Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

github.com/oxisto/gcp-jwt-go

Package Overview
Dependencies
Alerts
File Explorer
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

github.com/oxisto/gcp-jwt-go

  • v2.0.1+incompatible
  • Source
  • Go
  • Socket score

Version published
Created
Source

gcp-jwt-go GoDoc Go Report Card Build Status Coverage Status

Google Cloud Platform (Cloud KMS, IAM API, & AppEngine App Identity API) jwt-go implementations

New with v2:

Google Cloud KMS now supports signatures and support has been added to gcp-jwt-go!

Breaking Changes with v2

  • Package name changed from gcp_jwt to gcpjwt
  • Refactoring of code (including exported functions/structs)
  • Certificate caching is now opt-in vs opt-out
  • Helper jwt.Keyfunc implementations introduced
  • Expected key for sign/verify changed
  • KeyID() helper functions
  • Basic oauth2.TokenSource and http middleware sub packages for basic service-to-service authentication (currently only supports IAM Api)

To continue using the older version, please import as follows: import "gopkg.in/someone1/gcp-jwt-go.v1"

Features

gcp-jwt-go has basic implementations of using Google Cloud KMS, Google IAM API (both signJwt and signBlob), and the App Identity API from AppEngine Standard on Google Cloud Platform to sign JWT tokens using the dgrijalva/jwt-go package. Should work across virtually all environments, on or off of Google's Cloud Platform.

Getting Started

Please read the documentation at https://godoc.org/github.com/someone1/gcp-jwt-go

Performance

There are many tradeoffs which the various signing mechanism available from Google's Cloud Platform. Below you will find a chart of performance for the different algorithms and APIs. Here are some overall takeaways:

  • AppEngine: The fastest option available though limited in that it can only sign on behalf of the default service account and only runs on AppEngine Standard. Keys are auto-rotated, limited to RS256.
  • IAM Api: Flexible in that you can sign on behalf of various service accounts (see Tips below), runs on any platform, keys are auto-rotated, but is the slowest option available and limited to RS256.
  • Cloud KMS: Fast (enough?), highly flexible (come up with your own keys/usage/algorithm/etc.), runs on any platform, however key rotation is left to the user.

note: all latency numbers are ordered as (50th %ile, 95th %ile, 99th %ile). Tests were run on a F1 AppEngine Standard instance in the us-central region. All Cloud KMS keys are set to global.

Signing Performance
SignerSignature LengthSign LatencySamples
AppEngine3429.14 ms, 17.56 ms, 79.15 ms100
IAMBlob342198.37 ms, 217.42 ms, 244.91 ms100
IAMJWT342109.03 ms, 208.46 ms, 212.65 ms100
KMSES2568631.57 ms, 44.09 ms, 44.54 ms50
KMSES38412834.67 ms, 51.16 ms, 59.48 ms50
KMSPS256 (2048)34238.20 ms, 57.75 ms, 70.47 ms50
KMSPS256 (3072)51242.77 ms, 58.24 ms, 62.86 ms50
KMSPS256 (4096)68352.02 ms, 64.70 ms, 92.15 ms50
KMSRS256 (2048)34237.94 ms, 61.94 ms, 77.33 ms50
KMSRS256 (3072)51239.85 ms, 50.52 ms, 56.17 ms50
KMSRS256 (4096)68350.19 ms, 68.48 ms, 86.02 ms50
Verify Performance
VerifierCacheVerify LatencySamples
AppEngineVerifyfalse6.42 ms, 9.33 ms, 10.86 ms50
AppEngineVerifytrue0.87 ms, 1.05 ms, 25.03 ms50
IAMVerifyfalse12.52 ms, 21.45 ms, 30.63 ms100
IAMVerifytrue0.86 ms, 1.01 ms, 53.19 ms100
KMSVerify (2048-PS256)always0.88 ms, 1.01 ms, 32.15 ms50
KMSVerify (2048-RS256)always0.93 ms, 1.11 ms, 19.96 ms50
KMSVerify (3072-PS256)always1.53 ms, 1.71 ms, 43.35 ms50
KMSVerify (3072-RS256)always1.61 ms, 2.11 ms, 42.39 ms50
KMSVerify (4096-PS256)always2.94 ms, 66.88 ms, 71.60 ms50
KMSVerify (4096-RS256)always2.70 ms, 55.25 ms, 72.34 ms50
KMSVerify (ES256)always0.15 ms, 0.20 ms, 0.29 ms50
KMSVerify (ES384)always181.21 ms, 193.25 ms, 195.08 ms50

Where cache=false is where we get the most value from these numbers as it shows the time to fetch/parse public certificates, the other cases are just the time to use a cached certificate to validate the JWT.

Tips

  • If using the IAM API - create a separate service account to sign on behalf of for your projects unless you NEED to use your default service account (e.g. the AppEngine service account). This way you can limit the scope of access for any leaked credentials. You'll have to grant the roles/iam.serviceAccountTokenCreator role to any user/group/serviceaccount you want to be able to sign on behalf of the new service account (resource: projects/-/serviceAccounts/<serviceaccount>). For example, create an api-signer service account, do NOT furnish any keys for it, grant your AppEngine/GCE/etc. default service account the proper role for that serviceAccount, and use the api-signer@... service account address in your configuration.
  • If using outside of GCP, be sure to put credentials for an account that can access the service account for signing tokens in a well known location:
    1. A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable.
    2. A JSON file in a location known to the gcloud command-line tool. On Windows, this is %APPDATA%/gcloud/application_default_credentials.json. On other systems, $HOME/.config/gcloud/application_default_credentials.json.

FAQs

Package last updated on 21 Sep 2018

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc