Documentation

Index

Constants

View Source
const (
	TlsClientAuth     = "tls_client_auth"
	PrivateKeyJwt     = "private_key_jwt"
	ClientSecretBasic = "client_secret_basic"
)

    token_endpoint_auth_methods_supported

    View Source
    const (
    	ClientAssertionType      = "client_assertion_type"
    	ClientAssertionTypeValue = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
    )
    View Source
    const (
    	GrantType                  = "grant_type"
    	GrantTypeAuthorizationCode = "authorization_code"
    )
    View Source
    const (
    	ClientAssertion = "client_assertion"
    )

    Variables

    View Source
    var (
    	// ErrInvalidSignatureHeader is an error indicating that the signature being validated has errors in the header
    	ErrInvalidSignatureHeader = errors.New("invalid signature header")
    	// ErrInvalidSignatureKID is returned if a valid KID can not be retrieved from a signature during validation
    	ErrInvalidSignatureKID = errors.New("invalid signature KID")
    	// ErrSignatureCert is an error indicating a failure during the retrieval of a certificate for a given KID
    	ErrSignatureCert = errors.New("failed to retrieve certificate")
    )
    View Source
    var SigningMethodPS256 = &jwt.SigningMethodRSAPSS{
    	SigningMethodRSA: jwt.SigningMethodPS256.SigningMethodRSA,
    	Options: &rsa.PSSOptions{
    		SaltLength: rsa.PSSSaltLengthEqualsHash,
    		Hash:       crypto.SHA256,
    	},
    }

      SigningMethodPS256 is a workaround for default PS256 signing parameter issue https://github.com/dgrijalva/jwt-go/issues/285

      Functions

      func CalcKid

      func CalcKid(modulus string) (string, error)

      func CalculateClientSecretBasicToken

      func CalculateClientSecretBasicToken(clientID, clientSecret string) (string, error)

        CalculateClientSecretBasicToken tests the generation of `client secret basic` value as a product of `client_id` and `client_secret` as per https://tools.ietf.org/html/rfc7617

        func CreateSignature

        func CreateSignature(t *jwt.Token, key interface{}, body string, b64encoded bool) (string, error)

          CreateSignature Get the complete, signed token for jws usage Takes the token object, private key, payload body and b64encoding indicator Create the signing string which includes the token header and payload body Then signs this string using the key provided - the signing algorithm is part of the jwt.Token object

          func DefaultAuthMethod

          func DefaultAuthMethod(openIDConfigAuthMethods []string, logger *logrus.Entry) string

          func GetB64Encoding

          func GetB64Encoding(ctx ContextInterface) (bool, error)

            GetB64Encoding returns - based on the API version - if the TPP signature should use base64 encoding for the payload

            func GetB64Status

            func GetB64Status() bool

            func GetJWKSUri

            func GetJWKSUri() string

            func GetKID

            func GetKID(ctx ContextInterface, modulus []byte) (string, error)

              GetKID determines the value of the JWS Key ID

              func GetSignatureToken30

              func GetSignatureToken30(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token

                GetSignatureToken30 returns the Token for v3.0 versions of the R/W specification. Read/Write Data API Specification - v3.0 Specification: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/641992418/Read+Write+Data+API+Specification+-+v3.0. According to the spec this field `http://openbanking.org.uk/tan` should not be sent in the `x-jws-signature` header.

                func GetSignatureToken313Minus

                func GetSignatureToken313Minus(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token

                  GetSignatureToken313Minus returns the Token with correct headers for v3.1.3 and previous versions of the R/W Apis

                  func GetSignatureToken314Plus

                  func GetSignatureToken314Plus(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token

                    GetSignatureToken314Plus returns the Token with correct headers for v3.1.4 and above of the R/W Apis

                    func GetSigningAlg

                    func GetSigningAlg(alg string) (jwt.SigningMethod, error)

                    func JWSVerify

                    func JWSVerify(buf string, alg jwa.SignatureAlgorithm, key interface{}, b64 bool) (ret []byte, err error)

                      JWSVerify checks if the given JWS message is verifiable using `alg` and `key`. If the verification is successful, `err` is nil, and the content of the payload that was signed is returned.

                      func ModifyJWSHeaders

                      func ModifyJWSHeaders(jws string, ctx ContextInterface, opts ...JWSHeaderOpt) (string, error)

                        ModifyJWSHeaders allows the caller to mutate an existing JWS for testing purposes, re-signed with the new contents

                        func NewJWSSignature

                        func NewJWSSignature(requestBody string, ctx ContextInterface, alg jwt.SigningMethod) (string, error)

                          NewJWSSignature creates a signature to be used with TPP API calls

                          func PSUURLGenerate

                          func PSUURLGenerate(claims PSUConsentClaims) (*url.URL, error)

                            PSUURLGenerate generates a PSU Consent URL based on claims

                            func SigningString

                            func SigningString(t *jwt.Token, body string, b64encoded bool) (string, error)

                              SigningString takes the token, body string and b64 indicator if b64encoded=true - base64urlEncodes the payload string as part of the string to be signed if b64encoded=false - includes the payload unencoded (unmodified) in the string to be signed

                              func SplitJWSWithBody

                              func SplitJWSWithBody(token string) string

                              func SuiteSupportedAuthMethodsMostSecureFirst

                              func SuiteSupportedAuthMethodsMostSecureFirst() []string

                                SuiteSupportedAuthMethodsMostSecureFirst - We have made our own determination of security offered by each auth method. It is not from a formal definition.

