type ServiceAccountTokenGetter … type TokenGenerator … // JWTTokenGenerator returns a TokenGenerator that generates signed JWT tokens, using the given privateKey. // privateKey is a PEM-encoded byte array of a private RSA key. func JWTTokenGenerator(iss string, privateKey interface{ … } // keyIDFromPublicKey derives a key ID non-reversibly from a public key. // // The Key ID is a field on JWTs and JWKs that helps relying parties // pick the correct key for verification when the identity party advertises // multiple keys. // // Making the derivation non-reversible makes it impossible for someone to // accidentally obtain the real key from the key ID and use it for token // validation. func keyIDFromPublicKey(publicKey interface{ … } func signerFromRSAPrivateKey(keyPair *rsa.PrivateKey) (jose.Signer, error) { … } func signerFromECDSAPrivateKey(keyPair *ecdsa.PrivateKey) (jose.Signer, error) { … } func signerFromOpaqueSigner(opaqueSigner jose.OpaqueSigner) (jose.Signer, error) { … } type jwtTokenGenerator … func (j *jwtTokenGenerator) GenerateToken(claims *jwt.Claims, privateClaims interface{ … } // JWTTokenAuthenticator authenticates tokens as JWT tokens produced by JWTTokenGenerator // Token signatures are verified using each of the given public keys until one works (allowing key rotation) // If lookup is true, the service account and secret referenced as claims inside the token are retrieved and verified with the provided ServiceAccountTokenGetter func JWTTokenAuthenticator[PrivateClaims any](issuers []string, publicKeysGetter PublicKeysGetter, implicitAuds authenticator.Audiences, validator Validator[PrivateClaims]) authenticator.Token { … } type Listener … type PublicKeysGetter … type PublicKey … type staticPublicKeysGetter … // StaticPublicKeysGetter constructs an implementation of PublicKeysGetter // which returns all public keys when key id is unspecified, and returns // the public keys matching the keyIDFromPublicKey-derived key id when // a key id is 
specified. func StaticPublicKeysGetter(keys []interface{ … } func (s staticPublicKeysGetter) AddListener(listener Listener) { … } func (s staticPublicKeysGetter) GetCacheAgeMaxSeconds() int { … } func (s staticPublicKeysGetter) GetPublicKeys(keyID string) []PublicKey { … } type jwtTokenAuthenticator … type Validator … func (j *jwtTokenAuthenticator[PrivateClaims]) AuthenticateToken(ctx context.Context, tokenData string) (*authenticator.Response, bool, error) { … } // hasCorrectIssuer returns true if tokenData is a valid JWT in compact // serialization format and the "iss" claim matches the iss field of this token // authenticator, and otherwise returns false. // // Note: go-jose currently does not allow access to unverified JWS payloads. // See https://github.com/square/go-jose/issues/169 func (j *jwtTokenAuthenticator[PrivateClaims]) hasCorrectIssuer(tokenData string) bool { … }