-
Notifications
You must be signed in to change notification settings - Fork 13
/
keypairauthenticator.go
111 lines (94 loc) · 2.72 KB
/
keypairauthenticator.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
package oauth
import (
"crypto/rsa"
"fmt"
"net/url"
"time"
"github.com/Axway/agent-sdk/pkg/util"
"github.com/golang-jwt/jwt"
"github.com/google/uuid"
)
const (
SigningMethodRS256 = "RS256"
SigningMethodRS384 = "RS384"
SigningMethodRS512 = "RS512"
SigningMethodES256 = "ES256"
SigningMethodES384 = "ES384"
SigningMethodES512 = "ES512"
SigningMethodPS256 = "PS256"
SigningMethodPS384 = "PS384"
SigningMethodPS512 = "PS512"
SigningMethodHS256 = "HS256"
SigningMethodHS384 = "HS384"
SigningMethodHS512 = "HS512"
)
var signingMethodMap = map[string]jwt.SigningMethod{
SigningMethodRS256: jwt.SigningMethodRS256,
SigningMethodRS384: jwt.SigningMethodRS384,
SigningMethodRS512: jwt.SigningMethodRS512,
SigningMethodES256: jwt.SigningMethodES256,
SigningMethodES384: jwt.SigningMethodES384,
SigningMethodES512: jwt.SigningMethodES512,
SigningMethodPS256: jwt.SigningMethodPS256,
SigningMethodPS384: jwt.SigningMethodPS384,
SigningMethodPS512: jwt.SigningMethodPS512,
SigningMethodHS256: jwt.SigningMethodHS256,
SigningMethodHS384: jwt.SigningMethodHS384,
SigningMethodHS512: jwt.SigningMethodHS512,
}
type keyPairAuthenticator struct {
clientID string
issuer string
aud string
privateKey *rsa.PrivateKey
publicKey []byte
scope string
signingMethod string
}
func getSigningMethod(signingMethod string, defaultSigningMethod jwt.SigningMethod) jwt.SigningMethod {
sm, ok := signingMethodMap[signingMethod]
if !ok {
return defaultSigningMethod
}
return sm
}
// prepareInitialToken prepares a token for an access request
func (p *keyPairAuthenticator) prepareInitialToken(kid string) (string, error) {
now := time.Now()
if p.issuer == "" {
p.issuer = fmt.Sprintf("%s:%s", assertionTypeJWT, p.clientID)
}
token := jwt.NewWithClaims(getSigningMethod(p.signingMethod, jwt.SigningMethodRS256), jwt.StandardClaims{
Issuer: p.issuer,
Subject: p.clientID,
Audience: p.aud,
ExpiresAt: now.Add(60*time.Second).UnixNano() / 1e9,
IssuedAt: now.UnixNano() / 1e9,
Id: uuid.New().String(),
})
token.Header["kid"] = kid
requestToken, err := token.SignedString(p.privateKey)
if err != nil {
return "", err
}
return requestToken, nil
}
func (p *keyPairAuthenticator) prepareRequest() (url.Values, map[string]string, error) {
kid, err := util.ComputeKIDFromDER(p.publicKey)
if err != nil {
return nil, nil, err
}
requestToken, err := p.prepareInitialToken(kid)
if err != nil {
return nil, nil, err
}
v := url.Values{
metaGrantType: []string{GrantTypeClientCredentials},
metaClientAssertionType: []string{assertionTypeJWT},
metaClientAssertion: []string{requestToken},
}
if p.scope != "" {
v.Add(metaScope, p.scope)
}
return v, nil, nil
}