_confirm"
	RLUserPhoneChangeResend  = "auth_user_phone_change_resend"

	RLUserDelete         = "auth_user_delete"
	RLUserUnlinkProvider = "auth_user_unlink_provider"

	RLAdminRolesGrant            = "auth_admin_roles_grant"
	RLAdminRolesRevoke           = "auth_admin_roles_revoke"
	RLAdminUserSessionsList      = "auth_admin_user_sessions_list"
	RLAdminUserSessionsRevoke    = "auth_admin_user_sessions_revoke"
	RLAdminUserSessionsRevokeAll = "auth_admin_user_sessions_revoke_all"
	RLAdminPasswordReset         = "auth_admin_password_reset"

	// Solana SIWS authentication
	RLSolanaChallenge = "auth_solana_challenge"
	RLSolanaLogin     = "auth_solana_login"
	RLSolanaLink      = "auth_solana_link"
)

Bucket names used by authkit endpoints.

View Source 
const ServiceTokenType = "service"

ServiceTokenType is the TokenType value carried by an Organization Access Token (OAT) — a machine credential that acts as the org, not a user.

Variables

This section is empty.

Functions

func AllowNamed 

func AllowNamed(r *http.Request, rl RateLimiter, bucket string) bool

AllowNamed applies a per-IP limit using the provided bucket name. It fails open on limiter error.

func CheckOrgAccess 

func CheckOrgAccess(ctx context.Context, svc *core.Service, userID, orgSlug string) (canonicalOrg string, memberRoles []string, isMember bool, err error)

CheckOrgAccess resolves orgSlug (slug or alias) to its canonical slug, verifies membership, and returns the member's org-scoped roles.

func DefaultRateLimits 

func DefaultRateLimits() map[string]Limit

DefaultRateLimits returns AuthKit's built-in per-endpoint rate limits.

These limits are enforced per client IP (as determined by the Service's ClientIPFunc). Hosts can override by supplying their own limiter via WithRateLimiter(...).

func HasAnyOrgRole 

func HasAnyOrgRole(roles []string, want ...string) bool

HasAnyOrgRole returns true if roles contains any of want (case-insensitive).

func HasRoleDBCheck 

func HasRoleDBCheck(ctx context.Context, pg *pgxpool.Pool, userID, role string) (bool, error)

HasRoleDBCheck checks whether the given user has the provided role slug in Postgres. It also verifies the user is not deleted or banned.

func IsAdmin 

func IsAdmin(ctx context.Context, pg *pgxpool.Pool, userID string) (bool, error)

IsAdmin checks whether the given user has the admin role in Postgres.

func JWKSHandler 

func JWKSHandler(jwks jwtkit.JWKS) http.Handler

JWKSHandler serves the public JWKS document for the given key set.

func LanguageMiddleware 

func LanguageMiddleware(cfg *LanguageConfig) func(http.Handler) http.Handler

LanguageMiddleware infers request language and attaches it to the request context.

func MintDelegatedToken added in v0.9.6 

func MintDelegatedToken(ctx context.Context, signer jwtkit.Signer, p DelegatedTokenParams) (string, error)

MintDelegatedToken signs a delegated platform token. It NEVER sets `sub` — the federated user is carried in `delegated_sub` — so a validating authkit will treat it as a DelegatedPrincipal and skip the local-user gate. The `sub` XOR `delegated_sub` invariant is enforced by construction here.

func Optional 

func Optional(v *Verifier) func(http.Handler) http.Handler

Optional validates when Authorization is present; otherwise passes through.

func RequireAdmin 

func RequireAdmin(pg *pgxpool.Pool) func(http.Handler) http.Handler

RequireAdmin verifies admin role directly in Postgres.

func Required 

func Required(v *Verifier) func(http.Handler) http.Handler

Required validates the Bearer token (JWT), enforces iss/aud/exp, and stores claims in request context.

