421 lines
13 KiB
Go
421 lines
13 KiB
Go
package jwt
|
|
|
|
import (
|
|
"time"
|
|
|
|
"github.com/lestrrat-go/jwx/jwa"
|
|
"github.com/lestrrat-go/jwx/jwe"
|
|
"github.com/lestrrat-go/jwx/jwk"
|
|
"github.com/lestrrat-go/jwx/jws"
|
|
"github.com/lestrrat-go/option"
|
|
)
|
|
|
|
type Option = option.Interface
|
|
|
|
// GlobalOption describes an Option that can be passed to `Settings()`.
|
|
type GlobalOption interface {
|
|
Option
|
|
globalOption()
|
|
}
|
|
|
|
type globalOption struct {
|
|
Option
|
|
}
|
|
|
|
func (*globalOption) globalOption() {}
|
|
|
|
// ParseRequestOption describes an Option that can be passed to `ParseRequest()`.
|
|
type ParseRequestOption interface {
|
|
ParseOption
|
|
httpParseOption()
|
|
}
|
|
|
|
type httpParseOption struct {
|
|
ParseOption
|
|
}
|
|
|
|
func (*httpParseOption) httpParseOption() {}
|
|
|
|
// ParseOption describes an Option that can be passed to `Parse()`.
|
|
// ParseOption also implements ReadFileOption, therefore it may be
|
|
// safely pass them to `jwt.ReadFile()`
|
|
type ParseOption interface {
|
|
ReadFileOption
|
|
parseOption()
|
|
}
|
|
|
|
type parseOption struct {
|
|
Option
|
|
}
|
|
|
|
func newParseOption(n interface{}, v interface{}) ParseOption {
|
|
return &parseOption{option.New(n, v)}
|
|
}
|
|
|
|
func (*parseOption) parseOption() {}
|
|
func (*parseOption) readFileOption() {}
|
|
|
|
// SignOption describes an Option that can be passed to Sign() or
|
|
// (jwt.Serializer).Sign
|
|
type SignOption interface {
|
|
Option
|
|
signOption()
|
|
}
|
|
|
|
type signOption struct {
|
|
Option
|
|
}
|
|
|
|
func newSignOption(n interface{}, v interface{}) SignOption {
|
|
return &signOption{option.New(n, v)}
|
|
}
|
|
|
|
func (*signOption) signOption() {}
|
|
|
|
// EncryptOption describes an Option that can be passed to Encrypt() or
|
|
// (jwt.Serializer).Encrypt
|
|
type EncryptOption interface {
|
|
Option
|
|
encryptOption()
|
|
}
|
|
|
|
type encryptOption struct {
|
|
Option
|
|
}
|
|
|
|
func newEncryptOption(n interface{}, v interface{}) EncryptOption {
|
|
return &encryptOption{option.New(n, v)}
|
|
}
|
|
|
|
func (*encryptOption) encryptOption() {}
|
|
|
|
// ValidateOption describes an Option that can be passed to Validate().
|
|
// ValidateOption also implements ParseOption, therefore it may be
|
|
// safely passed to `Parse()` (and thus `jwt.ReadFile()`)
|
|
type ValidateOption interface {
|
|
ParseOption
|
|
validateOption()
|
|
}
|
|
|
|
type validateOption struct {
|
|
ParseOption
|
|
}
|
|
|
|
func newValidateOption(n interface{}, v interface{}) ValidateOption {
|
|
return &validateOption{newParseOption(n, v)}
|
|
}
|
|
|
|
func (*validateOption) validateOption() {}
|
|
|
|
type identAcceptableSkew struct{}
|
|
type identAudience struct{}
|
|
type identClaim struct{}
|
|
type identClock struct{}
|
|
type identDecrypt struct{}
|
|
type identDefault struct{}
|
|
type identFlattenAudience struct{}
|
|
type identIssuer struct{}
|
|
type identJweHeaders struct{}
|
|
type identJwsHeaders struct{}
|
|
type identJwtid struct{}
|
|
type identKeySet struct{}
|
|
type identPedantic struct{}
|
|
type identRequiredClaim struct{}
|
|
type identSubject struct{}
|
|
type identTimeDelta struct{}
|
|
type identToken struct{}
|
|
type identTypedClaim struct{}
|
|
type identValidate struct{}
|
|
type identVerify struct{}
|
|
|
|
type identHeaderKey struct{}
|
|
type identFormKey struct{}
|
|
|
|
type VerifyParameters interface {
|
|
Algorithm() jwa.SignatureAlgorithm
|
|
Key() interface{}
|
|
}
|
|
|
|
type verifyParams struct {
|
|
alg jwa.SignatureAlgorithm
|
|
key interface{}
|
|
}
|
|
|
|
func (p *verifyParams) Algorithm() jwa.SignatureAlgorithm {
|
|
return p.alg
|
|
}
|
|
|
|
func (p *verifyParams) Key() interface{} {
|
|
return p.key
|
|
}
|
|
|
|
// WithVerify forces the Parse method to verify the JWT message
|
|
// using the given key. XXX Should have been named something like
|
|
// WithVerificationKey
|
|
func WithVerify(alg jwa.SignatureAlgorithm, key interface{}) ParseOption {
|
|
return newParseOption(identVerify{}, &verifyParams{
|
|
alg: alg,
|
|
key: key,
|
|
})
|
|
}
|
|
|
|
// WithKeySet forces the Parse method to verify the JWT message
|
|
// using one of the keys in the given key set. The key to be used
|
|
// is chosen by matching the Key ID of the JWT and the ID of the
|
|
// given keys.
