Documentation
Index
- Constants
- Variables
- func AlgorithmForPublicKey(pub crypto.PublicKey) string
- func BaseRegisteredClaims(subject string, audiences []string, ttl time.Duration) jwt.RegisteredClaims
- func JWKSToPublicKeys(ks JWKS) (map[string]crypto.PublicKey, error)
- func JWKToPublicKey(j JWK) (crypto.PublicKey, error)
- func ParsePublicKeyFromPEM(pemText string) (crypto.PublicKey, error)
- func ParsePublicKeyFromPEMBytes(pemBytes []byte) (crypto.PublicKey, error)
- func ServeJWKS(w http.ResponseWriter, r *http.Request, ks JWKS)
- func SetLogger(l Logger)
- func SignWithType(ctx context.Context, signer Signer, claims jwt.MapClaims, typ string, ...) (string, error)
- type Ed25519Signer
- func (s *Ed25519Signer) Algorithm() string
- func (s *Ed25519Signer) KID() string
- func (s *Ed25519Signer) PublicKey() crypto.PublicKey
- func (s *Ed25519Signer) Sign(_ context.Context, claims jwt.MapClaims) (string, error)
- func (s *Ed25519Signer) SignWithHeaders(_ context.Context, claims jwt.MapClaims, headers map[string]any) (string, error)
- type HeaderSigner
- type JWK
- type JWKS
- type KeySource
- type Logger
- type PublicKeySigner
- type RSASigner
- func (s *RSASigner) Algorithm() string
- func (s *RSASigner) KID() string
- func (s *RSASigner) PrivateKey() *rsa.PrivateKey
- func (s *RSASigner) PublicKey() crypto.PublicKey
- func (s *RSASigner) Sign(_ context.Context, claims jwt.MapClaims) (string, error)
- func (s *RSASigner) SignWithHeaders(_ context.Context, claims jwt.MapClaims, headers map[string]any) (string, error)
- type Signer
- type StaticKeySource
Constants
const (
	AccessTokenType          = "access+jwt"
	DelegatedAccessTokenType = "delegated-access+jwt"
	// RemoteApplicationAccessTokenType is the JOSE `typ` for a remote application
	// access token. It carries neither sub nor delegated_sub; identity is the
	// validated iss -> remote_application mapping.
	RemoteApplicationAccessTokenType = "remote-application-access+jwt"
)
AuthKit JOSE `typ` header values. These separate AuthKit JWT classes before claims are mapped into principals.
const (
	// DefaultAuthKeysPath is the default directory where External Secrets mounts auth keys
	DefaultAuthKeysPath = "/vault/auth"
	// DefaultKeyReloadInterval is how often a reloadableKeySource re-stats
	// keys.json for changes. Short keeps the post-rotation multi-replica skew
	// window small; the cost is one stat() per tick. See authkit #90.
	DefaultKeyReloadInterval = 10 * time.Second
)
Variables
var ErrUnsupportedJWK = errors.New("unsupported_jwk")
Functions
func AlgorithmForPublicKey
func AlgorithmForPublicKey(pub crypto.PublicKey) string
AlgorithmForPublicKey returns a default JWS alg for a public key when none is specified.
func BaseRegisteredClaims
func BaseRegisteredClaims(subject string, audiences []string, ttl time.Duration) jwt.RegisteredClaims
BaseRegisteredClaims is a helper that builds the base registered claims for a subject, audience list and time-to-live.
func JWKSToPublicKeys
func JWKSToPublicKeys(ks JWKS) (map[string]crypto.PublicKey, error)
JWKSToPublicKeys parses all supported keys in a JWKS document.
func JWKToPublicKey
func JWKToPublicKey(j JWK) (crypto.PublicKey, error)
JWKToPublicKey parses a single JWK into a crypto.PublicKey.
func ParsePublicKeyFromPEM
func ParsePublicKeyFromPEM(pemText string) (crypto.PublicKey, error)
ParsePublicKeyFromPEM parses a PKIX/SPKI, certificate, or PKCS#1 RSA public key PEM.
func ParsePublicKeyFromPEMBytes
func ParsePublicKeyFromPEMBytes(pemBytes []byte) (crypto.PublicKey, error)
ParsePublicKeyFromPEMBytes parses a supported public key PEM block.
func ServeJWKS
func ServeJWKS(w http.ResponseWriter, r *http.Request, ks JWKS)
ServeJWKS writes JWKS JSON to the ResponseWriter.
func SetLogger
func SetLogger(l Logger)
SetLogger installs the package-level logger used for key-load warnings. Pass nil to restore the default no-op logger.
func SignWithType
func SignWithType(ctx context.Context, signer Signer, claims jwt.MapClaims, typ string, requireHeader bool) (string, error)
SignWithType signs claims, optionally stamping the JOSE `typ` header. It is the single home for the "assert HeaderSigner and set typ, or fall back" idiom that AuthKit's token-minting paths share:
- typ == "": plain Sign (no typ header).
- typ != "" && requireHeader: assert HeaderSigner; error if the signer can't stamp headers.
- typ != "" && !requireHeader: stamp via HeaderSigner when available, else fall back to a plain Sign.
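The dispatch above, together with the kid-is-set-last rule of SignWithHeaders, as an added example that is not jwtkit's own code: a minimal Ed25519 signer built on the standard library (claims are a plain map[string]any rather than jwt.MapClaims; edSigner, plainSigner and DecodeHeader are this example's names), followed by SignWithType and the header decoder a verifier would use to route on kid and typ.

```go
package main

import (
	"context"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims stands in for jwt.MapClaims so the example needs only the standard
// library; Signer and HeaderSigner mirror the interfaces on the page.
type Claims = map[string]any

type Signer interface {
	Algorithm() string
	KID() string
	Sign(ctx context.Context, claims Claims) (string, error)
}

type HeaderSigner interface {
	Signer
	SignWithHeaders(ctx context.Context, claims Claims, headers map[string]any) (string, error)
}

// edSigner is a minimal in-memory EdDSA (Ed25519) signer producing compact JWS.
type edSigner struct {
	kid  string
	priv ed25519.PrivateKey
}

func newEdSigner(kid string) (*edSigner, error) {
	_, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return &edSigner{kid: kid, priv: priv}, err
}

func (s *edSigner) Algorithm() string { return "EdDSA" }
func (s *edSigner) KID() string       { return s.kid }
func (s *edSigner) Sign(ctx context.Context, claims Claims) (string, error) {
	return s.SignWithHeaders(ctx, claims, nil)
}

// SignWithHeaders merges caller-supplied JOSE header params first and sets alg
// and kid last, so a caller can stamp typ but never relabel which key (or
// algorithm) the token claims to be signed with.
func (s *edSigner) SignWithHeaders(_ context.Context, claims Claims, headers map[string]any) (string, error) {
	hdr := make(map[string]any, len(headers)+2)
	for k, v := range headers {
		hdr[k] = v
	}
	hdr["alg"], hdr["kid"] = s.Algorithm(), s.kid
	h, err := json.Marshal(hdr)
	if err != nil {
		return "", err
	}
	c, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString(h) + "." + enc.EncodeToString(c)
	return signingInput + "." + enc.EncodeToString(ed25519.Sign(s.priv, []byte(signingInput))), nil
}

// plainSigner exposes a signer through Signer only, standing in for a backend
// (say, a KMS wrapper) that cannot stamp extra headers.
type plainSigner struct{ Signer }

// SignWithType is the three-way dispatch described above.
func SignWithType(ctx context.Context, signer Signer, claims Claims, typ string, requireHeader bool) (string, error) {
	if typ == "" {
		return signer.Sign(ctx, claims)
	}
	if hs, ok := signer.(HeaderSigner); ok {
		return hs.SignWithHeaders(ctx, claims, map[string]any{"typ": typ})
	}
	if requireHeader {
		return "", errors.New("signer cannot set JOSE headers but typ " + typ + " is required")
	}
	return signer.Sign(ctx, claims)
}

// DecodeHeader reads the protected header of a compact JWS without verifying it;
// a verifier uses it only to pick the key (kid) and the expected profile (typ).
func DecodeHeader(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr map[string]any
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return nil, err
	}
	return hdr, nil
}
```

The point to notice is the order inside SignWithHeaders: caller headers first, alg and kid last. A signer that merged the other way round would let a token-minting path (or a bug in one) relabel the key a verifier looks up, which is exactly what the page's "kid is still set by the signer" guarantee rules out.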
Types
type Ed25519Signer
type Ed25519Signer struct {
	// contains filtered or unexported fields
}
Ed25519Signer signs JWTs with EdDSA (Ed25519).
func NewEd25519Signer
func NewEd25519Signer(kid string) (*Ed25519Signer, error)
NewEd25519Signer generates a new Ed25519 key pair for development/testing.
func (*Ed25519Signer) Algorithm
func (s *Ed25519Signer) Algorithm() string
func (*Ed25519Signer) KID
func (s *Ed25519Signer) KID() string
func (*Ed25519Signer) PublicKey
func (s *Ed25519Signer) PublicKey() crypto.PublicKey
type HeaderSigner
type HeaderSigner interface {
	Signer
	// SignWithHeaders signs claims and merges the provided extra JOSE header
	// params into the token header (kid is still set by the signer).
	SignWithHeaders(ctx context.Context, claims jwt.MapClaims, headers map[string]any) (token string, err error)
}
HeaderSigner is an extension of Signer that lets callers set extra JOSE header parameters (e.g. `typ`) on the signed token. AuthKit token minting uses it to stamp the token profile header.
type JWK
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use,omitempty"`
	Kid string `json:"kid,omitempty"`
	Alg string `json:"alg,omitempty"`
	// RSA
	N string `json:"n,omitempty"`
	E string `json:"e,omitempty"`
	// EC / OKP
	Crv string `json:"crv,omitempty"`
	X   string `json:"x,omitempty"`
	Y   string `json:"y,omitempty"`
}
JWK represents a JSON Web Key (RSA, EC, or OKP).
type KeySource
KeySource provides the active signer and public keys for JWKS.
func ResolveKeySource
ResolveKeySource resolves the local signing-key source with a fixed, explicit precedence. It reads NO environment variables (#231 — AuthKit is a library; env is read once, at the binary boundary, and flows in as explicit arguments/config):
- <path>/keys.json (path empty ⇒ DefaultAuthKeysPath "/vault/auth"), served through a reloadableKeySource so signing-key rotation (e.g. Vault Agent re-rendering the file) takes effect without a process restart.
- No keys.json: when allowEphemeralDevKeys is true, an auto-generated RSA dev keypair persisted under .runtime/authkit/ (DEVELOPMENT ONLY); when false — the default, fail-closed posture — a hard error.
Callers that hold key material in memory should build a source directly (NewStaticKeySourceFromPEM / StaticKeySource) instead.
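The precedence and the reload behaviour described for ResolveKeySource, as an added example that is not jwtkit's code. The keys.json schema (active_kid plus kid -> PKCS#8 private-key PEM), the KeySet and ReloadableKeySource names, the interval argument and the in-memory Ed25519 dev key (the page persists an RSA keypair under .runtime/authkit/) are all this example's assumptions.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
	"sync"
	"time"
)

const DefaultAuthKeysPath = "/vault/auth"

// KeySet is the keys.json layout ASSUMED by this example (the page does not show
// the real schema): the active kid plus kid -> PKCS#8 private-key PEM.
type KeySet struct {
	ActiveKID string                   `json:"active_kid"`
	Keys      map[string]string        `json:"keys"`
	Signers   map[string]crypto.Signer `json:"-"` // parsed from Keys; Public() of each is what JWKS publishes
}

func parseKeyFile(data []byte) (*KeySet, error) {
	ks := &KeySet{Signers: map[string]crypto.Signer{}}
	if err := json.Unmarshal(data, ks); err != nil {
		return nil, fmt.Errorf("keys.json: %w", err)
	}
	for kid, text := range ks.Keys {
		block, _ := pem.Decode([]byte(text))
		if block == nil {
			return nil, fmt.Errorf("kid %q: no PEM block", kid)
		}
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		s, ok := k.(crypto.Signer) // RSA, ECDSA and Ed25519 keys satisfy crypto.Signer; X25519 does not
		if err != nil || !ok {
			return nil, fmt.Errorf("kid %q: not a usable signing key: %v", kid, err)
		}
		ks.Signers[kid] = s
	}
	if _, ok := ks.Signers[ks.ActiveKID]; !ok {
		return nil, fmt.Errorf("keys.json: active_kid %q is not among keys", ks.ActiveKID)
	}
	return ks, nil
}

// ReloadableKeySource re-stats keys.json at most once per interval and re-parses it
// when the mtime changes; a failed reload keeps the last known-good set instead of breaking signing.
type ReloadableKeySource struct {
	path     string // empty for the ephemeral dev key, which never reloads
	interval time.Duration
	mu       sync.Mutex
	checked  time.Time
	modTime  time.Time
	current  *KeySet
}

func (r *ReloadableKeySource) Current() *KeySet {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.path == "" || time.Since(r.checked) < r.interval {
		return r.current
	}
	r.checked = time.Now()
	if st, err := os.Stat(r.path); err == nil && !st.ModTime().Equal(r.modTime) {
		if data, err := os.ReadFile(r.path); err == nil {
			if ks, err := parseKeyFile(data); err == nil {
				r.current, r.modTime = ks, st.ModTime()
			}
		}
	}
	return r.current
}

// ResolveKeySource applies the documented precedence: <path>/keys.json if present;
// else an ephemeral dev key only when allowEphemeralDevKeys; else a hard error (fail
// closed). The dev key is in-memory Ed25519 here, simplifying the page's persisted RSA keypair.
func ResolveKeySource(path string, allowEphemeralDevKeys bool, interval time.Duration) (*ReloadableKeySource, error) {
	if path == "" {
		path = DefaultAuthKeysPath
	}
	file := filepath.Join(path, "keys.json")
	data, err := os.ReadFile(file)
	if os.IsNotExist(err) && allowEphemeralDevKeys {
		_, priv, err := ed25519.GenerateKey(nil)
		return &ReloadableKeySource{current: &KeySet{ActiveKID: "dev", Signers: map[string]crypto.Signer{"dev": priv}}}, err
	}
	if err != nil {
		return nil, fmt.Errorf("fail closed: cannot use %s (allowEphemeralDevKeys=%t): %w", file, allowEphemeralDevKeys, err)
	}
	ks, err := parseKeyFile(data)
	if err != nil {
		return nil, err
	}
	return &ReloadableKeySource{path: file, interval: interval, checked: time.Now(), current: ks}, nil
}
```

A minting path signs with ks := src.Current(); ks.Signers[ks.ActiveKID], and a JWKS handler publishes Public() of every entry in ks.Signers so tokens from a rotated-out kid keep verifying during the overlap window. Two fail-closed choices are worth noting: no file with allowEphemeralDevKeys=false is an error rather than a silent dev fallback, and a rewrite that fails to parse (for example a half-written file caught mid-rotation) leaves the previous set in place until the next tick.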
type Logger
Logger receives non-fatal key-loading warnings from jwtkit. The default is a no-op logger so libraries do not write to stdout.
type PublicKeySigner
PublicKeySigner is implemented by in-memory signers that expose their public key.
type RSASigner
type RSASigner struct {
	// contains filtered or unexported fields
}
RSASigner is a minimal in-memory RSA signer for bootstrap/dev. Production should load from KMS or DB.
func NewRSASignerFromPEM
NewRSASignerFromPEM constructs an RSASigner from a PEM-encoded RSA private key.
func (*RSASigner) PrivateKey
func (s *RSASigner) PrivateKey() *rsa.PrivateKey
func (*RSASigner) SignWithHeaders
func (s *RSASigner) SignWithHeaders(_ context.Context, claims jwt.MapClaims, headers map[string]any) (string, error)
SignWithHeaders implements HeaderSigner: it signs claims and merges extra JOSE header params (e.g. `typ`) into the token header. The signer's own kid is set last and cannot be overridden by the supplied headers.
type Signer
type Signer interface {
	// Algorithm returns the JWS algorithm (e.g., RS256, EdDSA).
	Algorithm() string
	// KID returns the current key id.
	KID() string
	// Sign creates a signed JWT with the provided claims.
	Sign(ctx context.Context, claims jwt.MapClaims) (token string, err error)
}
Signer issues and verifies asymmetric JWTs.
type StaticKeySource
StaticKeySource is a simple in-memory implementation.
func NewStaticKeySourceFromPEM
func NewStaticKeySourceFromPEM(activeKeyID, activePrivateKeyPEM string, publicKeysPEM map[string]string) (StaticKeySource, error)
NewStaticKeySourceFromPEM builds a StaticKeySource from explicit key material: the active signing key (kid + private-key PEM) plus optional extra verification-only public keys (kid -> public-key PEM, e.g. retired keys kept in the JWKS during rotation). It performs no I/O and reads no environment variables — callers (binaries, hosts) own where the material comes from (#231). Unparseable extra public keys are skipped with a warning, matching the keys.json loader.
func (StaticKeySource) ActiveSigner
func (s StaticKeySource) ActiveSigner() Signer
func (StaticKeySource) PublicKeys
func (s StaticKeySource) PublicKeys() map[string]crypto.PublicKey