forked from Nerzal/gocloak
-
Notifications
You must be signed in to change notification settings - Fork 0
/
jwx.go
99 lines (85 loc) · 2.53 KB
/
jwx.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
package jwx
import (
"bytes"
"crypto/rsa"
"encoding/base64"
"encoding/binary"
"encoding/json"
"fmt"
"math/big"
"strings"
jwt "github.com/dgrijalva/jwt-go"
)
// DecodeAccessTokenHeader decodes the header of the accessToken
func DecodeAccessTokenHeader(token string) (*DecodedAccessTokenHeader, error) {
token = strings.Replace(token, "Bearer ", "", 1)
headerString := strings.Split(token, ".")
decodedData, err := base64.RawStdEncoding.DecodeString(headerString[0])
if err != nil {
return nil, err
}
result := &DecodedAccessTokenHeader{}
err = json.Unmarshal(decodedData, result)
if err != nil {
return nil, err
}
return result, nil
}
func decodePublicKey(e, n *string) (*rsa.PublicKey, error) {
decN, err := base64.RawURLEncoding.DecodeString(*n)
if err != nil {
return nil, err
}
nInt := big.NewInt(0)
nInt.SetBytes(decN)
decE, err := base64.RawURLEncoding.DecodeString(*e)
if err != nil {
return nil, err
}
var eBytes []byte
if len(decE) < 8 {
eBytes = make([]byte, 8-len(decE), 8)
eBytes = append(eBytes, decE...)
} else {
eBytes = decE
}
eReader := bytes.NewReader(eBytes)
var eInt uint64
err = binary.Read(eReader, binary.BigEndian, &eInt)
if err != nil {
return nil, err
}
pKey := rsa.PublicKey{N: nInt, E: int(eInt)}
return &pKey, nil
}
// DecodeAccessToken currently only supports RSA - sorry for that
func DecodeAccessToken(accessToken string, e, n *string) (*jwt.Token, *jwt.MapClaims, error) {
rsaPublicKey, err := decodePublicKey(e, n)
if err != nil {
return nil, nil, err
}
claims := &jwt.MapClaims{}
token2, err := jwt.ParseWithClaims(accessToken, claims, func(token *jwt.Token) (interface{}, error) {
// Don't forget to validate the alg is what you expect:
if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}
return rsaPublicKey, nil
})
return token2, claims, err
}
// DecodeAccessTokenCustomClaims currently only supports RSA - sorry for that
func DecodeAccessTokenCustomClaims(accessToken string, e, n *string, customClaims jwt.Claims) (*jwt.Token, error) {
rsaPublicKey, err := decodePublicKey(e, n)
if err != nil {
return nil, err
}
token2, err := jwt.ParseWithClaims(accessToken, customClaims, func(token *jwt.Token) (interface{}, error) {
// Don't forget to validate the alg is what you expect:
if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}
return rsaPublicKey, nil
})
return token2, err
}