storage

package
v0.0.7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 20, 2024 License: GPL-3.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// CustomScope is an example for how to use custom scopes in this library
	// (in this scenario, when requested, it will return a custom claim).
	CustomScope = "custom_scope"

	// CustomClaim is an example for how to return custom claims with this library.
	CustomClaim = "custom_claim"

	// CustomScopeImpersonatePrefix is an example scope prefix for
	// passing user id to impersonate using token exchange.
	CustomScopeImpersonatePrefix = "custom_scope:impersonate:"

	GroupsScope = "groups"

	// Custom claim representing groups.
	GroupsClaim = "groups"
)

Variables

View Source 
var ErrNotFound = errors.New("not found")

Functions

func RedirectGlobsClient 

func RedirectGlobsClient(client *Client) op.Client

RedirectGlobsClient wraps the client in a op.HasRedirectGlobs only if DevMode is enabled.

func RefreshTokenRequestFromBusiness 

func RefreshTokenRequestFromBusiness(token *RefreshToken) op.RefreshTokenRequest

RefreshTokenRequestFromBusiness will simply wrap the storage RefreshToken to implement the op.RefreshTokenRequest interface

Types

type AuthRequest 

type AuthRequest struct {
	*oidc.AuthRequest `json:",inline"`

	ID        string    `json:"id"`
	Code      string    `json:"code"`
	UserID    string    `json:"user_id"`
	CreatedAt time.Time `json:"created_at"`
	AuthTime  time.Time `json:"auth_time"`
	IsDone    bool      `json:"done,omitempty"`
}

AuthRequest type for database serialization.

func (*AuthRequest) Done 

func (a *AuthRequest) Done() bool

func (*AuthRequest) GetACR 

func (a *AuthRequest) GetACR() string

func (*AuthRequest) GetAMR 

func (a *AuthRequest) GetAMR() []string

func (*AuthRequest) GetAudience 

func (a *AuthRequest) GetAudience() []string

func (*AuthRequest) GetAuthTime 

func (a *AuthRequest) GetAuthTime() time.Time

func (*AuthRequest) GetClientID 

func (a *AuthRequest) GetClientID() string

func (*AuthRequest) GetCodeChallenge 

func (a *AuthRequest) GetCodeChallenge() *oidc.CodeChallenge

func (*AuthRequest) GetID 

func (a *AuthRequest) GetID() string

func (*AuthRequest) GetNonce 

func (a *AuthRequest) GetNonce() string

func (*AuthRequest) GetResponseMode 

func (a *AuthRequest) GetResponseMode() oidc.ResponseMode

func (*AuthRequest) GetScopes 

func (a *AuthRequest) GetScopes() []string

func (*AuthRequest) GetSubject 

func (a *AuthRequest) GetSubject() string

func (*AuthRequest) LogValue 

func (a *AuthRequest) LogValue() slog.Value

LogValue allows you to define which fields will be logged. Implements the slog.LogValuer

type Client 

type Client struct {
	*ClientSpec
	// contains filtered or unexported fields
}

Client represents the storage model of an OAuth/OIDC client.

func DeviceClient 

func DeviceClient(id, secret string) *Client

DeviceClient creates a device client with Basic authentication.

func NativeClient 

func NativeClient(id string, redirectURIs ...string) *Client

NativeClient will create a client of type native, which will always use PKCE and allow the use of refresh tokens user-defined redirectURIs may include: - http://localhost without port specification (e.g. http://localhost/auth/callback) - custom protocol (e.g. custom://auth/callback) (the examples will be used as default, if none is provided)

func WebClient 

func WebClient(id, secret string, redirectURIs ...string) *Client

WebClient will create a client of type web, which will always use Basic Auth and allow the use of refresh tokens user-defined redirectURIs may include: - http://localhost with port specification (e.g. http://localhost:9999/auth/callback)

func (*Client) AccessTokenType 

func (c *Client) AccessTokenType() op.AccessTokenType

AccessTokenType must return the type of access token the client uses (Bearer (opaque) or JWT)

func (*Client) ApplicationType 

func (c *Client) ApplicationType() op.ApplicationType

ApplicationType must return the type of the client (app, native, user agent)

func (*Client) AuthMethod 

func (c *Client) AuthMethod() oidc.AuthMethod

AuthMethod must return the authentication method (client_secret_basic, client_secret_post, none, private_key_jwt)

func (*Client) ClockSkew 

func (c *Client) ClockSkew() time.Duration

ClockSkew enables clients to instruct the OP to apply a clock skew on the various times and expirations (subtract from issued_at, add to expiration, ...)

func (*Client) DevMode 

func (c *Client) DevMode() bool

DevMode enables the use of non-compliant configs such as redirect_uris (e.g. http schema for user agent client)

func (*Client) GetID 

func (c *Client) GetID() string

GetID must return the client_id

func (*Client) GrantTypes 

func (c *Client) GrantTypes() []oidc.GrantType

GrantTypes must return all allowed grant types (authorization_code, refresh_token, urn:ietf:params:oauth:grant-type:jwt-bearer)

func (*Client) IDTokenLifetime 

func (c *Client) IDTokenLifetime() time.Duration

IDTokenLifetime must return the lifetime of the client's id_tokens

func (*Client) IDTokenUserinfoClaimsAssertion 

func (c *Client) IDTokenUserinfoClaimsAssertion() bool

IDTokenUserinfoClaimsAssertion allows specifying if claims of scope profile, email, phone and address are asserted into the id_token even if an access token if issued which violates the OIDC Core spec (5.4. Requesting Claims using Scope Values: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) some clients though require that e.g. email is always in the id_token when requested even if an access_token is issued

func (*Client) IsScopeAllowed 

func (c *Client) IsScopeAllowed(scope string) bool

IsScopeAllowed enables Client specific custom scopes validation. Allow the GroupsScope for all clients.

func (*Client) LoginURL 

func (c *Client) LoginURL(id string) string

LoginURL will be called to redirect the user (agent) to the login UI you could implement some logic here to redirect the users to different login UIs depending on the client

func (*Client) PostLogoutRedirectURIs 

func (c *Client) PostLogoutRedirectURIs() []string

PostLogoutRedirectURIs must return the registered post_logout_redirect_uris for sign-outs

func (*Client) RedirectURIs 

func (c *Client) RedirectURIs() []string

RedirectURIs must return the registered redirect_uris for Code and Implicit Flow

func (*Client) ResponseTypes 

func (c *Client) ResponseTypes() []oidc.ResponseType

ResponseTypes must return all allowed response types (code, id_token token, id_token) these must match with the allowed grant types

func (*Client) RestrictAdditionalAccessTokenScopes 

func (c *Client) RestrictAdditionalAccessTokenScopes() func(scopes []string) []string

RestrictAdditionalAccessTokenScopes allows specifying which custom scopes shall be asserted into the JWT access_token

func (*Client) RestrictAdditionalIdTokenScopes 

func (c *Client) RestrictAdditionalIdTokenScopes() func(scopes []string) []string

RestrictAdditionalIdTokenScopes allows specifying which custom scopes shall be asserted into the id_token

func (*Client) UnmarshalYAML 

func (c *Client) UnmarshalYAML(node *yaml.Node) error

type ClientSpec 

type ClientSpec struct {
	ID               string                      `yaml:"-"`
	Type             string                      `yaml:"type" doc:"OIDC client type (web, native, device)"`
	Secret           string                      `yaml:"secret" doc:"client secret"`
	RedirectURIs     []string                    `yaml:"redirect_uris" doc:"callback URLs"`
	RedirectURIGlobs []string                    `yaml:"redirect_uri_globs" doc:"callback URL globs"`
	ServiceKeys      map[string]cryptutil.RSAKey `yaml:"service_keys"`
}

ClientSpec is the configurable simplified oidc.Client API.

type DB 

type DB struct {
	// contains filtered or unexported fields
}

func NewDB 

func NewDB(path string) (*DB, error)

func (*DB) Close 

func (s *DB) Close()

type DebugStorage 

type DebugStorage struct {
	*Storage
}

func Debug 

func Debug(s *Storage) *DebugStorage

func (*DebugStorage) AuthRequestByCode 

func (d *DebugStorage) AuthRequestByCode(ctx context.Context, code string) (op.AuthRequest, error)

func (*DebugStorage) AuthRequestByID 

func (d *DebugStorage) AuthRequestByID(ctx context.Context, id string) (op.AuthRequest, error)

func (DebugStorage) AuthorizeClientIDSecret 

func (s DebugStorage) AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string) error

AuthorizeClientIDSecret implements the op.Storage interface it will be called for validating the client_id, client_secret on token or introspection requests

func (*DebugStorage) ClientCredentials 

func (d *DebugStorage) ClientCredentials(ctx context.Context, clientID, clientSecret string) (op.Client, error)

func (*DebugStorage) ClientCredentialsTokenRequest 

func (d *DebugStorage) ClientCredentialsTokenRequest(ctx context.Context, clientID string, scopes []string) (op.TokenRequest, error)

func (DebugStorage) CompleteDeviceAuthorization 

func (s DebugStorage) CompleteDeviceAuthorization(ctx context.Context, userCode, subject string) error

func (*DebugStorage) CreateAccessAndRefreshTokens 

func (d *DebugStorage) CreateAccessAndRefreshTokens(ctx context.Context, request op.TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshToken string, expiration time.Time, err error)

func (*DebugStorage) CreateAccessToken 

func (d *DebugStorage) CreateAccessToken(ctx context.Context, request op.TokenRequest) (string, time.Time, error)

func (*DebugStorage) CreateAuthRequest 

func (d *DebugStorage) CreateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, userID string) (op.AuthRequest, error)

func (DebugStorage) CreateTokenExchangeRequest 

func (s DebugStorage) CreateTokenExchangeRequest(ctx context.Context, request op.TokenExchangeRequest) error

ValidateTokenExchangeRequest implements the op.TokenExchangeStorage interface Common use case is to store request for audit purposes. For this example we skip the storing.

func (*DebugStorage) DeleteAuthRequest 

func (d *DebugStorage) DeleteAuthRequest(ctx context.Context, id string) error

func (DebugStorage) DenyDeviceAuthorization 

func (s DebugStorage) DenyDeviceAuthorization(ctx context.Context, userCode string) error

func (*DebugStorage) FinalizeAuthRequest 

func (d *DebugStorage) FinalizeAuthRequest(ctx context.Context, id, userID string) error

func (DebugStorage) GetClientByClientID 

func (s DebugStorage) GetClientByClientID(ctx context.Context, clientID string) (op.Client, error)

GetClientByClientID implements the op.Storage interface it will be called whenever information (type, redirect_uris, ...) about the client behind the client_id is needed

func (DebugStorage) GetDeviceAuthorizationByUserCode 

func (s DebugStorage) GetDeviceAuthorizationByUserCode(ctx context.Context, userCode string) (*op.DeviceAuthorizationState, error)

func (DebugStorage) GetDeviceAuthorizatonState 

func (s DebugStorage) GetDeviceAuthorizatonState(ctx context.Context, clientID, deviceCode string) (*op.DeviceAuthorizationState, error)

func (DebugStorage) GetKeyByIDAndClientID 

func (s DebugStorage) GetKeyByIDAndClientID(ctx context.Context, keyID, clientID string) (*jose.JSONWebKey, error)

GetKeyByIDAndClientID implements the op.Storage interface it will be called to validate the signatures of a JWT (JWT Profile Grant and Authentication)

func (DebugStorage) GetPrivateClaimsFromScopes 

func (s DebugStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clientID string, scopes []string) (claims map[string]any, err error)

GetPrivateClaimsFromScopes implements the op.Storage interface it will be called for the creation of a JWT access token to assert claims for custom scopes

func (DebugStorage) GetPrivateClaimsFromTokenExchangeRequest 

func (s DebugStorage) GetPrivateClaimsFromTokenExchangeRequest(ctx context.Context, request op.TokenExchangeRequest) (claims map[string]any, err error)

GetPrivateClaimsFromScopesForTokenExchange implements the op.TokenExchangeStorage interface it will be called for the creation of an exchanged JWT access token to assert claims for custom scopes plus adding token exchange specific claims related to delegation or impersonation

func (*DebugStorage) GetRefreshTokenInfo 

func (d *DebugStorage) GetRefreshTokenInfo(ctx context.Context, clientID string, token string) (userID string, tokenID string, err error)

func (DebugStorage) KeySet 

func (s DebugStorage) KeySet(ctx context.Context) ([]op.Key, error)

KeySet implements the op.Storage interface it will be called to get the current (public) keys, among others for the keys_endpoint or for validating access_tokens on the userinfo_endpoint, ...

func (*DebugStorage) RevokeToken 

func (d *DebugStorage) RevokeToken(ctx context.Context, tokenIDOrToken, userID, clientID string) *oidc.Error

func (*DebugStorage) SaveAuthCode 

func (d *DebugStorage) SaveAuthCode(ctx context.Context, id, code string) error

func (DebugStorage) SetIntrospectionFromToken 

func (s DebugStorage) SetIntrospectionFromToken(ctx context.Context, introspection *oidc.IntrospectionResponse, tokenID, subject, clientID string) error

SetIntrospectionFromToken implements the op.Storage interface it will be called for the introspection endpoint, so we read the token and pass the information from that to the private function

func (*DebugStorage) SetUserinfoFromRequest 

func (d *DebugStorage) SetUserinfoFromRequest(ctx context.Context, userinfo *oidc.UserInfo, token op.IDTokenRequest, scopes []string) error

func (DebugStorage) SetUserinfoFromScopes 

func (s DebugStorage) SetUserinfoFromScopes(ctx context.Context, userinfo *oidc.UserInfo, userID, clientID string, scopes []string) error

SetUserinfoFromScopes implements the op.Storage interface. Provide an empty implementation and use SetUserinfoFromRequest instead.

func (DebugStorage) SetUserinfoFromToken 

func (s DebugStorage) SetUserinfoFromToken(ctx context.Context, userinfo *oidc.UserInfo, tokenID, subject, origin string) error

SetUserinfoFromToken implements the op.Storage interface it will be called for the userinfo endpoint, so we read the token and pass the information from that to the private function

func (DebugStorage) SetUserinfoFromTokenExchangeRequest 

func (s DebugStorage) SetUserinfoFromTokenExchangeRequest(ctx context.Context, userinfo *oidc.UserInfo, request op.TokenExchangeRequest) error

SetUserinfoFromScopesForTokenExchange implements the op.TokenExchangeStorage interface it will be called for the creation of an id_token - we are using the same private function as for other flows, plus adding token exchange specific claims related to delegation or impersonation

func (DebugStorage) SignatureAlgorithms 

func (s DebugStorage) SignatureAlgorithms(ctx context.Context) ([]jose.SignatureAlgorithm, error)

SignatureAlgorithms implements the op.Storage interface it will be called to get the sign

func (DebugStorage) SigningKey 

func (s DebugStorage) SigningKey(ctx context.Context) (op.SigningKey, error)

SigningKey implements the op.Storage interface it will be called when creating the OpenID Provider

func (DebugStorage) StoreDeviceAuthorization 

func (s DebugStorage) StoreDeviceAuthorization(ctx context.Context, clientID, deviceCode, userCode string, expires time.Time, scopes []string) error

func (*DebugStorage) TerminateSession 

func (d *DebugStorage) TerminateSession(ctx context.Context, userID, clientID string) error

func (*DebugStorage) TokenRequestByRefreshToken 

func (d *DebugStorage) TokenRequestByRefreshToken(ctx context.Context, refreshToken string) (op.RefreshTokenRequest, error)

func (DebugStorage) ValidateTokenExchangeRequest 

func (s DebugStorage) ValidateTokenExchangeRequest(ctx context.Context, request op.TokenExchangeRequest) error

ValidateTokenExchangeRequest implements the op.TokenExchangeStorage interface it will be called to validate parsed Token Exchange Grant request

type JWTKey 

type JWTKey struct {
	KeyID     string                   `yaml:"id"`
	Algorithm jose.SignatureAlgorithm  `yaml:"alg"`
	Key       *cryptutil.RSAPrivateKey `yaml:"key"`
}

func (*JWTKey) ID 

func (k *JWTKey) ID() string

type RefreshToken 

type RefreshToken struct {
	ID         string
	Token      string
	AuthTime   time.Time
	AMR        []string
	Audience   []string
	UserID     string
	ClientID   string
	Expiration time.Time
	Scopes     []string
}

type RefreshTokenRequest 

type RefreshTokenRequest struct {
	*RefreshToken
}

func (*RefreshTokenRequest) GetAMR 

func (r *RefreshTokenRequest) GetAMR() []string

func (*RefreshTokenRequest) GetAudience 

func (r *RefreshTokenRequest) GetAudience() []string

func (*RefreshTokenRequest) GetAuthTime 

func (r *RefreshTokenRequest) GetAuthTime() time.Time

func (*RefreshTokenRequest) GetClientID 

func (r *RefreshTokenRequest) GetClientID() string

func (*RefreshTokenRequest) GetScopes 

func (r *RefreshTokenRequest) GetScopes() []string

func (*RefreshTokenRequest) GetSubject 

func (r *RefreshTokenRequest) GetSubject() string

func (*RefreshTokenRequest) SetCurrentScopes 

func (r *RefreshTokenRequest) SetCurrentScopes(scopes []string)

type Storage 

type Storage struct {
	// contains filtered or unexported fields
}

Storage implements the op.Storage interface.

func NewStorageWithClients 

func NewStorageWithClients(dbPath string, users userdb.Backend, clients map[string]*Client) (*Storage, error)

func (Storage) AuthRequestByCode 

func (s Storage) AuthRequestByCode(ctx context.Context, code string) (op.AuthRequest, error)

AuthRequestByCode implements the op.Storage interface it will be called after parsing and validation of the token request (in an authorization code flow)

func (Storage) AuthRequestByID 

func (s Storage) AuthRequestByID(ctx context.Context, id string) (op.AuthRequest, error)

AuthRequestByID implements the op.Storage interface it will be called after the Login UI redirects back to the OIDC endpoint

func (Storage) AuthorizeClientIDSecret 

func (s Storage) AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string) error

AuthorizeClientIDSecret implements the op.Storage interface it will be called for validating the client_id, client_secret on token or introspection requests

func (*Storage) ClientCredentials 

func (s *Storage) ClientCredentials(ctx context.Context, clientID, clientSecret string) (op.Client, error)

func (*Storage) ClientCredentialsTokenRequest 

func (s *Storage) ClientCredentialsTokenRequest(ctx context.Context, clientID string, scopes []string) (op.TokenRequest, error)

func (*Storage) Close 

func (s *Storage) Close()

func (Storage) CompleteDeviceAuthorization 

func (s Storage) CompleteDeviceAuthorization(ctx context.Context, userCode, subject string) error

func (Storage) CreateAccessAndRefreshTokens 

func (s Storage) CreateAccessAndRefreshTokens(ctx context.Context, request op.TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshToken string, expiration time.Time, err error)

CreateAccessAndRefreshTokens implements the op.Storage interface it will be called for all requests able to return an access and refresh token (Authorization Code Flow, Refresh Token Request)

func (Storage) CreateAccessToken 

func (s Storage) CreateAccessToken(ctx context.Context, request op.TokenRequest) (string, time.Time, error)

CreateAccessToken implements the op.Storage interface it will be called for all requests able to return an access token (Authorization Code Flow, Implicit Flow, JWT Profile, ...)

func (Storage) CreateAuthRequest 

func (s Storage) CreateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, userID string) (op.AuthRequest, error)

CreateAuthRequest implements the op.Storage interface it will be called after parsing and validation of the authentication request

func (Storage) CreateTokenExchangeRequest 

func (s Storage) CreateTokenExchangeRequest(ctx context.Context, request op.TokenExchangeRequest) error

ValidateTokenExchangeRequest implements the op.TokenExchangeStorage interface Common use case is to store request for audit purposes. For this example we skip the storing.

func (Storage) DeleteAuthRequest 

func (s Storage) DeleteAuthRequest(ctx context.Context, id string) error

DeleteAuthRequest implements the op.Storage interface it will be called after creating the token response (id and access tokens) for a valid - authentication request (in an implicit flow) - token request (in an authorization code flow)

func (Storage) DenyDeviceAuthorization 

func (s Storage) DenyDeviceAuthorization(ctx context.Context, userCode string) error

func (Storage) FinalizeAuthRequest 

func (s Storage) FinalizeAuthRequest(ctx context.Context, id, userID string) error

func (Storage) GetClientByClientID 

func (s Storage) GetClientByClientID(ctx context.Context, clientID string) (op.Client, error)

GetClientByClientID implements the op.Storage interface it will be called whenever information (type, redirect_uris, ...) about the client behind the client_id is needed

func (Storage) GetDeviceAuthorizationByUserCode 

func (s Storage) GetDeviceAuthorizationByUserCode(ctx context.Context, userCode string) (*op.DeviceAuthorizationState, error)

func (Storage) GetDeviceAuthorizatonState 

func (s Storage) GetDeviceAuthorizatonState(ctx context.Context, clientID, deviceCode string) (*op.DeviceAuthorizationState, error)

func (Storage) GetKeyByIDAndClientID 

func (s Storage) GetKeyByIDAndClientID(ctx context.Context, keyID, clientID string) (*jose.JSONWebKey, error)

GetKeyByIDAndClientID implements the op.Storage interface it will be called to validate the signatures of a JWT (JWT Profile Grant and Authentication)

func (Storage) GetPrivateClaimsFromScopes 

func (s Storage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clientID string, scopes []string) (claims map[string]any, err error)

GetPrivateClaimsFromScopes implements the op.Storage interface it will be called for the creation of a JWT access token to assert claims for custom scopes

func (Storage) GetPrivateClaimsFromTokenExchangeRequest 

func (s Storage) GetPrivateClaimsFromTokenExchangeRequest(ctx context.Context, request op.TokenExchangeRequest) (claims map[string]any, err error)

GetPrivateClaimsFromScopesForTokenExchange implements the op.TokenExchangeStorage interface it will be called for the creation of an exchanged JWT access token to assert claims for custom scopes plus adding token exchange specific claims related to delegation or impersonation

func (Storage) GetRefreshTokenInfo 

func (s Storage) GetRefreshTokenInfo(ctx context.Context, clientID string, token string) (userID string, tokenID string, err error)

GetRefreshTokenInfo looks up a refresh token and returns the token id and user id. If given something that is not a refresh token, it must return error.

func (*Storage) Health 

func (s *Storage) Health(ctx context.Context) error

Health implements the op.Storage interface

func (Storage) KeySet 

func (s Storage) KeySet(ctx context.Context) ([]op.Key, error)

KeySet implements the op.Storage interface it will be called to get the current (public) keys, among others for the keys_endpoint or for validating access_tokens on the userinfo_endpoint, ...

func (Storage) RevokeToken 

func (s Storage) RevokeToken(ctx context.Context, tokenIDOrToken string, userID string, clientID string) *oidc.Error

RevokeToken implements the op.Storage interface it will be called after parsing and validation of the token revocation request

func (Storage) SaveAuthCode 

func (s Storage) SaveAuthCode(ctx context.Context, id string, code string) error

SaveAuthCode implements the op.Storage interface it will be called after the authentication has been successful and before redirecting the user agent to the redirect_uri (in an authorization code flow)

func (Storage) SetIntrospectionFromToken 

func (s Storage) SetIntrospectionFromToken(ctx context.Context, introspection *oidc.IntrospectionResponse, tokenID, subject, clientID string) error

SetIntrospectionFromToken implements the op.Storage interface it will be called for the introspection endpoint, so we read the token and pass the information from that to the private function

func (Storage) SetUserinfoFromRequest 

func (s Storage) SetUserinfoFromRequest(ctx context.Context, userinfo *oidc.UserInfo, token op.IDTokenRequest, scopes []string) error

SetUserinfoFromRequests implements the op.CanSetUserinfoFromRequest interface. In the next major release, it will be required for op.Storage. It will be called for the creation of an id_token, so we'll just pass it to the private function without any further check

func (Storage) SetUserinfoFromScopes 

func (s Storage) SetUserinfoFromScopes(ctx context.Context, userinfo *oidc.UserInfo, userID, clientID string, scopes []string) error

SetUserinfoFromScopes implements the op.Storage interface. Provide an empty implementation and use SetUserinfoFromRequest instead.

func (Storage) SetUserinfoFromToken 

func (s Storage) SetUserinfoFromToken(ctx context.Context, userinfo *oidc.UserInfo, tokenID, subject, origin string) error

SetUserinfoFromToken implements the op.Storage interface it will be called for the userinfo endpoint, so we read the token and pass the information from that to the private function

func (Storage) SetUserinfoFromTokenExchangeRequest 

func (s Storage) SetUserinfoFromTokenExchangeRequest(ctx context.Context, userinfo *oidc.UserInfo, request op.TokenExchangeRequest) error

SetUserinfoFromScopesForTokenExchange implements the op.TokenExchangeStorage interface it will be called for the creation of an id_token - we are using the same private function as for other flows, plus adding token exchange specific claims related to delegation or impersonation

func (Storage) SignatureAlgorithms 

func (s Storage) SignatureAlgorithms(ctx context.Context) ([]jose.SignatureAlgorithm, error)

SignatureAlgorithms implements the op.Storage interface it will be called to get the sign

func (Storage) SigningKey 

func (s Storage) SigningKey(ctx context.Context) (op.SigningKey, error)

SigningKey implements the op.Storage interface it will be called when creating the OpenID Provider

func (Storage) StoreDeviceAuthorization 

func (s Storage) StoreDeviceAuthorization(ctx context.Context, clientID, deviceCode, userCode string, expires time.Time, scopes []string) error

func (Storage) TerminateSession 

func (s Storage) TerminateSession(ctx context.Context, userID string, clientID string) error

TerminateSession implements the op.Storage interface it will be called after the user signed out, therefore the access and refresh token of the user of this client must be removed

func (Storage) TokenRequestByRefreshToken 

func (s Storage) TokenRequestByRefreshToken(ctx context.Context, refreshToken string) (op.RefreshTokenRequest, error)

TokenRequestByRefreshToken implements the op.Storage interface it will be called after parsing and validation of the refresh token request

func (*Storage) ValidateJWTProfileScopes 

func (s *Storage) ValidateJWTProfileScopes(ctx context.Context, userID string, scopes []string) ([]string, error)

ValidateJWTProfileScopes implements the op.Storage interface it will be called to validate the scopes of a JWT Profile Authorization Grant request

func (Storage) ValidateTokenExchangeRequest 

func (s Storage) ValidateTokenExchangeRequest(ctx context.Context, request op.TokenExchangeRequest) error

ValidateTokenExchangeRequest implements the op.TokenExchangeStorage interface it will be called to validate parsed Token Exchange Grant request

type Token 

type Token struct {
	ID             string
	ClientID       string
	Subject        string
	RefreshTokenID string
	Audience       []string
	Expiration     time.Time
	Scopes         []string
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.