rp

package
v0.13.3 Latest Latest
Published: Feb 3, 2021 License: Apache-2.0 Imports: 21 Imported by: 0


Constants

This section is empty.

Variables

This section is empty.

Functions

func AuthURL added in v0.9.0

func AuthURL(state string, rp RelayingParty, opts ...AuthURLOpt) string

AuthURL returns the auth request url (wrapping the oauth2 `AuthCodeURL`)

func AuthURLHandler added in v0.9.0

func AuthURLHandler(stateFn func() string, rp RelayingParty) http.HandlerFunc

AuthURLHandler extends the `AuthURL` function with an HTTP redirect handler, including setting a cookie for secure `state` transfer

func CallTokenEndpoint added in v0.9.0

func CallTokenEndpoint(request interface{}, rp RelayingParty) (newToken *oauth2.Token, err error)

func CallTokenEndpointAuthorized added in v0.12.0

func CallTokenEndpointAuthorized(request interface{}, rp RelayingParty) (newToken *oauth2.Token, err error)

func ClientCredentials added in v0.9.0

func ClientCredentials(ctx context.Context, rp RelayingParty, scopes ...string) (newToken *oauth2.Token, err error)

ClientCredentials is the `RelayingParty` interface implementation handling the oauth2 client credentials grant

func CodeExchange added in v0.9.0

func CodeExchange(ctx context.Context, code string, rp RelayingParty, opts ...CodeExchangeOpt) (tokens *oidc.Tokens, err error)

CodeExchange handles the oauth2 code exchange, extracting and validating the id_token and returning it parsed together with the oauth2 tokens (access, refresh)

func CodeExchangeHandler added in v0.9.0

func CodeExchangeHandler(callback func(http.ResponseWriter, *http.Request, *oidc.Tokens, string), rp RelayingParty) http.HandlerFunc

CodeExchangeHandler extends the `CodeExchange` function with an HTTP handler, including cookie handling for secure `state` transfer and optional PKCE code verifier checking

func DelegationTokenExchange added in v0.9.0

func DelegationTokenExchange(ctx context.Context, subjectToken string, rp RelayingParty, reqOpts ...tokenexchange.TokenExchangeOption) (newToken *oauth2.Token, err error)

DelegationTokenExchange handles the oauth2 token exchange for a delegation token

func DelegationTokenRequest

func DelegationTokenRequest(subjectToken string, opts ...tokenexchange.TokenExchangeOption) *tokenexchange.TokenExchangeRequest

DelegationTokenRequest is an implementation of TokenExchangeRequest. It exchanges a "urn:ietf:params:oauth:token-type:access_token" subject token, with an optional "urn:ietf:params:oauth:token-type:access_token" actor token, for a "urn:ietf:params:oauth:token-type:access_token" delegation token

func GenerateAndStoreCodeChallenge added in v0.9.0

func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelayingParty) (string, error)

GenerateAndStoreCodeChallenge generates a PKCE code challenge and stores its verifier into a secure cookie

func GenerateJWTProfileToken added in v0.13.3

func GenerateJWTProfileToken(assertion *oidc.JWTProfileAssertion) (string, error)

func JWTProfileAssertionExchange added in v0.12.0

func JWTProfileAssertionExchange(ctx context.Context, assertion *oidc.JWTProfileAssertion, scopes oidc.Scopes, rp RelayingParty) (*oauth2.Token, error)

JWTProfileExchange handles the oauth2 jwt profile exchange

func JWTProfileExchange added in v0.9.0

func JWTProfileExchange(ctx context.Context, jwtProfileRequest *tokenexchange.JWTProfileRequest, rp RelayingParty) (*oauth2.Token, error)

JWTProfileExchange handles the oauth2 jwt profile exchange

func NewRemoteKeySet

func NewRemoteKeySet(client *http.Client, jwksURL string) oidc.KeySet

func TokenExchange added in v0.9.0

func TokenExchange(ctx context.Context, request *tokenexchange.TokenExchangeRequest, rp RelayingParty) (newToken *oauth2.Token, err error)

TokenExchange handles the oauth2 token exchange

func VerifyAccessToken added in v0.9.0

func VerifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAlgorithm) error

VerifyAccessToken validates the access token according to https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation

func VerifyIDToken added in v0.9.0

func VerifyIDToken(ctx context.Context, token string, v IDTokenVerifier) (oidc.IDTokenClaims, error)

VerifyIDToken validates the id token according to https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

func VerifyTokens added in v0.9.0

func VerifyTokens(ctx context.Context, accessToken, idTokenString string, v IDTokenVerifier) (oidc.IDTokenClaims, error)

VerifyTokens implements the Token Response Validation as defined in the OIDC specification https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation

func WithIssuedAtMaxAge

func WithIssuedAtMaxAge(maxAge time.Duration) func(*idTokenVerifier)

WithIssuedAtMaxAge provides the ability to define the maximum duration between iat and now

func WithIssuedAtOffset

func WithIssuedAtOffset(offset time.Duration) func(*idTokenVerifier)

WithIssuedAtOffset mitigates the risk of `iat` being in the future because of clock skew, by adding an offset to the current time

Types

type AuthURLOpt

// AuthURLOpt returns the oauth2.AuthCodeOptions that an option (e.g. WithCodeChallenge,
// WithPrompt) adds to the auth request built by AuthURL.
type AuthURLOpt func() []oauth2.AuthCodeOption

func WithCodeChallenge

func WithCodeChallenge(codeChallenge string) AuthURLOpt

WithCodeChallenge sets the `code_challenge` param in the auth request

func WithPrompt added in v0.10.0

func WithPrompt(prompt oidc.Prompt) AuthURLOpt

WithPrompt sets the `prompt` param in the auth request

type CodeExchangeOpt

// CodeExchangeOpt returns the oauth2.AuthCodeOptions that an option (e.g. WithCodeVerifier)
// adds to the token request made by CodeExchange.
type CodeExchangeOpt func() []oauth2.AuthCodeOption

func WithCodeVerifier

func WithCodeVerifier(codeVerifier string) CodeExchangeOpt

WithCodeVerifier sets the `code_verifier` param in the token request

type DelegationTokenExchangeRP

// DelegationTokenExchangeRP extends TokenExchangeRP for the specific `delegation token` request.
type DelegationTokenExchangeRP interface {
	TokenExchangeRP

	// DelegationTokenExchange implements the `Token Exchange Grant`, providing an
	// access token (the subject token) in exchange for a `delegation` token for a given
	// resource / audience. The TokenExchangeOptions further shape the request
	// (see DelegationTokenRequest for the token types used).
	DelegationTokenExchange(context.Context, string, ...tokenexchange.TokenExchangeOption) (*oauth2.Token, error)
}

DelegationTokenExchangeRP extends the `TokenExchangeRP` interface for the specific `delegation token` request

type Endpoints

// Endpoints holds the URLs of an OpenID Provider as returned by Discover / GetEndpoints.
// The embedded oauth2.Endpoint carries AuthURL and TokenURL; IntrospectURL and UserinfoURL
// are the token introspection and userinfo endpoints; JKWsURL (note the letter order of the
// field name) is the JSON Web Key Set URL — presumably the one handed to NewRemoteKeySet
// to fetch the provider's signing keys; verify against the caller.
type Endpoints struct {
	oauth2.Endpoint
	IntrospectURL string
	UserinfoURL   string
	JKWsURL       string
}

func Discover added in v0.9.0

func Discover(issuer string, httpClient *http.Client) (Endpoints, error)

