Documentation ¶
Index ¶
- Variables
- func ErrorJSONResponse(w http.ResponseWriter, code int, errType ErrorType, errMsg string) error
- func ErrorRedirectResponse(w http.ResponseWriter, r *http.Request, redirectUrl string, errType ErrorType, ...)
- type ErrorType
- type Flags
- type Policies
- type Server
- func (s *Server) AddGrantType(gt types.GrantType)
- func (s *Server) Cleanup()
- func (s *Server) HandleAuthorizationCodeAuthorizationRequest(w http.ResponseWriter, r *http.Request) error
- func (s *Server) HandleAuthorizationCodeTokenRequest(w http.ResponseWriter, r *http.Request) error
- func (s *Server) HandleClientCredentialsRequest(w http.ResponseWriter, r *http.Request) error
- func (s *Server) HandleDeviceCodeAuthorizationRequest(w http.ResponseWriter, r *http.Request) error
- func (s *Server) HandleDeviceCodeTokenRequest(w http.ResponseWriter, r *http.Request) error
- func (s *Server) HandleDeviceCodeUserAuthorization(w http.ResponseWriter, r *http.Request) error
- func (s *Server) HandleImplicitAuthorizationRequest(w http.ResponseWriter, r *http.Request) error
- func (s *Server) HandleResourceOwnerPasswordCredentialsRequest(w http.ResponseWriter, r *http.Request) error
- func (s *Server) HandleUserLogin(w http.ResponseWriter, r *http.Request) error
- func (s *Server) HandleUserLogout(w http.ResponseWriter, r *http.Request) error
- func (s *Server) HasGrantType(gt types.GrantType) bool
- func (s *Server) RemoveGrantType(gt types.GrantType)
- func (s *Server) ResetGrantTypes()
- type Session
- type Storage
- type Templates
- type URLs
Constants ¶
This section is empty.
Variables ¶
var (
ErrLoggedIn = errors.New("user is already logged in")
)
Functions ¶
func ErrorJSONResponse ¶
func ErrorRedirectResponse ¶
Types ¶
type Flags ¶
type Flags struct {
	// PKCE = Proof Key for Code Exchange. Used on top of the Authorization Code Grant.
	PKCE bool
	// OIDC = OpenID Connect. If you set this to true, PKCE is enabled regardless of value.
	OIDC bool
}
Flags contains feature flags for the Authorization Code Grant to enable/disable particular features.
type Policies ¶
type Policies struct {
	// DeviceCodeLength sets the length in bytes a generated device code for the Device Code Grant should have.
	DeviceCodeLength int
	// UserCodeLength sets the length in bytes a generated user code for the Device Code Grant should have.
	//
	// Deprecated: use the new UserCodeGenerator field instead.
	UserCodeLength int
	// AccessTokenLength sets the length in bytes of a generated access token.
	AccessTokenLength int
	// RefreshTokenLength sets the length in bytes of a generated refresh token.
	RefreshTokenLength int
	// ClientSecretLength sets the length in bytes of a generated client secret for a newly created client.
	ClientSecretLength int
	// IDTokenLength relates to OpenID Connect and sets the length in bytes of a generated ID token.
	IDTokenLength int
	// SessionLifetime sets the maximum lifetime of a user session.
	SessionLifetime time.Duration
	// AccessTokenLifetime sets the maximum lifetime of an access token.
	AccessTokenLifetime time.Duration
	// RefreshTokenLifetime sets the maximum lifetime of a refresh token.
	RefreshTokenLifetime time.Duration
}
Policies represents constraints and requirements for proper operation.
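The length fields are byte counts of random material and the lifetime fields are absolute bounds the server enforces, which is what makes them security policies rather than cosmetics. The following is an added example, not code from this library: it uses a constructed stand-in (tokenPolicy) for the AccessTokenLength and AccessTokenLifetime fields and a hypothetical generator (newAccessToken, not the library's token.TokenGenerator) to show how a token that honours the policy is produced from crypto/rand, and how the resource side validates it in constant time against the stored expiry.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// tokenPolicy is a constructed stand-in for the two Policies fields this
// example uses (AccessTokenLength in bytes, AccessTokenLifetime as a duration).
type tokenPolicy struct {
	AccessTokenLength   int
	AccessTokenLifetime time.Duration
}

// issuedToken is what a token store keeps per access token: the opaque value
// and the absolute expiry computed from the policy at issue time.
type issuedToken struct {
	Value     string
	ExpiresAt time.Time
}

// newAccessToken is a hypothetical generator (not the library's
// token.TokenGenerator): it draws exactly AccessTokenLength bytes from
// crypto/rand and encodes them URL-safe without padding. Lengths below
// 16 bytes (128 bits) are refused because guessing becomes feasible.
func newAccessToken(p tokenPolicy, now time.Time) (issuedToken, error) {
	if p.AccessTokenLength < 16 {
		return issuedToken{}, errors.New("AccessTokenLength below 16 bytes is too weak")
	}
	if p.AccessTokenLifetime <= 0 {
		return issuedToken{}, errors.New("AccessTokenLifetime must be positive")
	}
	raw := make([]byte, p.AccessTokenLength)
	if _, err := rand.Read(raw); err != nil {
		return issuedToken{}, err
	}
	return issuedToken{
		Value:     base64.RawURLEncoding.EncodeToString(raw),
		ExpiresAt: now.Add(p.AccessTokenLifetime),
	}, nil
}

// rawLength decodes a token and reports how many random bytes back it,
// i.e. whether the policy length was honoured. Returns -1 on bad encoding.
func rawLength(token string) int {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return -1
	}
	return len(raw)
}

// validate is the resource-side check: compare in constant time so the
// comparison does not leak how many leading characters matched, then
// enforce the lifetime from the stored expiry, never from anything the
// client presents.
func validate(stored issuedToken, presented string, now time.Time) error {
	if subtle.ConstantTimeCompare([]byte(stored.Value), []byte(presented)) != 1 {
		return errors.New("invalid token")
	}
	if !now.Before(stored.ExpiresAt) {
		return errors.New("token expired")
	}
	return nil
}

func main() {
	policy := tokenPolicy{AccessTokenLength: 32, AccessTokenLifetime: time.Hour}
	now := time.Now()
	tok, err := newAccessToken(policy, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("token backed by %d random bytes, expires %s\n", rawLength(tok.Value), tok.ExpiresAt.Format(time.RFC3339))
	fmt.Println("within lifetime:", validate(tok, tok.Value, now.Add(30*time.Minute)))
	fmt.Println("after lifetime:", validate(tok, tok.Value, now.Add(2*time.Hour)))
}
```

The expiry is fixed when the token is issued and stored next to it, so a later change to AccessTokenLifetime affects only new tokens; the lower bound of 16 bytes is this example's choice and is not a value taken from the library.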
type Server ¶
type Server struct {
	// PublicBaseURL is the public facing URL containing scheme, hostname and port, if required.
	// It is used to construct redirect URLs.
	PublicBaseURL string
	// Storage contains the necessary storage implementations.
	Storage Storage
	// Template contains HTML templates as byte slices used for displaying to the user, e.g. login form.
	Template Templates
	// Flags are feature flags meant to enable certain features.
	Flags Flags
	// Policies restrict certain values, e.g. the length of certain strings or the validity durations.
	Policies Policies
	// Session contains session and cookie configuration values.
	Session Session
	// URLs contain paths and URLs for internal redirects.
	URLs URLs
	// TokenGenerator is a source used to generate tokens.
	TokenGenerator token.TokenGenerator
	// UserCodeGenerator is a source used to generate user codes for the device flow.
	UserCodeGenerator usercode.Generator
	// ErrorRedirect and ErrorResponse are the callbacks used to report errors to the client;
	// compare the package-level ErrorRedirectResponse and ErrorJSONResponse functions.
	ErrorRedirect func(http.ResponseWriter, *http.Request, string, ErrorType, string, string)
	ErrorResponse func(http.ResponseWriter, int, ErrorType, string) error
	// contains filtered or unexported fields
}
A Server handles all HTTP requests relevant to the OAuth2 authorization processes. If a Server's exported fields are modified after first use, the behavior is undefined.
func NewDefaultServer ¶
func NewDefaultServer() *Server
NewDefaultServer returns a *Server with set default values:
PublicBaseURL: is set to 'http://localhost' without a port. It is required for redirect-based authorization flows.
Storage: each store uses a corresponding in-memory implementation, e.g. MemoryClientStorage.
Templates: the default templates from this library are used. They are not overly pretty, but they get their job done.
Flags: all flags remain at their default value.
Policies: sensible lengths and lifetimes that ensure a certain degree of security.
TokenGenerator: uses a ready-to-use in-memory implementation, namely DefaultTokenGenerator.
UserCodeGenerator: uses a ready-to-use in-memory implementation, namely DefaultUserCodeGenerator.
grantTypes: all implemented grant types are listed here.
You should probably alter the PublicBaseURL and add at least one Client and one User.
func NewEmptyServer ¶
func NewEmptyServer() *Server
NewEmptyServer returns a *Server with just the base setup.
func (*Server) AddGrantType ¶
AddGrantType adds the given grant type to the current list of enabled grant types for the server s. A grant type not listed might not be available, depending on the caller's usage. You can use this call to change the availability of a given grant type while the Server is in use.
func (*Server) Cleanup ¶ added in v0.2.1
func (s *Server) Cleanup()
Cleanup should be executed when the Server is not required anymore, typically at app shutdown. Cleanup frees resources used by the Server.
func (*Server) HandleAuthorizationCodeAuthorizationRequest ¶
func (s *Server) HandleAuthorizationCodeAuthorizationRequest(w http.ResponseWriter, r *http.Request) error
HandleAuthorizationCodeAuthorizationRequest handles the initial user authorization of scopes and returns a code. This is step 1 of 2.
func (*Server) HandleAuthorizationCodeTokenRequest ¶
HandleAuthorizationCodeTokenRequest exchanges a code for an access token. This is step 2 of 2.
func (*Server) HandleClientCredentialsRequest ¶
HandleClientCredentialsRequest expects a POST request sending client ID and client secret of a client and, in case of correct credentials, exchanges them for an access token.
func (*Server) HandleDeviceCodeAuthorizationRequest ¶
HandleDeviceCodeAuthorizationRequest handles the request to initiate the device code flow by returning the device code, the user code and a validation URL. This is step 1 of 3.
func (*Server) HandleDeviceCodeTokenRequest ¶
HandleDeviceCodeTokenRequest exchanges a device code for an access token. This is step 3 of 3.
func (*Server) HandleDeviceCodeUserAuthorization ¶
HandleDeviceCodeUserAuthorization displays a template that allows the user to authorize or cancel the request. This is step 2 of 3.
func (*Server) HandleImplicitAuthorizationRequest ¶
func (*Server) HandleResourceOwnerPasswordCredentialsRequest ¶
func (s *Server) HandleResourceOwnerPasswordCredentialsRequest(w http.ResponseWriter, r *http.Request) error
HandleResourceOwnerPasswordCredentialsRequest expects a POST request sending username and password of a resource owner and, in case of correct credentials, exchanges them for an access token.
func (*Server) HandleUserLogin ¶
HandleUserLogin displays the login template on a GET request and handles the login process on a POST request. On success, HandleUserLogin sets a session cookie and saves the session, linked to the user.
func (*Server) HandleUserLogout ¶
HandleUserLogout reads the session cookie and removes the session linked to the user, effectively logging the user out.
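Every Handle* method above has the signature func(http.ResponseWriter, *http.Request) error, which net/http cannot mount directly. The following is an added example, not code from this library, showing one way to adapt such handlers for an http.ServeMux: the adapter (adapt, statusRecorder and the sample handlers are all constructed names) logs the returned error server-side and answers with a generic 500 only when the handler has not already written a response, so that internal detail in the error never reaches the client.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// errHandler is the signature shared by the Server's Handle* methods.
type errHandler func(http.ResponseWriter, *http.Request) error

// statusRecorder wraps the ResponseWriter to remember whether the handler
// already wrote a status or body (e.g. via its own ErrorResponse callback).
type statusRecorder struct {
	http.ResponseWriter
	wrote bool
}

func (s *statusRecorder) WriteHeader(code int) {
	s.wrote = true
	s.ResponseWriter.WriteHeader(code)
}

func (s *statusRecorder) Write(b []byte) (int, error) {
	s.wrote = true
	return s.ResponseWriter.Write(b)
}

// adapt turns an error-returning handler into an http.HandlerFunc. The error
// text goes to the server log only; the client gets a generic 500 if nothing
// was written yet, and an already-written response is left untouched.
func adapt(h errHandler) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		rec := &statusRecorder{ResponseWriter: w}
		if err := h(rec, r); err != nil {
			log.Printf("%s %s: %v", r.Method, r.URL.Path, err)
			if !rec.wrote {
				http.Error(rec, "internal server error", http.StatusInternalServerError)
			}
		}
	}
}

// serve drives an adapted handler with a constructed request and returns the
// status code and body the client would observe.
func serve(h errHandler, method, path string) (int, string) {
	rr := httptest.NewRecorder()
	adapt(h).ServeHTTP(rr, httptest.NewRequest(method, path, nil))
	return rr.Code, rr.Body.String()
}

// Three constructed handlers standing in for Server methods:

// okHandler completes normally.
func okHandler(w http.ResponseWriter, r *http.Request) error {
	w.WriteHeader(http.StatusNoContent)
	return nil
}

// failingHandler fails before writing anything; the error carries a
// constructed connection string that must not be echoed to the client.
func failingHandler(w http.ResponseWriter, r *http.Request) error {
	return errors.New("storage unavailable: dsn=postgres://svc:secret@db/oauth")
}

// handledHandler has already reported the problem to the client and returns
// the error only for logging, so the adapter must not overwrite its response.
func handledHandler(w http.ResponseWriter, r *http.Request) error {
	http.Error(w, "bad request", http.StatusBadRequest)
	return errors.New("missing client_id")
}

func main() {
	for name, h := range map[string]errHandler{"ok": okHandler, "failing": failingHandler, "handled": handledHandler} {
		code, body := serve(h, http.MethodPost, "/token")
		fmt.Printf("%-8s -> %d %q\n", name, code, body)
	}
}
```

With a real Server the same wrapper is used as mux.Handle(s.URLs.Login, adapt(s.HandleUserLogin)) and likewise for the other Handle* methods; the constructed handlers here exist only so the block runs without the library.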
func (*Server) RemoveGrantType ¶
RemoveGrantType removes the given grant type from the current list of enabled grant types for the server s. You can use this call to change the availability of a given grant type while the Server is in use.
func (*Server) ResetGrantTypes ¶
func (s *Server) ResetGrantTypes()
ResetGrantTypes empties the internal list of enabled grant types.
type Session ¶
type Session struct {
	// CookieName represents the name of the cookie to be set for storing the session ID.
	CookieName string
	// HTTPOnly specifies whether the session cookie has the HTTPOnly flag set.
	HTTPOnly bool
	// Secure specifies whether the session cookie has the Secure flag set (only for HTTPS).
	Secure bool
}
Session contains session and cookie settings.
type Storage ¶
type Storage struct {
	// DeviceCodeRequestStorage stores requests for the Device Code Grant. Must be set for Device Code Grant.
	DeviceCodeRequestStorage storage.DeviceCodeStorage
	// AuthorizationCodeRequestStorage stores requests for the Authorization Code Grant.
	AuthorizationCodeRequestStorage storage.AuthorizationCodeRequestStorage
	// SessionStorage stores active user sessions. Required for all redirect-based grant flows.
	SessionStorage storage.SessionStorage
	// UserStorage stores user information and credentials. Required for all flows but the Client Credentials Grant flow.
	UserStorage storage.UserStorage
	// ClientStorage stores client information. Required for all grant flows.
	ClientStorage storage.ClientStorage
	// TokenStorage stores tokens, refresh tokens and related information. Required for all grant flows.
	TokenStorage storage.TokenStorage
}
Storage contains the storage implementations required for operations.
type Templates ¶
type Templates struct {
	// Login represents the login HTML template for redirect based flows.
	Login []byte
	// AuthorizationCode represents the authorization page shown to the user when authorizing using the Authorization Code Grant.
	AuthorizationCode []byte
	// ImplicitGrant represents the authorization page shown to the user when authorizing using the Implicit Grant.
	ImplicitGrant []byte
	// DeviceCode represents the authorization page shown to the user when authorizing using the Device Code Grant.
	DeviceCode []byte
	// Though PKCE is based on the Authorization Code Grant, you can still choose a different template.
	PKCE []byte
	// Though OIDC is based on the Authorization Code Grant, you can still choose a different template.
	OIDC []byte
}
Templates contains the HTML templates displayed for the user.
type URLs ¶
type URLs struct {
	// Login is the target URL for the user login page, e.g. /user_login.
	Login string
	// Logout is the target URL for the user logout page, e.g. /user_logout.
	Logout string
	// DeviceCode is the target URL for the Device Code user authorization page.
	DeviceCode string
	// AuthorizationCode is the target URL for the Authorization Code user authorization page.
	AuthorizationCode string
	// Implicit is the target URL for the Implicit Grant user authorization page.
	Implicit string
}
URLs contains paths and/or URLs to the endpoints/routes defined by the caller. If you only use Client Credentials Grant + Resource Owner Password Credentials Grant, no URLs need to be set, since these grant flows are not redirect-based.