-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
/
jwt_strategy.go
82 lines (65 loc) · 2.47 KB
/
jwt_strategy.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
// Copyright © 2022 Ory Corp
// SPDX-License-Identifier: Apache-2.0
package jwk
import (
"context"
"net"
"github.com/ory/x/josex"
"github.com/go-jose/go-jose/v3"
"github.com/gofrs/uuid"
"github.com/ory/fosite"
"github.com/ory/hydra/v2/driver/config"
"github.com/pkg/errors"
"github.com/ory/fosite/token/jwt"
)
type JWTSigner interface {
GetPublicKeyID(ctx context.Context) (string, error)
GetPublicKey(ctx context.Context) (jose.JSONWebKey, error)
jwt.Signer
}
type DefaultJWTSigner struct {
*jwt.DefaultSigner
r InternalRegistry
c *config.DefaultProvider
setID string
}
func NewDefaultJWTSigner(c *config.DefaultProvider, r InternalRegistry, setID string) *DefaultJWTSigner {
j := &DefaultJWTSigner{c: c, r: r, setID: setID, DefaultSigner: &jwt.DefaultSigner{}}
j.DefaultSigner.GetPrivateKey = j.getPrivateKey
return j
}
func (j *DefaultJWTSigner) getKeys(ctx context.Context) (private *jose.JSONWebKey, err error) {
private, err = GetOrGenerateKeys(ctx, j.r, j.r.KeyManager(), j.setID, uuid.Must(uuid.NewV4()).String(), string(jose.RS256))
if err == nil {
return private, nil
}
var netError net.Error
if errors.As(err, &netError) {
return nil, errors.WithStack(fosite.ErrServerError.
WithHintf(`Could not ensure that signing keys for "%s" exists. A network error occurred, see error for specific details.`, j.setID))
}
return nil, errors.WithStack(fosite.ErrServerError.
WithWrap(err).
WithHintf(`Could not ensure that signing keys for "%s" exists. If you are running against a persistent SQL database this is most likely because your "secrets.system" ("SECRETS_SYSTEM" environment variable) is not set or changed. When running with an SQL database backend you need to make sure that the secret is set and stays the same, unless when doing key rotation. This may also happen when you forget to run "hydra migrate sql up -e".`, j.setID))
}
func (j *DefaultJWTSigner) GetPublicKeyID(ctx context.Context) (string, error) {
private, err := j.getKeys(ctx)
if err != nil {
return "", errors.WithStack(err)
}
return josex.ToPublicKey(private).KeyID, nil
}
func (j *DefaultJWTSigner) GetPublicKey(ctx context.Context) (jose.JSONWebKey, error) {
private, err := j.getKeys(ctx)
if err != nil {
return jose.JSONWebKey{}, errors.WithStack(err)
}
return josex.ToPublicKey(private), nil
}
func (j *DefaultJWTSigner) getPrivateKey(ctx context.Context) (interface{}, error) {
private, err := j.getKeys(ctx)
if err != nil {
return nil, err
}
return private, nil
}