
Method DoJWTAuthorization

command/oauth/cmd.go:1046–1088  ·  view source on GitHub ↗

DoJWTAuthorization generates a JWT instead of an OAuth token. Only works for certain APIs. See https://developers.google.com/identity/protocols/OAuth2ServiceAccount#jwt-auth.

(issuer, aud string)


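// DoJWTAuthorization generates a JWT instead of an OAuth token. Only works for
// certain APIs. See https://developers.google.com/identity/protocols/OAuth2ServiceAccount#jwt-auth.
//
// o.clientSecret must hold a PEM-encoded PKCS#8 private key; o.clientID is
// written into the JWT header as "kid". The token is signed with RS256, so
// the key is expected to be an RSA key (a key of another type is expected to
// be rejected when the signer is created, surfacing as "error creating JWT
// signer"). issuer is used for both the "iss" and "sub" claims and aud for
// the "aud" claim. The returned token carries the compact-serialized JWT as
// a Bearer token whose lifetime is jwtLifetimeSeconds from now; no network
// request is made. Errors are returned for an unreadable PEM block, an
// unparsable key, signer construction and serialization.
func (o *oauth) DoJWTAuthorization(issuer, aud string) (*token, error) {
	// Lifetime of the JWT in seconds. It drives both the "exp" claim and the
	// expires-in field of the returned token, so the two cannot drift apart.
	const jwtLifetimeSeconds = 3600

	// Only the first PEM block is used; any trailing data is ignored.
	block, _ := pem.Decode([]byte(o.clientSecret))
	if block == nil {
		return nil, fmt.Errorf("failed to read private key pem block")
	}
	priv, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, errors.Wrap(err, "error parsing private key")
	}

	// Claims: "nbf" and "iat" are the current time, "exp" one lifetime later.
	now := time.Now().Unix()
	claims := map[string]interface{}{
		"aud": aud,
		"nbf": now,
		"iat": now,
		"exp": now + jwtLifetimeSeconds,
		"iss": issuer,
		"sub": issuer,
	}

	so := new(jose.SignerOptions)
	so.WithType("JWT")
	so.WithHeader("kid", o.clientID)

	// Sign the JWT. The algorithm is fixed to RS256; the key parsed above
	// has to match it.
	signer, err := jose.NewSigner(jose.SigningKey{
		Algorithm: "RS256",
		Key:       priv,
	}, so)
	if err != nil {
		return nil, errors.Wrap(err, "error creating JWT signer")
	}

	raw, err := jose.Signed(signer).Claims(claims).CompactSerialize()
	if err != nil {
		return nil, errors.Wrap(err, "error serializing JWT")
	}

	// Positional literal matching the file's token type: the raw JWT is the
	// access token, the expiry equals the "exp" lifetime, type is Bearer.
	tok := &token{raw, "", "", jwtLifetimeSeconds, "Bearer", "", "", ""}
	return tok, nil
}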
1089
1090// ServeHTTP is the handler that performs the OAuth 2.0 dance and returns the
1091// tokens using channels.

Callers 1

oauthCmdFunction · 0.80

Calls 1

CompactSerializeMethod · 0.80

Tested by

no test coverage detected