JWKS support: Fetch, parse JWKS to Keys and encode Keys to JWKS. AWS Cognito JWKS with ease, one-liner: FetchAWSCognitoPublicKeys

Author: kataras

README.md

@@ -2,7 +2,7 @@
 
 [![build status](https://img.shields.io/github/actions/workflow/status/kataras/jwt/ci.yml?style=for-the-badge)](https://github.com/kataras/jwt/actions) [![gocov](https://img.shields.io/badge/Go%20Coverage-92%25-brightgreen.svg?style=for-the-badge)](https://travis-ci.org/github/kataras/jwt/jobs/740739405#L322) [![report card](https://img.shields.io/badge/report%20card-a%2B-ff3333.svg?style=for-the-badge)](https://goreportcard.com/report/github.com/kataras/jwt) [![godocs](https://img.shields.io/badge/go-%20docs-488AC7.svg?style=for-the-badge)](https://pkg.go.dev/github.com/kataras/jwt)
 
-Fast and simple [JWT](https://jwt.io/#libraries-io) implementation written in [Go](https://go.dev/dl/). This package was designed with security, performance and simplicity in mind, it protects your tokens from [critical vulnerabilities that you may find in other libraries](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries).
+Fast and simple [JWT](https://jwt.io/#libraries-io) & JWKS implementation written in [Go](https://go.dev/dl/). This package was designed with security, performance and simplicity in mind, it protects your tokens from [critical vulnerabilities that you may find in other libraries](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries).
 
 [![Benchmarks Total Repetitions - higher is better](http://iris-go.com/images/jwt/benchmarks.png)](_benchmarks)
 
@@ -133,7 +133,7 @@ Example Code to manually set all claims using a standard `map`:
 
 ```go
 now := time.Now()
-claims := map[string]interface{}{
+claims := map[string]any{
     "iat": now.Unix(),
     "exp": now.Add(15 * time.Minute).Unix(),
     "foo": "bar",
@@ -159,7 +159,7 @@ standardClaims := jwt.Claims{
 token, err := jwt.Sign(jwt.HS256, sharedKey, customClaims, standardClaims)
 ```
 
-> The `jwt.Map` is just a _type alias_, a _shortcut_, of `map[string]interface{}`.
+> The `jwt.Map` is just a _type alias_, a _shortcut_, of `map[string]any`.
 
 At all cases, the `iat(IssuedAt)` and `exp(Expiry/MaxAge)` (and `nbf(NotBefore)`) values will be validated automatically on the [`Verify`](#verify-a-token) method.
 
