package verify

v0.57.0
Published: Jun 23, 2026 License: MIT Imports: 16 Imported by: 0

Documentation


Constants

const (
	AccessTokenType                  = jwtkit.AccessTokenType
	DelegatedAccessTokenType         = jwtkit.DelegatedAccessTokenType
	RemoteApplicationAccessTokenType = jwtkit.RemoteApplicationAccessTokenType
)

Token-type tags used by the verification layer. Sourced from jwtkit so they stay in lockstep with the signer; authhttp exposes the same values via its own delegation.go constants.

const DefaultOutboundTimeout = 30 * time.Second

DefaultOutboundTimeout bounds the verify layer's outbound HTTP calls (JWKS fetches). Mirrors authhttp's constant of the same name.

const DefaultSensitiveMaxAge = 15 * time.Minute

const MaxDelegatedRoles = 64

MaxDelegatedRoles bounds how many role UUIDs we lift from attributes.roles on a delegated token, so a hostile issuer can't inflate a principal unboundedly.

const RemoteApplicationTokenType = "remote_application"

RemoteApplicationTokenType is the TokenType value carried by a remote application access token: a remote_application acting AS ITSELF. Like a service principal it carries Permissions (its STORED authority) but no UserID; the live-user enrichment/ban gate is skipped (there is no user).

const ServicePrincipalType = "service"

ServicePrincipalType is the TokenType value carried by an opaque API key: a machine credential, not a user.

Variables

This section is empty.

Functions

func NewSSRFGuardedClient

func NewSSRFGuardedClient() *http.Client

NewSSRFGuardedClient returns an *http.Client whose transport uses ssrfGuardDialer. Pass this to WithHTTPClient on a Verifier that fetches JWKS from user-registered (remote_application) issuers to prevent SSRF via crafted jwks_uri values, including DNS-rebinding attacks.

func Optional

func Optional(v *Verifier) func(http.Handler) http.Handler

Optional validates when Authorization is present; otherwise passes through.

func RemoteApplicationCORS

func RemoteApplicationCORS(v *Verifier) func(http.Handler) http.Handler

RemoteApplicationCORS handles browser preflight using the union of enabled remote_application allowed origins. It is compatibility/browser hardening, not authorization; use RequireDelegatedOrigin after Required for the real issuer-vs-Origin check.

func RequireACR added in v0.52.0

func RequireACR(level string) func(http.Handler) http.Handler

func RequireAMR added in v0.52.0

func RequireAMR(method string) func(http.Handler) http.Handler

func RequireAnyEntitlement

func RequireAnyEntitlement(ents ...string) func(http.Handler) http.Handler

RequireAnyEntitlement gates a handler on the presence of at least one of the given entitlements. With no entitlements listed it denies all requests (fail-closed). It must run after Required.

func RequireDelegatedOrigin

func RequireDelegatedOrigin(v *Verifier, allowNoOrigin bool) func(http.Handler) http.Handler

RequireDelegatedOrigin enforces Origin against the verified issuer for delegated JWT requests. Mount it after Required. Non-delegated requests pass through unchanged.

func RequireEntitlement

func RequireEntitlement(ent string) func(http.Handler) http.Handler

RequireEntitlement gates a handler on the presence of a single entitlement in the verified claims (case-insensitive, see Claims.HasEntitlement). It must run after Required so claims are present. Service principals (OATs) and delegated tokens carry no entitlements and are therefore denied.

func RequireFreshAuth added in v0.52.0

func RequireFreshAuth(maxAge time.Duration) func(http.Handler) http.Handler

func RequireMFA added in v0.52.0

func RequireMFA() func(http.Handler) http.Handler

func Required

func Required(v *Verifier) func(http.Handler) http.Handler

Required validates the Bearer token (JWT), enforces iss/aud/exp, and stores claims in request context.

func RequiredServiceJWT

func RequiredServiceJWT(v *Verifier, opts ...ServiceJWTVerifyOption) func(http.Handler) http.Handler

RequiredServiceJWT verifies a Bearer service JWT and attaches its principal. It is intentionally separate from Required so service JWTs do not become valid on ordinary user/delegated-token routes by accident.

func Sensitive added in v0.54.0

func Sensitive(options ...SensitiveOptions) func(http.Handler) http.Handler

func SensitiveClaims added in v0.54.0

func SensitiveClaims(cl Claims, options ...SensitiveOptions) bool

func SetClaims

func SetClaims(ctx context.Context, cl Claims) context.Context

func SetRequestContextHook

func SetRequestContextHook(fn func(context.Context) context.Context)

SetRequestContextHook installs the per-request context hook. authhttp wires it to core.WithPermissionMemo at init so RBAC resolution caching works per request; the verify package itself never imports core.

Types

type AttributeDefResolver

type AttributeDefResolver func(ctx context.Context, issuer, key, ref string) (json.RawMessage, error)

AttributeDefResolver resolves a REFERENCE-mode attribute (#75) to its opaque definition, given the token's validated issuer, the attribute key, and the reference value the token carried. It returns the resolved definition (raw JSON) to substitute for the reference, or an error. *authbase.Service-backed resolvers map issuer -> remote_application -> registered definition.

type AttributesValidator

type AttributesValidator func(attributes map[string]json.RawMessage) error

AttributesValidator validates a delegated access token's `attributes` against the receiving service's policy schema. Return an error to reject the token. Called only for delegated access tokens.

type Claims

type Claims struct {
	UserID          string
	Email           string
	EmailVerified   bool
	Username        string
	DiscordUsername string
	SessionID       string
	Roles           []string
	Entitlements    []string
	AMR             []string
	ACR             string
	AuthTime        time.Time
	TwoFAEnrollment bool
	Issuer          string
	UserTier        string
	JTI             string

	// A delegated access token carries the external delegated subject in
	// DelegatedSubject (claim `delegated_sub`). It never carries `sub` (UserID
	// stays empty), so the local-user gate does not apply.
	DelegatedSubject string

	// Attributes is the `attributes` claim of a delegated access token: the
	// canonical app-specific ESCAPE HATCH (#75). It is an object of issuer-
	// asserted, NAMESPACED, OPAQUE key/values that AuthKit transports and
	// optionally shape-validates (WithAttributesPolicy) but NEVER interprets —
	// the semantics belong to the consuming app. Each value is in one of two
	// modes (see Attribute / AttributeIsReference):
	//   INLINE    — the value carries the full definition, e.g.
	//               {"tier":{"endpoints":[...],"caps":[...]}}.
	//   REFERENCE — the value is a short JSON string key, e.g. {"tier":"tier-1"},
	//               resolved against a definition the remote_application
	//               registered ahead of time (resolve via the attribute-def
	//               registry, or opt-in verify-time hydration).
	// Reserved well-known keys: `tier` (opaque entitlement-tier string, surfaced
	// as UserTier) and `roles` (uuid array, surfaced as DelegatedRoles).
	// Everything else is free-form per consuming app. Values are kept as raw
	// JSON so the receiver decodes each into its own typed schema; nil when the
	// claim is absent.
	Attributes map[string]json.RawMessage

	// DelegatedRoles are the delegated subject's role UUIDs carried by a
	// delegated access token under `attributes.roles` (a JSON array of UUID
	// strings). They are extracted and validated at verify (malformed entries
	// dropped, count capped) and surfaced on DelegatedPrincipal.Roles.
	// Downstream services use them as e.g. budget-scope keys; authkit treats
	// them as opaque strings. Nil when absent. Distinct from the native-user
	// Roles claim, which a delegated token never carries.
	DelegatedRoles []string

	// TokenTyp is the JOSE `typ` header value. "access+jwt" identifies an
	// AuthKit user access token; "delegated-access+jwt" identifies a delegated
	// access token; "remote-application-access+jwt" identifies a remote
	// application access token.
	TokenTyp string

	// TokenType marks the credential class. Empty for ordinary user JWTs;
	// "service" for an API-key service principal. A service principal carries
	// Permissions but no UserID, so the live-user ban/enrichment gate is skipped
	// (there is no user to look up).
	TokenType string

	// Permissions are the app-defined permission strings a service principal
	// carries directly — the PBAC grant. Empty for user principals. authkit
	// treats permission strings as opaque.
	Permissions []string

	// Resources are opaque host-defined resource scopes carried by an
	// API key. Empty means the service principal has no AuthKit-stored
	// resource constraints; resource-aware hosts decide whether to require them.
	Resources []authbase.APIKeyResource

	// RemoteApplicationID / RemoteApplicationSlug identify the remote_application
	// authenticated by a remote application access token. Populated ONLY for
	// RemoteApplicationTokenType claims, resolved server-side from the validated
	// `iss` (never from a self-asserted token claim). The principal's Permissions
	// carry its STORED, assigned authority.
	RemoteApplicationID   string
	RemoteApplicationSlug string
}

Claims is a typed view of authenticated user information attached by middleware.

func ClaimsFromContext

func ClaimsFromContext(ctx context.Context) (Claims, bool)

func GetClaims

func GetClaims(ctx context.Context) (Claims, error)

func (Claims) Attribute

func (c Claims) Attribute(key string) (json.RawMessage, bool)

Attribute returns the raw JSON value of a single delegated-access-token attribute and whether it was present. The value is opaque (#75): the caller decides whether it is an INLINE definition (a JSON object/array) or a REFERENCE (a JSON string key) — see AttributeIsReference / AttributeReference.

func (Claims) AttributeIsReference

func (c Claims) AttributeIsReference(key string) bool

AttributeIsReference reports whether attribute `key` is a REFERENCE (JSON string) rather than an INLINE definition. Convenience over AttributeReference.

func (Claims) AttributeReference

func (c Claims) AttributeReference(key string) (ref string, ok bool)

AttributeReference reports whether attribute `key` is in REFERENCE mode (a JSON string the consumer resolves against the remote_application's registered definition) and returns the reference key. ok is false for INLINE values (objects/arrays/other) or an absent key. This is the ref-vs-inline detector the consumer uses before resolving against the attribute-def registry.

func (Claims) AuthenticatedWithin added in v0.52.0

func (c Claims) AuthenticatedWithin(maxAge time.Duration) bool

func (Claims) Delegated

func (c Claims) Delegated() (DelegatedPrincipal, bool)

Delegated returns the typed DelegatedPrincipal when the claims are delegated.

func (Claims) DelegatedAccess

func (c Claims) DelegatedAccess() (DelegatedPrincipal, bool)

DelegatedAccess is the canonical accessor for a delegated access token's principal. It returns the typed DelegatedPrincipal and true only when the claims are a delegated access token (see IsDelegatedAccessToken).

func (Claims) HasAMR added in v0.52.0

func (c Claims) HasAMR(method string) bool

func (Claims) HasEntitlement

func (c Claims) HasEntitlement(ent string) bool

func (Claims) HasPermission

func (c Claims) HasPermission(perm string) bool

HasPermission reports whether the claims carry a permission token covering the requested concrete permission.

func (Claims) HasRole

func (c Claims) HasRole(role string) bool

func (Claims) IsDelegated

func (c Claims) IsDelegated() bool

IsDelegated reports whether these claims represent a delegated principal (i.e. carry `delegated_sub` rather than a local `sub`).

func (Claims) IsDelegatedAccessToken

func (c Claims) IsDelegatedAccessToken() bool

IsDelegatedAccessToken reports whether these claims represent a delegated access token. The canonical signal is the `typ=delegated-access+jwt` JOSE header plus a delegated subject and no local user subject.

func (Claims) IsRemoteApplication

func (c Claims) IsRemoteApplication() bool

IsRemoteApplication reports whether these claims represent a remote application authenticated via a remote application access token.

func (Claims) IsService

func (c Claims) IsService() bool

IsService reports whether these claims represent a service principal, as opposed to a human user or delegated subject.

type DelegatedPrincipal

type DelegatedPrincipal struct {
	// Issuer is the validated token issuer the receiving service trusts.
	Issuer           string
	DelegatedSubject string
	// Permissions are the resource-defined permission strings the receiving
	// service authorizes against its own catalog. This is the authority source.
	Permissions []string
	// Attributes is the issuer-asserted escape-hatch bag (#75): namespaced,
	// OPAQUE, consumer-interpreted key/values, each INLINE or REFERENCE (see
	// Claims.Attributes / Claims.AttributeReference). Reserved keys: `tier`
	// (-> UserTier) and `roles` (-> Roles). Raw JSON values.
	Attributes map[string]json.RawMessage
	// JTI is the token identifier (`jti` claim), when present.
	JTI string
	// UserTier is the resolved tier, sourced from `attributes.tier`.
	UserTier string
	// Roles are the actor's role UUID strings, sourced from `attributes.roles`
	// (each validated as a well-formed UUID at verify; malformed entries are
	// dropped, count is capped). Kept as strings so consumers parse to uuid
	// without forcing a uuid dependency on the principal. Nil when absent.
	Roles []string
}

DelegatedPrincipal is the identity carried by a delegated access token: an external actor (DelegatedSubject) whose authority is bounded by the VALIDATED Issuer plus Permissions. The subject does NOT exist as a local user in the validating service — authorization is by issuer trust plus Permissions, not local-user lookup.

type Enricher

type Enricher interface {
	ResolveAPIKeyWithResources(ctx context.Context, keyID, secret string) (authbase.ResolvedAPIKey, error)
	GetRemoteApplication(ctx context.Context, issuer string) (*authbase.RemoteApplication, error)
	ListRemoteApplications(ctx context.Context, activeOnly bool) ([]authbase.RemoteApplication, error)
	ResolveRemoteApplicationAuthority(ctx context.Context, appID string) ([]string, error)
	ResolveRemoteAppAttributeDef(ctx context.Context, appID, key string, version int32) (*authbase.RemoteAppAttributeDef, error)
	GetProviderUsername(ctx context.Context, userID, provider string) (string, error)
	ListRoleSlugsByUser(ctx context.Context, userID string) []string
	GetEmailByUserID(ctx context.Context, id string) (string, error)
	IsUserAllowed(ctx context.Context, userID string) (bool, error)
}

Enricher is the optional, DB-backed hook surface the Verifier and middleware use for best-effort enrichment (roles/email/provider username), the live-user ban/deleted gate, opaque API-key resolution, and remote_application + attribute lookups. *authbase.Service satisfies it. The Verifier holds this as an INTERFACE (not *authbase.Service) so the verification layer carries no hard dependency on core's storage stack — a verify-only consumer can leave it nil or supply a lightweight implementation (#110).

type IssuerKey

type IssuerKey struct {
	KID          string
	PublicKeyPEM string
}

IssuerKey is a public key for an issuer, identified by key ID.

type IssuerOptions

type IssuerOptions struct {
	// JWKSURI is the URL to fetch JWKS from. If set, keys are fetched
	// automatically and refreshed when they expire or an unknown kid appears.
	JWKSURI string

	// Keys are pre-provided public keys as PEM. The caller is responsible for
	// refreshing by calling AddIssuer again with updated keys.
	Keys []IssuerKey

	// RawKeys are pre-provided public keys (e.g., from a co-located authbase.Service).
	RawKeys map[string]crypto.PublicKey

	// CacheTTL controls how long fetched JWKS keys are considered fresh.
	// Default: 10 minutes.
	CacheTTL time.Duration

	// MaxStale controls how long stale keys may be used as fallback after
	// a failed JWKS refresh. Default: 1 hour.
	MaxStale time.Duration

	// RemoteApplicationSlug is the receiver-internal remote-application slug
	// registered for this issuer. Tokens do not self-assert this value; it comes
	// only from the trusted issuer registry.
	RemoteApplicationSlug string

	// IsLocal marks this issuer as the host application's own (first-party) token
	// signer, as opposed to a remote_application/federated issuer. It guards the
	// signing-key registry against a non-local registration overwriting the local
	// issuer entry (AK-AUTH-01); it does not change how claims are parsed.
	IsLocal bool
}

IssuerOptions configures how keys are obtained for an issuer. Provide one of JWKSURI, Keys, or RawKeys.

func RemoteAppOptions

func RemoteAppOptions(ra authbase.RemoteApplication) IssuerOptions

RemoteAppOptions builds the verifier IssuerOptions for a remote_application (issuer/JWKS or static keys + allowed origins). Exported so authhttp handlers that register issuers from stored remote_applications can reuse it.

type PermissionValidator

type PermissionValidator func(permissions []string) error

PermissionValidator validates a delegated access token's `permissions` against the receiving service's own permissions. Return an error to reject the token. Called only for delegated access tokens.

type RemoteApplicationSource

type RemoteApplicationSource interface {
	ListRemoteApplications(ctx context.Context, enabledOnly bool) ([]authbase.RemoteApplication, error)
	// GetRemoteApplication fetches a SINGLE remote_application by its issuer,
	// used by the lazy-load-on-miss path in keyForToken. *authbase.Service already
	// implements this.
	GetRemoteApplication(ctx context.Context, issuer string) (*authbase.RemoteApplication, error)
}

RemoteApplicationSource is the minimal store contract the Verifier needs to load remote_application principals (#74). *authbase.Service satisfies it. An embedding app may supply its own implementation in tests.

type SensitiveOptions added in v0.54.0

type SensitiveOptions struct {
	MaxAge        time.Duration
	RequireMFA    bool
	AMR           []string
	ACR           string
	ReauthMethods []string
}

type ServiceJWTPrincipal

type ServiceJWTPrincipal struct {
	Issuer                string
	Subject               string
	RemoteApplicationSlug string
	Audiences             []string
	Permissions           []string
	Resources             []authbase.APIKeyResource
	JTI                   string
	ExpiresAt             time.Time
}

ServiceJWTPrincipal is the verified machine principal in a service JWT. The receiving host still owns authorization: intersect Permissions with its own server-side grants before allowing an action.

func ServiceJWTPrincipalFromContext

func ServiceJWTPrincipalFromContext(ctx context.Context) (ServiceJWTPrincipal, bool)

ServiceJWTPrincipalFromContext returns the verified service-JWT principal attached by RequiredServiceJWT.

type ServiceJWTReplayChecker

type ServiceJWTReplayChecker func(ctx context.Context, claims authbase.ServiceJWTClaims) error

ServiceJWTReplayChecker lets hosts reject already-seen jti values.

type ServiceJWTVerifyOption

type ServiceJWTVerifyOption func(*serviceJWTVerifyConfig)

ServiceJWTVerifyOption configures VerifyServiceJWT.

func WithServiceJWTMaxLifetime

func WithServiceJWTMaxLifetime(d time.Duration) ServiceJWTVerifyOption

WithServiceJWTMaxLifetime caps the accepted service-JWT lifetime. A zero duration defaults to AuthKit's 15-minute service-JWT lifetime.

func WithServiceJWTReplayChecker

func WithServiceJWTReplayChecker(fn ServiceJWTReplayChecker) ServiceJWTVerifyOption

WithServiceJWTReplayChecker installs an optional jti replay hook.

type Verifier

type Verifier struct {
	// contains filtered or unexported fields
}

Verifier validates JWTs from one or more issuers.

For verify-only mode, create with NewVerifier and add issuers via AddIssuer. For issuing mode, authhttp.Service creates a Verifier internally.

func NewVerifier

func NewVerifier(opts ...VerifierOption) *Verifier

NewVerifier creates a new Verifier. Add trusted issuers via AddIssuer.

func (*Verifier) AddIssuer

func (v *Verifier) AddIssuer(issuerID string, audiences []string, opts IssuerOptions) error

AddIssuer registers (or updates) a trusted issuer. This is the single method for adding any issuer — whether at startup or at runtime, whether keys come from a JWKS URL or are pre-provided.

func (*Verifier) HTTPClient

func (v *Verifier) HTTPClient() *http.Client

HTTPClient returns the outbound HTTP client the Verifier uses for JWKS fetches (the WithHTTPClient override, or the default timeout-bounded client).

func (*Verifier) LoadRemoteApplications

func (v *Verifier) LoadRemoteApplications(ctx context.Context, src RemoteApplicationSource, audiences []string) error

LoadRemoteApplications loads the ACTIVE remote_applications from authkit's OWN store (the remote_applications table) and registers each as a trusted issuer via AddIssuer with its JWKS URL. The Verifier's in-house JWKS fetch/refresh then handles the keys — there is NO external push or sync of keys.

audiences, when non-empty, is applied to every loaded issuer (typically this resource server's own audience). Call this at startup, and re-call (e.g. on a ticker, or after an inbound registration) to pick up store changes. Pass the embedding app's authbase.Service (or any RemoteApplicationSource); if nil, the Service provided via WithService is used.

func (*Verifier) OriginAllowedForIssuer

func (v *Verifier) OriginAllowedForIssuer(ctx context.Context, issuer, origin string, allowNoOrigin bool) (bool, error)

OriginAllowedForIssuer checks a real request Origin against the remote_application registered for the already-verified JWT issuer.

func (*Verifier) RemoteApplicationAllowedOrigins

func (v *Verifier) RemoteApplicationAllowedOrigins(ctx context.Context) ([]string, error)

RemoteApplicationAllowedOrigins returns the de-duplicated union of enabled remote_application browser origins. This is useful for CORS preflight, which carries an Origin but no JWT issuer.

func (*Verifier) RemoveIssuer

func (v *Verifier) RemoveIssuer(issuerID string)

RemoveIssuer removes a previously added issuer.

func (*Verifier) SetRemoteApplicationSource

func (v *Verifier) SetRemoteApplicationSource(src RemoteApplicationSource)

SetRemoteApplicationSource overrides the federation source consulted by the lazy-load-on-miss path (keyForToken). LoadRemoteApplications is the normal way to set it; this is the explicit seam for tests and advanced wiring.

func (*Verifier) Verify

func (v *Verifier) Verify(tokenStr string) (Claims, error)

Verify parses + verifies a token and returns typed Claims. It enforces issuer/audience/expiry with the configured skew, plus authkit's user-token invariant, on top of VerifyClaims.

func (*Verifier) VerifyClaims

func (v *Verifier) VerifyClaims(tokenStr string) (jwt.MapClaims, error)

VerifyClaims parses and cryptographically verifies a token against the registered issuers and returns its RAW validated claims. It performs the generic, token-type-agnostic checks: JWKS key resolution + signature, issuer must be registered, audience match, and exp/nbf/iat with the configured skew. It does NOT apply authkit's user-token semantics (the sub/delegated_sub invariant) or map into the typed Claims struct.

Use it to verify CUSTOM token types (e.g. a host application's capability tokens) that should reuse authkit's single JWKS engine — registry, caching, rotation, lazy-load — while carrying their own claim shape. The caller registers the token's issuer via AddIssuer and parses the returned MapClaims itself. Verify() is built on top of this for authkit's own user tokens.

func (*Verifier) VerifyDelegatedAccess

func (v *Verifier) VerifyDelegatedAccess(tokenStr string) (Claims, DelegatedPrincipal, error)

VerifyDelegatedAccess verifies a token, requires it to be a delegated access token, and runs any configured permission/attributes validators. It returns the typed Claims and the DelegatedPrincipal. Use it on resource servers that only accept delegated access tokens and want catalog/policy enforcement.

func (*Verifier) VerifyServiceJWT

VerifyServiceJWT verifies a first-party OIDC service JWT through the verifier's registered issuer/JWKS store and returns the requested permissions/resources. AuthKit does not grant those permissions; the host must intersect them with server-side grants for the issuer/subject/resource.

func (*Verifier) WithService

func (v *Verifier) WithService(svc Enricher) *Verifier

WithService enables best-effort enrichment hooks (roles/provider usernames) from Postgres, and wires the same enricher as the default remote-application source for lazy-load-on-miss (see keyForToken). *authbase.Service satisfies Enricher.

type VerifierOption

type VerifierOption func(*Verifier)

VerifierOption configures a Verifier.

func WithAPIKeyPrefix

func WithAPIKeyPrefix(prefix string) VerifierOption

WithAPIKeyPrefix sets the host application's API-key brand prefix used to detect opaque shared-secret API keys in the middleware. Empty -> bare "st_".

func WithAlgorithms

func WithAlgorithms(algs ...string) VerifierOption

WithAlgorithms sets the allowed JWS algorithms. Default: ["RS256"].

func WithAttributeHydration

func WithAttributeHydration(resolver AttributeDefResolver) VerifierOption

WithAttributeHydration enables OPT-IN verify-time hydration (#75): after a delegated token verifies, VerifyDelegatedAccess resolves each REFERENCE-mode attribute (a JSON-string value) into its full definition via resolver, so the consumer sees a uniform INLINE shape whether the token used inline or reference. OFF by default. A resolver miss leaves that attribute untouched (the consumer can still resolve it itself); only a hard resolver error fails the call. Pass nil to use the Service-backed default resolver (requires WithService).
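An added example, not the package's own code, that models stand-alone the attribute handling described for Claims.Attributes, Claims.AttributeReference, Claims.DelegatedRoles and WithAttributeHydration: the ref-vs-inline detector, roles extraction with UUID validation and the MaxDelegatedRoles cap, and opt-in hydration through a resolver of the AttributeDefResolver shape. The miss sentinel errDefNotFound and the canonical-UUID rule are assumptions of this example.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

const maxDelegatedRoles = 64 // mirrors verify.MaxDelegatedRoles

// uuidRe accepts the canonical 8-4-4-4-12 hex form only (no braces, no URN prefix).
var uuidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// attributeReference is the ref-vs-inline detector: a REFERENCE is exactly a
// JSON string; objects, arrays, numbers, booleans and null are INLINE.
func attributeReference(attrs map[string]json.RawMessage, key string) (string, bool) {
	raw, ok := attrs[key]
	if !ok {
		return "", false
	}
	var ref string
	if err := json.Unmarshal(raw, &ref); err != nil {
		return "", false
	}
	return ref, true
}

// delegatedRoles lifts attributes.roles as the page describes: each entry must
// be a JSON string holding a well-formed UUID, malformed entries are dropped,
// the count is capped, and nil comes back when the key is absent or not an array.
func delegatedRoles(attrs map[string]json.RawMessage) []string {
	raw, ok := attrs["roles"]
	if !ok {
		return nil
	}
	var items []json.RawMessage
	if err := json.Unmarshal(raw, &items); err != nil {
		return nil
	}
	var out []string
	for _, item := range items {
		var s string
		if json.Unmarshal(item, &s) == nil && uuidRe.MatchString(s) {
			out = append(out, s)
			if len(out) == maxDelegatedRoles {
				break
			}
		}
	}
	return out
}

// attributeDefResolver has the shape of verify.AttributeDefResolver.
type attributeDefResolver func(ctx context.Context, issuer, key, ref string) (json.RawMessage, error)

// errDefNotFound is this example's assumed "miss" signal: the attribute stays a reference.
var errDefNotFound = errors.New("attribute definition not found")

// hydrate swaps each REFERENCE-mode attribute for its resolved INLINE definition.
// A miss leaves the reference untouched; any other resolver error fails the call.
func hydrate(ctx context.Context, issuer string, attrs map[string]json.RawMessage, r attributeDefResolver) error {
	for key := range attrs {
		ref, ok := attributeReference(attrs, key)
		if !ok {
			continue
		}
		def, err := r(ctx, issuer, key, ref)
		if errors.Is(err, errDefNotFound) {
			continue
		}
		if err != nil {
			return fmt.Errorf("hydrate %q: %w", key, err)
		}
		attrs[key] = def // assigning to an existing key during range is safe in Go
	}
	return nil
}

func main() {
	// Constructed sample: one valid role UUID, one malformed entry that is dropped.
	attrs := map[string]json.RawMessage{"roles": json.RawMessage(`["0f8fbd2b-1c27-4d3e-9a6b-1f2e3d4c5b6a","x"]`)}
	fmt.Println(delegatedRoles(attrs))
}
```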

func WithAttributesPolicy

func WithAttributesPolicy(fn AttributesValidator) VerifierOption

WithAttributesPolicy installs a validator that VerifyDelegatedAccess runs against the token's `attributes`. Use it to enforce a policy schema (allowed keys, value shapes/ranges).

func WithHTTPClient

func WithHTTPClient(c *http.Client) VerifierOption

WithHTTPClient sets the HTTP client used for JWKS fetching.

func WithPermissions

func WithPermissions(fn PermissionValidator) VerifierOption

WithPermissions installs a validator that VerifyDelegatedAccess runs against the token's `permissions`. Use it to ensure every permission string belongs to this resource server's permissions.

func WithSSRFGuard

func WithSSRFGuard() VerifierOption

WithSSRFGuard installs an SSRF-guarding HTTP client that resolves DNS and rejects any private/reserved IP before connecting. Use this on Verifiers that fetch JWKS from user-registered (remote_application) issuers. Production Services created via NewService/NewFromConfig already include this guard.
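A stand-alone model of the guard that NewSSRFGuardedClient and WithSSRFGuard describe, added here as an example rather than the package's own ssrfGuardDialer: it resolves the JWKS host itself, rejects private and reserved answers, and dials the vetted IP so the transport never performs the second lookup that DNS rebinding relies on. The reserved-range list and the redirect refusal are assumptions of this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"time"
)

// Ranges netip.Addr's own predicates miss: "this network", CGNAT, IETF
// protocol assignments, benchmarking and class E. An assumed list.
var reservedNets = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"), netip.MustParsePrefix("100.64.0.0/10"),
	netip.MustParsePrefix("192.0.0.0/24"), netip.MustParsePrefix("198.18.0.0/15"),
	netip.MustParsePrefix("240.0.0.0/4"),
}

// disallowedAddr reports whether a must never be dialled for a JWKS fetch:
// loopback, RFC 1918 / ULA private, link-local (the cloud metadata range is
// in it), multicast, unspecified, their IPv4-mapped forms, and the blocks above.
func disallowedAddr(a netip.Addr) bool {
	a = a.Unmap() // ::ffff:a.b.c.d is checked as the IPv4 address it wraps
	if !a.IsValid() || a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsMulticast() || a.IsUnspecified() {
		return true
	}
	for _, p := range reservedNets {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// guardedDialContext resolves host once, vets every answer, then dials the
// first vetted address by IP, so the transport never does a second lookup
// (the window a rebinding answer needs). One disallowed answer rejects all.
func guardedDialContext(resolver *net.Resolver) func(context.Context, string, string) (net.Conn, error) {
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ips, err := resolver.LookupNetIP(ctx, "ip", host)
		if err != nil {
			return nil, err
		}
		if len(ips) == 0 {
			return nil, fmt.Errorf("ssrf guard: no addresses for %q", host)
		}
		for _, ip := range ips {
			if disallowedAddr(ip) {
				return nil, fmt.Errorf("ssrf guard: %q resolves to disallowed address %s", host, ip)
			}
		}
		d := &net.Dialer{Timeout: 10 * time.Second}
		return d.DialContext(ctx, network, net.JoinHostPort(ips[0].Unmap().String(), port))
	}
}

// newGuardedClient is the client shape the page describes: bounded by
// DefaultOutboundTimeout (30s) and unable to reach private/reserved hosts.
// Refusing redirects is an added assumption: a JWKS fetch should land on
// the registered jwks_uri itself, not wherever that URL redirects.
func newGuardedClient() *http.Client {
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{DialContext: guardedDialContext(net.DefaultResolver)},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return errors.New("ssrf guard: redirects are not followed for JWKS fetches")
		},
	}
}

func main() {
	for _, s := range []string{"127.0.0.1", "169.254.169.254", "100.64.1.1", "fd00::1", "::ffff:10.0.0.5", "93.184.216.34"} {
		fmt.Printf("%-16s disallowed=%v\n", s, disallowedAddr(netip.MustParseAddr(s)))
	}
	_ = newGuardedClient()
}
```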

func WithSkew

func WithSkew(d time.Duration) VerifierOption

WithSkew sets the clock skew tolerance for exp/nbf/iat checks. Default: 60s.
