https://github.com/eclipse-xfsc/ssi-jwt
This library contains common JWT extensions for usage in SSI context.
https://github.com/eclipse-xfsc/ssi-jwt
golang jwt ssi
Last synced: about 1 month ago
JSON representation
This library contains common JWT extensions for usage in SSI context.
- Host: GitHub
- URL: https://github.com/eclipse-xfsc/ssi-jwt
- Owner: eclipse-xfsc
- License: apache-2.0
- Created: 2025-04-10T13:28:02.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2026-01-19T17:27:04.000Z (6 months ago)
- Last Synced: 2026-05-12T08:53:23.207Z (2 months ago)
- Topics: golang, jwt, ssi
- Language: Go
- Size: 76.2 KB
- Stars: 0
- Watchers: 7
- Forks: 0
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# JWT
## Introduction
This library contains common JWT extensions for usage in SSI context.
## Self Signed Token
To create a self signed token use the following:
```
headers := jws.NewHeaders()
headers.Set("jwk", pubkey)
signed, err := jwt.Sign(tok, jwt.WithKey(jwa.PS256, privkey, jws.WithProtectedHeaders(headers)))
```
To verify the Self signed token use:
```
token, err := self.ParseSelfSigned(string(signed))
```
Options can be appended by using:
```
options = append(options, ljwt.WithAudience("http://test"))
token, err := self.ParseSelfSigned(string(signed),options)
```
## Use of multiple JWKS/DID Key Verifications
The library extends the standard JWKS fetching by adding support for multiple sources (multiple Authorization Servers). The sources can be DIDs or JWKS Urls.
DID Usage:
```
didFetcher := new(fetcher.DidFetcher)
err = didFetcher.Initialize([]string{"did:web:12345"}, time.Second)
if err != nil {
t.Error()
}
jwt.RegisterFetcher("DID1", didFetcher)
```
or
JWKS Usage:
```
jwksFetcher := new(fetcher.JwksFetcher)
jwksFetcher.Initialize([]string{jwks.URL}, time.Second)
jwt.RegisterFetcher("JWKS1", jwksFetcher)
```
within the API:
```
tok, err := jwt.ParseRequest(r)
```
Sources will be cached and updated automatically.
## Use of External Crypto Provider
To sign tokens with external providers the signing interceptor can be enabled/disabled by using:
```
EnableCryptoProvider("yournamespace", provider)
DisableCryptoProvider()
```
After this, a normal signing and verify action can be used, with the only difference that the "key" in "WithKey" function must carry the keyID of the key in the cryptoprovider namespace. The cryptoprovider will intercept all signing/verify calls and redirect it to the external provider.
```
signed, err := jwt.Sign(tok, jwt.WithKey(jwa.PS256, "tenant_space:testK"))
```
Note: the namespace is the first part of the key followed by ":" and the key name. Means for namespace and group namespace/test:key1