Index
- Constants
- Variables
- func GetClaimValue(r *http.Request, key string) (interface{}, bool)
- func GetClaims(r *http.Request) (jwt.MapClaims, bool)
- func GetSubject(r *http.Request) (string, bool)
- func GetToken(r *http.Request) (string, bool)
- func Middleware(config Config) func(http.Handler) http.Handler
- type Config
- type JWK
- type JWKS
Constants
// JWT-specific error codes.
//
// Each code is a stable, machine-readable identifier for one class of
// authentication failure; the human-readable description lives in the
// matching Err* variable of the same suffix.
const (
	// CodeMissingToken: no usable authentication token was presented.
	CodeMissingToken = "MISSING_TOKEN"
	// CodeInvalidToken: the token could not be verified or has expired.
	CodeInvalidToken = "INVALID_TOKEN"
	// CodeInvalidClaims: the token verified but its claims failed validation.
	CodeInvalidClaims = "INVALID_CLAIMS"
	// CodeAuthorizationFailed: the caller is authenticated but not authorized.
	CodeAuthorizationFailed = "AUTHORIZATION_FAILED"
	// CodeKeyNotFound: the key needed to verify the token's signature is unavailable.
	CodeKeyNotFound = "KEY_NOT_FOUND"
)
JWT-specific error codes
Variables
// JWT-specific authentication errors.
//
// These are sentinel values: compare with errors.Is rather than by string.
// The messages are deliberately generic (they never echo the token or the
// reason a signature failed), so they are safe to return to a client as-is.
var (
	// ErrMissingToken: no token, or one that could not be extracted from the request.
	ErrMissingToken = errors.New("missing or invalid authentication token")
	// ErrInvalidToken: the token failed verification or is past its validity window.
	ErrInvalidToken = errors.New("invalid or expired token")
	// ErrInvalidClaims: the signature verified but a claim check did not pass.
	ErrInvalidClaims = errors.New("token claims validation failed")
	// ErrAuthorizationFailed: the token is valid but does not grant this access.
	ErrAuthorizationFailed = errors.New("authorization failed")
	// ErrKeyNotFound: no signing key was available to verify the token.
	ErrKeyNotFound = errors.New("token signing key not available")
)
JWT-specific authentication errors
Functions
func GetClaimValue
GetClaimValue retrieves a specific claim value from the request context.
func GetSubject
GetSubject retrieves the subject (sub) claim from the request context.
Types
type Config
type Config struct {
	// Disabled disables JWT authentication when set to true.
	// When disabled, the middleware will pass through all requests without
	// authentication, so every handler behind it is reachable anonymously.
	// This is useful for local development or testing environments only;
	// it must not be set in a production configuration.
	// Default: false
	Disabled bool
	// JWKSURL is the URL to fetch the JSON Web Key Set for token validation.
	// This is the primary method for key management in production environments.
	// Use an https:// URL: the keys fetched from it decide which tokens are
	// trusted, so they must not be modifiable in transit.
	JWKSURL string
	// JWKSRefreshInterval defines how often to refresh the JWKS from the URL.
	// A shorter interval picks up key rotation sooner; a longer one reduces
	// load on the JWKS endpoint.
	// Default: 1 hour
	JWKSRefreshInterval time.Duration
	// SigningKey is an alternative to JWKS for simpler scenarios.
	// For HMAC algorithms (HS256, HS384, HS512), this should be a []byte holding
	// the shared secret; treat it as a credential (load it from a secret store,
	// never hard-code it).
	// For RSA algorithms (RS256, RS384, RS512), this should be a *rsa.PublicKey.
	// Pair it with SignatureAlgorithm so the key is only ever used with the
	// algorithm it was issued for.
	// Note: If JWKSURL is provided, this field is ignored.
	SigningKey interface{}
	// TokenLookup defines where to extract the JWT token from the request.
	// Format: "<source>:<name>"
	// Possible values:
	// - "header:<name>" - extract from HTTP header (e.g., "header:Authorization")
	//   When using "header:Authorization", the Bearer scheme is automatically handled
	// - "query:<name>" - extract from query parameter (e.g., "query:token")
	//   Prefer header or cookie over query: URLs, and therefore any token in
	//   them, commonly end up in access logs, browser history and Referer headers.
	// - "cookie:<name>" - extract from cookie (e.g., "cookie:jwt")
	// Default: "header:Authorization"
	TokenLookup string
	// SuccessHandler is an optional handler called after successful token validation.
	// Can be used for additional validation, logging, etc.
	// NOTE(review): presumably a non-nil error rejects the request — confirm
	// against Middleware before relying on it for authorization decisions.
	SuccessHandler func(w http.ResponseWriter, r *http.Request, claims jwt.MapClaims) error
	// Logger is an optional slog logger for logging authentication events.
	Logger *slog.Logger
	// ValidateIssuer enables issuer validation.
	// If set, the token's "iss" claim must match this value.
	ValidateIssuer string
	// ValidateAudience enables audience validation (optional).
	// If set, the token's "aud" claim must contain this value.
	// If empty, audience validation is skipped, and a token minted for a
	// different service under the same issuer is accepted here as well.
	ValidateAudience string
	// SignatureAlgorithm specifies the expected signature algorithm (optional).
	// Common values: RS256, RS384, RS512, HS256, HS384, HS512, ES256, ES384, ES512
	// If set, incoming tokens must use this algorithm.
	// If empty, algorithm validation is skipped (except JWK alg validation if present).
	// Setting it is recommended: it pins the algorithm to the configured key
	// instead of letting the token's own header choose it.
	SignatureAlgorithm string
	// ClockSkew allows for clock skew when validating time-based claims.
	// Keep it small (seconds, not minutes): it also extends the window in
	// which an already-expired token is still accepted.
	// Default: 0 (no skew tolerance)
	ClockSkew time.Duration
	// HTTPClient is the HTTP client used to fetch JWKS.
	// If not set, http.DefaultClient is used. http.DefaultClient has no
	// timeout, so supply a client with Timeout set (and a custom TLS
	// configuration if the JWKS endpoint needs one).
	HTTPClient *http.Client
}
Config holds the configuration for the JWT authentication middleware.