Skip to content

Commit

Permalink
Adds support for v5 of the golang-jwt library (#15)
Browse files Browse the repository at this point in the history
* Adds support for `v5` of the `golang-jwt` library

For better future maintainability, we had to change the way signing methods work slightly. Instead of decoding/encoding the token in the signing method, this is now done in the library itself. This should also make code in projects like this a little bit easier and cleaner.

Fixes #13

* v5 release

---------

Co-authored-by: Máté Lang <langmatelaszlo@gmail.com>
  • Loading branch information
oxisto and Máté Lang authored Apr 18, 2023
1 parent 66c5ecd commit 4d0c7db
Show file tree
Hide file tree
Showing 7 changed files with 40 additions and 30 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/go.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.16
go-version: 1.18

- name: Build
run: go build -v ./...
Expand Down
14 changes: 7 additions & 7 deletions example/example.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ import (

"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/kms"
"github.com/golang-jwt/jwt/v4"
"github.com/golang-jwt/jwt/v5"
"github.com/matelang/jwt-go-aws-kms/v2/jwtkms"
)

Expand All @@ -21,13 +21,13 @@ func main() {
}

now := time.Now()
jwtToken := jwt.NewWithClaims(jwtkms.SigningMethodECDSA256, &jwt.StandardClaims{
Audience: "api.example.com",
ExpiresAt: now.Add(1 * time.Hour * 24).Unix(),
Id: "1234-5678",
IssuedAt: now.Unix(),
jwtToken := jwt.NewWithClaims(jwtkms.SigningMethodECDSA256, &jwt.RegisteredClaims{
Audience: jwt.ClaimStrings{"api.example.com"},
ExpiresAt: jwt.NewNumericDate(now.Add(1 * time.Hour * 24)),
ID: "1234-5678",
IssuedAt: jwt.NewNumericDate(now),
Issuer: "sso.example.com",
NotBefore: now.Unix(),
NotBefore: jwt.NewNumericDate(now),
Subject: "john.doe@example.com",
})

Expand Down
17 changes: 15 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
@@ -1,11 +1,24 @@
module github.com/matelang/jwt-go-aws-kms/v2

go 1.16
go 1.18

require (
github.com/aws/aws-sdk-go-v2 v1.17.7
github.com/aws/aws-sdk-go-v2/config v1.18.19
github.com/aws/aws-sdk-go-v2/service/kms v1.20.8
github.com/golang-jwt/jwt/v4 v4.5.0
github.com/golang-jwt/jwt/v5 v5.0.0
github.com/google/uuid v1.3.0
)

require (
github.com/aws/aws-sdk-go-v2/credentials v1.13.18 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.1 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.31 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.25 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.32 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.25 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.12.6 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.6 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.18.7 // indirect
github.com/aws/smithy-go v1.13.5 // indirect
)
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.18.7/go.mod h1:JuTnSoeePXmMVe9G8Ncjj
github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
Expand Down
3 changes: 2 additions & 1 deletion jwtkms/init.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,9 @@ package jwtkms

import (
"crypto"

"github.com/aws/aws-sdk-go-v2/service/kms/types"
"github.com/golang-jwt/jwt/v4"
"github.com/golang-jwt/jwt/v5"
)

var (
Expand Down
28 changes: 12 additions & 16 deletions jwtkms/kms_signing_method.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,12 @@ import (
"crypto/rsa"
"crypto/x509"
"encoding/asn1"
"math/big"

"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/kms"
"github.com/aws/aws-sdk-go-v2/service/kms/types"
"github.com/golang-jwt/jwt/v4"
"math/big"
"github.com/golang-jwt/jwt/v5"
)

type fallbackSigningMethodCompatibilityCheckerFunc func(keyConfig interface{}) bool
Expand Down Expand Up @@ -94,7 +95,7 @@ func (m *KMSSigningMethod) Alg() string {
return m.fallbackSigningMethod.Alg()
}

func (m *KMSSigningMethod) Verify(signingString string, signature string, keyConfig interface{}) error {
func (m *KMSSigningMethod) Verify(signingString string, sig []byte, keyConfig interface{}) (err error) {
// Expecting a jwtkms.Config as the keyConfig to use AWS KMS to Verify tokens.
cfg, ok := keyConfig.(*Config)

Expand All @@ -104,17 +105,12 @@ func (m *KMSSigningMethod) Verify(signingString string, signature string, keyCon
keyConfigIsForFallbackSigningMethod := m.fallbackSigningMethodKeyConfigCheckerFunc(keyConfig)

if keyConfigIsForFallbackSigningMethod {
return m.fallbackSigningMethod.Verify(signingString, signature, keyConfig)
return m.fallbackSigningMethod.Verify(signingString, sig, keyConfig)
}

return jwt.ErrInvalidKeyType
}

sig, err := jwt.DecodeSegment(signature)
if err != nil {
return err
}

if !m.hash.Available() {
return jwt.ErrHashUnavailable
}
Expand Down Expand Up @@ -169,10 +165,10 @@ func (m *KMSSigningMethod) Verify(signingString string, signature string, keyCon
pubkeyCache.Add(cfg.kmsKeyID, cachedKey)
}

return m.fallbackSigningMethod.Verify(signingString, signature, cachedKey)
return m.fallbackSigningMethod.Verify(signingString, sig, cachedKey)
}

func (m *KMSSigningMethod) Sign(signingString string, keyConfig interface{}) (string, error) {
func (m *KMSSigningMethod) Sign(signingString string, keyConfig interface{}) ([]byte, error) {
// Expecting a jwtkms.Config as the keyConfig to use AWS KMS to Sign tokens.
cfg, ok := keyConfig.(*Config)

Expand All @@ -185,11 +181,11 @@ func (m *KMSSigningMethod) Sign(signingString string, keyConfig interface{}) (st
return m.fallbackSigningMethod.Sign(signingString, keyConfig)
}

return "", jwt.ErrInvalidKeyType
return nil, jwt.ErrInvalidKeyType
}

if !m.hash.Available() {
return "", jwt.ErrHashUnavailable
return nil, jwt.ErrHashUnavailable
}

hasher := m.hash.New()
Expand All @@ -205,16 +201,16 @@ func (m *KMSSigningMethod) Sign(signingString string, keyConfig interface{}) (st

signOutput, err := cfg.kmsClient.Sign(cfg.ctx, signInput)
if err != nil {
return "", err
return nil, err
}

formattedSig := signOutput.Signature
if m.postSignatureSigFormatterFunc != nil {
formattedSig, err = m.postSignatureSigFormatterFunc(signOutput.Signature)
if err != nil {
return "", err
return nil, err
}
}

return jwt.EncodeSegment(formattedSig), nil
return formattedSig, nil
}
2 changes: 1 addition & 1 deletion jwtkms/kms_signingmethod_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ package jwtkms
import (
"testing"

"github.com/golang-jwt/jwt/v4"
"github.com/golang-jwt/jwt/v5"
"github.com/matelang/jwt-go-aws-kms/v2/jwtkms/internal/mockkms"
)

Expand Down

0 comments on commit 4d0c7db

Please sign in to comment.