Documentation ¶
Index ¶
- func StatusCodeForError(error *Error) int
- func WriteJSONResponse(w http.ResponseWriter, r *Response) error
- type AccessData
- type AccessRequest
- type AccessRequestAuthorizedCallback
- type AccessTokenGenerator
- type AccessTokenSubScoper
- type AllowedAccessTypes
- type AllowedAuthorizeTypes
- type AuthRequestAuthorizedCallback
- type AuthRequestGenerator
- type AuthorizationData
- type AuthorizationRequest
- type AuthorizeResponseType
- type AuthorizeTokenGenerator
- type BasicAuth
- type ClientData
- type DefaultAccessTokenGenerator
- type DefaultAccessTokenSubScoper
- type DefaultAuthorizeTokenGenerator
- type Error
- type ErrorCode
- type GrantType
- type NotFoundError
- type OnAuthSuccessCallback
- type PKCECodeChallengeMethod
- type RefreshTokenData
- type Response
- type ResponseData
- type ResponseType
- type Server
- func (s *Server) FinishAccessRequest(ctx context.Context, ar *AccessRequest) (*Response, error)
- func (s *Server) FinishAuthorizeRequest(ctx context.Context, ar *AuthorizationRequest) (*Response, error)
- func (s *Server) GenerateAccessRequest(ctx context.Context, r *http.Request) (*AccessRequest, error)
- func (s *Server) GenerateAuthorizationRequest(ctx context.Context, r *http.Request) (*AuthorizationRequest, error)
- func (s *Server) HandleAuthorizeRequest(ctx context.Context, f AuthRequestGenerator, ...) (*Response, error)
- func (s *Server) HandleHTTPAccessRequest(r *http.Request, isAuthorizedCb AccessRequestAuthorizedCallback) (*Response, error)
- func (s *Server) HandleHTTPAuthorizeRequest(r *http.Request, isAuthorizedCb AuthRequestAuthorizedCallback) (*Response, error)
- type ServerConfig
- type Storage
- type URIValidationError
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func StatusCodeForError ¶
StatusCodeForError returns http status code for a given error code as per (https://tools.ietf.org/html/rfc6749#section-5.2)
func WriteJSONResponse ¶
func WriteJSONResponse(w http.ResponseWriter, r *Response) error
WriteJSONResponse encodes the Response to JSON and writes to the http.ResponseWriter
Types ¶
type AccessData ¶
type AccessData struct { // ClientData information ClientID string // Access token AccessToken string // Token expiration in seconds ExpiresIn int32 // Requested scope Scope string // Redirect Uri from request RedirectURI string // Date created CreatedAt time.Time // Type of grant used to issue this token GrantedVia GrantType // Data to be passed to storage. Not used by the library. UserData interface{} }
AccessData represents an access grant (tokens, expiration, client, etc)
func (*AccessData) ExpireAt ¶
func (d *AccessData) ExpireAt() time.Time
ExpireAt returns the expiration date
func (*AccessData) IsExpiredAt ¶
func (d *AccessData) IsExpiredAt(t time.Time) bool
IsExpiredAt returns true if access expires at time 't'
type AccessRequest ¶
type AccessRequest struct { GrantType GrantType Code string ClientID string RefreshToken string RedirectURI string Scope string Username string Password string AssertionType string Assertion string // Token expiration in seconds. Change if different from default Expiration int32 // Set if a refresh token should be generated GenerateRefresh bool // Data to be passed to storage. Not used by the library. UserData interface{} // Optional code_verifier as described in rfc7636 CodeVerifier string }
AccessRequest is a request for access tokens
type AccessRequestAuthorizedCallback ¶
type AccessRequestAuthorizedCallback func(ar *AccessRequest) (bool, error)
AccessRequestAuthorizedCallback returns if an access request should succeed or access should be denied. errors returned by this function will result in internal server errors being returned
type AccessTokenGenerator ¶
type AccessTokenGenerator interface { GenerateAccessToken(ar *AccessData) (string, error) GenerateRefreshToken(ar *RefreshTokenData) (string, error) }
AccessTokenGenerator generates access tokens and refresh tokens
type AccessTokenSubScoper ¶
type AccessTokenSubScoper interface {
CheckSubScopes(accessTokenScopes string, refreshTokenScopes string) (string, error)
}
AccessTokenSubScoper checks if the requested scopes of AT are a subset of already granted scopes.
type AllowedAccessTypes ¶
type AllowedAccessTypes []GrantType
AllowedAccessTypes is a collection of allowed access request types
func (AllowedAccessTypes) Exists ¶
func (t AllowedAccessTypes) Exists(rt GrantType) bool
Exists returns true if the access type exists in the list
type AllowedAuthorizeTypes ¶
type AllowedAuthorizeTypes []AuthorizeResponseType
AllowedAuthorizeTypes is a collection of allowed auth request types
func (AllowedAuthorizeTypes) Exists ¶
func (t AllowedAuthorizeTypes) Exists(rt AuthorizeResponseType) bool
Exists returns true if the auth type exists in the list
type AuthRequestAuthorizedCallback ¶
type AuthRequestAuthorizedCallback func(ar *AuthorizationRequest) (bool, error)
AuthRequestAuthorizedCallback returns if an authorization request should succeed or access should be denied. errors returned by this function will result in internal server errors being returned
type AuthRequestGenerator ¶
type AuthRequestGenerator func() (*AuthorizationRequest, error)
AuthRequestGenerator generates and returns an AuthorizationRequest to process or an error.
type AuthorizationData ¶
type AuthorizationData struct { // ClientData information ClientID string // Authorization code Code string // Token expiration in seconds ExpiresIn int32 // Requested scope Scope string // Redirect Uri from request RedirectURI string // State data from request State string // Date created CreatedAt time.Time // Data to be passed to storage. Not used by the library. UserData interface{} // Optional code_challenge as described in rfc7636 CodeChallenge string // Optional code_challenge_method as described in rfc7636 CodeChallengeMethod PKCECodeChallengeMethod }
AuthorizationData represents an issued authorization code
func (*AuthorizationData) ExpireAt ¶
func (d *AuthorizationData) ExpireAt() time.Time
ExpireAt returns the expiration date
func (*AuthorizationData) IsExpiredAt ¶
func (d *AuthorizationData) IsExpiredAt(t time.Time) bool
IsExpiredAt is true if authorization has expired by time 't'
type AuthorizationRequest ¶
type AuthorizationRequest struct { ResponseType AuthorizeResponseType ClientID string Scope string RedirectURI string State string // Token expiration in seconds. Change if different from default. // If type = ResponseTypeToken, this expiration will be for the ACCESS token. Expiration int32 // Optional code_challenge as described in rfc7636 CodeChallenge string // Optional code_challenge_method as described in rfc7636 CodeChallengeMethod PKCECodeChallengeMethod // (optional) Data to be passed to storage. Not used by the library. UserData interface{} }
AuthorizationRequest represents an incoming authorization request
type AuthorizeResponseType ¶
type AuthorizeResponseType string
AuthorizeResponseType is the type for OAuth param `response_type`
const ( ResponseTypeCode AuthorizeResponseType = "code" ResponseTypeToken AuthorizeResponseType = "token" )
AuthorizeResponseType is either code or token
type AuthorizeTokenGenerator ¶
type AuthorizeTokenGenerator interface {
GenerateAuthorizeToken(data *AuthorizationData) (string, error)
}
AuthorizeTokenGenerator is the token generator interface
type ClientData ¶
type ClientData struct { ClientID string // Unique identifier for this client (https://tools.ietf.org/html/rfc6749#section-2.2) ClientSecret string // OAuth2 client secret (https://tools.ietf.org/html/rfc6749#section-2.3.1) RedirectURI string // OAuth2 redirect URI }
ClientData is the information stored for an OAuth2 client
func (*ClientData) ValidSecret ¶
func (c *ClientData) ValidSecret(secret string) bool
ValidSecret checks if the given secret is valid for this OAuth2 client
type DefaultAccessTokenGenerator ¶
type DefaultAccessTokenGenerator struct { }
DefaultAccessTokenGenerator is the default authorization token generator
func (*DefaultAccessTokenGenerator) GenerateAccessToken ¶
func (a *DefaultAccessTokenGenerator) GenerateAccessToken(ar *AccessData) (string, error)
GenerateAccessToken generates base64-encoded UUID access and refresh tokens
func (*DefaultAccessTokenGenerator) GenerateRefreshToken ¶
func (a *DefaultAccessTokenGenerator) GenerateRefreshToken(ar *RefreshTokenData) (string, error)
GenerateRefreshToken generates base64-encoded UUID access and refresh tokens
type DefaultAccessTokenSubScoper ¶
type DefaultAccessTokenSubScoper struct { }
DefaultAccessTokenSubScoper checks if the given scopes of AT request are a string subset of already granted scopes.
func (*DefaultAccessTokenSubScoper) CheckSubScopes ¶
func (a *DefaultAccessTokenSubScoper) CheckSubScopes(accessTokenScopes string, refreshTokenScopes string) (string, error)
CheckSubScopes checks the given access token scopes to see if they are granted by the refresh token's scope, and returns the resulting subset of scopes.
type DefaultAuthorizeTokenGenerator ¶
type DefaultAuthorizeTokenGenerator struct { }
DefaultAuthorizeTokenGenerator is the default authorization token generator
func (*DefaultAuthorizeTokenGenerator) GenerateAuthorizeToken ¶
func (a *DefaultAuthorizeTokenGenerator) GenerateAuthorizeToken(data *AuthorizationData) (string, error)
GenerateAuthorizeToken generates a base64-encoded UUID code
type Error ¶
type Error struct { Code ErrorCode Err error // Human readable description of the error that occurred Message string // contains filtered or unexported fields }
Error is a wrapper around an existing error with an OAuth2 error code
func NewWrappedError ¶
NewWrappedError creates a new Error for a response error code and wraps the original error with the given description
func (*Error) AsResponse ¶
AsResponse creates a response object from this error, containing it's body or a redirect if specified
func (*Error) GetRedirectURI ¶
GetRedirectURI returns location to redirect user to after processing this error, or empty string if there is none
func (*Error) GetResponseDict ¶
GetResponseDict returns the fields for an error response as defined in https://tools.ietf.org/html/rfc6749#section-4.2.2.1
func (*Error) SetRedirectURI ¶
SetRedirectURI set redirect uri for this error to redirect to when written to a HTTP response
type ErrorCode ¶
type ErrorCode string
ErrorCode is an OAuth2 error code
const ( EInvalidRequest ErrorCode = "invalid_request" EAccessDenied ErrorCode = "access_denied" EUnsupportedResponseType ErrorCode = "unsupported_response_type" EInvalidScope ErrorCode = "invalid_scope" EServerError ErrorCode = "server_error" EUnsupportedGrantType ErrorCode = "unsupported_grant_type" EInvalidGrant ErrorCode = "invalid_grant" EInvalidClient ErrorCode = "invalid_client" )
OAuth2 error codes (https://tools.ietf.org/html/rfc6749#section-4.1.2.1)
type GrantType ¶
type GrantType string
GrantType is the type for OAuth param `grant_type`
type NotFoundError ¶
type NotFoundError struct {
Err error
}
NotFoundError can be used to differentiate between internal server errors and an entity not existing in storage.
func (*NotFoundError) Error ¶
func (e *NotFoundError) Error() string
type OnAuthSuccessCallback ¶
type OnAuthSuccessCallback func(ar *AuthorizationRequest, resp *Response) error
OnAuthSuccessCallback is called after an authorize request is successful to allow any final manipulation of the response, whilst still having errors captures and handled as per the OAuth spec.
type PKCECodeChallengeMethod ¶
type PKCECodeChallengeMethod string
PKCECodeChallengeMethod is the code_challenge field as described in rfc7636
const ( PKCEPlain PKCECodeChallengeMethod = "plain" PKCES256 PKCECodeChallengeMethod = "S256" )
type RefreshTokenData ¶
type RefreshTokenData struct { // ID of the client used to issue this refresh token ClientID string // Refresh token string RefreshToken string // Time at which refresh token was created CreatedAt time.Time // Redirect Uri from request RedirectURI string // Scope requested for this refresh token Scope string // Previous refresh token (if one existed) PreviousRefreshToken string // Type of grant used to issue this token GrantedVia GrantType // Data to be passed to storage. Not used by the library. UserData interface{} }
RefreshTokenData represents an issued refresh token, which should be persisted to storage in it's entirety
type Response ¶
type Response struct { StatusCode int Data ResponseData Headers http.Header // contains filtered or unexported fields }
Response represents a HTTP response to be sent to the user
func (*Response) GetRedirectURL ¶
GetRedirectURL returns the redirect url with all query string parameters
func (*Response) SetRedirectFragment ¶
SetRedirectFragment sets redirect values to be passed in fragment instead of as query parameters
func (*Response) SetRedirectURL ¶
SetRedirectURL changes the response to redirect to the given url
type ResponseData ¶
type ResponseData map[string]interface{}
ResponseData is the data to be serialized for response output
type ResponseType ¶
type ResponseType int
ResponseType enum indicates type of response
const ( DATA ResponseType = iota REDIRECT )
Responses can either be data (an have a body to to be serialized) or are a redirect.
type Server ¶
type Server struct { Config *ServerConfig Storage Storage AuthorizeTokenGenerator AuthorizeTokenGenerator AccessTokenGenerator AccessTokenGenerator AccessTokenSubScoper AccessTokenSubScoper Now func() time.Time }
Server is an OAuth2 implementation
func NewServer ¶
func NewServer(config *ServerConfig, storage Storage) *Server
NewServer creates a new server instance
func (*Server) FinishAccessRequest ¶
FinishAccessRequest processes a given access request and returns the response or error to return to the user
func (*Server) FinishAuthorizeRequest ¶
func (s *Server) FinishAuthorizeRequest(ctx context.Context, ar *AuthorizationRequest) (*Response, error)
FinishAuthorizeRequest takes in a authorization request and returns a response to the client or an error
func (*Server) GenerateAccessRequest ¶
func (s *Server) GenerateAccessRequest(ctx context.Context, r *http.Request) (*AccessRequest, error)
GenerateAccessRequest generates an AccessRequest from a HTTP request.
func (*Server) GenerateAuthorizationRequest ¶
func (s *Server) GenerateAuthorizationRequest(ctx context.Context, r *http.Request) (*AuthorizationRequest, error)
GenerateAuthorizationRequest handles authorization requests. Generates an AuthorizationRequest from a HTTP request.
func (*Server) HandleAuthorizeRequest ¶
func (s *Server) HandleAuthorizeRequest( ctx context.Context, f AuthRequestGenerator, isAuthorizedCb AuthRequestAuthorizedCallback, onSuccessCb OnAuthSuccessCallback, ) (*Response, error)
HandleAuthorizeRequest is the main entry point for handling authorization requests. It can take a method which generates the AuthRequest struct to use for the authorization This method will always return a Response, even if there was an error processing the request, which should be rendered for a user. It may also return an error in the second argument which can be logged by the caller.
func (*Server) HandleHTTPAccessRequest ¶
func (s *Server) HandleHTTPAccessRequest(r *http.Request, isAuthorizedCb AccessRequestAuthorizedCallback) (*Response, error)
HandleHTTPAccessRequest is the main entry point for handling access requests. This method will always return a Response, even if there was an error processing the request, which should be rendered for a user. It may also return an error in the second argument which can be logged by the caller.
func (*Server) HandleHTTPAuthorizeRequest ¶
func (s *Server) HandleHTTPAuthorizeRequest(r *http.Request, isAuthorizedCb AuthRequestAuthorizedCallback) (*Response, error)
HandleHTTPAuthorizeRequest is the main entry point for handling authorization requests. This method will always return a Response, even if there was an error processing the request, which should be rendered for a user. It may also return an error in the second argument which can be logged by the caller.
type ServerConfig ¶
type ServerConfig struct { // Authorization token expiration in seconds (default 5 minutes) AuthorizationExpiration int32 // Access token expiration in seconds (default 1 hour) AccessExpiration int32 // Token type to return TokenType string // List of allowed authorize types (only ResponseTypeCode by default) AllowedAuthorizeTypes AllowedAuthorizeTypes // List of allowed access types (only GrantTypeAuthorizationCode by default) AllowedAccessTypes AllowedAccessTypes // If true allows client secret also in params, else only in // Authorization header - default false AllowClientSecretInParams bool // Require PKCE for code flows for public OAuth clients - default false RequirePKCEForPublicClients bool // Separator to support multiple URIs in ClientData.GetRedirectURI(). // If blank (the default), don't allow multiple URIs. RedirectURISeparator string // If true allows access request using GET, else only POST - default false AllowGetAccessRequest bool }
ServerConfig contains server configuration information
func NewServerConfig ¶
func NewServerConfig() *ServerConfig
NewServerConfig returns a new ServerConfig with default configuration
type Storage ¶
type Storage interface { // Close the resources the Storage potentially holds. (Implements io.Closer) Close() error // GetClientData fetches the data for a ClientData by id // Should return NotFoundError, so an EInvalidClient error will be returned instead of EServerError GetClientData(ctx context.Context, id string) (*ClientData, error) // GetAuthorizeData looks up AuthorizationData by a code. //// ClientData information MUST be loaded together. // Optionally can return error if expired. GetAuthorizeData(ctx context.Context, code string) (*AuthorizationData, error) // SaveAuthorizeData saves authorize data. SaveAuthorizeData(ctx context.Context, data *AuthorizationData) error // DeleteAuthorizeData revokes or deletes the authorization code. DeleteAuthorizeData(ctx context.Context, code string) error // SaveAccessData writes AccessData to storage. SaveAccessData(ctx context.Context, data *AccessData) error // GetRefreshTokenData retrieves refresh token data from the token string. GetRefreshTokenData(ctx context.Context, token string) (*RefreshTokenData, error) // SaveRefreshTokenData saves refresh token data so it can be retrieved with GetRefreshTokenData SaveRefreshTokenData(ctx context.Context, data *RefreshTokenData) error // DeleteRefreshTokenData revokes or deletes a RefreshToken. DeleteRefreshTokenData(ctx context.Context, token string) error }
Storage is a backend used to persist data generated by the OAuth2 server
type URIValidationError ¶
type URIValidationError string
URIValidationError is an error returned when a URI is invalid or does not match any URIs provided in the allowed URI list
func (URIValidationError) Error ¶
func (e URIValidationError) Error() string