Documentation
Overview
Package jwks contains clients for getting public keys from a JWKS (JSON Web Key Set).
Index
Constants
const DefaultCacheTTL = time.Hour * 1
DefaultCacheTTL is the default time-to-live for cached JWKS entries. After this duration, cached entries are considered expired and will be refreshed. This prevents revoked keys from remaining in cache indefinitely.
const DefaultCacheUpdateMinInterval = time.Minute * 1
Variables
This section is empty.
Functions
This section is empty.
Types
type CachingClient
type CachingClient struct {
// contains filtered or unexported fields
}
CachingClient is a Client that fetches keys from a remote JWKS and caches them, so that a JWT verification normally costs no HTTP request.
func NewCachingClient
func NewCachingClient() *CachingClient
NewCachingClient returns a new CachingClient that caches fetched JWKS data.
func NewCachingClientWithOpts
func NewCachingClientWithOpts(opts CachingClientOpts) *CachingClient
NewCachingClientWithOpts returns a new CachingClient that caches fetched JWKS data, configured by opts.
func (*CachingClient) GetRSAPublicKey
func (cc *CachingClient) GetRSAPublicKey(ctx context.Context, issuerURL, keyID string) (interface{}, error)
GetRSAPublicKey looks up the JWK with the given key ID (kid) in the issuer's JWKS and returns the decoded RSA public key for it. The returned key can be used to verify a JWT signature. The fetched JWKS is cached. If the issuer URL or the key ID is not found in the cache, the JWKS is fetched again, but not more than once per configurable interval (CacheUpdateMinInterval) for the same issuer, so that tokens carrying unknown kids cannot be turned into a flood of requests against the issuer.
func (*CachingClient) InvalidateCacheIfPossible added in v0.31.0
func (cc *CachingClient) InvalidateCacheIfPossible(ctx context.Context, issuerURL string) (invalidated bool, err error)
InvalidateCacheIfPossible invalidates the cache for the given issuer URL if possible. It returns true if the cache was invalidated, or false if invalidation was skipped because of rate limiting (the minimum update interval has not elapsed since the last update for that issuer).
type CachingClientOpts
type CachingClientOpts struct {
ClientOpts
// CacheUpdateMinInterval is the minimum interval between cache updates for the same issuer.
// Default: DefaultCacheUpdateMinInterval (1 minute).
CacheUpdateMinInterval time.Duration
// CacheTTL is the time-to-live for cached JWKS entries.
// After this duration, cached entries expire and will be refreshed on next access.
// This prevents revoked keys from remaining in cache indefinitely.
// Default: DefaultCacheTTL (1 hour).
CacheTTL time.Duration
}
CachingClientOpts contains options for CachingClient.
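To make the two timers in CachingClientOpts concrete, here is a small cache that applies them the way the descriptions above state: entries are served while within CacheTTL, a miss (unknown issuer, expired entry, or unknown kid after a key rotation) triggers a refetch but never more than once per CacheUpdateMinInterval for the same issuer, and invalidation reports false when it is held back by the same interval. This is an added example written for this page, not the package's CachingClient: the HTTP round trips are replaced by a hypothetical Fetcher function, the key values are placeholder strings rather than *rsa.PublicKey, and the clock is injectable so the timers can be exercised.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// KeySet maps a JWK "kid" to its decoded public key (interface{} as on the page).
type KeySet map[string]interface{}

// Fetcher returns an issuer's complete key set; a real client does the discovery
// and jwks_uri requests here. It is an assumption of this example.
type Fetcher func(ctx context.Context, issuerURL string) (KeySet, error)

var ErrKeyNotFound = errors.New("jwk not found by kid")

type entry struct {
	keys        KeySet
	fetchedAt   time.Time // last successful fetch: drives the TTL
	lastAttempt time.Time // last attempt, failed or not: drives the rate limit
}

// CachingKeyClient is a hypothetical cache written for this example, not the
// package's CachingClient; it applies the same two timers.
type CachingKeyClient struct {
	fetch       Fetcher
	ttl         time.Duration // CacheTTL: a revoked key stays accepted at most this long
	minInterval time.Duration // CacheUpdateMinInterval: at most one refresh per issuer per interval
	now         func() time.Time
	mu          sync.Mutex
	cache       map[string]*entry
}

func NewCachingKeyClient(fetch Fetcher, ttl, minInterval time.Duration) *CachingKeyClient {
	return &CachingKeyClient{fetch: fetch, ttl: ttl, minInterval: minInterval, now: time.Now, cache: map[string]*entry{}}
}

// refreshLocked runs under c.mu; the attempt is recorded even on failure so an
// unreachable issuer is not hammered in a tight loop.
func (c *CachingKeyClient) refreshLocked(ctx context.Context, issuerURL string) error {
	e, ok := c.cache[issuerURL]
	if !ok {
		e = &entry{}
		c.cache[issuerURL] = e
	}
	e.lastAttempt = c.now()
	keys, err := c.fetch(ctx, issuerURL)
	if err != nil {
		return err
	}
	e.keys, e.fetchedAt = keys, e.lastAttempt
	return nil
}

// GetPublicKey serves from cache within the TTL. A miss refetches at most once per
// minInterval per issuer; fetch errors are returned, never masked with stale keys.
func (c *CachingKeyClient) GetPublicKey(ctx context.Context, issuerURL, keyID string) (interface{}, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	now := c.now()
	e, ok := c.cache[issuerURL]
	if ok && e.keys != nil && now.Sub(e.fetchedAt) < c.ttl {
		if k, found := e.keys[keyID]; found {
			return k, nil
		}
	}
	if ok && now.Sub(e.lastAttempt) < c.minInterval {
		return nil, fmt.Errorf("%w (refresh rate-limited): issuer=%s kid=%s", ErrKeyNotFound, issuerURL, keyID)
	}
	if err := c.refreshLocked(ctx, issuerURL); err != nil {
		return nil, err
	}
	if k, found := c.cache[issuerURL].keys[keyID]; found {
		return k, nil
	}
	return nil, fmt.Errorf("%w: issuer=%s kid=%s", ErrKeyNotFound, issuerURL, keyID)
}

// InvalidateCacheIfPossible refetches the issuer's keys unless a fetch was attempted
// within minInterval, in which case it reports false (eager refetch is this example's choice).
func (c *CachingKeyClient) InvalidateCacheIfPossible(ctx context.Context, issuerURL string) (bool, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.cache[issuerURL]; ok && c.now().Sub(e.lastAttempt) < c.minInterval {
		return false, nil
	}
	if err := c.refreshLocked(ctx, issuerURL); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	// Constructed stand-in for a remote issuer; the value is a placeholder, not a real key.
	fetch := func(context.Context, string) (KeySet, error) { return KeySet{"key-2024": "<placeholder key>"}, nil }
	c := NewCachingKeyClient(fetch, time.Hour, time.Minute)
	k, err := c.GetPublicKey(context.Background(), "https://issuer.example", "key-2024")
	fmt.Println(k, err)
}
```

Two design points worth noting: the rate limit is keyed on the last attempt rather than the last success, so an issuer that is down is retried at most once per interval, and a miss inside the interval fails closed (the token is rejected) rather than being served a stale or guessed key. The fetch runs while the mutex is held, which serialises concurrent misses on the same issuer; a production client would use a per-issuer single-flight instead of a global lock.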
type Client
type Client struct {
// contains filtered or unexported fields
}
Client gets public keys from a remote JWKS. It reads the jwks_uri field from the issuer's /.well-known/openid-configuration endpoint and fetches the key set from there. NOTE: a typical service should use CachingClient instead, to avoid making HTTP requests on every JWT verification.
func NewClientWithOpts
func NewClientWithOpts(opts ClientOpts) *Client
NewClientWithOpts returns a new Client configured by opts.
type ClientOpts
type ClientOpts struct {
// HTTPClient is an HTTP client for making requests.
HTTPClient *http.Client
// LoggerProvider is a function that provides a logger for the Client.
LoggerProvider func(ctx context.Context) log.FieldLogger
// PrometheusLibInstanceLabel is a label for Prometheus metrics.
// It allows distinguishing metrics from different instances of the same library.
PrometheusLibInstanceLabel string
}
ClientOpts contains options for the JWKS client.
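The route the Client description above sketches (discovery document, jwks_uri, then the JWK matching a kid) is short enough to show end to end. The following is an added example for this page and not the package's own code: it runs a constructed in-process issuer with httptest, fetches its discovery document and key set over the ClientOpts-style *http.Client, decodes the RSA JWK into an *rsa.PublicKey, and adds the two checks a practitioner would want here: the discovery document's issuer must equal the URL it was fetched under (OpenID Connect Discovery requires this), and the HTTP client carries a timeout. The endpoint paths and kid are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// jwk carries the RSA members of a JSON Web Key (RFC 7517 / RFC 7518).
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

func getJSON(hc *http.Client, url string, v interface{}) error {
	resp, err := hc.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: status %d", url, resp.StatusCode)
	}
	return json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(v) // bounded body
}

// fetchRSAPublicKey follows the route the page's Client describes: discovery
// document, jwks_uri, then the RSA JWK whose kid matches.
func fetchRSAPublicKey(hc *http.Client, issuerURL, kid string) (*rsa.PublicKey, error) {
	var disc struct {
		Issuer  string `json:"issuer"`
		JWKSURI string `json:"jwks_uri"`
	}
	err := getJSON(hc, strings.TrimSuffix(issuerURL, "/")+"/.well-known/openid-configuration", &disc)
	if err != nil {
		return nil, fmt.Errorf("get openid configuration: %w", err)
	}
	// OIDC Discovery requires the document's "issuer" to equal the URL it was
	// fetched under; on a mismatch these keys belong to some other issuer.
	if disc.Issuer != issuerURL {
		return nil, fmt.Errorf("issuer mismatch: document says %q, expected %q", disc.Issuer, issuerURL)
	}
	var set map[string][]jwk
	if err := getJSON(hc, disc.JWKSURI, &set); err != nil {
		return nil, fmt.Errorf("get jwks: %w", err)
	}
	for _, k := range set["keys"] {
		if k.Kid != kid || k.Kty != "RSA" {
			continue
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil || len(n) < 256 { // reject malformed or sub-2048-bit keys
			return nil, fmt.Errorf("jwk %q: malformed or undersized RSA key", kid)
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("jwk not found by kid %q", kid)
}

// newTestIssuer serves a constructed discovery document and key set in-process
// for this example; it returns the issuer URL, the private key, and a stop func.
func newTestIssuer() (string, *rsa.PrivateKey, func()) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	mux := http.NewServeMux()
	srv := httptest.NewServer(mux)
	mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(map[string]string{"issuer": srv.URL, "jwks_uri": srv.URL + "/keys"})
	})
	mux.HandleFunc("/keys", func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(map[string][]jwk{"keys": {{Kty: "RSA", Kid: "key-2024",
			N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}})
	})
	return srv.URL, priv, srv.Close
}

func main() {
	issuer, priv, stop := newTestIssuer()
	defer stop()
	hc := &http.Client{Timeout: 5 * time.Second} // what you would pass as ClientOpts.HTTPClient
	pub, err := fetchRSAPublicKey(hc, issuer, "key-2024")
	fmt.Println(err, pub != nil && pub.N.Cmp(priv.N) == 0)
}
```

The issuer comparison is exact by design: "https://issuer.example" and "https://issuer.example/" are different issuer values, and normalising them away would also hide genuine mismatches. In production the discovery and JWKS requests must go over TLS; the plain-HTTP httptest server above exists only so the example runs offline.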
type GetJWKSError
GetJWKSError is an error returned when fetching the JWKS from the issuer's jwks_uri fails.
func (*GetJWKSError) Error
func (e *GetJWKSError) Error() string
func (*GetJWKSError) Unwrap
func (e *GetJWKSError) Unwrap() error
type GetOpenIDConfigurationError
GetOpenIDConfigurationError is an error returned when fetching the OpenID configuration (/.well-known/openid-configuration) for an issuer fails.
func (*GetOpenIDConfigurationError) Error
func (e *GetOpenIDConfigurationError) Error() string
func (*GetOpenIDConfigurationError) Unwrap
func (e *GetOpenIDConfigurationError) Unwrap() error
type JWKNotFoundError
JWKNotFoundError is an error returned when no JWK with the requested key ID (kid) is found in the issuer's JWKS.
func (*JWKNotFoundError) Error
func (e *JWKNotFoundError) Error() string