oidc

package
v0.0.0-...-4f5e8d6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 18, 2024 License: Apache-2.0 Imports: 29 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// The scope openid must be present.
	// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
	ScopeOpenID = "openid"
	// Scope "profile" is defined in
	// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
	ScopeProfile = "profile"
	// Scope "email" is defined in
	// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
	ScopeEmail = "email"
	// Scope "address" is defined in
	// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
	ScopeAddress = "address"
	// Scope "phone" is defined in
	// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
	ScopePhone = "phone"
)
View Source
const IDTokenValidDuration = duration.Short

IDTokenValidDuration is the valid period of ID token. It can be short, since id_token_hint should accept expired ID tokens.

Variables

View Source
var ErrInvalidCustomURI = apierrors.Invalid.WithReason("WebUIInvalidCustomURI")
View Source
var ErrInvalidSettingsAction = apierrors.Invalid.WithReason("WebUIInvalidSettingsAction")

Functions

func BuildCustomUIEndpoint

func BuildCustomUIEndpoint(base string) (*url.URL, error)

func DecodeSID

func DecodeSID(sid string) (typ session.Type, sessionID string, ok bool)

func EncodeSID

func EncodeSID(s SessionLike) string

func EncodeSIDByRawValues

func EncodeSIDByRawValues(sessionType session.Type, sessionID string) string

func IsScopeAllowed

func IsScopeAllowed(scope string) bool

func ScopeAllowsClaim

func ScopeAllowsClaim(scope string, claimName string) bool

func ValidateScopes

func ValidateScopes(client *config.OAuthClientConfig, scopes []string) error

Types

type BaseURLProvider

type BaseURLProvider interface {
	Origin() *url.URL
}

type EndpointsProvider

type EndpointsProvider interface {
	Origin() *url.URL
	JWKSEndpointURL() *url.URL
	UserInfoEndpointURL() *url.URL
	EndSessionEndpointURL() *url.URL
}

type IDTokenHintResolver

type IDTokenHintResolver struct {
	Issuer              IDTokenHintResolverIssuer
	Sessions            IDTokenHintResolverSessionProvider
	OfflineGrantService IDTokenHintResolverOfflineGrantService
}

func (*IDTokenHintResolver) ResolveIDTokenHint

func (r *IDTokenHintResolver) ResolveIDTokenHint(ctx context.Context, client *config.OAuthClientConfig, req protocol.AuthorizationRequest) (idToken jwt.Token, sidSession session.ListableSession, err error)

type IDTokenHintResolverIssuer

type IDTokenHintResolverIssuer interface {
	VerifyIDToken(idTokenHint string) (idToken jwt.Token, err error)
}

type IDTokenHintResolverOfflineGrantService

type IDTokenHintResolverOfflineGrantService interface {
	GetOfflineGrant(ctx context.Context, id string) (*oauth.OfflineGrant, error)
}

type IDTokenHintResolverSessionProvider

type IDTokenHintResolverSessionProvider interface {
	Get(ctx context.Context, id string) (*idpsession.IDPSession, error)
}

type IDTokenIssuer

type IDTokenIssuer struct {
	Secrets        *config.OAuthKeyMaterials
	BaseURL        BaseURLProvider
	Users          UserProvider
	RolesAndGroups RolesAndGroupsProvider
	Clock          clock.Clock
}

func (*IDTokenIssuer) GetPublicKeySet

func (ti *IDTokenIssuer) GetPublicKeySet() (jwk.Set, error)

func (*IDTokenIssuer) GetUserInfo

func (ti *IDTokenIssuer) GetUserInfo(ctx context.Context, userID string, clientLike *oauth.ClientLike) (map[string]interface{}, error)

func (*IDTokenIssuer) Iss

func (ti *IDTokenIssuer) Iss() string

func (*IDTokenIssuer) IssueIDToken

func (ti *IDTokenIssuer) IssueIDToken(ctx context.Context, opts IssueIDTokenOptions) (string, error)

func (*IDTokenIssuer) PopulateUserClaimsInIDToken

func (ti *IDTokenIssuer) PopulateUserClaimsInIDToken(ctx context.Context, token jwt.Token, userID string, clientLike *oauth.ClientLike) error

func (*IDTokenIssuer) VerifyIDToken

func (ti *IDTokenIssuer) VerifyIDToken(idToken string) (token jwt.Token, err error)

type IssueIDTokenOptions

type IssueIDTokenOptions struct {
	ClientID           string
	SID                string
	Nonce              string
	AuthenticationInfo authenticationinfo.T
	ClientLike         *oauth.ClientLike
	DeviceSecretHash   string
}

type MetadataProvider

type MetadataProvider struct {
	Endpoints EndpointsProvider
}

func (*MetadataProvider) PopulateMetadata

func (p *MetadataProvider) PopulateMetadata(meta map[string]interface{})

type RolesAndGroupsProvider

type RolesAndGroupsProvider interface {
	ListEffectiveRolesByUserID(ctx context.Context, userID string) ([]*model.Role, error)
}

type SessionLike

type SessionLike interface {
	SessionID() string
	SessionType() session.Type
}

type UIInfo

type UIInfo struct {
	// ClientID is client_id
	ClientID string
	// RedirectURI is the redirect_uri the UI should redirect to.
	// The redirect_uri in the URL has lower precedence.
	// The rationale for this is if the end-user bookmarked the
	// authorization URL in the browser, redirect to the app is
	// possible.
	RedirectURI string
	// Prompt is the resolved prompt with prompt, max_age, and id_token_hint taken into account.
	Prompt []string
	// UILocales is ui_locales.
	UILocales string
	// UserIDHint is for reauthentication.
	UserIDHint string
	// CanUseIntentReauthenticate is for reauthentication.
	CanUseIntentReauthenticate bool
	// State is the state parameter
	State string
	// XState is the x_state parameter
	XState string
	// Page is the x_page parameter
	Page string
	// SuppressIDPSessionCookie is the x_suppress_idp_session_cookie and x_sso_enabled parameter.
	SuppressIDPSessionCookie bool
	// OAuthProviderAlias is the x_oauth_provider_alias parameter.
	OAuthProviderAlias string
	// LoginHint is the OIDC login_hint parameter.
	LoginHint string
	// IDTokenHint is the OIDC id_token_hint parameter.
	IDTokenHint string
}

UIInfo is a collection of information that is essential to the UI.

func (*UIInfo) ToUIParam

func (i *UIInfo) ToUIParam() uiparam.T

type UIInfoByProduct

type UIInfoByProduct struct {
	IDToken        jwt.Token
	SIDSession     session.ListableSession
	IDTokenHintSID string
}

type UIInfoClientResolver

type UIInfoClientResolver interface {
	ResolveClient(clientID string) *config.OAuthClientConfig
}

type UIInfoResolver

type UIInfoResolver struct {
	Config              *config.OAuthConfig
	EndpointsProvider   oauth.EndpointsProvider
	PromptResolver      UIInfoResolverPromptResolver
	IDTokenHintResolver UIInfoResolverIDTokenHintResolver
	Clock               clock.Clock
	Cookies             UIInfoResolverCookieManager
	ClientResolver      UIInfoClientResolver
}

func (*UIInfoResolver) GetOAuthSessionID

func (r *UIInfoResolver) GetOAuthSessionID(req *http.Request, urlQuery string) (string, bool)

func (*UIInfoResolver) GetOAuthSessionIDLegacy

func (r *UIInfoResolver) GetOAuthSessionIDLegacy(req *http.Request, urlQuery string) (string, bool)

func (*UIInfoResolver) RemoveOAuthSessionID

func (r *UIInfoResolver) RemoveOAuthSessionID(w http.ResponseWriter, req *http.Request)

func (*UIInfoResolver) ResolveForAuthorizationEndpoint

func (r *UIInfoResolver) ResolveForAuthorizationEndpoint(
	ctx context.Context,
	client *config.OAuthClientConfig,
	req protocol.AuthorizationRequest,
) (*UIInfo, *UIInfoByProduct, error)

func (*UIInfoResolver) ResolveForUI

func (r *UIInfoResolver) ResolveForUI(ctx context.Context, req protocol.AuthorizationRequest) (*UIInfo, error)

type UIInfoResolverCookieManager

type UIInfoResolverCookieManager interface {
	GetCookie(r *http.Request, def *httputil.CookieDef) (*http.Cookie, error)
	ClearCookie(def *httputil.CookieDef) *http.Cookie
}

type UIInfoResolverIDTokenHintResolver

type UIInfoResolverIDTokenHintResolver interface {
	ResolveIDTokenHint(ctx context.Context, client *config.OAuthClientConfig, r protocol.AuthorizationRequest) (idToken jwt.Token, sidSession session.ListableSession, err error)
}

type UIInfoResolverPromptResolver

type UIInfoResolverPromptResolver interface {
	ResolvePrompt(r protocol.AuthorizationRequest, sidSession session.ListableSession) (prompt []string)
}

type UIURLBuilder

type UIURLBuilder struct {
	Endpoints UIURLBuilderAuthUIEndpointsProvider
}

func (*UIURLBuilder) BuildAuthenticationURL

func (b *UIURLBuilder) BuildAuthenticationURL(client *config.OAuthClientConfig, r protocol.AuthorizationRequest, e *oauthsession.Entry) (*url.URL, error)

func (*UIURLBuilder) BuildSettingsActionURL

func (b *UIURLBuilder) BuildSettingsActionURL(client *config.OAuthClientConfig, r protocol.AuthorizationRequest, e *oauthsession.Entry) (*url.URL, error)

type UIURLBuilderAuthUIEndpointsProvider

type UIURLBuilderAuthUIEndpointsProvider interface {
	OAuthEntrypointURL() *url.URL
	SettingsChangePasswordURL() *url.URL
	SettingsDeleteAccountURL() *url.URL
}

type UserProvider

type UserProvider interface {
	Get(ctx context.Context, id string, role accesscontrol.Role) (*model.User, error)
}

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL