authentication

package

v1.5.2 Latest Latest Go to latest Published: Jul 7, 2020 License: MIT Imports: 28 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

bitbucket.org/openbankingteam/conformance-suite

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func CalcKid(modulus string) (string, error)
func CalculateCHash(alg string, code string) (string, error)
func CalculateClientSecretBasicToken(clientID, clientSecret string) (string, error)
func CreateSignature(t *jwt.Token, key interface{}, body string, b64encoded bool) (string, error)
func DefaultAuthMethod(openIDConfigAuthMethods []string, logger *logrus.Entry) string
func GetB64Encoding(ctx ContextInterface) (bool, error)
func GetB64Status() bool
func GetJWKSUri() string
func GetJWSIssuerString(ctx ContextInterface, cert Certificate) (string, error)
func GetKID(ctx ContextInterface, modulus []byte) (string, error)
func GetSignatureToken30(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token
func GetSignatureToken313Minus(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token
func GetSignatureToken314Plus(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token
func GetSigningAlg(alg string) (jwt.SigningMethod, error)
func MyJwsVerify(buf string, alg jwa.SignatureAlgorithm, key interface{}, b64 bool) (ret []byte, err error)
func NewJWSSignature(requestBody string, ctx ContextInterface, alg jwt.SigningMethod) (string, error)
func PSUURLGenerate(claims PSUConsentClaims) (*url.URL, error)
func ParseCertificateChain(chain []string) ([]*x509.Certificate, error)
func SetEidasSigningParameters(issuer, kid string)
func SigningString(t *jwt.Token, body string, b64encoded bool) (string, error)
func SplitJWSWithBody(token string) string
func SuiteSupportedAuthMethodsMostSecureFirst() []string
func ValidateSignature(jwtToken, body, jwksUri string, b64 bool) (bool, error)
func ValidateSignatureHeader(token string, b64 bool) error
type Certificate
- func NewCertificate(publicKeyPem, privateKeyPem string) (Certificate, error)
- func NewPublicCertificate(publicKeyPem string) (Certificate, error)
- func SigningCertFromContext(ctx ContextInterface) (Certificate, error)
type ContextInterface
type JWK
type JWKS
- func GetJwks(url string) (JWKS, error)
type OpenIDConfiguration
- func OpenIdConfig(url string) (OpenIDConfiguration, error)
type PSUConsentClaims

Constants ¶

View Source

const (
	TlsClientAuth     = "tls_client_auth"
	PrivateKeyJwt     = "private_key_jwt"
	ClientSecretBasic = "client_secret_basic"
)

token_endpoint_auth_methods_supported

View Source

const (
	ClientAssertionType      = "client_assertion_type"
	ClientAssertionTypeValue = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
)

View Source

const (
	GrantType                  = "grant_type"
	GrantTypeAuthorizationCode = "authorization_code"
)

View Source

const (
	ClientAssertion = "client_assertion"
)

Variables ¶

View Source

var SigningMethodPS256 = &jwt.SigningMethodRSAPSS{
	SigningMethodRSA: jwt.SigningMethodPS256.SigningMethodRSA,
	Options: &rsa.PSSOptions{
		SaltLength: rsa.PSSSaltLengthEqualsHash,
		Hash:       crypto.SHA256,
	},
}

Workaround for default PS256 signing parameter issue https://github.com/dgrijalva/jwt-go/issues/285

Functions ¶

func CalcKid ¶ added in v1.1.6

func CalcKid(modulus string) (string, error)

func CalculateCHash ¶ added in v1.1.16

func CalculateCHash(alg string, code string) (string, error)

CalculateCHash calculates the code hash (c_hash) value as described in section 3.3.2.11 (ID Token) https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken List of valid algorithms https://openid.net/specs/openid-financial-api-part-2.html#jws-algorithm-considerations At the time of writing, the list shows "PS256", "ES256" https://openbanking.atlassian.net/wiki/spaces/DZ/pages/83919096/Open+Banking+Security+Profile+-+Implementer+s+Draft+v1.1.2#OpenBankingSecurityProfile-Implementer'sDraftv1.1.2-Step2:FormtheJOSEHeader

func CalculateClientSecretBasicToken ¶

func CalculateClientSecretBasicToken(clientID, clientSecret string) (string, error)