func ToMemoryLimits 

func ToMemoryLimits(in map[string]Limit) map[string]memorylimiter.Limit

func ToRedisLimits 

func ToRedisLimits(in map[string]Limit) map[string]redislimiter.Limit

Types

type ActionAvailability added in v0.9.4 

type ActionAvailability struct {
	Action            string     `json:"action"`
	Allowed           bool       `json:"allowed"`
	Reason            string     `json:"reason,omitempty"`
	RetryAfterSeconds int64      `json:"retry_after_seconds,omitempty"`
	NextAllowedAt     *time.Time `json:"next_allowed_at,omitempty"`
	Limit             *int       `json:"limit,omitempty"`
	Remaining         *int       `json:"remaining,omitempty"`
	WindowSeconds     *int64     `json:"window_seconds,omitempty"`
	CooldownSeconds   *int64     `json:"cooldown_seconds,omitempty"`
}

type Claims 

type Claims struct {
	UserID          string
	Email           string
	EmailVerified   bool
	Username        string
	DiscordUsername string
	SessionID       string
	Roles           []string
	// GlobalRoles are the user's GLOBAL (platform-wide) roles, carried in the
	// `global_roles` claim in both single and multi-org mode. Use these for
	// global-admin authorization decisions.
	GlobalRoles []string
	Org         string
	// OrgRoles are the roles scoped to the org named in Org, carried in the
	// `org_roles` claim on org-scoped tokens. Use these for org-scoped authz.
	OrgRoles     []string
	Entitlements []string
	Issuer       string
	UserTier     string
	JTI          string

	// Delegated/federated fields. A delegated platform token carries the
	// external user in DelegatedSubject (claim `delegated_sub`) and the
	// federated org in Tenant (claim `tenant`, falling back to `org`). It never
	// carries `sub` (UserID stays empty), so the local-user gate does not apply.
	Tenant           string
	DelegatedSubject string

	// TokenType marks the credential class. Empty for ordinary user JWTs;
	// "service" for an Organization Access Token (OAT) acting AS THE ORG. A
	// service principal carries Org + Permissions but no UserID, so the live-user
	// ban/enrichment gate is skipped (there is no user to look up).
	TokenType string

	// Permissions are the app-defined permission strings a service principal
	// (OAT) carries directly — the PBAC grant. Empty for user principals, whose
	// authority is expressed as OrgRoles that the resource server expands to
	// permissions at request time. authkit treats permission strings as opaque.
	Permissions []string
}

Claims is a typed view of authenticated user information attached by middleware.

func ClaimsFromContext 

func ClaimsFromContext(ctx context.Context) (Claims, bool)

func (Claims) Delegated added in v0.9.6 

func (c Claims) Delegated() (DelegatedPrincipal, bool)

Delegated returns the typed DelegatedPrincipal when the claims are delegated.

func (Claims) HasEntitlement 

func (c Claims) HasEntitlement(ent string) bool

func (Claims) HasRole 

func (c Claims) HasRole(role string) bool

func (Claims) IsDelegated added in v0.9.6 

func (c Claims) IsDelegated() bool

IsDelegated reports whether these claims represent a delegated platform principal (i.e. carry `delegated_sub` rather than a local `sub`).

func (Claims) IsService added in v0.11.0 

func (c Claims) IsService() bool

IsService reports whether these claims represent a service principal (an Organization Access Token), as opposed to a human user or delegated subject.

type ClientIPFunc 

type ClientIPFunc func(r *http.Request) string

ClientIPFunc determines the client IP used for rate limiting and auditing.

Returning an empty string means "unknown" and causes rate limiting to fail open.

func ClientIPFromForwardedHeaders 

func ClientIPFromForwardedHeaders(trustedProxies []netip.Prefix) ClientIPFunc

ClientIPFromForwardedHeaders trusts CF-Connecting-IP and X-Forwarded-For only when the immediate peer (RemoteAddr) is in trustedProxies. Otherwise it falls back to DefaultClientIP behavior.

func DefaultClientIP 

func DefaultClientIP() ClientIPFunc

DefaultClientIP returns the immediate peer IP from RemoteAddr.

