oauth

Published: Dec 18, 2024 License: Apache-2.0 Imports: 40 Imported by: 1


Constants

// DeviceSSOScope is the scope value for device SSO. What granting it unlocks
// (compare OfflineGrant.SSOEnabled and the device-secret fields) is decided by
// the callers that check for it, not by this declaration.
const DeviceSSOScope = "device_sso"
// FullAccessScope is the Authgear-specific "full access" scope. Its URL form
// keeps it out of the standard OIDC scope namespace. NOTE(review): presumably
// only first-party clients (ClientLike.IsFirstParty) may be granted it —
// confirm where that restriction is enforced; it is not visible here.
const FullAccessScope = "https://authgear.com/scopes/full-access"
// FullUserInfoScope is the Authgear-specific scope for the full user-info
// payload, as opposed to the standard OIDC profile/email scopes. Whether it
// may be granted to third-party clients is decided by the callers — confirm.
const FullUserInfoScope = "https://authgear.com/scopes/full-userinfo"
// OfflineAccess is the standard OpenID Connect "offline_access" scope, which a
// client requests to obtain a refresh token (compare OfflineGrant).
const OfflineAccess = "offline_access"
// PreAuthenticatedURLScope is the scope associated with pre-authenticated URL
// tokens (see PreAuthenticatedURLToken and PreAuthenticatedURLTokenLifetime).
const PreAuthenticatedURLScope = "https://authgear.com/scopes/pre-authenticated-url"
// PreAuthenticatedURLTokenLifetime bounds how long a PreAuthenticatedURLToken
// stays valid (see its ExpireAt). duration.Short is a project constant whose
// value is not visible here; a URL-borne token can end up in logs and browser
// history, so the lifetime should stay short.
const (
	PreAuthenticatedURLTokenLifetime = duration.Short
)

Variables

// ClientLikeNotFound is the least-privilege ClientLike: not first party, no PII
// in the ID token, and no Scopes. It is a shared package-level pointer, so
// callers must treat it as read-only. NOTE(review): presumably used when a
// client ID cannot be resolved — confirm in ClientClientLike/SessionClientLike.
var ClientLikeNotFound = &ClientLike{
	IsFirstParty:        false,
	PIIAllowedInIDToken: false,
}
// ErrAuthorizationNotFound is returned when the requested Authorization does
// not exist. Compare with errors.Is, since it may be wrapped.
var ErrAuthorizationNotFound = errors.New("oauth authorization not found")
// ErrAuthorizationScopesNotGranted is returned when an Authorization exists but
// does not cover the requested scopes (compare Authorization.IsAuthorized).
var ErrAuthorizationScopesNotGranted = errors.New("oauth authorization scopes not granted")
// ErrGrantNotFound is returned when a grant (code, access, offline, ...) cannot
// be found by its hash or ID. Compare with errors.Is.
var ErrGrantNotFound = errors.New("oauth grant not found")
// ErrUnmatchedClient signals that a client ID does not match the one expected.
// Callers should map it to a generic error response rather than echo which
// client ID was expected.
var ErrUnmatchedClient = errors.New("unmatched client ID")
// ErrUnmatchedSession signals that a session ID does not match the one expected
// (compare OfflineGrant.EqualSession). Map it to a generic error response.
var ErrUnmatchedSession = errors.New("unmatched session ID")

Functions

func ContainsAllScopes

// ContainsAllScopes reports whether every entry of shouldContainsScopes is
// present in scopes. The matching rule (exact string vs. case-insensitive)
// lives in the body, not visible here — confirm before relying on it for
// authorization decisions.
func ContainsAllScopes(scopes []string, shouldContainsScopes []string) bool

func DecodeRefreshToken

// DecodeRefreshToken splits an encoded refresh token (see EncodeRefreshToken)
// back into the raw token and the grant ID. On a non-nil err the input was
// malformed and token/grantID must not be used. The input is client-supplied.
func DecodeRefreshToken(encodedToken string) (token string, grantID string, err error)

func EncodeRefreshToken

// EncodeRefreshToken combines token and grantID into the single opaque string
// handed to the client; DecodeRefreshToken is its inverse. The encoding is
// defined in the body, not visible here.
func EncodeRefreshToken(token string, grantID string) string

func FormPost

// FormPost writes an HTML page that submits response to redirectURI by POST
// (the form_post response mode). redirectURI must already be validated against
// the client's registered redirect URIs, and every response value must be
// HTML-escaped when rendered — neither is verifiable from this signature.
func FormPost(w http.ResponseWriter, r *http.Request, redirectURI *url.URL, response map[string]string)

func GenerateToken

// GenerateToken returns a fresh random token string. NOTE(review): the entropy
// source is in the body, not visible here; it must be crypto/rand, never
// math/rand, since the result is a bearer secret.
func GenerateToken() string

func HTMLRedirect

// HTMLRedirect sends the user agent to redirectURI via an HTML page rather than
// a 3xx response. redirectURI must be pre-validated against the client's
// registered URIs and escaped when embedded; that is not verifiable here.
func HTMLRedirect(rw http.ResponseWriter, r *http.Request, redirectURI string)

func HashToken

// HashToken returns the hash form of token, which is what the *TokenHash and
// *Hash fields in this package store so raw tokens are never persisted.
// NOTE(review): the hash algorithm is in the body; it must be a cryptographic
// hash.
func HashToken(token string) string

func RequireScope

// RequireScope is HTTP middleware. Per the package documentation it passes a
// request when the resolved session holds one of scopes; with no scopes given
// it only checks that the session is valid. How a missing session is rejected
// (status code) is in the body.
func RequireScope(scopes ...string) func(http.Handler) http.Handler

RequireScope allows a request to pass if the session contains one of the required scopes. If there are no required scopes, only the validity of the session is checked.

func SessionScopes

// SessionScopes returns the scopes carried by the resolved session s (for an
// offline grant, compare OfflineGrantSession.Scopes). How an IdP session maps
// to scopes is in the body.
func SessionScopes(s session.ResolvedSession) []string

func WriteResponse

// WriteResponse delivers response to redirectURI according to responseMode
// (presumably dispatching to FormPost or a redirect — confirm in the body).
// redirectURI must be validated before this is called.
func WriteResponse(w http.ResponseWriter, r *http.Request, redirectURI *url.URL, responseMode string, response map[string]string)

Types

type AccessGrant

// AccessGrant is the stored record of an issued access token. Only the hash of
// the token (TokenHash) is kept — there is no raw-token field — so a leaked
// store does not directly yield usable tokens. SessionKind tells whether the
// grant belongs to an offline grant or an IdP session (see GrantSessionKind).
type AccessGrant struct {
	AppID           string           `json:"app_id"`
	AuthorizationID string           `json:"authz_id"`
	SessionID       string           `json:"session_id"`
	SessionKind     GrantSessionKind `json:"session_kind"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	Scopes    []string  `json:"scopes"`
	TokenHash string    `json:"token_hash"`
	// RefreshTokenHash only exists when session_kind is offline_grant.
	RefreshTokenHash string `json:"refresh_token_hash"`
}

type AccessGrantService

// AccessGrantService issues access grants (see IssueAccessGrant). AppID is
// presumably written into each AccessGrant.AppID; AccessTokenIssuer turns a
// grant into the encoded token returned to the client; Clock supplies
// CreatedAt/ExpireAt.
type AccessGrantService struct {
	AppID config.AppID

