oauth2

package module
v0.1.19 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 27, 2024 License: Apache-2.0 Imports: 36 Imported by: 0

README

OAuth 2.0 Framework

This library is the Authelia OAuth 2.0 Framework which is internally used to deliver OAuth 2.0 and OpenID Connect 1.0 Flows to its users.

Notable Implemented or Intended Differences

In an effort to assist users who wish to use this library we aim to maintain the following list of differences:

  • Module path changed from github.com/ory/fosite to authelia.com/provider/oauth2.
  • Documentation:
    • Add spec support documentation
  • Overhaul testing:
    • Ensure all tests and subtests are well named
    • Ensure all tests are simplified where possible
    • Restore/Implement conformance tests
  • Rename interfaces and implementations:
    • OAuth2Provider to Provider.
    • Fosite to TBA.
  • Minimum dependency is go version 1.21
  • Replace string values with constants where applicable commit
  • Simplify the internal JWT logic to leverage github.com/golang-jwt/jwt/v5 or other such libraries
  • Implement internal JWKS logic
  • Higher Debug error information visibility (Debug Field includes the complete RFC6749 error with debug information if available)
  • Fixes:
    • Basic Scheme Rejects Special Characters commit
    • RFC9068 must condition ignored commit
    • Arguments are treated as case-insensitive commit
    • Refresh Flow:
      • Requested scope ignored commit
      • Original request id not set early enough commit
    • PKCE Flow:
      • Session generated needlessly commit
      • Failure to fetch session causes an error even when not enforced commit
    • OpenID Flows:
      • Absence of Redirect URI does not result in an error commit
    • Decode id_token_hint with correct signer
    • Write Revocation Response does not correctly error commit
    • Invalid Token base 64 error not mapped to RFC
    • Auth Request omitted Response Mode not validated
    • Refresh Grant if Token Invalid/Expired status is not 400 commit
    • Access Token iat and nbf in JWT Profile always original claims commit
  • Features:
  • Removal of the following dependencies:
    • go.opentelemetry.io/otel/trace
    • github.com/ecordell/optgen
    • github.com/asaskevich/govalidator
    • github.com/gorilla/websocket
    • github.com/magiconair/properties
    • github.com/mattn/goveralls
    • github.com/oleiade/reflections
    • github.com/ory/go-acc
    • github.com/ory/go-convenience
    • github.com/ory/x
    • github.com/gorilla/sessions
    • github.com/gobuffalo/packr
    • github.com/form3tech-oss/jwt-go
    • github.com/dgrijalva/jwt-go
  • Migration of the following dependencies:
    • github.com/go-jose/go-jose/v3 => github.com/go-jose/go-jose/v4
    • github.com/golang/mock => github.com/uber-go/mock
    • github.com/cristalhq/jwt/v4 => github.com/golang-jwt/jwt/v5

Thanks

This is a hard fork of ORY Fosite under the Apache 2.0 License for the purpose of performing self-maintenance of this critical Authelia dependency.

We however:

  • Acknowledge the amazing hard work of the ORY developers in making such an amazing framework that we can do this with.
  • Plan to continue to contribute back to te ORY fosite and related projects.
  • Have ensured the licensing is unchanged in this fork of the library.
  • Do not have a formal affiliation with ORY and individuals utilizing this library should not allow their usage to be a reflection on ORY as this library is not maintained by them.

Documentation

Index

Constants

View Source
const (
	ResponseModeDefault     = ResponseModeType("")
	ResponseModeFormPost    = ResponseModeType(consts.ResponseModeFormPost)
	ResponseModeQuery       = ResponseModeType(consts.ResponseModeQuery)
	ResponseModeFragment    = ResponseModeType(consts.ResponseModeFragment)
	ResponseModeFormPostJWT = ResponseModeType(consts.ResponseModeFormPostJWT)
	ResponseModeQueryJWT    = ResponseModeType(consts.ResponseModeQueryJWT)
	ResponseModeFragmentJWT = ResponseModeType(consts.ResponseModeFragmentJWT)
	ResponseModeJWT         = ResponseModeType(consts.ResponseModeJWT)
)
View Source
const (
	RequestContextKey           = ContextKey("request")
	AccessRequestContextKey     = ContextKey("accessRequest")
	AccessResponseContextKey    = ContextKey("accessResponse")
	AuthorizeRequestContextKey  = ContextKey("authorizeRequest")
	AuthorizeResponseContextKey = ContextKey("authorizeResponse")
	// PushedAuthorizeResponseContextKey is the response context
	PushedAuthorizeResponseContextKey = ContextKey("pushedAuthorizeResponse")
)
View Source
const (
	AccessToken  TokenType = consts.TokenTypeAccessToken
	RefreshToken TokenType = consts.TokenTypeRefreshToken
	DeviceCode   TokenType = consts.CodeDevice
	UserCode     TokenType = consts.CodeUser

	// PushedAuthorizeRequestContext represents the PAR context object
	PushedAuthorizeRequestContext TokenType = "par_context"

	AuthorizeCode TokenType = "authorize_code"
	IDToken       TokenType = "id_token"

	GrantTypeImplicit          GrantType = consts.GrantTypeImplicit
	GrantTypeRefreshToken      GrantType = consts.GrantTypeRefreshToken
	GrantTypeAuthorizationCode GrantType = consts.GrantTypeAuthorizationCode
	GrantTypePassword          GrantType = consts.GrantTypeResourceOwnerPasswordCredentials
	GrantTypeClientCredentials GrantType = consts.GrantTypeClientCredentials
	GrantTypeJWTBearer         GrantType = consts.GrantTypeOAuthJWTBearer
	GrantTypeDeviceCode        GrantType = consts.GrantTypeOAuthDeviceCode
	GrantTypeTokenExchange     GrantType = consts.GrantTypeOAuthTokenExchange

	BearerAccessToken string = "bearer"
)
View Source
const (
	ErrorPARNotSupported           = "The OAuth 2.0 provider does not support Pushed Authorization Requests"
	DebugPARStorageInvalid         = "'PARStorage' not implemented"
	DebugPARConfigMissing          = "'PushedAuthorizeRequestConfigProvider' not implemented"
	DebugPARRequestsHandlerMissing = "'PushedAuthorizeRequestHandlersProvider' not implemented"
)
View Source
const DefaultBCryptWorkFactor = 12
View Source
const MinParameterEntropy = 8

Variables

View Source
var (
	// ErrInvalidatedAuthorizeCode is an error indicating that an authorization code has been
	// used previously.
	ErrInvalidatedAuthorizeCode = errors.New("Authorization code has ben invalidated")

	// ErrInvalidatedDeviceCode is an error indicating that a device code has been used previously.
	ErrInvalidatedDeviceCode = errors.New("Device code has been invalidated")

	// ErrInvalidatedUserCode is an error indicating that a user code has been used previously.
	ErrInvalidatedUserCode = errors.New("user code has been invalidated")

	// ErrSerializationFailure is an error indicating that the transactional capable storage could not guarantee
	// consistency of Update & Delete operations on the same rows between multiple sessions.
	ErrSerializationFailure = errors.New("The request could not be completed due to concurrent access")

	ErrUnknownRequest = &RFC6749Error{
		ErrorField:       errUnknownErrorName,
		DescriptionField: "The handler is not responsible for this request.",
		CodeField:        http.StatusBadRequest,
	}
	ErrRequestForbidden = &RFC6749Error{
		ErrorField:       errRequestForbidden,
		DescriptionField: "The request is not allowed.",
		HintField:        "You are not allowed to perform this action.",
		CodeField:        http.StatusForbidden,
	}
	ErrInvalidRequest = &RFC6749Error{
		ErrorField:       errInvalidRequestName,
		DescriptionField: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.",
		HintField:        "Make sure that the various parameters are correct, be aware of case sensitivity and trim your parameters. Make sure that the client you are using has exactly whitelisted the redirect_uri you specified.",
		CodeField:        http.StatusBadRequest,
	}
	ErrUnauthorizedClient = &RFC6749Error{
		ErrorField:       errUnauthorizedClientName,
		DescriptionField: "The client is not authorized to request a token using this method.",
		HintField:        "Make sure that client id and secret are correctly specified and that the client exists.",
		CodeField:        http.StatusBadRequest,
	}
	ErrAccessDenied = &RFC6749Error{
		ErrorField:       errAccessDeniedName,
		DescriptionField: "The resource owner or authorization server denied the request.",
		HintField:        "Make sure that the request you are making is valid. Maybe the credential or request parameters you are using are limited in scope or otherwise restricted.",
		CodeField:        http.StatusForbidden,
	}
	ErrUnsupportedResponseType = &RFC6749Error{
		ErrorField:       errUnsupportedResponseTypeName,
		DescriptionField: "The authorization server does not support obtaining a token using this method.",
		CodeField:        http.StatusBadRequest,
	}
	ErrUnsupportedResponseMode = &RFC6749Error{
		ErrorField:       errUnsupportedResponseModeName,
		DescriptionField: "The authorization server does not support obtaining a response using this response mode.",
		CodeField:        http.StatusBadRequest,
	}
	ErrInvalidScope = &RFC6749Error{
		ErrorField:       errInvalidScopeName,
		DescriptionField: "The requested scope is invalid, unknown, or malformed.",
		CodeField:        http.StatusBadRequest,
	}
	ErrServerError = &RFC6749Error{
		ErrorField:       errServerErrorName,
		DescriptionField: "The authorization server encountered an unexpected condition that prevented it from fulfilling the request.",
		CodeField:        http.StatusInternalServerError,
	}
	ErrTemporarilyUnavailable = &RFC6749Error{
		ErrorField:       errTemporarilyUnavailableName,
		DescriptionField: "The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.",
		CodeField:        http.StatusServiceUnavailable,
	}
	ErrUnsupportedGrantType = &RFC6749Error{
		ErrorField:       errUnsupportedGrantTypeName,
		DescriptionField: "The authorization grant type is not supported by the authorization server.",
		CodeField:        http.StatusBadRequest,
	}
	ErrInvalidGrant = &RFC6749Error{
		ErrorField:       errInvalidGrantName,
		DescriptionField: "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.",
		CodeField:        http.StatusBadRequest,
	}
	ErrInvalidClient = &RFC6749Error{
		ErrorField:       errInvalidClientName,
		DescriptionField: "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).",
		CodeField:        http.StatusUnauthorized,
	}
	ErrInvalidState = &RFC6749Error{
		ErrorField:       errInvalidStateName,
		DescriptionField: "The state is missing or does not have enough characters and is therefore considered too weak.",
		CodeField:        http.StatusBadRequest,
	}
	ErrMisconfiguration = &RFC6749Error{
		ErrorField:       errMisconfigurationName,
		DescriptionField: "The request failed because of an internal error that is probably caused by misconfiguration.",
		CodeField:        http.StatusInternalServerError,
	}
	ErrInsufficientEntropy = &RFC6749Error{
		ErrorField:       errInsufficientEntropyName,
		DescriptionField: "The request used a security parameter (e.g., anti-replay, anti-csrf) with insufficient entropy.",
		CodeField:        http.StatusBadRequest,
	}
	ErrNotFound = &RFC6749Error{
		ErrorField:       errNotFoundName,
		DescriptionField: "Could not find the requested resource(s).",
		CodeField:        http.StatusNotFound,
	}
	ErrRequestUnauthorized = &RFC6749Error{
		ErrorField:       errRequestUnauthorizedName,
		DescriptionField: "The request could not be authorized.",
		HintField:        "Check that you provided valid credentials in the right format.",
		CodeField:        http.StatusUnauthorized,
	}
	ErrTokenSignatureMismatch = &RFC6749Error{
		ErrorField:       errTokenSignatureMismatchName,
		DescriptionField: "Token signature mismatch.",
		HintField:        "Check that you provided a valid token in the right format.",
		CodeField:        http.StatusBadRequest,
	}
	ErrInvalidTokenFormat = &RFC6749Error{
		ErrorField:       errInvalidTokenFormatName,
		DescriptionField: "Invalid token format.",
		HintField:        "Check that you provided a valid token in the right format.",
		CodeField:        http.StatusBadRequest,
	}
	ErrTokenExpired = &RFC6749Error{
		ErrorField:       errTokenExpiredName,
		DescriptionField: "Token expired.",
		HintField:        "The token expired.",
		CodeField:        http.StatusUnauthorized,
	}
	ErrScopeNotGranted = &RFC6749Error{
		ErrorField:       errScopeNotGrantedName,
		DescriptionField: "The token was not granted the requested scope.",
		HintField:        "The resource owner did not grant the requested scope.",
		CodeField:        http.StatusForbidden,
	}
	ErrTokenClaim = &RFC6749Error{
		ErrorField:       errTokenClaimName,
		DescriptionField: "The token failed validation due to a claim mismatch.",
		HintField:        "One or more token claims failed validation.",
		CodeField:        http.StatusUnauthorized,
	}
	ErrInactiveToken = &RFC6749Error{
		ErrorField:       errTokenInactiveName,
		DescriptionField: "Token is inactive because it is malformed, expired or otherwise invalid.",
		HintField:        "Token validation failed.",
		CodeField:        http.StatusUnauthorized,
	}
	ErrLoginRequired = &RFC6749Error{
		ErrorField:       errLoginRequired,
		DescriptionField: "The Authorization Server requires End-User authentication.",
		CodeField:        http.StatusBadRequest,
	}
	ErrInteractionRequired = &RFC6749Error{
		DescriptionField: "The Authorization Server requires End-User interaction of some form to proceed.",
		ErrorField:       errInteractionRequired,
		CodeField:        http.StatusBadRequest,
	}
	ErrConsentRequired = &RFC6749Error{
		DescriptionField: "The Authorization Server requires End-User consent.",
		ErrorField:       errConsentRequired,
		CodeField:        http.StatusBadRequest,
	}
	ErrRequestNotSupported = &RFC6749Error{
		DescriptionField: "The authorization server does not support the use of the request parameter.",
		ErrorField:       errRequestNotSupportedName,
		CodeField:        http.StatusBadRequest,
	}
	ErrRequestURINotSupported = &RFC6749Error{
		DescriptionField: "The authorization server does not support the use of the request_uri parameter.",
		ErrorField:       errRequestURINotSupportedName,
		CodeField:        http.StatusBadRequest,
	}
	ErrRegistrationNotSupported = &RFC6749Error{
		DescriptionField: "The OP does not support use of the registration parameter.",
		ErrorField:       errRegistrationNotSupportedName,
		CodeField:        http.StatusBadRequest,
	}
	ErrInvalidRequestURI = &RFC6749Error{
		DescriptionField: "The request_uri in the authorization request returns an error or contains invalid data.",
		ErrorField:       errInvalidRequestURI,
		CodeField:        http.StatusBadRequest,
	}
	ErrInvalidRequestObject = &RFC6749Error{
		DescriptionField: "The request parameter contains an invalid Request Object.",
		ErrorField:       errInvalidRequestObject,
		CodeField:        http.StatusBadRequest,
	}
	ErrJTIKnown = &RFC6749Error{
		DescriptionField: "The jti was already used.",
		ErrorField:       errJTIKnownName,
		CodeField:        http.StatusBadRequest,
	}
	ErrAuthorizationPending = &RFC6749Error{
		DescriptionField: "The authorization request is still pending as the end user hasn't yet completed the user-interaction steps.",
		ErrorField:       errAuthorizationPending,
		CodeField:        http.StatusBadRequest,
	}
	ErrDeviceExpiredToken = &RFC6749Error{
		DescriptionField: "The device_code has expired, and the device authorization session has concluded.",
		ErrorField:       errDeviceExpiredToken,
		CodeField:        http.StatusBadRequest,
	}
	ErrSlowDown = &RFC6749Error{
		DescriptionField: "Too many requests within a short time period.",
		ErrorField:       errSlowDown,
		CodeField:        http.StatusBadRequest,
	}
)
View Source
var (
	// RegexSpecificationVSCHAR matches strings which only contain the ASCII visible printable
	// range %x20-7E per https://datatracker.ietf.org/doc/html/rfc6749#appendix-A i.e. VSCHAR. Presumably the Visible
	// with Spaces characters.
	RegexSpecificationVSCHAR = regexp.MustCompile(`^[\pL\pM\pN\pP\pS ]+$`)

	// RegexSpecificationNQCHAR matches strings which only contain the ASCII visible printable
	// ranges %x21 / %x23-5B / %x5D-7E per https://datatracker.ietf.org/doc/html/rfc6749#appendix-A i.e. NQCHAR.
	// Presumably the Non-Quoted character range.
	RegexSpecificationNQCHAR = regexp.MustCompile(`^[\pL\pM\pN\pS!#-@_\[\]{}]+$`)

	// RegexSpecificationNQSCHAR matches strings which only contain the ASCII visible printable
	// ranges %x20-21 / %x23-5B / %x5D-7E per https://datatracker.ietf.org/doc/html/rfc6749#appendix-A i.e. NQSCHAR.
	// Presumably the Non-Quoted with Spaces character range.
	RegexSpecificationNQSCHAR = regexp.MustCompile(`^[\pL\pM\pN\pS!#-@_\[\]{}]+$`)
)
View Source
var DefaultFormPostTemplate = template.Must(template.New("form_post").Parse(`<html>
   <head>
      <title>Submit This Form</title>
   </head>
   <body onload="javascript:document.forms[0].submit()">
      <form method="post" action="{{ .RedirURL }}">
         {{ range $key,$value := .Parameters }}
            {{ range $parameter:= $value }}
		      <input type="hidden" name="{{ $key }}" value="{{ $parameter }}"/>
            {{ end }}
         {{ end }}
      </form>
   </body>
</html>`))
View Source
var (
	ErrClientSecretNotRegistered = errors.New("error occurred checking the client secret: the client is not registered with a secret")
)

Functions

func AccessTokenFromRequest

func AccessTokenFromRequest(req *http.Request) string

func AddLocalizerToErr

func AddLocalizerToErr(catalog i18n.MessageCatalog, err error, requester Requester) error

AddLocalizerToErr augments the error object with the localizer based on the language set in the requester object. This is primarily required for response writers like introspection that do not take in the requester in the Write* function that produces the translated message. See - WriteIntrospectionError, for example.

func AddLocalizerToErrWithLang

func AddLocalizerToErrWithLang(catalog i18n.MessageCatalog, lang language.Tag, err error) error

AddLocalizerToErrWithLang augments the error object with the localizer based on the language passed in. This is primarily required for response writers like introspection that do not take in the requester in the Write* function that produces the translated message. See - WriteIntrospectionError, for example.

func CompareClientSecret

func CompareClientSecret(ctx context.Context, client Client, rawSecret []byte) (err error)

CompareClientSecret compares a raw secret input from a client to the registered client secret. If the secret is valid it returns nil, otherwise it returns an error. The ErrClientSecretNotRegistered error indicates the ClientSecret is nil, all other errors are returned directly from the ClientSecret.Compare function.

func DefaultAudienceMatchingStrategy

func DefaultAudienceMatchingStrategy(haystack []string, needle []string) error

func DefaultFormPostResponseWriter

func DefaultFormPostResponseWriter(rw io.Writer, template *template.Template, redirectURL string, parameters url.Values)

func DeviceAuthorizeStatusToString

func DeviceAuthorizeStatusToString(status DeviceAuthorizeStatus) string

func ErrorToDebugRFC6749Error

func ErrorToDebugRFC6749Error(err error) (rfc error)

ErrorToDebugRFC6749Error converts the provided error to a *DebugRFC6749Error provided it is not nil and can be cast as a *RFC6749Error.

func EscapeJSONString

func EscapeJSONString(str string) string

EscapeJSONString does a poor man's JSON encoding. Useful when we do not want to use full JSON encoding because we just had an error doing the JSON encoding. The characters that MUST be escaped: quotation mark, reverse solidus, and the control characters (U+0000 through U+001F). See: https://datatracker.ietf.org/doc/html/rfc8259#section-7

func ExactAudienceMatchingStrategy

func ExactAudienceMatchingStrategy(haystack []string, needle []string) error

ExactAudienceMatchingStrategy does not assume that audiences are URIs, but compares strings as-is and does matching with exact string comparison. It requires that all strings in "needle" are present in "haystack". Use this strategy when your audience values are not URIs (e.g., you use client IDs for audience and they are UUIDs or random strings).

func ExactScopeStrategy

func ExactScopeStrategy(haystack []string, needle string) bool

func FindClientPublicJWK

func FindClientPublicJWK(ctx context.Context, provider JWKSFetcherStrategyProvider, client JSONWebKeysClient, kid, alg, use string) (key any, err error)

FindClientPublicJWK takes a JARClient and a kid, alg, and use to resolve a Public JWK for the client.

func GetAudiences

func GetAudiences(form url.Values) []string

GetAudiences allows audiences to be provided as repeated "audience" form parameter, or as a space-delimited "audience" form parameter if it is not repeated. RFC 8693 in section 2.1 specifies that multiple audience values should be multiple query parameters, while RFC 6749 says that that request parameter must not be included more than once (and thus why we use space-delimited value). This function tries to satisfy both. If "audience" form parameter is repeated, we do not split the value by space.

func GetEffectiveLifespan

func GetEffectiveLifespan(c Client, gt GrantType, tt TokenType, fallback time.Duration) (lifespan time.Duration)

GetEffectiveLifespan either maps GrantType x TokenType to the client's configured lifespan, or returns the fallback value.

func HierarchicScopeStrategy

func HierarchicScopeStrategy(haystack []string, needle string) bool

func IsLocalhost

func IsLocalhost(redirectURI *url.URL) bool

func IsMatchingRedirectURI added in v0.1.4

func IsMatchingRedirectURI(uri string, haystack []string) (string, bool)

IsMatchingRedirectURI matches a requested redirect URI against a pool of registered client URIs.

Test a given redirect URI against a pool of URIs provided by a registered client. If the OAuth 2.0 Client has loopback URIs registered either an IPv4 URI http://127.0.0.1 or an IPv6 URI http://[::1] a client is allowed to request a dynamic port and the server MUST accept it as a valid redirection uri.

https://datatracker.ietf.org/doc/html/rfc8252#section-7.3 Native apps that are able to open a port on the loopback network interface without needing special permissions (typically, those on desktop operating systems) can use the loopback interface to receive the OAuth redirect.

Loopback redirect URIs use the "http" scheme and are constructed with the loopback IP literal and whatever port the client is listening on.

func IsRedirectURISecure

func IsRedirectURISecure(ctx context.Context, redirectURI *url.URL) bool

func IsRedirectURISecureStrict

func IsRedirectURISecureStrict(redirectURI *url.URL) bool

IsRedirectURISecureStrict is stricter than IsRedirectURISecure and it does not allow custom-scheme URLs because they can be hijacked for native apps. Use claimed HTTPS redirects instead. See discussion in https://github.com/ory/fosite/pull/489.

func IsValidRedirectURI

func IsValidRedirectURI(redirectURI *url.URL) bool

IsValidRedirectURI validates a redirect_uri as specified in:

* https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2

func JKWKSFetcherWithDefaultTTL

func JKWKSFetcherWithDefaultTTL(ttl time.Duration) func(*DefaultJWKSFetcherStrategy)

JKWKSFetcherWithDefaultTTL sets the default TTL for the cache.

func JWKSFetcherWithCache

func JWKSFetcherWithCache(cache *ristretto.Cache) func(*DefaultJWKSFetcherStrategy)

JWKSFetcherWithCache sets the cache to use.

func JWKSFetcherWithHTTPClient

func JWKSFetcherWithHTTPClient(client *retryablehttp.Client) func(*DefaultJWKSFetcherStrategy)

JWKSFetcherWithHTTPClient sets the HTTP client to use.

func JWKSFetcherWithHTTPClientSource

func JWKSFetcherWithHTTPClientSource(clientSourceFunc func(ctx context.Context) *retryablehttp.Client) func(*DefaultJWKSFetcherStrategy)

JWKSFetcherWithHTTPClientSource sets the HTTP client source function to use.

func MatchRedirectURIWithClientRedirectURIs

func MatchRedirectURIWithClientRedirectURIs(rawurl string, client Client) (*url.URL, error)

MatchRedirectURIWithClientRedirectURIs if the given uri is a registered redirect uri. Does not perform uri validation.

Considered specifications

  • https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.3 If multiple redirection URIs have been registered, if only part of the redirection URI has been registered, or if no redirection URI has been registered, the client MUST include a redirection URI with the authorization request using the "redirect_uri" request parameter.

    When a redirection URI is included in an authorization request, the authorization server MUST compare and match the value received against at least one of the registered redirection URIs (or URI components) as defined in [RFC3986] Section 6, if any redirection URIs were registered. If the client registration included the full redirection URI, the authorization server MUST compare the two URIs using simple string comparison as defined in [RFC3986] Section 6.2.1.

* https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.1.7

  • The authorization server may also enforce the usage and validation of pre-registered redirect URIs (see Section 5.2.3.5). This will allow for early recognition of authorization "code" disclosure to counterfeit clients.
  • The attacker will need to use another redirect URI for its authorization process rather than the target web site because it needs to intercept the flow. So, if the authorization server associates the authorization "code" with the redirect URI of a particular end-user authorization and validates this redirect URI with the redirect URI passed to the token's endpoint, such an attack is detected (see Section 5.2.4.5).

func NewContext

func NewContext() context.Context

func RemoveEmpty

func RemoveEmpty(args []string) (ret []string)

func StringInSlice

func StringInSlice(needle string, haystack []string) bool

StringInSlice returns true if needle exists in haystack

func StringInSliceFold

func StringInSliceFold(needle string, haystack []string) bool

StringInSliceFold returns true if needle exists in haystack (case-insensitive).

func WildcardScopeStrategy

func WildcardScopeStrategy(matchers []string, needle string) bool

Types

type AccessRequest

type AccessRequest struct {
	GrantTypes       Arguments `json:"grantTypes" gorethink:"grantTypes"`
	HandledGrantType Arguments `json:"handledGrantType" gorethink:"handledGrantType"`

	Request
}

func NewAccessRequest

func NewAccessRequest(session Session) *AccessRequest

func (*AccessRequest) GetGrantTypes

func (a *AccessRequest) GetGrantTypes() Arguments

func (*AccessRequest) SanitizeRestoreRefreshTokenOriginalRequester

func (a *AccessRequest) SanitizeRestoreRefreshTokenOriginalRequester(requester Requester) Requester

func (*AccessRequest) SetGrantedScopes

func (a *AccessRequest) SetGrantedScopes(scopes Arguments)

type AccessRequester

type AccessRequester interface {
	// GetGrantTypes returns the requests grant type.
	GetGrantTypes() (grantTypes Arguments)

	Requester
}

AccessRequester is a token endpoint's request context.

type AccessResponder

type AccessResponder interface {
	// SetExtra sets a key value pair for the access response.
	SetExtra(key string, value any)

	// GetExtra returns a key's value.
	GetExtra(key string) (extra any)

	SetExpiresIn(time.Duration)

	SetScopes(scopes Arguments)

	// SetAccessToken sets the responses mandatory access token.
	SetAccessToken(token string)

	// SetTokenType set's the responses mandatory token type
	SetTokenType(tokenType string)

	// GetAccessToken returns the responses access token.
	GetAccessToken() (token string)

	// GetTokenType returns the responses token type.
	GetTokenType() (token string)

	// ToMap converts the response to a map.
	ToMap() (values map[string]any)
}

AccessResponder is a token endpoint's response.

type AccessResponse

type AccessResponse struct {
	Extra       map[string]any
	AccessToken string
	TokenType   string
}

func NewAccessResponse

func NewAccessResponse() *AccessResponse

func (*AccessResponse) GetAccessToken

func (a *AccessResponse) GetAccessToken() string

func (*AccessResponse) GetExtra

func (a *AccessResponse) GetExtra(key string) any

func (*AccessResponse) GetTokenType

func (a *AccessResponse) GetTokenType() string

func (*AccessResponse) SetAccessToken

func (a *AccessResponse) SetAccessToken(token string)

func (*AccessResponse) SetExpiresIn

func (a *AccessResponse) SetExpiresIn(expiresIn time.Duration)

func (*AccessResponse) SetExtra

func (a *AccessResponse) SetExtra(key string, value any)

func (*AccessResponse) SetScopes

func (a *AccessResponse) SetScopes(scopes Arguments)

func (*AccessResponse) SetTokenType

func (a *AccessResponse) SetTokenType(name string)

func (*AccessResponse) ToMap

func (a *AccessResponse) ToMap() map[string]any

type AccessTokenIssuerProvider

type AccessTokenIssuerProvider interface {
	// GetAccessTokenIssuer returns the access token issuer.
	GetAccessTokenIssuer(ctx context.Context) (issuer string)
}

AccessTokenIssuerProvider returns the provider for configuring the JWT issuer.

type AccessTokenLifespanProvider

type AccessTokenLifespanProvider interface {
	// GetAccessTokenLifespan returns the access token lifespan.
	GetAccessTokenLifespan(ctx context.Context) time.Duration
}

AccessTokenLifespanProvider returns the provider for configuring the access token lifespan.

type AllowedJWTAssertionAudiencesProvider added in v0.1.17

type AllowedJWTAssertionAudiencesProvider interface {
	// GetAllowedJWTAssertionAudiences returns the permitted audience list for JWT Assertions.
	GetAllowedJWTAssertionAudiences(ctx context.Context) (audiences []string)
}

AllowedJWTAssertionAudiencesProvider is a provider used in contexts where the permitted audiences for a JWT assertion is required to validate a request.

type AllowedPromptsProvider

type AllowedPromptsProvider interface {
	// GetAllowedPrompts returns the allowed prompts.
	GetAllowedPrompts(ctx context.Context) (prompts []string)
}

AllowedPromptsProvider returns the provider for configuring the allowed prompts.

type Arguments

type Arguments []string

func (Arguments) ExactOne

func (r Arguments) ExactOne(name string) bool

ExactOne checks, by string case, that a single argument equals the provided string.

func (Arguments) Has

func (r Arguments) Has(items ...string) bool

Has checks, in a case-sensitive manner, that all of the items provided exists in arguments.

func (Arguments) HasFold

func (r Arguments) HasFold(items ...string) bool

HasFold checks, in a case-insensitive manner, that all of the items provided exists in arguments.

func (Arguments) HasOneOf

func (r Arguments) HasOneOf(items ...string) bool

HasOneOf checks, in a case-sensitive manner, that one of the items provided exists in arguments.

func (Arguments) HasOneOfFold

func (r Arguments) HasOneOfFold(items ...string) bool

HasOneOfFold checks, in a case-sensitive manner, that one of the items provided exists in arguments.

func (Arguments) Matches

func (r Arguments) Matches(items ...string) bool

Matches performs an case-sensitive, out-of-order check that the items provided exist and equal all of the args in arguments.

func (Arguments) MatchesExact

func (r Arguments) MatchesExact(items ...string) bool

MatchesExact checks, by order and string case, that the items provided equal those in arguments.

func (Arguments) MatchesFold

func (r Arguments) MatchesFold(items ...string) bool

MatchesFold performs an case-insensitive, out-of-order check that the items provided exist and equal all of the args in arguments. Note:

  • Providing a list that includes duplicate string-case items will return not matched.

type AudienceMatchingStrategy

type AudienceMatchingStrategy func(haystack []string, needle []string) error

type AudienceStrategyProvider

type AudienceStrategyProvider interface {
	// GetAudienceStrategy returns the audience strategy.
	GetAudienceStrategy(ctx context.Context) AudienceMatchingStrategy
}

AudienceStrategyProvider returns the provider for configuring the audience strategy.

type AuthenticationMethodClient added in v0.1.11

type AuthenticationMethodClient interface {
	// GetTokenEndpointAuthMethod is equivalent to the 'token_endpoint_auth_method' client metadata value which
	// determines the requested Client Authentication method for the Token Endpoint. The options are client_secret_post,
	// client_secret_basic, client_secret_jwt, private_key_jwt, and none.
	GetTokenEndpointAuthMethod() (method string)

	// GetTokenEndpointAuthSigningAlg is equivalent to the 'token_endpoint_auth_signing_alg' client metadata value which
	// determines the JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to authenticate the
	// Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods.
	GetTokenEndpointAuthSigningAlg() (alg string)

	// GetIntrospectionEndpointAuthMethod is equivalent to the 'introspection_endpoint_auth_method' client metadata
	// value which determines the Client Authentication method for the Introspection Endpoint. The options are
	// client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt.
	GetIntrospectionEndpointAuthMethod() (method string)

	// GetIntrospectionEndpointAuthSigningAlg is equivalent to the 'introspection_endpoint_auth_signing_alg' client
	// metadata value which determines the JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT]
	// used to authenticate the Client at the Introspection Endpoint for the private_key_jwt and client_secret_jwt
	// authentication methods.
	GetIntrospectionEndpointAuthSigningAlg() (alg string)

	// GetRevocationEndpointAuthMethod is equivalent to the 'revocation_endpoint_auth_method' client metadata value
	// which determines the Client Authentication method for the Revocation Endpoint. The options are
	// client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt.
	GetRevocationEndpointAuthMethod() (method string)

	// GetRevocationEndpointAuthSigningAlg is equivalent to the 'revocation_endpoint_auth_signing_alg' client metadata
	// value which determines the JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to
	// authenticate the Client at the Revocation Endpoint for the private_key_jwt and client_secret_jwt authentication
	// methods.
	GetRevocationEndpointAuthSigningAlg() (alg string)

	JSONWebKeysClient
}

AuthenticationMethodClient represents a client which has specific authentication methods.

type AuthorizationServerIssuerIdentificationProvider

type AuthorizationServerIssuerIdentificationProvider interface {
	GetAuthorizationServerIdentificationIssuer(ctx context.Context) (issuer string)
}

AuthorizationServerIssuerIdentificationProvider provides OAuth 2.0 Authorization Server Issuer Identification related methods.

type AuthorizeCodeLifespanProvider

type AuthorizeCodeLifespanProvider interface {
	// GetAuthorizeCodeLifespan returns the authorization code lifespan.
	GetAuthorizeCodeLifespan(ctx context.Context) time.Duration
}

AuthorizeCodeLifespanProvider returns the provider for configuring the authorization code lifespan.

type AuthorizeEndpointHandler

type AuthorizeEndpointHandler interface {
	// HandleAuthorizeEndpointRequest handles an authorize endpoint request. To extend the handler's capabilities, the http request
	// is passed along, if further information retrieval is required. If the handler feels that he is not responsible for
	// the authorize request, he must return nil and NOT modify session nor responder neither requester.
	//
	// The following spec is a good example of what HandleAuthorizeRequest should do.
	// * https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.1
	//   response_type REQUIRED.
	//   The value MUST be one of "code" for requesting an
	//   authorization code as described by Section 4.1.1, "token" for
	//   requesting an access token (implicit grant) as described by
	//   Section 4.2.1, or a registered extension value as described by Section 8.4.
	HandleAuthorizeEndpointRequest(ctx context.Context, requester AuthorizeRequester, responder AuthorizeResponder) error
}

type AuthorizeEndpointHandlers

type AuthorizeEndpointHandlers []AuthorizeEndpointHandler

AuthorizeEndpointHandlers is a list of AuthorizeEndpointHandler

func (*AuthorizeEndpointHandlers) Append

Append adds an AuthorizeEndpointHandler to this list. Ignores duplicates based on reflect.TypeOf.

type AuthorizeEndpointHandlersProvider

type AuthorizeEndpointHandlersProvider interface {
	// GetAuthorizeEndpointHandlers returns the authorize endpoint handlers.
	GetAuthorizeEndpointHandlers(ctx context.Context) (handlers AuthorizeEndpointHandlers)
}

AuthorizeEndpointHandlersProvider returns the provider for configuring the authorize endpoint handlers.

type AuthorizeRequest

type AuthorizeRequest struct {
	ResponseTypes        Arguments        `json:"responseTypes" gorethink:"responseTypes"`
	RedirectURI          *url.URL         `json:"redirectUri" gorethink:"redirectUri"`
	State                string           `json:"state" gorethink:"state"`
	HandledResponseTypes Arguments        `json:"handledResponseTypes" gorethink:"handledResponseTypes"`
	ResponseMode         ResponseModeType `json:"ResponseModes" gorethink:"ResponseModes"`
	DefaultResponseMode  ResponseModeType `json:"DefaultResponseMode" gorethink:"DefaultResponseMode"`

	Request
}

AuthorizeRequest is an implementation of AuthorizeRequester

func NewAuthorizeRequest

func NewAuthorizeRequest() *AuthorizeRequest

func (*AuthorizeRequest) DidHandleAllResponseTypes

func (d *AuthorizeRequest) DidHandleAllResponseTypes() bool

func (*AuthorizeRequest) GetDefaultResponseMode

func (d *AuthorizeRequest) GetDefaultResponseMode() ResponseModeType

func (*AuthorizeRequest) GetRedirectURI

func (d *AuthorizeRequest) GetRedirectURI() *url.URL

func (*AuthorizeRequest) GetResponseMode

func (d *AuthorizeRequest) GetResponseMode() ResponseModeType

func (*AuthorizeRequest) GetResponseTypes

func (d *AuthorizeRequest) GetResponseTypes() Arguments

func (*AuthorizeRequest) GetState

func (d *AuthorizeRequest) GetState() string

func (*AuthorizeRequest) IsRedirectURIValid

func (d *AuthorizeRequest) IsRedirectURIValid() bool

func (*AuthorizeRequest) SetDefaultResponseMode

func (d *AuthorizeRequest) SetDefaultResponseMode(defaultResponseMode ResponseModeType)

func (*AuthorizeRequest) SetResponseTypeHandled

func (d *AuthorizeRequest) SetResponseTypeHandled(name string)

type AuthorizeRequester

type AuthorizeRequester interface {
	// GetResponseTypes returns the requested response types
	GetResponseTypes() (responseTypes Arguments)

	// SetResponseTypeHandled marks a response_type (e.g. token or code) as handled indicating that the response type
	// is supported.
	SetResponseTypeHandled(responseType string)

	// DidHandleAllResponseTypes returns if all requested response types have been handled correctly
	DidHandleAllResponseTypes() (didHandle bool)

	// GetRedirectURI returns the requested redirect URI
	GetRedirectURI() (redirectURL *url.URL)

	// IsRedirectURIValid returns false if the redirect is not rfc-conform (i.e. missing client, not on white list,
	// or malformed)
	IsRedirectURIValid() (isValid bool)

	// GetState returns the request's state.
	GetState() (state string)

	// GetResponseMode returns response_mode of the authorization request
	GetResponseMode() (responseMode ResponseModeType)

	// SetDefaultResponseMode sets default response mode for a response type in a flow
	SetDefaultResponseMode(responseMode ResponseModeType)

	// GetDefaultResponseMode gets default response mode for a response type in a flow
	GetDefaultResponseMode() (responseMode ResponseModeType)

	Requester
}

AuthorizeRequester is an authorize endpoint's request context.

type AuthorizeResponder

type AuthorizeResponder interface {
	// GetCode returns the response's authorize code if set.
	GetCode() (code string)

	// GetHeader returns the response's header
	GetHeader() (header http.Header)

	// AddHeader adds a header key value pair to the response
	AddHeader(key, value string)

	// GetParameters returns the response's parameters
	GetParameters() (query url.Values)

	// AddParameter adds key value pair to the response
	AddParameter(key, value string)
}

AuthorizeResponder is an authorization endpoint's response.

type AuthorizeResponse

type AuthorizeResponse struct {
	Header     http.Header
	Parameters url.Values
	// contains filtered or unexported fields
}

AuthorizeResponse is an implementation of AuthorizeResponder

func NewAuthorizeResponse

func NewAuthorizeResponse() *AuthorizeResponse

func (*AuthorizeResponse) AddHeader

func (a *AuthorizeResponse) AddHeader(key, value string)

func (*AuthorizeResponse) AddParameter

func (a *AuthorizeResponse) AddParameter(key, value string)

func (*AuthorizeResponse) GetCode

func (a *AuthorizeResponse) GetCode() string

func (*AuthorizeResponse) GetHeader

func (a *AuthorizeResponse) GetHeader() http.Header

func (*AuthorizeResponse) GetParameters

func (a *AuthorizeResponse) GetParameters() url.Values

type BCryptClientSecret

type BCryptClientSecret struct {
	// contains filtered or unexported fields
}

func NewBCryptClientSecret

func NewBCryptClientSecret(hash string) *BCryptClientSecret

NewBCryptClientSecret returns a new BCryptClientSecret given a hash.

func NewBCryptClientSecretPlain

func NewBCryptClientSecretPlain(rawSecret string, cost int) (secret *BCryptClientSecret, err error)

NewBCryptClientSecretPlain returns a new BCryptClientSecret given a plaintext secret.

func (*BCryptClientSecret) Compare

func (s *BCryptClientSecret) Compare(ctx context.Context, secret []byte) (err error)

func (*BCryptClientSecret) GetPlainTextValue

func (s *BCryptClientSecret) GetPlainTextValue() (secret []byte, err error)

func (*BCryptClientSecret) IsPlainText

func (s *BCryptClientSecret) IsPlainText() (is bool)

func (*BCryptClientSecret) Valid added in v0.1.10

func (s *BCryptClientSecret) Valid() (valid bool)

type Client

type Client interface {
	// GetID returns the client ID.
	GetID() (id string)

	GetClientSecret() (secret ClientSecret)

	// GetRedirectURIs returns the client's allowed redirect URIs.
	GetRedirectURIs() []string

	// GetGrantTypes returns the client's allowed grant types.
	GetGrantTypes() (types Arguments)

	// GetResponseTypes returns the client's allowed response types.
	// All allowed combinations of response types have to be listed, each combination having
	// response types of the combination separated by a space.
	GetResponseTypes() (types Arguments)

	// GetScopes returns the scopes this client is allowed to request.
	GetScopes() (scopes Arguments)

	// IsPublic returns true, if this client is marked as public.
	IsPublic() (public bool)

	// GetAudience returns the allowed audience(s) for this client.
	GetAudience() (audience Arguments)
}

Client represents a client or an app.

type ClientAssertion added in v0.1.3

type ClientAssertion struct {
	Raw, Type             string
	Parsed                bool
	ID, Method, Algorithm string
	Client                Client
}

func NewClientAssertion added in v0.1.3

func NewClientAssertion(ctx context.Context, store ClientManager, raw, assertionType string, resolver EndpointClientAuthHandler) (assertion *ClientAssertion, err error)

type ClientAuthenticationPolicyClient

type ClientAuthenticationPolicyClient interface {
	// GetAllowMultipleAuthenticationMethods should return true if the client policy allows multiple authentication
	// methods due to the client implementation breaching RFC6749 Section 2.3.
	//
	// See: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.
	GetAllowMultipleAuthenticationMethods() (allow bool)

	Client
}

ClientAuthenticationPolicyClient is a Client implementation which also provides client authentication policy values.

type ClientAuthenticationStrategy

type ClientAuthenticationStrategy interface {
	AuthenticateClient(ctx context.Context, r *http.Request, form url.Values, handler EndpointClientAuthHandler) (client Client, method string, err error)
}

ClientAuthenticationStrategy describes a client authentication strategy implementation.

type ClientAuthenticationStrategyProvider

type ClientAuthenticationStrategyProvider interface {
	// GetClientAuthenticationStrategy returns the client authentication strategy.
	GetClientAuthenticationStrategy(ctx context.Context) (strategy ClientAuthenticationStrategy)
}

ClientAuthenticationStrategyProvider returns the provider for configuring the client authentication strategy.

type ClientCredentialsFlowRequestedScopeImplicitClient

type ClientCredentialsFlowRequestedScopeImplicitClient interface {
	// GetClientCredentialsFlowRequestedScopeImplicit is indicative of if a client will implicitly request all scopes it
	// is allowed to request in the absence of requested scopes during the Client Credentials Flow.
	GetClientCredentialsFlowRequestedScopeImplicit() (implicit bool)

	Client
}

ClientCredentialsFlowRequestedScopeImplicitClient is a client which can allow implicit scopes in the client credentials flow.

type ClientCredentialsImplicitProvider

type ClientCredentialsImplicitProvider interface {
	// GetClientCredentialsFlowImplicitGrantRequested returns true if the PopulateTokenEndpointResponse portion of the
	// oauth2.ClientCredentialsGrantHandler should implicitly grant all requested and validated scopes and audiences.
	GetClientCredentialsFlowImplicitGrantRequested(ctx context.Context) (implicit bool)
}

ClientCredentialsImplicitProvider describes the provider of the Client Credentials Flow Implicit actions.

type ClientLifespanConfig

type ClientLifespanConfig struct {
	AuthorizationCodeGrantAccessTokenLifespan  *time.Duration `json:"authorization_code_grant_access_token_lifespan"`
	AuthorizationCodeGrantIDTokenLifespan      *time.Duration `json:"authorization_code_grant_id_token_lifespan"`
	AuthorizationCodeGrantRefreshTokenLifespan *time.Duration `json:"authorization_code_grant_refresh_token_lifespan"`
	ClientCredentialsGrantAccessTokenLifespan  *time.Duration `json:"client_credentials_grant_access_token_lifespan"`
	ImplicitGrantAccessTokenLifespan           *time.Duration `json:"implicit_grant_access_token_lifespan"`
	ImplicitGrantIDTokenLifespan               *time.Duration `json:"implicit_grant_id_token_lifespan"`
	JwtBearerGrantAccessTokenLifespan          *time.Duration `json:"jwt_bearer_grant_access_token_lifespan"`
	PasswordGrantAccessTokenLifespan           *time.Duration `json:"password_grant_access_token_lifespan"`
	PasswordGrantRefreshTokenLifespan          *time.Duration `json:"password_grant_refresh_token_lifespan"`
	RefreshTokenGrantIDTokenLifespan           *time.Duration `json:"refresh_token_grant_id_token_lifespan"`
	RefreshTokenGrantAccessTokenLifespan       *time.Duration `json:"refresh_token_grant_access_token_lifespan"`
	RefreshTokenGrantRefreshTokenLifespan      *time.Duration `json:"refresh_token_grant_refresh_token_lifespan"`
}

ClientLifespanConfig holds default lifespan configuration for the different token types that may be issued for the client. This configuration takes precedence over instance-wide default lifespan, but it may be overridden by a session's expires_at claim.

