Updated auth interface (#1384)

* Updated  auth interface

* Add Rule

* Remove Rule

* Return token from Renew

* Renew => Refresh

* Implement Tokens & Default Auth Implementation

* Change default auth to noop

* Change default auth to noop

* Move token.Token to auth.Token

* Remove Token from Account

* Auth service implementation

* Decode JWT locally

* Cookie for secret

* Move string to bottom of interface definition

* Depricate auth_exclude

* Update auth wrappers

* Update go.sum

Co-authored-by: Ben Toogood <ben@micro.mu>

auth/token/basic/basic.go

@@ -0,0 +1,95 @@
+package basic
+
+import (
+	"encoding/json"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/micro/go-micro/v2/auth"
+	"github.com/micro/go-micro/v2/auth/token"
+	"github.com/micro/go-micro/v2/store"
+)
+
+// Basic implementation of token provider, backed by the store
+type Basic struct {
+	store store.Store
+}
+
+// NewTokenProvider returns an initialized basic provider
+func NewTokenProvider(opts ...token.Option) token.Provider {
+	options := token.NewOptions(opts...)
+
+	if options.Store == nil {
+		options.Store = store.DefaultStore
+	}
+
+	return &Basic{
+		store: options.Store,
+	}
+}
+
+// Generate a token for an account
+func (b *Basic) Generate(subject string, opts ...token.GenerateOption) (*auth.Token, error) {
+	options := token.NewGenerateOptions(opts...)
+
+	// construct the token
+	token := auth.Token{
+		Subject:  subject,
+		Type:     b.String(),
+		Token:    uuid.New().String(),
+		Created:  time.Now(),
+		Expiry:   time.Now().Add(options.Expiry),
+		Metadata: options.Metadata,
+		Roles:    options.Roles,
+	}
+
+	// marshal the account to bytes
+	bytes, err := json.Marshal(token)
+	if err != nil {
+		return nil, err
+	}
+
+	// write to the store
+	err = b.store.Write(&store.Record{
+		Key:    token.Token,
+		Value:  bytes,
+		Expiry: options.Expiry,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	// return the token
+	return &token, nil
+}
+
+// Inspect a token
+func (b *Basic) Inspect(t string) (*auth.Token, error) {
+	// lookup the token in the store
+	recs, err := b.store.Read(t)
+	if err == store.ErrNotFound {
+		return nil, token.ErrInvalidToken
+	} else if err != nil {
+		return nil, err
+	}
+	bytes := recs[0].Value
+
+	// unmarshal the bytes
+	var tok *auth.Token
+	if err := json.Unmarshal(bytes, &tok); err != nil {
+		return nil, err
+	}
+
+	// ensure the token hasn't expired, the store should
+	// expire the token but we're checking again
+	if tok.Expiry.Unix() < time.Now().Unix() {
+		return nil, token.ErrInvalidToken
+	}
+
+	return tok, err
+}
+
+// String returns basic
+func (b *Basic) String() string {
+	return "basic"
+}

