add square/go-jose.v2 token validator #84
Conversation
|
|
||
| // UserContext is the struct that will be inserted into the context for the | ||
| // user. CustomClaims will be nil unless WithCustomClaims is passed to New. | ||
| type UserContext struct { |
There was a problem hiding this comment.
This is the struct that will be in the request context to identify the user.
| // optional options which we will default if not specified | ||
| expectedClaims func() jwt.Expected | ||
| allowedClockSkew time.Duration | ||
| customClaims func() CustomClaims |
There was a problem hiding this comment.
We use a function for this because we don't want to share the same struct across go routines that are handling requests. The same is true for line 94.
There was a problem hiding this comment.
🤔 are we actually writing to these structs? Or just read only?
There was a problem hiding this comment.
We unmarshal into CustomClaims. expectedClaims can include a time to validate against so a func allows us or the user to set the time as now.
There was a problem hiding this comment.
See line 76 above.
| if signatureAlgorithm != "" && signatureAlgorithm != tok.Headers[0].Algorithm { | ||
| return nil, fmt.Errorf("expected %q signin algorithm but token specified %q", signatureAlgorithm, tok.Headers[0].Algorithm) | ||
| } |
There was a problem hiding this comment.
This is in support of https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
| if v.customClaims != nil { | ||
| claimDest = append(claimDest, v.customClaims()) | ||
| } |
There was a problem hiding this comment.
If customClaims contains duplicate fields of jwt.Claims the tok.Claims function on 124 will unmarshal into both.
| if err = userCtx.CustomClaims.Validate(ctx); err != nil { | ||
| return nil, fmt.Errorf("custom claims not validated: %w", err) | ||
| } |
There was a problem hiding this comment.
This is where custom validation can happen!
|
I like it. Soon I will take a stab at an implementation with JWX following this pattern. Nice work! |
grounded042
force-pushed
the
jon/go-jose-token-validator
branch
from
7ec7235
to
3d59acb
Compare
Signed-off-by: Jon Carl <jon.carl@auth0.com>
Signed-off-by: Jon Carl <jon.carl@auth0.com>
Signed-off-by: Jon Carl <jon.carl@auth0.com>
Signed-off-by: Jon Carl <jon.carl@auth0.com>
Signed-off-by: Jon Carl <jon.carl@auth0.com>
grounded042
force-pushed
the
jon/go-jose-token-validator
branch
from
3d59acb
to
71a966e
Compare
Signed-off-by: Jon Carl <jon.carl@auth0.com>
Codecov Report
@@ Coverage Diff @@
## v2 #84 +/- ##
==========================================
- Coverage 95.08% 90.65% -4.43%
==========================================
Files 1 2 +1
Lines 61 107 +46
==========================================
+ Hits 58 97 +39
- Misses 2 9 +7
Partials 1 1
Continue to review full report at Codecov.
|
Signed-off-by: Jon Carl <jon.carl@auth0.com>
Signed-off-by: Jon Carl <jon.carl@auth0.com>
Signed-off-by: Jon Carl <jon.carl@auth0.com>
Signed-off-by: Jon Carl <jon.carl@auth0.com>
Signed-off-by: Jon Carl <jon.carl@auth0.com>
Signed-off-by: Jon Carl <jon.carl@auth0.com>
Signed-off-by: Jon Carl <jon.carl@auth0.com>
Signed-off-by: Jon Carl <jon.carl@auth0.com>
Signed-off-by: Jon Carl <jon.carl@auth0.com>
In support of #73 this adds a square/go-jose.v2 implementation
ValidateToken.This comes complete with an example. The package also adds support for clock skew (#58), custom claims (#53), custom validation (#74), and expected claims. It also supports algorithm validation.
Note that I'm merging this into the v2 branch and not main as v2 is not ready to be released yet.