jwt_verifier.h
Go to the documentation of this file.
1 /*
2  *
3  * Copyright 2015 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_JWT_JWT_VERIFIER_H
20 #define GRPC_CORE_LIB_SECURITY_CREDENTIALS_JWT_JWT_VERIFIER_H
21 
22 #include <grpc/support/port_platform.h>
23 
24 #include <stddef.h>
25 
26 #include <grpc/impl/codegen/gpr_types.h>
27 
28 #include "src/core/lib/gprpp/time.h"
29 #include "src/core/lib/iomgr/pollset.h"
30 #include "src/core/lib/json/json.h"
31 
32 /* --- Constants. --- */
33 
34 #define GRPC_OPENID_CONFIG_URL_SUFFIX "/.well-known/openid-configuration"
35 #define GRPC_GOOGLE_SERVICE_ACCOUNTS_EMAIL_DOMAIN "gserviceaccount.com"
36 #define GRPC_GOOGLE_SERVICE_ACCOUNTS_KEY_URL_PREFIX \
37  "www.googleapis.com/robot/v1/metadata/x509"
38 
39 /* --- grpc_jwt_verifier_status. --- */
40 
41 typedef enum {
42  GRPC_JWT_VERIFIER_OK = 0,
43  GRPC_JWT_VERIFIER_BAD_SIGNATURE,
44  GRPC_JWT_VERIFIER_BAD_FORMAT,
45  GRPC_JWT_VERIFIER_BAD_AUDIENCE,
46  GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR,
47  GRPC_JWT_VERIFIER_TIME_CONSTRAINT_FAILURE,
48  GRPC_JWT_VERIFIER_BAD_SUBJECT,
49  GRPC_JWT_VERIFIER_GENERIC_ERROR
50 } grpc_jwt_verifier_status;
51 
52 const char* grpc_jwt_verifier_status_to_string(grpc_jwt_verifier_status status);
53 
54 /* --- grpc_jwt_claims. --- */
55 
56 typedef struct grpc_jwt_claims grpc_jwt_claims;
57 
58 void grpc_jwt_claims_destroy(grpc_jwt_claims* claims);
59 
60 /* Returns the whole JSON tree of the claims. */
61 const grpc_core::Json* grpc_jwt_claims_json(const grpc_jwt_claims* claims);
62 
63 /* Access to registered claims in https://tools.ietf.org/html/rfc7519#page-9 */
64 const char* grpc_jwt_claims_subject(const grpc_jwt_claims* claims);
65 const char* grpc_jwt_claims_issuer(const grpc_jwt_claims* claims);
66 const char* grpc_jwt_claims_id(const grpc_jwt_claims* claims);
67 const char* grpc_jwt_claims_audience(const grpc_jwt_claims* claims);
68 gpr_timespec grpc_jwt_claims_issued_at(const grpc_jwt_claims* claims);
69 gpr_timespec grpc_jwt_claims_expires_at(const grpc_jwt_claims* claims);
70 gpr_timespec grpc_jwt_claims_not_before(const grpc_jwt_claims* claims);
71 
72 /* --- grpc_jwt_verifier. --- */
73 
74 typedef struct grpc_jwt_verifier grpc_jwt_verifier;
75 
76 struct grpc_jwt_verifier_email_domain_key_url_mapping {
77  /* The email domain is the part after the @ sign. */
78  const char* email_domain;
79 
80  /* The key url prefix will be used to get the public key from the issuer:
81  https://<key_url_prefix>/<issuer_email>
82  Therefore the key_url_prefix must NOT contain https://. */
83  const char* key_url_prefix;
84 };
85 /* Globals to control the verifier. Not thread-safe. */
86 extern gpr_timespec grpc_jwt_verifier_clock_skew;
87 extern grpc_core::Duration grpc_jwt_verifier_max_delay;
88 
89 /* The verifier can be created with some custom mappings to help with key
90  discovery in the case where the issuer is an email address.
91  mappings can be NULL in which case num_mappings MUST be 0.