auth/token/basic/basic_test.go

@@ -0,0 +1,80 @@
+package basic
+
+import (
+	"testing"
+	"time"
+
+	"github.com/micro/go-micro/v2/auth/token"
+	"github.com/micro/go-micro/v2/store/memory"
+)
+
+func TestGenerate(t *testing.T) {
+	store := memory.NewStore()
+	b := NewTokenProvider(token.WithStore(store))
+
+	_, err := b.Generate("test")
+	if err != nil {
+		t.Fatalf("Generate returned %v error, expected nil", err)
+	}
+
+	recs, err := store.List()
+	if err != nil {
+		t.Fatalf("Unable to read from store: %v", err)
+	}
+	if len(recs) != 1 {
+		t.Errorf("Generate didn't write to the store, expected 1 record, got %v", len(recs))
+	}
+}
+
+func TestInspect(t *testing.T) {
+	store := memory.NewStore()
+	b := NewTokenProvider(token.WithStore(store))
+
+	t.Run("Valid token", func(t *testing.T) {
+		md := map[string]string{"foo": "bar"}
+		roles := []string{"admin"}
+		subject := "test"
+
+		opts := []token.GenerateOption{
+			token.WithMetadata(md),
+			token.WithRoles(roles),
+		}
+
+		tok, err := b.Generate(subject, opts...)
+		if err != nil {
+			t.Fatalf("Generate returned %v error, expected nil", err)
+		}
+
+		tok2, err := b.Inspect(tok.Token)
+		if err != nil {
+			t.Fatalf("Inspect returned %v error, expected nil", err)
+		}
+		if tok2.Subject != subject {
+			t.Errorf("Inspect returned %v as the token subject, expected %v", tok2.Subject, subject)
+		}
+		if len(tok2.Roles) != len(roles) {
+			t.Errorf("Inspect returned %v roles, expected %v", len(tok2.Roles), len(roles))
+		}
+		if len(tok2.Metadata) != len(md) {
+			t.Errorf("Inspect returned %v as the token metadata, expected %v", tok2.Metadata, md)
+		}
+	})
+
+	t.Run("Expired token", func(t *testing.T) {
+		tok, err := b.Generate("foo", token.WithExpiry(-10*time.Second))
+		if err != nil {
+			t.Fatalf("Generate returned %v error, expected nil", err)
+		}
+
+		if _, err = b.Inspect(tok.Token); err != token.ErrInvalidToken {
+			t.Fatalf("Inspect returned %v error, expected %v", err, token.ErrInvalidToken)
+		}
+	})
+
+	t.Run("Invalid token", func(t *testing.T) {
+		_, err := b.Inspect("Invalid token")
+		if err != token.ErrInvalidToken {
+			t.Fatalf("Inspect returned %v error, expected %v", err, token.ErrInvalidToken)
+		}
+	})
+}

auth/token/jwt/jwt.go

@@ -0,0 +1,111 @@
+package jwt
+
+import (
+	"encoding/base64"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+	"github.com/micro/go-micro/v2/auth"
+	"github.com/micro/go-micro/v2/auth/token"
+)
+
+// authClaims to be encoded in the JWT
+type authClaims struct {
+	Roles    []string          `json:"roles"`
+	Metadata map[string]string `json:"metadata"`
+
+	jwt.StandardClaims
+}
+
+// JWT implementation of token provider
+type JWT struct {
+	opts token.Options
+}
+
+// NewTokenProvider returns an initialized basic provider
+func NewTokenProvider(opts ...token.Option) token.Provider {
+	return &JWT{
+		opts: token.NewOptions(opts...),
+	}
+}
+
+// Generate a new JWT
+func (j *JWT) Generate(subject string, opts ...token.GenerateOption) (*auth.Token, error) {
+	// decode the private key
+	priv, err := base64.StdEncoding.DecodeString(j.opts.PrivateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	// parse the private key
+	key, err := jwt.ParseRSAPrivateKeyFromPEM(priv)
+	if err != nil {
+		return nil, token.ErrEncodingToken
+	}
+
+	// parse the options
+	options := token.NewGenerateOptions(opts...)
+
+	// generate the JWT
+	expiry := time.Now().Add(options.Expiry)
+	t := jwt.NewWithClaims(jwt.SigningMethodRS256, authClaims{
+		options.Roles, options.Metadata, jwt.StandardClaims{
+			Subject:   subject,
+			ExpiresAt: expiry.Unix(),
+		},
+	})
+	tok, err := t.SignedString(key)
+	if err != nil {
+		return nil, err
+	}
+
+	// return the token
+	return &auth.Token{
+		Subject:  subject,
+		Token:    tok,
+		Type:     j.String(),
+		Created:  time.Now(),
+		Expiry:   expiry,
+		Roles:    options.Roles,
+		Metadata: options.Metadata,
+	}, nil
+}
+
+// Inspect a JWT
+func (j *JWT) Inspect(t string) (*auth.Token, error) {
+	// decode the public key
+	pub, err := base64.StdEncoding.DecodeString(j.opts.PublicKey)
+	if err != nil {
+		return nil, err
+	}
+
+	// parse the public key
+	res, err := jwt.ParseWithClaims(t, &authClaims{}, func(token *jwt.Token) (interface{}, error) {
+		return jwt.ParseRSAPublicKeyFromPEM(pub)
+	})
+	if err != nil {
+		return nil, token.ErrInvalidToken
+	}
+
+	// validate the token
+	if !res.Valid {
+		return nil, token.ErrInvalidToken
+	}
+	claims, ok := res.Claims.(*authClaims)
+	if !ok {
+		return nil, token.ErrInvalidToken
+	}
+
+	// return the token
+	return &auth.Token{
+		Token:    t,
+		Subject:  claims.Subject,
+		Metadata: claims.Metadata,
+		Roles:    claims.Roles,
+	}, nil
+}
+
+// String returns JWT
+func (j *JWT) String() string {
+	return "jwt"
+}

