Documentation ¶
Index ¶
Constants ¶
const DEFAULT_TIME_WINDOW = time.Second * 30
Variables ¶
var ( // If proof validation failed for some reason a `ErrInvalidProof` error is returned. // // More specific reason for why validation failed will be added as a joined error on this error. ErrInvalidProof = errors.New("invalid_dpop_proof") // If the nonce was not provided a `ErrIncorrectNonce` error is returned. // // When this error is returned the the server needs to supply the client with a new nonce. ErrIncorrectNonce = errors.New("use_dpop_nonce") // The claims of the DPoP proof are invalid. ErrMissingClaims = errors.New("missing claims") // The `typ` header of the proof is invalid. ErrUnsupportedJWTType = errors.New("unsupported jwt type") // The `htm` and `htu` headers of the proof target the wrong resource. ErrIncorrectHTTPTarget = errors.New("incorrect http target") // The proof has expired. ErrExpired = errors.New("proof has expired") // The proof is issued too far into the future. ErrFuture = errors.New("proof is issued too far into the future") // The proof claims are not of correct type ErrIncorrectClaimsType = errors.New("incorrect claims type") // The proof missing the `ath` claim ErrMissingAth = errors.New("missing 'ath' claim") // The proof 'ath' claim does not match bound access token ErrAthMismatch = errors.New("ath mismatch") // The proof is missing the `jwk` public key header ErrMissingJWK = errors.New("missing 'jwk' header") // The proof 'jwk' public header does not match supplied jkt ErrIncorrectJKT = errors.New("incorrect 'jkt'") // The bound token 'jkt' claim does not match public key in proof ErrJWKMismatch = errors.New("key mismatch") // The bound access token claims are not of correct type ErrIncorrectAccessTokenClaimsType = errors.New("incorrect access token claims type") // The proof public key has an unsupported curve ErrUnsupportedCurve = errors.New("unsupported curve") // The proof uses an unsupported key algorithm ErrUnsupportedKeyAlgorithm = errors.New("unsupported key algorithm") )
Functions ¶
Types ¶
type BoundAccessTokenClaims ¶
type BoundAccessTokenClaims struct { *jwt.RegisteredClaims // the `cnf` (Confirmation) claim. See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-6.1 Confirmation Confirmation `json:"cnf"` }
These claims contains fields that are required to be present in bound access tokens.
If there is a need for custom claims this can be embedded in custom claims to ensure that claims are still possible to validate with the Validate function.
func (*BoundAccessTokenClaims) GetJWKThumbprint ¶
func (c *BoundAccessTokenClaims) GetJWKThumbprint() (string, error)
Implement the BoundClaims interface.
func (*BoundAccessTokenClaims) Validate ¶
func (c *BoundAccessTokenClaims) Validate() error
BoundAccessTokenClaims implements the 'ClaimsValidator' interface from golang-jwt/jwt.
This ensures that bound tokens has the required JWK thumbprint when parsed with 'ParseWithClaims'
type BoundClaims ¶
This interface allows for custom claims to be used in bound tokens.
As long as any custom claims extends the 'BoundAccessTokenClaims' they will implement this interface and 'Validate' should handle them correctly
type Confirmation ¶
type Confirmation struct { // the `jkt` (JWK Thumbprint) claim. See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-6.1 JWKThumbprint string `json:"jkt"` }
type HTTPVerb ¶
type HTTPVerb string
HTTPVerb is a convenience for determining the HTTP method of a request. This package defines the all available HTTP verbs which can be used when calling the Parse function.
type ParseOptions ¶
type ParseOptions struct { // The expected nonce if the authorization server has issued a nonce. Nonce string // Used to control if the `iat` field is used to control the proof age. // If set to true the authorization server has to validate the nonce timestamp itself. NonceHasTimestamp bool // The allowed age of the proof. Defaults to 1 minute if not specified. TimeWindow *time.Duration // dpop_jkt parameter that is optionally sent by the client to the authorization server on token request. // If set the proof proof-of-possession public key needs to match or the proof is rejected. JKT string }
ParseOptions and its contents are optional for the Parse function.
type Proof ¶
type Proof struct { *jwt.Token HashedPublicKey string }
Represents a DPoP proof, if acquired through the Parse function it should be a valid DPoP proof.
However if a bound access token was recieved with the proof the Validate function needs be used to verify that the proof is valid for the access token.
func Parse ¶
func Parse( tokenString string, httpMethod HTTPVerb, httpURL *url.URL, opts ParseOptions, ) (*Proof, error)
Parse translates a DPoP proof string into a JWT token and parses it with the jwt package (github.com/golang-jwt/jwt/v5). It will also validate the proof according to https://datatracker.ietf.org/doc/html/rfc9449#section-4.3 but not check whether the proof matches a bound access token. It also assumes point 1 is checked by the calling application.
Protected resources should use the 'Validate' function on the returned proof to ensure that the proof matches any bound access token.
func (*Proof) PublicKey ¶
Get the public key from the proof.
The public key string is base64 and url encoded according to https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-6.1 in order to help comparison of proof public key and 'jkt' claim of a bound access token.
An authorization server can use this to get the 'jkt' value it should encode in the bound access token.
func (*Proof) Validate ¶
Validate takes a bound access token and validate that the token is bound correctly to this DPoP proof. This satisfies point 12 in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-4.3
Validate needs to be called by a protected resource after parsing the DPoP proof. A bound access token needs to be introspected by the resource server in order for claims to be availabe for validation.
The bound access token should be validated before calling this function and the claims of the introspected bound access token needs to be of the BoundAccessTokenClaims type.
The access token hash needs to be a URL encoded SHA256 hash of the access token.
If no error is returned the proof is valid for the supplied bound token.
type ProofClaims ¶
This interface allows for custom claims to be used in proof tokens.
As long as any custom claims extends the 'ProofTokenClaims' they will implement this interface and 'Validate' should handle them correctly
type ProofTokenClaims ¶
type ProofTokenClaims struct { *jwt.RegisteredClaims // the `htm` (HTTP Method) claim. See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-4.2 Method HTTPVerb `json:"htm"` // the `htu` (HTTP URL) claim. See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-4.2 URL string `json:"htu"` // the `ath` (Authorization Token Hash) claim. See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-4.2 AccessTokenHash string `json:"ath,omitempty"` // the `nonce` claim. See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-4.2 Nonce string `json:"nonce,omitempty"` }
These claims contains the standard fields of a DPoP proof claim.
If there is a need for custom claims this can be embedded in custom claims to ensure that claims are still possible to validate with the Validate function.
func (ProofTokenClaims) GetAccessTokenHash ¶
func (p ProofTokenClaims) GetAccessTokenHash() (string, error)
Implement the ProofClaims interface.