Skip to content

Commit 65369ff

Browse files
oxistooxisto
authored
Some documentation improvements (#1)
* Some documentation improvements * Switching back to official image, since it now suports also arm-builds * Adding a bit of a structure and tabs * Added first small code pieces * more doc * First set of parser options * More parsing options
1 parent cfabc48 commit 65369ff

File tree

8 files changed

+154
-20
lines changed

8 files changed

+154
-20
lines changed

.gitignore

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,5 @@
11
.build/
22
.idea/
33
.vscode/
4+
.cache/
5+

Makefile

Lines changed: 1 addition & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,5 @@
11
DOCKER ?= docker
2-
# The official docker image is linux/amd64 only. So we use the recommended
3-
# third-party image as suggested in the docs:
4-
# https://squidfunk.github.io/mkdocs-material/getting-started/?h=docker#with-docker
5-
DOCKER_IMAGE ?= ghcr.io/afritzler/mkdocs-material
2+
DOCKER_IMAGE ?= squidfunk/mkdocs-material
63
DOCKER_BUILD_EXTRA_ARGS ?=
74

85
preview:

README.md

Lines changed: 0 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -12,12 +12,5 @@ We use a pre-built
1212
[docker image](https://squidfunk.github.io/mkdocs-material/getting-started/#with-docker) which comes
1313
with all dependencies pre-installed.
1414

15-
Note, we're using the recommended third-party image because the official one only supports
16-
`linux/amd64`.
17-
18-
```
19-
docker pull ghcr.io/afritzler/mkdocs-material
20-
```
21-
2215
Ensure you have Docker installed, run `make preview`, and open http://127.0.0.1:8000 to see a
2316
preview of the site locally.

docs/index.md

Lines changed: 37 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2,10 +2,43 @@
22
description: Getting started with golang-jwt/jwt
33
---
44

5-
# Getting started
5+
# Getting Started
66

7-
⚠️ This webpage is a work in progress.
7+
Welcome to `jwt-go`, a [go](http://www.golang.org) (or 'golang' for search engine friendliness) implementation of [JSON Web Tokens](https://datatracker.ietf.org/doc/html/rfc7519).
88

9-
## Installation
109

11-
## Signing Algorithms
10+
### Supported Go versions
11+
12+
Our support of Go versions is aligned with Go's [version release
13+
policy](https://golang.org/doc/devel/release#policy). So we will support a major
14+
version of Go until there are two newer major releases. We no longer support
15+
building jwt-go with unsupported Go versions, as these contain security
16+
vulnerabilities which will not be fixed.
17+
18+
## What the heck is a JWT?
19+
20+
JWT.io has [a great introduction](https://jwt.io/introduction) to JSON Web Tokens.
21+
22+
In short, it's a signed JSON object that does something useful (for example, authentication). It's commonly used for `Bearer` tokens in OAuth 2.0 A token is made of three parts, separated by `.`'s. The first two parts are JSON objects, that have been [base64url](https://datatracker.ietf.org/doc/html/rfc4648) encoded. The last part is the signature, encoded the same way.
23+
24+
The first part is called the header. It contains the necessary information for verifying the last part, the signature. For example, which encryption method was used for signing and what key was used.
25+
26+
The part in the middle is the interesting bit. It's called the Claims and contains the actual stuff you care about. Refer to [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519) for information about reserved keys and the proper way to add your own.
27+
28+
## What's in the box?
29+
30+
This library supports the parsing and verification as well as the generation and signing of JWTs. Current supported signing algorithms are HMAC SHA, RSA, RSA-PSS, ECDSA and EdDSA, though hooks are present for adding your own.
31+
32+
## Installation Guidelines
33+
34+
To install the jwt package, you first need to have [Go](https://go.dev/doc/install) installed, then you can use the command below to add `jwt-go` as a dependency in your Go program.
35+
36+
```sh
37+
go get -u github.com/golang-jwt/jwt/v5
38+
```
39+
40+
Then import it in your code:
41+
42+
```go
43+
import "github.com/golang-jwt/jwt/v5"
44+
```

docs/usage/create.md

Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
# Creating a New JWT
2+
3+
One of the primary goals of this library is to create a new JWT (or in short
4+
*token*).
5+
6+
## With Default Options
7+
8+
The easiest way to create a token is to use the
9+
[`jwt.New`](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#New) function. It
10+
then needs one of the available [signing methods](./signing_methods.md), to
11+
finally sign and convert the token into a string format (using the
12+
[`SignedString`](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#Token.SignedString)
13+
method). In the first example, we are using a **symmetric** signing method, i.e.,
14+
HS256. For a symmetric method, both the signing and the verifying key are the
15+
same and thus, both must be equally protected (and should definitely NOT be
16+
stored in your code).
17+
18+
```go
19+
var (
20+
key []byte
21+
t *jwt.Token
22+
s string
23+
)
24+
25+
key = /* Load key from somewhere, for example an environment variable */
26+
t = jwt.New(jwt.SigningMethodHS256) // (1)!
27+
s = t.SignedString(key) // (2)!
28+
```
29+
30+
1. This initializes a new
31+
[`jwt.Token`](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#Token) struct
32+
based on the supplied signing method. In this case a **symmetric** method is
33+
chosen.
34+
2. This step computes a cryptographic signature based on the supplied key.
35+
36+
Signing using an *asymmetric* signing method (for example ECDSA) works quite
37+
similar. For an **asymmetric** method, the private key (which must be kept
38+
secret) is used to *sign* and the corresponding public key (which can be freely
39+
transmitted) is used to *verify* the token.
40+
41+
```go
42+
var (
43+
key *ecdsa.PrivateKey
44+
t *jwt.Token
45+
s string
46+
)
47+
48+
key = /* Load key from somewhere, for example a file */
49+
t = jwt.New(jwt.SigningMethodES256) // (1)!
50+
s = t.SignedString(key) // (2)!
51+
```
52+
53+
1. This initializes a new [`jwt.Token`](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#Token) struct based on the supplied signing method. In this case a **asymmetric** method is chosen.
54+
2. This step computes a cryptographic signature based on the supplied private
55+
key.
56+
57+
Note, that the chosen signing method and the type of key must match. Please refer to [Signing Methods](./signing_methods.md) for a complete overview.
58+
59+
60+
## With Additional Claims
61+
62+
## With Options
63+
64+
While we already prepared a
65+
[`jwt.TokenOption`](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#TokenOption)
66+
type, which can be supplied as a varargs to
67+
[`jwt.New`](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#New) and
68+
[`jwt.NewWithClaims`](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#NewWithClaims),
69+
these are strictly for future compatibility and are currently not used.

docs/usage/parse.md

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
# Parsing and Validating a JWT
2+
3+
## Keyfunc
4+
5+
6+
7+
## With Options
8+
9+
| <div style="width:5.6rem">Option Name</div> | <div style="width:4.5rem">Arguments</div> | Description |
10+
| :------------------------------------------ | :------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
11+
| `WithValidMethods` | methods as `[]string` | Supplies a list of [signing methods](./signing_methods.md) that the parser will check against the algorithm on the token. Only the supplied methods will be considered valid. It is heavily encouraged to use this option in order to prevent "none" algorithm attacks.[^1] | |
12+
| `WithJSONNumber` | - | Configures the underlying JSON parser to use the [`UseNumber`](https://pkg.go.dev/encoding/json#Decoder.UseNumber) function, which decodes numeric JSON values into the [`json.Number`](https://pkg.go.dev/encoding/json#Number) type instead of `float64`. This type can then be used to convert the value into either a floating type or integer type. |
13+
| `WithIssuer` | issuer as `string` | Configures the validator to require the specified issuer in the `"iss"`[^iss] claim. Validation will fail if a different issuer is specified in the token or the `"iss"` claim is missing. |
14+
| `WithSubject` | subject as `string` | Configures the validator to require the specified subject in the `"sub"`[^sub] claim. Validation will fail if a different subject is specified in the token or the `"sub"` claim is missing. |
15+
| `WithAudience` | audience as `string` | Configures the validator to require the specified audience in the `"aud"`[^aud] claim. Validation will fail if the audience is not listed in the token or the `"aud"` claim is missing. The contents of the audience string is application specific, but often contains the URI of the service that consumes the token. |
16+
| `WithLeeway` | leeway as [`time.Duration`](https://pkg.go.dev/time#Duration) | According to the RFC, a certain time window (leeway) is allowed when verifying time based claims, such as expiration time. This is due to the fact that a there is not perfect clock synchronization on the a distributed system such as the internet. While we do not enforce any restriction on the amount of leeway, it should generally not exceed more than a few minutes.[^exp] |
17+
| `WithIssuedAt` | - | Enables a sanity check of the `"iat"`[^iat] claim. More specifically, when turning this option on, the validator will check if the issued-at time is not in the future. |
18+
| Danger Zone |
19+
20+
21+
[^1]: [https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries)
22+
[^iss]: [https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1)
23+
[^sub]: [https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2)
24+
[^aud]: [https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3)
25+
[^exp]: [https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4)
26+
[^iat]: [https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6)
27+

docs/usage/signing_methods.md

Whitespace-only changes.

mkdocs.yaml

Lines changed: 18 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -5,17 +5,30 @@ repo_name: golang-jwt/jwt
55
repo_url: https://github.com/golang-jwt/jwt
66
edit_uri: ""
77

8+
plugins:
9+
- social
10+
811
theme:
912
name: material
1013
palette:
11-
primary: white
12-
accent: indigo
14+
primary: light blue
15+
accent: purple
1316
logo: assets/jwt.png
1417
favicon: assets/jwt.png
1518
features:
1619
- navigation.instant
20+
- navigation.tabs
1721
- toc.integrate
18-
- navigation.sections
22+
- content.code.copy
23+
- content.code.annotate
1924

20-
nav:
21-
- index.md
25+
markdown_extensions:
26+
- pymdownx.highlight:
27+
use_pygments: true
28+
anchor_linenums: true
29+
line_spans: __span
30+
pygments_lang_class: true
31+
- pymdownx.inlinehilite
32+
- pymdownx.snippets
33+
- pymdownx.superfences
34+
- footnotes

0 commit comments

Comments
 (0)