auth/token/jwt/jwt_test.go

@@ -0,0 +1,90 @@
+package jwt
+
+import (
+	"io/ioutil"
+	"testing"
+	"time"
+
+	"github.com/micro/go-micro/v2/auth/token"
+)
+
+func TestGenerate(t *testing.T) {
+	privKey, err := ioutil.ReadFile("test/sample_key")
+	if err != nil {
+		t.Fatalf("Unable to read private key: %v", err)
+	}
+
+	j := NewTokenProvider(
+		token.WithPrivateKey(string(privKey)),
+	)
+
+	_, err = j.Generate("test")
+	if err != nil {
+		t.Fatalf("Generate returned %v error, expected nil", err)
+	}
+}
+
+func TestInspect(t *testing.T) {
+	pubKey, err := ioutil.ReadFile("test/sample_key.pub")
+	if err != nil {
+		t.Fatalf("Unable to read public key: %v", err)
+	}
+	privKey, err := ioutil.ReadFile("test/sample_key")
+	if err != nil {
+		t.Fatalf("Unable to read private key: %v", err)
+	}
+
+	j := NewTokenProvider(
+		token.WithPublicKey(string(pubKey)),
+		token.WithPrivateKey(string(privKey)),
+	)
+
+	t.Run("Valid token", func(t *testing.T) {
+		md := map[string]string{"foo": "bar"}
+		roles := []string{"admin"}
+		subject := "test"
+
+		opts := []token.GenerateOption{
+			token.WithMetadata(md),
+			token.WithRoles(roles),
+		}
+
+		tok, err := j.Generate(subject, opts...)
+		if err != nil {
+			t.Fatalf("Generate returned %v error, expected nil", err)
+		}
+
+		tok2, err := j.Inspect(tok.Token)
+		if err != nil {
+			t.Fatalf("Inspect returned %v error, expected nil", err)
+		}
+		if tok2.Subject != subject {
+			t.Errorf("Inspect returned %v as the token subject, expected %v", tok2.Subject, subject)
+		}
+		if len(tok2.Roles) != len(roles) {
+			t.Errorf("Inspect returned %v roles, expected %v", len(tok2.Roles), len(roles))
+		}
+		if len(tok2.Metadata) != len(md) {
+			t.Errorf("Inspect returned %v as the token metadata, expected %v", tok2.Metadata, md)
+		}
+	})
+
+	t.Run("Expired token", func(t *testing.T) {
+		tok, err := j.Generate("foo", token.WithExpiry(-10*time.Second))
+		if err != nil {
+			t.Fatalf("Generate returned %v error, expected nil", err)
+		}
+
+		if _, err = j.Inspect(tok.Token); err != token.ErrInvalidToken {
+			t.Fatalf("Inspect returned %v error, expected %v", err, token.ErrInvalidToken)
+		}
+	})
+
+	t.Run("Invalid token", func(t *testing.T) {
+		_, err := j.Inspect("Invalid token")
+		if err != token.ErrInvalidToken {
+			t.Fatalf("Inspect returned %v error, expected %v", err, token.ErrInvalidToken)
+		}
+	})
+
+}

auth/token/jwt/test/sample_key

@@ -0,0 +1 @@
+LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS3dJQkFBS0NBZ0VBOFNiSlA1WGJFaWRSbTViMnNOcExHbzJlV2ZVNU9KZTBpemdySHdEOEg3RjZQa1BkCi9SbDkvMXBNVjdNaU8zTEh3dGhIQzJCUllxcisxd0Zkb1pDR0JZckxhWHVYRnFLMHZ1WmhQcUUzYXpqdUlIUXUKMEJIL2xYUU1xeUVxRjVNSTJ6ZWpDNHpNenIxNU9OK2dFNEpuaXBqcC9DZGpPUEFEbUpHK0JKOXFlRS9RUGVtLwptVWRJVC9MYUY3a1F4eVlLNVZLbitOZ09Xek1sektBQXBDbjdUVEtCVWU4RlpHNldTWDdMVjBlTEdIc29pYnhsCm85akRqbFk1b0JPY3pmcWVOV0hLNUdYQjdRd3BMTmg5NDZQelpucW9hcFdVZStZL1JPaUhpekpUY3I1Wk1TTDUKd2xFcThoTmhtaG01Tk5lL08rR2dqQkROU2ZVaDA2K3E0bmdtYm1OWDVoODM4QmJqUmN5YzM2ZHd6NkpVK2R1bwpSdFFoZ2lZOTEwcFBmOWJhdVhXcXdVQ1VhNHFzSHpqS1IwTC9OMVhYQXlsQ0RqeWVnWnp6Y093MkNIOFNrZkZVCnJnTHJQYkVCOWVnY0drMzgrYnBLczNaNlJyNSt0bkQxQklQSUZHTGVJMFVPQzAreGlCdjBvenhJRE9GbldhOVUKVEdEeFV4OG9qOFZJZVJuV0RxNk1jMWlKcDhVeWNpQklUUnR3NGRabzcweG1mbmVJV3pyM0tTTmFoU29nSmRSMApsYVF6QXVQM2FpV1hJTXAyc2M4U2MrQmwrTGpYbUJveEJyYUJIaDlLa0pKRWNnQUZ3czJib2pDbEpPWXhvRi9YCmdGS1NzSW5IRHJIVk95V1BCZTNmYWRFYzc3YituYi9leE96cjFFcnhoR2c5akZtcmtPK3M0eEdodjZNQ0F3RUEKQVFLQ0FnRUFqUzc1Q2VvUlRRcUtBNzZaaFNiNGEzNVlKRENtcEpSazFsRTNKYnFzNFYxRnhXaDBjZmJYeG9VMgpSdTRRYjUrZWhsdWJGSFQ2a1BxdG9uRWhRVExjMUNmVE9WbHJOb3hocDVZM2ZyUmlQcnNnNXcwK1R3RUtrcFJUCnltanJQTXdQbGxCM2U0NmVaYmVXWGc3R3FFVmptMGcxVFRRK0tocVM4R0w3VGJlTFhRN1ZTem9ydTNCNVRKMVEKeEN6TVB0dnQ2eDYrU3JrcmhvZG1iT3VNRkpDam1TbWxmck9pZzQ4Zkc3NUpERHRObXpLWHBEUVJpYUNodFJhVQpQRHpmUTlTamhYdFFqdkZvWFFFT3BqdkZVRjR2WldNUWNQNUw1VklDM3JRSWp4MFNzQTN6S0FwakVUbjJHNjN2CktZby8zVWttbzhkUCtGRHA3NCs5a3pLNHFFaFJycEl3bEtiN0VOZWtDUXZqUFl1K3pyKzMyUXdQNTJ2L2FveWQKdjJJaUY3M2laTU1vZDhhYjJuQStyVEI2T0cvOVlSYk5kV21tay9VTi9jUHYrN214TmZ6Y1d1ZU1XcThxMXh4eAptNTNpR0NSQ29PQ1lDQk4zcUFkb1JwYW5xd3lCOUxrLzFCQjBHUld3MjgxK3VhNXNYRnZBVDBKeTVURnduMncvClU1MlJKWFlNOXVhMFBvd214b0RDUWRuNFZYVkdNZGdXaHN4aXhHRlYwOUZObWJJQWJaN0xaWGtkS1gzc1ZVbTcKWU1WYWIzVVo2bEhtdXYzT1NzcHNVUlRqN1hiRzZpaVVlaDU1aW91OENWbnRndWtFcnEzQTQwT05FVzhjNDBzOQphVTBGaSs4eWZpQTViaVZHLzF0bWlucUVERkhuQStnWk1xNEhlSkZxcWZxaEZKa1JwRGtDZ2dFQkFQeGR1NGNKCm5Da1duZDdPWFlHMVM3UDdkVWhRUzgwSDlteW9uZFc5bGFCQm84RWRPeTVTZzNOUmsxQ2pNZFZ1a3FMcjhJSnkKeStLWk15SVpvSlJvbllaMEtIUUVMR3ZLbzFOS2NLQ1FJbnYvWHVCdFJpRzBVb1pQNVkwN0RpRFBRQWpYUjlXUwpBc0EzMmQ1eEtFOC91Y3h0MjVQVzJFakNBUmtVeHQ5d0tKazN3bC9JdXVYRlExTDdDWjJsOVlFUjlHeWxUbzhNCmxXUEY3YndtUFV4UVNKaTNVS0FjTzZweTVUU1lkdWQ2aGpQeXJwSXByNU42VGpmTlRFWkVBeU9LbXVpOHVkUkoKMUg3T3RQVEhGZElKQjNrNEJnRDZtRE1HbjB2SXBLaDhZN3NtRUZBbFkvaXlCZjMvOHk5VHVMb1BycEdqR3RHbgp4Y2RpMHFud2p0SGFNbFVDZ2dFQkFQU2Z0dVFCQ2dTU2JLUSswUEFSR2VVeEQyTmlvZk1teENNTmdHUzJ5Ull3CjRGaGV4ZWkwMVJoaFk1NjE3UjduR1dzb0czd1RQa3dvRTJtbE1aQkoxeWEvUU9RRnQ3WG02OVl0RGh0T2FWbDgKL0o4dlVuSTBtWmxtT2pjTlRoYnVPZDlNSDlRdGxIRUMxMlhYdHJNb3Fsb0U2a05TT0pJalNxYm9wcDRXc1BqcApvZTZ0Nkdyd1RhOHBHeUJWWS90Mi85Ym5ORHVPVlpjODBaODdtY2gzcDNQclBqU3h5di9saGxYMFMwYUdHTkhTCk1XVjdUa25OaGo1TWlIRXFnZ1pZemtBWTkyd1JoVENnU1A2M0VNcitUWXFudXVuMXJHbndPYm95TDR2aFRpV0UKcU42UDNCTFlCZ1FpMllDTDludEJrOEl6RHZyd096dW5GVnhhZ0g5SVVoY0NnZ0VCQUwzQXlLa1BlOENWUmR6cQpzL284VkJDZmFSOFhhUGRnSGxTek1BSXZpNXEwNENqckRyMlV3MHZwTVdnM1hOZ0xUT3g5bFJpd3NrYk9SRmxHCmhhd3hRUWlBdkk0SE9WTlBTU0R1WHVNTG5USTQ0S0RFNlMrY2cxU0VMS2pWbDVqcDNFOEpkL1RJMVpLc0xBQUsKZTNHakM5UC9ZbE8xL21ndW4xNjVkWk01cFAwWHBPb2FaeFV2RHFFTktyekR0V1g0RngyOTZlUzdaSFJodFpCNwovQ2t1VUhlcmxrN2RDNnZzdWhTaTh2eTM3c0tPbmQ0K3c4cVM4czhZYVZxSDl3ZzVScUxxakp0bmJBUnc3alVDCm9KQ053M1hNdnc3clhaYzRTbnhVQUNMRGJNV2lLQy9xL1ZGWW9oTEs2WkpUVkJscWd5cjBSYzBRWmpDMlNJb0kKMjRwRWt3VUNnZ0VCQUpqb0FJVVNsVFY0WlVwaExXN3g4WkxPa01UWjBVdFFyd2NPR0hSYndPUUxGeUNGMVFWNQppejNiR2s4SmZyZHpVdk1sTmREZm9uQXVHTHhQa3VTVEUxWlg4L0xVRkJveXhyV3dvZ0cxaUtwME11QTV6em90CjROai9DbUtCQVkvWnh2anA5M2RFS21aZGxWQkdmeUFMeWpmTW5MWUovZXh5L09YSnhPUktZTUttSHg4M08zRWsKMWhvb0FwbTZabTIzMjRGME1iVU1ham5Idld2ZjhHZGJTNk5zcHd4L0dkbk1tYVMrdUJMVUhVMkNLbmc1bEIwVAp4OWJITmY0dXlPbTR0dXRmNzhCd1R5V3UreEdrVW0zZ2VZMnkvR1hqdDZyY2l1ajFGNzFDenZzcXFmZThTcDdJCnd6SHdxcTNzVHR5S2lCYTZuYUdEYWpNR1pKYSt4MVZJV204Q2dnRUJBT001ajFZR25Ba0pxR0czQWJSVDIvNUMKaVVxN0loYkswOGZsSGs5a2YwUlVjZWc0ZVlKY3dIRXJVaE4rdWQyLzE3MC81dDYra0JUdTVZOUg3bkpLREtESQpoeEg5SStyamNlVkR0RVNTRkluSXdDQ1lrOHhOUzZ0cHZMV1U5b0pibGFKMlZsalV2NGRFWGVQb0hkREh1Zk9ZClVLa0lsV2E3Uit1QzNEOHF5U1JrQnFLa3ZXZ1RxcFNmTVNkc1ZTeFIzU2Q4SVhFSHFjTDNUNEtMWGtYNEdEamYKMmZOSTFpZkx6ekhJMTN3Tk5IUTVRNU9SUC9pell2QzVzZkx4U2ZIUXJiMXJZVkpKWkI5ZjVBUjRmWFpHSVFsbApjMG8xd0JmZFlqMnZxVDlpR09IQnNSSTlSL2M2RzJQcUt3aFRpSzJVR2lmVFNEUVFuUkF6b2tpQVkrbE8vUjQ9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==

auth/token/jwt/test/sample_key.pub

@@ -0,0 +1 @@
+LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUE4U2JKUDVYYkVpZFJtNWIyc05wTApHbzJlV2ZVNU9KZTBpemdySHdEOEg3RjZQa1BkL1JsOS8xcE1WN01pTzNMSHd0aEhDMkJSWXFyKzF3RmRvWkNHCkJZckxhWHVYRnFLMHZ1WmhQcUUzYXpqdUlIUXUwQkgvbFhRTXF5RXFGNU1JMnplakM0ek16cjE1T04rZ0U0Sm4KaXBqcC9DZGpPUEFEbUpHK0JKOXFlRS9RUGVtL21VZElUL0xhRjdrUXh5WUs1VktuK05nT1d6TWx6S0FBcENuNwpUVEtCVWU4RlpHNldTWDdMVjBlTEdIc29pYnhsbzlqRGpsWTVvQk9jemZxZU5XSEs1R1hCN1F3cExOaDk0NlB6ClpucW9hcFdVZStZL1JPaUhpekpUY3I1Wk1TTDV3bEVxOGhOaG1obTVOTmUvTytHZ2pCRE5TZlVoMDYrcTRuZ20KYm1OWDVoODM4QmJqUmN5YzM2ZHd6NkpVK2R1b1J0UWhnaVk5MTBwUGY5YmF1WFdxd1VDVWE0cXNIempLUjBMLwpOMVhYQXlsQ0RqeWVnWnp6Y093MkNIOFNrZkZVcmdMclBiRUI5ZWdjR2szOCticEtzM1o2UnI1K3RuRDFCSVBJCkZHTGVJMFVPQzAreGlCdjBvenhJRE9GbldhOVVUR0R4VXg4b2o4VkllUm5XRHE2TWMxaUpwOFV5Y2lCSVRSdHcKNGRabzcweG1mbmVJV3pyM0tTTmFoU29nSmRSMGxhUXpBdVAzYWlXWElNcDJzYzhTYytCbCtMalhtQm94QnJhQgpIaDlLa0pKRWNnQUZ3czJib2pDbEpPWXhvRi9YZ0ZLU3NJbkhEckhWT3lXUEJlM2ZhZEVjNzdiK25iL2V4T3pyCjFFcnhoR2c5akZtcmtPK3M0eEdodjZNQ0F3RUFBUT09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=

