jwtkit

package
v0.12.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 6, 2026 License: MIT Imports: 22 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	AccessTokenType          = "access+jwt"
	DelegatedAccessTokenType = "delegated-access+jwt"
)

AuthKit JOSE `typ` header values. These separate ordinary AuthKit access tokens from delegated access tokens before claims are mapped into principals.

View Source 
const (
	// DefaultAuthKeysPath is the default directory where External Secrets mounts auth keys
	DefaultAuthKeysPath = "/vault/auth"
)

Variables

View Source 
var ErrUnsupportedJWK = errors.New("unsupported_jwk")

Functions

func AlgorithmForPublicKey added in v0.12.3 

func AlgorithmForPublicKey(pub crypto.PublicKey) string

AlgorithmForPublicKey returns a default JWS alg for a public key when none is specified.

func BaseRegisteredClaims 

func BaseRegisteredClaims(subject string, audiences []string, ttl time.Duration) jwt.RegisteredClaims

Helper to make base registered claims.

func JWKSToPublicKeys added in v0.12.3 

func JWKSToPublicKeys(ks JWKS) (map[string]crypto.PublicKey, error)

JWKSToPublicKeys parses all supported keys in a JWKS document.

func JWKToPublicKey added in v0.12.3 

func JWKToPublicKey(j JWK) (crypto.PublicKey, error)

JWKToPublicKey parses a single JWK into a crypto.PublicKey.

func ParsePublicKeyFromPEM added in v0.12.3 

func ParsePublicKeyFromPEM(pemText string) (crypto.PublicKey, error)

ParsePublicKeyFromPEM parses a PKIX/SPKI, certificate, or PKCS#1 RSA public key PEM.

func ParsePublicKeyFromPEMBytes added in v0.12.3 

func ParsePublicKeyFromPEMBytes(pemBytes []byte) (crypto.PublicKey, error)

ParsePublicKeyFromPEMBytes parses a supported public key PEM block.

func ServeJWKS 

func ServeJWKS(w http.ResponseWriter, r *http.Request, ks JWKS)

ServeJWKS writes JWKS JSON to the ResponseWriter.

func SetLogger added in v0.12.3 

func SetLogger(l Logger)

SetLogger installs the package-level logger used for key-load warnings. Pass nil to restore the default no-op logger.

Types

type ClaimsBuilder 

type ClaimsBuilder interface {
	// Build returns application-specific claims to embed.
	Build(ctx context.Context, userID string, base jwt.RegisteredClaims) (map[string]any, error)
}

ClaimsBuilder builds custom claims layered on top of RegisteredClaims.

type ECDSASigner added in v0.12.3 

type ECDSASigner struct {
	// contains filtered or unexported fields
}

ECDSASigner signs JWTs with ES256, ES384, or ES512 based on the private key curve.

func (*ECDSASigner) Algorithm added in v0.12.3 

func (s *ECDSASigner) Algorithm() string

func (*ECDSASigner) KID added in v0.12.3 

func (s *ECDSASigner) KID() string

func (*ECDSASigner) PublicKey added in v0.12.3 

func (s *ECDSASigner) PublicKey() crypto.PublicKey

func (*ECDSASigner) Sign added in v0.12.3 

func (s *ECDSASigner) Sign(_ context.Context, claims jwt.MapClaims) (string, error)

func (*ECDSASigner) SignWithHeaders added in v0.12.3 

func (s *ECDSASigner) SignWithHeaders(_ context.Context, claims jwt.MapClaims, headers map[string]any) (string, error)

type Ed25519Signer added in v0.12.3 

type Ed25519Signer struct {
	// contains filtered or unexported fields
}

Ed25519Signer signs JWTs with EdDSA (Ed25519).

func NewEd25519Signer added in v0.12.3 

func NewEd25519Signer(kid string) (*Ed25519Signer, error)

NewEd25519Signer generates a new Ed25519 key pair for development/testing.

func (*Ed25519Signer) Algorithm added in v0.12.3 

func (s *Ed25519Signer) Algorithm() string

func (*Ed25519Signer) KID added in v0.12.3 

func (s *Ed25519Signer) KID() string

func (*Ed25519Signer) PublicKey added in v0.12.3 

func (s *Ed25519Signer) PublicKey() crypto.PublicKey

func (*Ed25519Signer) Sign added in v0.12.3 

func (s *Ed25519Signer) Sign(_ context.Context, claims jwt.MapClaims) (string, error)

func (*Ed25519Signer) SignWithHeaders added in v0.12.3 

func (s *Ed25519Signer) SignWithHeaders(_ context.Context, claims jwt.MapClaims, headers map[string]any) (string, error)

type GeneratedKeySource 

type GeneratedKeySource struct {
	// contains filtered or unexported fields
}

GeneratedKeySource generates and persists RSA keys (for development only).

func NewGeneratedKeySource 

func NewGeneratedKeySource() (*GeneratedKeySource, error)

NewGeneratedKeySource creates a KeySource with auto-generated RSA keys.

func (*GeneratedKeySource) ActiveSigner 

func (g *GeneratedKeySource) ActiveSigner() Signer

func (*GeneratedKeySource) PublicKeys 

func (g *GeneratedKeySource) PublicKeys() map[string]crypto.PublicKey

type HeaderSigner added in v0.12.0 

type HeaderSigner interface {
	Signer
	// SignWithHeaders signs claims and merges the provided extra JOSE header
	// params into the token header (kid is still set by the signer).
	SignWithHeaders(ctx context.Context, claims jwt.MapClaims, headers map[string]any) (token string, err error)
}

HeaderSigner is an extension of Signer that lets callers set extra JOSE header parameters (e.g. `typ`) on the signed token. AuthKit token minting uses it to stamp the token profile header.

type JWK 

type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use,omitempty"`
	Kid string `json:"kid,omitempty"`
	Alg string `json:"alg,omitempty"`
	// RSA
	N string `json:"n,omitempty"`
	E string `json:"e,omitempty"`
	// EC / OKP
	Crv string `json:"crv,omitempty"`
	X   string `json:"x,omitempty"`
	Y   string `json:"y,omitempty"`
}

JWK represents a JSON Web Key (RSA, EC, or OKP).

func PublicToJWK added in v0.12.3 

func PublicToJWK(pub crypto.PublicKey, kid, alg string) JWK

PublicToJWK converts a supported public key to a JWK.

func RSAPublicToJWK 

func RSAPublicToJWK(pub *rsa.PublicKey, kid, alg string) JWK

RSAPublicToJWK converts an RSA public key to a JWK.

type JWKS 

type JWKS struct {
	Keys []JWK `json:"keys"`
}

type KeyRing added in v0.12.3 

type KeyRing struct {
	// contains filtered or unexported fields
}

KeyRing is a KeySource that exposes one active signer and a merged set of verification public keys (active + retired).

func NewKeyRing added in v0.12.3 

func NewKeyRing(active Signer, verificationKeys map[string]crypto.PublicKey) *KeyRing

NewKeyRing builds a KeyRing. verificationKeys are merged with the active signer's public key (when the signer implements PublicKeySigner). Retired keys remain in JWKS for rotation without being used to sign.

func (*KeyRing) ActiveSigner added in v0.12.3 

func (k *KeyRing) ActiveSigner() Signer

func (*KeyRing) PublicKeys added in v0.12.3 

func (k *KeyRing) PublicKeys() map[string]crypto.PublicKey

type KeySource 

type KeySource interface {
	ActiveSigner() Signer
	PublicKeys() map[string]crypto.PublicKey
}

KeySource provides the active signer and public keys for JWKS.

func NewAutoKeySource 

func NewAutoKeySource() (KeySource, error)

NewAutoKeySource auto-discovers JWT keys from multiple sources with the following priority: 1. Environment variables (ACTIVE_KEY_ID, ACTIVE_PRIVATE_KEY_PEM, PUBLIC_KEYS) 2. Filesystem /vault/auth/keys.json 3. Auto-generated keys in .runtime/authkit/ (development fallback)

type Logger added in v0.12.3 

type Logger func(format string, args ...any)

Logger receives non-fatal key-loading warnings from jwtkit. The default is a no-op logger so libraries do not write to stdout.

type PublicKeySigner added in v0.12.3 

type PublicKeySigner interface {
	Signer
	PublicKey() crypto.PublicKey
}

PublicKeySigner is implemented by in-memory signers that expose their public key.

type RSASigner 

type RSASigner struct {
	// contains filtered or unexported fields
}

Minimal in-memory RSA signer for bootstrap/dev. Production should load from KMS or DB.

func NewRSASigner 

func NewRSASigner(bits int, kid string) (*RSASigner, error)

func NewRSASignerFromPEM 

func NewRSASignerFromPEM(kid string, pemBytes []byte) (*RSASigner, error)

NewRSASignerFromPEM constructs an RSASigner from a PEM-encoded RSA private key.

func (*RSASigner) Algorithm 

func (s *RSASigner) Algorithm() string

func (*RSASigner) KID 

func (s *RSASigner) KID() string

func (*RSASigner) PrivateKey 

func (s *RSASigner) PrivateKey() *rsa.PrivateKey

func (*RSASigner) PublicKey 

func (s *RSASigner) PublicKey() crypto.PublicKey

func (*RSASigner) Sign 

func (s *RSASigner) Sign(_ context.Context, claims jwt.MapClaims) (string, error)

func (*RSASigner) SignWithHeaders added in v0.12.0 

func (s *RSASigner) SignWithHeaders(_ context.Context, claims jwt.MapClaims, headers map[string]any) (string, error)

SignWithHeaders implements HeaderSigner: it signs claims and merges extra JOSE header params (e.g. `typ`) into the token header. The signer's own kid is set last and cannot be overridden by the supplied headers.

type Signer 

type Signer interface {
	// Algorithm returns the JWS algorithm (e.g., RS256, EdDSA).
	Algorithm() string
	// KID returns current key id.
	KID() string
	// Sign creates a signed JWT with provided claims.
	Sign(ctx context.Context, claims jwt.MapClaims) (token string, err error)
}

Signer issues and verifies asymmetric JWTs.

func NewSignerFromPEM added in v0.12.3 

func NewSignerFromPEM(kid string, pemBytes []byte) (Signer, error)

NewSignerFromPEM constructs a Signer from a PEM-encoded private key (RSA, EC, or Ed25519).

type StaticKeySource 

type StaticKeySource struct {
	Active Signer
	Pubs   map[string]crypto.PublicKey
}

StaticKeySource is a simple in-memory implementation.

func NewStaticKeySourceFromRing added in v0.12.3 

func NewStaticKeySourceFromRing(active Signer, verificationKeys map[string]crypto.PublicKey) StaticKeySource

NewStaticKeySourceFromRing is a convenience alias for NewKeyRing(...).StaticKeySource().

func (StaticKeySource) ActiveSigner 

func (s StaticKeySource) ActiveSigner() Signer

func (StaticKeySource) PublicKeys 

func (s StaticKeySource) PublicKeys() map[string]crypto.PublicKey

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.