The OIDC Hybrid grant type inherits token lifespan configuration from the implicit grant.

type ClientManager

type ClientManager interface {
	// GetClient loads the client by its ID or returns an error
	// if the client does not exist or another error occurred.
	GetClient(ctx context.Context, id string) (Client, error)
	// ClientAssertionJWTValid returns an error if the JTI is
	// known or the DB check failed and nil if the JTI is not known.
	ClientAssertionJWTValid(ctx context.Context, jti string) error
	// SetClientAssertionJWT marks a JTI as known for the given
	// expiry time. Before inserting the new JTI, it will clean
	// up any existing JTIs that have expired as those tokens can
	// not be replayed due to the expiry.
	SetClientAssertionJWT(ctx context.Context, jti string, exp time.Time) error
}

ClientManager defines the (persistent) manager interface for clients.

type ClientSecret

type ClientSecret interface {
	// Compare is the primary function of the interface which is used to compare this ClientSecret to the form input.
	// This function SHOULD return nil if the secret input matches the expected value, otherwise it should return an
	// error.
	Compare(ctx context.Context, secret []byte) (err error)

	// IsPlainText is a utility function to determine if this secret is in a plaintext format making it usable for the
	// client_secret_jwt authentication method.
	IsPlainText() (is bool)

	// GetPlainTextValue is a utility function to return the secret in the plaintext format making it usable for the
	// client_secret_jwt authentication method.
	GetPlainTextValue() (secret []byte, err error)

	// Valid should return false if the secret is nil or otherwise invalid.
	Valid() (valid bool)
}

ClientSecret is a service interface for client secret comparisons and functionality.

type Config

type Config struct {
	// AccessTokenLifespan sets how long an access token is going to be valid. Defaults to one hour.
	AccessTokenLifespan time.Duration

	// VerifiableCredentialsNonceLifespan sets how long a verifiable credentials nonce is going to be valid. Defaults to one hour.
	VerifiableCredentialsNonceLifespan time.Duration

	// RefreshTokenLifespan sets how long a refresh token is going to be valid. Defaults to 30 days. Set to -1 for
	// refresh tokens that never expire.
	RefreshTokenLifespan time.Duration

	// AuthorizeCodeLifespan sets how long an authorize code is going to be valid. Defaults to fifteen minutes.
	AuthorizeCodeLifespan time.Duration

	// IDTokenLifespan sets the default id token lifetime. Defaults to one hour.
	IDTokenLifespan time.Duration

	// Sets how long a device user/device code pair is valid for
	RFC8628CodeLifespan time.Duration

	// IDTokenIssuer sets the default issuer of the ID Token.
	IDTokenIssuer string

	// AccessTokenIssuer is the issuer to be used when generating access tokens.
	AccessTokenIssuer string

	// 	AuthorizationServerIdentificationIssuer string sets the issuer identifier for authorization responses (RFC9207).
	AuthorizationServerIdentificationIssuer string

	// IntrospectionIssuer is the issuer to be used when generating signed introspection responses.
	IntrospectionIssuer string

	// IntrospectionJWTResponseSigner is the signer for Introspection Responses. Has no default.
	IntrospectionJWTResponseSigner jwt.Signer

	// HashCost sets the cost of the password hashing cost. Defaults to 12.
	HashCost int

	// DisableRefreshTokenValidation sets the introspection endpoint to disable refresh token validation.
	DisableRefreshTokenValidation bool

	// SendDebugMessagesToClients if set to true, includes error debug messages in response payloads. Be aware that sensitive
	// data may be exposed, depending on your implementation of Fosite. Such sensitive data might include database error
	// codes or other information. Proceed with caution!
	SendDebugMessagesToClients bool

	// RevokeRefreshTokensExplicit determines if Refresh Tokens should only be revoked explicitly.
	RevokeRefreshTokensExplicit bool

	// EnforceRevokeFlowRevokeRefreshTokensExplicitClient determines if a RevokeFlowRevokeRefreshTokensExplicitClient
	// should be prioritized even if it returns false.
	EnforceRevokeFlowRevokeRefreshTokensExplicitClient bool

	// ScopeStrategy sets the scope strategy that should be supported, for example oauth2.WildcardScopeStrategy.
	ScopeStrategy ScopeStrategy

	// AudienceMatchingStrategy sets the audience matching strategy that should be supported, defaults to oauth2.DefaultsAudienceMatchingStrategy.
	AudienceMatchingStrategy AudienceMatchingStrategy

	ClientCredentialsFlowImplicitGrantRequested bool

	// EnforcePKCE, if set to true, requires clients to perform authorize code flows with PKCE. Defaults to false.
	EnforcePKCE bool

	// EnforcePKCEForPublicClients requires only public clients to use PKCE with the authorize code flow. Defaults to false.
	EnforcePKCEForPublicClients bool

	// EnablePKCEPlainChallengeMethod sets whether or not to allow the plain challenge method (S256 should be used whenever possible, plain is really discouraged). Defaults to false.
	EnablePKCEPlainChallengeMethod bool

	// AllowedPromptValues sets which OpenID Connect prompt values the server supports. Defaults to []string{"login", "none", "consent", "select_account"}.
	AllowedPromptValues []string

	// AllowedJWTAssertionAudiences is a list of permitted client assertion audiences. If the authorization server is
	// intended to be compatible with the client_secret_jwt or private_key_jwt client authentication methods
	// (see http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth), this value MUST be set.
	AllowedJWTAssertionAudiences []string

	// JWKSFetcherStrategy is responsible for fetching JSON Web Keys from remote URLs. This is required when the private_key_jwt
	// client authentication method is used. Defaults to oauth2.DefaultJWKSFetcherStrategy.
	JWKSFetcherStrategy JWKSFetcherStrategy

	// TokenEntropy indicates the entropy of the random string, used as the "message" part of the HMAC token.
	// Defaults to 32.
	TokenEntropy int

	// RFC8628UserVerificationURL is the URL of the device verification endpoint, this is is included with the device code request responses
	RFC8628UserVerificationURL string

	// RFC8628TokenPollingInterval sets the interval that clients should check for device code grants
	RFC8628TokenPollingInterval time.Duration

	// RedirectSecureChecker is a function that returns true if the provided URL can be securely used as a redirect URL.
	RedirectSecureChecker func(context.Context, *url.URL) bool

	// RefreshTokenScopes defines which OAuth scopes will be given refresh tokens during the authorization code grant exchange. This defaults to "offline" and "offline_access". When set to an empty array, all exchanges will be given refresh tokens.
	RefreshTokenScopes []string

	// MinParameterEntropy controls the minimum size of state and nonce parameters. Defaults to oauth2.MinParameterEntropy.
	MinParameterEntropy int

	// UseLegacyErrorFormat controls whether the legacy error format (with `error_debug`, `error_hint`, ...)
	// should be used or not.
	UseLegacyErrorFormat bool

	// GrantTypeJWTBearerCanSkipClientAuth indicates, if client authentication can be skipped, when using jwt as assertion.
	GrantTypeJWTBearerCanSkipClientAuth bool

	// GrantTypeJWTBearerIDOptional indicates, if jti (JWT ID) claim required or not in JWT.
	GrantTypeJWTBearerIDOptional bool

	// GrantTypeJWTBearerIssuedDateOptional indicates, if "iat" (issued at) claim required or not in JWT.
	GrantTypeJWTBearerIssuedDateOptional bool

	// GrantTypeJWTBearerMaxDuration sets the maximum time after JWT issued date, during which the JWT is considered valid.
	GrantTypeJWTBearerMaxDuration time.Duration

	// ClientAuthenticationStrategy indicates the Strategy to authenticate client requests
	ClientAuthenticationStrategy ClientAuthenticationStrategy

	// ResponseModeHandlers provides the handlers for performing response mode formatting.
	ResponseModeHandlers ResponseModeHandlers

	// ResponseModeParameterHandlers provides handlers for injecting additional parameters into the authorize responses.
	ResponseModeParameterHandlers ResponseModeParameterHandlers

	// MessageCatalog is the message bundle used for i18n
	MessageCatalog i18n.MessageCatalog

	// FormPostHTMLTemplate sets html template for rendering the authorization response when the request has response_mode=form_post.
	FormPostHTMLTemplate *template.Template

	// FormPostResponseWriter is the FormPostResponseWriter used for writing the form post response. Useful for
	// overwriting the behaviour of this element.
	FormPostResponseWriter FormPostResponseWriter

	// OmitRedirectScopeParam indicates whether the "scope" parameter should be omitted from the redirect URL.
	OmitRedirectScopeParam bool

	// SanitationWhiteList is a whitelist of form values that are required by the token endpoint. These values
	// are safe for storage in a database (cleartext).
	SanitationWhiteList []string

	// JWTScopeClaimKey defines the claim key to be used to set the scope in. Valid fields are "scope" or "scp" or both.
	JWTScopeClaimKey jwt.JWTScopeFieldEnum

	// JWTSecuredAuthorizeResponseModeIssuer sets the default issuer for the JWT Secured Authorization Response Mode.
	JWTSecuredAuthorizeResponseModeIssuer string

	// JWTSecuredAuthorizeResponseModeLifespan sets the default lifetime for the tokens issued in the
	// JWT Secured Authorization Response Mode. Defaults to 10 minutes.
	JWTSecuredAuthorizeResponseModeLifespan time.Duration

	// JWTSecuredAuthorizeResponseModeSigner is the signer for JWT Secured Authorization Response Mode. Has no default.
	JWTSecuredAuthorizeResponseModeSigner jwt.Signer

	// EnforceJWTProfileAccessTokens forces the issuer to return JWT Profile Access Tokens to all clients.
	EnforceJWTProfileAccessTokens bool

	// HTTPClient is the HTTP client to use for requests.
	HTTPClient *retryablehttp.Client

	// AuthorizeEndpointHandlers is a list of handlers that are called before the authorization endpoint is served.
	AuthorizeEndpointHandlers AuthorizeEndpointHandlers

	// TokenEndpointHandlers is a list of handlers that are called before the token endpoint is served.
	TokenEndpointHandlers TokenEndpointHandlers

	// TokenIntrospectionHandlers is a list of handlers that are called before the token introspection endpoint is served.
	TokenIntrospectionHandlers TokenIntrospectionHandlers

	// RevocationHandlers is a list of handlers that are called before the revocation endpoint is served.
	RevocationHandlers RevocationHandlers

	// PushedAuthorizeEndpointHandlers is a list of handlers that are called before the PAR endpoint is served.
	PushedAuthorizeEndpointHandlers PushedAuthorizeEndpointHandlers

	// RFC8628DeviceAuthorizeEndpointHandlers is a list of handlers that are called before the device authorization endpoint is served.
	RFC8628DeviceAuthorizeEndpointHandlers RFC8628DeviceAuthorizeEndpointHandlers

	// RFC8628UserAuthorizeEndpointHandlers is a list of handlers that are called before the device grant user interaction endpoint is served.
	RFC8628UserAuthorizeEndpointHandlers RFC8628UserAuthorizeEndpointHandlers

	// GlobalSecret is the global secret used to sign and verify signatures.
	GlobalSecret []byte

	// RotatedGlobalSecrets is a list of global secrets that are used to verify signatures.
	RotatedGlobalSecrets [][]byte

	// HMACHasher is the hasher used to generate HMAC signatures.
	HMACHasher func() hash.Hash

	// PushedAuthorizeRequestURIPrefix is the URI prefix for the PAR request_uri.
	// This is defaulted to 'urn:ietf:params:oauth:request_uri:'.
	PushedAuthorizeRequestURIPrefix string

	// PushedAuthorizeContextLifespan is the lifespan of the PAR context
	PushedAuthorizeContextLifespan time.Duration

	// RequirePushedAuthorizationRequests requires pushed authorization request for /authorize
	RequirePushedAuthorizationRequests bool

	RFC8693TokenTypes map[string]RFC8693TokenType

	DefaultRequestedTokenType string
}

func (*Config) GetAccessTokenIssuer

func (c *Config) GetAccessTokenIssuer(ctx context.Context) string

func (*Config) GetAccessTokenLifespan

func (c *Config) GetAccessTokenLifespan(_ context.Context) time.Duration

GetAccessTokenLifespan returns how long an access token should be valid. Defaults to one hour.

func (*Config) GetAllowedJWTAssertionAudiences added in v0.1.17

func (c *Config) GetAllowedJWTAssertionAudiences(ctx context.Context) []string

func (*Config) GetAllowedPrompts

func (c *Config) GetAllowedPrompts(_ context.Context) []string

func (*Config) GetAudienceStrategy

func (c *Config) GetAudienceStrategy(_ context.Context) AudienceMatchingStrategy

GetAudienceStrategy returns the scope strategy to be used. Defaults to glob scope strategy.

func (*Config) GetAuthorizationServerIdentificationIssuer

func (c *Config) GetAuthorizationServerIdentificationIssuer(ctx context.Context) (issuer string)

func (*Config) GetAuthorizeCodeLifespan

func (c *Config) GetAuthorizeCodeLifespan(_ context.Context) time.Duration

GetAuthorizeCodeLifespan returns how long an authorize code should be valid. Defaults to one fifteen minutes.

func (*Config) GetAuthorizeEndpointHandlers

func (c *Config) GetAuthorizeEndpointHandlers(ctx context.Context) AuthorizeEndpointHandlers

func (*Config) GetBCryptCost

func (c *Config) GetBCryptCost(_ context.Context) int

GetBCryptCost returns the bcrypt cost factor. Defaults to 12.

func (*Config) GetClientAuthenticationStrategy

func (c *Config) GetClientAuthenticationStrategy(_ context.Context) ClientAuthenticationStrategy

GetClientAuthenticationStrategy returns the configured client authentication strategy. Defaults to nil. Note that on a nil strategy `oauth2.Fosite` fallbacks to its default client authentication strategy `oauth2.Fosite.DefaultClientAuthenticationStrategy`

func (*Config) GetClientCredentialsFlowImplicitGrantRequested

func (c *Config) GetClientCredentialsFlowImplicitGrantRequested(_ context.Context) bool

func (*Config) GetDefaultRFC8693RequestedTokenType

func (c *Config) GetDefaultRFC8693RequestedTokenType(ctx context.Context) string

func (*Config) GetDisableRefreshTokenValidation

func (c *Config) GetDisableRefreshTokenValidation(_ context.Context) bool

GetDisableRefreshTokenValidation returns whether to disable the validation of the refresh token.

func (*Config) GetEnablePKCEPlainChallengeMethod

func (c *Config) GetEnablePKCEPlainChallengeMethod(ctx context.Context) bool

GetEnablePKCEPlainChallengeMethod returns whether or not to allow the plain challenge method (S256 should be used whenever possible, plain is really discouraged).

func (*Config) GetEnforceJWTProfileAccessTokens

func (c *Config) GetEnforceJWTProfileAccessTokens(ctx context.Context) (enable bool)

func (*Config) GetEnforcePKCE

func (c *Config) GetEnforcePKCE(ctx context.Context) bool

GetEnforcePKCE If set to true, public clients must use PKCE.

func (*Config) GetEnforcePKCEForPublicClients

func (c *Config) GetEnforcePKCEForPublicClients(ctx context.Context) bool

GetEnforcePKCEForPublicClients returns the value of EnforcePKCEForPublicClients.

func (*Config) GetEnforceRevokeFlowRevokeRefreshTokensExplicitClient

func (c *Config) GetEnforceRevokeFlowRevokeRefreshTokensExplicitClient(ctx context.Context) bool

func (*Config) GetFormPostHTMLTemplate

func (c *Config) GetFormPostHTMLTemplate(ctx context.Context) *template.Template

func (*Config) GetFormPostResponseWriter

func (c *Config) GetFormPostResponseWriter(ctx context.Context) FormPostResponseWriter

func (*Config) GetGlobalSecret

func (c *Config) GetGlobalSecret(ctx context.Context) ([]byte, error)

func (*Config) GetGrantTypeJWTBearerCanSkipClientAuth

func (c *Config) GetGrantTypeJWTBearerCanSkipClientAuth(ctx context.Context) bool

GetGrantTypeJWTBearerCanSkipClientAuth returns the GrantTypeJWTBearerCanSkipClientAuth field.

func (*Config) GetGrantTypeJWTBearerIDOptional

func (c *Config) GetGrantTypeJWTBearerIDOptional(ctx context.Context) bool

GetGrantTypeJWTBearerIDOptional returns the GrantTypeJWTBearerIDOptional field.

func (*Config) GetGrantTypeJWTBearerIssuedDateOptional

func (c *Config) GetGrantTypeJWTBearerIssuedDateOptional(ctx context.Context) bool

GetGrantTypeJWTBearerIssuedDateOptional returns the GrantTypeJWTBearerIssuedDateOptional field.

func (*Config) GetHMACHasher

func (c *Config) GetHMACHasher(ctx context.Context) func() hash.Hash

func (*Config) GetHTTPClient

func (c *Config) GetHTTPClient(ctx context.Context) *retryablehttp.Client

func (*Config) GetIDTokenIssuer

func (c *Config) GetIDTokenIssuer(ctx context.Context) string

func (*Config) GetIDTokenLifespan

func (c *Config) GetIDTokenLifespan(_ context.Context) time.Duration

GetIDTokenLifespan returns how long an id token should be valid. Defaults to one hour.

func (*Config) GetIntrospectionIssuer added in v0.1.4

func (c *Config) GetIntrospectionIssuer(ctx context.Context) string

func (*Config) GetIntrospectionJWTResponseSigner added in v0.1.4

func (c *Config) GetIntrospectionJWTResponseSigner(ctx context.Context) jwt.Signer

func (*Config) GetJWKSFetcherStrategy

func (c *Config) GetJWKSFetcherStrategy(_ context.Context) JWKSFetcherStrategy

GetJWKSFetcherStrategy returns the JWKSFetcherStrategy.

func (*Config) GetJWTMaxDuration

func (c *Config) GetJWTMaxDuration(_ context.Context) time.Duration

GetJWTMaxDuration specified the maximum amount of allowed `exp` time for a JWT. It compares the time with the JWT's `exp` time if the JWT time is larger, will cause the JWT to be invalid.