auth/token/options.go

@@ -0,0 +1,96 @@
+package token
+
+import (
+	"time"
+
+	"github.com/micro/go-micro/v2/store"
+)
+
+type Options struct {
+	// Store to persist the tokens
+	Store store.Store
+	// PublicKey base64 encoded, used by JWT
+	PublicKey string
+	// PrivateKey base64 encoded, used by JWT
+	PrivateKey string
+}
+
+type Option func(o *Options)
+
+// WithStore sets the token providers store
+func WithStore(s store.Store) Option {
+	return func(o *Options) {
+		o.Store = s
+	}
+}
+
+// WithPublicKey sets the JWT public key
+func WithPublicKey(key string) Option {
+	return func(o *Options) {
+		o.PublicKey = key
+	}
+}
+
+// WithPrivateKey sets the JWT private key
+func WithPrivateKey(key string) Option {
+	return func(o *Options) {
+		o.PrivateKey = key
+	}
+}
+
+func NewOptions(opts ...Option) Options {
+	var options Options
+	for _, o := range opts {
+		o(&options)
+	}
+	//set default store
+	if options.Store == nil {
+		options.Store = store.DefaultStore
+	}
+	return options
+}
+
+type GenerateOptions struct {
+	// Expiry for the token
+	Expiry time.Duration
+	// Metadata associated with the account
+	Metadata map[string]string
+	// Roles/scopes associated with the account
+	Roles []string
+}
+
+type GenerateOption func(o *GenerateOptions)
+
+// WithExpiry for the generated account's token expires
+func WithExpiry(d time.Duration) GenerateOption {
+	return func(o *GenerateOptions) {
+		o.Expiry = d
+	}
+}
+
+// WithMetadata for the token
+func WithMetadata(md map[string]string) func(o *GenerateOptions) {
+	return func(o *GenerateOptions) {
+		o.Metadata = md
+	}
+}
+
+// WithRoles for the token
+func WithRoles(rs []string) func(o *GenerateOptions) {
+	return func(o *GenerateOptions) {
+		o.Roles = rs
+	}
+}
+
+// NewGenerateOptions from a slice of options
+func NewGenerateOptions(opts ...GenerateOption) GenerateOptions {
+	var options GenerateOptions
+	for _, o := range opts {
+		o(&options)
+	}
+	//set default Expiry of token
+	if options.Expiry == 0 {
+		options.Expiry = time.Minute * 15
+	}
+	return options
+}

auth/token/token.go

@@ -0,0 +1,23 @@
+package token
+
+import (
+	"errors"
+
+	"github.com/micro/go-micro/v2/auth"
+)
+
+var (
+	// ErrNotFound is returned when a token cannot be found
+	ErrNotFound = errors.New("token not found")
+	// ErrEncodingToken is returned when the service encounters an error during encoding
+	ErrEncodingToken = errors.New("error encoding the token")
+	// ErrInvalidToken is returned when the token provided is not valid
+	ErrInvalidToken = errors.New("invalid token provided")
+)
+
+// Provider generates and inspects tokens
+type Provider interface {
+	Generate(subject string, opts ...GenerateOption) (*auth.Token, error)
+	Inspect(token string) (*auth.Token, error)
+	String() string
+}