signkey

package
v1.102.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 13, 2026 License: Apache-2.0 Imports: 2 Imported by: 0

Documentation

Overview

Package signkey manages the HMAC key ring used to sign and verify HS256 JWT access tokens. It derives a stable key id (kid) from a raw key, selects the active signing key, and resolves a verification key by kid across the current key plus verify-only previous keys so a signing-key rotation does not invalidate live sessions.

The kid derivation is deterministic and process-independent: every replica computes the same kid for the same key, which is what lets a token signed by one replica verify on another after a rolling key rotation.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func KeyID

func KeyID(key []byte) string

KeyID derives the kid header value for a raw HMAC key as the hex encoding of the first kidBytes bytes of its SHA-256 digest. It is stable across processes so every replica computes the same kid for the same key.

Types

type Ring

type Ring struct {
	// contains filtered or unexported fields
}

Ring resolves a verification key for a token by its kid header across the current signing key plus verify-only previous keys, and yields the ordered candidate list for legacy no-kid tokens. A Ring is immutable after construction and safe for concurrent use.

The Ring is used by the resource-server (verification) side. The authorization-server (signing) side stamps its kid with KeyID directly, since it only ever signs with the single active key.

func NewRing

func NewRing(current []byte, previous [][]byte) *Ring

NewRing builds a Ring from the current signing key and zero or more verify-only previous keys. Empty previous keys are skipped, and a previous key equal to the current key (same kid) is deduplicated. NewRing returns nil when current is empty, which signals opaque-token mode (no HS256 signing key configured); callers must nil-check before use.

func (*Ring) CandidateKeys

func (r *Ring) CandidateKeys() [][]byte

CandidateKeys returns every key (current first, then previous) for verifying a legacy token that carries no kid header. Such tokens were issued before kid support existed; callers try each key in order so those live sessions survive the upgrade.

func (*Ring) VerificationKey

func (r *Ring) VerificationKey(kid string) (key []byte, ok bool)

VerificationKey resolves the key to verify a token by its kid header. A token whose kid is not in the ring returns ok=false and must be rejected: an unknown kid means the key was retired (dropped from previous_signing_keys) or the token was minted by a foreign issuer.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL