Add ES256 (ECDSA P-256) JWT support for Apple Sign In
- Added SignES256 function with issuer, audience, and subject parameters - Added ParseES256 function for validation with issuer and audience - Comprehensive test coverage for ES256 signing and parsing - Supports Apple Sign In requirements with ES256 algorithm
This commit is contained in:
67
jwt/jwt.go
67
jwt/jwt.go
@@ -6,6 +6,7 @@
|
||||
package jwt
|
||||
|
||||
import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/ed25519"
|
||||
"errors"
|
||||
"fmt"
|
||||
@@ -94,3 +95,69 @@ func ParseHS256(secret []byte, tokenString string, issuer string) (jwt.MapClaims
|
||||
}
|
||||
return nil, errors.New("no claims found in token")
|
||||
}
|
||||
|
||||
// SignES256 signs a JWT using ES256 (ECDSA P-256) algorithm.
|
||||
// This is required for Apple Sign In which mandates ES256.
|
||||
// Pass empty string for issuer, audience, or subject to omit them from the token.
|
||||
func SignES256(
|
||||
key *ecdsa.PrivateKey, issuer, audience, subject string, d time.Duration, claims map[string]any,
|
||||
) (string, error) {
|
||||
cl := jwt.MapClaims{
|
||||
"iat": jwt.NewNumericDate(time.Now().UTC()),
|
||||
"exp": jwt.NewNumericDate(time.Now().Add(d)),
|
||||
}
|
||||
|
||||
if issuer != "" {
|
||||
cl["iss"] = issuer
|
||||
}
|
||||
|
||||
if audience != "" {
|
||||
cl["aud"] = audience
|
||||
}
|
||||
|
||||
if subject != "" {
|
||||
cl["sub"] = subject
|
||||
}
|
||||
|
||||
maps.Copy(cl, claims)
|
||||
|
||||
t := jwt.NewWithClaims(jwt.SigningMethodES256, cl)
|
||||
return t.SignedString(key)
|
||||
}
|
||||
|
||||
// ParseES256 parses and validates a JWT signed with ES256 (ECDSA P-256) algorithm.
|
||||
// This is required for Apple Sign In which mandates ES256.
|
||||
// issuer and audience are typically validated, while subject is optional (pass empty string to skip).
|
||||
func ParseES256(key *ecdsa.PublicKey, tokenString, issuer, audience string) (jwt.MapClaims, error) {
|
||||
opts := []jwt.ParserOption{
|
||||
jwt.WithValidMethods([]string{jwt.SigningMethodES256.Alg()}),
|
||||
jwt.WithIssuedAt(),
|
||||
jwt.WithExpirationRequired(),
|
||||
}
|
||||
|
||||
if issuer != "" {
|
||||
opts = append(opts, jwt.WithIssuer(issuer))
|
||||
}
|
||||
if audience != "" {
|
||||
opts = append(opts, jwt.WithAudience(audience))
|
||||
}
|
||||
|
||||
token, err := jwt.Parse(
|
||||
tokenString,
|
||||
func(token *jwt.Token) (any, error) {
|
||||
if _, ok := token.Method.(*jwt.SigningMethodECDSA); !ok {
|
||||
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
|
||||
}
|
||||
return key, nil
|
||||
},
|
||||
opts...,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to parse JWT token: %w", err)
|
||||
}
|
||||
|
||||
if claims, ok := token.Claims.(jwt.MapClaims); ok {
|
||||
return claims, nil
|
||||
}
|
||||
return nil, errors.New("no claims found in token")
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user