Documentation ¶
Index ¶
- Constants
- func CodeChallengeToOIDC(challenge *OIDCCodeChallenge) *oidc.CodeChallenge
- func MaxAgeToInternal(maxAge *uint) *time.Duration
- func PromptToInternal(oidcPrompt oidc.SpaceDelimitedArray) []string
- func RedirectGlobsClient(client *Client) op.Client
- func RefreshTokenRequestFromBusiness(token *RefreshToken) op.RefreshTokenRequest
- func RegisterClients(registerClients ...*Client)
- type AuthRequest
- func (a *AuthRequest) Done() bool
- func (a *AuthRequest) GetACR() string
- func (a *AuthRequest) GetAMR() []string
- func (a *AuthRequest) GetAudience() []string
- func (a *AuthRequest) GetAuthTime() time.Time
- func (a *AuthRequest) GetClientID() string
- func (a *AuthRequest) GetCodeChallenge() *oidc.CodeChallenge
- func (a *AuthRequest) GetID() string
- func (a *AuthRequest) GetNonce() string
- func (a *AuthRequest) GetRedirectURI() string
- func (a *AuthRequest) GetResponseMode() oidc.ResponseMode
- func (a *AuthRequest) GetResponseType() oidc.ResponseType
- func (a *AuthRequest) GetScopes() []string
- func (a *AuthRequest) GetState() string
- func (a *AuthRequest) GetSubject() string
- type Client
- func (c *Client) AccessTokenType() op.AccessTokenType
- func (c *Client) ApplicationType() op.ApplicationType
- func (c *Client) AuthMethod() oidc.AuthMethod
- func (c *Client) ClockSkew() time.Duration
- func (c *Client) DevMode() bool
- func (c *Client) GetID() string
- func (c *Client) GrantTypes() []oidc.GrantType
- func (c *Client) IDTokenLifetime() time.Duration
- func (c *Client) IDTokenUserinfoClaimsAssertion() bool
- func (c *Client) IsScopeAllowed(scope string) bool
- func (c *Client) LoginURL(id string) string
- func (c *Client) PostLogoutRedirectURIs() []string
- func (c *Client) RedirectURIs() []string
- func (c *Client) ResponseTypes() []oidc.ResponseType
- func (c *Client) RestrictAdditionalAccessTokenScopes() func(scopes []string) []string
- func (c *Client) RestrictAdditionalIdTokenScopes() func(scopes []string) []string
- type OIDCCodeChallenge
- type RefreshToken
- type RefreshTokenRequest
- func (r *RefreshTokenRequest) GetAMR() []string
- func (r *RefreshTokenRequest) GetAudience() []string
- func (r *RefreshTokenRequest) GetAuthTime() time.Time
- func (r *RefreshTokenRequest) GetClientID() string
- func (r *RefreshTokenRequest) GetScopes() []string
- func (r *RefreshTokenRequest) GetSubject() string
- func (r *RefreshTokenRequest) SetCurrentScopes(scopes []string)
- type Service
- type Storage
- func (s *Storage) AuthRequestByCode(ctx context.Context, code string) (op.AuthRequest, error)
- func (s *Storage) AuthRequestByID(ctx context.Context, id string) (op.AuthRequest, error)
- func (s *Storage) AuthRequestDone(id string) error
- func (s *Storage) AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string) error
- func (s *Storage) ClientCredentials(ctx context.Context, clientID, clientSecret string) (op.Client, error)
- func (s *Storage) ClientCredentialsTokenRequest(ctx context.Context, clientID string, scopes []string) (op.TokenRequest, error)
- func (s *Storage) CompleteDeviceAuthorization(ctx context.Context, userCode, subject string) error
- func (s *Storage) CreateAccessAndRefreshTokens(ctx context.Context, request op.TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshToken string, expiration time.Time, err error)
- func (s *Storage) CreateAccessToken(ctx context.Context, request op.TokenRequest) (string, time.Time, error)
- func (s *Storage) CreateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, userID string) (op.AuthRequest, error)
- func (s *Storage) CreateTokenExchangeRequest(ctx context.Context, request op.TokenExchangeRequest) error
- func (s *Storage) DeleteAuthRequest(ctx context.Context, id string) error
- func (s *Storage) DenyDeviceAuthorization(ctx context.Context, userCode string) error
- func (s *Storage) GetClientByClientID(ctx context.Context, clientID string) (op.Client, error)
- func (s *Storage) GetDeviceAuthorizationByUserCode(ctx context.Context, userCode string) (*op.DeviceAuthorizationState, error)
- func (s *Storage) GetDeviceAuthorizatonState(ctx context.Context, clientID, deviceCode string) (*op.DeviceAuthorizationState, error)
- func (s *Storage) GetKeyByIDAndClientID(ctx context.Context, keyID, clientID string) (*jose.JSONWebKey, error)
- func (s *Storage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clientID string, scopes []string) (claims map[string]interface{}, err error)
- func (s *Storage) GetPrivateClaimsFromTokenExchangeRequest(ctx context.Context, request op.TokenExchangeRequest) (claims map[string]interface{}, err error)
- func (s *Storage) GetRefreshTokenInfo(ctx context.Context, clientID string, token string) (userID string, tokenID string, err error)
- func (s *Storage) Health(ctx context.Context) error
- func (s *Storage) KeySet(ctx context.Context) ([]op.Key, error)
- func (s *Storage) RevokeToken(ctx context.Context, tokenIDOrToken string, userID string, clientID string) *oidc.Error
- func (s *Storage) SaveAuthCode(ctx context.Context, id string, code string) error
- func (s *Storage) SetIntrospectionFromToken(ctx context.Context, introspection *oidc.IntrospectionResponse, ...) error
- func (s *Storage) SetUserinfoFromRequest(ctx context.Context, userinfo *oidc.UserInfo, token op.IDTokenRequest, ...) error
- func (s *Storage) SetUserinfoFromScopes(ctx context.Context, userinfo *oidc.UserInfo, userID, clientID string, ...) error
- func (s *Storage) SetUserinfoFromToken(ctx context.Context, userinfo *oidc.UserInfo, tokenID, subject, origin string) error
- func (s *Storage) SetUserinfoFromTokenExchangeRequest(ctx context.Context, userinfo *oidc.UserInfo, request op.TokenExchangeRequest) error
- func (s *Storage) SignatureAlgorithms(context.Context) ([]jose.SignatureAlgorithm, error)
- func (s *Storage) SigningKey(ctx context.Context) (op.SigningKey, error)
- func (s *Storage) StoreDeviceAuthorization(ctx context.Context, clientID, deviceCode, userCode string, expires time.Time, ...) error
- func (s *Storage) TerminateSession(ctx context.Context, userID string, clientID string) error
- func (s *Storage) TokenRequestByRefreshToken(ctx context.Context, refreshToken string) (op.RefreshTokenRequest, error)
- func (s *Storage) ValidateJWTProfileScopes(ctx context.Context, userID string, scopes []string) ([]string, error)
- func (s *Storage) ValidateRequest(user *User, id string) error
- func (s *Storage) ValidateTokenExchangeRequest(ctx context.Context, request op.TokenExchangeRequest) error
- type Token
- type User
- type UserStore
Constants ¶
const ( // GroupsScope is an example for how to use custom scopes in this library //(in this scenario, when requested, it will return a custom claim) GroupsScope = "groups" // GroupsClaim is an example for how to return custom claims with this library GroupsClaim = "groups" // CustomScopeImpersonatePrefix is an example scope prefix for passing user id to impersonate using token exchage CustomScopeImpersonatePrefix = "custom_scope:impersonate:" )
Variables ¶
This section is empty.
Functions ¶
func CodeChallengeToOIDC ¶
func CodeChallengeToOIDC(challenge *OIDCCodeChallenge) *oidc.CodeChallenge
func MaxAgeToInternal ¶
func PromptToInternal ¶
func PromptToInternal(oidcPrompt oidc.SpaceDelimitedArray) []string
func RedirectGlobsClient ¶
RedirectGlobsClient wraps the client in a op.HasRedirectGlobs only if DevMode is enabled.
func RefreshTokenRequestFromBusiness ¶
func RefreshTokenRequestFromBusiness(token *RefreshToken) op.RefreshTokenRequest
RefreshTokenRequestFromBusiness will simply wrap the storage RefreshToken to implement the op.RefreshTokenRequest interface
func RegisterClients ¶
func RegisterClients(registerClients ...*Client)
RegisterClients enables you to register clients for the example implementation there are some clients (web and native) to try out different cases add more if necessary
RegisterClients should be called before the Storage is used so that there are no race conditions.