	AccessGrants      AccessGrantStore
	AccessTokenIssuer AccessTokenEncoding
	Clock             clock.Clock
}

func (*AccessGrantService) IssueAccessGrant

// IssueAccessGrant creates and stores an AccessGrant for client with scopes,
// bound to authzID, userID and the session identified by sessionID/sessionKind,
// and returns the token to hand to the client. refreshTokenHash is only
// meaningful when sessionKind is GrantSessionKindOffline (see
// AccessGrant.RefreshTokenHash). The caller is responsible for having checked
// that scopes were actually authorized.
func (s *AccessGrantService) IssueAccessGrant(
	ctx context.Context,
	client *config.OAuthClientConfig,
	scopes []string,
	authzID string,
	userID string,
	sessionID string,
	sessionKind GrantSessionKind,
	refreshTokenHash string,
) (*IssueAccessGrantResult, error)

type AccessGrantStore

// AccessGrantStore persists AccessGrant records keyed by token hash. Callers
// hash the presented token before lookup (GetAccessGrant takes tokenHash);
// the raw token never reaches the store.
type AccessGrantStore interface {
	GetAccessGrant(ctx context.Context, tokenHash string) (*AccessGrant, error)
	CreateAccessGrant(ctx context.Context, g *AccessGrant) error
	DeleteAccessGrant(ctx context.Context, g *AccessGrant) error
}

type AccessTokenDecoder

// AccessTokenDecoder turns the client-presented encoded access token into tok.
// isHash presumably reports whether tok is already the stored hash form rather
// than a raw token — NOTE(review): inferred from the name; confirm in
// AccessTokenEncoding.DecodeAccessToken.
type AccessTokenDecoder interface {
	DecodeAccessToken(encodedToken string) (tok string, isHash bool, err error)
}

type AccessTokenEncoding

// AccessTokenEncoding encodes access tokens for clients and decodes the ones
// they present (it satisfies AccessTokenDecoder). Secrets holds the key
// material used for that encoding and must never leave the server;
// IDTokenIssuer, BaseURL, Events and Identities feed claims and side effects
// into EncodeAccessToken.
type AccessTokenEncoding struct {
	Secrets       *config.OAuthKeyMaterials
	Clock         clock.Clock
	IDTokenIssuer IDTokenIssuer
	BaseURL       BaseURLProvider
	Events        EventService
	Identities    AccessTokenEncodingIdentityService
}

func (*AccessTokenEncoding) DecodeAccessToken

// DecodeAccessToken validates and decodes a client-presented access token.
// encodedToken is untrusted input; any signature check happens in the body and
// must be performed before tok is trusted.
func (e *AccessTokenEncoding) DecodeAccessToken(encodedToken string) (tok string, isHash bool, err error)

func (*AccessTokenEncoding) EncodeAccessToken

// EncodeAccessToken produces the access token string for grant, issued to
// client/clientLike for userID. clientLike carries the PIIAllowedInIDToken and
// IsFirstParty flags that presumably gate which claims are embedded — confirm
// in the body. token is the raw token whose hash is in grant.TokenHash.
func (e *AccessTokenEncoding) EncodeAccessToken(ctx context.Context, client *config.OAuthClientConfig, clientLike *ClientLike, grant *AccessGrant, userID string, token string) (string, error)

type AccessTokenEncodingIdentityService

// AccessTokenEncodingIdentityService is the slice of the identity service that
// AccessTokenEncoding needs: the identities of userID that carry standard
// attributes (used as a claims source).
type AccessTokenEncodingIdentityService interface {
	ListIdentitiesThatHaveStandardAttributes(ctx context.Context, userID string) ([]*identity.Info, error)
}

type AppSession

// AppSession is a stored app session derived from an offline grant
// (OfflineGrantID). Both TokenHash and RefreshTokenHash are hashes; no raw
// secret is stored. The field set is identical to AppSessionToken.
type AppSession struct {
	AppID          string `json:"app_id"`
	OfflineGrantID string `json:"offline_grant_id"`

	CreatedAt        time.Time `json:"created_at"`
	ExpireAt         time.Time `json:"expire_at"`
	TokenHash        string    `json:"token_hash"`
	RefreshTokenHash string    `json:"refresh_token_hash"`
}

type AppSessionStore

// AppSessionStore persists AppSession records keyed by token hash.
type AppSessionStore interface {
	GetAppSession(ctx context.Context, tokenHash string) (*AppSession, error)
	CreateAppSession(ctx context.Context, s *AppSession) error
	DeleteAppSession(ctx context.Context, s *AppSession) error
}

type AppSessionToken

// AppSessionToken is the stored record of a token that can be exchanged for an
// AppSession (see AppSessionTokenService.Exchange). Only hashes are stored.
// The field set is identical to AppSession.
type AppSessionToken struct {
	AppID          string `json:"app_id"`
	OfflineGrantID string `json:"offline_grant_id"`

	CreatedAt        time.Time `json:"created_at"`
	ExpireAt         time.Time `json:"expire_at"`
	TokenHash        string    `json:"token_hash"`
	RefreshTokenHash string    `json:"refresh_token_hash"`
}

type AppSessionTokenInput

// AppSessionTokenInput is the client-supplied pair for an app session token
// exchange. AppSessionToken is a bearer secret (do not log it). RedirectURI is
// attacker-controllable until validated against the client's registered
// redirect URIs; that validation is not visible here.
type AppSessionTokenInput struct {
	AppSessionToken string
	RedirectURI     string
}

type AppSessionTokenService

// AppSessionTokenService exchanges app session tokens for app sessions
// (Exchange) and handles the corresponding HTTP flow (Handle). Cookies builds
// the cookie that carries the resulting session; OfflineGrantService resolves
// the backing offline grant.
type AppSessionTokenService struct {
	AppSessions         AppSessionStore
	AppSessionTokens    AppSessionTokenStore
	OfflineGrantService AppSessionTokenServiceOfflineGrantService
	Cookies             AppSessionTokenServiceCookieManager
	Clock               clock.Clock
}

func (*AppSessionTokenService) Exchange

// Exchange consumes appSessionToken and returns the resulting token string.
// NOTE(review): the token should be single-use; AppSessionTokenStore has
// DeleteAppSessionToken, but whether Exchange deletes after a successful
// lookup is in the body — confirm.
func (s *AppSessionTokenService) Exchange(ctx context.Context, appSessionToken string) (string, error)

func (*AppSessionTokenService) Handle

type AppSessionTokenServiceCookieManager

// AppSessionTokenServiceCookieManager builds the cookie that carries value.
// Cookie attributes (Secure, HttpOnly, SameSite) presumably come from def,
// which is configured elsewhere — confirm they are set for a session cookie.
type AppSessionTokenServiceCookieManager interface {
	ValueCookie(def *httputil.CookieDef, value string) *http.Cookie
}

type AppSessionTokenServiceOfflineGrantService

// AppSessionTokenServiceOfflineGrantService is the narrow view of
// *OfflineGrantService that AppSessionTokenService needs (GetOfflineGrant
// matches the method on OfflineGrantService).
type AppSessionTokenServiceOfflineGrantService interface {
	GetOfflineGrant(ctx context.Context, id string) (*OfflineGrant, error)
}

type AppSessionTokenStore

// AppSessionTokenStore persists AppSessionToken records keyed by token hash.
type AppSessionTokenStore interface {
	GetAppSessionToken(ctx context.Context, tokenHash string) (*AppSessionToken, error)
	CreateAppSessionToken(ctx context.Context, t *AppSessionToken) error
	DeleteAppSessionToken(ctx context.Context, t *AppSessionToken) error
}

type Authorization

// Authorization records a user's consent for a client and the Scopes granted.
// Its methods use value receivers, so the struct is copied, but Scopes is a
// slice and shares its backing array between copies.
type Authorization struct {
	ID        string
	AppID     string
	ClientID  string
	UserID    string
	CreatedAt time.Time
	UpdatedAt time.Time
	Scopes    []string
}

func ApplyAuthorizationFilters

// ApplyAuthorizationFilters returns the authorizations that every filter keeps.
// With no filters the input is presumably returned unchanged — confirm.
func ApplyAuthorizationFilters(authzs []*Authorization, filters ...AuthorizationFilter) (out []*Authorization)

func (Authorization) IsAuthorized

// IsAuthorized reports whether z's granted Scopes cover scopes (compare
// ContainsAllScopes).
func (z Authorization) IsAuthorized(scopes []string) bool

func (Authorization) ToAPIModel

// ToAPIModel converts z to its public API representation.
func (z Authorization) ToAPIModel() *model.Authorization

func (Authorization) WithScopesAdded

// WithScopesAdded returns an Authorization whose Scopes include scopes. The
// value receiver means z itself is not modified, but because Scopes is a slice
// the result may alias z.Scopes' backing array depending on the body.
func (z Authorization) WithScopesAdded(scopes []string) *Authorization

type AuthorizationFilter

// AuthorizationFilter decides whether an Authorization is retained by
// ApplyAuthorizationFilters; Keep returns true to retain authz.
type AuthorizationFilter interface {
	Keep(authz *Authorization) bool
}

type AuthorizationFilterFunc

// AuthorizationFilterFunc adapts a plain function to AuthorizationFilter.
type AuthorizationFilterFunc func(a *Authorization) bool

func (AuthorizationFilterFunc) Keep

type AuthorizationService

// AuthorizationService checks and records user consent (Check, CheckAndGrant)
// and manages stored authorizations. Note OfflineGrantService is held as a
// concrete pointer while the other collaborators are interfaces.
type AuthorizationService struct {
	AppID               config.AppID
	Store               AuthorizationStore
	Clock               clock.Clock
	OAuthSessionManager OfflineGrantSessionManager
	OfflineGrantService *OfflineGrantService
	OfflineGrantStore   OfflineGrantStore
}

func (*AuthorizationService) Check

// Check returns the existing Authorization of userID for clientID if it covers
// scopes. Expected failures are ErrAuthorizationNotFound and
// ErrAuthorizationScopesNotGranted (see the package errors); it does not grant
// anything — compare CheckAndGrant.
func (s *AuthorizationService) Check(
	ctx context.Context,
	clientID string,
	userID string,
	scopes []string,
) (*Authorization, error)

func (*AuthorizationService) CheckAndGrant

// CheckAndGrant is Check plus creation/extension of the Authorization so that
// it covers scopes. Only call it after the user has consented; it is the
// mutating counterpart of Check.
func (s *AuthorizationService) CheckAndGrant(
	ctx context.Context,
	clientID string,
	userID string,
	scopes []string,
) (*Authorization, error)

func (*AuthorizationService) Delete

func (*AuthorizationService) GetByID

func (*AuthorizationService) ListByUser

// ListByUser lists userID's authorizations, reduced by filters (compare
// ApplyAuthorizationFilters).
func (s *AuthorizationService) ListByUser(ctx context.Context, userID string, filters ...AuthorizationFilter) ([]*Authorization, error)

type AuthorizationStore

// AuthorizationStore persists Authorization records. Get is keyed by the
// (userID, clientID) pair; ResetAll presumably removes every authorization of
// userID, and UpdateScopes persists a changed Scopes list — confirm both in
// the implementation.
type AuthorizationStore interface {
	Get(ctx context.Context, userID, clientID string) (*Authorization, error)
	GetByID(ctx context.Context, id string) (*Authorization, error)
	ListByUserID(ctx context.Context, userID string) ([]*Authorization, error)
	Create(ctx context.Context, a *Authorization) error
	Delete(ctx context.Context, a *Authorization) error
	ResetAll(ctx context.Context, userID string) error
	UpdateScopes(ctx context.Context, a *Authorization) error
}

type BaseURLProvider

// BaseURLProvider supplies the server origin used when building absolute URLs
// and issuer-style values.
type BaseURLProvider interface {
	Origin() *url.URL
}

type ClientLike

// ClientLike is the subset of client properties the token code decides on:
// IsFirstParty and PIIAllowedInIDToken are trust flags, Scopes the scopes in
// play. ClientLikeNotFound is the least-privilege value for an unresolved
// client.
type ClientLike struct {
	IsFirstParty        bool
	PIIAllowedInIDToken bool
	Scopes              []string
}

func ClientClientLike

// ClientClientLike builds a ClientLike from a client's static configuration
// plus the scopes in play. Behaviour for a nil client is in the body —
// confirm it yields ClientLikeNotFound rather than panicking.
func ClientClientLike(client *config.OAuthClientConfig, scopes []string) *ClientLike

func SessionClientLike

// SessionClientLike derives a ClientLike for the client that owns session s,
// resolving the client configuration through clientResolver.
func SessionClientLike(s session.ResolvedSession, clientResolver OAuthClientResolver) *ClientLike

type CodeGrant

// CodeGrant is the stored authorization code. CodeHash is the hash of the
// code; the code itself is not stored. DPoPJKT binds the code to the client's
// DPoP key (RFC 9449) and is checked by MatchDPoPJKT. RedirectURI and
// AuthorizationRequest are kept presumably so the token endpoint can compare
// them with what the client sends at exchange time — NOTE(review): inferred;
// confirm.
type CodeGrant struct {
	AppID              string               `json:"app_id"`
	AuthorizationID    string               `json:"authz_id"`
	AuthenticationInfo authenticationinfo.T `json:"authentication_info"`
	IDTokenHintSID     string               `json:"id_token_hint_sid"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	CodeHash  string    `json:"code_hash"`
	DPoPJKT   string    `json:"dpop_jkt"`