92  A verifier object has one built-in mapping (unless overridden):
93  GRPC_GOOGLE_SERVICE_ACCOUNTS_EMAIL_DOMAIN ->
94  GRPC_GOOGLE_SERVICE_ACCOUNTS_KEY_URL_PREFIX.*/
95 grpc_jwt_verifier* grpc_jwt_verifier_create(
96  const grpc_jwt_verifier_email_domain_key_url_mapping* mappings,
97  size_t num_mappings);
98 
99 /*The verifier must not be destroyed if there are still outstanding callbacks.*/
100 void grpc_jwt_verifier_destroy(grpc_jwt_verifier* verifier);
101 
102 /* User provided callback that will be called when the verification of the JWT
103  is done (maybe in another thread).
104  It is the responsibility of the callee to call grpc_jwt_claims_destroy on
105  the claims. */
106 typedef void (*grpc_jwt_verification_done_cb)(void* user_data,
107  grpc_jwt_verifier_status status,
108  grpc_jwt_claims* claims);
109 
110 /* Verifies for the JWT for the given expected audience. */
111 void grpc_jwt_verifier_verify(grpc_jwt_verifier* verifier,
112  grpc_pollset* pollset, const char* jwt,
113  const char* audience,
114  grpc_jwt_verification_done_cb cb,
115  void* user_data);
116 
117 /* --- TESTING ONLY exposed functions. --- */
118 
119 grpc_jwt_claims* grpc_jwt_claims_from_json(grpc_core::Json json);
120 grpc_jwt_verifier_status grpc_jwt_claims_check(const grpc_jwt_claims* claims,
121  const char* audience);
122 const char* grpc_jwt_issuer_email_domain(const char* issuer);
123 
124 #endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_JWT_JWT_VERIFIER_H */
GRPC_JWT_VERIFIER_TIME_CONSTRAINT_FAILURE
@ GRPC_JWT_VERIFIER_TIME_CONSTRAINT_FAILURE
Definition: jwt_verifier.h:47
pollset.h
grpc_jwt_claims_subject
const char * grpc_jwt_claims_subject(const grpc_jwt_claims *claims)
Definition: jwt_verifier.cc:229
GRPC_JWT_VERIFIER_OK
@ GRPC_JWT_VERIFIER_OK
Definition: jwt_verifier.h:42
GRPC_JWT_VERIFIER_BAD_SIGNATURE
@ GRPC_JWT_VERIFIER_BAD_SIGNATURE
Definition: jwt_verifier.h:43
grpc_jwt_claims_expires_at
gpr_timespec grpc_jwt_claims_expires_at(const grpc_jwt_claims *claims)
Definition: jwt_verifier.cc:254
grpc_jwt_verifier_verify
void grpc_jwt_verifier_verify(grpc_jwt_verifier *verifier, grpc_pollset *pollset, const char *jwt, const char *audience, grpc_jwt_verification_done_cb cb, void *user_data)
Definition: jwt_verifier.cc:880
GRPC_JWT_VERIFIER_BAD_SUBJECT
@ GRPC_JWT_VERIFIER_BAD_SUBJECT
Definition: jwt_verifier.h:48
grpc_jwt_verification_done_cb
void(* grpc_jwt_verification_done_cb)(void *user_data, grpc_jwt_verifier_status status, grpc_jwt_claims *claims)
Definition: jwt_verifier.h:106
status
absl::Status status
Definition: rls.cc:251
grpc_jwt_verifier_status_to_string
const char * grpc_jwt_verifier_status_to_string(grpc_jwt_verifier_status status)
Definition: jwt_verifier.cc:73
grpc_jwt_verifier_email_domain_key_url_mapping::key_url_prefix
const char * key_url_prefix
Definition: jwt_verifier.h:83
grpc_jwt_claims_audience
const char * grpc_jwt_claims_audience(const grpc_jwt_claims *claims)