Types ¶
type AuthRequest ¶
type AuthRequest struct { ID string CreationDate time.Time ApplicationID string CallbackURI string TransferState string Prompt []string UiLocales []language.Tag LoginHint string MaxAuthAge *time.Duration UserID string Scopes []string ResponseType oidc.ResponseType Nonce string CodeChallenge *OIDCCodeChallenge // contains filtered or unexported fields }
func (*AuthRequest) Done ¶
func (a *AuthRequest) Done() bool
func (*AuthRequest) GetACR ¶
func (a *AuthRequest) GetACR() string
func (*AuthRequest) GetAMR ¶
func (a *AuthRequest) GetAMR() []string
func (*AuthRequest) GetAudience ¶
func (a *AuthRequest) GetAudience() []string
func (*AuthRequest) GetAuthTime ¶
func (a *AuthRequest) GetAuthTime() time.Time
func (*AuthRequest) GetClientID ¶
func (a *AuthRequest) GetClientID() string
func (*AuthRequest) GetCodeChallenge ¶
func (a *AuthRequest) GetCodeChallenge() *oidc.CodeChallenge
func (*AuthRequest) GetID ¶
func (a *AuthRequest) GetID() string
func (*AuthRequest) GetNonce ¶
func (a *AuthRequest) GetNonce() string
func (*AuthRequest) GetRedirectURI ¶
func (a *AuthRequest) GetRedirectURI() string
func (*AuthRequest) GetResponseMode ¶
func (a *AuthRequest) GetResponseMode() oidc.ResponseMode
func (*AuthRequest) GetResponseType ¶
func (a *AuthRequest) GetResponseType() oidc.ResponseType
func (*AuthRequest) GetScopes ¶
func (a *AuthRequest) GetScopes() []string
func (*AuthRequest) GetState ¶
func (a *AuthRequest) GetState() string
func (*AuthRequest) GetSubject ¶
func (a *AuthRequest) GetSubject() string
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
Client represents the storage model of an OAuth/OIDC client this could also be your database model
func WebClient ¶
WebClient will create a client of type web, which will always use Basic Auth and allow the use of refresh tokens user-defined redirectURIs may include: - http://localhost with port specification (e.g. http://localhost:9999/auth/callback) (the example will be used as default, if none is provided)
func (*Client) AccessTokenType ¶
func (c *Client) AccessTokenType() op.AccessTokenType
AccessTokenType must return the type of access token the client uses (Bearer (opaque) or JWT)
func (*Client) ApplicationType ¶
func (c *Client) ApplicationType() op.ApplicationType
ApplicationType must return the type of the client (app, native, user agent)
func (*Client) AuthMethod ¶
func (c *Client) AuthMethod() oidc.AuthMethod
AuthMethod must return the authentication method (client_secret_basic, client_secret_post, none, private_key_jwt)
func (*Client) ClockSkew ¶
ClockSkew enables clients to instruct the OP to apply a clock skew on the various times and expirations (subtract from issued_at, add to expiration, ...)
func (*Client) DevMode ¶
DevMode enables the use of non-compliant configs such as redirect_uris (e.g. http schema for user agent client)
func (*Client) GrantTypes ¶
GrantTypes must return all allowed grant types (authorization_code, refresh_token, urn:ietf:params:oauth:grant-type:jwt-bearer)
func (*Client) IDTokenLifetime ¶
IDTokenLifetime must return the lifetime of the client's id_tokens
func (*Client) IDTokenUserinfoClaimsAssertion ¶
IDTokenUserinfoClaimsAssertion allows specifying if claims of scope profile, email, phone and address are asserted into the id_token even if an access token if issued which violates the OIDC Core spec (5.4. Requesting Claims using Scope Values: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) some clients though require that e.g. email is always in the id_token when requested even if an access_token is issued
func (*Client) IsScopeAllowed ¶
IsScopeAllowed enables Client specific custom scopes validation in this example we allow the GroupsScope for all clients
func (*Client) LoginURL ¶
LoginURL will be called to redirect the user (agent) to the login UI you could implement some logic here to redirect the users to different login UIs depending on the client
func (*Client) PostLogoutRedirectURIs ¶
PostLogoutRedirectURIs must return the registered post_logout_redirect_uris for sign-outs
func (*Client) RedirectURIs ¶
RedirectURIs must return the registered redirect_uris for Code and Implicit Flow
func (*Client) ResponseTypes ¶
func (c *Client) ResponseTypes() []oidc.ResponseType
ResponseTypes must return all allowed response types (code, id_token token, id_token) these must match with the allowed grant types
func (*Client) RestrictAdditionalAccessTokenScopes ¶
RestrictAdditionalAccessTokenScopes allows specifying which custom scopes shall be asserted into the JWT access_token
func (*Client) RestrictAdditionalIdTokenScopes ¶
RestrictAdditionalIdTokenScopes allows specifying which custom scopes shall be asserted into the id_token
type OIDCCodeChallenge ¶
type RefreshToken ¶
type RefreshTokenRequest ¶
type RefreshTokenRequest struct {
*RefreshToken
}
func (*RefreshTokenRequest) GetAMR ¶
func (r *RefreshTokenRequest) GetAMR() []string
func (*RefreshTokenRequest) GetAudience ¶
func (r *RefreshTokenRequest) GetAudience() []string
