Index ¶
- Constants
- func GeneratePKCECodeChallenge(codeVerifier string) string
- func GeneratePKCECodeVerifier() (string, error)
- func ReusableReader(r io.Reader) (io.Reader, error)
- type API
- func (a *API) AuthorizationCodeTokenFlow(c echo.Context, payload TokenPayload) error
- func (a *API) AuthorizationHandler() func(echo.Context) error
- func (a *API) ClientCredentialsTokenFlow(c echo.Context, payload TokenPayload) error
- func (a *API) DiscoveryHandler() func(ctx echo.Context) error
- func (a *API) GetCredentialsHandler() func(echo.Context) error
- func (a *API) GetLoginHandler() func(ctx echo.Context) error
- func (a *API) HTTPAddress() (string, error)
- func (a *API) HealthHandler() func(echo.Context) error
- func (a *API) Initialise() error
- func (a *API) JWKSHandler() func(c echo.Context) error
- func (a *API) LoginSuccessHandler() func(echo.Context) error
- func (a *API) MetricsHandler() func(c echo.Context) error
- func (a *API) PostLoginHandler() func(echo.Context) error
- func (a *API) RaftStateHandler() func(c echo.Context) error
- func (a *API) RefreshTokenFlow(c echo.Context, payload TokenPayload) error
- func (a *API) ResumeAuthorizationHandler() func(echo.Context) error
- func (a *API) RotateCredentialsHandler() func(echo.Context) error
- func (a *API) Run(address string) error
- func (a *API) Shutdown(ctx context.Context) error
- func (a *API) TokenHandler() func(echo.Context) error
- func (a *API) TokenRevocationHandler() func(ctx echo.Context) error
- func (a *API) UserInfoHandler() func(ctx echo.Context) error
- func (a *API) Validate() error
- func (a *API) Watch()
- type AuthorizationContext
- type AuthorizationErrorResponse
- type AuthorizationFailedData
- type CredentialsErrorResponse
- type CredentialsSuccessResponse
- type DiscoveryErrorResponse
- type DiscoveryResponse
- type GetLoginErrorResponse
- type HealthSuccessResponse
- type JWKSErrorResponse
- type LoginSuccessErrorResponse
- type Option
- type PostLoginErrorResponse
- type Prometheus
- type RaftStateResponse
- type TokenErrorResponse
- type TokenPayload
- type TokenRevocationErrorResponse
- type TokenRevocationPayload
- type TokenSuccessResponse
- type Unmarshaler
- type UserInfoErrorResponse
Constants ¶
const (
	// ResponseTypeAuthorizationCode must be passed as a query parameter during a call to the authorization endpoint.
	// It selects the authorization code flow (RFC 6749 §4.1, OIDC Core §3.1).
	ResponseTypeAuthorizationCode = "code"
	// ResponseTypeIDToken is the OIDC implicit-flow response type (OIDC Core §3.2).
	ResponseTypeIDToken = "id_token"
	// ResponseTypeCodeIDToken is the OIDC hybrid-flow response type (OIDC Core §3.3).
	ResponseTypeCodeIDToken = "code id_token"
	// SessionAuthenticate is a session state value; presumably marks a login in
	// progress — verify against login.go.
	SessionAuthenticate = "authenticate"
)
const (
	// The constants below enumerate which token kinds are issued together in
	// one token response; presumably consumed by issue_tokens.go — confirm.
	AccessTokenOnly = iota
	AccessTokenAndIDToken
	AccessTokenAndRefreshToken
	AccessTokenAndIDTokenAndRefreshToken
)
const (
	// AuthMethodClientSecretBasic authenticates the client with HTTP Basic
	// credentials at the token endpoint (RFC 6749 §2.3.1).
	AuthMethodClientSecretBasic = "client_secret_basic"
	// AuthMethodClientSecretPost authenticates the client with client_id and
	// client_secret in the request body (RFC 6749 §2.3.1).
	AuthMethodClientSecretPost = "client_secret_post"
	// ResponseModeFragment returns authorization response parameters in the URL fragment.
	ResponseModeFragment = "fragment"
	// ResponseModeQuery returns authorization response parameters in the query string.
	// NOTE(review): OIDC Core does not allow the query mode when the response carries
	// an id_token; confirm the authorization handler rejects that combination.
