Documentation

Overview

    Package jwk implements JSON Web Key management capabilities

    A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens).

    Index

    Constants

    View Source
    const (
    	KeyHandlerPath    = "/keys"
    	WellKnownKeysPath = "/.well-known/jwks.json"
    )

    Variables

    This section is empty.

    Functions

    func AsymmetricKeypair

    func AsymmetricKeypair(ctx context.Context, r InternalRegistry, g KeyGenerator, set string) (public, private *jose.JSONWebKey, err error)

    func EnsureAsymmetricKeypairExists

    func EnsureAsymmetricKeypairExists(ctx context.Context, r InternalRegistry, g KeyGenerator, set string) error

    func FindKeyByPrefix

    func FindKeyByPrefix(set *jose.JSONWebKeySet, prefix string) (key *jose.JSONWebKey, err error)

    func FindKeysByPrefix

    func FindKeysByPrefix(set *jose.JSONWebKeySet, prefix string) (*jose.JSONWebKeySet, error)

    func First

    func First(keys []jose.JSONWebKey) *jose.JSONWebKey

    func GetOrCreateKey

    func GetOrCreateKey(ctx context.Context, r InternalRegistry, g KeyGenerator, set, prefix string) (*jose.JSONWebKey, error)

    func Ider

    func Ider(typ, id string) string

    func MustRSAPrivate

    func MustRSAPrivate(key *jose.JSONWebKey) *rsa.PrivateKey

    func MustRSAPublic

    func MustRSAPublic(key *jose.JSONWebKey) *rsa.PublicKey

    func PEMBlockForKey

    func PEMBlockForKey(key interface{}) (*pem.Block, error)

    func RandomBytes

    func RandomBytes(n int) ([]byte, error)

    func TestHelperManagerKey

    func TestHelperManagerKey(m Manager, keys *jose.JSONWebKeySet, suffix string) func(t *testing.T)

    func TestHelperManagerKeySet

    func TestHelperManagerKeySet(m Manager, keys *jose.JSONWebKeySet, suffix string) func(t *testing.T)

    func ToRSAPrivate

    func ToRSAPrivate(key *jose.JSONWebKey) (*rsa.PrivateKey, error)

    func ToRSAPublic

    func ToRSAPublic(key *jose.JSONWebKey) (*rsa.PublicKey, error)

    Types

    type AEAD

    type AEAD struct {
    	// contains filtered or unexported fields
    }

    func NewAEAD

    func NewAEAD(c *config.Provider) *AEAD

    func (*AEAD) Decrypt

    func (c *AEAD) Decrypt(ciphertext string) (p []byte, err error)

    func (*AEAD) Encrypt

    func (c *AEAD) Encrypt(plaintext []byte) (string, error)

    type ECDSA256Generator

    type ECDSA256Generator struct{}

    func (*ECDSA256Generator) Generate

    func (g *ECDSA256Generator) Generate(id, use string) (*jose.JSONWebKeySet, error)

    type ECDSA512Generator

    type ECDSA512Generator struct{}

    func (*ECDSA512Generator) Generate

    func (g *ECDSA512Generator) Generate(id, use string) (*jose.JSONWebKeySet, error)

    type HS256Generator

    type HS256Generator struct{}

    func (*HS256Generator) Generate

    func (g *HS256Generator) Generate(id, use string) (*jose.JSONWebKeySet, error)

    type HS512Generator

    type HS512Generator struct{}

    func (*HS512Generator) Generate

    func (g *HS512Generator) Generate(id, use string) (*jose.JSONWebKeySet, error)

    type Handler

    type Handler struct {
    	// contains filtered or unexported fields
    }

    func NewHandler

    func NewHandler(r InternalRegistry, c *config.Provider) *Handler

    func (*Handler) Create

    func (h *Handler) Create(w http.ResponseWriter, r *http.Request, ps httprouter.Params)

    swagger:route POST /keys/{set} admin createJsonWebKeySet

    Generate a New JSON Web Key

    This endpoint is capable of generating JSON Web Key Sets for you. There a different strategies available, such as symmetric cryptographic keys (HS256, HS512) and asymetric cryptographic keys (RS256, ECDSA). If the specified JSON Web Key Set does not exist, it will be created.

