jwtkit

package
v0.12.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 2, 2026 License: MIT Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// DefaultAuthKeysPath is the default directory where External Secrets mounts auth keys
	DefaultAuthKeysPath = "/vault/auth"
)

Variables

This section is empty.

Functions

func BaseRegisteredClaims 

func BaseRegisteredClaims(subject string, audiences []string, ttl time.Duration) jwt.RegisteredClaims

Helper to make base registered claims.

func ServeJWKS 

func ServeJWKS(w http.ResponseWriter, r *http.Request, ks JWKS)

ServeJWKS writes JWKS JSON to the ResponseWriter.

Types

type ClaimsBuilder 

type ClaimsBuilder interface {
	// Build returns application-specific claims to embed.
	Build(ctx context.Context, userID string, base jwt.RegisteredClaims) (map[string]any, error)
}

ClaimsBuilder builds custom claims layered on top of RegisteredClaims.

type GeneratedKeySource 

type GeneratedKeySource struct {
	// contains filtered or unexported fields
}

GeneratedKeySource generates and persists RSA keys (for development only). Keys are stored in .runtime/authkit/ and reused across restarts.

func NewGeneratedKeySource 

func NewGeneratedKeySource() (*GeneratedKeySource, error)

NewGeneratedKeySource creates a KeySource with auto-generated RSA keys. First attempts to load from .runtime/authkit/, otherwise generates new keys and persists them. This should only be used in development environments.

func (*GeneratedKeySource) ActiveSigner 

func (g *GeneratedKeySource) ActiveSigner() Signer

func (*GeneratedKeySource) PublicKeys 

func (g *GeneratedKeySource) PublicKeys() map[string]*rsa.PublicKey

type HeaderSigner added in v0.12.0 

type HeaderSigner interface {
	Signer
	// SignWithHeaders signs claims and merges the provided extra JOSE header
	// params into the token header (kid is still set by the signer).
	SignWithHeaders(ctx context.Context, claims jwt.MapClaims, headers map[string]any) (token string, err error)
}

HeaderSigner is an optional extension of Signer that lets callers set extra JOSE header parameters (e.g. `typ`) on the signed token. Delegated access tokens use it to stamp the `typ=at+jwt` header. Mint code type-asserts to this interface and falls back to plain Sign when a signer does not implement it, so the extension is fully backwards compatible.

type JWK 

type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use,omitempty"`
	Kid string `json:"kid,omitempty"`
	Alg string `json:"alg,omitempty"`
	N   string `json:"n"` // base64url
	E   string `json:"e"` // base64url
}

JWK minimal fields for RSA public keys.

func RSAPublicToJWK 

func RSAPublicToJWK(pub *rsa.PublicKey, kid, alg string) JWK

RSAPublicToJWK converts an RSA public key to a JWK.

type JWKS 

type JWKS struct {
	Keys []JWK `json:"keys"`
}

type KeySource 

type KeySource interface {
	ActiveSigner() Signer
	PublicKeys() map[string]*rsa.PublicKey
}

KeySource provides the active signer and public keys for JWKS.

func NewAutoKeySource 

func NewAutoKeySource() (KeySource, error)

NewAutoKeySource auto-discovers JWT keys from multiple sources with the following priority: 1. Environment variables (ACTIVE_KEY_ID, ACTIVE_PRIVATE_KEY_PEM, PUBLIC_KEYS) - highest priority 2. Filesystem /vault/auth/keys.json (External Secrets Operator in Kubernetes) 3. Auto-generated keys in .runtime/authkit/ (development fallback)

This function is designed for use in production and development environments: - Production: Keys injected via External Secrets into /vault/auth/keys.json - Local dev with secrets: Set env vars to override filesystem - Local dev without secrets: Auto-generates and persists keys

Returns error only if keys are explicitly provided but invalid (parsing errors). Returns nil error with generated keys if no keys found (development mode).

type RSASigner 

type RSASigner struct {
	// contains filtered or unexported fields
}

Minimal in-memory RSA signer for bootstrap/dev. Production should load from KMS or DB.

func NewRSASigner 

func NewRSASigner(bits int, kid string) (*RSASigner, error)

func NewRSASignerFromPEM 

func NewRSASignerFromPEM(kid string, pemBytes []byte) (*RSASigner, error)

NewRSASignerFromPEM constructs an RSASigner from a PEM-encoded private key.

func (*RSASigner) Algorithm 

func (s *RSASigner) Algorithm() string

func (*RSASigner) KID 

func (s *RSASigner) KID() string

func (*RSASigner) PrivateKey 

func (s *RSASigner) PrivateKey() *rsa.PrivateKey

func (*RSASigner) PublicKey 

func (s *RSASigner) PublicKey() *rsa.PublicKey

func (*RSASigner) Sign 

func (s *RSASigner) Sign(_ context.Context, claims jwt.MapClaims) (string, error)

func (*RSASigner) SignWithHeaders added in v0.12.0 

func (s *RSASigner) SignWithHeaders(_ context.Context, claims jwt.MapClaims, headers map[string]any) (string, error)

SignWithHeaders implements HeaderSigner: it signs claims and merges extra JOSE header params (e.g. `typ`) into the token header. The signer's own kid is set last and cannot be overridden by the supplied headers.

type Signer 

type Signer interface {
	// Algorithm returns the JWS algorithm (e.g., RS256, EdDSA).
	Algorithm() string
	// KID returns current key id.
	KID() string
	// Sign creates a signed JWT with provided claims.
	Sign(ctx context.Context, claims jwt.MapClaims) (token string, err error)
}

Signer issues and verifies asymmetric JWTs.

type StaticKeySource 

type StaticKeySource struct {
	Active Signer
	Pubs   map[string]*rsa.PublicKey
}

StaticKeySource is a simple in-memory implementation.

func (StaticKeySource) ActiveSigner 

func (s StaticKeySource) ActiveSigner() Signer

func (StaticKeySource) PublicKeys 

func (s StaticKeySource) PublicKeys() map[string]*rsa.PublicKey

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.