add square/go-jose.v2 token validator #84
Conversation
// UserContext is the struct that will be inserted into the context for the
// user. CustomClaims will be nil unless WithCustomClaims is passed to New.
type UserContext struct {
This is the struct that will be in the request context to identify the user.
// optional options which we will default if not specified
expectedClaims func() jwt.Expected
allowedClockSkew time.Duration
customClaims func() CustomClaims
We use a function for this because we don't want to share the same struct across go routines that are handling requests. The same is true for line 94.
🤔 are we actually writing to these structs? Or just read only?
We unmarshal into CustomClaims. expectedClaims can include a time to validate against, so a func allows us or the user to set the time as now.
See line 76 above.
if signatureAlgorithm != "" && signatureAlgorithm != tok.Headers[0].Algorithm {
return nil, fmt.Errorf("expected %q signin algorithm but token specified %q", signatureAlgorithm, tok.Headers[0].Algorithm)
}
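Review bot: the error message has a typo, "signin algorithm" should read "signing algorithm"; while here, the snippet indexes tok.Headers[0] twice without a visible check that tok.Headers is non-empty, so a guard such as `if len(tok.Headers) == 0 { return nil, errors.New("token has no header") }` before this comparison would avoid a panic on a malformed token rather than a clean validation error.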
This is in support of https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
if v.customClaims != nil {
claimDest = append(claimDest, v.customClaims())
}
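Review bot: the overlap behaviour described in the comment below (fields of the user's CustomClaims that duplicate jwt.Claims get populated from the token as well) is not visible in the code itself; it belongs in the doc comment of the CustomClaims interface or WithCustomClaims, since a user whose struct declares its own `exp` or `aud` field would otherwise not expect it to be filled from the token.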
If customClaims contains duplicate fields of jwt.Claims, the tok.Claims function on 124 will unmarshal into both.
if err = userCtx.CustomClaims.Validate(ctx); err != nil {
return nil, fmt.Errorf("custom claims not validated: %w", err)
}
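Review bot: userCtx.CustomClaims.Validate(ctx) is called here, but the UserContext doc comment states that CustomClaims is nil unless WithCustomClaims is passed to New; unless this call sits inside the `v.customClaims != nil` branch (not visible in this hunk), it needs a nil guard, e.g. `if userCtx.CustomClaims != nil { ... }`, so that the default configuration does not panic on every request.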
This is where custom validation can happen!
Looks good!
I like it. Soon I will take a stab at an implementation with JWX following this pattern. Nice work!
Signed-off-by: Jon Carl <[email protected]>
Codecov Report

Coverage Diff (base v2 vs. PR #84):

                 v2      #84      +/-
Coverage      95.08%   90.65%   -4.43%
Files              1        2       +1
Lines             61      107      +46
Hits              58       97      +39
Misses             2        9       +7
Partials           1        1
In support of #73 this adds a square/go-jose.v2 implementation ValidateToken. This comes complete with an example. The package also adds support for clock skew (#58), custom claims (#53), custom validation (#74), and expected claims. It also supports algorithm validation.
Note that I'm merging this into the v2 branch and not main as v2 is not ready to be released yet.
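An added example, written here with the Go standard library only and not taken from this PR or the go-jose.v2 package, showing two of the validations the description lists: pinning the expected signing algorithm before the signature is checked (the check discussed above, in support of the linked Auth0 post) and applying an allowed clock skew to the exp claim. signHS256 exists only to build constructed test tokens; the key, claims and skew values are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// signHS256 builds a compact JWS for claims; constructed test input only, not an issuer.
func signHS256(claims map[string]interface{}, key []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256"})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 pins the header alg before looking at the signature (the check the PR adds),
// verifies the HMAC, then checks exp against now minus the allowed clock skew.
func VerifyHS256(token string, key []byte, now time.Time, skew time.Duration) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("malformed JWS header")
	}
	if hdr.Alg != "HS256" { // the token's own header must never choose the verification algorithm
		return nil, fmt.Errorf("expected %q signing algorithm but token specified %q", "HS256", hdr.Alg)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]interface{}
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("malformed claims")
	}
	if exp, ok := claims["exp"].(float64); ok && time.Unix(int64(exp), 0).Before(now.Add(-skew)) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}
```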