This intentionally includes private and loopback peers so embedded/local deployments still get default rate-limit protection. Hosts behind reverse proxies should use ClientIPFromForwardedHeaders with trusted proxy CIDRs when they need the original public client IP instead of the proxy peer.

func PublicRemoteAddrClientIP added in v0.9.1 

func PublicRemoteAddrClientIP() ClientIPFunc

PublicRemoteAddrClientIP returns the older conservative client IP strategy:

  • If RemoteAddr is a public IP, use it.
  • If RemoteAddr is private/loopback/etc, return "" (fail open) so we don't accidentally rate-limit a reverse proxy/ingress as a single client.

type DelegatedPrincipal added in v0.9.6 

type DelegatedPrincipal struct {
	Tenant           string
	DelegatedSubject string
	UserTier         string
	Roles            []string
	Issuer           string
}

DelegatedPrincipal is the federated identity carried by a delegated platform token: an external user (DelegatedSubject) acting under a federated org (Tenant). The subject does NOT exist as a local user in the validating service — authorization is by tenant/issuer trust, not local-user lookup.

type DelegatedTokenParams added in v0.9.6 

type DelegatedTokenParams struct {
	// Issuer is the platform issuer URL (becomes the `iss` claim) — must match a
	// federated issuer registered with the validating resource server.
	Issuer string
	// Audiences becomes the `aud` claim (the resource servers this token targets).
	Audiences []string
	// DelegatedSubject is the federated user id (becomes `delegated_sub`). Required.
	DelegatedSubject string
	// Tenant is the federated org slug (becomes `org` + `tenant`).
	Tenant string
	// UserTier becomes `user_tier` (the platform's tier for this user).
	UserTier string
	// Roles becomes `roles` (platform-scoped roles for this user).
	Roles []string
	// TTL is the token lifetime. Defaults to 15m when zero.
	TTL time.Duration
}

DelegatedTokenParams describes a delegated platform token to mint. The token represents a federated user (DelegatedSubject) acting under a federated org (Tenant). It is signed by the platform org's own issuer key.

type FederatedIssuerSource added in v0.10.0 

type FederatedIssuerSource interface {
	ListFederatedOrgIssuers(ctx context.Context, activeOnly bool) ([]core.FederatedOrgIssuer, error)
	// GetFederatedOrgIssuer fetches a SINGLE federated-org issuer by its
	// issuer_id, used by the lazy-load-on-miss path in keyForToken. *core.Service
	// already implements this.
	GetFederatedOrgIssuer(ctx context.Context, issuerID string) (*core.FederatedOrgIssuer, error)
}

FederatedIssuerSource is the minimal store contract the Verifier needs to load federated-org issuers. *core.Service satisfies it. An embedding app may supply its own implementation in tests or to source issuers from elsewhere.

type FederationClient added in v0.10.0 

type FederationClient struct {
	// contains filtered or unexported fields
}

FederationClient publishes THIS org's issuer registration to a resource server's inbound accept endpoint. It is the OUTBOUND (send-side) half of the AuthKit-owned federation handshake — the platform/IdP side (e.g. cozy-art) uses it to tell a resource server (e.g. tensorhub) "trust delegated tokens I mint with this issuer + JWKS URL". The resource server's handleFederatedIssuerRegisterPOST stores the registration.

func NewFederationClient added in v0.10.0 

func NewFederationClient(opts ...FederationClientOption) *FederationClient

NewFederationClient creates a FederationClient.

func (*FederationClient) RegisterIssuer added in v0.10.0 

func (fc *FederationClient) RegisterIssuer(ctx context.Context, acceptURL string, reg FederationRegistration) error

RegisterIssuer POSTs this org's issuer registration to the resource server's accept endpoint (acceptURL is the fully-qualified URL of the inbound handler, e.g. "https://tensorhub.example/api/v1/federated-issuers"). It returns an error for non-2xx responses.

type FederationClientOption added in v0.10.0 

type FederationClientOption func(*FederationClient)

FederationClientOption configures a FederationClient.

func WithFederationAuthToken added in v0.10.0 

func WithFederationAuthToken(token string) FederationClientOption

WithFederationAuthToken sets the Bearer token used to authenticate to the resource server's accept endpoint (owner/admin of the org being registered).

func WithFederationHTTPClient added in v0.10.0 

func WithFederationHTTPClient(c *http.Client) FederationClientOption

WithFederationHTTPClient sets the HTTP client used for registration calls.

type FederationRegistration added in v0.10.0 

type FederationRegistration struct {
	// Org is THIS org's slug (becomes the `org`/tenant claim of delegated tokens).
	Org string
	// IssuerID is THIS platform's issuer URL (the `iss` of delegated tokens).
	IssuerID string
	// JWKSURL is where the resource server fetches THIS platform's public keys.
	JWKSURL string
}

