diff options
Diffstat (limited to 'vendor/github.com/golang-jwt/jwt/v5/README.md')
| -rw-r--r-- | vendor/github.com/golang-jwt/jwt/v5/README.md | 167 |
1 files changed, 167 insertions, 0 deletions
diff --git a/vendor/github.com/golang-jwt/jwt/v5/README.md b/vendor/github.com/golang-jwt/jwt/v5/README.md new file mode 100644 index 0000000..964598a --- /dev/null +++ b/vendor/github.com/golang-jwt/jwt/v5/README.md | |||
| @@ -0,0 +1,167 @@ | |||
| 1 | # jwt-go | ||
| 2 | |||
| 3 | [](https://github.com/golang-jwt/jwt/actions/workflows/build.yml) | ||
| 4 | [](https://pkg.go.dev/github.com/golang-jwt/jwt/v5) | ||
| 6 | [](https://coveralls.io/github/golang-jwt/jwt?branch=main) | ||
| 7 | |||
| 8 | A [go](http://www.golang.org) (or 'golang' for search engine friendliness) | ||
| 9 | implementation of [JSON Web | ||
| 10 | Tokens](https://datatracker.ietf.org/doc/html/rfc7519). | ||
| 11 | |||
| 12 | Starting with [v4.0.0](https://github.com/golang-jwt/jwt/releases/tag/v4.0.0) | ||
| 13 | this project adds Go module support, but maintains backwards compatibility with | ||
| 14 | older `v3.x.y` tags and upstream `github.com/dgrijalva/jwt-go`. See the | ||
| 15 | [`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information. Version | ||
| 16 | v5.0.0 introduces major improvements to the validation of tokens, but is not | ||
| 17 | entirely backwards compatible. | ||
| 18 | |||
| 19 | > After the original author of the library suggested migrating the maintenance | ||
| 20 | > of `jwt-go`, a dedicated team of open source maintainers decided to clone the | ||
| 21 | > existing library into this repository. See | ||
| 22 | > [dgrijalva/jwt-go#462](https://github.com/dgrijalva/jwt-go/issues/462) for a | ||
| 23 | > detailed discussion on this topic. | ||
| 24 | |||
| 25 | |||
| 26 | **SECURITY NOTICE:** Some older versions of Go have a security issue in the | ||
| 27 | crypto/elliptic. Recommendation is to upgrade to at least 1.15 See issue | ||
| 28 | [dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more | ||
| 29 | detail. | ||
| 30 | |||
| 31 | **SECURITY NOTICE:** It's important that you [validate the `alg` presented is | ||
| 32 | what you | ||
| 33 | expect](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/). | ||
| 34 | This library attempts to make it easy to do the right thing by requiring key | ||
| 35 | types match the expected alg, but you should take the extra step to verify it in | ||
| 36 | your usage. See the examples provided. | ||
| 37 | |||
| 38 | ### Supported Go versions | ||
| 39 | |||
| 40 | Our support of Go versions is aligned with Go's [version release | ||
| 41 | policy](https://golang.org/doc/devel/release#policy). So we will support a major | ||
| 42 | version of Go until there are two newer major releases. We no longer support | ||
| 43 | building jwt-go with unsupported Go versions, as these contain security | ||
| 44 | vulnerabilities which will not be fixed. | ||
| 45 | |||
| 46 | ## What the heck is a JWT? | ||
| 47 | |||
| 48 | JWT.io has [a great introduction](https://jwt.io/introduction) to JSON Web | ||
| 49 | Tokens. | ||
| 50 | |||
| 51 | In short, it's a signed JSON object that does something useful (for example, | ||
| 52 | authentication). It's commonly used for `Bearer` tokens in Oauth 2. A token is | ||
| 53 | made of three parts, separated by `.`'s. The first two parts are JSON objects, | ||
| 54 | that have been [base64url](https://datatracker.ietf.org/doc/html/rfc4648) | ||
| 55 | encoded. The last part is the signature, encoded the same way. | ||
| 56 | |||
| 57 | The first part is called the header. It contains the necessary information for | ||
| 58 | verifying the last part, the signature. For example, which encryption method | ||
| 59 | was used for signing and what key was used. | ||
| 60 | |||
| 61 | The part in the middle is the interesting bit. It's called the Claims and | ||
| 62 | contains the actual stuff you care about. Refer to [RFC | ||
| 63 | 7519](https://datatracker.ietf.org/doc/html/rfc7519) for information about | ||
| 64 | reserved keys and the proper way to add your own. | ||
| 65 | |||
| 66 | ## What's in the box? | ||
| 67 | |||
| 68 | This library supports the parsing and verification as well as the generation and | ||
| 69 | signing of JWTs. Current supported signing algorithms are HMAC SHA, RSA, | ||
| 70 | RSA-PSS, and ECDSA, though hooks are present for adding your own. | ||
| 71 | |||
| 72 | ## Installation Guidelines | ||
| 73 | |||
| 74 | 1. To install the jwt package, you first need to have | ||
| 75 | [Go](https://go.dev/doc/install) installed, then you can use the command | ||
| 76 | below to add `jwt-go` as a dependency in your Go program. | ||
| 77 | |||
| 78 | ```sh | ||
| 79 | go get -u github.com/golang-jwt/jwt/v5 | ||
| 80 | ``` | ||
| 81 | |||
| 82 | 2. Import it in your code: | ||
| 83 | |||
| 84 | ```go | ||
| 85 | import "github.com/golang-jwt/jwt/v5" | ||
| 86 | ``` | ||
| 87 | |||
| 88 | ## Usage | ||
| 89 | |||
| 90 | A detailed usage guide, including how to sign and verify tokens can be found on | ||
| 91 | our [documentation website](https://golang-jwt.github.io/jwt/usage/create/). | ||
| 92 | |||
| 93 | ## Examples | ||
| 94 | |||
| 95 | See [the project documentation](https://pkg.go.dev/github.com/golang-jwt/jwt/v5) | ||
| 96 | for examples of usage: | ||
| 97 | |||
| 98 | * [Simple example of parsing and validating a | ||
| 99 | token](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#example-Parse-Hmac) | ||
| 100 | * [Simple example of building and signing a | ||
| 101 | token](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#example-New-Hmac) | ||
| 102 | * [Directory of | ||
| 103 | Examples](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#pkg-examples) | ||
| 104 | |||
| 105 | ## Compliance | ||
| 106 | |||
| 107 | This library was last reviewed to comply with [RFC | ||
| 108 | 7519](https://datatracker.ietf.org/doc/html/rfc7519) dated May 2015 with a few | ||
| 109 | notable differences: | ||
| 110 | |||
| 111 | * In order to protect against accidental use of [Unsecured | ||
| 112 | JWTs](https://datatracker.ietf.org/doc/html/rfc7519#section-6), tokens using | ||
| 113 | `alg=none` will only be accepted if the constant | ||
| 114 | `jwt.UnsafeAllowNoneSignatureType` is provided as the key. | ||
| 115 | |||
| 116 | ## Project Status & Versioning | ||
| 117 | |||
| 118 | This library is considered production ready. Feedback and feature requests are | ||
| 119 | appreciated. The API should be considered stable. There should be very few | ||
| 120 | backwards-incompatible changes outside of major version updates (and only with | ||
| 121 | good reason). | ||
| 122 | |||
| 123 | This project uses [Semantic Versioning 2.0.0](http://semver.org). Accepted pull | ||
| 124 | requests will land on `main`. Periodically, versions will be tagged from | ||
| 125 | `main`. You can find all the releases on [the project releases | ||
| 126 | page](https://github.com/golang-jwt/jwt/releases). | ||
| 127 | |||
| 128 | **BREAKING CHANGES:*** A full list of breaking changes is available in | ||
| 129 | `VERSION_HISTORY.md`. See `MIGRATION_GUIDE.md` for more information on updating | ||
| 130 | your code. | ||
| 131 | |||
| 132 | ## Extensions | ||
| 133 | |||
| 134 | This library publishes all the necessary components for adding your own signing | ||
| 135 | methods or key functions. Simply implement the `SigningMethod` interface and | ||
| 136 | register a factory method using `RegisterSigningMethod` or provide a | ||
| 137 | `jwt.Keyfunc`. | ||
| 138 | |||
| 139 | A common use case would be integrating with different 3rd party signature | ||
| 140 | providers, like key management services from various cloud providers or Hardware | ||
| 141 | Security Modules (HSMs) or to implement additional standards. | ||
| 142 | |||
| 143 | | Extension | Purpose | Repo | | ||
| 144 | | --------- | -------------------------------------------------------------------------------------------------------- | ------------------------------------------ | | ||
| 145 | | GCP | Integrates with multiple Google Cloud Platform signing tools (AppEngine, IAM API, Cloud KMS) | https://github.com/someone1/gcp-jwt-go | | ||
| 146 | | AWS | Integrates with AWS Key Management Service, KMS | https://github.com/matelang/jwt-go-aws-kms | | ||
| 147 | | JWKS | Provides support for JWKS ([RFC 7517](https://datatracker.ietf.org/doc/html/rfc7517)) as a `jwt.Keyfunc` | https://github.com/MicahParks/keyfunc | | ||
| 148 | |||
| 149 | *Disclaimer*: Unless otherwise specified, these integrations are maintained by | ||
| 150 | third parties and should not be considered as a primary offer by any of the | ||
| 151 | mentioned cloud providers | ||
| 152 | |||
| 153 | ## More | ||
| 154 | |||
| 155 | Go package documentation can be found [on | ||
| 156 | pkg.go.dev](https://pkg.go.dev/github.com/golang-jwt/jwt/v5). Additional | ||
| 157 | documentation can be found on [our project | ||
| 158 | page](https://golang-jwt.github.io/jwt/). | ||
| 159 | |||
| 160 | The command line utility included in this project (cmd/jwt) provides a | ||
| 161 | straightforward example of token creation and parsing as well as a useful tool | ||
| 162 | for debugging your own integration. You'll also find several implementation | ||
| 163 | examples in the documentation. | ||
| 164 | |||
| 165 | [golang-jwt](https://github.com/orgs/golang-jwt) incorporates a modified version | ||
| 166 | of the JWT logo, which is distributed under the terms of the [MIT | ||
| 167 | License](https://github.com/jsonwebtoken/jsonwebtoken.github.io/blob/master/LICENSE.txt). | ||