Discover calls the discovery endpoint of the provided issuer and returns the found endpoints

func GetEndpoints

func GetEndpoints(discoveryConfig *oidc.DiscoveryConfiguration) Endpoints

type ErrorHandler added in v0.9.0

// ErrorHandler is the handler a RelayingParty uses for callback errors (see
// RelayingParty.ErrorHandler). It receives the error type and description reported for
// the request — presumably the `error` / `error_description` of the authorization
// response, i.e. text supplied by the remote party, TODO confirm — plus the `state`
// the request was issued with.
type ErrorHandler func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string)
var (
	// DefaultErrorHandler answers with a plain-text "<type>: <description>" body and
	// HTTP 500. http.Error sets Content-Type text/plain and X-Content-Type-Options: nosniff,
	// so externally supplied text is not interpreted as HTML. The 500 status is returned
	// regardless of where the error originated and `state` is not used; install a
	// different handler via WithErrorHandler to change either.
	DefaultErrorHandler ErrorHandler = func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string) {
		http.Error(w, errorType+": "+errorDesc, http.StatusInternalServerError)
	}
)

type IDTokenVerifier added in v0.9.0

// IDTokenVerifier bundles the inputs for the id_token checks done by VerifyIDToken and
// VerifyTokens; the default implementation is created with NewIDTokenVerifier.
type IDTokenVerifier interface {
	oidc.Verifier
	// ClientID returns the relying party's client_id (presumably checked against the
	// id_token's `aud` as the spec requires — TODO confirm).
	ClientID() string
	// SupportedSignAlgs lists the accepted JWS signature algorithms; RS256 by default,
	// replaced via WithSupportedSigningAlgorithms.
	SupportedSignAlgs() []string
	// KeySet returns the key set used to check the id_token signature (e.g. NewRemoteKeySet).
	KeySet() oidc.KeySet
	// Nonce returns the `nonce` expected for this request (see WithNonce).
	Nonce(context.Context) string
	// ACR returns the verifier applied to the `acr` claim (see WithACRVerifier).
	ACR() oidc.ACRVerifier
	// MaxAge returns the maximum allowed duration between `auth_time` and now
	// (presumably set by WithAuthTimeMaxAge — TODO confirm).
	MaxAge() time.Duration
}

func NewIDTokenVerifier added in v0.9.0

func NewIDTokenVerifier(issuer, clientID string, keySet oidc.KeySet, options ...VerifierOption) IDTokenVerifier

NewIDTokenVerifier returns an implementation of `IDTokenVerifier` for `VerifyTokens` and `VerifyIDToken`

type Option added in v0.9.0

// Option configures the relayingParty built by NewRelayingPartyOAuth / NewRelayingPartyOIDC
// (see WithCookieHandler, WithErrorHandler, WithHTTPClient, WithPKCE, WithVerifierOpts).
type Option func(*relayingParty)

DefaultRPOpts is the type for providing dynamic options to the DefaultRP

func WithCookieHandler

func WithCookieHandler(cookieHandler *utils.CookieHandler) Option

WithCookieHandler sets a `CookieHandler` for securing the various redirects

func WithErrorHandler added in v0.9.0

func WithErrorHandler(errorHandler ErrorHandler) Option

func WithHTTPClient

func WithHTTPClient(client *http.Client) Option

WithHTTPClient provides the ability to set an http client to be used for the relaying party and verifier

func WithPKCE

func WithPKCE(cookieHandler *utils.CookieHandler) Option

WithPKCE sets the RP to use PKCE (oauth2 code challenge). It also sets a `CookieHandler` for securing the various redirects and exchanging the code challenge

func WithVerifierOpts added in v0.8.0

func WithVerifierOpts(opts ...VerifierOption) Option

type OptionFunc

// OptionFunc is a function operating on a constructed RelayingParty; no function on this
// page takes it, so its intended use is not visible here — TODO confirm.
type OptionFunc func(RelayingParty)

type RelayingParty

// RelayingParty declares the minimal interface for oidc clients. Implementations are
// created with NewRelayingPartyOAuth (plain OAuth2) and NewRelayingPartyOIDC (with discovery).
type RelayingParty interface {
	// OAuthConfig returns the oauth2 Config (client credentials, redirect URL, scopes, endpoints)
	OAuthConfig() *oauth2.Config

