// Copyright 2014 The oauth2 Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package jws provides encoding and decoding utilities for
// signed JWS messages.
package jws // import "golang.org/x/oauth2/jws"
// ClaimSet contains information about the JWT signature including the
// permissions being requested (scopes), the target of the token, the issuer,
// the time the token was issued, and the lifetime of the token.
type ClaimSet struct {
Iss string `json:"iss"` // email address of the client_id of the application making the access token request
Scope string `json:"scope,omitempty"` // space-delimited list of the permissions the application requests
Aud string `json:"aud"` // descriptor of the intended target of the assertion (Optional).
Exp int64 `json:"exp"` // the expiration time of the assertion
Iat int64 `json:"iat"` // the time the assertion was issued.
Typ string `json:"typ,omitempty"` // token type (Optional).
// Email for which the application is requesting delegated access (Optional).
Sub string `json:"sub,omitempty"`
// The old name of Sub. Client keeps setting Prn to be
// compliant with legacy OAuth 2.0 providers. (Optional)
Prn string `json:"prn,omitempty"`
// See http://tools.ietf.org/html/draft-jones-json-web-token-10#section-4.3
// This array is marshalled using custom code (see (c *ClaimSet) encode()).
PrivateClaims map[string]interface{} `json:"-"`
func (c *ClaimSet) encode() (string, error) {
if c.exp.IsZero() || c.iat.IsZero() {
// Reverting time back for machines whose time is not perfectly in sync.
// If client machine's time is in the future according
// to Google servers, an access token will not be issued.
now := time.Now().Add(-10 * time.Second)
c.exp = now.Add(time.Hour)
b, err := json.Marshal(c)
if len(c.PrivateClaims) == 0 {
return base64Encode(b), nil
// Marshal private claim set and then append it to b.
prv, err := json.Marshal(c.PrivateClaims)
return "", fmt.Errorf("jws: invalid map of private claims %v", c.PrivateClaims)
// Concatenate public and private claim JSON objects.
if !bytes.HasSuffix(b, []byte{'}'}) {
return "", fmt.Errorf("jws: invalid JSON %s", b)
if !bytes.HasPrefix(prv, []byte{'{'}) {
return "", fmt.Errorf("jws: invalid JSON %s", prv)
b[len(b)-1] = ',' // Replace closing curly brace with a comma.
b = append(b, prv[1:]...) // Append private claims.
return base64Encode(b), nil
// Header represents the header for the signed JWS payloads.
// The algorithm used for signature.
Algorithm string `json:"alg"`
// Represents the token type.
Typ string `json:"typ"`
func (h *Header) encode() (string, error) {
b, err := json.Marshal(h)
return base64Encode(b), nil
// Decode decodes a claim set from a JWS payload.
func Decode(payload string) (*ClaimSet, error) {
// decode returned id token to get expiry
s := strings.Split(payload, ".")
// TODO(jbd): Provide more context about the error.
return nil, errors.New("jws: invalid token received")
decoded, err := base64Decode(s[1])
err = json.NewDecoder(bytes.NewBuffer(decoded)).Decode(c)
// Encode encodes a signed JWS with provided header and claim set.
func Encode(header *Header, c *ClaimSet, signature *rsa.PrivateKey) (string, error) {
head, err := header.encode()
cs, err := c.encode()
ss := fmt.Sprintf("%s.%s", head, cs)
b, err := rsa.SignPKCS1v15(rand.Reader, signature, crypto.SHA256, h.Sum(nil))
sig := base64Encode(b)
return fmt.Sprintf("%s.%s", ss, sig), nil
// base64Encode returns a Base64url-encoded version of the input with any
// trailing "=" stripped.
func base64Encode(b []byte) string {
return strings.TrimRight(base64.URLEncoding.EncodeToString(b), "=")
// base64Decode decodes a Base64url-encoded string.
func base64Decode(s string) ([]byte, error) {
// add back missing padding
return base64.URLEncoding.DecodeString(s)