	RedirectURI          string                        `json:"redirect_uri"`
	AuthorizationRequest protocol.AuthorizationRequest `json:"authorization_request"`
}

func (*CodeGrant) MatchDPoPJKT

// MatchDPoPJKT reports whether proof's key thumbprint matches g.DPoPJKT.
// NOTE(review): how a nil proof or an empty stored DPoPJKT is treated is in
// the body — confirm that an empty DPoPJKT does not match every proof, and
// that a bound code is rejected when no proof is presented.
func (g *CodeGrant) MatchDPoPJKT(proof *dpop.DPoPProof) bool

type CodeGrantStore

// CodeGrantStore persists CodeGrant records keyed by the code hash. An
// authorization code must be single-use; that depends on the caller invoking
// DeleteCodeGrant right after a successful GetCodeGrant (the store has no
// combined fetch-and-delete), so confirm the exchange path does so before
// issuing tokens.
type CodeGrantStore interface {
	GetCodeGrant(ctx context.Context, codeHash string) (*CodeGrant, error)
	CreateCodeGrant(ctx context.Context, g *CodeGrant) error
	DeleteCodeGrant(ctx context.Context, g *CodeGrant) error
}

type CreateNewRefreshTokenResult

// CreateNewRefreshTokenResult carries a freshly minted refresh token. Token is
// the raw secret to return to the client and must not be logged or stored;
// TokenHash is the stored form (compare OfflineGrantRefreshToken.TokenHash).
type CreateNewRefreshTokenResult struct {
	Token     string
	TokenHash string
}

type EndpointsProvider

// EndpointsProvider supplies the absolute URLs of the OAuth endpoints, used for
// discovery metadata (see MetadataProvider).
type EndpointsProvider interface {
	AuthorizeEndpointURL() *url.URL
	ConsentEndpointURL() *url.URL
	TokenEndpointURL() *url.URL
	RevokeEndpointURL() *url.URL
}

type EventService

// EventService dispatches an event once the surrounding transaction commits,
// so consumers never observe events for rolled-back work.
type EventService interface {
	DispatchEventOnCommit(ctx context.Context, payload event.Payload) error
}

type GrantSessionKind

// GrantSessionKind tells which kind of session an AccessGrant is bound to.
type GrantSessionKind string

const (
	// GrantSessionKindOffline: the grant belongs to an OfflineGrant (refresh-token based).
	GrantSessionKindOffline GrantSessionKind = "offline_grant"
	// GrantSessionKindSession: the grant belongs to an IdP (browser) session.
	GrantSessionKindSession GrantSessionKind = "idp_session"
)

type IDTokenIssuer

// IDTokenIssuer supplies the issuer value (Iss) and fills user claims into an
// ID token. clientLike is passed so the implementation can gate PII on
// ClientLike.PIIAllowedInIDToken — NOTE(review): inferred from the field
// name; confirm the implementation honours it.
type IDTokenIssuer interface {
	Iss() string
	PopulateUserClaimsInIDToken(ctx context.Context, token jwt.Token, userID string, clientLike *ClientLike) error
}

type IssueAccessGrantResult

// IssueAccessGrantResult mirrors the RFC 6749 token response fields
// access_token / token_type / expires_in. ExpiresIn is therefore presumably in
// seconds — confirm. Token is a bearer secret; do not log it.
type IssueAccessGrantResult struct {
	Token     string
	TokenType string
	ExpiresIn int
}

type KeepThirdPartyAuthorizationFilter

// KeepThirdPartyAuthorizationFilter is an AuthorizationFilter that presumably
// keeps only authorizations whose ClientID is in ThirdPartyClientIDSet —
// confirm in Keep. Build it with NewKeepThirdPartyAuthorizationFilter.
type KeepThirdPartyAuthorizationFilter struct {
	ThirdPartyClientIDSet setutil.Set[string]
}

func NewKeepThirdPartyAuthorizationFilter

// NewKeepThirdPartyAuthorizationFilter derives the third-party client ID set
// from oauthConfig. Behaviour for a nil oauthConfig is in the body — confirm.
func NewKeepThirdPartyAuthorizationFilter(oauthConfig *config.OAuthConfig) *KeepThirdPartyAuthorizationFilter

func (*KeepThirdPartyAuthorizationFilter) Keep

type LoginHint

// LoginHint is the parsed form of a login_hint value (see ParseLoginHint and
// String). Only the fields for the given Type are meaningful. JWT and
// AppSessionToken carry bearer material, so do not log a LoginHint wholesale;
// the value originates from the client request and is untrusted.
type LoginHint struct {
	Type    LoginHintType
	Enforce bool

	// Specific to LoginHintTypeAnonymous
	PromotionCode string
	JWT           string

	// Specific to LoginHintTypeAppSessionToken
	AppSessionToken string

	// Specific to LoginHintTypeLoginID
	LoginIDEmail    string
	LoginIDUsername string
	LoginIDPhone    string
}

func ParseLoginHint

// ParseLoginHint parses the login_hint string s sent by a client. The input is
// untrusted; a non-nil error means s was not a recognised hint. Which Type
// values and encodings are accepted is in the body.
func ParseLoginHint(s string) (*LoginHint, error)

func (*LoginHint) String

// String serialises h back to the login_hint wire form. Because it includes
// JWT/AppSessionToken when set, avoid printing it with %v/%s in logs.
func (h *LoginHint) String() string

type LoginHintType

// LoginHintType discriminates the kinds of login hint (see LoginHint).
type LoginHintType string

const (
	LoginHintTypeAnonymous LoginHintType = "anonymous"
	// nolint: gosec
	// The value below is a type discriminator, not a credential; the suppression
	// is presumably for gosec's hardcoded-credential heuristic, which keys on
	// the word "token" in the name.
	LoginHintTypeAppSessionToken LoginHintType = "app_session_token"
	LoginHintTypeLoginID         LoginHintType = "login_id"
)

type MetadataProvider

// MetadataProvider fills OAuth discovery metadata from Endpoints.
type MetadataProvider struct {
	Endpoints EndpointsProvider
}

func (*MetadataProvider) PopulateMetadata

// PopulateMetadata writes the endpoint URLs (and whatever else the body adds)
// into meta, mutating it in place; meta must be non-nil.
func (p *MetadataProvider) PopulateMetadata(meta map[string]interface{})

type OAuthClientResolver

// OAuthClientResolver looks up a client's configuration by ID. NOTE(review):
// the pointer return suggests nil for an unknown clientID — confirm, and
// nil-check at every call site (compare ClientLikeNotFound).
type OAuthClientResolver interface {
	ResolveClient(clientID string) *config.OAuthClientConfig
}

type OfflineGrant

// OfflineGrant is a long-lived, refresh-token-backed session. One grant can
// carry several refresh tokens, one per client (RefreshTokens); an individual
// token's view of the grant is OfflineGrantSession (see ToSession). Secrets are
// stored only as hashes (DeviceSecretHash, each RefreshTokens[i].TokenHash);
// the DPoP thumbprints bind them to client keys (RFC 9449).
type OfflineGrant struct {
	AppID           string `json:"app_id"`
	ID              string `json:"id"`
	InitialClientID string `json:"client_id"`
	// IDPSessionID refers to the IDP session.
	IDPSessionID string `json:"idp_session_id,omitempty"`
	// IdentityID refers to the identity.
	// It is only set for biometric authentication.
	IdentityID string `json:"identity_id,omitempty"`

	CreatedAt       time.Time `json:"created_at"`
	AuthenticatedAt time.Time `json:"authenticated_at"`

	Attrs      session.Attrs `json:"attrs"`
	AccessInfo access.Info   `json:"access_info"`

	// DeviceInfo is client-reported and therefore untrusted; treat it as display data.
	DeviceInfo map[string]interface{} `json:"device_info,omitempty"`

	SSOEnabled bool `json:"sso_enabled,omitempty"`

	// App2AppDeviceKeyJWKJSON is presumably the device's public key as JWK JSON — confirm no private part is ever stored here.
	App2AppDeviceKeyJWKJSON string `json:"app2app_device_key_jwk_json"`
	DeviceSecretHash        string `json:"device_secret_hash"`
	DeviceSecretDPoPJKT     string `json:"device_secret_dpop_jkt"`

	RefreshTokens []OfflineGrantRefreshToken `json:"refresh_tokens,omitempty"`

	ParticipatedSAMLServiceProviderIDs []string `json:"participated_saml_service_provider_ids,omitempty"`

	// Readonly fields for backward compatibility.
	// Write these fields in OfflineGrantRefreshToken
	Deprecated_AuthorizationID string   `json:"authz_id"`
	Deprecated_Scopes          []string `json:"scopes"`
	Deprecated_TokenHash       string   `json:"token_hash"`

	// ExpireAtForResolvedSession is a transient field that tells when the session will expire at, computed now.
	// Note that ExpireAtForResolvedSession will keep changing if idle timeout is enabled.
	// This is NOT supposed to be stored, hence it is json-ignored.
	ExpireAtForResolvedSession time.Time `json:"-"`
}

func (*OfflineGrant) EqualSession

// EqualSession reports whether ss denotes this same offline grant. Compare
// IsSameSSOGroup, which is broader.
func (g *OfflineGrant) EqualSession(ss session.SessionBase) bool

func (*OfflineGrant) GetAccessInfo

// GetAccessInfo returns a pointer into g.AccessInfo; mutations through it
// change the grant.
func (g *OfflineGrant) GetAccessInfo() *access.Info

func (*OfflineGrant) GetAllRemovableTokenHashesExcludeClientIDs

// GetAllRemovableTokenHashesExcludeClientIDs returns the refresh-token hashes
// not belonging to any of clientIDs, and whether removing them would leave the
// grant with no tokens, in which case the whole grant should be removed.
func (g *OfflineGrant) GetAllRemovableTokenHashesExcludeClientIDs(
	clientIDs []string) (tokenHashes []string, shouldRemoveOfflinegrant bool)

func (*OfflineGrant) GetAuthenticatedAt

// GetAuthenticatedAt returns g.AuthenticatedAt.
func (g *OfflineGrant) GetAuthenticatedAt() time.Time

func (*OfflineGrant) GetAuthenticationInfo

// GetAuthenticationInfo builds the authentication info describing how this
// grant was established.
func (g *OfflineGrant) GetAuthenticationInfo() authenticationinfo.T

func (*OfflineGrant) GetCreatedAt

// GetCreatedAt returns g.CreatedAt.
func (g *OfflineGrant) GetCreatedAt() time.Time

func (*OfflineGrant) GetDeviceInfo

// GetDeviceInfo returns the client-reported device info and whether any is set.
func (g *OfflineGrant) GetDeviceInfo() (map[string]interface{}, bool)

func (*OfflineGrant) GetOIDCAMR

// GetOIDCAMR returns the OIDC "amr" (authentication methods) values for the
// grant and whether any are available.
func (g *OfflineGrant) GetOIDCAMR() ([]string, bool)

func (*OfflineGrant) GetParticipatedSAMLServiceProviderIDsSet

// GetParticipatedSAMLServiceProviderIDsSet returns ParticipatedSAMLServiceProviderIDs
// as a set. Note the receiver is named s here while every other method uses g.
func (s *OfflineGrant) GetParticipatedSAMLServiceProviderIDsSet() setutil.Set[string]

func (*OfflineGrant) GetRemovableTokenHashesByAuthorizationID

// GetRemovableTokenHashesByAuthorizationID returns the refresh-token hashes
// issued under authorizationID, and whether removing them would empty the grant
// so that the whole grant should be removed.
func (g *OfflineGrant) GetRemovableTokenHashesByAuthorizationID(
	authorizationID string) (tokenHashes []string, shouldRemoveOfflinegrant bool)

func (*OfflineGrant) GetScopes

// GetScopes returns the scopes this grant holds for clientID. Scopes are
// per-client (see OfflineGrantRefreshToken.Scopes), so always pass the calling
// client's ID rather than InitialClientID.
func (g *OfflineGrant) GetScopes(clientID string) []string

func (*OfflineGrant) GetUserID

// GetUserID returns the user this grant belongs to (taken from Attrs).
func (g *OfflineGrant) GetUserID() string

func (*OfflineGrant) HasAllScopes

// HasAllScopes reports whether the scopes held for clientID cover
// requiredScopes (compare GetScopes and ContainsAllScopes).
func (g *OfflineGrant) HasAllScopes(clientID string, requiredScopes []string) bool

func (*OfflineGrant) HasClientID

// HasClientID reports whether any refresh token in g belongs to clientID.
func (g *OfflineGrant) HasClientID(clientID string) bool

func (*OfflineGrant) HasValidTokens

// HasValidTokens reports whether g still has any usable refresh token; a grant
// with none should be removed (compare the shouldRemoveOfflinegrant results).
func (g *OfflineGrant) HasValidTokens() bool

func (*OfflineGrant) IsOnlyUsedInClientIDs

// IsOnlyUsedInClientIDs reports whether every refresh token in g belongs to one
// of clientIDs.
func (g *OfflineGrant) IsOnlyUsedInClientIDs(clientIDs []string) bool

func (*OfflineGrant) IsSameSSOGroup

func (g *OfflineGrant) IsSameSSOGroup(ss session.SessionBase) bool

IsSameSSOGroup returns true when the session argument is the same offline grant, is an IdP session in the same SSO group (the current offline grant needs to be SSO-enabled), or is an offline grant in the same SSO group (the current offline grant needs to be SSO-enabled).