func (*RefreshTokenRequest) GetAuthTime ¶
func (r *RefreshTokenRequest) GetAuthTime() time.Time
func (*RefreshTokenRequest) GetClientID ¶
func (r *RefreshTokenRequest) GetClientID() string
func (*RefreshTokenRequest) GetScopes ¶
func (r *RefreshTokenRequest) GetScopes() []string
func (*RefreshTokenRequest) GetSubject ¶
func (r *RefreshTokenRequest) GetSubject() string
func (*RefreshTokenRequest) SetCurrentScopes ¶
func (r *RefreshTokenRequest) SetCurrentScopes(scopes []string)
type Storage ¶
type Storage struct {
// contains filtered or unexported fields
}
storage implements the op.Storage interface typically you would implement this as a layer on top of your database for simplicity this example keeps everything in-memory
func NewStorage ¶
func (*Storage) AuthRequestByCode ¶
AuthRequestByCode implements the op.Storage interface it will be called after parsing and validation of the token request (in an authorization code flow)
func (*Storage) AuthRequestByID ¶
AuthRequestByID implements the op.Storage interface it will be called after the Login UI redirects back to the OIDC endpoint
func (*Storage) AuthRequestDone ¶
AuthRequestDone is used by testing and is not required to implement op.Storage
func (*Storage) AuthorizeClientIDSecret ¶
AuthorizeClientIDSecret implements the op.Storage interface it will be called for validating the client_id, client_secret on token or introspection requests
func (*Storage) ClientCredentials ¶
func (*Storage) ClientCredentialsTokenRequest ¶
func (*Storage) CompleteDeviceAuthorization ¶
func (*Storage) CreateAccessAndRefreshTokens ¶
func (s *Storage) CreateAccessAndRefreshTokens(ctx context.Context, request op.TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshToken string, expiration time.Time, err error)
CreateAccessAndRefreshTokens implements the op.Storage interface it will be called for all requests able to return an access and refresh token (Authorization Code Flow, Refresh Token Request)
func (*Storage) CreateAccessToken ¶
func (s *Storage) CreateAccessToken(ctx context.Context, request op.TokenRequest) (string, time.Time, error)
CreateAccessToken implements the op.Storage interface it will be called for all requests able to return an access token (Authorization Code Flow, Implicit Flow, JWT Profile, ...)
func (*Storage) CreateAuthRequest ¶
func (s *Storage) CreateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, userID string) (op.AuthRequest, error)
CreateAuthRequest implements the op.Storage interface it will be called after parsing and validation of the authentication request
func (*Storage) CreateTokenExchangeRequest ¶
func (s *Storage) CreateTokenExchangeRequest(ctx context.Context, request op.TokenExchangeRequest) error
ValidateTokenExchangeRequest implements the op.TokenExchangeStorage interface Common use case is to store request for audit purposes. For this example we skip the storing.
func (*Storage) DeleteAuthRequest ¶
DeleteAuthRequest implements the op.Storage interface it will be called after creating the token response (id and access tokens) for a valid - authentication request (in an implicit flow) - token request (in an authorization code flow)
func (*Storage) DenyDeviceAuthorization ¶
func (*Storage) GetClientByClientID ¶
GetClientByClientID implements the op.Storage interface it will be called whenever information (type, redirect_uris, ...) about the client behind the client_id is needed
func (*Storage) GetDeviceAuthorizationByUserCode ¶
func (*Storage) GetDeviceAuthorizatonState ¶
func (*Storage) GetKeyByIDAndClientID ¶
func (s *Storage) GetKeyByIDAndClientID(ctx context.Context, keyID, clientID string) (*jose.JSONWebKey, error)
GetKeyByIDAndClientID implements the op.Storage interface it will be called to validate the signatures of a JWT (JWT Profile Grant and Authentication)
func (*Storage) GetPrivateClaimsFromScopes ¶
func (s *Storage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clientID string, scopes []string) (claims map[string]interface{}, err error)
GetPrivateClaimsFromScopes implements the op.Storage interface it will be called for the creation of a JWT access token to assert claims for custom scopes
func (*Storage) GetPrivateClaimsFromTokenExchangeRequest ¶
func (s *Storage) GetPrivateClaimsFromTokenExchangeRequest(ctx context.Context, request op.TokenExchangeRequest) (claims map[string]interface{}, err error)
GetPrivateClaimsFromScopesForTokenExchange implements the op.TokenExchangeStorage interface it will be called for the creation of an exchanged JWT access token to assert claims for custom scopes plus adding token exchange specific claims related to delegation or impersonation
func (*Storage) GetRefreshTokenInfo ¶
func (s *Storage) GetRefreshTokenInfo(ctx context.Context, clientID string, token string) (userID string, tokenID string, err error)
GetRefreshTokenInfo looks up a refresh token and returns the token id and user id. If given something that is not a refresh token, it must return error.
func (*Storage) KeySet ¶
KeySet implements the op.Storage interface it will be called to get the current (public) keys, among others for the keys_endpoint or for validating access_tokens on the userinfo_endpoint, ...
func (*Storage) RevokeToken ¶
func (s *Storage) RevokeToken(ctx context.Context, tokenIDOrToken string, userID string, clientID string) *oidc.Error
RevokeToken implements the op.Storage interface it will be called after parsing and validation of the token revocation request
func (*Storage) SaveAuthCode ¶
SaveAuthCode implements the op.Storage interface it will be called after the authentication has been successful and before redirecting the user agent to the redirect_uri (in an authorization code flow)
func (*Storage) SetIntrospectionFromToken ¶
func (s *Storage) SetIntrospectionFromToken(ctx context.Context, introspection *oidc.IntrospectionResponse, tokenID, subject, clientID string) error
SetIntrospectionFromToken implements the op.Storage interface it will be called for the introspection endpoint, so we read the token and pass the information from that to the private function
func (*Storage) SetUserinfoFromRequest ¶
func (s *Storage) SetUserinfoFromRequest(ctx context.Context, userinfo *oidc.UserInfo, token op.IDTokenRequest, scopes []string) error
SetUserinfoFromRequests implements the op.CanSetUserinfoFromRequest interface. In the next major release, it will be required for op.Storage. It will be called for the creation of an id_token, so we'll just pass it to the private function without any further check
func (*Storage) SetUserinfoFromScopes ¶
func (s *Storage) SetUserinfoFromScopes(ctx context.Context, userinfo *oidc.UserInfo, userID, clientID string, scopes []string) error
SetUserinfoFromScopes implements the op.Storage interface. Provide an empty implementation and use SetUserinfoFromRequest instead.
func (*Storage) SetUserinfoFromToken ¶
func (s *Storage) SetUserinfoFromToken(ctx context.Context, userinfo *oidc.UserInfo, tokenID, subject, origin string) error
SetUserinfoFromToken implements the op.Storage interface it will be called for the userinfo endpoint, so we read the token and pass the information from that to the private function
func (*Storage) SetUserinfoFromTokenExchangeRequest ¶
func (s *Storage) SetUserinfoFromTokenExchangeRequest(ctx context.Context, userinfo *oidc.UserInfo, request op.TokenExchangeRequest) error
SetUserinfoFromScopesForTokenExchange implements the op.TokenExchangeStorage interface it will be called for the creation of an id_token - we are using the same private function as for other flows, plus adding token exchange specific claims related to delegation or impersonation
func (*Storage) SignatureAlgorithms ¶
SignatureAlgorithms implements the op.Storage interface it will be called to get the sign
func (*Storage) SigningKey ¶
SigningKey implements the op.Storage interface it will be called when creating the OpenID Provider
func (*Storage) StoreDeviceAuthorization ¶
func (*Storage) TerminateSession ¶
TerminateSession implements the op.Storage interface it will be called after the user signed out, therefore the access and refresh token of the user of this client must be removed
func (*Storage) TokenRequestByRefreshToken ¶
func (s *Storage) TokenRequestByRefreshToken(ctx context.Context, refreshToken string) (op.RefreshTokenRequest, error)
TokenRequestByRefreshToken implements the op.Storage interface it will be called after parsing and validation of the refresh token request
func (*Storage) ValidateJWTProfileScopes ¶
func (s *Storage) ValidateJWTProfileScopes(ctx context.Context, userID string, scopes []string) ([]string, error)
ValidateJWTProfileScopes implements the op.Storage interface it will be called to validate the scopes of a JWT Profile Authorization Grant request
func (*Storage) ValidateTokenExchangeRequest ¶
func (s *Storage) ValidateTokenExchangeRequest(ctx context.Context, request op.TokenExchangeRequest) error
ValidateTokenExchangeRequest implements the op.TokenExchangeStorage interface it will be called to validate parsed Token Exchange Grant request