jo-micro
/
auth2
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
v0.0.1
v0.0.2
v0.0.3
v0.1.0
v0.2.0
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0a7672adcf'
${ noResults }
auth2/plugins/client/jwt/jwt.go

182 lines
4.4 KiB
Go
Raw Blame History

package jwt
import (
"context"
"crypto/ed25519"
"crypto/rsa"
"errors"
"fmt"
"strings"
"time"
"github.com/golang-jwt/jwt/v4"
"github.com/urfave/cli/v2"
"go-micro.dev/v4/metadata"
"go-micro.dev/v4/server"
"jochum.dev/jo-micro/auth2"
"jochum.dev/jo-micro/auth2/shared/sjwt"
"jochum.dev/jo-micro/auth2/shared/sutil"
"jochum.dev/jo-micro/components"
)
func New() auth2.ClientPlugin {
return &jwtPlugin{
verifiers: []auth2.VerifierPlugin{},
}
}
type jwtPlugin struct {
audiences []string
pubKey any
privKey any
verifiers []auth2.VerifierPlugin
}
func (p *jwtPlugin) String() string {
return "jwt"
}
func (p *jwtPlugin) Flags(r *components.Registry) []cli.Flag {
return []cli.Flag{
&cli.StringFlag{
Name: "auth2_jwt_pub_key",
Usage: "Public key PEM base64 encoded for access keys",
EnvVars: []string{"AUTH2_JWT_PUB_KEY"},
}, &cli.StringFlag{
Name: "auth2_jwt_priv_key",
Usage: "Private key PEM base64 encoded for access keys",
EnvVars: []string{"AUTH2_JWT_PRIV_KEY"},
}, &cli.StringSliceFlag{
Name: "auth2_jwt_audience",
Usage: "Add and expect this JWT audience",
EnvVars: []string{"AUTH2_JWT_AUDIENCES"},
},
}
}
func (p *jwtPlugin) Init(r *components.Registry, cli *cli.Context) error {
if len(cli.String("auth2_jwt_pub_key")) < 1 || len(cli.String("auth2_jwt_priv_key")) < 1 {
return errors.New("you must provide auth2_jwt_(priv|pub)_key")
}
if cli.StringSlice("auth2_jwt_audience") == nil {
return errors.New("AUTH2_JWT_AUDIENCES must be given")
}
pub, priv, err := sjwt.DecodeKeyPair(cli.String("auth2_jwt_pub_key"), cli.String("auth2_jwt_priv_key"))
if err != nil {
return err
}
p.audiences = cli.StringSlice("auth2_jwt_audience")
p.pubKey = pub
p.privKey = priv
return nil
}
func (p *jwtPlugin) Stop() error {
return nil
}
func (p *jwtPlugin) Health(ctx context.Context) error {
return nil
}
func (p *jwtPlugin) AddVerifier(v auth2.VerifierPlugin) {
p.verifiers = append(p.verifiers, v)
}
func (p *jwtPlugin) ServiceContext(ctx context.Context) (context.Context, error) {
user := auth2.ServiceUser
// Create the AccessToken
accessClaims := sjwt.JWTClaims{
RegisteredClaims: &jwt.RegisteredClaims{
Issuer: user.Issuer,
Subject: user.Metadata["Subject"],
Audience: p.audiences,
ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Duration(10) * time.Second)),
NotBefore: jwt.NewNumericDate(time.Now().Add(-time.Second)),
IssuedAt: jwt.NewNumericDate(time.Now()),
ID: user.Id,
},
Roles: user.Roles,
}
if err := accessClaims.Valid(); err != nil {
return ctx, err
}
var accessToken *jwt.Token
switch p.privKey.(type) {
case *rsa.PrivateKey:
accessToken = jwt.NewWithClaims(jwt.SigningMethodRS512, accessClaims)
case ed25519.PrivateKey:
accessToken = jwt.NewWithClaims(jwt.SigningMethodEdDSA, accessClaims)
}
accessSignedToken, err := accessToken.SignedString(p.privKey)
if err != nil {
return ctx, err
}
md := metadata.Metadata{
"Authorization": fmt.Sprintf("Bearer %s", accessSignedToken),
}
ctx = metadata.MergeContext(ctx, md, true)
return ctx, nil
}
func (p *jwtPlugin) Inspect(ctx context.Context) (*auth2.User, error) {
md, ok := metadata.FromContext(ctx)
if !ok {
return nil, errors.New("failed to extract metadata from context")
}
authH, ok := md.Get("Authorization")
if !ok {
return nil, errors.New("failed to get Authorization header from context")
}
aTokenString, _, err := sutil.ExtractToken(authH)
if err != nil {
return nil, err
}
claims := sjwt.JWTClaims{}
_, err = jwt.ParseWithClaims(aTokenString, &claims, func(token *jwt.Token) (interface{}, error) {
return p.pubKey, nil
})
if err != nil {
return nil, err
}
cMD := map[string]string{
"Audience": strings.Join(claims.Audience, ","),
"ExpiresAt": fmt.Sprintf("%d", claims.ExpiresAt),
"IssuedAt": fmt.Sprintf("%d", claims.IssuedAt),
"NotBefore": fmt.Sprintf("%d", claims.NotBefore),
"Subject": claims.Subject,
}
return &auth2.User{Id: claims.ID, Type: claims.Type, Issuer: claims.Issuer, Metadata: cMD, Scopes: claims.Scopes, Roles: claims.Roles}, nil
}
func (p *jwtPlugin) WrapHandlerFunc(ctx context.Context, req server.Request, rsp interface{}) error {
u, err := p.Inspect(ctx)
if err != nil {
u = auth2.AnonUser
}
ctx = context.WithValue(ctx, auth2.ContextUserKey{}, u)
var defaultDenyOk bool
for _, v := range p.verifiers {
err, defaultDenyOk = v.Verify(ctx, u, req)
if !defaultDenyOk && err != nil {
return err
}
}
return err
}
Reference in New Issue View Git Blame Copy Permalink