@@ -24,10 +24,19 @@ import (
2424type KMSClient interface {
2525 // Sign signs a digest with the given key using KMS.
2626 Sign (ctx context.Context , input * kms.SignInput , optFns ... func (* kms.Options )) (* kms.SignOutput , error )
27+
2728 // GetPublicKey retrieves the public key associated with the given key ID.
2829 GetPublicKey (ctx context.Context , input * kms.GetPublicKeyInput , optFns ... func (* kms.Options )) (* kms.GetPublicKeyOutput , error )
2930}
3031
32+ // KMSOptions defines the configuration options for the KMS signer.
33+ // It allows customization of the cache used for storing and retrieving public keys.
34+ // The default cache is a no-op cache, which means it does not store any keys.
35+ // You can provide a custom cache implementation that implements the cache.Cache interface.
36+ type KMSOptions struct {
37+ Cache cache.Cache // Cache for storing and retrieving public keys
38+ }
39+
3140// KMS represents a signer that uses AWS Key Management Service (KMS) to sign JWT tokens.
3241type KMS struct {
3342 kmsClient KMSClient // AWS KMS client
@@ -37,12 +46,22 @@ type KMS struct {
3746}
3847
3948// NewKMS creates a new instance of KMS with the given client, key ID, and signing algorithm.
40- func NewKMS (kmsClient KMSClient , keyID string , alg types.SigningAlgorithmSpec ) tokenbridge.Signer {
49+ // It also accepts optional configuration functions to customize the KMSOptions.
50+ func NewKMS (kmsClient KMSClient , keyID string , alg types.SigningAlgorithmSpec , optFns ... func (o * KMSOptions )) tokenbridge.Signer {
51+ opts := KMSOptions {
52+ Cache : cache .NewNoopCache (), // Default to a no-op cache
53+ }
54+
55+ // Apply custom options provided through optFns
56+ for _ , fn := range optFns {
57+ fn (& opts )
58+ }
59+
4160 return & KMS {
4261 kmsClient : kmsClient ,
4362 keyID : keyID ,
4463 alg : alg ,
45- cache : cache . NewNoopCache () ,
64+ cache : opts . Cache ,
4665 }
4766}
4867
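Review bot: An option function that assigns nil to `opts.Cache` (or a zero-valued `KMSOptions` handed through) leaves the new `KMS` with a nil `cache`, and cache.Cache is an interface, so the first method call on it panics; the no-op default set at the top of `NewKMS` does not protect against this because it runs before the option loop. After the `for _, fn := range optFns` loop, restore the default when it was cleared: `if opts.Cache == nil { opts.Cache = cache.NewNoopCache() }`. For the same reason a nil entry in `optFns` would panic at `fn(&opts)`; `if fn != nil { fn(&opts) }` keeps a caller's `NewKMS(c, id, alg, nil)` from crashing. Since the cached public keys are presumably what later verification trusts, the `Cache` field comment in the first hunk could also state that the store must not be writable by untrusted parties — a poisoned entry would be accepted as the signing key; this is inferred, as the cache's use is outside the hunk. NewKMS is fully contained in this hunk.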