go/jwt/jwt_test.go - third_party/tink - Git at Google

 // Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 ////////////////////////////////////////////////////////////////////////////////

 package jwt_test

 import (
 	"fmt"
 	"log"
 	"time"

 	"github.com/google/tink/go/jwt"
 	"github.com/google/tink/go/keyset"
 )

 func Example_signAndVerify() {
 	// Generate a private keyset handle.
 	handlePriv, err := keyset.NewHandle(jwt.ES256Template())
 	if err != nil {
 		log.Fatal(err)
 	}

 	// TODO: Save the private keyset to a safe location. DO NOT hardcode it in
 	// source code.  Consider encrypting it with a remote key in a KMS.
 	// See https://github.com/google/tink/blob/master/docs/GOLANG-HOWTO.md#storing-and-loading-existing-keysets

 	// Get a public keyset handle from the private keyset handle.
 	handlePub, err := handlePriv.Public()
 	if err != nil {
 		log.Fatal(err)
 	}

 	// Create and sign a token.
 	expiresAt := time.Now().Add(time.Hour)
 	audience := "example audience"
 	subject := "example subject"
 	rawJWT, err := jwt.NewRawJWT(&jwt.RawJWTOptions{
 		Audience:  &audience,
 		Subject:   &subject,
 		ExpiresAt: &expiresAt,
 	})
 	if err != nil {
 		log.Fatal(err)
 	}
 	signer, err := jwt.NewSigner(handlePriv)
 	if err != nil {
 		log.Fatal(err)
 	}
 	token, err := signer.SignAndEncode(rawJWT)
 	if err != nil {
 		log.Fatal(err)
 	}

 	// Verify the signed token.
 	verifier, err := jwt.NewVerifier(handlePub)
 	if err != nil {
 		log.Fatal(err)
 	}
 	validator, err := jwt.NewValidator(&jwt.ValidatorOpts{ExpectedAudience: &audience})
 	if err != nil {
 		log.Fatal(err)
 	}
 	verifiedJWT, err := verifier.VerifyAndDecode(token, validator)
 	if err != nil {
 		log.Fatal(err)
 	}

 	// Extract subject claim from the token.
 	if !verifiedJWT.HasSubject() {
 		log.Fatal(err)
 	}
 	extractedSubject, err := verifiedJWT.Subject()
 	if err != nil {
 		log.Fatal(err)
 	}
 	fmt.Println(extractedSubject)
 	// Output: example subject
 }

 func Example_computeMACAndVerify() {
 	// Generate a keyset handle.
 	handle, err := keyset.NewHandle(jwt.HS256Template())
 	if err != nil {
 		log.Fatal(err)
 	}

 	// TODO: Save the keyset to a safe location. DO NOT hardcode it in source
 	// code.  Consider encrypting it with a remote key in a KMS.  See
 	// https://github.com/google/tink/blob/master/docs/GOLANG-HOWTO.md#storing-and-loading-existing-keysets

 	// Create a token and compute a MAC for it.
 	expiresAt := time.Now().Add(time.Hour)
 	audience := "example audience"
 	customClaims := map[string]interface{}{"custom": "my custom claim"}
 	rawJWT, err := jwt.NewRawJWT(&jwt.RawJWTOptions{
 		Audience:     &audience,
 		CustomClaims: customClaims,
 		ExpiresAt:    &expiresAt,
 	})
 	if err != nil {
 		log.Fatal(err)
 	}
 	mac, err := jwt.NewMAC(handle)
 	if err != nil {
 		log.Fatal(err)
 	}
 	token, err := mac.ComputeMACAndEncode(rawJWT)
 	if err != nil {
 		log.Fatal(err)
 	}

 	// Verify the MAC.
 	validator, err := jwt.NewValidator(&jwt.ValidatorOpts{ExpectedAudience: &audience})
 	if err != nil {
 		log.Fatal(err)
 	}
 	verifiedJWT, err := mac.VerifyMACAndDecode(token, validator)
 	if err != nil {
 		log.Fatal(err)
 	}

 	// Extract a custom claim from the token.
 	if !verifiedJWT.HasStringClaim("custom") {
 		log.Fatal(err)
 	}
 	extractedCustomClaim, err := verifiedJWT.StringClaim("custom")
 	if err != nil {
 		log.Fatal(err)
 	}
 	fmt.Println(extractedCustomClaim)
 	// Output: my custom claim
 }
	// Copyright 2022 Google LLC
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	//
	////////////////////////////////////////////////////////////////////////////////

	package jwt_test

	import (
	"fmt"
	"log"
	"time"

	"github.com/google/tink/go/jwt"
	"github.com/google/tink/go/keyset"
	)

	func Example_signAndVerify() {
	// Generate a private keyset handle.
	handlePriv, err := keyset.NewHandle(jwt.ES256Template())
	if err != nil {
	log.Fatal(err)
	}

	// TODO: Save the private keyset to a safe location. DO NOT hardcode it in
	// source code. Consider encrypting it with a remote key in a KMS.
	// See https://github.com/google/tink/blob/master/docs/GOLANG-HOWTO.md#storing-and-loading-existing-keysets

	// Get a public keyset handle from the private keyset handle.
	handlePub, err := handlePriv.Public()
	if err != nil {
	log.Fatal(err)
	}

	// Create and sign a token.
	expiresAt := time.Now().Add(time.Hour)
	audience := "example audience"
	subject := "example subject"
	rawJWT, err := jwt.NewRawJWT(&jwt.RawJWTOptions{
	Audience: &audience,
	Subject: &subject,
	ExpiresAt: &expiresAt,
	})
	if err != nil {
	log.Fatal(err)
	}
	signer, err := jwt.NewSigner(handlePriv)
	if err != nil {
	log.Fatal(err)
	}
	token, err := signer.SignAndEncode(rawJWT)
	if err != nil {
	log.Fatal(err)
	}

	// Verify the signed token.
	verifier, err := jwt.NewVerifier(handlePub)
	if err != nil {
	log.Fatal(err)
	}
	validator, err := jwt.NewValidator(&jwt.ValidatorOpts{ExpectedAudience: &audience})
	if err != nil {
	log.Fatal(err)
	}
	verifiedJWT, err := verifier.VerifyAndDecode(token, validator)
	if err != nil {
	log.Fatal(err)
	}

	// Extract subject claim from the token.
	if !verifiedJWT.HasSubject() {
	log.Fatal(err)
	}
	extractedSubject, err := verifiedJWT.Subject()
	if err != nil {
	log.Fatal(err)
	}
	fmt.Println(extractedSubject)
	// Output: example subject
	}

	func Example_computeMACAndVerify() {
	// Generate a keyset handle.
	handle, err := keyset.NewHandle(jwt.HS256Template())
	if err != nil {
	log.Fatal(err)
	}

	// TODO: Save the keyset to a safe location. DO NOT hardcode it in source
	// code. Consider encrypting it with a remote key in a KMS. See
	// https://github.com/google/tink/blob/master/docs/GOLANG-HOWTO.md#storing-and-loading-existing-keysets

	// Create a token and compute a MAC for it.
	expiresAt := time.Now().Add(time.Hour)
	audience := "example audience"
	customClaims := map[string]interface{}{"custom": "my custom claim"}
	rawJWT, err := jwt.NewRawJWT(&jwt.RawJWTOptions{
	Audience: &audience,
	CustomClaims: customClaims,
	ExpiresAt: &expiresAt,
	})
	if err != nil {
	log.Fatal(err)
	}
	mac, err := jwt.NewMAC(handle)
	if err != nil {
	log.Fatal(err)
	}
	token, err := mac.ComputeMACAndEncode(rawJWT)
	if err != nil {
	log.Fatal(err)
	}

	// Verify the MAC.
	validator, err := jwt.NewValidator(&jwt.ValidatorOpts{ExpectedAudience: &audience})
	if err != nil {
	log.Fatal(err)
	}
	verifiedJWT, err := mac.VerifyMACAndDecode(token, validator)
	if err != nil {
	log.Fatal(err)
	}

	// Extract a custom claim from the token.
	if !verifiedJWT.HasStringClaim("custom") {
	log.Fatal(err)
	}
	extractedCustomClaim, err := verifiedJWT.StringClaim("custom")
	if err != nil {
	log.Fatal(err)
	}
	fmt.Println(extractedCustomClaim)
	// Output: my custom claim
	}