"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
	"testing"
	"time"

	jwtgo "github.com/golang-jwt/jwt/v4"
	"github.com/minio/minio/internal/arn"
	"github.com/minio/minio/internal/config"
	jwtm "github.com/minio/minio/internal/jwt"
	xnet "github.com/minio/pkg/v3/net"
)

func TestUpdateClaimsExpiry(t *testing.T) {
	testCases := []struct {
		exp             interface{}

---

# The following policy enables authorization on workload:
# - Allow request principal ******@****.***/sub-1 to access path /token1
# - Allow request in group-2 to access path /token2
# - Allow request with any token to access path /tokenAny
# - Allow request with permission claim of "write" or "append" to access path /permission
# - Allow request with valid JWT token to access path /jwt1

// See the License for the specific language governing permissions and
// limitations under the License.

package jwt

const (
	PolicyThirdParty = "third-party-jwt"
	PolicyFirstParty = "first-party-jwt"
)

type JwksFetchMode int

const (
	// Istiod is used to indicate Istiod ALWAYS fetches the JWKs server
	Istiod JwksFetchMode = iota

	"net/http"
	"time"

	jwtgo "github.com/golang-jwt/jwt/v4"
	jwtreq "github.com/golang-jwt/jwt/v4/request"
	"github.com/hashicorp/golang-lru/v2/expirable"
	"github.com/minio/minio/internal/auth"
	xjwt "github.com/minio/minio/internal/jwt"
	"github.com/minio/minio/internal/logger"
	"github.com/minio/pkg/v3/policy"
)

const (
	jwtAlgorithm = "Bearer"

	// Default JWT token for web handlers is one day.

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jwt-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: jwt-server
  template:
    metadata:
      labels:
        app: jwt-server
    spec:
      containers:
      - image: gcr.io/istio-testing/jwt-server:0.8
        imagePullPolicy: IfNotPresent
        name: jwt-server
        volumeMounts:

package openid

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"sync"
	"time"

	jwtgo "github.com/golang-jwt/jwt/v4"
	"github.com/minio/minio/internal/arn"
	"github.com/minio/minio/internal/auth"
	xnet "github.com/minio/pkg/v3/net"
	"github.com/minio/pkg/v3/policy"
)

type publicKeys struct {
	*sync.RWMutex

apiVersion: release-notes/v2
kind: feature
area: security
releaseNotes:
- |
  **Improved** request JWT authentication to use the upstream Envoy JWT filter
  instead of the custom Istio Proxy filter. Because the new upstream JWT filter
  capabilities are needed, the feature is gated for the proxies that support
  them. Note that a custom Envoy or Wasm filter that used `istio_authn` dynamic
  metadata key  needs to be updated to use `envoy.filters.http.jwt_authn`

apiVersion: release-notes/v2
kind: bug-fix
area: security

releaseNotes:
- |

apiVersion: release-notes/v2
kind: feature
area: security
issue:
  - 49913
releaseNotes:
- |

```

JWT 字符串没有加密，任何人都能用它恢复原始信息。

但 JWT 使用了签名机制。接受令牌时，可以用签名校验令牌。

使用 JWT 创建有效期为一周的令牌。第二天，用户持令牌再次访问时，仍为登录状态。

令牌于一周后过期，届时，用户身份验证就会失败。只有再次登录，才能获得新的令牌。如果用户（或第三方）篡改令牌的过期时间，因为签名不匹配会导致身份验证失败。

如需深入了解 JWT 令牌，了解它的工作方式，请参阅 <a href="https://jwt.io/" class="external-link" target="_blank">https://jwt.io</a>。

## 安装 `python-jose`

安装 `python-jose`，在 Python 中生成和校验 JWT 令牌：

<div class="termy">

```console