authentik/internal/outpost/proxyv2/hs256/hs256.go

package hs256

import (
	"context"
	"encoding/base64"
	"strings"

	"github.com/golang-jwt/jwt"
)

type KeySet struct {
	m      jwt.SigningMethod
	secret string
}

func NewKeySet(secret string) *KeySet {
	return &KeySet{
		m:      jwt.GetSigningMethod("HS256"),
		secret: secret,
	}
}

func (ks *KeySet) VerifySignature(ctx context.Context, jwt string) ([]byte, error) {
	parts := strings.Split(jwt, ".")
	err := ks.m.Verify(strings.Join(parts[0:2], "."), parts[2], []byte(ks.secret))
	if err != nil {
		return nil, err
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	return payload, err
}
outposts/proxyv2 (#1365) * outposts/proxyv2: initial commit Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add rs256 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> more stuff Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add forward auth an sign_out Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> match cookie name Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> re-add support for rs256 for backwards compat Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add error handler Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> ensure unique user-agent is used Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> set cookie duration based on id_token expiry Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> build proxy v2 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add ssl Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add basic auth and custom header support Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add application cert loading Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> implement whitelist Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add redis Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> migrate embedded outpost to v2 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> remove old proxy Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> providers/proxy: make token expiration configurable Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add metrics Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> fix tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: only allow one redirect URI Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix docker build for proxy Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * remove default port offset Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add AUTHENTIK_HOST_BROWSER Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * tests: fix e2e/integration tests not using proper tags Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * remove references of old port Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix user_attributes not being loaded correctly Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * cleanup dependencies Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * cleanup Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-08 18:04:56 +00:00			`package hs256`

			`import (`
			`"context"`
			`"encoding/base64"`
			`"strings"`

			`"github.com/golang-jwt/jwt"`
			`)`

			`type KeySet struct {`
			`m jwt.SigningMethod`
			`secret string`
			`}`

			`func NewKeySet(secret string) *KeySet {`
			`return &KeySet{`
			`m: jwt.GetSigningMethod("HS256"),`
			`secret: secret,`
			`}`
			`}`

			`func (ks *KeySet) VerifySignature(ctx context.Context, jwt string) ([]byte, error) {`
			`parts := strings.Split(jwt, ".")`
			`err := ks.m.Verify(strings.Join(parts[0:2], "."), parts[2], []byte(ks.secret))`
			`if err != nil {`
			`return nil, err`
			`}`
			`payload, err := base64.RawURLEncoding.DecodeString(parts[1])`
			`return payload, err`
			`}`