This repository has been archived by the owner on May 21, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 995
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #77 from dgrijalva/release_3_0_0
Release 3.0.0
- Loading branch information
Showing
27 changed files
with
1,274 additions
and
241 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,96 @@ | ||
## Migration Guide from v2 -> v3 | ||
|
||
Version 3 adds several new, frequently requested features. To do so, it introduces a few breaking changes. We've worked to keep these as minimal as possible. This guide explains the breaking changes and how you can quickly update your code. | ||
|
||
### `Token.Claims` is now an interface type | ||
|
||
The most requested feature from the 2.0 verison of this library was the ability to provide a custom type to the JSON parser for claims. This was implemented by introducing a new interface, `Claims`, to replace `map[string]interface{}`. We also included two concrete implementations of `Claims`: `MapClaims` and `StandardClaims`. | ||
|
||
`MapClaims` is an alias for `map[string]interface{}` with built in validation behavior. It is the default claims type when using `Parse`. The usage is unchanged except you must type cast the claims property. | ||
|
||
The old example for parsing a token looked like this.. | ||
|
||
```go | ||
if token, err := jwt.Parse(tokenString, keyLookupFunc); err == nil { | ||
fmt.Printf("Token for user %v expires %v", token.Claims["user"], token.Claims["exp"]) | ||
} | ||
``` | ||
|
||
is now directly mapped to... | ||
|
||
```go | ||
if token, err := jwt.Parse(tokenString, keyLookupFunc); err == nil { | ||
claims := token.Claims.(jwt.MapClaims) | ||
fmt.Printf("Token for user %v expires %v", claims["user"], claims["exp"]) | ||
} | ||
``` | ||
|
||
`StandardClaims` is designed to be embedded in your custom type. You can supply a custom claims type with the new `ParseWithClaims` function. Here's an example of using a custom claims type. | ||
|
||
```go | ||
type MyCustomClaims struct { | ||
User string | ||
*StandardClaims | ||
} | ||
|
||
if token, err := jwt.ParseWithClaims(tokenString, &MyCustomClaims{}, keyLookupFunc); err == nil { | ||
claims := token.Claims.(*MyCustomClaims) | ||
fmt.Printf("Token for user %v expires %v", claims.User, claims.StandardClaims.ExpiresAt) | ||
} | ||
``` | ||
|
||
### `ParseFromRequest` has been moved | ||
|
||
To keep this library focused on the tokens without becoming overburdened with complex request processing logic, `ParseFromRequest` and its new companion `ParseFromRequestWithClaims` have been moved to a subpackage, `request`. The method signatues have also been augmented to receive a new argument: `Extractor`. | ||
|
||
`Extractors` do the work of picking the token string out of a request. The interface is simple and composable. | ||
|
||
This simple parsing example: | ||
|
||
```go | ||
if token, err := jwt.ParseFromRequest(tokenString, req, keyLookupFunc); err == nil { | ||
fmt.Printf("Token for user %v expires %v", token.Claims["user"], token.Claims["exp"]) | ||
} | ||
``` | ||
|
||
is directly mapped to: | ||
|
||
```go | ||
if token, err := request.ParseFromRequest(tokenString, request.OAuth2Extractor, req, keyLookupFunc); err == nil { | ||
fmt.Printf("Token for user %v expires %v", token.Claims["user"], token.Claims["exp"]) | ||
} | ||
``` | ||
|
||
There are several concrete `Extractor` types provided for your convenience: | ||
|
||
* `HeaderExtractor` will search a list of headers until one contains content. | ||
* `ArgumentExtractor` will search a list of keys in request query and form arguments until one contains content. | ||
* `MultiExtractor` will try a list of `Extractors` in order until one returns content. | ||
* `AuthorizationHeaderExtractor` will look in the `Authorization` header for a `Bearer` token. | ||
* `OAuth2Extractor` searches the places an OAuth2 token would be specified (per the spec): `Authorization` header and `access_token` argument | ||
* `PostExtractionFilter` wraps an `Extractor`, allowing you to process the content before it's parsed. A simple example is stripping the `Bearer ` text from a header | ||
|
||
|
||
### RSA signing methods no longer accept `[]byte` keys | ||
|
||
Due to a [critical vulnerability](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/), we've decided the convenience of accepting `[]byte` instead of `rsa.PublicKey` or `rsa.PrivateKey` isn't worth the risk of misuse. | ||
|
||
To replace this behavior, we've added two helper methods: `ParseRSAPrivateKeyFromPEM(key []byte) (*rsa.PrivateKey, error)` and `ParseRSAPublicKeyFromPEM(key []byte) (*rsa.PublicKey, error)`. These are just simple helpers for unpacking PEM encoded PKCS1 and PKCS8 keys. If your keys are encoded any other way, all you need to do is convert them to the `crypto/rsa` package's types. | ||
|
||
```go | ||
func keyLookupFunc(*Token) (interface{}, error) { | ||
// Don't forget to validate the alg is what you expect: | ||
if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { | ||
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) | ||
} | ||
|
||
// Look up key | ||
key, err := lookupPublicKey(token.Header["kid"]) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
// Unpack key from PEM encoded PKCS8 | ||
return jwt.ParseRSAPublicKeyFromPEM(key) | ||
} | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,134 @@ | ||
package jwt | ||
|
||
import ( | ||
"crypto/subtle" | ||
"fmt" | ||
"time" | ||
) | ||
|
||
// For a type to be a Claims object, it must just have a Valid method that determines | ||
// if the token is invalid for any supported reason | ||
type Claims interface { | ||
Valid() error | ||
} | ||
|
||
// Structured version of Claims Section, as referenced at | ||
// https://tools.ietf.org/html/rfc7519#section-4.1 | ||
// See examples for how to use this with your own claim types | ||
type StandardClaims struct { | ||
Audience string `json:"aud,omitempty"` | ||
ExpiresAt int64 `json:"exp,omitempty"` | ||
Id string `json:"jti,omitempty"` | ||
IssuedAt int64 `json:"iat,omitempty"` | ||
Issuer string `json:"iss,omitempty"` | ||
NotBefore int64 `json:"nbf,omitempty"` | ||
Subject string `json:"sub,omitempty"` | ||
} | ||
|
||
// Validates time based claims "exp, iat, nbf". | ||
// There is no accounting for clock skew. | ||
// As well, if any of the above claims are not in the token, it will still | ||
// be considered a valid claim. | ||
func (c StandardClaims) Valid() error { | ||
vErr := new(ValidationError) | ||
now := TimeFunc().Unix() | ||
|
||
// The claims below are optional, by default, so if they are set to the | ||
// default value in Go, let's not fail the verification for them. | ||
if c.VerifyExpiresAt(now, false) == false { | ||
delta := time.Unix(now, 0).Sub(time.Unix(c.ExpiresAt, 0)) | ||
vErr.Inner = fmt.Errorf("token is expired by %v", delta) | ||
vErr.Errors |= ValidationErrorExpired | ||
} | ||
|
||
if c.VerifyIssuedAt(now, false) == false { | ||
vErr.Inner = fmt.Errorf("Token used before issued") | ||
vErr.Errors |= ValidationErrorIssuedAt | ||
} | ||
|
||
if c.VerifyNotBefore(now, false) == false { | ||
vErr.Inner = fmt.Errorf("token is not valid yet") | ||
vErr.Errors |= ValidationErrorNotValidYet | ||
} | ||
|
||
if vErr.valid() { | ||
return nil | ||
} | ||
|
||
return vErr | ||
} | ||
|
||
// Compares the aud claim against cmp. | ||
// If required is false, this method will return true if the value matches or is unset | ||
func (c *StandardClaims) VerifyAudience(cmp string, req bool) bool { | ||
return verifyAud(c.Audience, cmp, req) | ||
} | ||
|
||
// Compares the exp claim against cmp. | ||
// If required is false, this method will return true if the value matches or is unset | ||
func (c *StandardClaims) VerifyExpiresAt(cmp int64, req bool) bool { | ||
return verifyExp(c.ExpiresAt, cmp, req) | ||
} | ||
|
||
// Compares the iat claim against cmp. | ||
// If required is false, this method will return true if the value matches or is unset | ||
func (c *StandardClaims) VerifyIssuedAt(cmp int64, req bool) bool { | ||
return verifyIat(c.IssuedAt, cmp, req) | ||
} | ||
|
||
// Compares the iss claim against cmp. | ||
// If required is false, this method will return true if the value matches or is unset | ||
func (c *StandardClaims) VerifyIssuer(cmp string, req bool) bool { | ||
return verifyIss(c.Issuer, cmp, req) | ||
} | ||
|
||
// Compares the nbf claim against cmp. | ||
// If required is false, this method will return true if the value matches or is unset | ||
func (c *StandardClaims) VerifyNotBefore(cmp int64, req bool) bool { | ||
return verifyNbf(c.NotBefore, cmp, req) | ||
} | ||
|
||
// ----- helpers | ||
|
||
func verifyAud(aud string, cmp string, required bool) bool { | ||
if aud == "" { | ||
return !required | ||
} | ||
if subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) != 0 { | ||
return true | ||
} else { | ||
return false | ||
} | ||
} | ||
|
||
func verifyExp(exp int64, now int64, required bool) bool { | ||
if exp == 0 { | ||
return !required | ||
} | ||
return now <= exp | ||
} | ||
|
||
func verifyIat(iat int64, now int64, required bool) bool { | ||
if iat == 0 { | ||
return !required | ||
} | ||
return now >= iat | ||
} | ||
|
||
func verifyIss(iss string, cmp string, required bool) bool { | ||
if iss == "" { | ||
return !required | ||
} | ||
if subtle.ConstantTimeCompare([]byte(iss), []byte(cmp)) != 0 { | ||
return true | ||
} else { | ||
return false | ||
} | ||
} | ||
|
||
func verifyNbf(nbf int64, now int64, required bool) bool { | ||
if nbf == 0 { | ||
return !required | ||
} | ||
return now >= nbf | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.