jwt

package
v0.33.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 18, 2026 License: Apache-2.0 Imports: 9 Imported by: 10

README

JWT toolkit

JWT signing and verification support both the legacy flat config and optional resource-gated rules.

  • If Rules is omitted, behavior is unchanged.
  • Resource-gated rules use JWT aud.
  • Rules can override the default algorithm and key material for selected audiences, for example mcp -> HS256.
  • JWKS-style public key discovery should expose RSA keys from the default profile and any RSA rule profiles, but never HMAC keys.

Example config:

{
  "JWTValidator": {
    "RSA": [
      {
        "Key": "blowfish://default",
        "URL": "/opt/datly/jwt/public.enc"
      }
    ],
    "Rules": [
      {
        "Resource": ["mcp"],
        "Algorithm": "HS256",
        "HMAC": {
          "Key": "blowfish://default",
          "URL": "/opt/datly/jwt/mcp_hmac.enc"
        }
      }
    ]
  },
  "JwtSigner": {
    "RSA": {
      "Key": "blowfish://default",
      "URL": "/opt/datly/jwt/private.enc"
    },
    "Rules": [
      {
        "Resource": ["mcp"],
        "Algorithm": "HS256",
        "HMAC": {
          "Key": "blowfish://default",
          "URL": "/opt/datly/jwt/mcp_hmac.enc"
        }
      }
    ]
  }
}

Signing and verifying JWT token with custom RSA key

  1. Generating RSA key: `
# Created Private key
ssh-keygen -t rsa -f key.pem -m pem 
or 
openssl genpkey -out private.txt -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096
#  Created public key with:
openssl pkey -inform PEM -outform PEM -in private.txt -pubout -out public.txt
  1. Secure rsa.json with scy client (use one of the supported security store)
     scy -m=secure -s=public.txt -d=public.scy -t=raw -k=blowfish://default ## on prod, use secure store instead of local fs
     scy -m=secure -s=private.txt -d=private.scy -t=raw -k=blowfish://default ## on prod, use secure store instead of local fs
    
  2. To sign JWT Claim a) Creates jwt Claim in JSON format
   echo '{"user_id":123,"email":"dev@viantinc.com"}' > claims.json 

b) Sign claim

   scy -m=signJwt -s=claims.json -e=600 -r=private.scy -k=blowfish://default
  1. To verify JWT Claim scy -m=verifyJwt -s=token.json -r=public.scy -k=blowfish://default

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GenerateKid added in v0.18.0

func GenerateKid(pub *rsa.PublicKey) (string, error)

GenerateKid returns a JWK SHA-256 thumbprint in base64url-without-padding – exactly what AssignKeyID expects if you pass crypto.SHA256.

Types

type Claims

type Claims struct {
	Email         string      `json:"email,omitempty"`
	UserID        int         `json:"user_id,omitempty"`
	Username      string      `json:"username,omitempty"`
	FirstName     string      `json:"first_name,omitempty"`
	LastName      string      `json:"last_name,omitempty"`
	AccountName   string      `json:"account_name,omitempty"`
	AccountId     int         `json:"account_id,omitempty"`
	Scope         string      `json:"scope,omitempty"`
	Cognito       string      `json:"cognito,omitempty"`
	VerifiedEmail bool        `json:"verified_email,omitempty"`
	Nonce         string      `json:"nonce,omitempty"`
	AtHash        string      `json:"at_hash,omitempty"`
	Data          interface{} `json:"dat,omitempty"`
	jwt.RegisteredClaims
}

Claims represents JWT claim

func NewClaim

func NewClaim(token *jwt.Token) (*Claims, error)

NewClaim returns jwt claim from token

func (*Claims) VerifyAudience added in v0.17.0

func (c *Claims) VerifyAudience(cmp string, req bool) bool

func (*Claims) VerifyExpiresAt added in v0.17.0

func (c *Claims) VerifyExpiresAt(cmp time.Time, req bool) bool

type TokenOption added in v0.16.0

type TokenOption func(*jwt.Token)

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL