oauth

package
Published: Feb 1, 2023 License: Apache-2.0 Imports: 33 Imported by: 1

Documentation

Constants

// FullAccessScope is the scope identifier for full access. Scope enforcement
// on requests is done by RequireScope; see also FullUserInfoScope.
const FullAccessScope = "https://authgear.com/scopes/full-access"
// FullUserInfoScope is the scope identifier for access to the full user info.
// It is a narrower grant than FullAccessScope (assumed from the names — confirm
// where the two scopes are checked).
const FullUserInfoScope = "https://authgear.com/scopes/full-userinfo"

Variables

// ClientLikeNotFound is the ClientLike used when no matching client is found
// (see SessionClientLike). It carries no scopes and is classified as
// config.ClientPartyThird, so an unknown client is treated as a third party
// rather than a first party.
var ClientLikeNotFound = &ClientLike{
	ClientParty: config.ClientPartyThird,
}
// ErrAuthorizationNotFound is returned when no oauth authorization matches
// the lookup. Compare with errors.Is.
var ErrAuthorizationNotFound = errors.New("oauth authorization not found")
// ErrAuthorizationScopesNotGranted is returned when an authorization exists
// but the requested scopes are not granted by it (see
// Authorization.IsAuthorized and AuthorizationService.Check). Compare with
// errors.Is.
var ErrAuthorizationScopesNotGranted = errors.New("oauth authorization scopes not granted")
// ErrGrantNotFound is returned when an oauth grant (code, access, offline or
// app-session grant) cannot be found. Compare with errors.Is.
var ErrGrantNotFound = errors.New("oauth grant not found")

Functions

func DecodeRefreshToken

func DecodeRefreshToken(encodedToken string) (token string, grantID string, err error)

func EncodeRefreshToken

func EncodeRefreshToken(token string, grantID string) string

func FormPost

func FormPost(w http.ResponseWriter, r *http.Request, redirectURI *url.URL, response map[string]string)

func GenerateToken

func GenerateToken() string

func HTMLRedirect

func HTMLRedirect(rw http.ResponseWriter, r *http.Request, redirectURI string)

func HashToken

func HashToken(token string) string

func RequireScope

func RequireScope(scopes ...string) func(http.Handler) http.Handler

RequireScope allows a request to pass if the session contains one of the required scopes. If there are no required scopes, only the validity of the session is checked.

func SessionScopes

func SessionScopes(s session.Session) []string

func WriteResponse

func WriteResponse(w http.ResponseWriter, r *http.Request, redirectURI *url.URL, responseMode string, response map[string]string)

Types

type AccessGrant

// AccessGrant is the server-side record behind an issued access token: the
// authorization, the session and the scopes it was issued under, plus its
// validity window. The access token itself is not a field here; only
// TokenHash is kept, so a dump of the store does not yield usable tokens
// (presumably the output of HashToken — confirm in the issuing code).
type AccessGrant struct {
	AppID           string           `json:"app_id"`
	AuthorizationID string           `json:"authz_id"`
	// SessionID identifies the session of the kind given by SessionKind.
	SessionID       string           `json:"session_id"`
	// SessionKind says whether SessionID is an offline grant or an IDP
	// session; see GrantSessionKind.
	SessionKind     GrantSessionKind `json:"session_kind"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	Scopes    []string  `json:"scopes"`
	// TokenHash is the hash of the access token; it is the lookup key used by
	// AccessGrantStore.GetAccessGrant.
	TokenHash string    `json:"token_hash"`
}

type AccessGrantStore

// AccessGrantStore is the persistence interface for AccessGrant records.
type AccessGrantStore interface {
	// GetAccessGrant looks a grant up by the hash of its token, never by the
	// raw token (see AccessGrant.TokenHash).
	GetAccessGrant(tokenHash string) (*AccessGrant, error)
	CreateAccessGrant(*AccessGrant) error
	DeleteAccessGrant(*AccessGrant) error
}

type AccessTokenDecoder

// AccessTokenDecoder turns a presented access token into the value used to
// look up its AccessGrant. AccessTokenEncoding is the implementation in this
// package; Resolver consumes the interface.
type AccessTokenDecoder interface {
	// DecodeAccessToken returns tok together with isHash, which reports
	// whether tok is already a token hash rather than a raw token. The caller
	// presumably hashes tok when isHash is false before querying
	// AccessGrantStore — confirm in Resolver.Resolve.
	DecodeAccessToken(encodedToken string) (tok string, isHash bool, err error)
}

