package token import ( "github.com/pkg/errors" "gopkg.in/square/go-jose.v2" "gopkg.in/square/go-jose.v2/jwt" ) const ( jwtIssuer = "hydra-passwordless" ) type privateClaims struct { Challenge string `json:"challenge"` } func Generate(signingKey, encryptionKey, email, challenge string) (string, error) { sig, err := jose.NewSigner( jose.SigningKey{ Algorithm: jose.HS256, Key: []byte(signingKey), }, (&jose.SignerOptions{}).WithType("JWT"), ) if err != nil { return "", errors.Wrap(err, "could not create jwt signer") } enc, err := jose.NewEncrypter( jose.A256GCM, jose.Recipient{ Algorithm: jose.DIRECT, Key: []byte(encryptionKey), }, (&jose.EncrypterOptions{}).WithType("JWT").WithContentType("JWT")) if err != nil { return "", errors.Wrap(err, "could not create jwt encrypter") } claims := jwt.Claims{ Subject: email, Issuer: jwtIssuer, Audience: jwt.Audience{jwtIssuer}, } privateClaims := privateClaims{ Challenge: challenge, } raw, err := jwt.SignedAndEncrypted(sig, enc).Claims(claims).Claims(privateClaims).CompactSerialize() if err != nil { return "", errors.Wrap(err, "could not sign and encrypt jwt") } return raw, nil }