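// CreateToken builds and signs a registry-style JWT for the authenticated
// request ar, granting exactly the actions recorded in ares.
//
// Token layout follows the docker/distribution token spec:
// https://github.com/docker/distribution/blob/master/docs/spec/auth/token.md#example
//
// Each element of ares becomes one "access" entry (type/name/actions). The
// action list is copied, sorted and never left nil, so the claim always
// serialises as a JSON array and the caller's authzResult is not mutated.
// The result is header.claims.signature with each part JOSE base64url
// encoded, ready for use as a bearer token.
//
// It returns an error when signing or JSON marshalling fails, or when the
// algorithm reported while signing the payload differs from the one already
// written into the header (the header would otherwise misdescribe the
// signature).
func (as *AuthServer) CreateToken(ar *authRequest, ares []authzResult) (string, error) {
	now := time.Now().Unix()
	tc := &as.config.Token

	// Sign something dummy to find out which algorithm is used, so the header
	// can advertise it before the real payload exists.
	_, sigAlg, err := tc.privateKey.Sign(strings.NewReader("dummy"), 0)
	if err != nil {
		return "", fmt.Errorf("failed to sign: %v", err)
	}

	header := token.Header{
		Type:       "JWT",
		SigningAlg: sigAlg,
		KeyID:      tc.publicKey.KeyID(),
	}
	headerJSON, err := json.Marshal(header)
	if err != nil {
		return "", fmt.Errorf("failed to marshal header: %v", err)
	}

	claims := token.ClaimSet{
		Issuer:   tc.Issuer,
		Subject:  ar.Account,
		Audience: ar.Service,
		// nbf is backdated by one second to tolerate small clock skew between
		// this server and the registry validating the token.
		NotBefore:  now - 1,
		IssuedAt:   now,
		Expiration: now + tc.Expiration,
		// NOTE(review): math/rand is not a CSPRNG, so the jti is only a
		// best-effort unique id, not a secret. If it is ever relied on for
		// replay detection, switch to crypto/rand (needs a file-level import).
		JWTID:  fmt.Sprintf("%d", rand.Int63()),
		Access: make([]*token.ResourceActions, 0, len(ares)),
	}
	for _, a := range ares {
		// Copy before sorting so the caller's slice is left untouched.
		actions := append([]string(nil), a.autorizedActions...)
		if actions == nil {
			// A nil slice would marshal as JSON null; keep it an empty array.
			actions = []string{}
		}
		sort.Strings(actions)
		claims.Access = append(claims.Access, &token.ResourceActions{
			Type:    a.scope.Type,
			Name:    a.scope.Name,
			Actions: actions,
		})
	}
	claimsJSON, err := json.Marshal(claims)
	if err != nil {
		return "", fmt.Errorf("failed to marshal claims: %v", err)
	}

	payload := fmt.Sprintf("%s%s%s", joseBase64UrlEncode(headerJSON), token.TokenSeparator, joseBase64UrlEncode(claimsJSON))
	sig, sigAlg2, err := tc.privateKey.Sign(strings.NewReader(payload), 0)
	if err != nil {
		return "", fmt.Errorf("failed to sign token: %v", err)
	}
	// The header already committed to sigAlg; report the mismatch explicitly
	// instead of formatting a nil err into the message.
	if sigAlg2 != sigAlg {
		return "", fmt.Errorf("failed to sign token: signing algorithm changed from %q to %q", sigAlg, sigAlg2)
	}

	// NOTE(review): *ar is logged in full at Info level; confirm the request
	// type redacts any credential field when formatted with %s.
	glog.Infof("New token for %s: %s", *ar, claimsJSON)
	return fmt.Sprintf("%s%s%s", payload, token.TokenSeparator, joseBase64UrlEncode(sig)), nil
}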
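// CreateToken builds and signs a registry-style JWT for request ar that
// grants the given actions on the single resource named by ar.ai.
//
// Token layout follows the docker/distribution token spec:
// https://github.com/docker/distribution/blob/master/docs/spec/auth/token.md#example
//
// When actions is empty the "access" claim is an empty array (a token that
// authenticates the subject but authorises nothing). Intermediate values are
// traced at glog verbosity 3. The result is header.claims.signature with
// each part JOSE base64url encoded.
//
// It returns an error when signing or JSON marshalling fails, or when the
// algorithm reported while signing the payload differs from the one already
// written into the header.
func (as *AuthServer) CreateToken(ar *AuthRequest, actions []string) (string, error) {
	now := time.Now().Unix()
	tc := &as.config.Token

	// Sign something dummy to find out which algorithm is used, so the header
	// can advertise it before the real payload exists.
	_, sigAlg, err := tc.privateKey.Sign(strings.NewReader("dummy"), 0)
	if err != nil {
		return "", fmt.Errorf("failed to sign: %v", err)
	}

	header := token.Header{
		Type:       "JWT",
		SigningAlg: sigAlg,
		KeyID:      tc.publicKey.KeyID(),
	}
	glog.V(3).Infoln("header", header)
	headerJSON, err := json.Marshal(header)
	if err != nil {
		return "", fmt.Errorf("failed to marshal header: %v", err)
	}
	// Log as text; a raw []byte prints as a list of numbers.
	glog.V(3).Infoln("headerJSON", string(headerJSON))

	claims := token.ClaimSet{
		Issuer:   tc.Issuer,
		Subject:  ar.ai.Account,
		Audience: ar.ai.Service,
		// The validity window of length tc.Expiration is centred on now, so
		// the token is accepted for half that span before it was issued.
		// NOTE(review): presumably intentional skew tolerance — confirm.
		NotBefore:  now - tc.Expiration/2,
		IssuedAt:   now,
		Expiration: now + tc.Expiration/2,
		// NOTE(review): math/rand is not a CSPRNG, so the jti is only a
		// best-effort unique id, not a secret. If it is ever relied on for
		// replay detection, switch to crypto/rand (needs a file-level import).
		JWTID:  strconv.Itoa(rand.Int()),
		Access: []*token.ResourceActions{},
	}
	if len(actions) > 0 {
		claims.Access = []*token.ResourceActions{
			{Type: ar.ai.Type, Name: ar.ai.Name, Actions: actions},
		}
	}
	glog.V(3).Infoln("claims", claims)
	claimsJSON, err := json.Marshal(claims)
	if err != nil {
		return "", fmt.Errorf("failed to marshal claims: %v", err)
	}
	glog.V(3).Infoln("claimsJSON", string(claimsJSON))

	payload := fmt.Sprintf("%s%s%s", joseBase64UrlEncode(headerJSON), token.TokenSeparator, joseBase64UrlEncode(claimsJSON))
	glog.V(3).Infoln("payload", payload)
	sig, sigAlg2, err := tc.privateKey.Sign(strings.NewReader(payload), 0)
	if err != nil {
		return "", fmt.Errorf("failed to sign token: %v", err)
	}
	// The header already committed to sigAlg; report the mismatch explicitly
	// instead of formatting a nil err into the message.
	if sigAlg2 != sigAlg {
		return "", fmt.Errorf("failed to sign token: signing algorithm changed from %q to %q", sigAlg, sigAlg2)
	}

	// NOTE(review): *ar is logged in full at Info level; confirm the request
	// type redacts any credential field when formatted with %s.
	glog.Infof("New token for %s: %s", *ar, claimsJSON)
	return fmt.Sprintf("%s%s%s", payload, token.TokenSeparator, joseBase64UrlEncode(sig)), nil
}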
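// CreateToken builds and signs a registry-style JWT for request ar, using the
// issuer, lifetime and key pair held by t.
//
// Token layout follows the docker/distribution token spec:
// https://github.com/docker/distribution/blob/master/docs/spec/auth/token.md#example
//
// When ar.Actions is empty the "access" claim is an empty array (a token
// that authenticates the subject but authorises nothing); otherwise it holds
// a single entry for the resource named by ar.Type and ar.Name. The result
// is header.claims.signature with each part JOSE base64url encoded.
//
// It returns an error when signing or JSON marshalling fails, or when the
// algorithm reported while signing the payload differs from the one already
// written into the header.
func (t *TokenAuth) CreateToken(ar *AuthRequest) (string, error) {
	now := time.Now().Unix()

	// Sign something dummy to find out which algorithm is used, so the header
	// can advertise it before the real payload exists.
	_, sigAlg, err := t.privateKey.Sign(strings.NewReader("dummy"), 0)
	if err != nil {
		return "", fmt.Errorf("failed to sign: %v", err)
	}

	header := token.Header{
		Type:       "JWT",
		SigningAlg: sigAlg,
		KeyID:      t.publicKey.KeyID(),
	}
	headerJSON, err := json.Marshal(header)
	if err != nil {
		return "", fmt.Errorf("failed to marshal header: %v", err)
	}

	claims := token.ClaimSet{
		Issuer:   t.Issuer,
		Subject:  ar.Account,
		Audience: ar.Service,
		// nbf is backdated by one second to tolerate small clock skew between
		// this server and the registry validating the token.
		NotBefore:  now - 1,
		IssuedAt:   now,
		Expiration: now + t.Expiration,
		// NOTE(review): math/rand is not a CSPRNG, so the jti is only a
		// best-effort unique id, not a secret. If it is ever relied on for
		// replay detection, switch to crypto/rand (needs a file-level import).
		JWTID:  fmt.Sprintf("%d", rand.Int63()),
		Access: []*token.ResourceActions{},
	}
	if len(ar.Actions) > 0 {
		claims.Access = []*token.ResourceActions{
			{Type: ar.Type, Name: ar.Name, Actions: ar.Actions},
		}
	}
	claimsJSON, err := json.Marshal(claims)
	if err != nil {
		return "", fmt.Errorf("failed to marshal claims: %v", err)
	}

	payload := fmt.Sprintf("%s%s%s", joseBase64UrlEncode(headerJSON), token.TokenSeparator, joseBase64UrlEncode(claimsJSON))
	sig, sigAlg2, err := t.privateKey.Sign(strings.NewReader(payload), 0)
	if err != nil {
		return "", fmt.Errorf("failed to sign token: %v", err)
	}
	// The header already committed to sigAlg; report the mismatch explicitly
	// instead of formatting a nil err into the message.
	if sigAlg2 != sigAlg {
		return "", fmt.Errorf("failed to sign token: signing algorithm changed from %q to %q", sigAlg, sigAlg2)
	}

	return fmt.Sprintf("%s%s%s", payload, token.TokenSeparator, joseBase64UrlEncode(sig)), nil
}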