type AccessTokenEncoding

// AccessTokenEncoding encodes access tokens (EncodeAccessToken) and decodes
// them again (DecodeAccessToken, satisfying AccessTokenDecoder). It is a
// plain dependency struct; all fields are expected to be set by the caller.
type AccessTokenEncoding struct {
	// Secrets holds the OAuth key materials used by the encoding; keep them
	// out of logs and error messages.
	Secrets    *config.OAuthKeyMaterials
	// Clock supplies the current time for issued-at/expiry handling.
	Clock      clock.Clock
	// UserClaims adds non-PII user claims to an encoded token (see
	// UserClaimsProvider).
	UserClaims UserClaimsProvider
	// BaseURL supplies the base URL (see BaseURLProvider).
	BaseURL    BaseURLProvider
	// Events dispatches events raised while encoding (see EventService).
	Events     EventService
}

func (*AccessTokenEncoding) DecodeAccessToken

func (e *AccessTokenEncoding) DecodeAccessToken(encodedToken string) (tok string, isHash bool, err error)

func (*AccessTokenEncoding) EncodeAccessToken

func (e *AccessTokenEncoding) EncodeAccessToken(client *config.OAuthClientConfig, grant *AccessGrant, userID string, token string) (string, error)

type AppSession

// AppSession is an app-scoped session derived from an offline grant
// (OfflineGrantID). As with the other grant records, only the hash of its
// token (TokenHash) is stored, never the token itself.
type AppSession struct {
	AppID          string `json:"app_id"`
	// OfflineGrantID links the session back to the OfflineGrant it was
	// created from.
	OfflineGrantID string `json:"offline_grant_id"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	// TokenHash is the lookup key used by AppSessionStore.GetAppSession.
	TokenHash string    `json:"token_hash"`
}

type AppSessionStore

// AppSessionStore is the persistence interface for AppSession records,
// keyed by token hash.
type AppSessionStore interface {
	// GetAppSession looks a session up by the hash of its token, not the raw token.
	GetAppSession(tokenHash string) (*AppSession, error)
	CreateAppSession(*AppSession) error
	DeleteAppSession(*AppSession) error
}

type AppSessionToken

// AppSessionToken has the same shape as AppSession and also points back to an
// OfflineGrant. It is presumably the short-lived token that is later
// exchanged for an AppSession — confirm in the code that creates both.
// Only the hash of the token (TokenHash) is stored.
type AppSessionToken struct {
	AppID          string `json:"app_id"`
	OfflineGrantID string `json:"offline_grant_id"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	// TokenHash is the lookup key used by AppSessionTokenStore.GetAppSessionToken.
	TokenHash string    `json:"token_hash"`
}

type AppSessionTokenStore

// AppSessionTokenStore is the persistence interface for AppSessionToken
// records, keyed by token hash.
type AppSessionTokenStore interface {
	// GetAppSessionToken looks a record up by the hash of its token, not the raw token.
	GetAppSessionToken(tokenHash string) (*AppSessionToken, error)
	CreateAppSessionToken(*AppSessionToken) error
	DeleteAppSessionToken(*AppSessionToken) error
}

type Authorization

// Authorization records that UserID has granted Scopes to ClientID within
// AppID. Unlike the grant records it has no expiry field and no token hash;
// its lifecycle is driven through AuthorizationStore (Create, Delete,
// ResetAll, UpdateScopes). Scope checks go through IsAuthorized.
type Authorization struct {
	ID        string
	AppID     string
	ClientID  string
	UserID    string
	CreatedAt time.Time
	UpdatedAt time.Time
	// Scopes is the set of scopes granted so far; extend it with
	// WithScopesAdded rather than mutating in place.
	Scopes    []string
}

func ApplyAuthorizationFilters

func ApplyAuthorizationFilters(authzs []*Authorization, filters ...AuthorizationFilter) (out []*Authorization)

func (Authorization) IsAuthorized

func (z Authorization) IsAuthorized(scopes []string) bool

func (Authorization) ToAPIModel

func (z Authorization) ToAPIModel() *model.Authorization

func (Authorization) WithScopesAdded

func (z Authorization) WithScopesAdded(scopes []string) *Authorization

type AuthorizationFilter

// AuthorizationFilter decides which authorizations are retained by
// ApplyAuthorizationFilters and AuthorizationService.ListByUser.
type AuthorizationFilter interface {
	// Keep reports whether authz should be kept in the result.
	Keep(authz *Authorization) bool
}

type AuthorizationFilterFunc

// AuthorizationFilterFunc adapts a plain predicate to the AuthorizationFilter
// interface via its Keep method.
type AuthorizationFilterFunc func(a *Authorization) bool

func (AuthorizationFilterFunc) Keep

type AuthorizationService

// AuthorizationService is the per-app service for looking up, checking and
// granting authorizations (Check, CheckAndGrant, GetByID, ListByUser, Delete)
// on top of AuthorizationStore.
type AuthorizationService struct {
	// AppID scopes every operation to one app.
	AppID               config.AppID
	Store               AuthorizationStore
	Clock               clock.Clock
	// OAuthSessionManager lists and deletes offline grant sessions; presumably
	// used to terminate sessions tied to an authorization when it is deleted —
	// confirm in Delete.
	OAuthSessionManager OfflineGrantSessionManager
}

func (*AuthorizationService) Check

func (s *AuthorizationService) Check(
	clientID string,
	userID string,
	scopes []string,
) (*Authorization, error)

func (*AuthorizationService) CheckAndGrant

func (s *AuthorizationService) CheckAndGrant(
	clientID string,
	userID string,
	scopes []string,
) (*Authorization, error)

func (*AuthorizationService) Delete

func (*AuthorizationService) GetByID

func (s *AuthorizationService) GetByID(id string) (*Authorization, error)

func (*AuthorizationService) ListByUser

func (s *AuthorizationService) ListByUser(userID string, filters ...AuthorizationFilter) ([]*Authorization, error)

type AuthorizationStore

// AuthorizationStore is the persistence interface for Authorization records.
type AuthorizationStore interface {
	// Get returns the authorization of one (userID, clientID) pair.
	Get(userID, clientID string) (*Authorization, error)
	GetByID(id string) (*Authorization, error)
	ListByUserID(userID string) ([]*Authorization, error)
	Create(*Authorization) error
	Delete(*Authorization) error
	// ResetAll presumably removes every authorization of userID — confirm
	// with the implementation.
	ResetAll(userID string) error
	// UpdateScopes persists a changed Scopes slice, e.g. the result of
	// Authorization.WithScopesAdded.
	UpdateScopes(*Authorization) error
}

type BaseURLProvider

// BaseURLProvider supplies the base URL of the deployment; used by
// AccessTokenEncoding.
type BaseURLProvider interface {
	BaseURL() *url.URL
}

type ClientLike

// ClientLike is the subset of client information needed for party and scope
// decisions: which party the client belongs to and the scopes it holds.
// SessionClientLike derives one from a session; ClientLikeNotFound is the
// fallback for an unknown client.
type ClientLike struct {
	ClientParty config.ClientParty
	Scopes      []string
}

func SessionClientLike

func SessionClientLike(s session.Session, c *config.OAuthConfig) *ClientLike

type CodeGrant

// CodeGrant is the server-side record behind an authorization code. The code
// itself is stored only as CodeHash. RedirectURI, OIDCNonce and PKCEChallenge
// capture values from the authorization request so that the later token
// exchange can be checked against them (assumed from their names — confirm in
// the token endpoint handler).
type CodeGrant struct {
	AppID              string               `json:"app_id"`
	AuthorizationID    string               `json:"authz_id"`
	// IDPSessionID is serialized under the key "session_id", not
	// "idp_session_id" as on OfflineGrant; keep that in mind when reading
	// stored records.
	IDPSessionID       string               `json:"session_id"`
	AuthenticationInfo authenticationinfo.T `json:"authentication_info"`
	// IDTokenHintSID is the session ID carried by the id_token_hint of the
	// request, if any (assumed from the name).
	IDTokenHintSID     string               `json:"id_token_hint_sid"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	Scopes    []string  `json:"scopes"`
	// CodeHash is the lookup key used by CodeGrantStore.GetCodeGrant.
	CodeHash  string    `json:"code_hash"`

	// RedirectURI is the redirect URI the code was issued for.
	RedirectURI   string `json:"redirect_uri"`
	// OIDCNonce is the OIDC nonce of the request; omitted when empty.
	OIDCNonce     string `json:"nonce,omitempty"`
	// PKCEChallenge is the PKCE code_challenge of the request; omitted when empty.
	PKCEChallenge string `json:"challenge,omitempty"`

	SSOEnabled bool `json:"sso_enabled,omitempty"`
}

type CodeGrantStore

// CodeGrantStore is the persistence interface for CodeGrant records, keyed
// by code hash.
type CodeGrantStore interface {
	// GetCodeGrant looks a grant up by the hash of the authorization code,
	// not the raw code.
	GetCodeGrant(codeHash string) (*CodeGrant, error)
	CreateCodeGrant(*CodeGrant) error
	DeleteCodeGrant(*CodeGrant) error
}

type EndpointsProvider

// EndpointsProvider supplies the URLs of the OAuth endpoints. MetadataProvider
// publishes them and URLProvider builds redirects from them.
type EndpointsProvider interface {
	AuthorizeEndpointURL() *url.URL
	ConsentEndpointURL() *url.URL
	TokenEndpointURL() *url.URL
	RevokeEndpointURL() *url.URL
}

type EventService

// EventService dispatches domain events; AccessTokenEncoding uses it.
type EventService interface {
	DispatchEvent(payload event.Payload) error
}

type GrantSessionKind

// GrantSessionKind identifies which kind of session an AccessGrant was issued
// against (see AccessGrant.SessionKind). The values are stored as-is in the
// "session_kind" JSON field.
type GrantSessionKind string
// Known GrantSessionKind values.
const (
	// GrantSessionKindOffline: the grant is backed by an OfflineGrant.
	GrantSessionKindOffline GrantSessionKind = "offline_grant"
	// GrantSessionKindSession: the grant is backed by an IDP session.
	GrantSessionKindSession GrantSessionKind = "idp_session"
)

type KeepThirdPartyAuthorizationFilter

// KeepThirdPartyAuthorizationFilter is an AuthorizationFilter (see its Keep
// method) that presumably keeps only authorizations whose ClientID is in
// ThirdPartyClientIDSet — confirm in Keep. Build it with
// NewKeepThirdPartyAuthorizationFilter so the set is derived from the OAuth
// config rather than assembled by hand.
type KeepThirdPartyAuthorizationFilter struct {
	ThirdPartyClientIDSet setutil.Set[string]
}

func NewKeepThirdPartyAuthorizationFilter

func NewKeepThirdPartyAuthorizationFilter(oauthConfig *config.OAuthConfig) *KeepThirdPartyAuthorizationFilter

func (*KeepThirdPartyAuthorizationFilter) Keep

type MetadataProvider

// MetadataProvider fills the discovery metadata document with the OAuth
// endpoint URLs (see PopulateMetadata).
type MetadataProvider struct {
	Endpoints EndpointsProvider
}

func (*MetadataProvider) PopulateMetadata

func (p *MetadataProvider) PopulateMetadata(meta map[string]interface{})

type OfflineGrant

// OfflineGrant is the long-lived grant whose ID travels inside a refresh
// token (see EncodeRefreshToken/DecodeRefreshToken). It also behaves as a
// session.Session through its SessionID, SessionType, Equal and accessor
// methods. The refresh token itself is never stored; only TokenHash is.
type OfflineGrant struct {
	AppID           string `json:"app_id"`
	// ID is the key used by OfflineGrantStore.GetOfflineGrant.
	ID              string `json:"id"`
	ClientID        string `json:"client_id"`
	AuthorizationID string `json:"authz_id"`
	// IDPSessionID refers to the IDP session.
	IDPSessionID string `json:"idp_session_id,omitempty"`
	// IdentityID refers to the identity.
	// It is only set for biometric authentication.
	IdentityID string `json:"identity_id,omitempty"`

	CreatedAt       time.Time `json:"created_at"`
	// AuthenticatedAt is updated via OfflineGrantStore.UpdateOfflineGrantAuthenticatedAt.
	AuthenticatedAt time.Time `json:"authenticated_at"`
	Scopes          []string  `json:"scopes"`
	// TokenHash is the hash of the refresh token.
	TokenHash       string    `json:"token_hash"`

	Attrs      session.Attrs `json:"attrs"`
	// AccessInfo is refreshed through OfflineGrantStore.AccessWithID.
	AccessInfo access.Info   `json:"access_info"`

	// DeviceInfo is free-form and updated via
	// OfflineGrantStore.UpdateOfflineGrantDeviceInfo; it is presumably
	// supplied by the client, so treat it as untrusted when displaying or
	// acting on it — confirm against the callers.
	DeviceInfo map[string]interface{} `json:"device_info,omitempty"`

	// SSOEnabled gates SSO-group matching in IsSameSSOGroup.
	SSOEnabled bool `json:"sso_enabled,omitempty"`
}

func (*OfflineGrant) Equal

func (g *OfflineGrant) Equal(ss session.Session) bool

func (*OfflineGrant) GetAccessInfo

func (g *OfflineGrant) GetAccessInfo() *access.Info

func (*OfflineGrant) GetAuthenticatedAt

func (g *OfflineGrant) GetAuthenticatedAt() time.Time

func (*OfflineGrant) GetAuthenticationInfo

func (g *OfflineGrant) GetAuthenticationInfo() authenticationinfo.T

func (*OfflineGrant) GetClientID

func (g *OfflineGrant) GetClientID() string

func (*OfflineGrant) GetCreatedAt

func (g *OfflineGrant) GetCreatedAt() time.Time

func (*OfflineGrant) GetDeviceInfo

func (g *OfflineGrant) GetDeviceInfo() (map[string]interface{}, bool)

func (*OfflineGrant) GetOIDCAMR

func (g *OfflineGrant) GetOIDCAMR() ([]string, bool)

func (*OfflineGrant) GetUserID

func (g *OfflineGrant) GetUserID() string

func (*OfflineGrant) IsSameSSOGroup

func (g *OfflineGrant) IsSameSSOGroup(ss session.Session) bool

IsSameSSOGroup returns true when the session argument is the same offline grant, is an IDP session in the same SSO group (the current offline grant needs to be SSO enabled), or is an offline grant in the same SSO group (the current offline grant needs to be SSO enabled).

func (*OfflineGrant) SSOGroupIDPSessionID

func (g *OfflineGrant) SSOGroupIDPSessionID() string

func (*OfflineGrant) SessionID

func (g *OfflineGrant) SessionID() string

func (*OfflineGrant) SessionType

func (g *OfflineGrant) SessionType() session.Type

func (*OfflineGrant) ToAPIModel

func (g *OfflineGrant) ToAPIModel() *model.Session

type OfflineGrantService

// OfflineGrantService decides whether an offline grant is still valid and
// when it expires (IsValid, CheckSessionExpired, ComputeOfflineGrantExpiry),
// consulting the backing IDP session through IDPSessions.
type OfflineGrantService struct {
	OAuthConfig *config.OAuthConfig
	Clock       clock.Clock
	// IDPSessions resolves the IDP session an offline grant refers to and
	// reports whether it has expired (see ServiceIDPSessionProvider).
	IDPSessions ServiceIDPSessionProvider
}

func (*OfflineGrantService) CheckSessionExpired

func (s *OfflineGrantService) CheckSessionExpired(session *OfflineGrant) (bool, time.Time, error)

func (*OfflineGrantService) ComputeOfflineGrantExpiry

func (s *OfflineGrantService) ComputeOfflineGrantExpiry(session *OfflineGrant) (expiry time.Time, err error)

func (*OfflineGrantService) IsValid

func (s *OfflineGrantService) IsValid(session *OfflineGrant) (bool, time.Time, error)

type OfflineGrantSessionManager

// OfflineGrantSessionManager is the narrow view of session management that
// AuthorizationService needs: enumerate a user's sessions and delete one.
// SessionManager provides matching List and Delete methods.
type OfflineGrantSessionManager interface {
	List(userID string) ([]session.Session, error)
	Delete(session session.Session) error
}

type OfflineGrantStore

// OfflineGrantStore is the persistence interface for OfflineGrant records.
// Unlike the other grant stores it is keyed by grant ID rather than token hash.
type OfflineGrantStore interface {
	GetOfflineGrant(id string) (*OfflineGrant, error)
	// CreateOfflineGrant takes the expiry explicitly because OfflineGrant has
	// no ExpireAt field; see OfflineGrantService.ComputeOfflineGrantExpiry.
	CreateOfflineGrant(offlineGrant *OfflineGrant, expireAt time.Time) error
	DeleteOfflineGrant(*OfflineGrant) error

	// The update methods below each return the updated grant and take the
	// new expireAt alongside the change, presumably so the stored record's
	// lifetime is refreshed at the same time — confirm with the implementation.
	AccessWithID(id string, accessEvent access.Event, expireAt time.Time) (*OfflineGrant, error)
	UpdateOfflineGrantDeviceInfo(id string, deviceInfo map[string]interface{}, expireAt time.Time) (*OfflineGrant, error)
	UpdateOfflineGrantAuthenticatedAt(id string, authenticatedAt time.Time, expireAt time.Time) (*OfflineGrant, error)

