package jwt
import (
	"context"
	"errors"
	"math"
	"net/http"
	"strconv"
	"sync"
	"time"

	"github.com/Sosivio/go-guardian/v2/auth/internal"
	"github.com/Sosivio/go-guardian/v2/auth/internal/header"
	"gopkg.in/square/go-jose.v2"
)
// cacheControl is the response header whose max-age directive, when present,
// overrides the default refresh interval of the cached key set (see setExpiresAt).
const cacheControl = "cache-control"
// jwks is a lazily refreshed, in-memory cache of an issuer's JSON Web Key Set,
// keyed by the JWK "kid". The verification keys come from the network, so the
// security-relevant questions are how long a fetched key keeps being trusted
// and when the set is re-fetched; both are decided in load/setExpiresAt.
type jwks struct {
	// mu guards keys and expiresAt; hold it for every read or write of either.
	// load takes it for the whole fetch-and-replace so concurrent callers
	// never observe a half-written map.
	mu sync.Mutex
	// requester performs the GET against the JWKS endpoint (project helper;
	// any timeout or TLS configuration lives there — not visible in this file).
	requester *internal.Requester
	// expiresAt is the UTC instant after which load re-fetches the key set.
	// The zero value means "never fetched", so the first Get always fetches.
	expiresAt time.Time
	// interval is the refresh period used when the response carries no usable
	// Cache-Control max-age. newJWKS sets it to five minutes.
	interval time.Duration
	// keys maps JWK "kid" to the key. A JWK without a kid lands under "".
	keys map[string]jose.JSONWebKey
}
// KID reports the identifier of this key source. A JWKS holds many keys, each
// selected per token through Get, so there is no single identifier to report
// and the empty string is always returned.
func (j *jwks) KID() (kid string) {
	return
}
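// Get returns the key material and the algorithm recorded for the key
// identified by kid, refreshing the cached key set first if it has expired.
//
// kid comes from the (not yet verified) JWT header and is untrusted. A kid
// that is not in the cache is rejected rather than triggering a network
// fetch, which keeps an attacker from using bogus kids to hammer the JWKS
// endpoint; the flip side is that a freshly rotated key is only usable once
// the cache expires (at most j.interval or the server's max-age later).
//
// The returned algorithm is whatever the JWK carried in "alg"; it is empty
// when the publisher omitted it, and callers must not treat it as trusted
// input for algorithm selection without their own allow-list.
func (j *jwks) Get(kid string) (interface{}, string, error) {
	if err := j.load(); err != nil {
		return nil, "", err
	}

	// The lookup must happen under j.mu: another goroutine may be inside
	// load() rewriting j.keys right now, and an unsynchronized map read
	// concurrent with that write is a data race that the Go runtime turns
	// into a fatal "concurrent map read and map write" crash.
	j.mu.Lock()
	v, ok := j.keys[kid]
	j.mu.Unlock()

	if !ok {
		// Quote the kid so a hostile value (newlines, control characters)
		// cannot be written verbatim into logs that record this error.
		return nil, "", errors.New(
			"strategies/oauth2/jwt: Invalid " + strconv.Quote(kid) + " KID",
		)
	}
	return v.Key, v.Algorithm, nil
}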
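// load refreshes the cached key set from the remote JWKS endpoint when the
// cache has expired and is a no-op while it is still fresh.
//
// The whole refresh runs under j.mu so that concurrent callers perform one
// fetch at a time and never observe a half-written map.
//
// The fetched set REPLACES the cache instead of being merged into it: a key
// the issuer has removed from its JWKS (rotated out or revoked after a
// compromise) must stop validating tokens, and a merge-only cache would keep
// trusting it for the lifetime of the process. Consequently an empty key set
// from the issuer empties the cache — the cache fails closed. Keys sharing a
// kid resolve to the last one listed; a key with no kid is stored under "".
//
// Known limitations, left as they were:
//   - On a fetch error the previous keys stay in place and expiresAt is not
//     advanced, so the next Get retries immediately; there is no back-off.
//   - The request uses context.TODO(), so any deadline has to come from the
//     Requester's HTTP client (not visible here — TODO confirm one is set).
func (j *jwks) load() error {
	j.mu.Lock()
	defer j.mu.Unlock()

	if time.Now().UTC().Before(j.expiresAt) {
		return nil
	}

	kset := new(jose.JSONWebKeySet)
	//nolint:bodyclose
	resp, err := j.requester.Do(context.TODO(), nil, nil, kset)
	if err != nil {
		return err
	}

	// Build the new map off to the side and swap it in, so the cache is
	// either the old complete set or the new complete set, never a mix.
	fresh := make(map[string]jose.JSONWebKey, len(kset.Keys))
	for _, v := range kset.Keys {
		fresh[v.KeyID] = v
	}
	j.keys = fresh
	j.setExpiresAt(resp.Header)
	return nil
}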
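// setExpiresAt schedules the next refresh from the response's Cache-Control
// max-age, falling back to the configured interval when the directive is
// absent or unusable.
//
// max-age is controlled by whoever answers for the JWKS endpoint, so it needs
// bounds: a negative or zero value, or one large enough to overflow a
// time.Duration when converted from seconds, would place expiresAt in the
// past and turn every token verification into a fresh network fetch — a cheap
// way to amplify load onto the issuer (and onto this service). Such values
// are ignored in favour of j.interval. There is deliberately no upper cap: a
// very long max-age is honoured as sent, which delays pickup of a rotation
// until it elapses; cap it here if that is a concern for your issuer.
//
// Must be called with j.mu held (load does so).
func (j *jwks) setExpiresAt(h http.Header) {
	interval := j.interval

	if v, ok := header.ParsePairs(h, cacheControl)["max-age"]; ok {
		// Largest number of whole seconds that still fits in a time.Duration.
		const maxSeconds = int64(math.MaxInt64 / time.Second)

		i, err := strconv.ParseInt(v, 10, 64)
		if err == nil && i > 0 && i <= maxSeconds {
			interval = time.Duration(i) * time.Second
		}
	}

	j.expiresAt = time.Now().Add(interval).UTC()
}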
// newJWKS builds a key source that fetches its JSON Web Key Set from addr
// (presumably the issuer's JWKS URL) with HTTP GET, re-fetching at most every
// five minutes unless the server's Cache-Control max-age says otherwise.
// Nothing is fetched here; the first Get performs the initial load.
func newJWKS(addr string) *jwks {
	const defaultInterval = 5 * time.Minute

	req := internal.NewRequester(addr)
	req.Method = http.MethodGet

	return &jwks{
		requester: req,
		interval:  defaultInterval,
		keys:      make(map[string]jose.JSONWebKey),
	}
}