jwtverifier

package module
v0.1.12
Published: Mar 7, 2020 License: Apache-2.0 Imports: 16 Imported by: 0

README

Okta JWT Verifier for Golang

This library helps you verify tokens that have been issued by Okta. To learn more about verification cases and Okta's tokens, please read Working With OAuth 2.0 Tokens.

⚠ 🚧 Beta Preview 🚧 ⚠

This library is under development and is currently in 0.x version series. Breaking changes may be introduced at minor versions in the 0.x range. Please lock your dependency to a specific version until this library reaches 1.x.

Need help? Okta Developer Forum.

Installation

go get -u github.com/okta/okta-jwt-verifier-golang

Usage

This library was built to keep configuration to a minimum. To get it running in its most basic form, all you need to provide is the following information:

  • Issuer - This is the URL of the authorization server that will perform authentication. All Developer Accounts have a "default" authorization server. The issuer is a combination of your Org URL (found in the upper right of the console home page) and /oauth2/default. For example, https://dev-1234.oktapreview.com/oauth2/default.
  • Client ID - This can be found on the "General" tab of the Web application that you created earlier in the Okta Developer Console.

Access Token Validation
import "github.com/okta/okta-jwt-verifier-golang" // package name is jwtverifier

toValidate := map[string]string{}
toValidate["aud"] = "api://default"
toValidate["cid"] = "{CLIENT_ID}"

jwtVerifierSetup := jwtverifier.JwtVerifier{
        Issuer:           "{ISSUER}",
        ClaimsToValidate: toValidate, // trailing comma is required in a multi-line literal
}

verifier := jwtVerifierSetup.New()

token, err := verifier.VerifyAccessToken("{JWT}")
if err != nil {
        // reject the request: the signature, issuer, expiry or an expected claim did not check out
}

Id Token Validation
import "github.com/okta/okta-jwt-verifier-golang" // package name is jwtverifier

toValidate := map[string]string{}
toValidate["nonce"] = "{NONCE}"
toValidate["aud"] = "{CLIENT_ID}"

jwtVerifierSetup := jwtverifier.JwtVerifier{
        Issuer:           "{ISSUER}",
        ClaimsToValidate: toValidate, // trailing comma is required in a multi-line literal
}

verifier := jwtVerifierSetup.New()

token, err := verifier.VerifyIdToken("{JWT}")
if err != nil {
        // reject the login: the signature, issuer, expiry, nonce or audience did not check out
}

This will either provide you with the token which gives you access to all the claims, or an error. The token struct contains a Claims property that will give you a map[string]interface{} of all the claims in the token.

// Getting the sub from the token
sub := token.Claims["sub"]

Dealing with clock skew

We default to a PT2M (two-minute) clock skew adjustment in our validation. If you need to change this, you can use the SetLeeway method:

jwtVerifierSetup := jwtverifier.JwtVerifier{
        Issuer: "{ISSUER}",
}

verifier := jwtVerifierSetup.New()
verifier.SetLeeway(60) // seconds; tightens the default two-minute window
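What the claims map and the leeway setting above actually enforce, as an added illustration that is not the library's own code: a standard-library-only Go function that checks an expected-claims map and a clock-skew leeway over a claims map shaped like Jwt.Claims, assuming the signature and issuer have already been verified by the library's adaptor. Note that the README snippets use exported fields and SetLeeway, whereas the v0.1.12 index below documents New(issuer, ...ConfigFunc), WithDefaultLeeway and VerifyAccessTokenWithOpts(jwt, VerificationOpts{Leeway, Claims}); the function mirrors the semantics of those Leeway and Claims fields. The claim values, timestamps and client ID are constructed placeholders.

```go
package main

import (
	"fmt"
	"time"
)

// DefaultLeeway is the README's PT2M default, in seconds.
const DefaultLeeway int64 = 120

// ValidateClaims applies the checks the README describes to an already
// signature-verified claims map: every entry of claimsToValidate ("aud"/"cid"
// for access tokens, "nonce"/"aud" for ID tokens) must be present and equal,
// and exp/iat are compared with now, tolerating leeway seconds of clock skew.
// Illustrative code, not the library's implementation.
func ValidateClaims(claims map[string]interface{}, claimsToValidate map[string]string, leeway int64, now time.Time) error {
	for name, want := range claimsToValidate {
		got, ok := claims[name].(string)
		if !ok {
			return fmt.Errorf("claim %q missing or not a string", name)
		}
		if got != want {
			return fmt.Errorf("claim %q: got %q, want %q", name, got, want)
		}
	}
	// JSON decoding yields float64 for numeric claims such as exp and iat.
	exp, ok := claims["exp"].(float64)
	if !ok {
		return fmt.Errorf("token has no numeric exp claim")
	}
	if now.Unix() > int64(exp)+leeway {
		return fmt.Errorf("token expired %ds ago, beyond leeway of %ds", now.Unix()-int64(exp), leeway)
	}
	if iat, ok := claims["iat"].(float64); ok && int64(iat) > now.Unix()+leeway {
		return fmt.Errorf("token iat is %ds in the future, beyond leeway of %ds", int64(iat)-now.Unix(), leeway)
	}
	return nil
}

// SampleAccessClaims is a constructed claims map, shaped like Jwt.Claims after
// decoding, for an access token that expired at Unix time 1700000000.
func SampleAccessClaims() map[string]interface{} {
	return map[string]interface{}{
		"aud": "api://default",
		"cid": "0oa-example-client-id", // constructed placeholder, not a real client ID
		"exp": float64(1700000000),
		"iat": float64(1699996400),
	}
}
```

Evaluated 90 seconds after exp, the sample passes under the 120-second default and fails once the leeway is lowered to 60, which is the trade-off the SetLeeway call makes.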

Documentation

Index

Constants

This section is empty.

Variables

var (
	ErrJWTEmptyString = errors.New("you must provide a jwt to verify")
	ErrJWKNotFound    = errors.New("jwk not found for kid")
)

Functions

func GenerateNonce added in v0.1.12

func GenerateNonce() (string, error)

func ParseEnvironment added in v0.1.12

func ParseEnvironment()

Types

type Adaptor added in v0.1.12

type Adaptor interface {
	Decode(jwt string) (map[string]interface{}, error)
}

func NewJWXAdaptor added in v0.1.12

func NewJWXAdaptor(metaDataUrl string) (Adaptor, error)

type ConfigFunc added in v0.1.12

type ConfigFunc = func(v *JwtVerifier)

func WithAdaptor added in v0.1.12

func WithAdaptor(adaptor Adaptor) ConfigFunc

func WithDefaultLeeway added in v0.1.12

func WithDefaultLeeway(leeway int64) ConfigFunc

func WithDiscovery added in v0.1.12

func WithDiscovery(discovery Discovery) ConfigFunc

type Discovery added in v0.1.12

type Discovery interface {
	GetWellKnownUrl() string
}

func NewOIDCDiscovery added in v0.1.12

func NewOIDCDiscovery() Discovery

type JWXAdaptor added in v0.1.12

type JWXAdaptor struct {
	// contains filtered or unexported fields
}

func (*JWXAdaptor) Decode added in v0.1.12

func (a *JWXAdaptor) Decode(jwt string) (map[string]interface{}, error)

type Jwt

type Jwt struct {
	Claims map[string]interface{}
}

type JwtVerifier

type JwtVerifier struct {
	// contains filtered or unexported fields
}

JwtVerifier verifies JWT tokens. It is thread-safe, and therefore you should always have one instance of the verifier per application. It is important to pass around a single instance to make use of RS256 key caching and the HTTP connection pool of its client.

func New added in v0.1.12

func New(issuer string, configs ...ConfigFunc) (*JwtVerifier, error)

func (*JwtVerifier) VerifyAccessToken

func (j *JwtVerifier) VerifyAccessToken(jwt string) (*Jwt, error)

func (*JwtVerifier) VerifyAccessTokenWithOpts added in v0.1.12

func (j *JwtVerifier) VerifyAccessTokenWithOpts(jwt string, opts VerificationOpts) (*Jwt, error)

func (*JwtVerifier) VerifyIdToken

func (j *JwtVerifier) VerifyIdToken(jwt string) (*Jwt, error)

func (*JwtVerifier) VerifyIdTokenWithOpts added in v0.1.12

func (j *JwtVerifier) VerifyIdTokenWithOpts(jwt string, opts VerificationOpts) (*Jwt, error)

type OIDC added in v0.1.12

type OIDC struct {
	// contains filtered or unexported fields
}

func (*OIDC) GetWellKnownUrl added in v0.1.12

func (d *OIDC) GetWellKnownUrl() string

type VerificationOpts added in v0.1.12

type VerificationOpts struct {
	// Leeway is the leeway in seconds.
	Leeway *int64
	// Claims are the claims you want to validate on an individual token.
	Claims map[string]string
}