CalculateClientSecretBasicToken tests the generation of `client secret basic` value as a product of `client_id` and `client_secret` as per https://tools.ietf.org/html/rfc7617

func CreateSignature ¶ added in v1.5.1

func CreateSignature(t *jwt.Token, key interface{}, body string, b64encoded bool) (string, error)

CreateSignature Get the complete, signed token for jws usage Takes the token object, private key, payload body and b64encoding indicator Create the signing string which includes the token header and payload body Then signs this string using the key provided - the signing algorithm is part of the jwt.Token object

func DefaultAuthMethod ¶

func DefaultAuthMethod(openIDConfigAuthMethods []string, logger *logrus.Entry) string

func GetB64Encoding ¶ added in v1.5.1

func GetB64Encoding(ctx ContextInterface) (bool, error)

func GetB64Status ¶ added in v1.5.1

func GetB64Status() bool

func GetJWKSUri ¶ added in v1.5.1

func GetJWKSUri() string

func GetJWSIssuerString ¶ added in v1.1.15

func GetJWSIssuerString(ctx ContextInterface, cert Certificate) (string, error)

func GetKID ¶ added in v1.1.15

func GetKID(ctx ContextInterface, modulus []byte) (string, error)

GetKID determines the value of the JWS Key ID

func GetSignatureToken30 ¶ added in v1.5.1

func GetSignatureToken30(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token

Read/Write Data API Specification - v3.0 Specification: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/641992418/Read+Write+Data+API+Specification+-+v3.0. According to the spec this field `http://openbanking.org.uk/tan` should not be sent in the `x-jws-signature` header.

func GetSignatureToken313Minus ¶ added in v1.5.1

func GetSignatureToken313Minus(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token

Get Token with correct headers for v3.1.3 and previous versions of the R/W Apis

func GetSignatureToken314Plus ¶ added in v1.5.1

func GetSignatureToken314Plus(kid, issuer, trustAnchor string, alg jwt.SigningMethod) jwt.Token

Get Token with correct headers for v3.1.4 and above of the R/W Apis

func GetSigningAlg ¶ added in v1.1.15

func GetSigningAlg(alg string) (jwt.SigningMethod, error)

func MyJwsVerify ¶ added in v1.5.1

func MyJwsVerify(buf string, alg jwa.SignatureAlgorithm, key interface{}, b64 bool) (ret []byte, err error)

Verify checks if the given JWS message is verifiable using `alg` and `key`. If the verification is successful, `err` is nil, and the content of the payload that was signed is returned.

func NewJWSSignature ¶ added in v1.1.15

func NewJWSSignature(requestBody string, ctx ContextInterface, alg jwt.SigningMethod) (string, error)

func PSUURLGenerate ¶

func PSUURLGenerate(claims PSUConsentClaims) (*url.URL, error)

PSUURLGenerate generates a PSU Consent URL based on claims

func ParseCertificateChain ¶ added in v1.5.1

func ParseCertificateChain(chain []string) ([]*x509.Certificate, error)

func SetEidasSigningParameters ¶ added in v1.5.2

func SetEidasSigningParameters(issuer, kid string)

func SigningString ¶ added in v1.1.15

func SigningString(t *jwt.Token, body string, b64encoded bool) (string, error)

JWT SigningString takes the token, body string and b64 indicator if b64encoded=true - base64urlEncodes the payload string as part of the string to be signed if b64encoded=false - includes the payload unencoded (unmodified) in the string to be signed

func SplitJWSWithBody ¶ added in v1.1.15

func SplitJWSWithBody(token string) string

func SuiteSupportedAuthMethodsMostSecureFirst ¶

func SuiteSupportedAuthMethodsMostSecureFirst() []string

SuiteSupportedAuthMethodsMostSecureFirst - We have made our own determination of security offered by each auth method. It is not from a formal definition.

