Files
QSfera/Server/vendor/github.com/lestrrat-go/jwx/v3/jwk
Курнат Андрей 2315f25754 Initial QSfera import
2026-06-07 10:20:04 +03:00
..
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00
2026-06-07 10:20:04 +03:00

JWK Go Reference

Package jwk implements JWK as described in RFC7517. If you are looking to use JWT wit JWKs, look no further than github.com/lestrrat-go/jwx.

  • Parse and work with RSA/EC/Symmetric/OKP JWK types
    • Convert to and from JSON
    • Convert to and from raw key types (e.g. *rsa.PrivateKey)
  • Ability to keep a JWKS fresh using *jwk.AutoRefresh

Supported key types:

kty Curve Go Key Type
RSA N/A rsa.PrivateKey / rsa.PublicKey (2)
EC P-256
P-384
P-521
secp256k1 (1)
ecdsa.PrivateKey / ecdsa.PublicKey (2)
oct N/A []byte
OKP Ed25519 (1) ed25519.PrivateKey / ed25519.PublicKey (2)
X25519 (1) (jwx/)x25519.PrivateKey / x25519.PublicKey (2)
  • Note 1: Experimental
  • Note 2: Either value or pointers accepted (e.g. rsa.PrivateKey or *rsa.PrivateKey)

Documentation

Please read the API reference, or the how-to style documentation on how to use JWK can be found in the docs directory.

Auto-Refresh a key during a long-running process

package examples_test

import (
  "context"
  "fmt"
  "time"

  "github.com/lestrrat-go/httprc/v3"
  "github.com/lestrrat-go/jwx/v3/jwk"
)

func Example_jwk_cache() {
  ctx, cancel := context.WithCancel(context.Background())
  defer cancel()

  const googleCerts = `https://www.googleapis.com/oauth2/v3/certs`

  // First, set up the `jwk.Cache` object. You need to pass it a
  // `context.Context` object to control the lifecycle of the background fetching goroutine.
  c, err := jwk.NewCache(ctx, httprc.NewClient())
  if err != nil {
    fmt.Printf("failed to create cache: %s\n", err)
    return
  }

  // Tell *jwk.Cache that we only want to refresh this JWKS periodically.
  if err := c.Register(ctx, googleCerts); err != nil {
    fmt.Printf("failed to register google JWKS: %s\n", err)
    return
  }

  // Pretend that this is your program's main loop
MAIN:
  for {
    select {
    case <-ctx.Done():
      break MAIN
    default:
    }
    keyset, err := c.Lookup(ctx, googleCerts)
    if err != nil {
      fmt.Printf("failed to fetch google JWKS: %s\n", err)
      return
    }
    _ = keyset
    // The returned `keyset` will always be "reasonably" new.
    //
    // By "reasonably" we mean that we cannot guarantee that the keys will be refreshed
    // immediately after it has been rotated in the remote source. But it should be close\
    // enough, and should you need to forcefully refresh the token using the `(jwk.Cache).Refresh()` method.
    //
    // If refetching the keyset fails, a cached version will be returned from the previous
    // successful sync

    // Do interesting stuff with the keyset... but here, we just
    // sleep for a bit
    time.Sleep(time.Second)

    // Because we're a dummy program, we just cancel the loop now.
    // If this were a real program, you presumably loop forever
    cancel()
  }
  // OUTPUT:
}

source: examples/jwk_cache_example_test.go

Parse and use a JWK key:

package examples_test

import (
  "context"
  "fmt"
  "log"

  "github.com/lestrrat-go/jwx/v3/internal/json"
  "github.com/lestrrat-go/jwx/v3/jwk"
)

func Example_jwk_usage() {
  // Use jwk.Cache if you intend to keep reuse the JWKS over and over
  set, err := jwk.Fetch(context.Background(), "https://www.googleapis.com/oauth2/v3/certs")
  if err != nil {
    log.Printf("failed to parse JWK: %s", err)
    return
  }

  // Key sets can be serialized back to JSON
  {
    jsonbuf, err := json.Marshal(set)
    if err != nil {
      log.Printf("failed to marshal key set into JSON: %s", err)
      return
    }
    log.Printf("%s", jsonbuf)
  }

  for i := 0; i < set.Len(); i++ {
    var rawkey any // This is where we would like to store the raw key, like *rsa.PrivateKey or *ecdsa.PrivateKey
    key, ok := set.Key(i)  // This retrieves the corresponding jwk.Key
    if !ok {
      log.Printf("failed to get key at index %d", i)
      return
    }

    // jws and jwe operations can be performed using jwk.Key, but you could also
    // covert it to their "raw" forms, such as *rsa.PrivateKey or *ecdsa.PrivateKey
    if err := jwk.Export(key, &rawkey); err != nil {
      log.Printf("failed to create public key: %s", err)
      return
    }
    _ = rawkey

    // You can create jwk.Key from a raw key, too
    fromRawKey, err := jwk.Import(rawkey)
    if err != nil {
      log.Printf("failed to acquire raw key from jwk.Key: %s", err)
      return
    }

    // Keys can be serialized back to JSON
    jsonbuf, err := json.Marshal(key)
    if err != nil {
      log.Printf("failed to marshal key into JSON: %s", err)
      return
    }

    fromJSONKey, err := jwk.Parse(jsonbuf)
    if err != nil {
      log.Printf("failed to parse json: %s", err)
      return
    }
    _ = fromJSONKey
    _ = fromRawKey
  }
  // OUTPUT:
}

//nolint:govet
func Example_jwk_marshal_json() {
  // JWKs that inherently involve randomness such as RSA and EC keys are
  // not used in this example, because they may produce different results
  // depending on the environment.
  //
  // (In fact, even if you use a static source of randomness, tests may fail
  // because of internal changes in the Go runtime).

  raw := []byte("01234567890123456789012345678901234567890123456789ABCDEF")

  // This would create a symmetric key
  key, err := jwk.Import(raw)
  if err != nil {
    fmt.Printf("failed to create symmetric key: %s\n", err)
    return
  }
  if _, ok := key.(jwk.SymmetricKey); !ok {
    fmt.Printf("expected jwk.SymmetricKey, got %T\n", key)
    return
  }

  key.Set(jwk.KeyIDKey, "mykey")

  buf, err := json.MarshalIndent(key, "", "  ")
  if err != nil {
    fmt.Printf("failed to marshal key into JSON: %s\n", err)
    return
  }
  fmt.Printf("%s\n", buf)

  // OUTPUT:
  // {
  //   "k": "MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODlBQkNERUY",
  //   "kid": "mykey",
  //   "kty": "oct"
  // }
}

source: examples/jwk_example_test.go