Documentation
Index
- Constants
- func BaseRegisteredClaims(subject string, audiences []string, ttl time.Duration) jwt.RegisteredClaims
- func ServeJWKS(w http.ResponseWriter, r *http.Request, ks JWKS)
- type ClaimsBuilder
- type GeneratedKeySource
- type JWK
- type JWKS
- type KeySource
- type RSASigner
- type Signer
- type StaticKeySource
Constants
const (
// DefaultAuthKeysPath is the default directory where External Secrets mounts auth keys
DefaultAuthKeysPath = "/vault/auth"
)
Variables
This section is empty.
Functions
func BaseRegisteredClaims
func BaseRegisteredClaims(subject string, audiences []string, ttl time.Duration) jwt.RegisteredClaims
BaseRegisteredClaims returns a jwt.RegisteredClaims populated with the given subject and audiences and an expiry ttl from the time of issuance. Application-specific claims are layered on top of it by a ClaimsBuilder.
Types
type ClaimsBuilder
type ClaimsBuilder interface {
// Build returns application-specific claims to embed.
Build(ctx context.Context, userID string, base jwt.RegisteredClaims) (map[string]any, error)
}
ClaimsBuilder builds custom claims layered on top of RegisteredClaims.
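The layering step is where a builder can do damage: if its map is merged naively over the registered claims, a value it pulled from a user record can replace sub or extend exp. The following is an added example of a safe merge, not the package's own code. It uses a local registeredClaims struct and a baseRegisteredClaims helper with an explicit now parameter in place of jwt.RegisteredClaims and the page's BaseRegisteredClaims, so it runs on the standard library alone; roleBuilder and evilBuilder are constructed builders for illustration.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// registeredClaims stands in for jwt.RegisteredClaims (assumed shape); times are
// Unix seconds, as on the JWT wire.
type registeredClaims struct {
	Subject   string
	Audience  []string
	IssuedAt  int64
	ExpiresAt int64
}

// ClaimsBuilder is the page's interface with the claims type swapped for the local struct.
type ClaimsBuilder interface {
	Build(ctx context.Context, userID string, base registeredClaims) (map[string]any, error)
}

// registeredNames are the registered claim names of RFC 7519 section 4.1.
// A custom builder must never be able to replace any of them.
var registeredNames = map[string]bool{"iss": true, "sub": true, "aud": true, "exp": true, "nbf": true, "iat": true, "jti": true}

// baseRegisteredClaims is an illustrative counterpart of the page's
// BaseRegisteredClaims; now is explicit so results are reproducible.
func baseRegisteredClaims(subject string, audiences []string, ttl time.Duration, now time.Time) registeredClaims {
	return registeredClaims{Subject: subject, Audience: audiences, IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix()}
}

// mergeClaims layers the builder's output under the registered claims.
// Registered claims are written last, and a builder that returns one of them
// is rejected outright, so application data can never override sub or exp.
func mergeClaims(ctx context.Context, b ClaimsBuilder, userID string, base registeredClaims) (map[string]any, error) {
	custom, err := b.Build(ctx, userID, base)
	if err != nil {
		return nil, err
	}
	out := make(map[string]any, len(custom)+4)
	for k, v := range custom {
		if registeredNames[k] {
			return nil, fmt.Errorf("claims builder attempted to set registered claim %q", k)
		}
		out[k] = v
	}
	out["sub"] = base.Subject
	out["aud"] = base.Audience
	out["iat"] = base.IssuedAt
	out["exp"] = base.ExpiresAt
	return out, nil
}

// roleBuilder is a constructed builder that reads roles from an in-memory table.
type roleBuilder struct{ roles map[string][]string }

func (r roleBuilder) Build(_ context.Context, userID string, _ registeredClaims) (map[string]any, error) {
	return map[string]any{"roles": r.roles[userID]}, nil
}

// evilBuilder is a constructed builder that tries to push exp out by a year.
type evilBuilder struct{}

func (evilBuilder) Build(context.Context, string, registeredClaims) (map[string]any, error) {
	return map[string]any{"exp": time.Now().Add(365 * 24 * time.Hour).Unix()}, nil
}

func main() {
	base := baseRegisteredClaims("user-42", []string{"api"}, 15*time.Minute, time.Now())
	claims, err := mergeClaims(context.Background(), roleBuilder{roles: map[string][]string{"user-42": {"admin"}}}, "user-42", base)
	fmt.Println(claims, err)
	_, err = mergeClaims(context.Background(), evilBuilder{}, "user-42", base)
	fmt.Println("evil builder:", err)
}
```

Rejecting the collision, rather than silently letting the registered value win, surfaces a buggy or compromised builder in logs instead of hiding it.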
type GeneratedKeySource
type GeneratedKeySource struct {
// contains filtered or unexported fields
}
GeneratedKeySource generates and persists RSA keys (for development only). Keys are stored in .runtime/authkit/ and reused across restarts.
func NewGeneratedKeySource
func NewGeneratedKeySource() (*GeneratedKeySource, error)
NewGeneratedKeySource creates a KeySource with auto-generated RSA keys. First attempts to load from .runtime/authkit/, otherwise generates new keys and persists them. This should only be used in development environments.
func (*GeneratedKeySource) ActiveSigner
func (g *GeneratedKeySource) ActiveSigner() Signer
func (*GeneratedKeySource) PublicKeys
func (g *GeneratedKeySource) PublicKeys() map[string]*rsa.PublicKey
type JWK
type JWK struct {
Kty string `json:"kty"`
Use string `json:"use,omitempty"`
Kid string `json:"kid,omitempty"`
Alg string `json:"alg,omitempty"`
N string `json:"n"` // base64url
E string `json:"e"` // base64url
}
JWK holds the minimal fields of an RSA public key in JSON Web Key (RFC 7517) form; N and E are the unpadded base64url encodings of the big-endian modulus and exponent.
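How the JWK fields are produced from an rsa.PublicKey, how a JWKS is served from the PublicKeys() map, and how a verifier turns the document back into keys, as an added example that is not the package's code. The JWK struct is the page's; the JWKS type, the buildJWKS and rsaFromJWK helpers, and the serveJWKS stand-in for the page's ServeJWKS are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"sort"
)

// JWK is the page's struct: the minimal RSA public key fields of RFC 7517.
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use,omitempty"`
	Kid string `json:"kid,omitempty"`
	Alg string `json:"alg,omitempty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is an assumed document shape; the page does not show the package's JWKS type.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// RFC 7518 requires unpadded base64url for "n" and "e".
var b64url = base64.RawURLEncoding

// jwkFromRSA encodes a public key; N and E are big-endian unsigned integers,
// which is exactly what big.Int.Bytes() yields.
func jwkFromRSA(kid string, pub *rsa.PublicKey) JWK {
	return JWK{
		Kty: "RSA", Use: "sig", Kid: kid, Alg: "RS256",
		N:   b64url.EncodeToString(pub.N.Bytes()),
		E:   b64url.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}
}

// buildJWKS converts the KeySource.PublicKeys() map into a JWKS document.
// Only public material flows through here; a private key never reaches it.
// Keys are sorted by kid so the served document is byte-stable across restarts.
func buildJWKS(keys map[string]*rsa.PublicKey) JWKS {
	kids := make([]string, 0, len(keys))
	for kid := range keys {
		kids = append(kids, kid)
	}
	sort.Strings(kids)
	ks := JWKS{Keys: make([]JWK, 0, len(kids))}
	for _, kid := range kids {
		ks.Keys = append(ks.Keys, jwkFromRSA(kid, keys[kid]))
	}
	return ks
}

// rsaFromJWK is the verifier-side inverse. It refuses non-RSA keys and
// implausible exponents rather than trusting whatever the document says.
func rsaFromJWK(j JWK) (*rsa.PublicKey, error) {
	if j.Kty != "RSA" {
		return nil, fmt.Errorf("unsupported kty %q", j.Kty)
	}
	nb, err := b64url.DecodeString(j.N)
	if err != nil {
		return nil, fmt.Errorf("bad n: %w", err)
	}
	eb, err := b64url.DecodeString(j.E)
	if err != nil {
		return nil, fmt.Errorf("bad e: %w", err)
	}
	e := new(big.Int).SetBytes(eb)
	if !e.IsInt64() || e.Int64() < 3 || e.Int64() > 1<<31-1 {
		return nil, fmt.Errorf("implausible exponent %v", e)
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(e.Int64())}, nil
}

// serveJWKS plays the role of the page's ServeJWKS: it writes the document as JSON.
func serveJWKS(w http.ResponseWriter, _ *http.Request, ks JWKS) {
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(ks)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	ks := buildJWKS(map[string]*rsa.PublicKey{"2024-01": &priv.PublicKey})
	rec := httptest.NewRecorder()
	serveJWKS(rec, httptest.NewRequest("GET", "/.well-known/jwks.json", nil), ks)
	fmt.Println(rec.Body.String())
}
```

Because the JWKS endpoint is unauthenticated by design, the only thing protecting verifiers is that it never carries anything but public keys; keeping the encoding path typed on *rsa.PublicKey makes that a compile-time property.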
type KeySource
KeySource provides the active signer and the public keys published through JWKS.
func NewAutoKeySource
NewAutoKeySource auto-discovers JWT keys from multiple sources, in the following priority order:
- Environment variables (ACTIVE_KEY_ID, ACTIVE_PRIVATE_KEY_PEM, PUBLIC_KEYS), highest priority
- Filesystem /vault/auth/keys.json (External Secrets Operator in Kubernetes)
- Auto-generated keys in .runtime/authkit/ (development fallback)
This function is designed for both production and development environments:
- Production: keys injected via External Secrets into /vault/auth/keys.json
- Local dev with secrets: set env vars to override the filesystem
- Local dev without secrets: keys are auto-generated and persisted
It returns an error only if keys are explicitly provided but invalid (parsing errors). If no keys are found it returns generated keys with a nil error (development mode). That fallback is silent, so a production deployment whose secret mount is missing will start up and sign tokens with a freshly generated key that no verifier has been given; check which source was used at startup, or refuse the generated fallback outside development.
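The resolution order above, with the fail-closed guard added, as an example that is not the package's code. It keeps the documented environment variable names, but the keys.json layout (keysFile), the PEM formats accepted, the resolveKeys and parseRSAPEM helpers and the allowGenerated flag are assumptions; the real NewAutoKeySource takes no such flag, and this version also omits persisting generated keys under .runtime/authkit/.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// keyMaterial is what resolution yields: the active key id, its private key,
// and which source supplied it (worth logging at startup).
type keyMaterial struct {
	KID    string
	Priv   *rsa.PrivateKey
	Source string // "env", "file" or "generated"
}

// keysFile is an assumed layout for /vault/auth/keys.json; the page does not
// show the package's real schema.
type keysFile struct {
	ActiveKeyID   string `json:"active_key_id"`
	PrivateKeyPEM string `json:"active_private_key_pem"`
}

// parseRSAPEM accepts PKCS#1 or PKCS#8 PEM. A key that is present but unparsable
// is a hard error: it must never fall through to a weaker source.
func parseRSAPEM(pemText string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if k, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
		return k, nil
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse private key: %w", err)
	}
	k, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return nil, errors.New("private key is not RSA")
	}
	return k, nil
}

// resolveKeys applies the documented priority: env vars, then keys.json, then
// generated keys. env and readFile are injected so it runs hermetically.
// allowGenerated is the added guard: production passes false so a missing secret
// mount fails startup instead of silently signing with a throwaway key.
func resolveKeys(env map[string]string, readFile func(string) ([]byte, error), keysPath string, allowGenerated bool) (*keyMaterial, error) {
	if pemText := env["ACTIVE_PRIVATE_KEY_PEM"]; pemText != "" {
		k, err := parseRSAPEM(pemText)
		if err != nil {
			return nil, fmt.Errorf("ACTIVE_PRIVATE_KEY_PEM: %w", err)
		}
		return &keyMaterial{KID: env["ACTIVE_KEY_ID"], Priv: k, Source: "env"}, nil
	}
	data, err := readFile(keysPath)
	if err == nil {
		var f keysFile
		if err := json.Unmarshal(data, &f); err != nil {
			return nil, fmt.Errorf("%s: %w", keysPath, err)
		}
		k, err := parseRSAPEM(f.PrivateKeyPEM)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", keysPath, err)
		}
		return &keyMaterial{KID: f.ActiveKeyID, Priv: k, Source: "file"}, nil
	}
	if !errors.Is(err, os.ErrNotExist) {
		return nil, fmt.Errorf("read %s: %w", keysPath, err)
	}
	if !allowGenerated {
		return nil, errors.New("no signing key configured and generated keys are disabled")
	}
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &keyMaterial{KID: "dev-generated", Priv: k, Source: "generated"}, nil
}

// pemFromKey serializes a key as PKCS#8 PEM; used only to build constructed inputs.
func pemFromKey(k *rsa.PrivateKey) string {
	der, _ := x509.MarshalPKCS8PrivateKey(k)
	return string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
}

func main() {
	// Production posture: nothing configured and generation disabled must fail.
	m, err := resolveKeys(map[string]string{}, os.ReadFile, "/vault/auth/keys.json", false)
	fmt.Println(m, err)
}
```

Note the distinction the doc comment draws: a read error other than "not found" (for example a permission problem on the secret mount) is reported, not treated as "no keys configured", because the two need different operator responses.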
type RSASigner
type RSASigner struct {
// contains filtered or unexported fields
}
RSASigner is a minimal in-memory RSA signer for bootstrap and development; the private key is held in process memory. Production deployments should load signing keys from a KMS or a database.
func NewRSASignerFromPEM
NewRSASignerFromPEM constructs an RSASigner from a PEM-encoded private key.
func (*RSASigner) PrivateKey
func (s *RSASigner) PrivateKey() *rsa.PrivateKey
type Signer
type Signer interface {
// Algorithm returns the JWS algorithm (e.g., RS256, EdDSA).
Algorithm() string
// KID returns current key id.
KID() string
// Sign creates a signed JWT with provided claims.
Sign(ctx context.Context, claims jwt.MapClaims) (token string, err error)
}
Signer issues asymmetrically signed JWTs. The interface covers signing only: consumers verify tokens against the public keys a KeySource exposes through JWKS, selecting the key by KID and checking that the token's alg matches Algorithm() before trusting it.
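Both halves of that contract, as an added example rather than the package's code: an illustrative RS256 implementation of the Signer interface (claims as a plain map instead of jwt.MapClaims so it needs only the standard library) and a verify function that consumes the PublicKeys() map. The rsaSigner type and the verify helper are assumptions for this example, not the package's RSASigner.

```go
package main

import (
	"context"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Signer mirrors the page's interface with claims as a plain map instead of
// jwt.MapClaims, so the example needs only the standard library.
type Signer interface {
	Algorithm() string
	KID() string
	Sign(ctx context.Context, claims map[string]any) (string, error)
}

// rsaSigner is an illustrative in-memory RS256 signer, not the package's RSASigner.
type rsaSigner struct {
	kid  string
	priv *rsa.PrivateKey
}

var _ Signer = (*rsaSigner)(nil)

func (s *rsaSigner) Algorithm() string { return "RS256" }
func (s *rsaSigner) KID() string       { return s.kid }

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

// Sign returns the compact JWS header.payload.signature, the signature being
// RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload".
func (s *rsaSigner) Sign(_ context.Context, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": s.Algorithm(), "typ": "JWT", "kid": s.kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verify is the consumer side. Order matters: pin the algorithm before touching
// any key (this is what defeats alg=none and RSA/HMAC key-confusion tokens),
// pick the key by kid from the KeySource.PublicKeys() map, check the signature,
// and only then read claims and enforce exp.
func verify(token string, keys map[string]*rsa.PublicKey, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("bad header")
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	exp, ok := claims["exp"].(float64)
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("token expired or exp missing")
	}
	return claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	s := &rsaSigner{kid: "2024-01", priv: priv}
	tok, _ := s.Sign(context.Background(), map[string]any{"sub": "user-42", "exp": time.Now().Add(time.Minute).Unix()})
	claims, err := verify(tok, map[string]*rsa.PublicKey{s.KID(): &priv.PublicKey}, time.Now())
	fmt.Println(claims, err)
}
```

The verifier never reads the token's alg to decide which algorithm to run; it reads it only to reject anything other than the one it was built for. A kid that is not in the map is likewise an error, not a prompt to fetch or guess a key.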
type StaticKeySource
StaticKeySource is a simple in-memory KeySource implementation: it returns a fixed signer and a fixed set of public keys.
func (StaticKeySource) ActiveSigner
func (s StaticKeySource) ActiveSigner() Signer
func (StaticKeySource) PublicKeys
func (s StaticKeySource) PublicKeys() map[string]*rsa.PublicKey