func (*OfflineGrant) ListableSession

// ListableSession is a marker method, presumably satisfying
// session.ListableSession — confirm; it has no behaviour.
func (g *OfflineGrant) ListableSession()

func (*OfflineGrant) MatchDeviceSecretDPoPJKT

// MatchDeviceSecretDPoPJKT reports whether proof's key thumbprint matches
// g.DeviceSecretDPoPJKT. NOTE(review): as with CodeGrant.MatchDPoPJKT, confirm
// that an empty stored thumbprint or a nil proof is not treated as a match.
func (g *OfflineGrant) MatchDeviceSecretDPoPJKT(proof *dpop.DPoPProof) bool

func (*OfflineGrant) MatchHash

// MatchHash reports whether refreshTokenHash is one of g's refresh-token
// hashes. The argument is already a hash (see HashToken), not a raw token.
func (g *OfflineGrant) MatchHash(refreshTokenHash string) bool

func (*OfflineGrant) SSOGroupIDPSessionID

// SSOGroupIDPSessionID returns the IdP session ID that identifies g's SSO group
// (compare IDPSessionID and IsSameSSOGroup).
func (g *OfflineGrant) SSOGroupIDPSessionID() string

func (*OfflineGrant) SessionID

// SessionID returns the grant's session identifier (its ID).
func (g *OfflineGrant) SessionID() string

func (*OfflineGrant) SessionType

// SessionType returns the session.Type for offline grants.
func (g *OfflineGrant) SessionType() session.Type

func (*OfflineGrant) ToAPIModel

// ToAPIModel converts g to its public API representation. It must not expose
// hashes or the device key material; confirm in the body.
func (g *OfflineGrant) ToAPIModel() *model.Session

func (*OfflineGrant) ToSession

// ToSession returns the OfflineGrantSession for the refresh token whose hash is
// refreshTokenHash, and false when g has no such token.
func (g *OfflineGrant) ToSession(refreshTokenHash string) (*OfflineGrantSession, bool)

type OfflineGrantRefreshToken

// OfflineGrantRefreshToken is one client's refresh token inside an
// OfflineGrant: only the hash is stored, scopes are per token, and DPoPJKT
// binds the token to the client's DPoP key when set.
type OfflineGrantRefreshToken struct {
	TokenHash       string    `json:"token_hash"`
	ClientID        string    `json:"client_id"`
	CreatedAt       time.Time `json:"created_at"`
	Scopes          []string  `json:"scopes"`
	AuthorizationID string    `json:"authz_id"`
	DPoPJKT         string    `json:"dpop_jkt"`
}

type OfflineGrantService

// OfflineGrantService is the business logic around OfflineGrant: expiry
// computation (idle timeout against IDPSessions), access recording
// (AccessEvents, MeterService) and refresh-token minting. OfflineGrants is the
// underlying store.
type OfflineGrantService struct {
	OAuthConfig    *config.OAuthConfig
	Clock          clock.Clock
	IDPSessions    ServiceIDPSessionProvider
	ClientResolver OAuthClientResolver
	AccessEvents   OfflineGrantServiceAccessEventProvider
	MeterService   OfflineGrantServiceMeterService

	OfflineGrants OfflineGrantStore
}

func (*OfflineGrantService) AccessOfflineGrant

// AccessOfflineGrant loads grantID and records accessEvent against it (see the
// package documentation for the three side effects). expireAt is written
// through to the store together with the last-access update.
func (s *OfflineGrantService) AccessOfflineGrant(ctx context.Context, grantID string, accessEvent *access.Event, expireAt time.Time) (*OfflineGrant, error)

AccessOfflineGrant accesses the OAuth offline grant with three targeted side effects: (1) it sets grant.AccessInfo.LastAccess to the new accessEvent (inside UpdateOfflineGrantLastAccess); (2) it calls RecordAccess; (3) it calls TrackActiveUser.

func (*OfflineGrantService) AddSAMLServiceProviderParticipant

// AddSAMLServiceProviderParticipant records serviceProviderID in the grant's
// ParticipatedSAMLServiceProviderIDs and returns the updated grant.
func (s *OfflineGrantService) AddSAMLServiceProviderParticipant(
	ctx context.Context,
	grant *OfflineGrant,
	serviceProviderID string,
) (*OfflineGrant, error)

func (*OfflineGrantService) CheckSessionExpired

// CheckSessionExpired reports whether session has expired and the expiry time
// it was judged against (compare ComputeOfflineGrantExpiry). The parameter
// shadows the imported session package inside the body.
func (s *OfflineGrantService) CheckSessionExpired(session *OfflineGrant) (bool, time.Time, error)

func (*OfflineGrantService) ComputeOfflineGrantExpiry

// ComputeOfflineGrantExpiry computes when session expires as of now; the
// result feeds OfflineGrant.ExpireAtForResolvedSession and moves when idle
// timeout is enabled. The parameter shadows the imported session package.
func (s *OfflineGrantService) ComputeOfflineGrantExpiry(session *OfflineGrant) (expiry time.Time, err error)

func (*OfflineGrantService) CreateNewRefreshToken

// CreateNewRefreshToken mints a refresh token for clientID on grant, scoped to
// scopes under authorizationID and optionally bound to dpopJKT, and returns the
// raw token (see CreateNewRefreshTokenResult) plus the updated grant. The raw
// token exists only in the result; the store receives the hash.
func (s *OfflineGrantService) CreateNewRefreshToken(
	ctx context.Context,
	grant *OfflineGrant,
	clientID string,
	scopes []string,
	authorizationID string,
	dpopJKT string,
) (*CreateNewRefreshTokenResult, *OfflineGrant, error)

func (*OfflineGrantService) GetOfflineGrant

// GetOfflineGrant loads grant id and, unlike
// OfflineGrantStore.GetOfflineGrantWithoutExpireAt, presumably fills in the
// computed expiry — confirm in the body.
func (s *OfflineGrantService) GetOfflineGrant(ctx context.Context, id string) (*OfflineGrant, error)

type OfflineGrantServiceAccessEventProvider

// OfflineGrantServiceAccessEventProvider records an access event for a session
// (the second side effect of AccessOfflineGrant).
type OfflineGrantServiceAccessEventProvider interface {
	RecordAccess(ctx context.Context, sessionID string, expiry time.Time, event *access.Event) error
}

type OfflineGrantServiceMeterService

// OfflineGrantServiceMeterService counts a user as active (the third side
// effect of AccessOfflineGrant).
type OfflineGrantServiceMeterService interface {
	TrackActiveUser(ctx context.Context, userID string) error
}

type OfflineGrantSession

// OfflineGrantSession is an OfflineGrant viewed through one of its refresh
// tokens (see OfflineGrant.ToSession): the per-token ClientID, Scopes,
// AuthorizationID and DPoPJKT are lifted out so callers authorize against the
// token that was actually presented, not the whole grant.
type OfflineGrantSession struct {
	OfflineGrant    *OfflineGrant
	CreatedAt       time.Time
	TokenHash       string
	ClientID        string
	Scopes          []string
	AuthorizationID string
	DPoPJKT         string
}