	ResponseModeQuery = "query"
	// SubjectTypePairwise is the OIDC pairwise subject identifier type (OIDC Core §8).
	SubjectTypePairwise = "pairwise"
)
// Error codes used in OAuth 2.0 error responses (RFC 6749 §4.1.2.1 and §5.2);
// server_error at the token endpoint comes from errata 4745.
const (
	ErrInvalidClient           = "invalid_client"
	ErrInvalidGrant            = "invalid_grant"
	ErrInvalidRequest          = "invalid_request"
	ErrInvalidScope            = "invalid_scope"
	ErrServerError             = "server_error"
	ErrUnsupportedGrantType    = "unsupported_grant_type"
	ErrUnsupportedResponseType = "unsupported_response_type"
)
https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 documents the below error codes for the client credentials flow. Note that the `server_error` is absent from the spec but has been added in the errata https://www.rfc-editor.org/errata/eid4745
const (
	// AlphaNumericCharset is the 62-character alphabet [A-Za-z0-9]. It is a strict
	// subset of the RFC 7636 §4.1 unreserved set, so verifiers drawn from it are valid;
	// NOTE(review): the generator must sample it with crypto/rand — confirm in pkce.go.
	AlphaNumericCharset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
)
// DefaultWatchTime is the default interval between config-file checks;
// presumably used by Watch (see watch.go) — confirm.
const DefaultWatchTime = 30 * time.Second
const (
	// ErrInvalidToken is an OIDC error code; it is the bearer-token error
	// defined in RFC 6750 §3.1 (expired, revoked, malformed or otherwise invalid token).
	ErrInvalidToken = "invalid_token"
)
const (
	// HintAccessToken is the token type hint for access tokens.
	// Revoking access tokens is not supported.
	// It is the token_type_hint value of RFC 7009 §2.1. NOTE(review): since access
	// tokens cannot be revoked here, they presumably stay valid until expiry, so
	// access-token lifetimes should be kept short — confirm against token_revocation_endpoint.go.
	HintAccessToken = "access_token"
)
const (
	// PKCECodeVerifierLength is the length of generated code verifiers. 128 is the
	// maximum allowed by RFC 7636 §4.1 (43 to 128 characters).
	PKCECodeVerifierLength = 128
)
const (
	// SessionIDQueryParameter is the query-string key carrying the session id.
	// NOTE(review): identifiers in the query string can end up in access logs and
	// Referer headers; confirm the id is short-lived / single-purpose.
	SessionIDQueryParameter = "s"
)
const (
	// TokenTypeBearer is the token_type value returned in token responses (RFC 6750).
	TokenTypeBearer = "Bearer"
)
Variables ¶
This section is empty.
Functions ¶
func GeneratePKCECodeChallenge ¶
GeneratePKCECodeChallenge derives the PKCE code challenge (RFC 7636) from the given code verifier.
func GeneratePKCECodeVerifier ¶
GeneratePKCECodeVerifier generates a PKCE code verifier (RFC 7636).
Types ¶
type API ¶
// API acts as the control plane of the project. It starts the raft backend,
// initialises the API and runs it.
type API struct {
	// Config is the server configuration (see WithConfig and NewFromFile).
	Config *config.Config
	// Echo is the HTTP framework instance; presumably the router the handlers are
	// registered on — confirm in api.go.
	Echo *echo.Echo
	// Prometheus holds the metrics sink and registry (see InitGlobalPrometheus).
	Prometheus *Prometheus
	// contains filtered or unexported fields
}
API acts as the control plane of the project. It starts the raft backend, initialises the API and runs it.
func NewFromFile ¶
NewFromFile reads the configuration from the given filename and instantiates the API data structure.
func (*API) AuthorizationCodeTokenFlow ¶
func (a *API) AuthorizationCodeTokenFlow(c echo.Context, payload TokenPayload) error
AuthorizationCodeTokenFlow handles the OAuth 2.0 `authorization_code` grant at the token endpoint, as described in RFC6749 https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
func (*API) AuthorizationHandler ¶
func (*API) ClientCredentialsTokenFlow ¶
func (a *API) ClientCredentialsTokenFlow(c echo.Context, payload TokenPayload) error
ClientCredentialsTokenFlow handles the OAuth 2.0 `client_credentials` grant at the token endpoint, as described in RFC6749 https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
func (*API) DiscoveryHandler ¶
func (*API) GetCredentialsHandler ¶
func (*API) GetLoginHandler ¶
func (*API) HTTPAddress ¶
func (*API) HealthHandler ¶
func (*API) JWKSHandler ¶
func (*API) LoginSuccessHandler ¶
func (*API) MetricsHandler ¶
MetricsHandler returns the handler that exposes the Prometheus metrics endpoint.
func (*API) PostLoginHandler ¶
func (*API) RaftStateHandler ¶
RaftStateHandler returns the current raft state.
func (*API) RefreshTokenFlow ¶
func (a *API) RefreshTokenFlow(c echo.Context, payload TokenPayload) error
func (*API) ResumeAuthorizationHandler ¶
func (*API) RotateCredentialsHandler ¶
func (*API) TokenHandler ¶
func (*API) TokenRevocationHandler ¶
func (*API) UserInfoHandler ¶
type AuthorizationContext ¶
// AuthorizationContext is the context of the authorization request.
type AuthorizationContext struct {
	// Client is the OAuth client that made the authorization request.
	Client *model.OAuthClient
	// CodeChallenge and CodeChallengeMethod are the PKCE parameters of the request
	// (RFC 7636 §4.3); presumably checked against TokenPayload.CodeVerifier at the
	// token endpoint — confirm.
	CodeChallenge       string
	CodeChallengeMethod string
	// Grant is the authorization code grant associated with the request.
	Grant *model.CodeGrant
	// GrantedScopes holds the scopes granted to the client; presumably a
	// space-separated string as in RFC 6749 §3.3 — confirm.
	GrantedScopes string
	// Nonce is the OIDC nonce to be bound into the ID token (OIDC Core §3.1.2.1).
	Nonce string
	// RedirectURI is the parsed redirect_uri of the request.
	RedirectURI *url.URL
	// Server is the OAuth server (issuer) handling the request.
	Server *model.OAuthServer
}
AuthorizationContext is the context of the authorization request.
type AuthorizationFailedData ¶
type CredentialsErrorResponse ¶
// CredentialsErrorResponse is the response returned by the credentials handler
// when an error occurs.
type CredentialsErrorResponse struct {
	// Error is the error code serialised as "error".
	Error string `json:"error"`
}
CredentialsErrorResponse is the response returned by the credentials handler when an error occurs.
type CredentialsSuccessResponse ¶
// CredentialsSuccessResponse is the response returned by the credentials handler
// when successful.
type CredentialsSuccessResponse struct {
	// ID is the client identifier ("client_id").
	ID string `json:"client_id"`
	// Name is the human-readable client name ("client_name").
	Name string `json:"client_name"`
	// Secret is the plaintext client secret; omitted when empty. NOTE(review):
	// presumably only populated when a secret is created or rotated (see
	// RotateCredentialsHandler) — confirm, and keep this response out of logs.
	Secret string `json:"client_secret,omitempty"`
}
CredentialsSuccessResponse is the response returned by the credentials handler when successful.
type DiscoveryErrorResponse ¶
// DiscoveryErrorResponse is the response of the OpenID Connect discovery
// endpoint when an error occurs.
type DiscoveryErrorResponse struct {
	// Error is the error code.
	Error string `json:"error"`
	// ErrorDescription is an optional human-readable description.
	ErrorDescription string `json:"error_description,omitempty"`
}
DiscoveryErrorResponse is the response of the OpenID Connect discovery endpoint when an error occurs.
type DiscoveryResponse ¶
// DiscoveryResponse is the response of the OpenID Connect discovery endpoint.
// The JSON field names are the provider metadata names of OIDC Discovery 1.0 §3.
type DiscoveryResponse struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	UserInfoEndpoint      string `json:"userinfo_endpoint"`
	// RevocationEndpoint is the RFC 7009 revocation endpoint (RFC 8414 metadata name).
	RevocationEndpoint string `json:"revocation_endpoint"`
	JwksURI            string `json:"jwks_uri"`
	// The *Supported lists advertise what the server accepts; clients should treat
	// them as capability hints, not as authorisation.
	ScopesSupported                   []string `json:"scopes_supported"`
	ResponseTypesSupported            []string `json:"response_types_supported"`
	ResponseModesSupported            []string `json:"response_modes_supported"`
	GrantTypesSupported               []string `json:"grant_types_supported"`
	SubjectTypesSupported             []string `json:"subject_types_supported"`
	IDTokenSigningAlgValuesSupported  []string `json:"id_token_signing_alg_values_supported"`
	UserInfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported"`
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
	ClaimsSupported                   []string `json:"claims_supported"`
}
DiscoveryResponse is the response of the OpenID Connect discovery endpoint.
type GetLoginErrorResponse ¶
// GetLoginErrorResponse is the error response of the GET login handler.
type GetLoginErrorResponse struct {
	// Error is the error code serialised as "error".
	Error string `json:"error"`
}
type HealthSuccessResponse ¶
// HealthSuccessResponse is the body returned by the health handler.
type HealthSuccessResponse struct {
	// Status is the reported health status.
	Status string `json:"status"`
}
type JWKSErrorResponse ¶
type LoginSuccessErrorResponse ¶
// LoginSuccessErrorResponse is the error response of the login-success handler.
type LoginSuccessErrorResponse struct {
	// Error is the error code serialised as "error".
	Error string `json:"error"`
}
type Option ¶
// Option is used to configure the API. Options are applied to the *API being
// constructed (see WithConfig, WithBackend, WithLogger, BackendStarted, ShouldWatchConfig).
type Option func(*API)
Option is used to configure the API.
func BackendStarted ¶
BackendStarted is used to tell the API if the raft backend already started. It is usually not required to configure it and is used for testing purposes.
func ShouldWatchConfig ¶
ShouldWatchConfig tells the API whether it should watch the config for file changes. It is usually not required to configure it.
func WithBackend ¶
WithBackend sets the given raft backend on the API.
func WithConfig ¶
WithConfig sets the given config on the API.
func WithLogger ¶
func WithLogger(logger hclog.Logger) Option
WithLogger sets the given logger on the API.
type PostLoginErrorResponse ¶
// PostLoginErrorResponse is the error response of the POST login handler.
type PostLoginErrorResponse struct {
	// Error is the error code serialised as "error".
	Error string `json:"error"`
}
type Prometheus ¶
// Prometheus is the data structure that holds the sink and the registry.
// Instances are created by InitGlobalPrometheus.
type Prometheus struct {
	// contains filtered or unexported fields
}
Prometheus is the data structure that holds the sink and the registry.
func InitGlobalPrometheus ¶
func InitGlobalPrometheus(appName string) (*Prometheus, error)
InitGlobalPrometheus initialises the prometheus configuration so that metrics can be created globally across the packages.
type RaftStateResponse ¶
// RaftStateResponse is the body returned by RaftStateHandler.
type RaftStateResponse struct {
	// State is the current raft state as a string.
	State string `json:"state"`
}
type TokenErrorResponse ¶
// TokenErrorResponse is the response given by the API server when an error
// occurs. Its fields are the error response parameters of RFC 6749 §5.2.
type TokenErrorResponse struct {
	// Error is the error code (see the Err* constants).
	Error string `json:"error"`
	// ErrorDescription is an optional human-readable description.
	ErrorDescription string `json:"error_description,omitempty"`
	// ErrorURI is an optional URI with further information about the error.
	ErrorURI string `json:"error_uri,omitempty"`
}
TokenErrorResponse is the response given by the API server when an error occurs.
type TokenPayload ¶
// TokenPayload is the payload passed to the token endpoint. It carries the
// parameters of every supported grant; which ones are required depends on GrantType.
// NOTE(review): ClientSecret, Code, CodeVerifier and RefreshToken are credentials —
// keep the decoded payload out of logs and error messages.
type TokenPayload struct {
	// Scope is the requested scope (RFC 6749 §3.3).
	Scope string `json:"scope,omitempty"`
	// ClientID identifies the client (RFC 6749 §2.2).
	ClientID string `json:"client_id"`
	// ClientSecret is the client credential when client_secret_post is used (RFC 6749 §2.3.1).
	ClientSecret string `json:"client_secret,omitempty"`
	// Audience is the intended audience of the requested token.
	Audience string `json:"audience"`
	// GrantType selects the flow: authorization_code, client_credentials or refresh_token.
	GrantType string `json:"grant_type"`
	// RedirectURI must match the redirect_uri of the authorization request (RFC 6749 §4.1.3).
	RedirectURI string `json:"redirect_uri"`
	// Code is the authorization code (RFC 6749 §4.1.3).
	Code string `json:"code"`
	// State is the opaque client state value.
	State string `json:"state"`
	// CodeVerifier is the PKCE verifier (RFC 7636 §4.5).
	CodeVerifier string `json:"code_verifier,omitempty"`
	// RefreshToken is the token presented for the refresh_token grant (RFC 6749 §6).
	RefreshToken string `json:"refresh_token,omitempty"`
}
TokenPayload is the payload passed to the token endpoint.
type TokenRevocationErrorResponse ¶
// TokenRevocationErrorResponse is the response of a token revocation request
// when an error occurs (RFC 7009 §2.2.1).
type TokenRevocationErrorResponse struct {
	// Error is the error code.
	Error string `json:"error"`
	// ErrorDescription is an optional human-readable description.
	ErrorDescription string `json:"error_description,omitempty"`
}
TokenRevocationErrorResponse is the response of a token revocation request when an error occurs.
type TokenRevocationPayload ¶
// TokenRevocationPayload is the payload of a token revocation request (RFC 7009 §2.1).
// NOTE(review): ClientSecret and Token are credentials — keep the payload out of logs.
type TokenRevocationPayload struct {
	// ClientID identifies the client requesting the revocation.
	ClientID string `json:"client_id"`
	// ClientSecret authenticates the client.
	ClientSecret string `json:"client_secret"`
	// Token is the token to revoke.
	Token string `json:"token"`
	// Hint is the optional token_type_hint; see HintAccessToken.
	Hint string `json:"token_type_hint"`
}
TokenRevocationPayload is the payload of a token revocation request.
func (TokenRevocationPayload) Validate ¶
func (payload TokenRevocationPayload) Validate() error
Validate validates the token revocation payload.
type TokenSuccessResponse ¶
// TokenSuccessResponse is the response given by the API server when successful.
// Its fields are the successful response parameters of RFC 6749 §5.1 plus the
// OIDC id_token (OIDC Core §3.1.3.3).
type TokenSuccessResponse struct {
	AccessToken string `json:"access_token"`
	// IDToken is present only for OIDC requests.
	IDToken string `json:"id_token,omitempty"`
	// RefreshToken is present only when a refresh token was issued.
	RefreshToken string `json:"refresh_token,omitempty"`
	// ExpiresIn is the access token lifetime in seconds.
	ExpiresIn int `json:"expires_in"`
	// Scope is the granted scope.
	Scope string `json:"scope"`
	// TokenType is the token type, see TokenTypeBearer.
	TokenType string `json:"token_type"`
}
TokenSuccessResponse is the response given by the API server when successful.
type Unmarshaler ¶
// Unmarshaler is a generic type to unmarshal an io.Reader into a value of type T.
// Create one with NewUnmarshaler and call Unmarshal.
type Unmarshaler[T any] struct {
	// contains filtered or unexported fields
}
Unmarshaler is a generic type to unmarshal an io.Reader into a value of type T.
func NewUnmarshaler ¶
func NewUnmarshaler[T any](reader io.Reader) *Unmarshaler[T]
NewUnmarshaler instantiates a new Unmarshaler.
func (*Unmarshaler[T]) Unmarshal ¶
func (u *Unmarshaler[T]) Unmarshal() (T, error)
Unmarshal takes care of unmarshaling the data into the given type T.
type UserInfoErrorResponse ¶
Source Files ¶
- access_token.go
- api.go
- authorization_endpoint.go
- authz_code_token_flow.go
- client_credentials_token_flow.go
- credentials.go
- health.go
- helpers.go
- id_token.go
- issue_tokens.go
- jwks_endpoint.go
- login.go
- metrics.go
- openid_discovery_endpoint.go
- pkce.go
- proxy.go
- raft.go
- reader.go
- redirect.go
- refresh_token_flow.go
- refresh_token_helpers.go
- resume_authorization_endpoint.go
- successful_login.go
- template.go
- token_endpoint.go
- token_revocation_endpoint.go
- user_info_endpoint.go
- watch.go