	ListOfflineGrants(userID string) ([]*OfflineGrant, error)
	ListClientOfflineGrants(clientID string, userID string) ([]*OfflineGrant, error)
}

type Resolver

// Resolver turns an incoming HTTP request into a session.Session (see
// Resolve), drawing on access grants, offline grants, app sessions and
// cookies through the dependencies below. It is the trust boundary where
// presented tokens are decoded and matched against stored hashes.
type Resolver struct {
	// RemoteIP and UserAgentString describe the caller; presumably recorded
	// as access info on the resolved session — confirm in Resolve.
	RemoteIP            httputil.RemoteIP
	UserAgentString     httputil.UserAgentString
	OAuthConfig         *config.OAuthConfig
	Authorizations      AuthorizationStore
	AccessGrants        AccessGrantStore
	OfflineGrants       OfflineGrantStore
	AppSessions         AppSessionStore
	// AccessTokenDecoder converts a presented access token into the value
	// looked up in AccessGrants.
	AccessTokenDecoder  AccessTokenDecoder
	// Sessions resolves IDP sessions by ID (see ResolverSessionProvider).
	Sessions            ResolverSessionProvider
	// Cookies reads request cookies (see ResolverCookieManager).
	Cookies             ResolverCookieManager
	Clock               clock.Clock
	// OfflineGrantService validates offline grants found during resolution.
	OfflineGrantService OfflineGrantService
}

func (*Resolver) Resolve

func (re *Resolver) Resolve(rw http.ResponseWriter, r *http.Request) (session.Session, error)

type ResolverCookieManager

// ResolverCookieManager is the cookie access Resolver needs: read one cookie
// of a request given its definition.
type ResolverCookieManager interface {
	GetCookie(r *http.Request, def *httputil.CookieDef) (*http.Cookie, error)
}

type ResolverSessionProvider

// ResolverSessionProvider is the IDP-session access Resolver needs.
type ResolverSessionProvider interface {
	// AccessWithID loads the IDP session id and records accessEvent against
	// it, returning the session.
	AccessWithID(id string, accessEvent access.Event) (*idpsession.IDPSession, error)
}

type ServiceIDPSessionProvider

// ServiceIDPSessionProvider is the IDP-session access OfflineGrantService
// needs: load a session and ask whether it has expired.
type ServiceIDPSessionProvider interface {
	Get(id string) (*idpsession.IDPSession, error)
	// CheckSessionExpired reports whether session is expired; it returns no
	// error, so callers cannot distinguish "expired" from "could not tell".
	CheckSessionExpired(session *idpsession.IDPSession) (expired bool)
}

type SessionManager

// SessionManager exposes offline grants as sessions (Get, List, Delete,
// TerminateAllExcept, ClearCookie) and satisfies OfflineGrantSessionManager.
type SessionManager struct {
	Store   OfflineGrantStore
	Config  *config.OAuthConfig
	// Service validates grants before they are returned as sessions
	// (assumed from the field type — confirm in Get/List).
	Service OfflineGrantService
}

func (*SessionManager) ClearCookie

func (m *SessionManager) ClearCookie() []*http.Cookie

func (*SessionManager) Delete

func (m *SessionManager) Delete(session session.Session) error

func (*SessionManager) Get

func (m *SessionManager) Get(id string) (session.Session, error)

func (*SessionManager) List

func (m *SessionManager) List(userID string) ([]session.Session, error)

func (*SessionManager) TerminateAllExcept

func (m *SessionManager) TerminateAllExcept(userID string, currentSession session.Session) ([]session.Session, error)

type URLProvider

// URLProvider builds URLs to the OAuth endpoints, e.g. ConsentURL for an
// authorization request, from the configured EndpointsProvider.
type URLProvider struct {
	Endpoints EndpointsProvider
}

func (*URLProvider) ConsentURL

func (p *URLProvider) ConsentURL(r protocol.AuthorizationRequest) *url.URL

type UserClaimsProvider

// UserClaimsProvider adds user claims to a token being encoded; used by
// AccessTokenEncoding.
type UserClaimsProvider interface {
	// PopulateNonPIIUserClaims adds claims about userID to token. Per its
	// name the claims are limited to non-PII data, which matters because the
	// token may be readable by the client.
	PopulateNonPIIUserClaims(token jwt.Token, userID string) error
}