Defaults to a day.

func (*Config) GetJWTScopeField

func (c *Config) GetJWTScopeField(ctx context.Context) jwt.JWTScopeFieldEnum

func (*Config) GetJWTSecuredAuthorizeResponseModeIssuer

func (c *Config) GetJWTSecuredAuthorizeResponseModeIssuer(ctx context.Context) string

func (*Config) GetJWTSecuredAuthorizeResponseModeLifespan

func (c *Config) GetJWTSecuredAuthorizeResponseModeLifespan(_ context.Context) time.Duration

GetJWTSecuredAuthorizeResponseModeLifespan returns how long a JWT issued by the JWT Secured Authorize Response Mode should be valid. Defaults to 10 minutes.

func (*Config) GetJWTSecuredAuthorizeResponseModeSigner

func (c *Config) GetJWTSecuredAuthorizeResponseModeSigner(ctx context.Context) jwt.Signer

func (*Config) GetMessageCatalog

func (c *Config) GetMessageCatalog(ctx context.Context) i18n.MessageCatalog

func (*Config) GetMinParameterEntropy

func (c *Config) GetMinParameterEntropy(_ context.Context) int

GetMinParameterEntropy returns MinParameterEntropy if set. Defaults to oauth2.MinParameterEntropy.

func (*Config) GetOmitRedirectScopeParam

func (c *Config) GetOmitRedirectScopeParam(ctx context.Context) bool

func (*Config) GetPushedAuthorizeContextLifespan

func (c *Config) GetPushedAuthorizeContextLifespan(ctx context.Context) time.Duration

GetPushedAuthorizeContextLifespan is the lifespan of the short-lived PAR context.

func (*Config) GetPushedAuthorizeEndpointHandlers

func (c *Config) GetPushedAuthorizeEndpointHandlers(ctx context.Context) PushedAuthorizeEndpointHandlers

GetPushedAuthorizeEndpointHandlers returns the handlers.

func (*Config) GetPushedAuthorizeRequestURIPrefix

func (c *Config) GetPushedAuthorizeRequestURIPrefix(ctx context.Context) string

GetPushedAuthorizeRequestURIPrefix is the request URI prefix. This is usually 'urn:ietf:params:oauth:request_uri:'.

func (*Config) GetRFC8628CodeLifespan

func (c *Config) GetRFC8628CodeLifespan(_ context.Context) time.Duration

GetRFC8628CodeLifespan returns the device and user code lifespan.

func (*Config) GetRFC8628DeviceAuthorizeEndpointHandlers

func (c *Config) GetRFC8628DeviceAuthorizeEndpointHandlers(_ context.Context) RFC8628DeviceAuthorizeEndpointHandlers

func (*Config) GetRFC8628TokenPollingInterval

func (c *Config) GetRFC8628TokenPollingInterval(_ context.Context) time.Duration

func (*Config) GetRFC8628UserAuthorizeEndpointHandlers

func (c *Config) GetRFC8628UserAuthorizeEndpointHandlers(_ context.Context) RFC8628UserAuthorizeEndpointHandlers

func (*Config) GetRFC8628UserVerificationURL

func (c *Config) GetRFC8628UserVerificationURL(_ context.Context) string

func (*Config) GetRFC8693TokenTypes

func (c *Config) GetRFC8693TokenTypes(ctx context.Context) map[string]RFC8693TokenType

func (*Config) GetRedirectSecureChecker

func (c *Config) GetRedirectSecureChecker(_ context.Context) func(context.Context, *url.URL) bool

GetRedirectSecureChecker returns the checker to check if redirect URI is secure. Defaults to oauth2.IsRedirectURISecure.

func (*Config) GetRefreshTokenLifespan

func (c *Config) GetRefreshTokenLifespan(_ context.Context) time.Duration

GetRefreshTokenLifespan sets how long a refresh token is going to be valid. Defaults to 30 days. Set to -1 for refresh tokens that never expire.

func (*Config) GetRefreshTokenScopes

func (c *Config) GetRefreshTokenScopes(_ context.Context) []string

GetRefreshTokenScopes returns which scopes will provide refresh tokens.

func (*Config) GetRequirePushedAuthorizationRequests

func (c *Config) GetRequirePushedAuthorizationRequests(ctx context.Context) bool

EnforcePushedAuthorize indicates if PAR is enforced. In this mode, a client cannot pass authorize parameters at the 'authorize' endpoint. The 'authorize' endpoint must contain the PAR request_uri.

func (*Config) GetResponseModeHandlers

func (c *Config) GetResponseModeHandlers(ctx context.Context) ResponseModeHandlers

func (*Config) GetResponseModeParameterHandlers added in v0.1.3

func (c *Config) GetResponseModeParameterHandlers(ctx context.Context) ResponseModeParameterHandlers

func (*Config) GetRevocationHandlers

func (c *Config) GetRevocationHandlers(ctx context.Context) RevocationHandlers

func (*Config) GetRevokeRefreshTokensExplicit

func (c *Config) GetRevokeRefreshTokensExplicit(ctx context.Context) bool

func (*Config) GetRotatedGlobalSecrets

func (c *Config) GetRotatedGlobalSecrets(ctx context.Context) ([][]byte, error)

func (*Config) GetSanitationWhiteList

func (c *Config) GetSanitationWhiteList(ctx context.Context) []string

GetSanitationWhiteList returns a list of allowed form values that are required by the token endpoint. These values are safe for storage in a database (cleartext).

func (*Config) GetScopeStrategy

func (c *Config) GetScopeStrategy(_ context.Context) ScopeStrategy

GetScopeStrategy returns the scope strategy to be used. Defaults to glob scope strategy.

func (*Config) GetSendDebugMessagesToClients

func (c *Config) GetSendDebugMessagesToClients(ctx context.Context) bool

func (*Config) GetTokenEndpointHandlers

func (c *Config) GetTokenEndpointHandlers(ctx context.Context) TokenEndpointHandlers

func (*Config) GetTokenEntropy

func (c *Config) GetTokenEntropy(_ context.Context) int

GetTokenEntropy returns the entropy of the "message" part of a HMAC Token. Defaults to 32.

func (*Config) GetTokenIntrospectionHandlers

func (c *Config) GetTokenIntrospectionHandlers(ctx context.Context) TokenIntrospectionHandlers

func (*Config) GetUseLegacyErrorFormat

func (c *Config) GetUseLegacyErrorFormat(ctx context.Context) bool

func (*Config) GetVerifiableCredentialsNonceLifespan

func (c *Config) GetVerifiableCredentialsNonceLifespan(_ context.Context) time.Duration

GetVerifiableCredentialsNonceLifespan returns how long a nonce should be valid. Defaults to one hour.

type Configurator

type Configurator interface {
	IDTokenIssuerProvider
	IDTokenLifespanProvider
	AuthorizationServerIssuerIdentificationProvider
	AllowedPromptsProvider
	EnforcePKCEProvider
	EnforcePKCEForPublicClientsProvider
	EnablePKCEPlainChallengeMethodProvider
	GrantTypeJWTBearerCanSkipClientAuthProvider
	GrantTypeJWTBearerIDOptionalProvider
	GrantTypeJWTBearerIssuedDateOptionalProvider
	GetJWTMaxDurationProvider
	ScopeStrategyProvider
	AudienceStrategyProvider
	ClientCredentialsImplicitProvider
	RedirectSecureCheckerProvider
	OmitRedirectScopeParamProvider
	SanitationAllowedProvider
	JWTScopeFieldProvider
	JWTSecuredAuthorizeResponseModeIssuerProvider
	JWTSecuredAuthorizeResponseModeSignerProvider
	JWTSecuredAuthorizeResponseModeLifespanProvider
	JWTProfileAccessTokensProvider
	AccessTokenIssuerProvider
	DisableRefreshTokenValidationProvider
	RefreshTokenScopesProvider
	AccessTokenLifespanProvider
	RefreshTokenLifespanProvider
	VerifiableCredentialsNonceLifespanProvider
	AuthorizeCodeLifespanProvider
	TokenEntropyProvider
	RotatedGlobalSecretsProvider
	GlobalSecretProvider
	JWKSFetcherStrategyProvider
	HTTPClientProvider
	ScopeStrategyProvider
	AudienceStrategyProvider
	MinParameterEntropyProvider
	HMACHashingProvider
	ClientAuthenticationStrategyProvider
	ResponseModeHandlerProvider
	SendDebugMessagesToClientsProvider
	RevokeRefreshTokensExplicitlyProvider
	JWKSFetcherStrategyProvider
	ClientAuthenticationStrategyProvider
	MessageCatalogProvider
	FormPostHTMLTemplateProvider
	FormPostResponseProvider
	AllowedJWTAssertionAudiencesProvider
	AuthorizeEndpointHandlersProvider
	TokenEndpointHandlersProvider
	TokenIntrospectionHandlersProvider
	RevocationHandlersProvider
	PushedAuthorizeRequestHandlersProvider
	PushedAuthorizeRequestConfigProvider
	RFC8693ConfigProvider
	RFC8628DeviceAuthorizeEndpointHandlersProvider
	RFC8628UserAuthorizeEndpointHandlersProvider
	RFC9628DeviceAuthorizeConfigProvider
	IntrospectionIssuerProvider
	IntrospectionJWTResponseSignerProvider
	UseLegacyErrorFormatProvider
}

type ContextKey

type ContextKey string

type CustomTokenLifespansClient

type CustomTokenLifespansClient interface {
	// GetEffectiveLifespan either maps GrantType x TokenType to the client's configured lifespan, or returns the fallback value.
	GetEffectiveLifespan(gt GrantType, tt TokenType, fallback time.Duration) (lifespan time.Duration)

	Client
}

CustomTokenLifespansClient is a Client with specific lifespans.

type DebugRFC6749Error

type DebugRFC6749Error struct {
	*RFC6749Error
}

DebugRFC6749Error is a decorator type which makes the underlying *RFC6749Error expose debug information and show the full error description.

func (*DebugRFC6749Error) Error

func (err *DebugRFC6749Error) Error() string

Error implements the builtin error interface and shows the error with its debug info and description.

type DefaultClient

type DefaultClient struct {
	ID                   string         `json:"id"`
	ClientSecret         ClientSecret   `json:"-"`
	RotatedClientSecrets []ClientSecret `json:"-"`
	RedirectURIs         []string       `json:"redirect_uris"`
	GrantTypes           []string       `json:"grant_types"`
	ResponseTypes        []string       `json:"response_types"`
	Scopes               []string       `json:"scopes"`
	Audience             []string       `json:"audience"`
	Public               bool           `json:"public"`
}

DefaultClient is a simple default implementation of the Client interface.

func (*DefaultClient) GetAudience

func (c *DefaultClient) GetAudience() Arguments

func (*DefaultClient) GetClientSecret

func (c *DefaultClient) GetClientSecret() (secret ClientSecret)

func (*DefaultClient) GetGrantTypes

func (c *DefaultClient) GetGrantTypes() Arguments

func (*DefaultClient) GetID

func (c *DefaultClient) GetID() string

func (*DefaultClient) GetRedirectURIs

func (c *DefaultClient) GetRedirectURIs() []string

func (*DefaultClient) GetResponseTypes

func (c *DefaultClient) GetResponseTypes() Arguments

func (*DefaultClient) GetRotatedClientSecrets

func (c *DefaultClient) GetRotatedClientSecrets() (secrets []ClientSecret)

func (*DefaultClient) GetScopes

func (c *DefaultClient) GetScopes() Arguments

func (*DefaultClient) IsPublic

func (c *DefaultClient) IsPublic() bool

type DefaultClientAuthenticationStrategy

type DefaultClientAuthenticationStrategy struct {
	Store interface {
		ClientManager
	}
	Config interface {
		JWKSFetcherStrategyProvider
		AllowedJWTAssertionAudiencesProvider
	}
}

func (*DefaultClientAuthenticationStrategy) AuthenticateClient

func (s *DefaultClientAuthenticationStrategy) AuthenticateClient(ctx context.Context, r *http.Request, form url.Values, resolver EndpointClientAuthHandler) (client Client, method string, err error)

type DefaultClientWithCustomTokenLifespans

type DefaultClientWithCustomTokenLifespans struct {
	*DefaultClient
	TokenLifespans *ClientLifespanConfig `json:"token_lifespans"`
}

func (*DefaultClientWithCustomTokenLifespans) GetEffectiveLifespan

func (c *DefaultClientWithCustomTokenLifespans) GetEffectiveLifespan(gt GrantType, tt TokenType, fallback time.Duration) time.Duration

GetEffectiveLifespan either maps GrantType x TokenType to the client's configured lifespan, or returns the fallback value.

TODO: Refactor time permitting.

func (*DefaultClientWithCustomTokenLifespans) GetTokenLifespans

func (*DefaultClientWithCustomTokenLifespans) SetTokenLifespans

func (c *DefaultClientWithCustomTokenLifespans) SetTokenLifespans(lifespans *ClientLifespanConfig)

type DefaultJARClient added in v0.1.15

type DefaultJARClient struct {
	*DefaultClient
	JSONWebKeysURI                      string              `json:"jwks_uri"`
	JSONWebKeys                         *jose.JSONWebKeySet `json:"jwks"`
	TokenEndpointAuthMethod             string              `json:"token_endpoint_auth_method"`
	IntrospectionEndpointAuthMethod     string              `json:"introspection_endpoint_auth_method"`
	RevocationEndpointAuthMethod        string              `json:"revocation_endpoint_auth_method"`
	RequestURIs                         []string            `json:"request_uris"`
	RequestObjectSigningKeyID           string              `json:"request_object_signing_kid"`
	RequestObjectSigningAlg             string              `json:"request_object_signing_alg"`
	RequestObjectEncryptionKeyID        string              `json:"request_object_encryption_kid"`
	RequestObjectEncryptionAlg          string              `json:"request_object_encryption_alg"`
	RequestObjectEncryptionEnc          string              `json:"request_object_encryption_enc"`
	TokenEndpointAuthSigningAlg         string              `json:"token_endpoint_auth_signing_alg"`
	IntrospectionEndpointAuthSigningAlg string              `json:"introspection_endpoint_auth_signing_alg"`
	RevocationEndpointAuthSigningAlg    string              `json:"revocation_endpoint_auth_signing_alg"`
}

func (*DefaultJARClient) GetIntrospectionEndpointAuthMethod added in v0.1.15

func (c *DefaultJARClient) GetIntrospectionEndpointAuthMethod() string

func (*DefaultJARClient) GetIntrospectionEndpointAuthSigningAlg added in v0.1.15

func (c *DefaultJARClient) GetIntrospectionEndpointAuthSigningAlg() string

func (*DefaultJARClient) GetJSONWebKeys added in v0.1.15

func (c *DefaultJARClient) GetJSONWebKeys() *jose.JSONWebKeySet

func (*DefaultJARClient) GetJSONWebKeysURI added in v0.1.15

func (c *DefaultJARClient) GetJSONWebKeysURI() string

func (*DefaultJARClient) GetRequestObjectEncryptionAlg added in v0.1.15

func (c *DefaultJARClient) GetRequestObjectEncryptionAlg() string

func (*DefaultJARClient) GetRequestObjectEncryptionEnc added in v0.1.15

func (c *DefaultJARClient) GetRequestObjectEncryptionEnc() string

func (*DefaultJARClient) GetRequestObjectEncryptionKeyID added in v0.1.15

func (c *DefaultJARClient) GetRequestObjectEncryptionKeyID() string

func (*DefaultJARClient) GetRequestObjectSigningAlg added in v0.1.15

func (c *DefaultJARClient) GetRequestObjectSigningAlg() string

func (*DefaultJARClient) GetRequestObjectSigningKeyID added in v0.1.15

func (c *DefaultJARClient) GetRequestObjectSigningKeyID() string

func (*DefaultJARClient) GetRequestURIs added in v0.1.15

func (c *DefaultJARClient) GetRequestURIs() []string

func (*DefaultJARClient) GetRevocationEndpointAuthMethod added in v0.1.15

func (c *DefaultJARClient) GetRevocationEndpointAuthMethod() string

func (*DefaultJARClient) GetRevocationEndpointAuthSigningAlg added in v0.1.15

func (c *DefaultJARClient) GetRevocationEndpointAuthSigningAlg() string

func (*DefaultJARClient) GetTokenEndpointAuthMethod added in v0.1.15

func (c *DefaultJARClient) GetTokenEndpointAuthMethod() string

func (*DefaultJARClient) GetTokenEndpointAuthSigningAlg added in v0.1.15

func (c *DefaultJARClient) GetTokenEndpointAuthSigningAlg() string

type DefaultJWKSFetcherStrategy

type DefaultJWKSFetcherStrategy struct {
	// contains filtered or unexported fields
}

DefaultJWKSFetcherStrategy is a default implementation of the JWKSFetcherStrategy interface.

func (*DefaultJWKSFetcherStrategy) Resolve

func (s *DefaultJWKSFetcherStrategy) Resolve(ctx context.Context, location string, ignoreCache bool) (*jose.JSONWebKeySet, error)

Resolve returns the JSON Web Key Set, or an error if something went wrong. The forceRefresh, if true, forces the strategy to fetch the key from the remote. If forceRefresh is false, the strategy may use a caching strategy to fetch the key.

func (*DefaultJWKSFetcherStrategy) WaitForCache

func (s *DefaultJWKSFetcherStrategy) WaitForCache()

type DefaultResponseModeClient

type DefaultResponseModeClient struct {
	*DefaultClient
	ResponseModes []ResponseModeType `json:"response_modes"`
}

func (*DefaultResponseModeClient) GetResponseModes

func (c *DefaultResponseModeClient) GetResponseModes() []ResponseModeType

type DefaultResponseModeHandler

type DefaultResponseModeHandler struct {
	Config ResponseModeHandlerConfigurator
}

func (*DefaultResponseModeHandler) EncodeResponseForm

func (h *DefaultResponseModeHandler) EncodeResponseForm(ctx context.Context, rm ResponseModeType, requester AuthorizeRequester, parameters url.Values) (form url.Values, err error)

EncodeResponseForm encodes the response form if necessary.

func (*DefaultResponseModeHandler) ResponseModes

func (h *DefaultResponseModeHandler) ResponseModes() ResponseModeTypes

ResponseModes returns the response modes this fosite.ResponseModeHandler is responsible for.

func (*DefaultResponseModeHandler) WriteAuthorizeError

func (h *DefaultResponseModeHandler) WriteAuthorizeError(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, e error)

WriteAuthorizeError writes authorization errors.

func (*DefaultResponseModeHandler) WriteAuthorizeResponse

func (h *DefaultResponseModeHandler) WriteAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, responder AuthorizeResponder)

WriteAuthorizeResponse writes authorization responses.

type DefaultSession

type DefaultSession struct {
	ExpiresAt map[TokenType]time.Time `json:"expires_at"`
	Username  string                  `json:"username"`
	Subject   string                  `json:"subject"`
	Extra     map[string]any          `json:"extra"`
}

DefaultSession is a default implementation of the session interface.

func (*DefaultSession) Clone

func (s *DefaultSession) Clone() Session

func (*DefaultSession) GetExpiresAt

func (s *DefaultSession) GetExpiresAt(key TokenType) time.Time

func (*DefaultSession) GetExtraClaims

func (s *DefaultSession) GetExtraClaims() map[string]any

GetExtraClaims implements ExtraClaimsSession for DefaultSession. The returned value can be modified in-place.

func (*DefaultSession) GetSubject

func (s *DefaultSession) GetSubject() string

func (*DefaultSession) GetUsername

func (s *DefaultSession) GetUsername() string

func (*DefaultSession) SetExpiresAt

func (s *DefaultSession) SetExpiresAt(key TokenType, exp time.Time)

func (*DefaultSession) SetSubject

func (s *DefaultSession) SetSubject(subject string)

type DeviceAuthorizeRequest

type DeviceAuthorizeRequest struct {
	Request
	DeviceCodeSignature string
	UserCodeSignature   string
	Status              DeviceAuthorizeStatus
	LastChecked         time.Time
}

DeviceAuthorizeRequest is an implementation of DeviceAuthorizeRequester

func NewDeviceAuthorizeRequest

func NewDeviceAuthorizeRequest() *DeviceAuthorizeRequest

func (*DeviceAuthorizeRequest) GetDeviceCodeSignature

func (d *DeviceAuthorizeRequest) GetDeviceCodeSignature() string

GetDeviceCodeSignature returns the device code signature

func (*DeviceAuthorizeRequest) GetLastChecked

func (d *DeviceAuthorizeRequest) GetLastChecked() time.Time

func (*DeviceAuthorizeRequest) GetStatus

func (*DeviceAuthorizeRequest) GetUserCodeSignature

func (d *DeviceAuthorizeRequest) GetUserCodeSignature() string

GetUserCodeSignature returns the user code signature

func (*DeviceAuthorizeRequest) Merge

func (d *DeviceAuthorizeRequest) Merge(requester Requester)

func (*DeviceAuthorizeRequest) SetDeviceCodeSignature

func (d *DeviceAuthorizeRequest) SetDeviceCodeSignature(signature string)

SetDeviceCodeSignature set the device code signature

func (*DeviceAuthorizeRequest) SetLastChecked

func (d *DeviceAuthorizeRequest) SetLastChecked(lastChecked time.Time)

func (*DeviceAuthorizeRequest) SetStatus

func (d *DeviceAuthorizeRequest) SetStatus(status DeviceAuthorizeStatus)

func (*DeviceAuthorizeRequest) SetUserCodeSignature

func (d *DeviceAuthorizeRequest) SetUserCodeSignature(signature string)

SetUserCodeSignature set the user code signature

type DeviceAuthorizeRequester

type DeviceAuthorizeRequester interface {
	// SetDeviceCodeSignature set the device code signature
	SetDeviceCodeSignature(signature string)

	// GetDeviceCodeSignature returns the device code signature
	GetDeviceCodeSignature() (signature string)

	// SetUserCodeSignature set the user code signature
	SetUserCodeSignature(signature string)

	// GetUserCodeSignature returns the user code signature
	GetUserCodeSignature() (signature string)

	SetStatus(status DeviceAuthorizeStatus)

	GetStatus() (status DeviceAuthorizeStatus)

	SetLastChecked(lastChecked time.Time)

	GetLastChecked() (lastChecked time.Time)

	Requester
}

DeviceAuthorizeRequester is a device authorization endpoint's request context.

type DeviceAuthorizeResponder

type DeviceAuthorizeResponder interface {
	GetDeviceCode() string

	SetDeviceCode(code string)

	// GetHeader returns the response's header
	GetHeader() (header http.Header)

	// AddHeader adds an header key value pair to the response
	AddHeader(key, value string)

	GetUserCode() (code string)

	SetUserCode(code string)

	GetVerificationURI() (uri string)

	SetVerificationURI(uri string)

	GetVerificationURIComplete() (completeURI string)

	SetVerificationURIComplete(uri string)

	GetExpiresIn() (expires int64)

	SetExpiresIn(seconds int64)

	GetInterval() (interval int)

	SetInterval(seconds int)

	// SetExtra sets a key value pair for the access response.
	SetExtra(key string, value any)

	// GetExtra returns a key's value.
	GetExtra(key string) (extra any)

	// ToMap converts the response to a map.
	ToMap() (values map[string]any)
}

type DeviceAuthorizeResponse

type DeviceAuthorizeResponse struct {
	Header                  http.Header    `json:"-"`
	DeviceCode              string         `json:"device_code"`
	UserCode                string         `json:"user_code"`
	VerificationURI         string         `json:"verification_uri"`
	VerificationURIComplete string         `json:"verification_uri_complete,omitempty"`
	ExpiresIn               int64          `json:"expires_in"`
	Interval                int            `json:"interval,omitempty"`
	Extra                   map[string]any `json:"-"`
}

func NewDeviceAuthorizeResponse

func NewDeviceAuthorizeResponse() *DeviceAuthorizeResponse

func (*DeviceAuthorizeResponse) AddHeader

func (d *DeviceAuthorizeResponse) AddHeader(key, value string)

func (*DeviceAuthorizeResponse) FromJson

func (d *DeviceAuthorizeResponse) FromJson(r io.Reader) error

func (*DeviceAuthorizeResponse) GetDeviceCode

func (d *DeviceAuthorizeResponse) GetDeviceCode() string

func (*DeviceAuthorizeResponse) GetExpiresIn

func (d *DeviceAuthorizeResponse) GetExpiresIn() int64

GetExpiresIn returns the response's device code and user code lifetime in seconds if set

func (*DeviceAuthorizeResponse) GetExtra

func (d *DeviceAuthorizeResponse) GetExtra(key string) any

func (*DeviceAuthorizeResponse) GetHeader

func (d *DeviceAuthorizeResponse) GetHeader() http.Header

func (*DeviceAuthorizeResponse) GetInterval

func (d *DeviceAuthorizeResponse) GetInterval() int

GetInterval returns the response's polling interval if set

func (*DeviceAuthorizeResponse) GetUserCode

func (d *DeviceAuthorizeResponse) GetUserCode() string

func (*DeviceAuthorizeResponse) GetVerificationURI

func (d *DeviceAuthorizeResponse) GetVerificationURI() string

GetVerificationURI returns the response's verification uri

func (*DeviceAuthorizeResponse) GetVerificationURIComplete

func (d *DeviceAuthorizeResponse) GetVerificationURIComplete() string

GetVerificationURIComplete returns the response's complete verification uri if set

func (*DeviceAuthorizeResponse) SetDeviceCode

func (d *DeviceAuthorizeResponse) SetDeviceCode(code string)