	// IsPKCE reports whether authorization is done using the
	// `Authorization Code Flow with Proof Key for Code Exchange (PKCE)` (see WithPKCE)
	IsPKCE() bool

	// CookieHandler returns the http cookie handler used for the various state transfer
	// cookies (`state`, PKCE code verifier); set via WithCookieHandler or WithPKCE
	CookieHandler() *utils.CookieHandler

	// HttpClient returns the http client used for calls to the openid provider,
	// e.g. calling the token endpoint (see WithHTTPClient)
	HttpClient() *http.Client

	// IsOAuth2Only specifies whether the relaying party handles only oauth2 calls or oidc as well
	IsOAuth2Only() bool

	// IDTokenVerifier returns the verifier used for oidc id_token verification
	IDTokenVerifier() IDTokenVerifier

	// ErrorHandler returns the handler used for callback errors; same signature as
	// ErrorHandler, presumably DefaultErrorHandler unless replaced via WithErrorHandler
	ErrorHandler() func(http.ResponseWriter, *http.Request, string, string, string)
}

RelayingParty declares the minimal interface for oidc clients

func NewRelayingPartyOAuth added in v0.9.0

func NewRelayingPartyOAuth(config *oauth2.Config, options ...Option) (RelayingParty, error)

NewRelayingPartyOAuth creates an (OAuth2) RelayingParty with the given OAuth2 Config and possible configOptions. It will use the AuthURL and TokenURL set in config

func NewRelayingPartyOIDC added in v0.9.0

func NewRelayingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, scopes []string, options ...Option) (RelayingParty, error)

NewRelayingPartyOIDC creates an (OIDC) RelayingParty with the given issuer, clientID, clientSecret, redirectURI, scopes and possible configOptions. It will run discovery on the provided issuer and use the found endpoints

type TokenExchangeRP

// TokenExchangeRP extends RelayingParty for the *draft* oauth2 `Token Exchange`.
type TokenExchangeRP interface {
	RelayingParty

	// TokenExchange implements the `Token Exchange Grant`, exchanging some token for
	// another as described by the given TokenExchangeRequest
	TokenExchange(context.Context, *tokenexchange.TokenExchangeRequest) (*oauth2.Token, error)
}

TokenExchangeRP extends the `RelayingParty` interface for the *draft* oauth2 `Token Exchange`

type Verifier

// Verifier is the old verification interface.
//
// Deprecated: Use IDTokenVerifier (or oidc.Verifier) instead.
type Verifier interface {

	// Verify checks the access_token and id_token and returns the `id token claims`
	Verify(ctx context.Context, accessToken, idTokenString string) (*oidc.IDTokenClaims, error)

	// VerifyIDToken checks the id_token only and returns its `id token claims`
	VerifyIDToken(ctx context.Context, idTokenString string) (*oidc.IDTokenClaims, error)
}

Deprecated: Use IDTokenVerifier (or oidc.Verifier) instead

type VerifierOption added in v0.9.0

// VerifierOption configures the idTokenVerifier created by NewIDTokenVerifier
// (see WithACRVerifier, WithAuthTimeMaxAge, WithNonce, WithSupportedSigningAlgorithms).
type VerifierOption func(*idTokenVerifier)

VerifierOption is the type for providing dynamic options to the IDTokenVerifier

func WithACRVerifier

func WithACRVerifier(verifier oidc.ACRVerifier) VerifierOption

WithACRVerifier sets the verifier for the acr claim

func WithAuthTimeMaxAge

func WithAuthTimeMaxAge(maxAge time.Duration) VerifierOption

WithAuthTimeMaxAge provides the ability to define the maximum duration between auth_time and now

func WithNonce

func WithNonce(nonce func(context.Context) string) VerifierOption

WithNonce sets the function to check the nonce

func WithSupportedSigningAlgorithms

func WithSupportedSigningAlgorithms(algs ...string) VerifierOption

WithSupportedSigningAlgorithms overrides the default RS256 signing algorithm

Directories

Path Synopsis
Package mock is a generated GoMock package.
Package mock is a generated GoMock package.