    A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.

    Consumes:
    - application/json
    
    Produces:
    - application/json
    
    Schemes: http, https
    
    Responses:
      201: JSONWebKeySet
      401: genericError
      403: genericError
      500: genericError
    

    func (*Handler) DeleteKey

    func (h *Handler) DeleteKey(w http.ResponseWriter, r *http.Request, ps httprouter.Params)

    swagger:route DELETE /keys/{set}/{kid} admin deleteJsonWebKey

    Delete a JSON Web Key

    Use this endpoint to delete a single JSON Web Key.

    A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.

    Consumes:
    - application/json
    
    Produces:
    - application/json
    
    Schemes: http, https
    
    Responses:
      204: emptyResponse
      401: genericError
      403: genericError
      500: genericError
    

    func (*Handler) DeleteKeySet

    func (h *Handler) DeleteKeySet(w http.ResponseWriter, r *http.Request, ps httprouter.Params)

    swagger:route DELETE /keys/{set} admin deleteJsonWebKeySet

    Delete a JSON Web Key Set

    Use this endpoint to delete a complete JSON Web Key Set and all the keys in that set.

    A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.

    Consumes:
    - application/json
    
    Produces:
    - application/json
    
    Schemes: http, https
    
    Responses:
      204: emptyResponse
      401: genericError
      403: genericError
      500: genericError
    

    func (*Handler) GetKey

    func (h *Handler) GetKey(w http.ResponseWriter, r *http.Request, ps httprouter.Params)

    swagger:route GET /keys/{set}/{kid} admin getJsonWebKey

    Fetch a JSON Web Key

    This endpoint returns a singular JSON Web Key, identified by the set and the specific key ID (kid).

    Consumes:
    - application/json
    
    Produces:
    - application/json
    
    Schemes: http, https
    
    Responses:
      200: JSONWebKeySet
      404: genericError
      500: genericError
    

    func (*Handler) GetKeySet

    func (h *Handler) GetKeySet(w http.ResponseWriter, r *http.Request, ps httprouter.Params)

    swagger:route GET /keys/{set} admin getJsonWebKeySet

    Retrieve a JSON Web Key Set

    This endpoint can be used to retrieve JWK Sets stored in ORY Hydra.

    A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.

    Consumes:
    - application/json
    
    Produces:
    - application/json
    
    Schemes: http, https
    
    Responses:
      200: JSONWebKeySet
      401: genericError
      403: genericError
      500: genericError
    

    func (*Handler) SetRoutes

    func (h *Handler) SetRoutes(admin *x.RouterAdmin, public *x.RouterPublic, corsMiddleware func(http.Handler) http.Handler)

    func (*Handler) UpdateKey

    func (h *Handler) UpdateKey(w http.ResponseWriter, r *http.Request, ps httprouter.Params)

    swagger:route PUT /keys/{set}/{kid} admin updateJsonWebKey

    Update a JSON Web Key

    Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.

    A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.

    Consumes:
    - application/json
    
    Produces:
    - application/json
    
    Schemes: http, https
    
    Responses:
      200: JSONWebKey
      401: genericError
      403: genericError
      500: genericError
    

    func (*Handler) UpdateKeySet

    func (h *Handler) UpdateKeySet(w http.ResponseWriter, r *http.Request, ps httprouter.Params)

    swagger:route PUT /keys/{set} admin updateJsonWebKeySet

    Update a JSON Web Key Set

    Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.

    A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.

