Documentation
¶
Overview ¶
Package signkey manages the HMAC key ring used to sign and verify HS256 JWT access tokens. It derives a stable key id (kid) from a raw key, selects the active signing key, and resolves a verification key by kid across the current key plus verify-only previous keys so a signing-key rotation does not invalidate live sessions.
The kid derivation is deterministic and process-independent: every replica computes the same kid for the same key, which is what lets a token signed by one replica verify on another after a rolling key rotation.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Ring ¶
type Ring struct {
// contains filtered or unexported fields
}
Ring resolves a verification key for a token by its kid header across the current signing key plus verify-only previous keys, and yields the ordered candidate list for legacy no-kid tokens. A Ring is immutable after construction and safe for concurrent use.
The Ring is used by the resource-server (verification) side. The authorization-server (signing) side stamps its kid with KeyID directly, since it only ever signs with the single active key.
func NewRing ¶
NewRing builds a Ring from the current signing key and zero or more verify-only previous keys. Empty previous keys are skipped, and a previous key equal to the current key (same kid) is deduplicated. NewRing returns nil when current is empty, which signals opaque-token mode (no HS256 signing key configured); callers must nil-check before use.
func (*Ring) CandidateKeys ¶
CandidateKeys returns every key (current first, then previous) for verifying a legacy token that carries no kid header. Such tokens were issued before kid support existed; callers try each key in order so those live sessions survive the upgrade.
func (*Ring) VerificationKey ¶
VerificationKey resolves the key to verify a token by its kid header. A token whose kid is not in the ring returns ok=false and must be rejected: an unknown kid means the key was retired (dropped from previous_signing_keys) or the token was minted by a foreign issuer.