Пример #1
0
func GetGoogleUser(ctx context.Context, idToken string) (*GoogleUser, error) {
	span := trace.FromContext(ctx).NewChild("trythings.google_user.GetGoogleUser")
	defer span.Finish()

	tok, err := jwt.ParseSigned(idToken)
	if err != nil {
		return nil, err
	}

	if len(tok.Headers) != 1 {
		// We must have a header to specify a kid.
		// We don't know how to handle multiple headers,
		// since it's unclear which kid to use.
		return nil, errors.New("expected exactly one token header")
	}

	keys := googleKeys.Key(tok.Headers[0].KeyID)
	if len(keys) == 0 {
		err := updateGoogleKeys(ctx)
		if err != nil {
			return nil, err
		}
		keys = googleKeys.Key(tok.Headers[0].KeyID)
	}

	if len(keys) != 1 {
		// We must have a key to check the signature.
		// We don't know how to deal with multiple keys matching the same kid.
		return nil, errors.New("expected exactly one key matching kid")
	}
	key := keys[0]

	var payload struct {
		jwt.Claims
		GoogleUser
	}
	err = tok.Claims(&payload, key.Key)
	if err != nil {
		return nil, err
	}

	expectedIssuer := "accounts.google.com"
	if strings.HasPrefix(payload.Issuer, "https://") {
		expectedIssuer = "https://accounts.google.com"
	}

	err = payload.Validate(jwt.Expected{
		Issuer:   expectedIssuer,
		Audience: []string{"695504958192-8k3tf807271m7jcllcvlauddeqhbr0hg.apps.googleusercontent.com"},
		Time:     time.Now(),
	})
	if err != nil {
		return nil, err
	}

	return &payload.GoogleUser, nil
}
Пример #2
0
func ExampleParseSigned() {
	raw := `eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJzdWIiOiJzdWJqZWN0In0.gpHyA1B1H6X4a4Edm9wo7D3X2v3aLSDBDG2_5BzXYe0`
	tok, err := jwt.ParseSigned(raw)
	if err != nil {
		panic(err)
	}

	out := jwt.Claims{}
	if err := tok.Claims(sharedKey, &out); err != nil {
		panic(err)
	}
	fmt.Printf("iss: %s, sub: %s\n", out.Issuer, out.Subject)
	// Output: iss: issuer, sub: subject
}
Пример #3
0
func ExampleJSONWebToken_Claims_map() {
	raw := `eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJzdWIiOiJzdWJqZWN0In0.gpHyA1B1H6X4a4Edm9wo7D3X2v3aLSDBDG2_5BzXYe0`
	tok, err := jwt.ParseSigned(raw)
	if err != nil {
		panic(err)
	}

	out := make(map[string]interface{})
	if err := tok.Claims(sharedKey, &out); err != nil {
		panic(err)
	}

	fmt.Printf("iss: %s, sub: %s\n", out["iss"], out["sub"])
	// Output: iss: issuer, sub: subject
}
Пример #4
0
func ExampleJSONWebToken_Claims_multiple() {
	raw := `eyJhbGciOiJIUzI1NiJ9.eyJTY29wZXMiOlsiZm9vIiwiYmFyIl0sImlzcyI6Imlzc3VlciIsInN1YiI6InN1YmplY3QifQ.esKOIsmwkudr_gnfnB4SngxIr-7pspd5XzG3PImfQ6Y`
	tok, err := jwt.ParseSigned(raw)
	if err != nil {
		panic(err)
	}

	out := jwt.Claims{}
	out2 := struct {
		Scopes []string
	}{}
	if err := tok.Claims(sharedKey, &out, &out2); err != nil {
		panic(err)
	}
	fmt.Printf("iss: %s, sub: %s, scopes: %s\n", out.Issuer, out.Subject, strings.Join(out2.Scopes, ","))
	// Output: iss: issuer, sub: subject, scopes: foo,bar
}
Пример #5
0
func ExampleClaims_Validate_withParse() {
	raw := `eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJzdWIiOiJzdWJqZWN0In0.gpHyA1B1H6X4a4Edm9wo7D3X2v3aLSDBDG2_5BzXYe0`
	tok, err := jwt.ParseSigned(raw)
	if err != nil {
		panic(err)
	}

	cl := jwt.Claims{}
	if err := tok.Claims(sharedKey, &cl); err != nil {
		panic(err)
	}

	err = cl.Validate(jwt.Expected{
		Issuer:  "issuer",
		Subject: "subject",
	})
	if err != nil {
		panic(err)
	}

	fmt.Printf("valid!")
	// Output: valid!
}