func ValidateSignature ¶ added in v1.5.1

func ValidateSignature(jwtToken, body, jwksUri string, b64 bool) (bool, error)

ValidateSignature take the signature JWT extract the kid used the kid to lookup the public key in the JWKS

func ValidateSignatureHeader ¶ added in v1.5.1

func ValidateSignatureHeader(token string, b64 bool) error

Types ¶

type Certificate ¶

type Certificate interface {
	PublicKey() *rsa.PublicKey
	PrivateKey() *rsa.PrivateKey
	TLSCert() tls.Certificate
	DN() (string, string, string, error)
	SignatureIssuer(bool) (string, error)
}

Certificate - create new Certificate.

func NewCertificate ¶

func NewCertificate(publicKeyPem, privateKeyPem string) (Certificate, error)

NewCertificate - create new Certificate.

Parameters: * publicKeyPem=PEM encoded public key. * privateKeyPem=PEM encoded private key.

Returns Certificate, or nil with error set if something is invalid.

func NewPublicCertificate ¶ added in v1.5.1

func NewPublicCertificate(publicKeyPem string) (Certificate, error)

creates a certificate from only the public key, in the case of the aspsp public cert to validate signatures

func SigningCertFromContext ¶ added in v1.1.15

func SigningCertFromContext(ctx ContextInterface) (Certificate, error)

type ContextInterface ¶ added in v1.1.15

type ContextInterface interface {
	// GetString get the string value associated with key
	GetString(key string) (string, error)
	// Get the key form the Context map - currently assumes value converts easily to a string!
	Get(key string) (interface{}, bool)
	GetStringSlice(key string) ([]string, error)
}

ContextInterface - avoid cycling dependency to `model.Context`.

type JWK ¶ added in v1.5.1

type JWK struct {
	Alg string   `json:"alg,omitempty"`
	Kty string   `json:"kty,omitempty"`
	X5c []string `json:"x5c,omitempty"`
	N   string   `json:"n,omitempty"`
	E   string   `json:"e,omitempty"`
	Kid string   `json:"kid,omitempty"`
	X5t string   `json:"x5t,omitempty"`
	X5u string   `json:"x5u,omitempty"`
	Use string   `json:"use,omitempty"`
}

type JWKS ¶ added in v1.5.1

type JWKS struct {
	Keys []JWK
}

func GetJwks ¶ added in v1.5.1

func GetJwks(url string) (JWKS, error)

type OpenIDConfiguration ¶

type OpenIDConfiguration struct {
	TokenEndpoint                          string   `json:"token_endpoint,omitempty"`
	TokenEndpointAuthMethodsSupported      []string `json:"token_endpoint_auth_methods_supported,omitempty"`
	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`
	AuthorizationEndpoint                  string   `json:"authorization_endpoint,omitempty"`
	Issuer                                 string   `json:"issuer,omitempty"`
	ResponseTypesSupported                 []string `json:"response_types_supported,omitempty"`
	AcrValuesSupported                     []string `json:"acr_values_supported,omitempty"`
	JwksURI                                string   `json:"jwks_uri,omitempty"`
}

OpenIDConfiguration - The OpenID Connect discovery document retrieved by calling /.well-known/openid-configuration. https://openid.net/specs/openid-connect-discovery-1_0.html

func OpenIdConfig ¶

func OpenIdConfig(url string) (OpenIDConfiguration, error)

type PSUConsentClaims ¶

type PSUConsentClaims struct {
	AuthorizationEndpoint string
	Aud                   string // Audience
	Iss                   string // ClientID
	ResponseType          string // "code id_token"
	Scope                 string // "openid accounts"
	RedirectURI           string
	ConsentId             string
	State                 string // {test_id}
}

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
certificates
mocks

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL