Merge pull request #51 from synadia-io/sign-service

Update dependencies and streamline signing key operations

account_signingkeys.go

@@ -54,7 +54,7 @@ func (as *accountSigningKeys) Contains(sk string) (bool, bool) {
 }
 
 func (as *accountSigningKeys) AddScope(role string) (ScopeLimits, error) {
-	k, err := KeyFor(nkeys.PrefixByteAccount)
+	k, err := as.data.Operator.SigningService.NewKey(nkeys.PrefixByteAccount)
 	if err != nil {
 		return nil, err
 	}
@@ -109,7 +109,7 @@ func (as *accountSigningKeys) Delete(key string) (bool, error) {
 func (as *accountSigningKeys) Rotate(key string) (string, error) {
 	v, ok := as.data.Claim.SigningKeys[key]
 	if ok {
-		k, err := KeyFor(nkeys.PrefixByteAccount)
+		k, err := as.data.Operator.SigningService.NewKey(nkeys.PrefixByteAccount)
 		if err != nil {
 			return "", err
 		}

accounts.go

@@ -35,7 +35,7 @@ func (a *AccountData) issue(key *Key) error {
 	if key == nil {
 		key = a.Key
 	}
-	token, err := a.Claim.Encode(key.Pair)
+	token, err := a.Operator.SigningService.Sign(a.Claim, key)
 	if err != nil {
 		return err
 	}

auth.go

@@ -9,22 +9,70 @@ import (
 	"github.com/nats-io/nkeys"
 )
 
+type KeysFn func(p nkeys.PrefixByte) (*Key, error)
+
+type Options struct {
+	SignFn jwt.SignFn
+	KeysFn KeysFn
+}
+
+type IssuingService interface {
+	Sign(c jwt.Claims, key *Key) (string, error)
+	NewKey(prefixByte nkeys.PrefixByte) (*Key, error)
+}
+
 type AuthImpl struct {
 	provider  AuthProvider
 	operators []*OperatorData
+	opts      *Options
 }
 
 func NewAuth(provider AuthProvider) (*AuthImpl, error) {
-	auth := &AuthImpl{provider: provider}
+	return NewAuthWithOptions(provider, nil)
+}
+
+func NewAuthWithOptions(provider AuthProvider, opts *Options) (*AuthImpl, error) {
+	if opts == nil {
+		opts = &Options{}
+	}
+	// initialize default key provider
+	if opts.KeysFn == nil {
+		opts.KeysFn = KeyFor
+	}
+
+	auth := &AuthImpl{provider: provider, opts: opts}
 	auth.provider = provider
 	operators, err := auth.provider.Load()
 	if err != nil {
 		return nil, err
 	}
 	auth.operators = operators
+	auth.initSigningService()
 	return auth, nil
 }
 
+func (a *AuthImpl) initSigningService() {
+	for _, op := range a.operators {
+		op.SigningService = a
+	}
+}
+
+func (a *AuthImpl) Sign(c jwt.Claims, key *Key) (string, error) {
+	kp := key.Pair
+	if a.opts.SignFn != nil {
+		var err error
+		kp, err = nkeys.FromPublicKey(key.Public)
+		if err != nil {
+			return "", err
+		}
+	}
+	return c.EncodeWithSigner(kp, a.opts.SignFn)
+}
+
+func (a *AuthImpl) NewKey(prefixByte nkeys.PrefixByte) (*Key, error) {
+	return a.opts.KeysFn(prefixByte)
+}
+
 type OperatorsImpl struct {
 	auth *AuthImpl
 }
@@ -71,9 +119,9 @@ func (a *OperatorsImpl) Get(name string) (Operator, error) {
 
 func (a *OperatorsImpl) Add(name string) (Operator, error) {
 	var err error
-	data := &OperatorData{}
+	data := &OperatorData{SigningService: a.auth}
 	data.EntityName = name
-	data.Key, err = KeyFor(nkeys.PrefixByteOperator)
+	data.Key, err = data.SigningService.NewKey(nkeys.PrefixByteOperator)
 	if err != nil {
 		return nil, err
 	}
@@ -126,7 +174,7 @@ func (a *OperatorsImpl) Import(token []byte, keys []string) (Operator, error) {
 	}
 
 	var ok bool
-	data := &OperatorData{}
+	data := &OperatorData{SigningService: a.auth}
 	data.Claim = claim
 	data.EntityName = claim.Name
 	data.Key, ok = m[claim.Subject]
@@ -154,7 +202,11 @@ func (a *AuthImpl) Commit() error {
 func (a *AuthImpl) Reload() error {
 	var err error
 	a.operators, err = a.provider.Load()
-	return err
+	if err != nil {
+		return err
+	}
+	a.initSigningService()
+	return nil
 }
 
 func (b *BaseData) JWT() string {

exports.go

@@ -227,5 +227,5 @@ func (b *baseExportImpl) GenerateActivationForSubject(account string, issuer str
 	if signingKey {
 		ac.IssuerAccount = b.data.Claim.Subject
 	}
-	return ac.Encode(k.Pair)
+	return b.data.Operator.SigningService.Sign(ac, k)
 }

go.mod

@@ -1,29 +1,30 @@
 module github.com/synadia-io/jwt-auth-builder.go
 
-go 1.21
+go 1.22
 
 require (
-	github.com/nats-io/jsm.go v0.1.1-0.20240314150821-1c7f0e424978
-	github.com/nats-io/jwt/v2 v2.5.6
-	github.com/nats-io/nats-server/v2 v2.11.0-dev.0.20240313175812-f1cd3ed141b0
-	github.com/nats-io/nats.go v1.33.1
-	github.com/nats-io/nkeys v0.4.7
-	github.com/nats-io/nsc/v2 v2.8.6-0.20231220104935-3f89317df670
+	github.com/nats-io/jsm.go v0.1.2
+	github.com/nats-io/jwt/v2 v2.7.3-0.20241126234803-5297029e9786
+	github.com/nats-io/nats-server/v2 v2.11.0-preview.2
+	github.com/nats-io/nats.go v1.37.0
+	github.com/nats-io/nkeys v0.4.8
+	github.com/nats-io/nsc/v2 v2.10.0
 	github.com/nats-io/nuid v1.0.1
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/klauspost/compress v1.17.7 // indirect
+	github.com/google/go-tpm v0.9.1 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
-	github.com/minio/highwayhash v1.0.2 // indirect
+	github.com/minio/highwayhash v1.0.3 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/crypto v0.22.0 // indirect
-	golang.org/x/net v0.22.0 // indirect
-	golang.org/x/sys v0.19.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/crypto v0.29.0 // indirect
+	golang.org/x/net v0.31.0 // indirect
+	golang.org/x/sys v0.27.0 // indirect
+	golang.org/x/text v0.20.0 // indirect
+	golang.org/x/time v0.8.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -1,50 +1,52 @@
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/klauspost/compress v1.17.7 h1:ehO88t2UGzQK66LMdE8tibEd1ErmzZjNEqWkjLAKQQg=
-github.com/klauspost/compress v1.17.7/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/google/go-tpm v0.9.1 h1:0pGc4X//bAlmZzMKf8iz6IsDo1nYTbYJ6FZN/rg4zdM=
+github.com/google/go-tpm v0.9.1/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/minio/highwayhash v1.0.2 h1:Aak5U0nElisjDCfPSG79Tgzkn2gl66NxOMspRrKnA/g=
-github.com/minio/highwayhash v1.0.2/go.mod h1:BQskDq+xkJ12lmlUUi7U0M5Swg3EWR+dLTk+kldvVxY=
+github.com/minio/highwayhash v1.0.3 h1:kbnuUMoHYyVl7szWjSxJnxw11k2U709jqFPPmIUyD6Q=
+github.com/minio/highwayhash v1.0.3/go.mod h1:GGYsuwP/fPD6Y9hMiXuapVvlIUEhFhMTh0rxU3ik1LQ=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/nats-io/jsm.go v0.1.1-0.20240314150821-1c7f0e424978 h1:VodpGrRg6AwgWMwcgLE9O9Z/ztICwyj8RKAIP0itNRA=