func (*OfflineGrantSession) CreateNewAuthenticationInfoByThisSession

// CreateNewAuthenticationInfoByThisSession builds authentication info that
// attributes a new authentication to this session (used when the session is
// the basis for issuing something new).
func (o *OfflineGrantSession) CreateNewAuthenticationInfoByThisSession() authenticationinfo.T

func (*OfflineGrantSession) GetAccessInfo

// GetAccessInfo delegates to the underlying OfflineGrant.
func (o *OfflineGrantSession) GetAccessInfo() *access.Info

func (*OfflineGrantSession) GetAuthenticationInfo

// GetAuthenticationInfo delegates to the underlying OfflineGrant.
func (o *OfflineGrantSession) GetAuthenticationInfo() authenticationinfo.T

func (*OfflineGrantSession) GetCreatedAt

// GetCreatedAt returns the creation time; whether that is the token's
// CreatedAt or the grant's is decided in the body.
func (o *OfflineGrantSession) GetCreatedAt() time.Time

func (*OfflineGrantSession) GetExpireAt

// GetExpireAt returns the session expiry, presumably
// OfflineGrant.ExpireAtForResolvedSession — confirm; that field is only
// meaningful after the expiry has been computed.
func (o *OfflineGrantSession) GetExpireAt() time.Time

func (*OfflineGrantSession) MatchDPoPJKT

// MatchDPoPJKT reports whether proof's key thumbprint matches this token's
// DPoPJKT. Receiver is named g here while the other methods use o. As with
// CodeGrant.MatchDPoPJKT, confirm the empty-thumbprint / nil-proof handling.
func (g *OfflineGrantSession) MatchDPoPJKT(proof *dpop.DPoPProof) bool

func (*OfflineGrantSession) SSOGroupIDPSessionID

// SSOGroupIDPSessionID delegates to the underlying OfflineGrant.
func (o *OfflineGrantSession) SSOGroupIDPSessionID() string

func (*OfflineGrantSession) Session

// Session is a marker method with no behaviour, presumably satisfying a session
// interface — confirm.
func (o *OfflineGrantSession) Session()

func (*OfflineGrantSession) SessionID

// SessionID returns the identifier used for this session; whether it is the
// grant ID or token-specific is decided in the body.
func (o *OfflineGrantSession) SessionID() string

func (*OfflineGrantSession) SessionType

// SessionType returns the session.Type for offline grant sessions.
func (o *OfflineGrantSession) SessionType() session.Type

type OfflineGrantSessionManager

// OfflineGrantSessionManager lists and deletes a user's listable sessions
// (satisfied by *SessionManager).
type OfflineGrantSessionManager interface {
	List(ctx context.Context, userID string) ([]session.ListableSession, error)
	Delete(ctx context.Context, session session.ListableSession) error
}

type OfflineGrantStore

// OfflineGrantStore persists OfflineGrant records. Every mutation takes an
// expireAt, presumably so the stored record's TTL is refreshed together with
// the change — confirm. GetOfflineGrantWithoutExpireAt, by its name, returns a
// grant whose ExpireAtForResolvedSession is not computed; use
// OfflineGrantService.GetOfflineGrant when the expiry is needed.
type OfflineGrantStore interface {
	GetOfflineGrantWithoutExpireAt(ctx context.Context, id string) (*OfflineGrant, error)
	CreateOfflineGrant(ctx context.Context, offlineGrant *OfflineGrant) error
	DeleteOfflineGrant(ctx context.Context, g *OfflineGrant) error

	UpdateOfflineGrantLastAccess(ctx context.Context, id string, accessEvent access.Event, expireAt time.Time) (*OfflineGrant, error)
	UpdateOfflineGrantDeviceInfo(ctx context.Context, id string, deviceInfo map[string]interface{}, expireAt time.Time) (*OfflineGrant, error)
	UpdateOfflineGrantAuthenticatedAt(ctx context.Context, id string, authenticatedAt time.Time, expireAt time.Time) (*OfflineGrant, error)
	UpdateOfflineGrantApp2AppDeviceKey(ctx context.Context, id string, newKey string, expireAt time.Time) (*OfflineGrant, error)
	// UpdateOfflineGrantDeviceSecretHash stores a new device-secret hash and its DPoP binding; the raw secret never reaches the store.
	UpdateOfflineGrantDeviceSecretHash(
		ctx context.Context,
		grantID string,
		newDeviceSecretHash string,
		dpopJKT string,
		expireAt time.Time) (*OfflineGrant, error)
	RemoveOfflineGrantRefreshTokens(ctx context.Context, grantID string, tokenHashes []string, expireAt time.Time) (*OfflineGrant, error)
	// AddOfflineGrantRefreshToken appends an OfflineGrantRefreshToken built from the given fields (hash only).
	AddOfflineGrantRefreshToken(
		ctx context.Context,
		grantID string,
		expireAt time.Time,
		tokenHash string,
		clientID string,
		scopes []string,
		authorizationID string,
		dpopJKT string,
	) (*OfflineGrant, error)
	AddOfflineGrantSAMLServiceProviderParticipant(
		ctx context.Context,
		grantID string,
		newServiceProviderID string,
		expireAt time.Time,
	) (*OfflineGrant, error)

	ListOfflineGrants(ctx context.Context, userID string) ([]*OfflineGrant, error)
	ListClientOfflineGrants(ctx context.Context, clientID string, userID string) ([]*OfflineGrant, error)

	// CleanUpForDeletingUserID removes everything belonging to userID when the user is deleted.
	CleanUpForDeletingUserID(ctx context.Context, userID string) error
}

type PreAuthenticatedURLToken

// PreAuthenticatedURLToken is the stored record of a token that lets a URL be
// opened as an already-authenticated user. Only the hash is stored; Scopes and
// ClientID bound what the token may be exchanged for, and ExpireAt is set from
// PreAuthenticatedURLTokenLifetime. It is consumed, i.e. single-use, via
// PreAuthenticatedURLTokenStore.
type PreAuthenticatedURLToken struct {
	AppID           string   `json:"app_id"`
	AuthorizationID string   `json:"authorization_id"`
	ClientID        string   `json:"client_id"`
	OfflineGrantID  string   `json:"offline_grant_id"`
	Scopes          []string `json:"scopes"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	TokenHash string    `json:"token_hash"`
}

type PreAuthenticatedURLTokenAccessGrantService

// PreAuthenticatedURLTokenAccessGrantService is the consumer-side interface
// for issuing access grants from a pre-authenticated URL token; its method
// matches *AccessGrantService.IssueAccessGrant.
type PreAuthenticatedURLTokenAccessGrantService interface {
	IssueAccessGrant(
		ctx context.Context,
		client *config.OAuthClientConfig,
		scopes []string,
		authzID string,
		userID string,
		sessionID string,
		sessionKind GrantSessionKind,
		refreshTokenHash string,
	) (*IssueAccessGrantResult, error)
}

type PreAuthenticatedURLTokenOfflineGrantService

// PreAuthenticatedURLTokenOfflineGrantService is the consumer-side view of
// *OfflineGrantService used when exchanging a pre-authenticated URL token; both
// methods match the ones on OfflineGrantService.
type PreAuthenticatedURLTokenOfflineGrantService interface {
	GetOfflineGrant(ctx context.Context, id string) (*OfflineGrant, error)
	CreateNewRefreshToken(
		ctx context.Context,
		grant *OfflineGrant,
		clientID string,
		scopes []string,
		authorizationID string,
		dpopJKT string,
	) (*CreateNewRefreshTokenResult, *OfflineGrant, error)
}

type PreAuthenticatedURLTokenStore

// PreAuthenticatedURLTokenStore persists pre-authenticated URL tokens.
// ConsumePreAuthenticatedURLToken, by its name, both fetches and invalidates
// the token — NOTE(review): confirm the implementation does this atomically;
// otherwise two concurrent requests could both succeed with the same token.
type PreAuthenticatedURLTokenStore interface {
	CreatePreAuthenticatedURLToken(ctx context.Context, t *PreAuthenticatedURLToken) error
	ConsumePreAuthenticatedURLToken(ctx context.Context, tokenHash string) (*PreAuthenticatedURLToken, error)
}

type PromptResolver

// PromptResolver decides the effective OIDC prompt values for an authorization
// request (see ResolvePrompt); Clock is used for age-based decisions.
type PromptResolver struct {
	Clock clock.Clock
}

func (*PromptResolver) ResolvePrompt

// ResolvePrompt returns the prompt values to apply for req, given the session
// named by the request's id_token_hint (sidSession, may be nil — confirm the
// body handles nil).
func (r *PromptResolver) ResolvePrompt(req protocol.AuthorizationRequest, sidSession session.ListableSession) (prompt []string)

type Resolver

// Resolver turns an incoming HTTP request into a resolved session, via the
// presented access token (AccessTokenDecoder, AccessGrants), an app session
// cookie (Cookies, AppSessions) or an offline grant (OfflineGrantService).
// RemoteIP and UserAgentString feed the access event that is recorded on
// resolution.
type Resolver struct {
	RemoteIP            httputil.RemoteIP
	UserAgentString     httputil.UserAgentString
	OAuthConfig         *config.OAuthConfig
	Authorizations      AuthorizationStore
	AccessGrants        AccessGrantStore
	AppSessions         AppSessionStore
	AccessTokenDecoder  AccessTokenDecoder
	Sessions            ResolverSessionProvider
	Cookies             ResolverCookieManager
	Clock               clock.Clock
	OfflineGrantService ResolverOfflineGrantService
}

func (*Resolver) Resolve

type ResolverCookieManager

// ResolverCookieManager reads the cookie described by def from r.
type ResolverCookieManager interface {
	GetCookie(r *http.Request, def *httputil.CookieDef) (*http.Cookie, error)
}

type ResolverOfflineGrantService

// ResolverOfflineGrantService is the view of *OfflineGrantService that Resolver
// needs; both methods match the ones on OfflineGrantService.
type ResolverOfflineGrantService interface {
	AccessOfflineGrant(ctx context.Context, grantID string, accessEvent *access.Event, expireAt time.Time) (*OfflineGrant, error)
	GetOfflineGrant(ctx context.Context, id string) (*OfflineGrant, error)
}

type ResolverSessionProvider

// ResolverSessionProvider loads an IdP session by id while recording
// accessEvent against it.
type ResolverSessionProvider interface {
	AccessWithID(ctx context.Context, id string, accessEvent access.Event) (*idpsession.IDPSession, error)
}

type ServiceIDPSessionProvider

// ServiceIDPSessionProvider gives OfflineGrantService access to IdP sessions,
// used when an offline grant's validity is tied to its IDPSessionID.
type ServiceIDPSessionProvider interface {
	Get(ctx context.Context, id string) (*idpsession.IDPSession, error)
	CheckSessionExpired(session *idpsession.IDPSession) (expired bool)
}

type SessionManager

// SessionManager lists, deletes and terminates offline-grant sessions and
// clears their cookies. Note Service holds an OfflineGrantService by value,
// whereas AuthorizationService holds a *OfflineGrantService — keep in mind when
// wiring, since the copy is taken at construction.
type SessionManager struct {
	Store   OfflineGrantStore
	Config  *config.OAuthConfig
	Service OfflineGrantService
}

func (*SessionManager) CleanUpForDeletingUserID

// CleanUpForDeletingUserID removes userID's offline grants as part of user
// deletion (delegating to OfflineGrantStore.CleanUpForDeletingUserID).
func (m *SessionManager) CleanUpForDeletingUserID(ctx context.Context, userID string) error

func (*SessionManager) ClearCookie

// ClearCookie returns the expired cookies to send so the browser drops the
// session cookies managed here.
func (m *SessionManager) ClearCookie() []*http.Cookie

func (*SessionManager) Delete

// Delete removes the given listable session. The parameter shadows the
// imported session package inside the body.
func (m *SessionManager) Delete(ctx context.Context, session session.ListableSession) error

func (*SessionManager) Get

func (*SessionManager) List

// List returns userID's offline-grant sessions as listable sessions.
func (m *SessionManager) List(ctx context.Context, userID string) ([]session.ListableSession, error)

func (*SessionManager) TerminateAllExcept

// TerminateAllExcept deletes all of userID's sessions other than
// currentSession and returns the ones terminated. Whether "except" is decided
// by EqualSession or by IsSameSSOGroup is in the body — confirm, as it changes
// which sessions survive.
func (m *SessionManager) TerminateAllExcept(ctx context.Context, userID string, currentSession session.ResolvedSession) ([]session.ListableSession, error)

type SettingsActionGrant

// SettingsActionGrant is the stored code for a settings action flow, parallel
// to CodeGrant but without the authentication/DPoP fields. CodeHash is the
// hash of the code; RedirectURI and AuthorizationRequest are kept for
// comparison at redemption time — confirm in the handler.
type SettingsActionGrant struct {
	AppID string `json:"app_id"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	CodeHash  string    `json:"code_hash"`

	RedirectURI          string                        `json:"redirect_uri"`
	AuthorizationRequest protocol.AuthorizationRequest `json:"authorization_request"`
}

type SettingsActionGrantStore

// SettingsActionGrantStore persists SettingsActionGrant records keyed by code
// hash. As with CodeGrantStore, single-use depends on the caller deleting the
// grant after a successful lookup.
type SettingsActionGrantStore interface {
	GetSettingsActionGrant(ctx context.Context, codeHash string) (*SettingsActionGrant, error)
	CreateSettingsActionGrant(ctx context.Context, g *SettingsActionGrant) error
	DeleteSettingsActionGrant(ctx context.Context, g *SettingsActionGrant) error
}