|
|
//
|
|
// When using this option, keys MUST have a properly 'alg' field
|
|
// set. This is because we need to know the exact algorithm that
|
|
// you (the user) wants to use to verify the token. We do NOT
|
|
// trust the token's headers, because they can easily be tampered with.
|
|
func WithKeySet(set jwk.Set) ParseOption {
|
|
return newParseOption(identKeySet{}, set)
|
|
}
|
|
|
|
// UseDefaultKey is used in conjunction with the option WithKeySet
|
|
// to instruct the Parse method to default to the single key in a key
|
|
// set when no Key ID is included in the JWT. If the key set contains
|
|
// multiple keys then the behaviour is unchanged.
|
|
func UseDefaultKey(value bool) ParseOption {
|
|
return newParseOption(identDefault{}, value)
|
|
}
|
|
|
|
// WithToken specifies the token instance that is used when parsing
|
|
// JWT tokens.
|
|
func WithToken(t Token) ParseOption {
|
|
return newParseOption(identToken{}, t)
|
|
}
|
|
|
|
// WithHeaders is passed to `jwt.Sign()` function, to allow specifying arbitrary
|
|
// header values to be included in the header section of the jws message
|
|
//
|
|
// This option will be deprecated in the next major version. Use
|
|
// jwt.WithJwsHeaders() instead.
|
|
func WithHeaders(hdrs jws.Headers) SignOption {
|
|
return WithJwsHeaders(hdrs)
|
|
}
|
|
|
|
// WithJwsHeaders is passed to `jwt.Sign()` function or
|
|
// "jwt.Serializer".Sign() method, to allow specifying arbitrary
|
|
// header values to be included in the header section of the JWE message
|
|
func WithJwsHeaders(hdrs jws.Headers) SignOption {
|
|
return newSignOption(identJwsHeaders{}, hdrs)
|
|
}
|
|
|
|
// WithJweHeaders is passed to "jwt.Serializer".Encrypt() method to allow
|
|
// specifying arbitrary header values to be included in the protected header
|
|
// of the JWE message
|
|
func WithJweHeaders(hdrs jwe.Headers) EncryptOption {
|
|
return newEncryptOption(identJweHeaders{}, hdrs)
|
|
}
|
|
|
|
// WithValidate is passed to `Parse()` method to denote that the
|
|
// validation of the JWT token should be performed after a successful
|
|
// parsing of the incoming payload.
|
|
func WithValidate(b bool) ParseOption {
|
|
return newParseOption(identValidate{}, b)
|
|
}
|
|
|
|
// WithClock specifies the `Clock` to be used when verifying
|
|
// claims exp and nbf.
|
|
func WithClock(c Clock) ValidateOption {
|
|
return newValidateOption(identClock{}, c)
|
|
}
|
|
|
|
// WithAcceptableSkew specifies the duration in which exp and nbf
|
|
// claims may differ by. This value should be positive
|
|
func WithAcceptableSkew(dur time.Duration) ValidateOption {
|
|
return newValidateOption(identAcceptableSkew{}, dur)
|
|
}
|
|
|
|
// WithIssuer specifies that expected issuer value. If not specified,
|
|
// the value of issuer is not verified at all.