-github.com/nats-io/jsm.go v0.1.1-0.20240314150821-1c7f0e424978/go.mod h1:Sa4oF+OP1GyNAfbZSPVlIGrEiE0FzEcYN2gqGsTE1ls=
-github.com/nats-io/jwt/v2 v2.5.6 h1:Cp618+z4q042sWqHiSoIHFT08OZtAskui0hTmRfmGGQ=
-github.com/nats-io/jwt/v2 v2.5.6/go.mod h1:ZdWS1nZa6WMZfFwwgpEaqBV8EPGVgOTDHN/wTbz0Y5A=
-github.com/nats-io/nats-server/v2 v2.11.0-dev.0.20240313175812-f1cd3ed141b0 h1:h+JREIhWsW3tradSo2WEsZE+GzFhPYguNtc7CeCXXgw=
-github.com/nats-io/nats-server/v2 v2.11.0-dev.0.20240313175812-f1cd3ed141b0/go.mod h1:H1n6zXtYLFCgXcf/SF8QNTSIFuS8tyZQMN9NguUHdEs=
-github.com/nats-io/nats.go v1.33.1 h1:8TxLZZ/seeEfR97qV0/Bl939tpDnt2Z2fK3HkPypj70=
-github.com/nats-io/nats.go v1.33.1/go.mod h1:Ubdu4Nh9exXdSz0RVWRFBbRfrbSxOYd26oF0wkWclB8=
-github.com/nats-io/nkeys v0.4.7 h1:RwNJbbIdYCoClSDNY7QVKZlyb/wfT6ugvFCiKy6vDvI=
-github.com/nats-io/nkeys v0.4.7/go.mod h1:kqXRgRDPlGy7nGaEDMuYzmiJCIAAWDK0IMBtDmGD0nc=
-github.com/nats-io/nsc/v2 v2.8.6-0.20231220104935-3f89317df670 h1:NQzs7g/+Z4kC4XsYsKCQlwRcM4Hk0VyKuz7F4zUgjvQ=
-github.com/nats-io/nsc/v2 v2.8.6-0.20231220104935-3f89317df670/go.mod h1:Z2+aDD1PzpXk8kF1ro17cfGBzmBoWPbtvGW8hBssAdA=
+github.com/nats-io/jsm.go v0.1.2 h1:T4Fq88a03sPAPWYwrOLQ85oanYsC2Bs6517rUiWBMpQ=
+github.com/nats-io/jsm.go v0.1.2/go.mod h1:tnubE70CAKi5TNfQiq6XHFqWTuSIe1H7X4sDwfq6ZK8=
+github.com/nats-io/jwt/v2 v2.7.3-0.20241126234803-5297029e9786 h1:HKCwbkbdrgGxepr+GQnX+M3N+CRJQ0jv7za+DUnXMZE=
+github.com/nats-io/jwt/v2 v2.7.3-0.20241126234803-5297029e9786/go.mod h1:juFmOKd5skggbifBWcXcuRrhP+4nc/FH6sBTAV2f3d8=
+github.com/nats-io/nats-server/v2 v2.11.0-preview.2 h1:tT/UeBbFzHRzwy77T/+/Rbw58XP9F3CY3VmtcDltZ68=
+github.com/nats-io/nats-server/v2 v2.11.0-preview.2/go.mod h1:ILDVzrTqMco4rQMOgEZimBjJHb1oZDlz1J+qhJtZlRM=
+github.com/nats-io/nats.go v1.37.0 h1:07rauXbVnnJvv1gfIyghFEo6lUcYRY0WXc3x7x0vUxE=
+github.com/nats-io/nats.go v1.37.0/go.mod h1:Ubdu4Nh9exXdSz0RVWRFBbRfrbSxOYd26oF0wkWclB8=
+github.com/nats-io/nkeys v0.4.8 h1:+wee30071y3vCZAYRsnrmIPaOe47A/SkK/UBDPdIV70=
+github.com/nats-io/nkeys v0.4.8/go.mod h1:kqXRgRDPlGy7nGaEDMuYzmiJCIAAWDK0IMBtDmGD0nc=
+github.com/nats-io/nsc/v2 v2.10.0 h1:ueDjDA6nEuIrcaxLw6DSWbUTURO3bKfsfoez9qtqwHo=
+github.com/nats-io/nsc/v2 v2.10.0/go.mod h1:j/e5w6xBlYR4eGLJ9KriNXRFtmjKN/+qaQDZl5TXKVk=
 github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
-golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
-golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/sys v0.0.0-20190130150945-aca44879d564/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
+golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
+golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
+golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
+golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
+golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

operator.go

@@ -81,7 +81,7 @@ func (o *OperatorData) SetSystemAccount(account Account) error {
 }
 
 func (o *OperatorData) Add(name string) (Account, error) {
-	sk, err := KeyFor(nkeys.PrefixByteAccount)
+	sk, err := o.SigningService.NewKey(nkeys.PrefixByteAccount)
 	if err != nil {
 		return nil, err
 	}
@@ -142,8 +142,7 @@ func (o *OperatorData) update() error {
 	if vr.IsBlocking(true) {
 		return vr.Errors()[0]
 	}
-
-	token, err := o.Claim.Encode(o.Key.Pair)
+	token, err := o.SigningService.Sign(o.Claim, o.Key)
 	if err != nil {
 		return err
 	}

operator_signingkeys.go

@@ -15,7 +15,7 @@ func (os *operatorSigningKeys) Add() (string, error) {
 }
 
 func (os *operatorSigningKeys) add() (*Key, error) {
-	key, err := KeyFor(nkeys.PrefixByteOperator)
+	key, err := os.data.SigningService.NewKey(nkeys.PrefixByteOperator)
 	if err != nil {
 		return nil, err
 	}

providers/kv/kv.go

@@ -7,8 +7,8 @@ import (
 	"strings"
 
 	"github.com/nats-io/jsm.go/natscontext"
-	"github.com/nats-io/jwt/v2"
-	"github.com/nats-io/nats.go"
+	jwt "github.com/nats-io/jwt/v2"
+	nats "github.com/nats-io/nats.go"
 	"github.com/nats-io/nats.go/jetstream"
 	"github.com/nats-io/nkeys"
 	ab "github.com/synadia-io/jwt-auth-builder.go"

taskfile.dist.yaml

@@ -16,3 +16,6 @@ tasks:
   lint:
     cmds:
       - golangci-lint run
+  fmt:
+    cmds:
+      - gofumpt -l -w .

tests/external_test.go

@@ -0,0 +1,54 @@
+package tests
+
+import (
+	"fmt"
+	"github.com/nats-io/nkeys"
+	"github.com/stretchr/testify/assert"
+	authb "github.com/synadia-io/jwt-auth-builder.go"
+	nsc "github.com/synadia-io/jwt-auth-builder.go/providers/nsc"
+	"testing"
+)
+
+func TestExternal(v *testing.T) {
+	t := assert.New(v)
+
+	store := NewNscStore(v)
+	defer store.Cleanup()
+	p := nsc.NewNscProvider(store.StoresDir(), store.KeysDir())
+
+	keys := make(map[string]nkeys.KeyPair)
+	signFn := func(pub string, data []byte) ([]byte, error) {
+		kp := keys[pub]
+		if kp == nil {
+			return nil, fmt.Errorf("secret key not found %s", pub)
+		}
+		return kp.Sign(data)
+	}
+	keysFn := func(p nkeys.PrefixByte) (*authb.Key, error) {
+		k, err := authb.KeyFor(p)
+		if err != nil {
+			return nil, err
+		}
+
+		pub, err := authb.KeyFrom(k.Public)
+		if err != nil {
+			return nil, err
+		}
+		keys[k.Public] = k.Pair
+		return pub, nil
+	}
+
+	opts := &authb.Options{KeysFn: keysFn, SignFn: signFn}
+	auth, err := authb.NewAuthWithOptions(p, opts)
+
+	t.NoError(err)
+	o, err := auth.Operators().Add("O")
+	t.NoError(err)
+	a, err := o.Accounts().Add("A")
+	t.NoError(err)
+	u, err := a.Users().Add("U", "")
+	t.NoError(err)
+	t.NotNil(u)
+
+	t.Len(keys, 3)
+}

types.go

@@ -71,6 +71,8 @@ type OperatorData struct {
 	AddedKeys []*Key `json:"-"`
 	// List of deleted keys related to the operator entity tree
 	DeletedKeys []string `json:"-"`
+
+	SigningService IssuingService `json:"-"`
 }
 
 func (o *OperatorData) MarshalJSON() ([]byte, error) {

user.go

@@ -21,7 +21,7 @@ func (u *UserData) IsScoped() bool {
 }
 
 func (u *UserData) issue(key *Key) error {
-	token, err := u.Claim.Encode(key.Pair)
+	token, err := u.AccountData.Operator.SigningService.Sign(u.Claim, key)
 	if err != nil {
 		return err
 	}
@@ -44,7 +44,7 @@ func (u *UserData) update() error {
 	if err != nil {
 		return err
 	}
-	token, err := u.Claim.Encode(k.Pair)
+	token, err := u.AccountData.Operator.SigningService.Sign(u.Claim, k)
 	if err != nil {
 		return err
 	}