SetDeviceCode returns the response's user code

func (*DeviceAuthorizeResponse) SetExpiresIn

func (d *DeviceAuthorizeResponse) SetExpiresIn(seconds int64)

func (*DeviceAuthorizeResponse) SetExtra

func (d *DeviceAuthorizeResponse) SetExtra(key string, value any)

func (*DeviceAuthorizeResponse) SetInterval

func (d *DeviceAuthorizeResponse) SetInterval(seconds int)

func (*DeviceAuthorizeResponse) SetUserCode

func (d *DeviceAuthorizeResponse) SetUserCode(code string)

func (*DeviceAuthorizeResponse) SetVerificationURI

func (d *DeviceAuthorizeResponse) SetVerificationURI(uri string)

func (*DeviceAuthorizeResponse) SetVerificationURIComplete

func (d *DeviceAuthorizeResponse) SetVerificationURIComplete(uri string)

func (*DeviceAuthorizeResponse) ToMap

func (d *DeviceAuthorizeResponse) ToMap() map[string]any

ToMap converts the response to a map.

type DeviceAuthorizeStatus

type DeviceAuthorizeStatus int
const (
	DeviceAuthorizeStatusNew DeviceAuthorizeStatus = iota
	DeviceAuthorizeStatusApproved
	DeviceAuthorizeStatusDenied
)

type DeviceUserAuthorizeResponder added in v0.1.9

type DeviceUserAuthorizeResponder interface {
	// GetHeader returns the response's header
	GetHeader() (header http.Header)

	// AddHeader adds an header key value pair to the response
	AddHeader(key, value string)

	// GetParameters returns the response's parameters
	GetParameters() (query url.Values)

	// AddParameter adds key value pair to the response
	AddParameter(key, value string)

	// GetStatus returns the device grant user verification status
	GetStatus() (status string)

	// SetStatus sets the device grant user verification status
	SetStatus(status string)

	// SetExtra sets a key value pair for the access response.
	SetExtra(key string, value any)

	// GetExtra returns a key's value.
	GetExtra(key string) (extra any)

	// ToMap converts the response to a map.
	ToMap() (values map[string]any)
}

DeviceUserAuthorizeResponder is device grant user verification endpoint response.

type DisableRefreshTokenValidationProvider

type DisableRefreshTokenValidationProvider interface {
	// GetDisableRefreshTokenValidation returns the disable refresh token validation flag.
	GetDisableRefreshTokenValidation(ctx context.Context) bool
}

DisableRefreshTokenValidationProvider returns the provider for configuring the refresh token validation.

type EnablePKCEPlainChallengeMethodProvider

type EnablePKCEPlainChallengeMethodProvider interface {
	// GetEnablePKCEPlainChallengeMethod returns the enable PKCE plain challenge method.
	GetEnablePKCEPlainChallengeMethod(ctx context.Context) (enable bool)
}

EnablePKCEPlainChallengeMethodProvider returns the provider for configuring the enable PKCE plain challenge method.

type EndpointClientAuthHandler added in v0.1.12

type EndpointClientAuthHandler interface {
	// GetAuthMethod returns the appropriate auth method for this client.
	GetAuthMethod(client AuthenticationMethodClient) string

	// GetAuthSigningAlg returns the appropriate auth signature algorithm for this client.
	GetAuthSigningAlg(client AuthenticationMethodClient) string

	// Name returns the appropriate name for this endpoint for logging purposes.
	Name() string

	// AllowAuthMethodAny returns true if this endpoint client auth handler is allowed to be used for any method if not configured.
	AllowAuthMethodAny() bool
}

EndpointClientAuthHandler is a helper implementation to assist with producing the correct values while using multiple endpoint implementations.

type EnforcePKCEForPublicClientsProvider

type EnforcePKCEForPublicClientsProvider interface {
	// GetEnforcePKCEForPublicClients returns the enforcement of PKCE for public clients.
	GetEnforcePKCEForPublicClients(ctx context.Context) (enforce bool)
}

EnforcePKCEForPublicClientsProvider returns the provider for configuring the enforcement of PKCE for public clients.

type EnforcePKCEProvider

type EnforcePKCEProvider interface {
	// GetEnforcePKCE returns the enforcement of PKCE.
	GetEnforcePKCE(ctx context.Context) (enforce bool)
}

EnforcePKCEProvider returns the provider for configuring the enforcement of PKCE.

type ExtraClaimsSession

type ExtraClaimsSession interface {
	// GetExtraClaims returns a map to store extra claims.
	// The returned value can be modified in-place.
	GetExtraClaims() map[string]any
}

ExtraClaimsSession provides an interface for session to store any extra claims.

type FormPostHTMLTemplateProvider

type FormPostHTMLTemplateProvider interface {
	// GetFormPostHTMLTemplate returns the form post HTML template.
	GetFormPostHTMLTemplate(ctx context.Context) (tmpl *template.Template)
}

FormPostHTMLTemplateProvider returns the provider for configuring the form post HTML template.

type FormPostResponseProvider

type FormPostResponseProvider interface {
	// GetFormPostResponseWriter returns a FormPostResponseWriter which should be utilized for writing the
	// form post response type.
	GetFormPostResponseWriter(ctx context.Context) FormPostResponseWriter
}

FormPostResponseProvider provides a writer interface for writing the form post responses.

type FormPostResponseWriter

type FormPostResponseWriter func(wr io.Writer, template *template.Template, redirectURL string, parameters url.Values)

type Fosite

type Fosite struct {
	Store  Storage
	Config Configurator
}

Fosite implements Provider.

func New

func New(store Storage, config Configurator) *Fosite

func (*Fosite) AuthenticateClient

func (f *Fosite) AuthenticateClient(ctx context.Context, r *http.Request, form url.Values) (client Client, method string, err error)

AuthenticateClient authenticates client requests using the configured strategy returned by the oauth2.Configurator function GetClientAuthenticationStrategy, if nil it uses `oauth2.DefaultClientAuthenticationStrategy`.

func (*Fosite) AuthenticateClientWithAuthHandler added in v0.1.12

func (f *Fosite) AuthenticateClientWithAuthHandler(ctx context.Context, r *http.Request, form url.Values, handler EndpointClientAuthHandler) (client Client, method string, err error)

func (*Fosite) GetMinParameterEntropy

func (f *Fosite) GetMinParameterEntropy(ctx context.Context) int

GetMinParameterEntropy returns MinParameterEntropy if set. Defaults to oauth2.MinParameterEntropy.

func (*Fosite) IntrospectToken

func (f *Fosite) IntrospectToken(ctx context.Context, token string, tokenUse TokenUse, session Session, scopes ...string) (TokenUse, AccessRequester, error)

func (*Fosite) NewAccessRequest

func (f *Fosite) NewAccessRequest(ctx context.Context, r *http.Request, session Session) (AccessRequester, error)

NewAccessRequest Implements

  • https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1 Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server. The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the password. The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password. Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes). The parameters can only be transmitted in the request-body and MUST NOT be included in the request URI.
  • https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1
  • Confidential clients or other clients issued client credentials MUST authenticate with the authorization server as described in Section 2.3 when making requests to the token endpoint.
  • If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.

TODO: Refactor time permitting.

func (*Fosite) NewAccessResponse

func (f *Fosite) NewAccessResponse(ctx context.Context, requester AccessRequester) (AccessResponder, error)

func (*Fosite) NewAuthorizeRequest

func (f *Fosite) NewAuthorizeRequest(ctx context.Context, r *http.Request) (AuthorizeRequester, error)

func (*Fosite) NewAuthorizeResponse

func (f *Fosite) NewAuthorizeResponse(ctx context.Context, requester AuthorizeRequester, session Session) (responder AuthorizeResponder, err error)

func (*Fosite) NewIntrospectionRequest

func (f *Fosite) NewIntrospectionRequest(ctx context.Context, r *http.Request, session Session) (responder IntrospectionResponder, err error)

NewIntrospectionRequest initiates token introspection as defined in https://datatracker.ietf.org/doc/html/rfc7662#section-2.1

The protected resource calls the introspection endpoint using an HTTP POST [RFC7231] request with parameters sent as "application/x-www-form-urlencoded" data as defined in [W3C.REC-html5-20141028]. The protected resource sends a parameter representing the token along with optional parameters representing additional context that is known by the protected resource to aid the authorization server in its response.

* token REQUIRED. The string value of the token. For access tokens, this is the "access_token" value returned from the token endpoint defined in OAuth 2.0 [RFC6749], Section 5.1. For refresh tokens, this is the "refresh_token" value returned from the token endpoint as defined in OAuth 2.0 [RFC6749], Section 5.1. Other token types are outside the scope of this specification.

* token_type_hint OPTIONAL. A hint about the type of the token submitted for introspection. The protected resource MAY pass this parameter to help the authorization server optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. Values for this field are defined in the "OAuth Token Type Hints" registry defined in OAuth Token Revocation [RFC7009].

The introspection endpoint MAY accept other OPTIONAL parameters to provide further context to the query. For instance, an authorization server may desire to know the IP address of the client accessing the protected resource to determine if the correct client is likely to be presenting the token. The definition of this or any other parameters are outside the scope of this specification, to be defined by service documentation or extensions to this specification. If the authorization server is unable to determine the state of the token without additional information, it SHOULD return an introspection response indicating the token is not active as described in Section 2.2.

To prevent token scanning attacks, the endpoint MUST also require some form of authorization to access this endpoint, such as client authentication as described in OAuth 2.0 [RFC6749] or a separate OAuth 2.0 access token such as the bearer token described in OAuth 2.0 Bearer Token Usage [RFC6750]. The methods of managing and validating these authentication credentials are out of scope of this specification.

For example, the following shows a protected resource calling the token introspection endpoint to query about an OAuth 2.0 bearer token. The protected resource is using a separate OAuth 2.0 bearer token to authorize this call.

The following is a non-normative example request:

POST /introspect HTTP/1.1
Host: server.example.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer 23410913-abewfq.123483

token=2YotnFZFEjr1zCsicMWpAA

In this example, the protected resource uses a client identifier and client secret to authenticate itself to the introspection endpoint. The protected resource also sends a token type hint indicating that it is inquiring about an access token.

The following is a non-normative example request:

POST /introspect HTTP/1.1
Host: server.example.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=mF_9.B5f-4.1JqM&token_type_hint=access_token

func (*Fosite) NewPushedAuthorizeRequest

func (f *Fosite) NewPushedAuthorizeRequest(ctx context.Context, r *http.Request) (AuthorizeRequester, error)

NewPushedAuthorizeRequest validates the request and produces an AuthorizeRequester object that can be stored

func (*Fosite) NewPushedAuthorizeResponse

func (f *Fosite) NewPushedAuthorizeResponse(ctx context.Context, requester AuthorizeRequester, session Session) (responder PushedAuthorizeResponder, err error)

NewPushedAuthorizeResponse executes the handlers and builds the response

func (*Fosite) NewRFC8628UserAuthorizeRequest

func (f *Fosite) NewRFC8628UserAuthorizeRequest(ctx context.Context, req *http.Request) (DeviceAuthorizeRequester, error)

func (*Fosite) NewRFC8628UserAuthorizeResponse

func (f *Fosite) NewRFC8628UserAuthorizeResponse(ctx context.Context, requester DeviceAuthorizeRequester, session Session) (DeviceUserAuthorizeResponder, error)

func (*Fosite) NewRFC862DeviceAuthorizeRequest

func (f *Fosite) NewRFC862DeviceAuthorizeRequest(ctx context.Context, req *http.Request) (DeviceAuthorizeRequester, error)

func (*Fosite) NewRFC862DeviceAuthorizeResponse

func (f *Fosite) NewRFC862DeviceAuthorizeResponse(ctx context.Context, r DeviceAuthorizeRequester, session Session) (DeviceAuthorizeResponder, error)

func (*Fosite) NewRevocationRequest

func (f *Fosite) NewRevocationRequest(ctx context.Context, r *http.Request) error

NewRevocationRequest handles incoming token revocation requests and validates various parameters as specified in: https://datatracker.ietf.org/doc/html/rfc7009#section-2.1

The authorization server first validates the client credentials (in case of a confidential client) and then verifies whether the token was issued to the client making the revocation request. If this validation fails, the request is refused and the client is informed of the error by the authorization server as described below.

In the next step, the authorization server invalidates the token. The invalidation takes place immediately, and the token cannot be used again after the revocation.

* https://datatracker.ietf.org/doc/html/rfc7009#section-2.2 An invalid token type hint value is ignored by the authorization server and does not influence the revocation response.

func (*Fosite) ParseResponseMode

func (f *Fosite) ParseResponseMode(ctx context.Context, r *http.Request, request *AuthorizeRequest) error

func (*Fosite) WriteAccessError

func (f *Fosite) WriteAccessError(ctx context.Context, rw http.ResponseWriter, req AccessRequester, err error)

func (*Fosite) WriteAccessResponse

func (f *Fosite) WriteAccessResponse(ctx context.Context, rw http.ResponseWriter, requester AccessRequester, responder AccessResponder)

func (*Fosite) WriteAuthorizeError

func (f *Fosite) WriteAuthorizeError(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, err error)

func (*Fosite) WriteAuthorizeResponse

func (f *Fosite) WriteAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, responder AuthorizeResponder)

func (*Fosite) WriteIntrospectionError

func (f *Fosite) WriteIntrospectionError(ctx context.Context, rw http.ResponseWriter, err error)

WriteIntrospectionError responds with token metadata discovered by token introspection as defined in https://datatracker.ietf.org/doc/html/rfc7662#section-2.2

If the protected resource uses OAuth 2.0 client credentials to authenticate to the introspection endpoint and its credentials are invalid, the authorization server responds with an HTTP 401 (Unauthorized) as described in Section 5.2 of OAuth 2.0 [RFC6749].

If the protected resource uses an OAuth 2.0 bearer token to authorize its call to the introspection endpoint and the token used for authorization does not contain sufficient privileges or is otherwise invalid for this request, the authorization server responds with an HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token Usage [RFC6750].

Note that a properly formed and authorized query for an inactive or otherwise invalid token (or a token the protected resource is not allowed to know about) is not considered an error response by this specification. In these cases, the authorization server MUST instead respond with an introspection response with the "active" field set to "false" as described in Section 2.2.

func (*Fosite) WriteIntrospectionResponse

func (f *Fosite) WriteIntrospectionResponse(ctx context.Context, rw http.ResponseWriter, r IntrospectionResponder)

WriteIntrospectionResponse responds with an error if token introspection failed as defined in https://datatracker.ietf.org/doc/html/rfc7662#section-2.3

The server responds with a JSON object [RFC7159] in "application/ json" format with the following top-level members.

* active REQUIRED. Boolean indicator of whether or not the presented token is currently active. The specifics of a token's "active" state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a "true" value return for the "active" property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time). See Section 4 for information on implementation of such checks.

* scope OPTIONAL. A JSON string containing a space-separated list of scopes associated with this token, in the format described in Section 3.3 of OAuth 2.0 [RFC6749].

* client_id OPTIONAL. Client identifier for the OAuth 2.0 client that requested this token.

* username OPTIONAL. Human-readable identifier for the resource owner who authorized this token.

* token_type OPTIONAL. Type of the token as defined in Section 5.1 of OAuth 2.0 [RFC6749].

* exp OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token will expire, as defined in JWT [RFC7519].

* iat OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token was originally issued, as defined in JWT [RFC7519].

* nbf OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token is not to be used before, as defined in JWT [RFC7519].

* sub OPTIONAL. Subject of the token, as defined in JWT [RFC7519]. Usually a machine-readable identifier of the resource owner who authorized this token.

* aud OPTIONAL. Service-specific string identifier or list of string identifiers representing the intended audience for this token, as defined in JWT [RFC7519].

* iss OPTIONAL. String representing the issuer of this token, as defined in JWT [RFC7519].

* jti OPTIONAL. String identifier for the token, as defined in JWT [RFC7519].

Specific implementations MAY extend this structure with their own service-specific response names as top-level members of this JSON object. Response names intended to be used across domains MUST be registered in the "OAuth Token Introspection Response" registry defined in Section 3.1.

The authorization server MAY respond differently to different protected resources making the same request. For instance, an authorization server MAY limit which scopes from a given token are returned for each protected resource to prevent a protected resource from learning more about the larger network than is necessary for its operation.

The response MAY be cached by the protected resource to improve performance and reduce load on the introspection endpoint, but at the cost of liveness of the information used by the protected resource to make authorization decisions. See Section 4 for more information regarding the trade off when the response is cached.

For example, the following response contains a set of information about an active token:

The following is a non-normative example response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "active": true,
  "client_id": "l238j323ds-23ij4",
  "username": "jdoe",
  "scope": "read write dolphin",
  "sub": "Z5O3upPC88QrAjx00dis",
  "aud": "https://protected.example.net/resource",
  "iss": "https://server.example.com/",
  "exp": 1419356238,
  "iat": 1419350238,
  "extension_field": "twenty-seven"
}

If the introspection call is properly authorized but the token is not active, does not exist on this server, or the protected resource is not allowed to introspect this particular token, then the authorization server MUST return an introspection response with the "active" field set to "false". Note that to avoid disclosing too much of the authorization server's state to a third party, the authorization server SHOULD NOT include any additional information about an inactive token, including why the token is inactive.

The following is a non-normative example response for a token that has been revoked or is otherwise invalid:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "active": false
}

func (*Fosite) WritePushedAuthorizeError

func (f *Fosite) WritePushedAuthorizeError(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, err error)

WritePushedAuthorizeError writes the PAR error

func (*Fosite) WritePushedAuthorizeResponse

func (f *Fosite) WritePushedAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, responder PushedAuthorizeResponder)

WritePushedAuthorizeResponse writes the PAR response

func (*Fosite) WriteRFC8628UserAuthorizeError

func (f *Fosite) WriteRFC8628UserAuthorizeError(ctx context.Context, rw http.ResponseWriter, req DeviceAuthorizeRequester, err error)

func (*Fosite) WriteRFC8628UserAuthorizeResponse

func (f *Fosite) WriteRFC8628UserAuthorizeResponse(_ context.Context, rw http.ResponseWriter, _ DeviceAuthorizeRequester, responder DeviceUserAuthorizeResponder)

func (*Fosite) WriteRFC862DeviceAuthorizeResponse

func (f *Fosite) WriteRFC862DeviceAuthorizeResponse(_ context.Context, rw http.ResponseWriter, _ DeviceAuthorizeRequester, responder DeviceAuthorizeResponder)

func (*Fosite) WriteRevocationResponse

func (f *Fosite) WriteRevocationResponse(ctx context.Context, rw http.ResponseWriter, err error)

WriteRevocationResponse writes a token revocation response as specified in: https://datatracker.ietf.org/doc/html/rfc7009#section-2.2

The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token.

Note: invalid tokens do not cause an error response since the client cannot handle such an error in a reasonable way. Moreover, the purpose of the revocation request, invalidating the particular token, is already achieved.

type G11NContext

type G11NContext interface {
	// GetLang returns the current language in the context
	GetLang() (lang language.Tag)
}

G11NContext is the globalization context

type GetJWTMaxDurationProvider

type GetJWTMaxDurationProvider interface {
	// GetJWTMaxDuration returns the JWT max duration.
	GetJWTMaxDuration(ctx context.Context) (max time.Duration)
}

GetJWTMaxDurationProvider returns the provider for configuring the JWT max duration.

type GlobalSecretProvider

type GlobalSecretProvider interface {
	// GetGlobalSecret returns the global secret.
	GetGlobalSecret(ctx context.Context) (secret []byte, err error)
}

GlobalSecretProvider returns the provider for configuring the global secret.

type GrantType

type GrantType string

type GrantTypeJWTBearerCanSkipClientAuthProvider

type GrantTypeJWTBearerCanSkipClientAuthProvider interface {
	// GetGrantTypeJWTBearerCanSkipClientAuth returns the grant type JWT bearer can skip client auth.
	GetGrantTypeJWTBearerCanSkipClientAuth(ctx context.Context) (permitted bool)
}

GrantTypeJWTBearerCanSkipClientAuthProvider returns the provider for configuring the grant type JWT bearer can skip client auth.

type GrantTypeJWTBearerIDOptionalProvider

type GrantTypeJWTBearerIDOptionalProvider interface {
	// GetGrantTypeJWTBearerIDOptional returns the grant type JWT bearer ID optional.
	GetGrantTypeJWTBearerIDOptional(ctx context.Context) (optional bool)
}

GrantTypeJWTBearerIDOptionalProvider returns the provider for configuring the grant type JWT bearer ID optional.

type GrantTypeJWTBearerIssuedDateOptionalProvider

type GrantTypeJWTBearerIssuedDateOptionalProvider interface {
	// GetGrantTypeJWTBearerIssuedDateOptional returns the grant type JWT bearer issued date optional.
	GetGrantTypeJWTBearerIssuedDateOptional(ctx context.Context) (optional bool)
}

GrantTypeJWTBearerIssuedDateOptionalProvider returns the provider for configuring the grant type JWT bearer issued date optional.

type HMACHashingProvider

type HMACHashingProvider interface {
	// GetHMACHasher returns the hash function.
	GetHMACHasher(ctx context.Context) func() (hasher hash.Hash)
}

HMACHashingProvider returns the provider for configuring the hash function.

type HTTPClientProvider

type HTTPClientProvider interface {
	// GetHTTPClient returns the HTTP client provider.
	GetHTTPClient(ctx context.Context) (client *retryablehttp.Client)
}

HTTPClientProvider returns the provider for configuring the HTTP client.

type IDTokenClient added in v0.1.15

type IDTokenClient interface {
	// GetIDTokenSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements of the ID
	// Token specifications. If unspecified the other available parameters will be utilized to select an appropriate
	// key.
	GetIDTokenSignedResponseKeyID() (kid string)

	// GetIDTokenSignedResponseAlg is equivalent to the 'id_token_signed_response_alg' client metadata value which
	// determines the JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The value none
	// MUST NOT be used as the ID Token alg value unless the Client uses only Response Types that return no ID Token
	// from the Authorization Endpoint (such as when only using the Authorization Code Flow). The default, if omitted,
	// is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the
	// jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery].
	GetIDTokenSignedResponseAlg() (alg string)

	// GetIDTokenEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements of the ID
	// Token specifications. If unspecified the other available parameters will be utilized to select an appropriate
	// key.
	GetIDTokenEncryptedResponseKeyID() (kid string)

	// GetIDTokenEncryptedResponseAlg is equivalent to the 'id_token_encrypted_response_alg' client metadata value which
	// determines the JWE alg algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If this is
	// requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT].
	// The default, if omitted, is that no encryption is performed.
	GetIDTokenEncryptedResponseAlg() (alg string)

	// GetIDTokenEncryptedResponseEnc is equivalent to the 'id_token_encrypted_response_enc' client metadata value which
	// determines the JWE enc algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If
	// id_token_encrypted_response_alg is specified, the default id_token_encrypted_response_enc value is A128CBC-HS256.
	// When id_token_encrypted_response_enc is included, id_token_encrypted_response_alg MUST also be provided.
	GetIDTokenEncryptedResponseEnc() (enc string)

