Version: v0.0.0-...-fdd12d1

This package is not in the latest version of its module.

Published: Jan 4, 2020 License: Apache-2.0 Imports: 5 Imported by: 0



Package auth provides authentication behavior.



const (
	RoleAdmin = "ADMIN"
	RoleUser  = "USER"
)

These are the expected values for Claims.Roles.

const Key ctxKey = 1

Key is used to store/retrieve a Claims value from a context.Context.




type Authenticator

type Authenticator struct {
	// contains filtered or unexported fields
}

Authenticator is used to authenticate clients. It can generate a token for a set of user claims and recreate the claims by parsing the token.

func NewAuthenticator

func NewAuthenticator(privateKey *rsa.PrivateKey, activeKID, algorithm string, publicKeyLookupFunc KeyLookupFunc) (*Authenticator, error)

NewAuthenticator creates an *Authenticator for use. It will error if:

* The private key is nil.
* The public key func is nil.
* The key ID is blank.
* The specified algorithm is unsupported.

func (*Authenticator) GenerateToken

func (a *Authenticator) GenerateToken(claims Claims) (string, error)

GenerateToken generates a signed JWT token string representing the user Claims.

func (*Authenticator) ParseClaims

func (a *Authenticator) ParseClaims(tokenStr string) (Claims, error)

ParseClaims recreates the Claims that were used to generate a token. It verifies that the token was signed using our key.

type Claims

type Claims struct {
	Roles []string `json:"roles"`
}

Claims represents the authorization claims transmitted via a JWT.

func NewClaims

func NewClaims(subject string, roles []string, now time.Time, expires time.Duration) Claims

NewClaims constructs a Claims value for the identified user. The Claims expire within a specified duration of the provided time. Additional fields of the Claims can be set after calling NewClaims if desired.

func (Claims) HasRole

func (c Claims) HasRole(roles ...string) bool

HasRole returns true if the claims have at least one of the provided roles.

type KeyLookupFunc

type KeyLookupFunc func(kid string) (*rsa.PublicKey, error)

KeyLookupFunc is used to map a JWT key id (kid) to the corresponding public key. It is a requirement for creating an Authenticator.

* Private keys should be rotated. During the transition period, tokens signed with the old and new keys can coexist by looking up the correct public key by key id (kid).

* Key-id-to-public-key resolution is usually accomplished via a public JWKS endpoint. See for more details.

func NewSimpleKeyLookupFunc

func NewSimpleKeyLookupFunc(activeKID string, publicKey *rsa.PublicKey) KeyLookupFunc

NewSimpleKeyLookupFunc is a simple implementation of KeyLookupFunc that only ever supports one key. This is easy for development but in production should be replaced with a caching layer that calls a JWKS endpoint.
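Added example, not part of this package: a multi-key alternative to NewSimpleKeyLookupFunc that keeps a retired key verifiable for a grace window, as the rotation note under KeyLookupFunc describes. KeySet, its methods, the kid strings and the placeholder keys are assumptions for illustration; KeyLookupFunc is redeclared locally so the file builds with the standard library alone.

```go
package main

import (
	"crypto/rsa"
	"fmt"
	"time"
)

// KeyLookupFunc mirrors the signature documented on this page.
type KeyLookupFunc func(kid string) (*rsa.PublicKey, error)

// KeySet (hypothetical) holds every public key still accepted for verification.
// It is not goroutine-safe: guard it with a sync.RWMutex if keys change while serving.
type KeySet struct {
	keys    map[string]*rsa.PublicKey
	retired map[string]time.Time // kid -> moment it stops being accepted
	now     func() time.Time     // injectable clock so expiry is testable
}

func NewKeySet(now func() time.Time) *KeySet {
	return &KeySet{keys: map[string]*rsa.PublicKey{}, retired: map[string]time.Time{}, now: now}
}

// Add registers pub under kid as an accepted key.
func (s *KeySet) Add(kid string, pub *rsa.PublicKey) { s.keys[kid] = pub }

// Retire keeps kid verifiable for grace, which should cover the longest token lifetime.
func (s *KeySet) Retire(kid string, grace time.Duration) {
	if _, ok := s.keys[kid]; ok {
		s.retired[kid] = s.now().Add(grace)
	}
}

// Lookup has the KeyLookupFunc signature; blank, unknown and expired kids fail closed.
func (s *KeySet) Lookup(kid string) (*rsa.PublicKey, error) {
	pub, ok := s.keys[kid]
	if kid == "" || !ok || pub == nil {
		return nil, fmt.Errorf("unknown kid %q", kid)
	}
	if end, ok := s.retired[kid]; ok && !s.now().Before(end) {
		return nil, fmt.Errorf("kid %q is retired", kid)
	}
	return pub, nil
}

func main() {
	ks := NewKeySet(time.Now)
	ks.Add("kid-new", &rsa.PublicKey{E: 65537}) // constructed placeholder, not a usable key
	var lookup KeyLookupFunc = ks.Lookup         // the form NewAuthenticator's last parameter takes
	fmt.Println(lookup("kid-old"))
}
```

Choose the grace period passed to Retire to be at least the longest expiry handed to NewClaims, so no unexpired token outlives its verification key.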
