oauthx/jar.go at main · vdbulcke/oauthx · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
package oauthx

import (
	"fmt"
	"time"

	"github.com/golang-jwt/jwt/v5"
	"github.com/vdbulcke/assert"
)

func (c *OAuthClient) PlumbingGenerateRFC9101RequestJwt(claims map[string]any, extraHeaderFields ...*HeaderField) (string, error) {
	assert.NotNil(c.privateKey, assert.Panic, "rfc9101: private key required for generating 'request' JAR")

	jwtClaims := jwt.MapClaims{}

	jwtClaims["exp"] = jwt.NewNumericDate(time.Now().Add(c.rfc9101JarJwtTTL))
	jwtClaims["iat"] = jwt.NewNumericDate(time.Now())
	jwtClaims["nbf"] = jwt.NewNumericDate(time.Now())

	// rfc9101
	// The value of "aud" should be the value of
	// the authorization server (AS) "issuer", as defined in RFC 8414
	// [RFC8414].
	jwtClaims["aud"] = c.wk.Issuer
	jwtClaims["iss"] = c.ClientId

	jti := assert.Must(RandString(10))
	jwtClaims["jti"] = jti

	// add extra claims
	for k, v := range claims {
		jwtClaims[k] = v
	}

	signedJwt, err := c.privateKey.SignJWT(jwtClaims, extraHeaderFields...)
	if err != nil {
		return "", fmt.Errorf("rfc9101: %w", err)
	}

	return signedJwt, nil
}