	JSONWebKeysClient
}

IDTokenClient is a client which can satisfy all JWS and JWE requirements of the ID Token responses.

type IDTokenIssuerProvider

type IDTokenIssuerProvider interface {
	// GetIDTokenIssuer returns the ID token issuer.
	GetIDTokenIssuer(ctx context.Context) (issuer string)
}

IDTokenIssuerProvider returns the provider for configuring the ID token issuer.

type IDTokenLifespanProvider

type IDTokenLifespanProvider interface {
	// GetIDTokenLifespan returns the ID token lifespan.
	GetIDTokenLifespan(ctx context.Context) time.Duration
}

IDTokenLifespanProvider returns the provider for configuring the ID token lifespan.

type IntrospectionEndpointClientAuthHandler added in v0.1.12

type IntrospectionEndpointClientAuthHandler struct{}

func (*IntrospectionEndpointClientAuthHandler) AllowAuthMethodAny added in v0.1.12

func (h *IntrospectionEndpointClientAuthHandler) AllowAuthMethodAny() bool

func (*IntrospectionEndpointClientAuthHandler) GetAuthMethod added in v0.1.12

func (*IntrospectionEndpointClientAuthHandler) GetAuthSigningAlg added in v0.1.12

func (*IntrospectionEndpointClientAuthHandler) Name added in v0.1.12

type IntrospectionIssuerProvider added in v0.1.4

type IntrospectionIssuerProvider interface {
	// GetIntrospectionIssuer returns the Introspection token issuer.
	GetIntrospectionIssuer(ctx context.Context) (issuer string)
}

IntrospectionIssuerProvider returns the provider for configuring the Introspection issuer.

type IntrospectionJWTResponseClient added in v0.1.4

type IntrospectionJWTResponseClient interface {
	// GetIntrospectionSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements for
	// OAuth 2.0 JWT introspection response specifications. If unspecified the other available parameters will be
	//	// utilized to select an appropriate key.
	GetIntrospectionSignedResponseKeyID() (kid string)

	// GetIntrospectionSignedResponseAlg is equivalent to the 'introspection_signed_response_alg' client metadata
	// value which determines the JWS [RFC7515] algorithm (alg value) as defined in JWA [RFC7518] for signing
	// introspection responses. If this is specified, the response will be signed using JWS and the configured
	// algorithm. The default, if omitted, is RS256.
	GetIntrospectionSignedResponseAlg() (alg string)

	// GetIntrospectionEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements for
	// OAuth 2.0 JWT introspection response specifications. If unspecified the other available parameters will be
	//	// utilized to select an appropriate key.
	GetIntrospectionEncryptedResponseKeyID() (kid string)

	// GetIntrospectionEncryptedResponseAlg is equivalent to the 'introspection_encrypted_response_alg' client metadata
	// value which determines the JWE [RFC7516] algorithm (alg value) as defined in JWA [RFC7518] for content key
	// encryption. If this is specified, the response will be encrypted using JWE and the configured content encryption
	// algorithm (introspection_encrypted_response_enc). The default, if omitted, is that no encryption is performed.
	// If both signing and encryption are requested, the response will be signed then encrypted, with the result being
	// a Nested JWT, as defined in JWT [RFC7519].
	GetIntrospectionEncryptedResponseAlg() (alg string)

	// GetIntrospectionEncryptedResponseEnc is equivalent to the 'introspection_encrypted_response_enc' client metadata
	// value which determines the  JWE [RFC7516] algorithm (enc value) as defined in JWA [RFC7518] for content
	// encryption of introspection responses. The default, if omitted, is A128CBC-HS256. Note: This parameter MUST NOT
	// be specified without setting introspection_encrypted_response_alg.
	GetIntrospectionEncryptedResponseEnc() (enc string)

	Client
}

IntrospectionJWTResponseClient is a client which can potentially sign Introspection responses.

See: https://www.ietf.org/id/draft-ietf-oauth-jwt-introspection-response-12.html

type IntrospectionJWTResponseSignerProvider added in v0.1.4

type IntrospectionJWTResponseSignerProvider interface {
	// GetIntrospectionJWTResponseSigner returns the Introspection JWT signer.
	GetIntrospectionJWTResponseSigner(ctx context.Context) jwt.Signer
}

IntrospectionJWTResponseSignerProvider returns the provider for configuring the Introspection signer.

type IntrospectionResponder

type IntrospectionResponder interface {
	// IsActive returns true if the introspected token is active and false otherwise.
	IsActive() (active bool)

	// GetAccessRequester returns the AccessRequester which returns nil when IsActive() is false and the original access request object otherwise.
	GetAccessRequester() (requester AccessRequester)

	// GetTokenUse optionally returns the type of the token that was introspected. This could be "access_token", "refresh_token",
	// or if the type can not be determined an empty string.
	GetTokenUse() (tokenUse TokenUse)

	// GetAccessTokenType optionally returns the type of the access token that was introspected. This could be "bearer", "mac",
	// or empty string if the type of the token is refresh token.
	GetAccessTokenType() (tokenType string)

	// ToMap returns the audience values for this introspection for use with signed introspection responses, and map
	// values for this introspection regardless of what kind of introspection response.
	ToMap() (audience []string, introspection map[string]any)
}

IntrospectionResponder is the response object that will be returned when token introspection was successful, for example when the client is allowed to perform token introspection. Refer to https://datatracker.ietf.org/doc/html/rfc7662#section-2.2 for more details.

type IntrospectionResponse

type IntrospectionResponse struct {
	Client          Client          `json:"-"`
	Active          bool            `json:"active"`
	AccessRequester AccessRequester `json:"extra"`
	TokenUse        TokenUse        `json:"token_use,omitempty"`
	AccessTokenType string          `json:"token_type,omitempty"`
	Lang            language.Tag    `json:"-"`
}

func (*IntrospectionResponse) GetAccessRequester

func (r *IntrospectionResponse) GetAccessRequester() AccessRequester

func (*IntrospectionResponse) GetAccessTokenType

func (r *IntrospectionResponse) GetAccessTokenType() string

func (*IntrospectionResponse) GetClient

func (r *IntrospectionResponse) GetClient() Client

GetClient returns the client related to the introspected token.

func (*IntrospectionResponse) GetTokenUse

func (r *IntrospectionResponse) GetTokenUse() TokenUse

func (*IntrospectionResponse) IsActive

func (r *IntrospectionResponse) IsActive() bool

func (*IntrospectionResponse) ToMap

func (r *IntrospectionResponse) ToMap() (audience []string, introspection map[string]any)

type JARClient added in v0.1.15

type JARClient interface {
	// GetRequestObjectSigningKeyID returns the specific key identifier used to satisfy JWS requirements of the request
	// object specifications. If unspecified the other available parameters will be utilized to select an appropriate
	// key.
	GetRequestObjectSigningKeyID() (kid string)

	// GetRequestObjectSigningAlg is equivalent to the 'request_object_signing_alg' client metadata
	// value which determines the JWS alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP.
	// All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are
	// described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the
	// Request Object is passed by value (using the request parameter) and when it is passed by reference (using the
	// request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is
	// that any algorithm supported by the OP and the RP MAY be used.
	GetRequestObjectSigningAlg() (alg string)

	// GetRequestObjectEncryptionKeyID returns the specific key identifier used to satisfy JWE requirements of the
	// request object specifications. If unspecified the other available parameters will be utilized to select an
	// appropriate key.
	GetRequestObjectEncryptionKeyID() (kid string)

	// GetRequestObjectEncryptionAlg is equivalent to the 'request_object_encryption_alg' client metadata value which
	// determines the JWE alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to
	// the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP
	// that a client_secret value needs to be returned from which the symmetric key will be derived, that might not
	// otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request
	// Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object
	// will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted,
	// is that the RP is not declaring whether it might encrypt any Request Objects.
	GetRequestObjectEncryptionAlg() (alg string)

	// GetRequestObjectEncryptionEnc is equivalent to the 'request_object_encryption_enc' client metadata value which
	// determines the JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to
	// the OP. If request_object_encryption_alg is specified, the default request_object_encryption_enc value is
	// A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be
	// provided.
	GetRequestObjectEncryptionEnc() (enc string)

	// GetRequestURIs is an array of request_uri values that are pre-registered by the RP for use at the OP. Servers MAY
	// cache the contents of the files referenced by these URIs and not retrieve them at the time they are used in a request.
	// OPs can require that request_uri values used be pre-registered with the require_request_uri_registration
	// discovery parameter.
	GetRequestURIs() (requestURIs []string)

	JSONWebKeysClient
}

JARClient represents a client capable of performing OpenID Connect requests.

See: https://www.rfc-editor.org/rfc/rfc9101

type JARMClient

type JARMClient interface {
	// GetAuthorizationSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements of the
	// JWT-secured Authorization Response Method (JARM) specifications. If unspecified the other available parameters
	// will be utilized to select an appropriate key.
	GetAuthorizationSignedResponseKeyID() (kid string)

	// GetAuthorizationSignedResponseAlg is equivalent to the 'authorization_signed_response_alg' client metadata
	// value which determines the JWS [RFC7515] alg algorithm JWA [RFC7518] REQUIRED for signing authorization
	// responses. If this is specified, the response will be signed using JWS and the configured algorithm. The
	// algorithm none is not allowed. The default, if omitted, is RS256.
	GetAuthorizationSignedResponseAlg() (alg string)

	// GetAuthorizationEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements of
	// the JWT-secured Authorization Response Method (JARM) specifications. If unspecified the other available parameters will be
	// utilized to select an appropriate key.
	GetAuthorizationEncryptedResponseKeyID() (kid string)

	// GetAuthorizationEncryptedResponseAlg is equivalent to the 'authorization_encrypted_response_alg' client metadata
	// value which determines the JWE [RFC7516] alg algorithm JWA [RFC7518] REQUIRED for encrypting authorization
	// responses. If both signing and encryption are requested, the response will be signed then encrypted, with the
	// result being a Nested JWT, as defined in JWT [RFC7519]. The default, if omitted, is that no encryption is
	// performed.
	GetAuthorizationEncryptedResponseAlg() (alg string)

	// GetAuthorizationEncryptedResponseEnc is equivalent to the 'authorization_encrypted_response_enc' client
	// metadata value which determines the JWE [RFC7516] enc algorithm JWA [RFC7518] REQUIRED for encrypting
	// authorization responses. If authorization_encrypted_response_alg is specified, the default for this value is
	// A128CBC-HS256. When authorization_encrypted_response_enc is included, authorization_encrypted_response_alg MUST
	// also be provided.
	GetAuthorizationEncryptedResponseEnc() (alg string)

	Client
}

JARMClient is a client which supports JARM.

See: https://openid.net/specs/oauth-v2-jarm.html

type JSONWebKeysClient added in v0.1.11

type JSONWebKeysClient interface {
	// GetJSONWebKeys returns the JSON Web Key Set containing the public key used by the client to authenticate.
	GetJSONWebKeys() (jwks *jose.JSONWebKeySet)

	// GetJSONWebKeysURI returns the URL for lookup of JSON Web Key Set containing the
	// public key used by the client to authenticate.
	GetJSONWebKeysURI() (uri string)

	Client
}

JSONWebKeysClient is a client base which includes a JSON Web Key Set registration.

type JWKSFetcherStrategy

type JWKSFetcherStrategy interface {
	// Resolve returns the JSON Web Key Set, or an error if something went wrong. The forceRefresh, if true, forces
	// the strategy to fetch the key from the remote. If forceRefresh is false, the strategy may use a caching strategy
	// to fetch the key.
	Resolve(ctx context.Context, location string, ignoreCache bool) (*jose.JSONWebKeySet, error)
}

JWKSFetcherStrategy is a strategy which pulls (optionally caches) JSON Web Key Sets from a location, typically a client's jwks_uri.

func NewDefaultJWKSFetcherStrategy

func NewDefaultJWKSFetcherStrategy(opts ...func(*DefaultJWKSFetcherStrategy)) JWKSFetcherStrategy

NewDefaultJWKSFetcherStrategy returns a new instance of the DefaultJWKSFetcherStrategy.

type JWKSFetcherStrategyProvider

type JWKSFetcherStrategyProvider interface {
	// GetJWKSFetcherStrategy returns the JWKS fetcher strategy.
	GetJWKSFetcherStrategy(ctx context.Context) (strategy JWKSFetcherStrategy)
}

JWKSFetcherStrategyProvider returns the provider for configuring the JWKS fetcher strategy.

type JWTProfileAccessTokensProvider

type JWTProfileAccessTokensProvider interface {
	// GetEnforceJWTProfileAccessTokens when returning true will disregard the registered client capabilities for
	// Access Token generation and produce only JWT Profile Access Tokens.
	GetEnforceJWTProfileAccessTokens(ctx context.Context) (enable bool)
}

JWTProfileAccessTokensProvider provides configuration options to the JWT Profile strategies.

type JWTProfileClient

type JWTProfileClient interface {
	// GetAccessTokenSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements for
	// JWT Profile for OAuth 2.0 Access Tokens specifications. If unspecified the other available parameters will be
	// utilized to select an appropriate key.
	GetAccessTokenSignedResponseKeyID() (kid string)

	// GetAccessTokenSignedResponseAlg determines the JWS [RFC7515] algorithm (alg value) as defined in JWA [RFC7518]
	// for signing JWT Profile Access Token responses. If this is specified, the response will be signed using JWS and
	// the configured algorithm. The default, if omitted, is none; i.e. unsigned responses unless the
	// GetEnableJWTProfileOAuthAccessTokens receiver returns true in which case the default is RS256.
	GetAccessTokenSignedResponseAlg() (alg string)

	// GetAccessTokenEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements for
	// JWT Profile for OAuth 2.0 Access Tokens specifications. If unspecified the other available parameters will be
	// utilized to select an appropriate key.
	GetAccessTokenEncryptedResponseKeyID() (kid string)

	// GetAccessTokenEncryptedResponseAlg determines the JWE [RFC7516] algorithm (alg value) as defined in JWA [RFC7518]
	// for content key encryption. If this is specified, the response will be encrypted using JWE and the configured
	// content encryption algorithm (access_token_encrypted_response_enc). The default, if omitted, is that no
	// encryption is performed. If both signing and encryption are requested, the response will be signed then
	// encrypted, with the result being a Nested JWT, as defined in JWT [RFC7519].
	GetAccessTokenEncryptedResponseAlg() (alg string)

	// GetAccessTokenEncryptedResponseEnc determines the JWE [RFC7516] algorithm (enc value) as defined in JWA [RFC7518]
	// for content encryption of access token responses. The default, if omitted, is A128CBC-HS256. Note: This parameter
	// MUST NOT be specified without setting access_token_encrypted_response_alg.
	GetAccessTokenEncryptedResponseEnc() (alg string)

	// GetEnableJWTProfileOAuthAccessTokens indicates this client should or should not issue JWT Profile Access Tokens.
	GetEnableJWTProfileOAuthAccessTokens() (enforce bool)

	Client
}

JWTProfileClient represents a client with can handle RFC9068 responses; i.e. the JWT Profile for OAuth 2.0 Access Tokens.

type JWTScopeFieldProvider

type JWTScopeFieldProvider interface {
	// GetJWTScopeField returns the JWT scope field.
	GetJWTScopeField(ctx context.Context) jwt.JWTScopeFieldEnum
}

JWTScopeFieldProvider returns the provider for configuring the JWT scope field.

type JWTSecuredAuthorizeResponseModeIssuerProvider

type JWTSecuredAuthorizeResponseModeIssuerProvider interface {
	// GetJWTSecuredAuthorizeResponseModeIssuer returns the JARM issuer.
	GetJWTSecuredAuthorizeResponseModeIssuer(ctx context.Context) string
}

JWTSecuredAuthorizeResponseModeIssuerProvider returns the provider for configuring the JARM issuer.

type JWTSecuredAuthorizeResponseModeLifespanProvider

type JWTSecuredAuthorizeResponseModeLifespanProvider interface {
	GetJWTSecuredAuthorizeResponseModeLifespan(ctx context.Context) time.Duration
}

JWTSecuredAuthorizeResponseModeLifespanProvider returns the provider for configuring the JWT Secured Authorize Response Mode token lifespan.

type JWTSecuredAuthorizeResponseModeSignerProvider

type JWTSecuredAuthorizeResponseModeSignerProvider interface {
	// GetJWTSecuredAuthorizeResponseModeSigner returns the JARM signer.
	GetJWTSecuredAuthorizeResponseModeSigner(ctx context.Context) jwt.Signer
}

JWTSecuredAuthorizeResponseModeSignerProvider returns the provider for configuring the JARM signer.

type MessageCatalogProvider

type MessageCatalogProvider interface {
	// GetMessageCatalog returns the message catalog.
	GetMessageCatalog(ctx context.Context) (catalog i18n.MessageCatalog)
}

MessageCatalogProvider returns the provider for configuring the message catalog.

type MinParameterEntropyProvider

type MinParameterEntropyProvider interface {
	// GetMinParameterEntropy returns the minimum parameter entropy.
	GetMinParameterEntropy(_ context.Context) (min int)
}

MinParameterEntropyProvider returns the provider for configuring the minimum parameter entropy.

type OmitRedirectScopeParamProvider

type OmitRedirectScopeParamProvider interface {
	// GetOmitRedirectScopeParam must be set to true if the scope query param is to be omitted
	// in the authorization's redirect URI
	GetOmitRedirectScopeParam(ctx context.Context) (omit bool)
}

OmitRedirectScopeParamProvider returns the provider for configuring the omit redirect scope param.

type PARStorage

type PARStorage interface {
	// CreatePARSession stores the pushed authorization request context. The requestURI is used to derive the key.
	CreatePARSession(ctx context.Context, requestURI string, request AuthorizeRequester) error
	// GetPARSession gets the push authorization request context. The caller is expected to merge the AuthorizeRequest.
	GetPARSession(ctx context.Context, requestURI string) (AuthorizeRequester, error)
	// DeletePARSession deletes the context.
	DeletePARSession(ctx context.Context, requestURI string) (err error)
}

PARStorage holds information needed to store and retrieve PAR context.

type PrivateKey

type PrivateKey interface {
	Public() crypto.PublicKey
	Equal(x crypto.PrivateKey) bool
}

PrivateKey properly describes crypto.PrivateKey.

type ProofKeyCodeExchangeClient

type ProofKeyCodeExchangeClient interface {
	GetEnforcePKCE() (enforce bool)
	GetEnforcePKCEChallengeMethod() (enforce bool)
	GetPKCEChallengeMethod() (method string)

	Client
}

ProofKeyCodeExchangeClient is a Client implementation which provides PKCE client policy values.

type Provider

type Provider interface {
	// NewAuthorizeRequest returns an AuthorizeRequest.
	//
	// The following specs must be considered in any implementation of this method:
	// * https://datatracker.ietf.org/doc/html/rfc6749#section-3.1
	//	 Extension response types MAY contain a space-delimited (%x20) list of
	//	 values, where the order of values does not matter (e.g., response
	//	 type "a b" is the same as "b a").  The meaning of such composite
	//	 response types is defined by their respective specifications.
	// * https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2
	//   The redirection endpoint URI MUST be an absolute URI as defined by
	//   [RFC3986] Section 4.3.  The endpoint URI MAY include an
	//   "application/x-www-form-urlencoded" formatted (per Appendix B) query
	//   component ([RFC3986] Section 3.4), which MUST be retained when adding
	//   additional query parameters.  The endpoint URI MUST NOT include a
	//   fragment component.
	// * https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.2 (everything MUST be implemented)
	NewAuthorizeRequest(ctx context.Context, r *http.Request) (requester AuthorizeRequester, err error)

	// NewAuthorizeResponse iterates through all response type handlers and returns their result or
	// ErrUnsupportedResponseType if none of the handlers were able to handle it.
	//
	// The following specs must be considered in any implementation of this method:
	// * https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.1
	//	 Extension response types MAY contain a space-delimited (%x20) list of
	//	 values, where the order of values does not matter (e.g., response
	//	 type "a b" is the same as "b a").  The meaning of such composite
	//	 response types is defined by their respective specifications.
	//	 If an authorization request is missing the "response_type" parameter,
	//	 or if the response type is not understood, the authorization server
	//	 MUST return an error response as described in Section 4.1.2.1.
	NewAuthorizeResponse(ctx context.Context, requester AuthorizeRequester, session Session) (responder AuthorizeResponder, err error)

	// WriteAuthorizeError returns the error codes to the redirection endpoint or shows the error to the user, if no valid
	// redirect uri was given. Implements rfc6749#section-4.1.2.1
	//
	// The following specs must be considered in any implementation of this method:
	// * https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2
	//   The redirection endpoint URI MUST be an absolute URI as defined by
	//   [RFC3986] Section 4.3.  The endpoint URI MAY include an
	//   "application/x-www-form-urlencoded" formatted (per Appendix B) query
	//   component ([RFC3986] Section 3.4), which MUST be retained when adding
	//   additional query parameters.  The endpoint URI MUST NOT include a
	//   fragment component.
	// * https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1 (everything)
	// * https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.2 (everything MUST be implemented)
	WriteAuthorizeError(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, err error)

	// WriteAuthorizeResponse persists the AuthorizeSession in the store and redirects the user agent to the provided
	// redirect url or returns an error if storage failed.
	//
	// The following specs must be considered in any implementation of this method:
	// * https://datatracker.ietf.org/doc/html/rfc6749#rfc6749#section-4.1.2.1
	//   After completing its interaction with the resource owner, the
	//   authorization server directs the resource owner's user-agent back to
	//   the client.  The authorization server redirects the user-agent to the
	//   client's redirection endpoint previously established with the
	//   authorization server during the client registration process or when
	//   making the authorization request.
	// * https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.2 (everything MUST be implemented)
	WriteAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, responder AuthorizeResponder)

	// NewAccessRequest creates a new access request object and validates
	// various parameters.
	//
	// The following specs must be considered in any implementation of this method:
	// * https://datatracker.ietf.org/doc/html/rfc6749#section-3.2 (everything)
	// * https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1 (everything)
	//
	// Furthermore the registered handlers should implement their specs accordingly.
	NewAccessRequest(ctx context.Context, r *http.Request, session Session) (requester AccessRequester, err error)

	// NewAccessResponse creates a new access response and validates that access_token and token_type are set.
	//
	// The following specs must be considered in any implementation of this method:
	// https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
	NewAccessResponse(ctx context.Context, requester AccessRequester) (responder AccessResponder, err error)