|
|
func WithIssuer(s string) ValidateOption {
|
|
return newValidateOption(identIssuer{}, s)
|
|
}
|
|
|
|
// WithSubject specifies that expected subject value. If not specified,
|
|
// the value of subject is not verified at all.
|
|
func WithSubject(s string) ValidateOption {
|
|
return newValidateOption(identSubject{}, s)
|
|
}
|
|
|
|
// WithJwtID specifies that expected jti value. If not specified,
|
|
// the value of jti is not verified at all.
|
|
func WithJwtID(s string) ValidateOption {
|
|
return newValidateOption(identJwtid{}, s)
|
|
}
|
|
|
|
// WithAudience specifies that expected audience value.
|
|
// `Validate()` will return true if one of the values in the `aud` element
|
|
// matches this value. If not specified, the value of issuer is not
|
|
// verified at all.
|
|
func WithAudience(s string) ValidateOption {
|
|
return newValidateOption(identAudience{}, s)
|
|
}
|
|
|
|
type claimValue struct {
|
|
name string
|
|
value interface{}
|
|
}
|
|
|
|
// WithClaimValue specifies that expected any claim value.
|
|
func WithClaimValue(name string, v interface{}) ValidateOption {
|
|
return newValidateOption(identClaim{}, claimValue{name, v})
|
|
}
|
|
|
|
// WithHeaderKey is used to specify header keys to search for tokens.
|
|
//
|
|
// While the type system allows this option to be passed to jwt.Parse() directly,
|
|
// doing so will have no effect. Only use it for HTTP request parsing functions
|
|
func WithHeaderKey(v string) ParseRequestOption {
|
|
return &httpParseOption{newParseOption(identHeaderKey{}, v)}
|
|
}
|
|
|
|
// WithFormKey is used to specify header keys to search for tokens.
|
|
//
|
|
// While the type system allows this option to be passed to jwt.Parse() directly,
|
|
// doing so will have no effect. Only use it for HTTP request parsing functions
|
|
func WithFormKey(v string) ParseRequestOption {
|
|
return &httpParseOption{newParseOption(identFormKey{}, v)}
|
|
}
|
|
|
|
// WithFlattenAudience specifies if the "aud" claim should be flattened
|
|
// to a single string upon the token being serialized to JSON.
|
|
//
|
|
// This is sometimes important when a JWT consumer does not understand that
|
|
// the "aud" claim can actually take the form of an array of strings.
|
|
//
|
|
// The default value is `false`, which means that "aud" claims are always
|
|
// rendered as a arrays of strings. This setting has a global effect,
|
|
// and will change the behavior for all JWT serialization.
|
|
func WithFlattenAudience(v bool) GlobalOption {
|
|
return &globalOption{option.New(identFlattenAudience{}, v)}
|
|
}
|
|
|
|
type typedClaimPair struct {
|
|
Name string
|
|
Value interface{}
|
|
}
|
|
|
|
// WithTypedClaim allows a private claim to be parsed into the object type of
|
|
// your choice. It works much like the RegisterCustomField, but the effect
|
|
// is only applicable to the jwt.Parse function call which receives this option.
|
|
//
|
|
// While this can be extremely useful, this option should be used with caution:
|
|
// There are many caveats that your entire team/user-base needs to be aware of,
|
|
// and therefore in general its use is discouraged. Only use it when you know
|
|
// what you are doing, and you document its use clearly for others.
|
|
//
|
|
// First and foremost, this is a "per-object" option. Meaning that given the same
|
|
// serialized format, it is possible to generate two objects whose internal
|
|
// representations may differ. That is, if you parse one _WITH_ the option,
|
|
// and the other _WITHOUT_, their internal representation may completely differ.
|
|
// This could potentially lead to problems.
|
|
//
|
|
// Second, specifying this option will slightly slow down the decoding process
|
|
// as it needs to consult multiple definitions sources (global and local), so
|
|
// be careful if you are decoding a large number of tokens, as the effects will stack up.
|
|
//
|
|
// Finally, this option will also NOT work unless the tokens themselves support such
|
|
// parsing mechanism. For example, while tokens obtained from `jwt.New()` and
|
|
// `openid.New()` will respect this option, if you provide your own custom
|
|
// token type, it will need to implement the TokenWithDecodeCtx interface.