Definition: jwt_verifier.cc:244
grpc_jwt_verifier_email_domain_key_url_mapping::email_domain
const char * email_domain
Definition: jwt_verifier.h:78
verifier
static void verifier(grpc_server *server, grpc_completion_queue *cq, void *)
Definition: badreq.cc:31
grpc_jwt_verifier_destroy
void grpc_jwt_verifier_destroy(grpc_jwt_verifier *verifier)
Definition: jwt_verifier.cc:947
grpc_jwt_verifier_status
grpc_jwt_verifier_status
Definition: jwt_verifier.h:41
grpc_jwt_claims_id
const char * grpc_jwt_claims_id(const grpc_jwt_claims *claims)
Definition: jwt_verifier.cc:239
GRPC_JWT_VERIFIER_GENERIC_ERROR
@ GRPC_JWT_VERIFIER_GENERIC_ERROR
Definition: jwt_verifier.h:49
GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR
@ GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR
Definition: jwt_verifier.h:46
time.h
grpc_jwt_claims_check
grpc_jwt_verifier_status grpc_jwt_claims_check(const grpc_jwt_claims *claims, const char *audience)
Definition: jwt_verifier.cc:309
grpc_jwt_verifier_clock_skew
gpr_timespec grpc_jwt_verifier_clock_skew
Definition: jwt_verifier.cc:412
grpc_jwt_claims_issued_at
gpr_timespec grpc_jwt_claims_issued_at(const grpc_jwt_claims *claims)
Definition: jwt_verifier.cc:249
json.h
GRPC_JWT_VERIFIER_BAD_FORMAT
@ GRPC_JWT_VERIFIER_BAD_FORMAT
Definition: jwt_verifier.h:44
gpr_types.h
grpc_jwt_verifier_email_domain_key_url_mapping
Definition: jwt_verifier.h:76
grpc_jwt_verifier
Definition: jwt_verifier.cc:422
grpc_jwt_claims_issuer
const char * grpc_jwt_claims_issuer(const grpc_jwt_claims *claims)
Definition: jwt_verifier.cc:234
grpc_jwt_claims_destroy
void grpc_jwt_claims_destroy(grpc_jwt_claims *claims)
Definition: jwt_verifier.cc:219
grpc_jwt_verifier_max_delay
grpc_core::Duration grpc_jwt_verifier_max_delay
Definition: jwt_verifier.cc:415
grpc_jwt_claims
Definition: jwt_verifier.cc:206
grpc_jwt_claims_from_json
grpc_jwt_claims * grpc_jwt_claims_from_json(grpc_core::Json json)
Definition: jwt_verifier.cc:264
gpr_timespec
Definition: gpr_types.h:50
grpc_core::Duration
Definition: src/core/lib/gprpp/time.h:122
grpc_jwt_claims_not_before
gpr_timespec grpc_jwt_claims_not_before(const grpc_jwt_claims *claims)
Definition: jwt_verifier.cc:259
grpc_pollset
Definition: bm_cq_multiple_threads.cc:37
grpc_core::Json
Definition: src/core/lib/json/json.h:37
grpc_jwt_issuer_email_domain
const char * grpc_jwt_issuer_email_domain(const char *issuer)
Definition: jwt_verifier.cc:779
grpc_jwt_claims_json
const grpc_core::Json * grpc_jwt_claims_json(const grpc_jwt_claims *claims)
Definition: jwt_verifier.cc:224
GRPC_JWT_VERIFIER_BAD_AUDIENCE
@ GRPC_JWT_VERIFIER_BAD_AUDIENCE
Definition: jwt_verifier.h:45
cb
OPENSSL_EXPORT pem_password_cb * cb
Definition: pem.h:351
grpc_jwt_verifier_create
grpc_jwt_verifier * grpc_jwt_verifier_create(const grpc_jwt_verifier_email_domain_key_url_mapping *mappings, size_t num_mappings)
Definition: jwt_verifier.cc:925
port_platform.h

grpc
Author(s):
autogenerated on Thu Mar 13 2025 03:00:27