    Consumes:
    - application/json
    
    Produces:
    - application/json
    
    Schemes: http, https
    
    Responses:
      200: JSONWebKeySet
      401: genericError
      403: genericError
      500: genericError
    

    func (*Handler) WellKnown

    func (h *Handler) WellKnown(w http.ResponseWriter, r *http.Request)

    swagger:route GET /.well-known/jwks.json public wellKnown

    JSON Web Keys Discovery

    This endpoint returns JSON Web Keys to be used as public keys for verifying OpenID Connect ID Tokens and, if enabled, OAuth 2.0 JWT Access Tokens. This endpoint can be used with client libraries like [node-jwks-rsa](https://github.com/auth0/node-jwks-rsa) among others.

    Consumes:
    - application/json
    
    Produces:
    - application/json
    
    Schemes: http, https
    
    Responses:
      200: JSONWebKeySet
      500: genericError
    

    type InternalRegistry

    type InternalRegistry interface {
    	x.RegistryWriter
    	x.RegistryLogger
    	Registry
    }

    type JWTStrategy

    type JWTStrategy interface {
    	GetPublicKeyID(ctx context.Context) (string, error)
    
    	jwt.JWTStrategy
    }

    type KeyGenerator

    type KeyGenerator interface {
    	Generate(id, use string) (*jose.JSONWebKeySet, error)
    }

    type Manager

    type Manager interface {
    	AddKey(ctx context.Context, set string, key *jose.JSONWebKey) error
    
    	AddKeySet(ctx context.Context, set string, keys *jose.JSONWebKeySet) error
    
    	GetKey(ctx context.Context, set, kid string) (*jose.JSONWebKeySet, error)
    
    	GetKeySet(ctx context.Context, set string) (*jose.JSONWebKeySet, error)
    
    	DeleteKey(ctx context.Context, set, kid string) error
    
    	DeleteKeySet(ctx context.Context, set string) error
    }

    type RS256Generator

    type RS256Generator struct {
    	KeyLength int
    }

    func (*RS256Generator) Generate

    func (g *RS256Generator) Generate(id, use string) (*jose.JSONWebKeySet, error)

    type RS256JWTStrategy

    type RS256JWTStrategy struct {
    	sync.RWMutex
    
    	RS256JWTStrategy *jwt.RS256JWTStrategy
    	// contains filtered or unexported fields
    }

    func NewRS256JWTStrategy

    func NewRS256JWTStrategy(r InternalRegistry, rs func() string) (*RS256JWTStrategy, error)

    func (*RS256JWTStrategy) Decode

    func (j *RS256JWTStrategy) Decode(ctx context.Context, token string) (*jwt2.Token, error)

    func (*RS256JWTStrategy) Generate

    func (j *RS256JWTStrategy) Generate(ctx context.Context, claims jwt2.Claims, header jwt.Mapper) (string, string, error)

    func (*RS256JWTStrategy) GetPublicKeyID

    func (j *RS256JWTStrategy) GetPublicKeyID(ctx context.Context) (string, error)

    func (*RS256JWTStrategy) GetSignature

    func (j *RS256JWTStrategy) GetSignature(ctx context.Context, token string) (string, error)

    func (*RS256JWTStrategy) GetSigningMethodLength

    func (j *RS256JWTStrategy) GetSigningMethodLength() int

      GetSigningMethodLength will return the length of the signing method

      func (*RS256JWTStrategy) Hash

      func (j *RS256JWTStrategy) Hash(ctx context.Context, in []byte) ([]byte, error)

      func (*RS256JWTStrategy) Validate

      func (j *RS256JWTStrategy) Validate(ctx context.Context, token string) (string, error)

      type Registry

      type Registry interface {
      	KeyManager() Manager
      	KeyGenerators() map[string]KeyGenerator
      	KeyCipher() *AEAD
      }

      type SQLData

      type SQLData struct {
      	ID        int       `db:"pk"`
      	Set       string    `db:"sid"`
      	KID       string    `db:"kid"`
      	Version   int       `db:"version"`
      	CreatedAt time.Time `db:"created_at"`
      	Key       string    `db:"keydata"`
      }

      func (SQLData) TableName

      func (d SQLData) TableName() string