|
|
func WithTypedClaim(name string, object interface{}) ParseOption {
|
|
return newParseOption(identTypedClaim{}, typedClaimPair{Name: name, Value: object})
|
|
}
|
|
|
|
// WithRequiredClaim specifies that the claim identified the given name
|
|
// must exist in the token. Only the existence of the claim is checked:
|
|
// the actual value associated with that field is not checked.
|
|
func WithRequiredClaim(name string) ValidateOption {
|
|
return newValidateOption(identRequiredClaim{}, name)
|
|
}
|
|
|
|
type delta struct {
|
|
c1 string
|
|
c2 string
|
|
dur time.Duration
|
|
less bool // if true, d =< c1 - c2. otherwise d >= c1 - c2
|
|
}
|
|
|
|
// WithMaxDelta specifies that given two claims `c1` and `c2` that represent time, the difference in
|
|
// time.Duration must be less than equal to the value specified by `d`. If `c1` or `c2` is the
|
|
// empty string, the current time (as computed by `time.Now` or the object passed via
|
|
// `WithClock()`) is used for the comparison.
|
|
//
|
|
// `c1` and `c2` are also assumed to be required, therefore not providing either claim in the
|
|
// token will result in an error.
|
|
//
|
|
// Because there is no way of reliably knowing how to parse private claims, we currently only
|
|
// support `iat`, `exp`, and `nbf` claims.
|
|
//
|
|
// If the empty string is passed to c1 or c2, then the current time (as calculated by time.Now() or
|
|
// the clock object provided via WithClock()) is used.
|
|
//
|
|
// For example, in order to specify that `exp` - `iat` should be less than 10*time.Second, you would write
|
|
//
|
|
// jwt.Validate(token, jwt.WithMaxDelta(10*time.Second, jwt.ExpirationKey, jwt.IssuedAtKey))
|
|
//
|
|
// If AcceptableSkew of 2 second is specified, the above will return valid for any value of
|
|
// `exp` - `iat` between 8 (10-2) and 12 (10+2).
|
|
func WithMaxDelta(dur time.Duration, c1, c2 string) ValidateOption {
|
|
return newValidateOption(identTimeDelta{}, delta{
|
|
c1: c1,
|
|
c2: c2,
|
|
dur: dur,
|
|
less: true,
|
|
})
|
|
}
|
|
|
|
// WithMinDelta is almost exactly the same as WithMaxDelta, but force validation to fail if
|
|
// the difference between time claims are less than dur.
|
|
//
|
|
// For example, in order to specify that `exp` - `iat` should be greater than 10*time.Second, you would write
|
|
//
|
|
// jwt.Validate(token, jwt.WithMinDelta(10*time.Second, jwt.ExpirationKey, jwt.IssuedAtKey))
|
|
//
|
|
// The validation would fail if the difference is less than 10 seconds.
|
|
//
|
|
func WithMinDelta(dur time.Duration, c1, c2 string) ValidateOption {
|
|
return newValidateOption(identTimeDelta{}, delta{
|
|
c1: c1,
|
|
c2: c2,
|
|
dur: dur,
|
|
less: false,
|
|
})
|
|
}
|
|
|
|
type decryptParams struct {
|
|
alg jwa.KeyEncryptionAlgorithm
|
|
key interface{}
|
|
}
|
|
|
|
type DecryptParameters interface {
|
|
Algorithm() jwa.KeyEncryptionAlgorithm
|
|
Key() interface{}
|
|
}
|
|
|
|
func (dp *decryptParams) Algorithm() jwa.KeyEncryptionAlgorithm {
|
|
return dp.alg
|
|
}
|
|
|
|
func (dp *decryptParams) Key() interface{} {
|
|
return dp.key
|
|
}
|
|
|
|
// WithDecrypt allows users to specify parameters for decryption using
|
|
// `jwe.Decrypt`. You must specify this if your JWT is encrypted.
|
|
func WithDecrypt(alg jwa.KeyEncryptionAlgorithm, key interface{}) ParseOption {
|
|
return newParseOption(identDecrypt{}, &decryptParams{
|
|
alg: alg,
|
|
key: key,
|
|
})
|
|
}
|
|
|
|
// WithPedantic enables pedantic mode for parsing JWTs. Currently this only
|
|
// applies to checking for the correct `typ` and/or `cty` when necessary.
|
|
func WithPedantic(v bool) ParseOption {
|
|
return newParseOption(identPedantic{}, v)
|
|
}
|