@@ -260,7 +260,7 @@ type VerifiedToken struct {
 
 ### Decode custom Claims
 
-To extract any custom claims, given on the `Sign` method, we use the result of the `Verify` method, which is a `VerifiedToken` pointer. This VerifiedToken has a single method, the `Claims(dest interface{}) error` one, which can be used to decode the claims (payload part) to a value of our choice. Again, that value can be a `map` or any `struct`.
+To extract any custom claims, given on the `Sign` method, we use the result of the `Verify` method, which is a `VerifiedToken` pointer. This VerifiedToken has a single method, the `Claims(dest any) error` one, which can be used to decode the claims (payload part) to a value of our choice. Again, that value can be a `map` or any `struct`.
 
 ```go
 var claims = struct {

_benchmarks/sign_benchmark_test.go

@@ -23,7 +23,7 @@ func BenchmarkSign_Map(b *testing.B) {
 	for i := 0; i < b.N; i++ {
 		// supports custom types and expiration helper.
 		now := time.Now()
-		claims := map[string]interface{}{
+		claims := map[string]any{
 			"foo": "bar",
 			"exp": now.Add(15 * time.Minute).Unix(),
 			"iat": now.Unix(),
@@ -159,7 +159,7 @@ func BenchmarkSign_go_jose_Map(b *testing.B) {
 		// unlike kataras/jwt which u can use already defined structs.
 		// We will benchmark it with structs (see below test).
 		now := time.Now()
-		claims := map[string]interface{}{
+		claims := map[string]any{
 			"foo": "bar",
 			"exp": now.Add(15 * time.Minute).Unix(),
 			"iat": now.Unix(),

_benchmarks/verify_benchmark_test.go

@@ -45,7 +45,7 @@ func BenchmarkVerify_jwt_go(b *testing.B) {
 	b.ResetTimer()
 
 	for i := 0; i < b.N; i++ {
-		_, err := jwtgo.Parse(tokenString, func(token *jwtgo.Token) (interface{}, error) {
+		_, err := jwtgo.Parse(tokenString, func(token *jwtgo.Token) (any, error) {
 			return testSecret, nil
 		})
 		if err != nil {

_examples/aws-cognito-verify/main.go

@@ -11,19 +11,7 @@ import (
 // |=================================================================================|
 
 func main() {
-	/*
-		cognitoConfig := jwt.AWSKeysConfiguration{
-			Region:     "us-west-2",
-			UserPoolID: "us-west-2_xxx",
-		}
-
-		keys, err := cognitoConfig.Load()
-		if err != nil {
-			panic(err)
-		}
-		OR:
-	*/
-	keys, err := jwt.LoadAWSCognitoKeys("us-west-2" /* region */, "us-west-2_xxx" /* user pool id */)
+	keys, err := jwt.FetchAWSCognitoPublicKeys("us-west-2" /* region */, "us-west-2_xxx" /* user pool id */)
 	if err != nil {
 		panic(err) // handle error, e.g. pool does not exist in the region.
 	}

_examples/basic/main.go

@@ -50,7 +50,7 @@ var sharedKey = []byte("sercrethatmaycontainch@r$32chars") // OR jwt.MustGenerat
 // generate token to use.
 func getTokenHandler(w http.ResponseWriter, r *http.Request) {
 	// now := time.Now()
-	// token, err := jwt.Sign(jwt.HS256, sharedKey, map[string]interface{}{
+	// token, err := jwt.Sign(jwt.HS256, sharedKey, map[string]any{
 	// 	"iat": now.Unix(),
 	// 	"exp": now.Add(15 * time.Minute).Unix(),
 	// 	"foo": "bar",
@@ -94,7 +94,7 @@ func verifyTokenHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Parse custom claims...
-	var claims map[string]interface{}
+	var claims map[string]any
 	// ^ can be any type, e.g.
 	// var claims = struct {
 	// 	Foo string `json:"foo"`

_examples/basic/rs512-verify/main.go

@@ -54,7 +54,7 @@ func verifyTokenHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Parse custom claims...
-	var claims map[string]interface{}
+	var claims map[string]any
 	// ^ can be any type, e.g.
 	// var claims = struct {
 	// 	Foo string `json:"foo"`

_examples/blocklist/main.go

@@ -85,7 +85,7 @@ Navigate to http://localhost:8080/protected?token=%s and you should see an ErrBl
 		}
 
 		// Parse custom claims...
-		var claims map[string]interface{}
+		var claims map[string]any
 		// ^ can be any type, e.g.
 		// var claims = struct {
 		// 	Foo string `json:"foo"`

_examples/generate-ed25519/main.go

@@ -2,8 +2,8 @@ package main
 
 import (
 	"crypto/ed25519"
-	"io/ioutil"
 	"log"
+	"os"
 
 	"github.com/kataras/jwt"
 )
@@ -14,12 +14,12 @@ func main() {
 		log.Fatal(err)
 	}
 
-	err = ioutil.WriteFile("ed25519_private.pem", priv, 0600)
+	err = os.WriteFile("ed25519_private.pem", priv, 0600)
 	if err != nil {
 		log.Fatalf("ed25519: private: write file: %w", err)
 	}
 
-	err = ioutil.WriteFile("ed25519_public.pem", pub, 0600)
+	err = os.WriteFile("ed25519_public.pem", pub, 0600)
 	if err != nil {
 		log.Fatalf("ed25519: public: write file: %w", err)
 	}

_examples/middleware/main.go

@@ -24,7 +24,7 @@ func main() {
 func getTokenHandler(w http.ResponseWriter, r *http.Request) {
 	now := time.Now()
 
-	token, err := jwt.Sign(jwt.HS256, sharedKey, map[string]interface{}{
+	token, err := jwt.Sign(jwt.HS256, sharedKey, map[string]any{
 		"iat": now.Unix(),
 		"exp": now.Add(15 * time.Minute).Unix(),
 		"foo": "bar",
@@ -47,7 +47,7 @@ func getTokenHandler(w http.ResponseWriter, r *http.Request) {
 func protectedHandler(w http.ResponseWriter, r *http.Request) {
 	verifiedToken := r.Context().Value(tokenContextKey).(*jwt.VerifiedToken)
 
-	var claims map[string]interface{}
+	var claims map[string]any
 	// ^ can be any type, e.g.
 	// var claims = struct {
 	// 	Foo string `json:"foo"`
@@ -108,14 +108,14 @@ func verify2(next http.HandlerFunc) http.HandlerFunc {
 	/*
 		Another idea, when you want a single middleware to support different
 		Go structs (benefit: type safety when access the claims fields):
-		verify2(getClaimsPtr func() interface{}, next http.HandlerFunc) {
+		verify2(getClaimsPtr func() any, next http.HandlerFunc) {
 			// [...]
 			claimsPtr := getClaimsPtr()
 			verifiedToken.Claims(claimsPtr)
 			// [...]
 		}
 		Another idea's usage:
-		verify2(func() interface{} {
+		verify2(func() any {
 			return &userClaims{}
 		}, routeHandler)
 		Inside the handler:

claims.go

@@ -68,8 +68,8 @@ type claimsSecondChance struct {
 	Expiry    json.Number `json:"exp,omitempty"`
 	ID        string      `json:"jti,omitempty"`
 	OriginID  string      `json:"origin_jti,omitempty"`
-	Issuer    interface{} `json:"iss,omitempty"`
-	Subject   interface{} `json:"sub,omitempty"`
+	Issuer    any         `json:"iss,omitempty"`
+	Subject   any         `json:"sub,omitempty"`
 	Audience  Audience    `json:"aud,omitempty"`
 }
 
@@ -90,7 +90,7 @@ func (c claimsSecondChance) toClaims() Claims {
 	}
 }
 
-func getStr(v interface{}) string {
+func getStr(v any) string {
 	if v == nil {
 		return ""
 	}
@@ -246,7 +246,7 @@ func MaxAge(maxAge time.Duration) SignOptionFunc {
 
 // MaxAgeMap is a helper to set "exp" and "iat" claims to a map claims.
 // Usage:
-// claims := map[string]interface{}{"foo": "bar"}
+// claims := map[string]any{"foo": "bar"}
 // MaxAgeMap(15 * time.Minute, claims)
 // Sign(alg, key, claims)
 func MaxAgeMap(maxAge time.Duration, claims Map) {
@@ -270,7 +270,7 @@ func MaxAgeMap(maxAge time.Duration, claims Map) {
 //
 // Usage:
 //
-//	claims := Merge(map[string]interface{}{"foo":"bar"}, Claims{
+//	claims := Merge(map[string]any{"foo":"bar"}, Claims{
 //	  MaxAge: 15 * time.Minute,
 //	  Issuer: "an-issuer",
 //	})
@@ -280,7 +280,7 @@ func MaxAgeMap(maxAge time.Duration, claims Map) {
 //
 //	Sign(alg, key, claims, MaxAge(time.Duration))
 //	Sign(alg, key, claims, Claims{...})
-func Merge(claims interface{}, other interface{}) []byte {
+func Merge(claims any, other any) []byte {
 	claimsB, err := Marshal(claims)
 	if err != nil {
 		return nil

claims_merge_benchmark_test.go

@@ -117,7 +117,7 @@ func BenchmarkStructToMapReflection(b *testing.B) {
 	}
 }
 
-func structToMapJSON(i interface{}) (Map, error) {
+func structToMapJSON(i any) (Map, error) {
 	if m, ok := i.(Map); ok {
 		return m, nil
 	}
@@ -136,7 +136,7 @@ func structToMapJSON(i interface{}) (Map, error) {
 	return m, nil
 }
 
-func structToMapReflection(i interface{}) (Map, error) {
+func structToMapReflection(i any) (Map, error) {
 	if m, ok := i.(Map); ok {
 		return m, nil
 	}
@@ -147,7 +147,7 @@ func structToMapReflection(i interface{}) (Map, error) {
 	}
 
 	n := v.NumField()
-	m := make(map[string]interface{}, n)
+	m := make(map[string]any, n)
 
 	typ := v.Type()
 	for i := 0; i < n; i++ {

doc.go

@@ -31,15 +31,15 @@ Getting Started:
 
 	func main() {
 	// Generate a token:
-	myClaims := map[string]interface{}{
+	myClaims := map[string]any{
 		"foo": "bar",
 	}
 	token, err := jwt.Sign(jwt.HS256, sharedKey, myClaims, jwt.MaxAge(15 * time.Minute))
 
 	// Verify and extract claims from a token:
 	verifiedToken, err := jwt.Verify(jwt.HS256, sharedKey, token)
 
-	var claims map[string]interface{}
+	var claims map[string]any
 	err = verifiedToken.Claims(&claims)
 	}
 */

hmac.go

@@ -57,7 +57,7 @@ func (a *algHMAC) Verify(key PublicKey, headerAndPayload []byte, signature []byt
 
 // Key Helper.
 
-var panicHandler = func(v interface{}) {
+var panicHandler = func(v any) {
 	panic(v)
 }
 

hmac_test.go

@@ -23,9 +23,9 @@ func catchPanic(t *testing.T, shouldPanic bool, fn func()) {
 	t.Helper()
 
 	got := false
-	var val interface{}
+	var val any
 	prevHandler := panicHandler
-	panicHandler = func(v interface{}) {
+	panicHandler = func(v any) {
 		got = true
 		val = v
 	}