	// WriteAccessError writes an access request error response.
	//
	// The following specs must be considered in any implementation of this method:
	// * https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 (everything)
	WriteAccessError(ctx context.Context, rw http.ResponseWriter, requester AccessRequester, err error)

	// WriteAccessResponse writes the access response.
	//
	// The following specs must be considered in any implementation of this method:
	// https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
	WriteAccessResponse(ctx context.Context, rw http.ResponseWriter, requester AccessRequester, responder AccessResponder)

	// NewRevocationRequest handles incoming token revocation requests and validates various parameters.
	//
	// The following specs must be considered in any implementation of this method:
	// https://datatracker.ietf.org/doc/html/rfc7009#section-2.1
	NewRevocationRequest(ctx context.Context, r *http.Request) (err error)

	// WriteRevocationResponse writes the revoke response.
	//
	// The following specs must be considered in any implementation of this method:
	// https://datatracker.ietf.org/doc/html/rfc7009#section-2.2
	WriteRevocationResponse(ctx context.Context, rw http.ResponseWriter, err error)

	// IntrospectToken returns token metadata, if the token is valid. Tokens generated by the authorization endpoint,
	// such as the authorization code, can not be introspected.
	IntrospectToken(ctx context.Context, token string, tokenUse TokenUse, session Session, scope ...string) (actualTokenUse TokenUse, requester AccessRequester, err error)

	// NewIntrospectionRequest initiates token introspection as defined in
	//https://datatracker.ietf.org/doc/html/rfc7662#section-2.1
	NewIntrospectionRequest(ctx context.Context, r *http.Request, session Session) (responder IntrospectionResponder, err error)

	// WriteIntrospectionError responds with an error if token introspection failed as defined in
	//https://datatracker.ietf.org/doc/html/rfc7662#section-2.3
	WriteIntrospectionError(ctx context.Context, rw http.ResponseWriter, err error)

	// WriteIntrospectionResponse responds with token metadata discovered by token introspection as defined in
	//https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
	WriteIntrospectionResponse(ctx context.Context, rw http.ResponseWriter, r IntrospectionResponder)

	// NewPushedAuthorizeRequest validates the request and produces an AuthorizeRequester object that can be stored
	NewPushedAuthorizeRequest(ctx context.Context, r *http.Request) (requester AuthorizeRequester, err error)

	// NewPushedAuthorizeResponse executes the handlers and builds the response
	NewPushedAuthorizeResponse(ctx context.Context, requester AuthorizeRequester, session Session) (responder PushedAuthorizeResponder, err error)

	// WritePushedAuthorizeResponse writes the PAR response
	WritePushedAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, responder PushedAuthorizeResponder)

	// WritePushedAuthorizeError writes the PAR error
	WritePushedAuthorizeError(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, err error)

	// NewRFC862DeviceAuthorizeRequest validate the OAuth 2.0 Device Authorization Flow Request
	//
	// The following specs must be considered in any implementation of this method:
	// * https://www.rfc-editor.org/rfc/rfc8628#section-3.1 (everything MUST be implemented)
	// Parameters sent without a value MUST be treated as if they were
	// omitted from the request.  The authorization server MUST ignore
	// unrecognized request parameters.  Request and response parameters
	// MUST NOT be included more than once.
	NewRFC862DeviceAuthorizeRequest(ctx context.Context, req *http.Request) (requester DeviceAuthorizeRequester, err error)

	// NewRFC862DeviceAuthorizeResponse persists the DeviceCodeSession and UserCodeSession in the store
	//
	// The following specs must be considered in any implementation of this method:
	// * https://www.rfc-editor.org/rfc/rfc8628#section-3.2 (everything MUST be implemented)
	// In response, the authorization server generates a unique device
	// verification code and an end-user code that are valid for a limited
	// time
	NewRFC862DeviceAuthorizeResponse(ctx context.Context, requester DeviceAuthorizeRequester, session Session) (responder DeviceAuthorizeResponder, err error)

	// WriteRFC862DeviceAuthorizeResponse return to the user both codes and
	// some configuration information in a JSON formatted manner
	//
	// The following specs must be considered in any implementation of this method:
	// * https://www.rfc-editor.org/rfc/rfc8628#section-3.2 (everything MUST be implemented)
	// Response is a HTTP response body using the
	// "application/json" format [RFC8259] with a 200 (OK) status code.
	WriteRFC862DeviceAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester DeviceAuthorizeRequester, responder DeviceAuthorizeResponder)

	// WriteRFC8628UserAuthorizeResponse returns the device grant user verification result in a JSON formatted manner.
	//
	// The following specs must be considered in any implementation of this method:
	// * https://www.rfc-editor.org/rfc/rfc8628#section-3.3 (everything MUST be implemented)
	// Response is a HTTP response body using the
	// "application/json" format [RFC8259] with a 200 (OK) status code.
	WriteRFC8628UserAuthorizeResponse(cxt context.Context, rw http.ResponseWriter, requester DeviceAuthorizeRequester, responder DeviceUserAuthorizeResponder)

	// WriteRFC8628UserAuthorizeError returns the device grant user verification error in a JSON formatted manner.
	//
	// The following specs must be considered in any implementation of this method:
	// * https://www.rfc-editor.org/rfc/rfc8628#section-3.3 (everything MUST be implemented)
	// Response is a HTTP response body using the
	// "application/json" format [RFC8259] with a 200 (OK) status code.
	WriteRFC8628UserAuthorizeError(_ context.Context, rw http.ResponseWriter, requester DeviceAuthorizeRequester, err error)

	// NewRFC8628UserAuthorizeRequest validate the OAuth 2.0 Device Authorization Flow - User interaction Request
	//
	// The following specs must be considered in any implementation of this method:
	// * https://www.rfc-editor.org/rfc/rfc8628#section-3.3 (everything MUST be implemented)
	// Parameters sent without a value MUST be treated as if they were
	// omitted from the request. The authorization server MUST ignore
	// unrecognized request parameters. Request and response parameters
	// MUST NOT be included more than once.
	NewRFC8628UserAuthorizeRequest(ctx context.Context, req *http.Request) (requester DeviceAuthorizeRequester, err error)

	// NewRFC8628UserAuthorizeResponse persists the DeviceCodeSession and UserCodeSession in the store
	//
	// The following specs must be considered in any implementation of this method:
	// * https://www.rfc-editor.org/rfc/rfc8628#section-3.2 (everything MUST be implemented)
	// In response, the authorization server generates a unique device
	// verification code and an end-user code that are valid for a limited
	// time
	NewRFC8628UserAuthorizeResponse(ctx context.Context, requester DeviceAuthorizeRequester, session Session) (responder DeviceUserAuthorizeResponder, err error)
}

Provider is an interface that enables you to write OAuth2 handlers with only a few lines of code. Check Fosite for an implementation of this interface.

type PushedAuthorizationRequestClient

type PushedAuthorizationRequestClient interface {
	// GetRequirePushedAuthorizationRequests should return true if this client MUST use a Pushed Authorization Request.
	GetRequirePushedAuthorizationRequests() (require bool)

	// GetPushedAuthorizeContextLifespan should return a custom lifespan or a duration of 0 seconds to utilize the
	// global lifespan.
	GetPushedAuthorizeContextLifespan() (lifespan time.Duration)

	Client
}

PushedAuthorizationRequestClient is a client with custom requirements for Pushed Authorization requests.

type PushedAuthorizeEndpointHandler

type PushedAuthorizeEndpointHandler interface {
	// HandlePushedAuthorizeEndpointRequest handles a pushed authorize endpoint request. To extend the handler's capabilities, the http request
	// is passed along, if further information retrieval is required. If the handler feels that he is not responsible for
	// the pushed authorize request, he must return nil and NOT modify session nor responder neither requester.
	HandlePushedAuthorizeEndpointRequest(ctx context.Context, requester AuthorizeRequester, responder PushedAuthorizeResponder) error
}

PushedAuthorizeEndpointHandler is the interface that handles PAR (https://datatracker.ietf.org/doc/html/rfc9126)

type PushedAuthorizeEndpointHandlers

type PushedAuthorizeEndpointHandlers []PushedAuthorizeEndpointHandler

PushedAuthorizeEndpointHandlers is a list of PushedAuthorizeEndpointHandler

func (*PushedAuthorizeEndpointHandlers) Append

Append adds an AuthorizeEndpointHandler to this list. Ignores duplicates based on reflect.TypeOf.

type PushedAuthorizeRequestConfigProvider

type PushedAuthorizeRequestConfigProvider interface {
	// GetPushedAuthorizeRequestURIPrefix is the request URI prefix. This is
	// usually 'urn:ietf:params:oauth:request_uri:'.
	GetPushedAuthorizeRequestURIPrefix(ctx context.Context) (prefix string)

	// GetPushedAuthorizeContextLifespan is the lifespan of the short-lived PAR context.
	GetPushedAuthorizeContextLifespan(ctx context.Context) (lifespan time.Duration)

	// GetRequirePushedAuthorizationRequests indicates if the use of Pushed Authorization Requests is gobally required.
	// In this mode, a client cannot pass authorize parameters at the 'authorize' endpoint. The 'authorize' endpoint
	// must contain the PAR request_uri.
	GetRequirePushedAuthorizationRequests(ctx context.Context) (enforce bool)
}

PushedAuthorizeRequestConfigProvider is the configuration provider for pushed authorization request.

type PushedAuthorizeRequestHandlersProvider

type PushedAuthorizeRequestHandlersProvider interface {
	// GetPushedAuthorizeEndpointHandlers returns the handlers.
	GetPushedAuthorizeEndpointHandlers(ctx context.Context) (handlers PushedAuthorizeEndpointHandlers)
}

PushedAuthorizeRequestHandlersProvider returns the provider for configuring the PAR handlers.

type PushedAuthorizeResponder

type PushedAuthorizeResponder interface {
	// GetRequestURI returns the request_uri
	GetRequestURI() (uri string)

	// SetRequestURI sets the request_uri
	SetRequestURI(requestURI string)

	// GetExpiresIn gets the expires_in
	GetExpiresIn() (expires int)

	// SetExpiresIn sets the expires_in
	SetExpiresIn(seconds int)

	// GetHeader returns the response's header
	GetHeader() (header http.Header)

	// AddHeader adds a header key value pair to the response
	AddHeader(key, value string)

	// SetExtra sets a key value pair for the response.
	SetExtra(key string, value any)

	// GetExtra returns a key's value.
	GetExtra(key string) (extra any)

	// ToMap converts the response to a map.
	ToMap() (values map[string]any)
}

PushedAuthorizeResponder is the response object for PAR

type PushedAuthorizeResponse

type PushedAuthorizeResponse struct {
	RequestURI string `json:"request_uri"`
	ExpiresIn  int    `json:"expires_in"`
	Header     http.Header
	Extra      map[string]any
}

PushedAuthorizeResponse is the response object for PAR

func (*PushedAuthorizeResponse) AddHeader

func (a *PushedAuthorizeResponse) AddHeader(key, value string)

AddHeader adds

func (*PushedAuthorizeResponse) GetExpiresIn

func (a *PushedAuthorizeResponse) GetExpiresIn() int

GetExpiresIn gets

func (*PushedAuthorizeResponse) GetExtra

func (a *PushedAuthorizeResponse) GetExtra(key string) any

GetExtra gets

func (*PushedAuthorizeResponse) GetHeader

func (a *PushedAuthorizeResponse) GetHeader() http.Header

GetHeader gets

func (*PushedAuthorizeResponse) GetRequestURI

func (a *PushedAuthorizeResponse) GetRequestURI() string

GetRequestURI gets

func (*PushedAuthorizeResponse) SetExpiresIn

func (a *PushedAuthorizeResponse) SetExpiresIn(seconds int)

SetExpiresIn sets

func (*PushedAuthorizeResponse) SetExtra

func (a *PushedAuthorizeResponse) SetExtra(key string, value any)

SetExtra sets

func (*PushedAuthorizeResponse) SetRequestURI

func (a *PushedAuthorizeResponse) SetRequestURI(requestURI string)

SetRequestURI sets

func (*PushedAuthorizeResponse) ToMap

func (a *PushedAuthorizeResponse) ToMap() map[string]any

ToMap converts to a map

type RFC6749Error

type RFC6749Error struct {
	ErrorField       string
	DescriptionField string
	HintField        string
	CodeField        int
	DebugField       string
	// contains filtered or unexported fields
}

func ErrorToRFC6749Error

func ErrorToRFC6749Error(err error) *RFC6749Error

func ErrorToRFC6749ErrorFallback

func ErrorToRFC6749ErrorFallback(err error, fallback *RFC6749Error) *RFC6749Error

func (*RFC6749Error) Cause

func (e *RFC6749Error) Cause() error

func (*RFC6749Error) Debug

func (e *RFC6749Error) Debug() string

func (*RFC6749Error) Details

func (e *RFC6749Error) Details() map[string]any

func (RFC6749Error) Error

func (e RFC6749Error) Error() string

func (*RFC6749Error) GetDescription

func (e *RFC6749Error) GetDescription() string

GetDescription returns a more descriptive description, combined with hint and debug (when available).

func (RFC6749Error) Is

func (e RFC6749Error) Is(err error) bool

func (RFC6749Error) IsEmpty

func (e RFC6749Error) IsEmpty() bool

IsEmpty returns true if the error is an empty error.

func (RFC6749Error) MarshalJSON

func (e RFC6749Error) MarshalJSON() ([]byte, error)

func (*RFC6749Error) Reason

func (e *RFC6749Error) Reason() string

func (*RFC6749Error) RequestID

func (e *RFC6749Error) RequestID() string

func (*RFC6749Error) Sanitize deprecated

func (e *RFC6749Error) Sanitize() *RFC6749Error

Sanitize strips the debug field

Deprecated: Use WithExposeDebug instead.

func (*RFC6749Error) StackTrace

func (e *RFC6749Error) StackTrace() (trace errors.StackTrace)

StackTrace returns the error's stack trace.

func (*RFC6749Error) Status

func (e *RFC6749Error) Status() string

func (*RFC6749Error) StatusCode

func (e *RFC6749Error) StatusCode() int

func (*RFC6749Error) ToValues

func (e *RFC6749Error) ToValues() url.Values

func (*RFC6749Error) UnmarshalJSON

func (e *RFC6749Error) UnmarshalJSON(b []byte) error

func (RFC6749Error) Unwrap

func (e RFC6749Error) Unwrap() error

func (*RFC6749Error) WithDebug

func (e *RFC6749Error) WithDebug(debug string) *RFC6749Error

func (*RFC6749Error) WithDebugError

func (e *RFC6749Error) WithDebugError(debug error) *RFC6749Error

func (*RFC6749Error) WithDebugf

func (e *RFC6749Error) WithDebugf(debug string, args ...any) *RFC6749Error

func (*RFC6749Error) WithDescription

func (e *RFC6749Error) WithDescription(description string) *RFC6749Error

func (*RFC6749Error) WithExposeDebug

func (e *RFC6749Error) WithExposeDebug(exposeDebug bool) *RFC6749Error

WithExposeDebug if set to true exposes debug messages.

func (*RFC6749Error) WithHint

func (e *RFC6749Error) WithHint(hint string) *RFC6749Error

func (*RFC6749Error) WithHintIDOrDefaultf

func (e *RFC6749Error) WithHintIDOrDefaultf(id string, def string, args ...any) *RFC6749Error

WithHintIDOrDefaultf accepts the ID of the hint message

func (*RFC6749Error) WithHintTranslationID

func (e *RFC6749Error) WithHintTranslationID(id string) *RFC6749Error

WithHintTranslationID accepts the ID of the hint message and should be paired with WithHint and WithHintf to add a default message and vaargs.

func (*RFC6749Error) WithHintf

func (e *RFC6749Error) WithHintf(hint string, args ...any) *RFC6749Error

func (RFC6749Error) WithLegacyFormat

func (e RFC6749Error) WithLegacyFormat(useLegacyFormat bool) *RFC6749Error

func (*RFC6749Error) WithLocalizer

func (e *RFC6749Error) WithLocalizer(catalog i18n.MessageCatalog, lang language.Tag) *RFC6749Error

func (*RFC6749Error) WithTrace

func (e *RFC6749Error) WithTrace(err error) *RFC6749Error

func (RFC6749Error) WithWrap

func (e RFC6749Error) WithWrap(cause error) *RFC6749Error

func (*RFC6749Error) Wrap

func (e *RFC6749Error) Wrap(err error)

type RFC6749ErrorJson

type RFC6749ErrorJson struct {
	Name        string `json:"error"`
	Description string `json:"error_description"`
	Hint        string `json:"error_hint,omitempty"`
	Code        int    `json:"status_code,omitempty"`
	Debug       string `json:"error_debug,omitempty"`
}

RFC6749ErrorJson is a helper struct for JSON encoding/decoding of RFC6749Error.

type RFC8628DeviceAuthorizeEndpointHandler

type RFC8628DeviceAuthorizeEndpointHandler interface {
	// HandleRFC8628DeviceAuthorizeEndpointRequest handles a device authorize endpoint request. To extend the handler's capabilities, the http request
	// is passed along, if further information retrieval is required. If the handler feels that he is not responsible for
	// the device authorize request, he must return nil and NOT modify session nor responder neither requester.
	//
	// The following spec is a good example of what HandleDeviceAuthorizeRequest should do.
	// * https://tools.ietf.org/html/rfc8628#section-3.2
	HandleRFC8628DeviceAuthorizeEndpointRequest(ctx context.Context, requester DeviceAuthorizeRequester, responder DeviceAuthorizeResponder) error
}

type RFC8628DeviceAuthorizeEndpointHandlers

type RFC8628DeviceAuthorizeEndpointHandlers []RFC8628DeviceAuthorizeEndpointHandler

RFC8628DeviceAuthorizeEndpointHandlers is a list of RFC8628DeviceAuthorizeEndpointHandler

func (*RFC8628DeviceAuthorizeEndpointHandlers) Append

Append adds an RFC8628DeviceAuthorizeEndpointHandler to this list. Ignores duplicates based on reflect.TypeOf.

type RFC8628DeviceAuthorizeEndpointHandlersProvider

type RFC8628DeviceAuthorizeEndpointHandlersProvider interface {
	// GetRFC8628DeviceAuthorizeEndpointHandlers returns the handlers.
	GetRFC8628DeviceAuthorizeEndpointHandlers(ctx context.Context) (handlers RFC8628DeviceAuthorizeEndpointHandlers)
}

RFC8628DeviceAuthorizeEndpointHandlersProvider returns the provider for setting up the Device authorization handlers.

type RFC8628UserAuthorizeEndpointHandler

type RFC8628UserAuthorizeEndpointHandler interface {
	// HandleRFC8628UserAuthorizeEndpointRequest validates the request with the given user code.
	//
	// The following spec is a good example of what PopulateRFC8628UserAuthorizeEndpointResponse should do.
	// * https://www.rfc-editor.org/rfc/rfc8628#section-3.3
	HandleRFC8628UserAuthorizeEndpointRequest(ctx context.Context, request DeviceAuthorizeRequester) error

	// PopulateRFC8628UserAuthorizeEndpointResponse populates the response object as an outcome of user authorization during
	// the device authorization grant flow.
	//
	PopulateRFC8628UserAuthorizeEndpointResponse(ctx context.Context, requester DeviceAuthorizeRequester, responder DeviceUserAuthorizeResponder) error
}

type RFC8628UserAuthorizeEndpointHandlers

type RFC8628UserAuthorizeEndpointHandlers []RFC8628UserAuthorizeEndpointHandler

RFC8628UserAuthorizeEndpointHandlers is a list of RFC8628UserAuthorizeEndpointHandler

func (*RFC8628UserAuthorizeEndpointHandlers) Append

Append adds an RFC8628UserAuthorizeEndpointHandler to this list. Ignores duplicates based on reflect.TypeOf.

type RFC8628UserAuthorizeEndpointHandlersProvider

type RFC8628UserAuthorizeEndpointHandlersProvider interface {
	// GetRFC8628UserAuthorizeEndpointHandlers returns the handlers.
	GetRFC8628UserAuthorizeEndpointHandlers(ctx context.Context) (handlers RFC8628UserAuthorizeEndpointHandlers)
}

RFC8628UserAuthorizeEndpointHandlersProvider returns the provider for setting up the Device grant user interaction handlers.

type RFC8628UserAuthorizeResponse

type RFC8628UserAuthorizeResponse struct {
	Header     http.Header    `json:"-"`
	Parameters url.Values     `json:"-"`
	Status     string         `json:"status"`
	Extra      map[string]any `json:"-"`
}

RFC8628UserAuthorizeResponse is an implementation of DeviceUserAuthorizeResponder

func NewRFC8628UserAuthorizeResponse

func NewRFC8628UserAuthorizeResponse() *RFC8628UserAuthorizeResponse

func (*RFC8628UserAuthorizeResponse) AddHeader

func (d *RFC8628UserAuthorizeResponse) AddHeader(key, value string)

func (*RFC8628UserAuthorizeResponse) AddParameter

func (d *RFC8628UserAuthorizeResponse) AddParameter(key, value string)

func (*RFC8628UserAuthorizeResponse) FromJson

func (*RFC8628UserAuthorizeResponse) GetExtra

func (d *RFC8628UserAuthorizeResponse) GetExtra(key string) any

func (*RFC8628UserAuthorizeResponse) GetHeader

func (d *RFC8628UserAuthorizeResponse) GetHeader() http.Header

func (*RFC8628UserAuthorizeResponse) GetParameters

func (d *RFC8628UserAuthorizeResponse) GetParameters() url.Values

func (*RFC8628UserAuthorizeResponse) GetStatus

func (d *RFC8628UserAuthorizeResponse) GetStatus() string

func (*RFC8628UserAuthorizeResponse) SetExtra

func (d *RFC8628UserAuthorizeResponse) SetExtra(key string, value any)

func (*RFC8628UserAuthorizeResponse) SetStatus

func (d *RFC8628UserAuthorizeResponse) SetStatus(status string)

func (*RFC8628UserAuthorizeResponse) ToJson

func (*RFC8628UserAuthorizeResponse) ToMap

func (d *RFC8628UserAuthorizeResponse) ToMap() map[string]any

ToMap converts the response to a map.

type RFC8693ConfigProvider

type RFC8693ConfigProvider interface {
	GetRFC8693TokenTypes(ctx context.Context) (types map[string]RFC8693TokenType)

	GetDefaultRFC8693RequestedTokenType(ctx context.Context) (tokenType string)
}

RFC8693ConfigProvider is the configuration provider for RFC8693 Token Exchange.

type RFC8693TokenType

type RFC8693TokenType interface {
	GetName(ctx context.Context) (name string)

	GetType(ctx context.Context) (tokenType string)
}

type RFC9207ResponseModeParameterHandler added in v0.1.3

type RFC9207ResponseModeParameterHandler struct {
	Config interface {
		AuthorizationServerIssuerIdentificationProvider
	}
}

RFC9207ResponseModeParameterHandler adds the RFC9207

func (*RFC9207ResponseModeParameterHandler) ResponseModes added in v0.1.3

func (*RFC9207ResponseModeParameterHandler) WriteParameters added in v0.1.3

func (h *RFC9207ResponseModeParameterHandler) WriteParameters(ctx context.Context, requester AuthorizeRequester, parameters url.Values)

type RFC9628DeviceAuthorizeConfigProvider

type RFC9628DeviceAuthorizeConfigProvider interface {
	// GetRFC8628CodeLifespan returns the device and user code lifespan.
	GetRFC8628CodeLifespan(ctx context.Context) (lifespan time.Duration)

	GetRFC8628UserVerificationURL(ctx context.Context) (url string)

	GetRFC8628TokenPollingInterval(ctx context.Context) (interval time.Duration)
}

RFC9628DeviceAuthorizeConfigProvider returns the provider for configuring the device authorization response.

