Documentation ¶
Index ¶
- Variables
- type BrowserStateUserSessionResolver
- type ConsentRecordResolver
- type GrantedScopeCollector
- type IdTokenHintUserSessionResolver
- type InteractionStateCollector
- func (c *InteractionStateCollector) AddScope(scope oidc.Scope)
- func (c *InteractionStateCollector) AddSession(session *user.Session)
- func (c *InteractionStateCollector) ClearAllScopes()
- func (c *InteractionStateCollector) ClearAllSessions()
- func (c *InteractionStateCollector) ContainsScope(scope oidc.Scope) bool
- func (c *InteractionStateCollector) ForEachGrantedScope(callback func(scope oidc.Scope) error) error
- func (c *InteractionStateCollector) ForEachSession(callback func(session *user.Session) error) error
- func (c *InteractionStateCollector) GetFirst() *user.Session
- func (c *InteractionStateCollector) HasGrantedScope(scope oidc.Scope) bool
- func (c *InteractionStateCollector) HasMarkedConsentStage() bool
- func (c *InteractionStateCollector) HasMarkedSubjectStage() bool
- func (c *InteractionStateCollector) MarkConsentStage()
- func (c *InteractionStateCollector) MarkSubjectStage()
- func (c *InteractionStateCollector) MarshalJSON() ([]byte, error)
- func (c *InteractionStateCollector) NumberOfGrantedScopes() int
- func (c *InteractionStateCollector) NumberOfSessions() int
- func (c *InteractionStateCollector) RemoveSession(subject string)
- func (c *InteractionStateCollector) UnmarshalJSON(raw []byte) error
- type Params
- type Parser
- func (s *Parser) ParseFirstAuthorize(ctx context.Context, r *http.Request) (req *Request, err error)
- func (s *Parser) ParseInteraction(ctx context.Context, r *http.Request) (req *Request, err error)
- func (s *Parser) ParseResumeAuthorize(ctx context.Context, r *http.Request) (req *Request, err error)
- type PromptLogicConsentResolver
- type PromptLogicUserSessionResolver
- type RedisRequestStorage
- type Request
- type RequestObjectStrategy
- type RequestStorage
- type Response
- type Rule
- type RuleSet
- type UserConsentResolver
- type UserSessionCollector
- type UserSessionResolver
Constants ¶
This section is empty.
Variables ¶
var ( ErrRequestObjectAndReference = fmt.Errorf(`%w: only one of "request" or "request_uri" may be specified'`, oidc.ErrInvalidRequest) ErrRequestExpired = fmt.Errorf(`%w: request had expired`, oidc.ErrInvalidRequest) ErrRequestUriUnregistered = fmt.Errorf(`%w: "request_uri" was not pre-registered`, oidc.ErrInvalidRequestUri) )
var (
ErrClientIdMismatch = fmt.Errorf(`%w: "client_id" mismatch`, oidc.ErrInvalidRequest)
)
var (
ErrRequestNotFound = fmt.Errorf("%w: request not found or have expired", oidc.ErrInvalidRequest)
)
var (
InteractionSignal = errors.New("interaction required")
)
Functions ¶
This section is empty.
Types ¶
type BrowserStateUserSessionResolver ¶
type BrowserStateUserSessionResolver struct{}
BrowserStateUserSessionResolver resolves user subject by adding all valid user sessions represented by the browser state into the collector. A valid session must not be expired and must not exceed request max age. This implementation assumes browser state has been set on the context.
func (BrowserStateUserSessionResolver) Resolve ¶
func (r BrowserStateUserSessionResolver) Resolve(ctx context.Context, ar *Request, collector UserSessionCollector) error
type ConsentRecordResolver ¶
type ConsentRecordResolver struct {
ConsentStorage user.ConsentStorage
}
ConsentRecordResolver is an implementation of UserConsentResolver that go through the granted scopes of all non-expired user consent record, and add any requested scope to the collector. To use this resolver, Request.Interaction must have resolved a single user session, which indicates the subject for consent records.
func (*ConsentRecordResolver) Resolve ¶
func (r *ConsentRecordResolver) Resolve(ctx context.Context, ar *Request, collector GrantedScopeCollector) error
type GrantedScopeCollector ¶
type GrantedScopeCollector interface { // AddScope adds a scope to collector AddScope(scope oidc.Scope) // ContainsScope returns true if the collector has the scope ContainsScope(scope oidc.Scope) bool // ClearAllScopes removes all scopes from collector ClearAllScopes() // NumberOfGrantedScopes returns the total number of collected scopes NumberOfGrantedScopes() int // ForEachGrantedScope iterates all collected granted scopes and invoke the callback. // Iteration order is not stable. Any error is immediately returned. ForEachGrantedScope(callback func(scope oidc.Scope) error) error }
GrantedScopeCollector holds candidate of previously granted scopes by the user.
type IdTokenHintUserSessionResolver ¶
type IdTokenHintUserSessionResolver struct { ServerJwks *gojosev2.JSONWebKeySet ClientJwksStrategy client.KeySetStrategy PairwiseSalt []byte Logger *zerolog.Logger }
IdTokenHintUserSessionResolver is an implementation of UserSessionResolver that selects the hinted subject session from current candidates and eliminates non-hinted candidate sessions. For any session to be eliminated, the subject field of the id_token_hint must match the subject field of the candidate user session, according to subject_type rules (i.e. may need to perform pseudonymous subject calculation on the candidate subject in order to match).
func (*IdTokenHintUserSessionResolver) Resolve ¶
func (r *IdTokenHintUserSessionResolver) Resolve(ctx context.Context, ar *Request, collector UserSessionCollector) error
type InteractionStateCollector ¶
type InteractionStateCollector struct {
// contains filtered or unexported fields
}
InteractionStateCollector maintains the state before and during the user interaction process. Its result will directly determined if the request can be forwarded to process, or redirected to user interaction, or just denied.
func NewInteractionStateCollector ¶
func NewInteractionStateCollector() *InteractionStateCollector
Create a new interaction state collector with fields initialized to non-nil
func (*InteractionStateCollector) AddScope ¶
func (c *InteractionStateCollector) AddScope(scope oidc.Scope)
func (*InteractionStateCollector) AddSession ¶
func (c *InteractionStateCollector) AddSession(session *user.Session)
func (*InteractionStateCollector) ClearAllScopes ¶
func (c *InteractionStateCollector) ClearAllScopes()
func (*InteractionStateCollector) ClearAllSessions ¶
func (c *InteractionStateCollector) ClearAllSessions()
func (*InteractionStateCollector) ContainsScope ¶
func (c *InteractionStateCollector) ContainsScope(scope oidc.Scope) bool
func (*InteractionStateCollector) ForEachGrantedScope ¶
func (c *InteractionStateCollector) ForEachGrantedScope(callback func(scope oidc.Scope) error) error
func (*InteractionStateCollector) ForEachSession ¶
func (c *InteractionStateCollector) ForEachSession(callback func(session *user.Session) error) error
func (*InteractionStateCollector) GetFirst ¶
func (c *InteractionStateCollector) GetFirst() *user.Session
func (*InteractionStateCollector) HasGrantedScope ¶
func (c *InteractionStateCollector) HasGrantedScope(scope oidc.Scope) bool
func (*InteractionStateCollector) HasMarkedConsentStage ¶
func (c *InteractionStateCollector) HasMarkedConsentStage() bool
func (*InteractionStateCollector) HasMarkedSubjectStage ¶
func (c *InteractionStateCollector) HasMarkedSubjectStage() bool
func (*InteractionStateCollector) MarkConsentStage ¶
func (c *InteractionStateCollector) MarkConsentStage()
func (*InteractionStateCollector) MarkSubjectStage ¶
func (c *InteractionStateCollector) MarkSubjectStage()
func (*InteractionStateCollector) MarshalJSON ¶
func (c *InteractionStateCollector) MarshalJSON() ([]byte, error)
func (*InteractionStateCollector) NumberOfGrantedScopes ¶
func (c *InteractionStateCollector) NumberOfGrantedScopes() int
func (*InteractionStateCollector) NumberOfSessions ¶
func (c *InteractionStateCollector) NumberOfSessions() int
func (*InteractionStateCollector) RemoveSession ¶
func (c *InteractionStateCollector) RemoveSession(subject string)
func (*InteractionStateCollector) UnmarshalJSON ¶
func (c *InteractionStateCollector) UnmarshalJSON(raw []byte) error
type Params ¶
type Params struct { ClientId string `json:"client_id"` ResponseType string `json:"response_type"` RedirectUri string `json:"redirect_uri"` Scope string `json:"scope"` State string `json:"state"` ResponseMode string `json:"response_mode"` Nonce string `json:"nonce"` Display string `json:"display"` Prompt string `json:"prompt"` MaxAge string `json:"max_age"` UiLocales string `json:"ui_locales"` IdTokenHint string `json:"id_token_hint"` LoginHint string `json:"login_hint"` AcrValues string `json:"acr_values"` Claims json.RawMessage `json:"claims"` ClaimsLocales string `json:"claims_locales"` CodeChallenge string `json:"code_challenge"` CodeChallengeMethod string `json:"code_challenge_method"` // AudienceHint is a custom parameter that requests may include a space delimited // case-sensitive string to indicate the intended audiences for access token and/or id token. AudienceHint string `json:"aud_hint"` }
Params represents the parameters in the raw http request.
func (*Params) FillRequest ¶
ToRequest converts the parameters to proper types in the request. The provided request prototype must have client already set.
type Parser ¶
type Parser struct { ServerJwks *gojosev2.JSONWebKeySet ClientLookup client.Lookup ClientJwksStrategy client.KeySetStrategy RequestStorage RequestStorage RequestObjectStrategy RequestObjectStrategy Provider *pkg.Provider }
func (*Parser) ParseFirstAuthorize ¶
func (*Parser) ParseInteraction ¶
type PromptLogicConsentResolver ¶
type PromptLogicConsentResolver struct {
DownstreamResolvers []UserConsentResolver
}
PromptLogicConsentResolver wraps one or more downstream UserConsentResolver with OpenID Connect prompt parameter logic.
func (*PromptLogicConsentResolver) Resolve ¶
func (r *PromptLogicConsentResolver) Resolve(ctx context.Context, ar *Request, collector GrantedScopeCollector) error
type PromptLogicUserSessionResolver ¶
type PromptLogicUserSessionResolver struct {
DownstreamResolvers []UserSessionResolver
}
PromptLogicUserSessionResolver wraps one or more downstream UserSessionResolver with OpenID Connect prompt parameter logic.
func (*PromptLogicUserSessionResolver) Resolve ¶
func (r *PromptLogicUserSessionResolver) Resolve(ctx context.Context, ar *Request, collector UserSessionCollector) error
type RedisRequestStorage ¶
type RedisRequestStorage struct { RedisClient redis.UniversalClient ClientLookup client.Lookup Logger *zerolog.Logger }
func (*RedisRequestStorage) Delete ¶
func (s *RedisRequestStorage) Delete(ctx context.Context, id string) error
type Request ¶
type Request struct { Id string Expiry time.Time Client *client.Client ResponseType oidc.ResponseType RedirectUri oidc.RedirectUri Scopes oidc.ScopeSet State string Nonce string ResponseMode oidc.ResponseMode Display oidc.Display Prompts oidc.PromptSet MaxAge oidc.MaxAge UiLocales []string IdTokenHint string LoginHint string AcrValues []string Claims *oidc.Claims ClaimsLocales []string AudienceHint []string CodeChallenge string CodeChallengeMethod oidc.CodeChallengeMethod Interaction *InteractionStateCollector }
Request is the model of a parsed OpenID Connect authentication request.
func (*Request) AllScopesGranted ¶
HasNotGrantedScopes returns true if there's one or more scope that was not granted.
func (*Request) MarshalJSON ¶
func (*Request) RequestedScope ¶
RequestedScope returns true if the scope is requested.
type RequestObjectStrategy ¶
type RequestObjectStrategy interface {
Resolve(ctx context.Context, ref string) (raw string, err error)
}
RequestObjectStrategy abstracts how is a raw request object resolved from a reference uri.
func FetchRequestObjectStrategy ¶
func FetchRequestObjectStrategy() RequestObjectStrategy
FetchRequestObjectStrategy is a RequestObjectStrategy implementation that directly fetches request object from the remote reference URI. The process respects the context and can be cancelled. If the reference URI has a fragment component, the fragment is treated as an expected SHA-256 hash which is used to further validate the fetched payload.
type RequestStorage ¶
type RequestStorage interface { // Save the request. Save(ctx context.Context, request *Request) error // Get the request by its id. Get(ctx context.Context, id string) (*Request, error) // Delete request by its id from the store. Delete(ctx context.Context, id string) error }
RequestStorage persists the request.
func MemoryRequestStorage ¶
func MemoryRequestStorage() RequestStorage
MemoryRequestStorage returns an in-memory implementation of RequestStorage. It is not thread-safe and is not intended for production usage.
type Response ¶
Response is the response to OpenID Connect authentication request. Because we made a conscious decision to now allow access tokens be returned on the authorization endpoint. This model does not contain any access token fields.
type UserConsentResolver ¶
type UserConsentResolver interface { // Resolve collects or eliminate user granted scopes candidates from various sources. Implementation should not return // errors when it is unable to resolve candidates. The error return value is reserved for hard failures only. Resolve(ctx context.Context, ar *Request, collector GrantedScopeCollector) error }
UserConsentResolver defines a unified interface to resolve (or eliminate) user granted scopes from various sources. Its ultimate goal is to collect as many valid granted scopes so we can avoid prompting user.
type UserSessionCollector ¶
type UserSessionCollector interface { // AddSession adds a new user.Session to the collector. If a previous session // by the same subject exists, overwrites it. AddSession(session *user.Session) // RemoveSession removes all sessions by the subject. RemoveSession(subject string) // ClearAllSessions resets the collector. ClearAllSessions() // ForEachSession iterates all collected sessions and invokes the callback. The iteration order // is not guaranteed to be stable. Any error is immediately returned. ForEachSession(callback func(session *user.Session) error) error // NumberOfSessions return the total number of collected sessions. NumberOfSessions() int // GetFirst returns the first session in the collection. It is usually used in conjunction with // NumberOfSessions to retrieve the only session in the collection. GetFirst() *user.Session }
UserSessionCollector holds candidate user.Session during the process of SessionResolver. The candidates may be added, removed at the discretion of each SessionResolver.
type UserSessionResolver ¶
type UserSessionResolver interface { // Resolve collects or eliminate user session candidates from various sources. Implementation should not return // errors when it is unable to resolve candidates. The error return value is reserved for hard failures only. Resolve(ctx context.Context, ar *Request, collector UserSessionCollector) error }
UserSessionResolver defines a unified interface to resolve (or eliminate) user sessions from various sources. Its ultimate goal is to find a single user session that can be used as the subject for the request.