                                func ValidateSignature

                                func ValidateSignature(jwtToken, body, jwksURI string, b64 bool) (bool, error)

                                  ValidateSignature takes the signature JWT and extracts the kid to lookup the public key in the JWKS

                                  func ValidateSignatureHeader

                                  func ValidateSignatureHeader(token string, b64 bool) error

                                    ValidateSignatureHeader takes a token and performs the header validation taking the b64 parameter value in consideration.

                                    Types

                                    type CachedOpenIdConfigGetter

                                    type CachedOpenIdConfigGetter struct {
                                    	// contains filtered or unexported fields
                                    }

                                    func NewOpenIdConfigGetter

                                    func NewOpenIdConfigGetter() *CachedOpenIdConfigGetter

                                    func (CachedOpenIdConfigGetter) Get

                                    type Certificate

                                    type Certificate interface {
                                    	PublicKey() *rsa.PublicKey
                                    	PrivateKey() *rsa.PrivateKey
                                    	TLSCert() tls.Certificate
                                    	DN() (string, string, string, error)
                                    	SignatureIssuer(bool) (string, error)
                                    }

                                      Certificate - create new Certificate.

                                      func NewCertificate

                                      func NewCertificate(publicKeyPem, privateKeyPem string) (Certificate, error)

                                        NewCertificate - create new Certificate.

                                        Parameters: * publicKeyPem=PEM encoded public key. * privateKeyPem=PEM encoded private key.

                                        Returns Certificate, or nil with error set if something is invalid.

                                        func NewPublicCertificate

                                        func NewPublicCertificate(publicKeyPem string) (Certificate, error)

                                          creates a certificate from only the public key, in the case of the aspsp public cert to validate signatures

                                          func SigningCertFromContext

                                          func SigningCertFromContext(ctx ContextInterface) (Certificate, error)

                                          type ContextInterface

                                          type ContextInterface interface {
                                          	// GetString get the string value associated with key
                                          	GetString(key string) (string, error)
                                          	// Get the key form the Context map - currently assumes value converts easily to a string!
                                          	Get(key string) (interface{}, bool)
                                          	GetStringSlice(key string) ([]string, error)
                                          }

                                            ContextInterface - avoid cycling dependency to `model.Context`.

                                            type JWK

                                            type JWK struct {
                                            	Alg string   `json:"alg,omitempty"`
                                            	Kty string   `json:"kty,omitempty"`
                                            	X5c []string `json:"x5c,omitempty"`
                                            	N   string   `json:"n,omitempty"`
                                            	E   string   `json:"e,omitempty"`
                                            	Kid string   `json:"kid,omitempty"`
                                            	X5t string   `json:"x5t,omitempty"`
                                            	X5u string   `json:"x5u,omitempty"`
                                            	Use string   `json:"use,omitempty"`
                                            }

                                              JWK is one entry in a JWKS

                                              type JWKS

                                              type JWKS struct {
                                              	Keys []JWK
                                              }

                                                JWKS is a JSON Web Key Set

                                                type JWSHeaderOpt

                                                type JWSHeaderOpt func(map[string]interface{}) map[string]interface{}

                                                  JWSHeaderOpt is a function signature which is used for altering JWS header when passed to ModifyJWSHeaders

                                                  func RemoveJWSHeader

                                                  func RemoveJWSHeader(removed []string) JWSHeaderOpt

                                                    RemoveJWSHeader provides an option which modifies an existing JWT by deleting specified keys from its header.

                                                    func SetJWSHeader

                                                    func SetJWSHeader(entries map[string]interface{}) JWSHeaderOpt

                                                      SetJWSHeader provides an option which modifies an existing JWT by setting specified keys on its header.

                                                      type OpenIDConfiguration

                                                      type OpenIDConfiguration struct {
                                                      	TokenEndpoint                          string   `json:"token_endpoint,omitempty"`
                                                      	TokenEndpointAuthMethodsSupported      []string `json:"token_endpoint_auth_methods_supported,omitempty"`
                                                      	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`
                                                      	AuthorizationEndpoint                  string   `json:"authorization_endpoint,omitempty"`
                                                      	Issuer                                 string   `json:"issuer,omitempty"`
                                                      	ResponseTypesSupported                 []string `json:"response_types_supported,omitempty"`
                                                      	AcrValuesSupported                     []string `json:"acr_values_supported,omitempty"`
                                                      	JwksURI                                string   `json:"jwks_uri,omitempty"`
                                                      }

                                                        OpenIDConfiguration - The OpenID Connect discovery document retrieved by calling /.well-known/openid-configuration. https://openid.net/specs/openid-connect-discovery-1_0.html

                                                        type PSUConsentClaims

                                                        type PSUConsentClaims struct {
                                                        	AuthorizationEndpoint string
                                                        	Aud                   string // Audience
                                                        	Iss                   string // ClientID
                                                        	ResponseType          string // "code id_token"
                                                        	Scope                 string // "openid accounts"
                                                        	RedirectURI           string
                                                        	ConsentId             string
                                                        	State                 string // {test_id}
                                                        }

                                                        Directories

                                                        Path Synopsis