See: https://www.rfc-editor.org/rfc/rfc8628#section-3.2

type RedirectSecureCheckerProvider

type RedirectSecureCheckerProvider interface {
	// GetRedirectSecureChecker returns the redirect URL security validator.
	GetRedirectSecureChecker(ctx context.Context) func(context.Context, *url.URL) bool
}

RedirectSecureCheckerProvider returns the provider for configuring the redirect URL security validator.

type RefreshFlowScopeClient

type RefreshFlowScopeClient interface {
	GetRefreshFlowIgnoreOriginalGrantedScopes(ctx context.Context) (ignoreOriginalGrantedScopes bool)

	Client
}

RefreshFlowScopeClient is a client which can be customized to ignore scopes that were not originally granted.

type RefreshTokenAccessRequester

type RefreshTokenAccessRequester interface {
	// SanitizeRestoreRefreshTokenOriginalRequester returns a sanitized copy of this Requester and mutates the relevant
	// values from the provided Requester which is the original refresh token session Requester.
	SanitizeRestoreRefreshTokenOriginalRequester(requester Requester) (sanitized Requester)

	AccessRequester
}

RefreshTokenAccessRequester is an extended AccessRequester implementation that allows preserving the original Requester.

type RefreshTokenLifespanProvider

type RefreshTokenLifespanProvider interface {
	// GetRefreshTokenLifespan returns the refresh token lifespan.
	GetRefreshTokenLifespan(ctx context.Context) time.Duration
}

RefreshTokenLifespanProvider returns the provider for configuring the refresh token lifespan.

type RefreshTokenScopesProvider

type RefreshTokenScopesProvider interface {
	// GetRefreshTokenScopes returns the refresh token scopes.
	GetRefreshTokenScopes(ctx context.Context) []string
}

RefreshTokenScopesProvider returns the provider for configuring the refresh token scopes.

type Request

type Request struct {
	ID                string       `json:"id" gorethink:"id"`
	RequestedAt       time.Time    `json:"requestedAt" gorethink:"requestedAt"`
	Client            Client       `json:"-" gorethink:"client"`
	RequestedScope    Arguments    `json:"scopes" gorethink:"scopes"`
	GrantedScope      Arguments    `json:"grantedScopes" gorethink:"grantedScopes"`
	Form              url.Values   `json:"form" gorethink:"form"`
	Session           Session      `json:"session" gorethink:"session"`
	RequestedAudience Arguments    `json:"requestedAudience"`
	GrantedAudience   Arguments    `json:"grantedAudience"`
	Lang              language.Tag `json:"-"`
}

Request is an implementation of Requester

func NewRequest

func NewRequest() *Request

func (*Request) AppendRequestedAudience

func (a *Request) AppendRequestedAudience(audience string)

func (*Request) AppendRequestedScope

func (a *Request) AppendRequestedScope(scope string)

func (*Request) GetClient

func (a *Request) GetClient() Client

func (*Request) GetGrantedAudience

func (a *Request) GetGrantedAudience() Arguments

func (*Request) GetGrantedScopes

func (a *Request) GetGrantedScopes() Arguments

func (*Request) GetID

func (a *Request) GetID() string

func (*Request) GetLang

func (a *Request) GetLang() language.Tag

func (*Request) GetRequestForm

func (a *Request) GetRequestForm() url.Values

func (*Request) GetRequestedAt

func (a *Request) GetRequestedAt() time.Time

func (*Request) GetRequestedAudience

func (a *Request) GetRequestedAudience() (audience Arguments)

func (*Request) GetRequestedScopes

func (a *Request) GetRequestedScopes() Arguments

func (*Request) GetSession

func (a *Request) GetSession() Session

func (*Request) GrantAudience

func (a *Request) GrantAudience(audience string)

func (*Request) GrantScope

func (a *Request) GrantScope(scope string)

func (*Request) Merge

func (a *Request) Merge(request Requester)

func (*Request) Sanitize

func (a *Request) Sanitize(allowedParameters []string) Requester

func (*Request) SetID

func (a *Request) SetID(id string)

func (*Request) SetRequestedAudience

func (a *Request) SetRequestedAudience(s Arguments)

func (*Request) SetRequestedScopes

func (a *Request) SetRequestedScopes(s Arguments)

func (*Request) SetSession

func (a *Request) SetSession(session Session)

type RequestedAudienceImplicitClient

type RequestedAudienceImplicitClient interface {
	// GetRequestedAudienceImplicit is indicative of if a client will implicitly request all audiences it is allowed to
	// request in the absence of requested audience during an Authorization Endpoint Flow or Client Credentials Flow.
	GetRequestedAudienceImplicit() (implicit bool)

	Client
}

RequestedAudienceImplicitClient is a client which can potentially implicitly grant permitted audiences given the absence of a request parameter.

type Requester

type Requester interface {
	// SetID sets the unique identifier.
	SetID(id string)

	// GetID returns a unique identifier.
	GetID() (id string)

	// GetRequestedAt returns the time the request was created.
	GetRequestedAt() (requestedAt time.Time)

	// GetClient returns the request's client.
	GetClient() (client Client)

	// GetRequestedScopes returns the request's scopes.
	GetRequestedScopes() (scopes Arguments)

	// GetRequestedAudience returns the requested audiences for this request.
	GetRequestedAudience() (audience Arguments)

	// SetRequestedScopes sets the request's scopes.
	SetRequestedScopes(scopes Arguments)

	// SetRequestedAudience sets the requested audience.
	SetRequestedAudience(audience Arguments)

	// AppendRequestedScope appends a scope to the request.
	AppendRequestedScope(scope string)

	// GetGrantedScopes returns all granted scopes.
	GetGrantedScopes() (grantedScopes Arguments)

	// GetGrantedAudience returns all granted audiences.
	GetGrantedAudience() (grantedAudience Arguments)

	// GrantScope marks a request's scope as granted.
	GrantScope(scope string)

	// GrantAudience marks a request's audience as granted.
	GrantAudience(audience string)

	// GetSession returns a pointer to the request's session or nil if none is set.
	GetSession() (session Session)

	// SetSession sets the request's session pointer.
	SetSession(session Session)

	// GetRequestForm returns the request's form input.
	GetRequestForm() (form url.Values)

	// Merge merges the argument into the method receiver.
	Merge(requester Requester)

	// Sanitize returns a sanitized clone of the request which can be used for storage.
	Sanitize(allowedParameters []string) (sanitized Requester)
}

Requester is an abstract interface for handling requests in Fosite.

type ResponseModeClient

type ResponseModeClient interface {
	// GetResponseModes returns the response modes that client is allowed to send
	GetResponseModes() (modes []ResponseModeType)

	Client
}

ResponseModeClient represents a client capable of handling response_mode

type ResponseModeHandler

type ResponseModeHandler interface {
	// ResponseModes returns a set of supported response modes handled
	// by the interface implementation.
	//
	// In an authorize request with any of the provide response modes
	// methods `WriteAuthorizeResponse` and `WriteAuthorizeError` will be
	// invoked to write the successful or error authorization responses respectively.
	ResponseModes() ResponseModeTypes

	// WriteAuthorizeResponse writes successful responses
	//
	// The following headers are expected to be set by implementations of this interface:
	// header.Set(consts.HeaderCacheControl, consts.CacheControlNoStore)
	// header.Set(consts.HeaderPragma, consts.PragmaNoCache)
	WriteAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, responder AuthorizeResponder)

	// WriteAuthorizeError writes error responses
	//
	// The following headers are expected to be set by implementations of this interface:
	// header.Set(consts.HeaderCacheControl, consts.CacheControlNoStore)
	// header.Set(consts.HeaderPragma, consts.PragmaNoCache)
	WriteAuthorizeError(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, err error)
}

ResponseModeHandler provides a contract for handling response modes.

type ResponseModeHandlerProvider

type ResponseModeHandlerProvider interface {
	// GetResponseModeHandlers returns the response mode handlers in order of execution.
	GetResponseModeHandlers(ctx context.Context) (handlers ResponseModeHandlers)
}

ResponseModeHandlerProvider returns the provider for configuring the response mode handlers.

type ResponseModeHandlers added in v0.1.3

type ResponseModeHandlers []ResponseModeHandler

ResponseModeHandlers is a list of ResponseModeHandler.

func (*ResponseModeHandlers) Append added in v0.1.3

Append adds an ResponseModeHandler to this list. Ignores duplicates based on reflect.TypeOf.

type ResponseModeParameterHandler added in v0.1.3

type ResponseModeParameterHandler interface {
	// ResponseModes returns a set of supported response modes handled
	// by the interface implementation.
	//
	// In an authorize request with any of the provide response modes
	// methods `WriteAuthorizeResponse` and `WriteAuthorizeError` will be
	// invoked to write the successful or error authorization responses respectively.
	ResponseModes() ResponseModeTypes

	// WriteParameters is handed the parameters just before handing of to the response writer.
	WriteParameters(ctx context.Context, requester AuthorizeRequester, parameters url.Values)
}

type ResponseModeParameterHandlerProvider added in v0.1.3

type ResponseModeParameterHandlerProvider interface {
	// GetResponseModeParameterHandlers returns the ResponseModeParameterHandler's to process.
	GetResponseModeParameterHandlers(ctx context.Context) (handlers ResponseModeParameterHandlers)
}

ResponseModeParameterHandlerProvider returns the providers for configuring additional parameters in the response mode phase of an Authorization Request which may not be possible to determine until the final response mode is known.

type ResponseModeParameterHandlers added in v0.1.3

type ResponseModeParameterHandlers []ResponseModeParameterHandler

ResponseModeParameterHandlers is a list of ResponseModeParameterHandler.

func (*ResponseModeParameterHandlers) Append added in v0.1.3

Append adds an ResponseModeParameterHandler to this list. Ignores duplicates based on reflect.TypeOf.

type ResponseModeType

type ResponseModeType string

type ResponseModeTypes

type ResponseModeTypes []ResponseModeType

func (ResponseModeTypes) Has

type RevocationEndpointClientAuthHandler added in v0.1.12

type RevocationEndpointClientAuthHandler struct{}

func (*RevocationEndpointClientAuthHandler) AllowAuthMethodAny added in v0.1.12

func (h *RevocationEndpointClientAuthHandler) AllowAuthMethodAny() bool

func (*RevocationEndpointClientAuthHandler) GetAuthMethod added in v0.1.12

func (*RevocationEndpointClientAuthHandler) GetAuthSigningAlg added in v0.1.12

func (*RevocationEndpointClientAuthHandler) Name added in v0.1.12

type RevocationHandler

type RevocationHandler interface {
	// RevokeToken handles access and refresh token revocation.
	RevokeToken(ctx context.Context, token string, tokenType TokenType, client Client) error
}

RevocationHandler is the interface that allows token revocation for an OAuth2.0 provider. https://datatracker.ietf.org/doc/html/rfc7009

RevokeToken is invoked after a new token revocation request is parsed.

https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 If the particular token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant (see Implementation Note). If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well.

type RevocationHandlers

type RevocationHandlers []RevocationHandler

RevocationHandlers is a list of RevocationHandler

func (*RevocationHandlers) Append

Append adds an RevocationHandler to this list. Ignores duplicates based on reflect.TypeOf.

type RevocationHandlersProvider

type RevocationHandlersProvider interface {
	// GetRevocationHandlers returns the revocation handlers.
	GetRevocationHandlers(ctx context.Context) (handlers RevocationHandlers)
}

RevocationHandlersProvider returns the provider for configuring the revocation handlers.

type RevokeFlowRevokeRefreshTokensExplicitClient

type RevokeFlowRevokeRefreshTokensExplicitClient interface {
	// GetRevokeRefreshTokensExplicit returns true if this client will only revoke refresh tokens explicitly.
	GetRevokeRefreshTokensExplicit(ctx context.Context) (explicit bool)

	Client
}

RevokeFlowRevokeRefreshTokensExplicitClient is a client which can be customized to only revoke Refresh Tokens explicitly.

type RevokeRefreshTokensExplicitlyProvider

type RevokeRefreshTokensExplicitlyProvider interface {
	// GetRevokeRefreshTokensExplicit returns true if a refresh token should only be revoked explicitly.
	GetRevokeRefreshTokensExplicit(ctx context.Context) (explicit bool)

	// GetEnforceRevokeFlowRevokeRefreshTokensExplicitClient returns true if a
	// RevokeFlowRevokeRefreshTokensExplicitClient returning false should be enforced.
	GetEnforceRevokeFlowRevokeRefreshTokensExplicitClient(ctx context.Context) (explicit bool)
}

RevokeRefreshTokensExplicitlyProvider returns the provider for configuring the Refresh Token Explicit Revocation policy.

type RotatedClientSecretsClient

type RotatedClientSecretsClient interface {
	GetRotatedClientSecrets() (secrets []ClientSecret)

	Client
}

RotatedClientSecretsClient extends Client interface by a method providing a slice of rotated secrets.

type RotatedGlobalSecretsProvider

type RotatedGlobalSecretsProvider interface {
	// GetRotatedGlobalSecrets returns the rotated global secrets.
	GetRotatedGlobalSecrets(ctx context.Context) (secrets [][]byte, err error)
}

RotatedGlobalSecretsProvider returns the provider for configuring the rotated global secrets.

type SanitationAllowedProvider

type SanitationAllowedProvider interface {
	// GetSanitationWhiteList is a whitelist of form values that are required by the token endpoint. These values
	// are safe for storage in a database (cleartext).
	GetSanitationWhiteList(ctx context.Context) (whitelist []string)
}

SanitationAllowedProvider returns the provider for configuring the sanitation white list.

type ScopeStrategy

type ScopeStrategy func(haystack []string, needle string) bool

ScopeStrategy is a strategy for matching scopes.

type ScopeStrategyProvider

type ScopeStrategyProvider interface {
	// GetScopeStrategy returns the scope strategy.
	GetScopeStrategy(ctx context.Context) ScopeStrategy
}

ScopeStrategyProvider returns the provider for configuring the scope strategy.

type SendDebugMessagesToClientsProvider

type SendDebugMessagesToClientsProvider interface {
	// GetSendDebugMessagesToClients returns the send debug messages to clients.
	GetSendDebugMessagesToClients(ctx context.Context) (send bool)
}

SendDebugMessagesToClientsProvider returns the provider for configuring the send debug messages to clients.

type Session

type Session interface {
	// SetExpiresAt sets the expiration time of a token.
	//
	//  session.SetExpiresAt(oauth2.AccessToken, time.Now().UTC().Add(time.Hour))
	SetExpiresAt(key TokenType, exp time.Time)

	// GetExpiresAt returns the expiration time of a token if set, or time.IsZero() if not.
	//
	//  session.GetExpiresAt(oauth2.AccessToken)
	GetExpiresAt(key TokenType) time.Time

	// GetUsername returns the username, if set. This is optional and only used during token introspection.
	GetUsername() string

	// GetSubject returns the subject, if set. This is optional and only used during token introspection.
	GetSubject() string

	// Clone clones the session.
	Clone() Session
}

Session is an interface that is used to store session data between OAuth2 requests. It can be used to look up when a session expires or what the subject's name was.

type Storage

type Storage interface {
	ClientManager
}

Storage defines the minimal storage interface.

type TokenEndpointClientAuthHandler added in v0.1.12

type TokenEndpointClientAuthHandler struct{}

func (*TokenEndpointClientAuthHandler) AllowAuthMethodAny added in v0.1.12

func (h *TokenEndpointClientAuthHandler) AllowAuthMethodAny() bool

func (*TokenEndpointClientAuthHandler) GetAuthMethod added in v0.1.12

func (*TokenEndpointClientAuthHandler) GetAuthSigningAlg added in v0.1.12

func (*TokenEndpointClientAuthHandler) Name added in v0.1.12

type TokenEndpointHandler

type TokenEndpointHandler interface {
	// PopulateTokenEndpointResponse is responsible for setting return values and should only be executed if
	// the handler's HandleTokenEndpointRequest did not return ErrUnknownRequest.
	PopulateTokenEndpointResponse(ctx context.Context, requester AccessRequester, responder AccessResponder) error

	// HandleTokenEndpointRequest handles an authorize request. If the handler is not responsible for handling
	// the request, this method should return ErrUnknownRequest and otherwise handle the request.
	HandleTokenEndpointRequest(ctx context.Context, requester AccessRequester) error

	// CanSkipClientAuth indicates if client authentication can be skipped. By default it MUST be false, unless you are
	// implementing extension grant type, which allows unauthenticated client. CanSkipClientAuth must be called
	// before HandleTokenEndpointRequest to decide, if AccessRequester will contain authenticated client.
	CanSkipClientAuth(ctx context.Context, requester AccessRequester) bool

	// CanHandleTokenEndpointRequest indicates, if TokenEndpointHandler can handle this request or not. If true,
	// HandleTokenEndpointRequest can be called.
	CanHandleTokenEndpointRequest(ctx context.Context, requester AccessRequester) bool
}

type TokenEndpointHandlers

type TokenEndpointHandlers []TokenEndpointHandler

TokenEndpointHandlers is a list of TokenEndpointHandler

func (*TokenEndpointHandlers) Append

Append adds an TokenEndpointHandler to this list. Ignores duplicates based on reflect.TypeOf.

type TokenEndpointHandlersProvider

type TokenEndpointHandlersProvider interface {
	// GetTokenEndpointHandlers returns the token endpoint handlers.
	GetTokenEndpointHandlers(ctx context.Context) (handlers TokenEndpointHandlers)
}

TokenEndpointHandlersProvider returns the provider for configuring the token endpoint handlers.

type TokenEntropyProvider

type TokenEntropyProvider interface {
	// GetTokenEntropy returns the token entropy.
	GetTokenEntropy(ctx context.Context) (entropy int)
}

TokenEntropyProvider returns the provider for configuring the token entropy.

type TokenIntrospectionHandlers

type TokenIntrospectionHandlers []TokenIntrospector

TokenIntrospectionHandlers is a list of TokenValidator

func (*TokenIntrospectionHandlers) Append

Append adds an AccessTokenValidator to this list. Ignores duplicates based on reflect.TypeOf.

type TokenIntrospectionHandlersProvider

type TokenIntrospectionHandlersProvider interface {
	// GetTokenIntrospectionHandlers returns the token introspection handlers.
	GetTokenIntrospectionHandlers(ctx context.Context) (handlers TokenIntrospectionHandlers)
}

TokenIntrospectionHandlersProvider returns the provider for configuring the token introspection handlers.

type TokenIntrospector

type TokenIntrospector interface {
	IntrospectToken(ctx context.Context, token string, tokenUse TokenUse, accessRequest AccessRequester, scopes []string) (TokenUse, error)
}

type TokenType

type TokenType string

type TokenUse

type TokenUse = TokenType

type UseLegacyErrorFormatProvider deprecated

type UseLegacyErrorFormatProvider interface {
	// GetUseLegacyErrorFormat returns whether to use the legacy error format.
	//
	// Deprecated: Do not use this flag anymore.
	GetUseLegacyErrorFormat(ctx context.Context) (use bool)
}

UseLegacyErrorFormatProvider returns the provider for configuring whether to use the legacy error format.

Deprecated: Do not use this flag anymore.

type UserInfoClient added in v0.1.15

type UserInfoClient interface {
	// GetUserinfoSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements of the User
	// Info specifications. If unspecified the other available parameters will be utilized to select an appropriate
	// key.
	GetUserinfoSignedResponseKeyID() (kid string)

	// GetUserinfoSignedResponseAlg is equivalent to the 'userinfo_signed_response_alg' client metadata value which
	// determines the JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the
	// response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo
	// Response to return the Claims as a UTF-8 [RFC3629] encoded JSON object using the application/json content-type.
	GetUserinfoSignedResponseAlg() (alg string)

	// GetUserinfoEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements of the
	// User Info specifications. If unspecified the other available parameters will be utilized to select an appropriate
	// key.
	GetUserinfoEncryptedResponseKeyID() (kid string)

	// GetUserinfoEncryptedResponseAlg is equivalent to the 'userinfo_encrypted_response_alg' client metadata value
	// which determines the JWE alg algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If
	// this is requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in
	// [JWT]. The default, if omitted, is that no encryption is performed.
	GetUserinfoEncryptedResponseAlg() (alg string)

	// GetUserinfoEncryptedResponseEnc is equivalent to the 'userinfo_encrypted_response_enc' client metadata value
	// which determines the JWE enc algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If
	// userinfo_encrypted_response_alg is specified, the default userinfo_encrypted_response_enc value is A128CBC-HS256.
	// When userinfo_encrypted_response_enc is included, userinfo_encrypted_response_alg MUST also be provided.
	GetUserinfoEncryptedResponseEnc() (enc string)

	JSONWebKeysClient
}

UserInfoClient is a client which can satisfy all JWS and JWE requirements of the User Info responses.

type VerifiableCredentialsNonceLifespanProvider

type VerifiableCredentialsNonceLifespanProvider interface {
	// GetVerifiableCredentialsNonceLifespan returns the nonce lifespan.
	GetVerifiableCredentialsNonceLifespan(ctx context.Context) time.Duration
}

VerifiableCredentialsNonceLifespanProvider returns the provider for configuring the access token lifespan.

Directories

Path Synopsis
handler
par
gen
testing
mock
Package mock is a generated GoMock package.
Package mock is a generated GoMock package.
token
jwt
x

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL