Documentation
Overview
Package oauth implements some helper wrappers on top of the existing google implementation of oauth.
Index
- Constants
- Variables
- func MustSerializeState(state State) string
- func SerializeState(state State) (output string, err error)
- func ValidateJWTGoogle(m *Manager, jwtClaims *GoogleClaims) error
- func ValidateJWTOkta(m *Manager, jwtClaims *GoogleClaims) error
- type Any
- type Config
- type Error
- type GoogleClaims
- type Labels
- type Manager
- func (m *Manager) CreateState(options ...StateOption) (state State)
- func (m *Manager) FetchProfile(ctx context.Context, accessToken string) (profile Profile, err error)
- func (m *Manager) Finish(r *http.Request) (result *Result, err error)
- func (m *Manager) OAuthURL(r *http.Request, stateOptions ...StateOption) (oauthURL string, err error)
- func (m *Manager) ValidateState(state State) error
- type Option
- func OptAllowedDomains(allowedDomains ...string) Option
- func OptClientID(cliendID string) Option
- func OptClientSecret(clientSecret string) Option
- func OptConfig(cfg Config) Option
- func OptEndpoint(endpoint *oauth2.Endpoint) Option
- func OptHostedDomain(hostedDomain string) Option
- func OptIssuer(issuer string) Option
- func OptPublicKeyCache(publicCache *PublicKeyCache) Option
- func OptRedirectURI(redirectURI string) Option
- func OptScopes(scopes ...string) Option
- func OptSecret(secret []byte) Option
- func OptTracer(tracer Tracer) Option
- func OptValidateJWT(validateJWT ValidateJWTFunc) Option
- type Profile
- type PublicKeyCache
- type PublicKeysResponse
- type Response
- type Result
- type State
- type StateOption
- type TraceFinisher
- type Tracer
- type ValidateJWTFunc
- type Values
Constants
const (
	// GoogleKeysURL is the url we fetch google's public verification keys from, in JWK form.
	GoogleKeysURL = "https://www.googleapis.com/oauth2/v3/certs"
	// GoogleIssuer is the expected `iss` field on JWTs from google.
	GoogleIssuer = "https://accounts.google.com"
	// GoogleIssuerAlternate is the alternate expected `iss` field on JWTs from google.
	GoogleIssuerAlternate = "accounts.google.com"
)
Variables
var (
	// DefaultScopes are the default oauth scopes.
	DefaultScopes = []string{
		"openid",
		"email",
		"profile",
	}
)
Functions
func MustSerializeState added in v1.20201204.1
MustSerializeState serializes a state value but panics if there is an error.
func SerializeState
SerializeState serializes the oauth state.
func ValidateJWTGoogle added in v1.20240719.1
func ValidateJWTGoogle(m *Manager, jwtClaims *GoogleClaims) error
ValidateJWTGoogle reports whether the Google-issued JWT is valid, returning an error if it is not.
func ValidateJWTOkta added in v1.20240719.1
func ValidateJWTOkta(m *Manager, jwtClaims *GoogleClaims) error
ValidateJWTOkta reports whether the Okta-issued JWT is valid, returning an error if it is not.
Types
type Config
type Config struct {
	// Secret is an encryption key used to verify oauth state.
	Secret string `json:"secret,omitempty" yaml:"secret,omitempty" env:"OAUTH_SECRET"`
	// RedirectURI is the oauth return url.
	RedirectURI string `json:"redirectURI,omitempty" yaml:"redirectURI,omitempty" env:"OAUTH_REDIRECT_URI"`
	// HostedDomain is a specific domain we want to filter identities to.
	HostedDomain string `json:"hostedDomain,omitempty" yaml:"hostedDomain,omitempty" env:"OAUTH_HOSTED_DOMAIN"`
	// AllowedDomains is a strict list of hosted domains to allow authenticated users from.
	// If it is unset or empty, it will allow users from *any* hosted domain.
	AllowedDomains []string `json:"allowedDomains,omitempty" yaml:"allowedDomains,omitempty"`
	// Scopes are oauth scopes to request.
	Scopes []string `json:"scopes,omitempty" yaml:"scopes,omitempty"`
	// ClientID is part of the oauth credential pair.
	ClientID string `json:"clientID,omitempty" yaml:"clientID,omitempty" env:"OAUTH_CLIENT_ID"`
	// ClientSecret is part of the oauth credential pair.
	ClientSecret string `json:"clientSecret,omitempty" yaml:"clientSecret,omitempty" env:"OAUTH_CLIENT_SECRET"`
}
Config is the config options.
func (Config) DecodeSecret added in v1.20201204.1
DecodeSecret decodes the secret from base64, if it is set.
func (*Config) Resolve added in v1.20201204.1
Resolve adds extra steps to perform during `configutil.Read(...)`.
func (Config) ScopesOrDefault added in v1.20201204.1
ScopesOrDefault returns the oauth scopes to authenticate with, or the default set of scopes if none are configured.
type Error
type Error string
Error is an error string.
const (
	// ErrCodeMissing is returned if the code was missing from an oauth return request.
	ErrCodeMissing Error = "state missing from request"
	// ErrStateMissing is returned if the state was missing from an oauth return request.
	ErrStateMissing Error = "state missing from request"
	// ErrInvalidHostedDomain is an error returned if the JWT hosted zone doesn't match any of the whitelisted domains.
	ErrInvalidHostedDomain Error = "hosted domain validation failed"
	// ErrInvalidAntiforgeryToken is an error returned on oauth finish that indicates we didn't originate the auth request.
	ErrInvalidAntiforgeryToken Error = "invalid anti-forgery token"
	// ErrInvalidJWTAudience is an error in validating the token jwt.
	ErrInvalidJWTAudience Error = "invalid jwt audience; should match clientID"
	// ErrInvalidJWTIssuer is an error in validating the token jwt.
	ErrInvalidJWTIssuer Error = "invalid jwt issuer; should be a valid google issuer"
	// ErrInvalidJWTHostedDomain is an error in validating the token jwt.
	ErrInvalidJWTHostedDomain Error = "invalid jwt hosted domain; must be in the allowed domain list"
	// ErrInvalidJWT is returned when we fail to decode or verify the token jwt.
	ErrInvalidJWT Error = "invalid jwt; failed to decode or verify"
	// ErrProfileJSONUnmarshal is an error returned if the json unmarshal failed.
	ErrProfileJSONUnmarshal Error = "profile json unmarshal failed"
	// ErrFailedCodeExchange happens if the code exchange for an access token fails.
	ErrFailedCodeExchange Error = "oauth code exchange failed"
	// ErrGoogleResponseStatus is an error that can occur when querying the google apis.
	ErrGoogleResponseStatus Error = "google returned a non 2xx response"
	// ErrSecretRequired is a configuration error indicating we did not provide a secret.
	ErrSecretRequired Error = "manager secret required"
	// ErrClientIDRequired is a self validation error.
	ErrClientIDRequired Error = "clientID is required"
	// ErrClientSecretRequired is a self validation error.
	ErrClientSecretRequired Error = "clientSecret is required"
	// ErrRedirectURIRequired is a self validation error.
	ErrRedirectURIRequired Error = "redirectURI is required"
	// ErrInvalidRedirectURI is an error in validating the redirect uri.
	ErrInvalidRedirectURI Error = "invalid redirectURI"
)
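The audience, issuer and hosted-domain checks that the ErrInvalidJWT* constants above describe, written out as an added example; this is not the package's own ValidateJWTGoogle. The `claims` and `manager` stand-ins, the check order, and the assumption that the signature was already verified at parse time are this example's, not the page's.

```go
package main

import "fmt"
// Error mirrors the page's string error type; the names and messages below are the page's own.
type Error string
func (e Error) Error() string { return string(e) }
const (
	GoogleIssuer          = "https://accounts.google.com"
	GoogleIssuerAlternate = "accounts.google.com"
	ErrInvalidJWTAudience     Error = "invalid jwt audience; should match clientID"
	ErrInvalidJWTIssuer       Error = "invalid jwt issuer; should be a valid google issuer"
	ErrInvalidJWTHostedDomain Error = "invalid jwt hosted domain; must be in the allowed domain list"
)

// claims stands in for GoogleClaims with only the fields these checks read (an assumption).
type claims struct {
	Audience string // `aud`, from the embedded standard claims
	Issuer   string // `iss`
	HD       string // `hd`, the Google Workspace hosted domain
}

// manager stands in for Manager with the two settings the checks consult.
type manager struct {
	ClientID       string
	AllowedDomains []string
}

// validateGoogleClaims applies the three checks the ErrInvalidJWT* constants describe; it assumes the signature was verified at parse time.
func validateGoogleClaims(m *manager, c *claims) error {
	if c.Audience != m.ClientID {
		return ErrInvalidJWTAudience // token was minted for some other client
	}
	if c.Issuer != GoogleIssuer && c.Issuer != GoogleIssuerAlternate {
		return ErrInvalidJWTIssuer
	}
	if len(m.AllowedDomains) == 0 {
		return nil // per the Config docs, an empty list admits any hosted domain
	}
	for _, d := range m.AllowedDomains {
		if c.HD == d {
			return nil
		}
	}
	return ErrInvalidJWTHostedDomain
}

func main() {
	m := &manager{ClientID: "client-123", AllowedDomains: []string{"example.com"}} // constructed values
	fmt.Println(validateGoogleClaims(m, &claims{Audience: "client-123", Issuer: GoogleIssuer, HD: "other.example"}))
}
```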
type GoogleClaims added in v1.20201204.1
type GoogleClaims struct {
	jwt.StandardClaims
	Email         string `json:"email"`
	EmailVerified string `json:"email-verified"`
	HD            string `json:"hd"`
	Nonce         string `json:"nonce"`
	FamilyName    string `json:"family_name"`
	GivenName     string `json:"given_name"`
	Locale        string `json:"locale"`
	Picture       string `json:"picture"`
	Profile       string `json:"profile"`
}
GoogleClaims are extensions to the jwt standard claims for google oauth.
See additional documentation here: https://developers.google.com/identity/sign-in/web/backend-auth
func ParseTokenJWT added in v1.20201204.1
func ParseTokenJWT(tok *oauth2.Token, keyfunc jwt.Keyfunc) (*GoogleClaims, error)
ParseTokenJWT parses a jwt from a given oauth2 token.
type Manager
type Manager struct {
	oauth2.Config
	Tracer               Tracer
	Secret               []byte
	HostedDomain         string
	AllowedDomains       []string
	Issuer               string
	ValidateJWT          ValidateJWTFunc
	FetchProfileDefaults []r2.Option
	PublicKeyCache       *PublicKeyCache
}
Manager is the oauth manager.
func MustNew added in v1.20201204.1
MustNew returns a new manager mutated by a given set of options and will panic on error.
func New
New returns a new manager; it is a Google Auth manager if the options do not specify an endpoint, PublicKeyCache and Issuer.
func (*Manager) CreateState
func (m *Manager) CreateState(options ...StateOption) (state State)
CreateState creates auth state.
func (*Manager) FetchProfile
func (m *Manager) FetchProfile(ctx context.Context, accessToken string) (profile Profile, err error)
FetchProfile gets a google profile for an access token.
func (*Manager) Finish
Finish processes the returned code, exchanges it for an access token, and fetches the user profile.
func (*Manager) OAuthURL
func (m *Manager) OAuthURL(r *http.Request, stateOptions ...StateOption) (oauthURL string, err error)
OAuthURL is the auth url for google with a given clientID. This is typically the link a user clicks to start the auth process.
func (*Manager) ValidateState
ValidateState validates oauth state.
type Option added in v1.20201204.1
Option is an option for oauth managers.
func OptAllowedDomains added in v1.20201204.1
OptAllowedDomains sets the manager allowedDomains.
func OptClientID added in v1.20201204.1
OptClientID sets the manager clientID.
func OptClientSecret added in v1.20201204.1
OptClientSecret sets the manager clientSecret.
func OptEndpoint added in v1.20240719.1
OptEndpoint sets the manager endpoint.
func OptHostedDomain added in v1.20201204.1
OptHostedDomain sets the manager hostedDomain.
func OptIssuer added in v1.20240719.1
OptIssuer sets the manager issuer url (for the Okta OAuth variant).
func OptPublicKeyCache added in v1.20240719.1
func OptPublicKeyCache(publicCache *PublicKeyCache) Option
OptPublicKeyCache sets the manager public key cache.
func OptRedirectURI added in v1.20201204.1
OptRedirectURI sets the manager redirectURI.
func OptValidateJWT added in v1.20240719.1
func OptValidateJWT(validateJWT ValidateJWTFunc) Option
OptValidateJWT sets the jwt token validator function.
type Profile
type Profile struct {
	ID            string `json:"id"`
	Email         string `json:"email"`
	VerifiedEmail bool   `json:"verified_email"`
	Name          string `json:"name"`
	GivenName     string `json:"given_name"`
	FamilyName    string `json:"family_name"`
	Link          string `json:"link"`
	Gender        string `json:"gender"`
	Locale        string `json:"locale"`
	PictureURL    string `json:"picture"`
}
Profile is a profile with google.
type PublicKeyCache added in v1.20201204.1
type PublicKeyCache struct {
	FetchPublicKeysDefaults []r2.Option
	// contains filtered or unexported fields
}
PublicKeyCache holds cached signing certs.
func NewPublicKeyCache added in v1.20240719.1
func NewPublicKeyCache(keyURL string) *PublicKeyCache
NewPublicKeyCache creates a new public key cache.
func (*PublicKeyCache) FetchPublicKeys added in v1.20210615.7
func (pkc *PublicKeyCache) FetchPublicKeys(ctx context.Context, opts ...r2.Option) (*PublicKeysResponse, error)
FetchPublicKeys gets the google signing certs.
func (*PublicKeyCache) Keyfunc added in v1.20201204.1
func (pkc *PublicKeyCache) Keyfunc(ctx context.Context) jwt.Keyfunc
Keyfunc returns a jwt keyfunc for a specific exchange, tied to the given context.
type PublicKeysResponse added in v1.20201204.1
PublicKeysResponse is a response from the google certs api.
func (PublicKeysResponse) IsExpired added in v1.20201204.1
func (pkr PublicKeysResponse) IsExpired() bool
IsExpired reports whether the cached cert response has expired.
type Response
type Response struct {
	AccessToken  string
	TokenType    string
	RefreshToken string
	Expiry       time.Time
	HostedDomain string
}
Response is the response details from the oauth exchange.
type Result
Result is the final result of the oauth exchange: the user's profile and the state information.
type State
type State struct {
	// Token is a plaintext random token.
	Token string
	// SecureToken is the hashed version of the token.
	// If a key is set, it validates that our app created the oauth state.
	SecureToken string
	// RedirectURI is the redirect uri.
	RedirectURI string
	// Extra includes other state you might need to encode.
	Extra map[string]interface{}
}
State is the oauth state.
func DeserializeState
DeserializeState deserializes the oauth state.
type StateOption added in v1.20201204.1
type StateOption func(*State)
StateOption is an option for state objects.
func OptStateExtra added in v1.20201204.1
func OptStateExtra(key string, value interface{}) StateOption
OptStateExtra sets an extra key/value pair on the state.
func OptStateRedirectURI added in v1.20201204.1
func OptStateRedirectURI(redirectURI string) StateOption
OptStateRedirectURI sets the redirect uri on the state.
func OptStateSecureToken added in v1.20201204.1
func OptStateSecureToken(secureToken string) StateOption
OptStateSecureToken sets the secure token on the state.
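The anti-forgery check that State.SecureToken and ErrInvalidAntiforgeryToken describe, as an added example rather than the package's own CreateState/ValidateState: a keyed hash of Token is minted with the manager secret and recomputed on return, so state this app did not create is rejected. The hash construction (HMAC-SHA512, base64url output), the 32-byte token size and the sample secret are this example's assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"errors"
	"fmt"
)
// ErrInvalidAntiforgeryToken carries the message the page lists for this failure.
var ErrInvalidAntiforgeryToken = errors.New("invalid anti-forgery token")
// State mirrors the page's State struct; Extra is omitted for brevity.
type State struct {
	Token       string // plaintext random token
	SecureToken string // keyed hash of Token
	RedirectURI string
}
// secureToken keys the hash of Token with the manager secret (HMAC-SHA512 + base64url is this example's choice, not necessarily the package's).
func secureToken(secret []byte, token string) string {
	mac := hmac.New(sha512.New, secret)
	mac.Write([]byte(token))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// createState mints a fresh random Token and binds it to the secret.
func createState(secret []byte, redirectURI string) (State, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return State{}, err
	}
	tok := base64.RawURLEncoding.EncodeToString(raw)
	return State{Token: tok, SecureToken: secureToken(secret, tok), RedirectURI: redirectURI}, nil
}

// validateState recomputes the HMAC and compares in constant time: state this app did not mint, or whose Token was altered, is rejected; with no secret configured there is nothing to check.
func validateState(secret []byte, s State) error {
	if len(secret) == 0 {
		return nil
	}
	if !hmac.Equal([]byte(s.SecureToken), []byte(secureToken(secret, s.Token))) {
		return ErrInvalidAntiforgeryToken
	}
	return nil
}
func main() {
	secret := []byte("constructed-secret") // constructed sample key, not a real one
	st, _ := createState(secret, "https://app.example/oauth/return")
	fmt.Println(validateState(secret, st)) // <nil>
}
```

Because only Token is covered by SecureToken, RedirectURI and Extra get no integrity protection from it; anything the application later trusts from those fields should be bound into the hash as well.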
type TraceFinisher
TraceFinisher is a finisher for a trace.
type Tracer
type Tracer interface {
Start(context.Context, *oauth2.Config) TraceFinisher
}
Tracer is a trace shim.
type ValidateJWTFunc added in v1.20240719.1
type ValidateJWTFunc func(m *Manager, jwtClaims *GoogleClaims) error
ValidateJWTFunc is the type of a function that validates a JWT token.