FederationRegistration is the payload published to a resource server.

type InternalErrorEvent added in v0.8.7 

type InternalErrorEvent struct {
	Route  string
	Stage  string
	Code   string
	Method string
	Path   string
	Err    error
}

InternalErrorEvent captures a swallowed internal handler error so host apps can log it without exposing implementation details to clients.

func (InternalErrorEvent) Error added in v0.8.7 

func (e InternalErrorEvent) Error() string

type IssuerKey 

type IssuerKey struct {
	KID          string
	PublicKeyPEM string
}

IssuerKey is a public key for an issuer, identified by key ID.

type IssuerOptions 

type IssuerOptions struct {
	// JWKSURL is the URL to fetch JWKS from. If set, keys are fetched
	// automatically and refreshed when they expire or an unknown kid appears.
	JWKSURL string

	// Keys are pre-provided public keys as PEM. The caller is responsible for
	// refreshing by calling AddIssuer again with updated keys.
	Keys []IssuerKey

	// RawKeys are pre-provided public keys. Useful when the caller already
	// has parsed *rsa.PublicKey values (e.g., from a co-located core.Service).
	RawKeys map[string]*rsa.PublicKey

	// CacheTTL controls how long fetched JWKS keys are considered fresh.
	// Default: 10 minutes.
	CacheTTL time.Duration

	// MaxStale controls how long stale keys may be used as fallback after
	// a failed JWKS refresh. Default: 1 hour.
	MaxStale time.Duration
}

IssuerOptions configures how keys are obtained for an issuer. Provide one of JWKSURL, Keys, or RawKeys.

type LanguageConfig 

type LanguageConfig struct {
	Supported  []string
	Default    string
	QueryParam string
	CookieName string
}

type Limit 

type Limit struct {
	Limit    int
	Window   time.Duration
	Cooldown time.Duration
}

Limit configures a named rate limit bucket.

type RateLimitResult added in v0.9.1 

type RateLimitResult struct {
	Allowed      bool
	RetryAfter   time.Duration
	Availability *ActionAvailability
}

type RateLimiter 

type RateLimiter interface {
	AllowNamed(bucket string, key string) (bool, error)
}

RateLimiter is a minimal interface used by adapters.

type RateLimiterWithResult added in v0.9.4 

type RateLimiterWithResult interface {
	AllowNamedResult(bucket string, key string) (ratelimit.Result, error)
}

type RateLimiterWithRetryAfter added in v0.9.1 

type RateLimiterWithRetryAfter interface {
	AllowNamedWithRetryAfter(bucket string, key string) (bool, time.Duration, error)
}

type RouteGroup added in v0.8.5 

type RouteGroup string

RouteGroup identifies a prefix-neutral AuthKit route capability. Host applications can mount all default groups or select only the capabilities they want to expose. 

const (
	RouteCore               RouteGroup = "core"
	RoutePassword           RouteGroup = "password"
	RouteRegister           RouteGroup = "register"
	RouteOwners             RouteGroup = "owners"
	RouteEmailVerification  RouteGroup = "email_verification"
	RoutePhoneVerification  RouteGroup = "phone_verification"
	RouteOrganizations      RouteGroup = "organizations"
	RouteUser               RouteGroup = "user"
	RouteAccountOIDCLinking RouteGroup = "account_oidc_linking"
	RouteTwoFactor          RouteGroup = "two_factor"
	RouteSolana             RouteGroup = "solana"
	RouteAdmin              RouteGroup = "admin"
	RouteOIDCBrowser        RouteGroup = "oidc_browser"
	// RouteFederation exposes the inbound accept-side federated-issuer registry
	// routes (the home for what tensorhub previously exposed as
	// `/api/v1/platform/issuers`).
	RouteFederation RouteGroup = "federation"
)

type RouteSpec added in v0.8.5 

type RouteSpec struct {
	Method  string
	Path    string
	Group   RouteGroup
	Handler http.Handler
}

RouteSpec is a concrete, prefix-neutral route with its AuthKit handler attached. Path parameters use net/http ServeMux syntax, e.g. "/owners/{slug}".

type Routes added in v0.8.5 

type Routes struct {
	// contains filtered or unexported fields
}

Routes provides access to AuthKit's canonical route groups.

func (Routes) DefaultAPI added in v0.8.5 

func (r Routes) DefaultAPI() []RouteSpec

DefaultAPI returns every AuthKit JSON API route enabled by this service.

func (Routes) Groups added in v0.8.5 

func (r Routes) Groups(groups ...RouteGroup) []RouteSpec

Groups returns every enabled AuthKit JSON API route in the requested groups.

func (Routes) OIDCBrowser added in v0.8.5 

func (r Routes) OIDCBrowser() []RouteSpec

OIDCBrowser returns browser redirect OIDC routes without a mount prefix. Host applications choose where to mount them, commonly "/oidc".

type Service 

type Service struct {
	// contains filtered or unexported fields
}

Service wraps core.Service with net/http mounting helpers.

func NewService 

func NewService(cfg core.Config) (*Service, error)

NewService constructs a core.Service and wraps it for net/http mounting. Returns an error if the core service fails to initialize (e.g., missing keys in production).

func (*Service) APIHandler 

func (s *Service) APIHandler() http.Handler

APIHandler returns a handler that serves prefix-neutral JSON API routes. It is intended to be mounted under the host's mux/router at the host's chosen API prefix.

func (*Service) APIRoutes added in v0.8.5 

func (s *Service) APIRoutes(groups ...RouteGroup) []RouteSpec

APIRoutes returns AuthKit's enabled JSON API routes. With no groups it returns the default API surface. With groups, it returns only matching routes.

func (*Service) Core 

func (s *Service) Core() *core.Service

func (*Service) DisableRateLimiter 

func (s *Service) DisableRateLimiter() *Service

func (*Service) JWKSHandler 

func (s *Service) JWKSHandler() http.Handler

JWKSHandler returns a handler for GET /.well-known/jwks.json.

func (*Service) OIDCBrowserRoutes added in v0.8.5 

func (s *Service) OIDCBrowserRoutes(groups ...RouteGroup) []RouteSpec

OIDCBrowserRoutes returns browser redirect routes with no mount prefix.

func (*Service) OIDCHandler 

func (s *Service) OIDCHandler() http.Handler

OIDCHandler returns a handler that serves browser redirect flows: - GET /oidc/{provider}/login - GET /oidc/{provider}/callback - GET /oidc/{provider}/reauth/callback

func (*Service) Routes added in v0.8.5 

func (s *Service) Routes() Routes

Routes returns AuthKit's canonical route registry for this service.

func (*Service) Verifier 

func (s *Service) Verifier() *Verifier

func (*Service) WithAuthLogReader 

func (s *Service) WithAuthLogReader(r core.AuthEventLogReader) *Service

func (*Service) WithAuthLogger 

func (s *Service) WithAuthLogger(l core.AuthEventLogger) *Service

func (*Service) WithClientIPFunc 

func (s *Service) WithClientIPFunc(fn ClientIPFunc) *Service

func (*Service) WithEmailSender 

func (s *Service) WithEmailSender(es core.EmailSender) *Service

func (*Service) WithEntitlements 

func (s *Service) WithEntitlements(p core.EntitlementsProvider) *Service

func (*Service) WithEphemeralStore 

func (s *Service) WithEphemeralStore(store core.EphemeralStore, mode core.EphemeralMode) *Service

func (*Service) WithErrorLogger added in v0.8.7 

func (s *Service) WithErrorLogger(fn func(context.Context, InternalErrorEvent)) *Service

func (*Service) WithLanguageConfig 

func (s *Service) WithLanguageConfig(cfg LanguageConfig) *Service

func (*Service) WithPostgres 

func (s *Service) WithPostgres(pg *pgxpool.Pool) *Service

func (*Service) WithRateLimiter 

func (s *Service) WithRateLimiter(rl RateLimiter) *Service

func (*Service) WithRedis 

func (s *Service) WithRedis(rd *redis.Client) *Service

func (*Service) WithSMSSender 

func (s *Service) WithSMSSender(sender core.SMSSender) *Service

func (*Service) WithSolanaDomain 

func (s *Service) WithSolanaDomain(domain string) *Service

WithSolanaDomain sets the domain used in SIWS sign-in messages. If not set, the domain is derived from the request Origin or Host header.

type Verifier 

type Verifier struct {
	// contains filtered or unexported fields
}

Verifier validates JWTs from one or more issuers.

For verify-only mode, create with NewVerifier and add issuers via AddIssuer. For issuing mode, authhttp.Service creates a Verifier internally.

func NewVerifier 

func NewVerifier(opts ...VerifierOption) *Verifier

NewVerifier creates a new Verifier. Add trusted issuers via AddIssuer.

func (*Verifier) AddIssuer 

func (v *Verifier) AddIssuer(issuerID string, audiences []string, opts IssuerOptions) error

AddIssuer registers (or updates) a trusted issuer. This is the single method for adding any issuer — whether at startup or at runtime, whether keys come from a JWKS URL or are pre-provided.

func (*Verifier) LoadFederatedIssuers added in v0.10.0 

func (v *Verifier) LoadFederatedIssuers(ctx context.Context, src FederatedIssuerSource, audiences []string) error

LoadFederatedIssuers loads the ACTIVE federated-org issuers from authkit's OWN store (the federated_org_issuers table) and registers each as a trusted issuer via AddIssuer with its JWKS URL. The Verifier's existing in-house JWKS fetch/refresh then handles the federated keys — there is NO external push or sync of keys.

audiences, when non-empty, is applied to every loaded issuer (typically this resource server's own audience). Call this at startup, and re-call (e.g. on a ticker, or after an inbound registration) to pick up store changes. Pass the embedding app's core.Service (or any FederatedIssuerSource); if nil, the Service provided via WithService is used.

func (*Verifier) RemoveIssuer 

func (v *Verifier) RemoveIssuer(issuerID string)

RemoveIssuer removes a previously added issuer.

func (*Verifier) Verify 

func (v *Verifier) Verify(tokenStr string) (Claims, error)

Verify parses + verifies a token and returns typed Claims. It enforces issuer/audience/expiry with the configured skew, plus authkit's user-token invariant, on top of VerifyClaims.

func (*Verifier) VerifyClaims added in v0.11.2 

func (v *Verifier) VerifyClaims(tokenStr string) (jwt.MapClaims, error)

VerifyClaims parses and cryptographically verifies a token against the registered issuers and returns its RAW validated claims. It performs the generic, token-type-agnostic checks: JWKS key resolution + signature, issuer must be registered, audience match, and exp/nbf/iat with the configured skew. It does NOT apply authkit's user-token semantics (the sub/delegated_sub invariant) or map into the typed Claims struct.

Use it to verify CUSTOM token types (e.g. a host application's capability tokens) that should reuse authkit's single JWKS engine — registry, caching, rotation, lazy-load — while carrying their own claim shape. The caller registers the token's issuer via AddIssuer and parses the returned MapClaims itself. Verify() is built on top of this for authkit's own user tokens.

func (*Verifier) WithService 

func (v *Verifier) WithService(svc *core.Service) *Verifier

WithService enables best-effort enrichment hooks (roles/provider usernames) from Postgres, and wires the same *core.Service as the default federated-issuer source for lazy-load-on-miss (see keyForToken).

type VerifierOption 

type VerifierOption func(*Verifier)

VerifierOption configures a Verifier.

func WithAlgorithms 

func WithAlgorithms(algs ...string) VerifierOption

WithAlgorithms sets the allowed JWS algorithms. Default: ["RS256"].

func WithHTTPClient 

func WithHTTPClient(c *http.Client) VerifierOption

WithHTTPClient sets the HTTP client used for JWKS fetching.

func WithOrgMode 

func WithOrgMode(mode string) VerifierOption

WithOrgMode sets the organization mode ("single" or "multi") for claim extraction. When "multi" and an org claim is present, roles are treated as org-scoped roles.

func WithSkew 

func WithSkew(d time.Duration) VerifierOption

WithSkew sets the clock skew tolerance for exp/nbf/iat checks. Default: 60s.

func WithTokenPrefix added in v0.11.0 

func WithTokenPrefix(prefix string) VerifierOption

WithTokenPrefix sets the host application's Organization Access Token (OAT) brand prefix used to detect OATs in the middleware. Empty -> bare "oat_".

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.