op

package
v2.0.0-dynamic-issuer.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 25, 2022 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrInvalidIssuerPath        = errors.New("no fragments or query allowed for issuer")
	ErrInvalidIssuerNoIssuer    = errors.New("missing issuer")
	ErrInvalidIssuerURL         = errors.New("invalid url for issuer")
	ErrInvalidIssuerMissingHost = errors.New("host for issuer missing")
	ErrInvalidIssuerHTTPS       = errors.New("scheme for issuer must be `https`")
)
View Source 
var (
	DefaultEndpoints = &endpoints{
		Authorization: NewEndpoint(defaultAuthorizationEndpoint),
		Token:         NewEndpoint(defaultTokenEndpoint),
		Introspection: NewEndpoint(defaultIntrospectEndpoint),
		Userinfo:      NewEndpoint(defaultUserinfoEndpoint),
		Revocation:    NewEndpoint(defaultRevocationEndpoint),
		EndSession:    NewEndpoint(defaultEndSessionEndpoint),
		JwksURI:       NewEndpoint(defaultKeysEndpoint),
	}
)
View Source 
var DefaultSupportedScopes = []string{
	oidc.ScopeOpenID,
	oidc.ScopeProfile,
	oidc.ScopeEmail,
	oidc.ScopePhone,
	oidc.ScopeAddress,
	oidc.ScopeOfflineAccess,
}
View Source 
var (
	ErrSignerCreationFailed = errors.New("signer creation failed")
)

Functions

func AuthCallbackURL 

func AuthCallbackURL(o OpenIDProvider) func(context.Context, string) string

AuthCallbackURL builds the url for the redirect (with the requestID) after a successful login

func AuthMethodsIntrospectionEndpoint 

func AuthMethodsIntrospectionEndpoint(c Configuration) []oidc.AuthMethod

func AuthMethodsRevocationEndpoint 

func AuthMethodsRevocationEndpoint(c Configuration) []oidc.AuthMethod

func AuthMethodsTokenEndpoint 

func AuthMethodsTokenEndpoint(c Configuration) []oidc.AuthMethod

func AuthRequestError 

func AuthRequestError(w http.ResponseWriter, r *http.Request, authReq ErrAuthRequest, err error, encoder httphelper.Encoder)

func AuthResponse 

func AuthResponse(authReq AuthRequest, authorizer Authorizer, w http.ResponseWriter, r *http.Request)

AuthResponse creates the successful authentication response (either code or tokens)

func AuthResponseCode 

func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer)

AuthResponseCode creates the successful code authentication response

func AuthResponseToken 

func AuthResponseToken(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer, client Client)

AuthResponseToken creates the successful token(s) authentication response

func AuthResponseURL 

func AuthResponseURL(redirectURI string, responseType oidc.ResponseType, responseMode oidc.ResponseMode, response interface{}, encoder httphelper.Encoder) (string, error)

AuthResponseURL encodes the authorization response (successful and error) and sets it as query or fragment values depending on the response_mode and response_type

func Authorize 

func Authorize(w http.ResponseWriter, r *http.Request, authorizer Authorizer)

Authorize handles the authorization request, including parsing, validating, storing and finally redirecting to the login handler

func AuthorizeCallback 

func AuthorizeCallback(w http.ResponseWriter, r *http.Request, authorizer Authorizer)

AuthorizeCallback handles the callback after authentication in the Login UI

func AuthorizeClientIDSecret 

func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string, storage Storage) error

AuthorizeClientIDSecret authorizes a client by validating the client_id and client_secret (Basic Auth and POST)

func AuthorizeCodeChallenge 

func AuthorizeCodeChallenge(tokenReq *oidc.AccessTokenRequest, challenge *oidc.CodeChallenge) error

AuthorizeCodeChallenge authorizes a client by validating the code_verifier against the previously sent code_challenge of the auth request (PKCE)

func AuthorizeCodeClient 

func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (request AuthRequest, client Client, err error)

AuthorizeCodeClient checks the authorization of the client and that the used method was the one previously registered. It than returns the auth request corresponding to the auth code

func AuthorizeRefreshClient 

func AuthorizeRefreshClient(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (request RefreshTokenRequest, client Client, err error)

AuthorizeRefreshClient checks the authorization of the client and that the used method was the one previously registered. It than returns the data representing the original auth request corresponding to the refresh_token

func BuildAuthRequestCode 

func BuildAuthRequestCode(authReq AuthRequest, crypto Crypto) (string, error)

BuildAuthRequestCode builds the string representation of the auth code

func CodeChallengeMethods 

func CodeChallengeMethods(c Configuration) []oidc.CodeChallengeMethod

func CodeExchange 

func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)

CodeExchange handles the OAuth 2.0 authorization_code grant, including parsing, validating, authorizing the client and finally exchanging the code for tokens

func ContainsResponseType 

func ContainsResponseType(types []oidc.ResponseType, responseType oidc.ResponseType) bool

func CopyRequestObjectToAuthRequest 

func CopyRequestObjectToAuthRequest(authReq *oidc.AuthRequest, requestObject *oidc.RequestObject)

CopyRequestObjectToAuthRequest overwrites present values from the Request Object into the auth request and clears the `RequestParam` of the auth request

func CreateAccessToken 

func CreateAccessToken(ctx context.Context, tokenRequest TokenRequest, accessTokenType AccessTokenType, creator TokenCreator, client Client, refreshToken string) (accessToken, newRefreshToken string, validity time.Duration, err error)

func CreateAuthRequestCode 

func CreateAuthRequestCode(ctx context.Context, authReq AuthRequest, storage Storage, crypto Crypto) (string, error)

CreateAuthRequestCode creates and stores a code for the auth code response

func CreateBearerToken 

func CreateBearerToken(tokenID, subject string, crypto Crypto) (string, error)

func CreateDiscoveryConfig 

func CreateDiscoveryConfig(r *http.Request, config Configuration, storage DiscoverStorage) *oidc.DiscoveryConfiguration

func CreateIDToken 

func CreateIDToken(ctx context.Context, issuer string, request IDTokenRequest, validity time.Duration, accessToken, code string, storage Storage, client Client) (string, error)

func CreateJWT 

func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, exp time.Time, id string, client Client, storage Storage) (string, error)

func CreateJWTTokenResponse 

func CreateJWTTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator) (*oidc.AccessTokenResponse, error)

CreateJWTTokenResponse creates

func CreateRouter 

func CreateRouter(o OpenIDProvider, interceptors ...HttpInterceptor) *mux.Router

func CreateTokenResponse 

func CreateTokenResponse(ctx context.Context, request IDTokenRequest, client Client, creator TokenCreator, createAccessToken bool, code, refreshToken string) (*oidc.AccessTokenResponse, error)

func Discover 

func Discover(w http.ResponseWriter, config *oidc.DiscoveryConfiguration)

func EndSession 

func EndSession(w http.ResponseWriter, r *http.Request, ender SessionEnder)

func GrantTypes 

func GrantTypes(c Configuration) []oidc.GrantType

func HTTPLoopbackOrLocalhost 

func HTTPLoopbackOrLocalhost(rawurl string) (*url.URL, bool)

func Introspect 

func Introspect(w http.ResponseWriter, r *http.Request, introspector Introspector)

func IntrospectionSigAlgorithms 

func IntrospectionSigAlgorithms(c Configuration) []string

func IsConfidentialType 

func IsConfidentialType(c Client) bool

func IssuerFromContext 

func IssuerFromContext(ctx context.Context) string

IssuerFromContext reads the issuer from the context (set by an IssuerInterceptor) it will return an empty string if not found

func IssuerFromHost 

func IssuerFromHost(path string) func(bool) (IssuerFromRequest, error)

func JWTProfile 

func JWTProfile(w http.ResponseWriter, r *http.Request, exchanger JWTAuthorizationGrantExchanger)

JWTProfile handles the OAuth 2.0 JWT Profile Authorization Grant https://tools.ietf.org/html/rfc7523#section-2.1

func Keys 

func Keys(w http.ResponseWriter, r *http.Request, k KeyProvider)

func ParseAccessTokenRequest 

func ParseAccessTokenRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.AccessTokenRequest, error)

ParseAccessTokenRequest parsed the http request into a oidc.AccessTokenRequest

func ParseAuthenticatedTokenRequest 

func ParseAuthenticatedTokenRequest(r *http.Request, decoder httphelper.Decoder, request AuthenticatedTokenRequest) error

ParseAuthenticatedTokenRequest parses the client_id and client_secret from the HTTP request from either HTTP Basic Auth header or form body and sets them into the provided authenticatedTokenRequest interface

func ParseAuthorizeRequest 

func ParseAuthorizeRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.AuthRequest, error)

ParseAuthorizeRequest parsed the http request into an oidc.AuthRequest

func ParseEndSessionRequest 

func ParseEndSessionRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.EndSessionRequest, error)

func ParseJWTProfileGrantRequest 

func ParseJWTProfileGrantRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.JWTProfileGrantRequest, error)

func ParseJWTProfileRequest 

func ParseJWTProfileRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.JWTProfileGrantRequest, error)

ParseJWTProfileRequest has been renamed to ParseJWTProfileGrantRequest

deprecated: use ParseJWTProfileGrantRequest

func ParseRefreshTokenRequest 

func ParseRefreshTokenRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.RefreshTokenRequest, error)

ParseRefreshTokenRequest parsed the http request into a oidc.RefreshTokenRequest

func ParseRequestObject 

func ParseRequestObject(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, issuer string) (*oidc.AuthRequest, error)

ParseRequestObject parse the `request` parameter, validates the token including the signature and copies the token claims into the auth request

func ParseTokenIntrospectionRequest 

func ParseTokenIntrospectionRequest(r *http.Request, introspector Introspector) (token, clientID string, err error)

func ParseTokenRevocationRequest 

func ParseTokenRevocationRequest(r *http.Request, revoker Revoker) (token, tokenTypeHint, clientID string, err error)

func ParseUserinfoRequest 

func ParseUserinfoRequest(r *http.Request, decoder httphelper.Decoder) (string, error)

func Readiness 

func Readiness(w http.ResponseWriter, r *http.Request, probes ...ProbesFn)

func RedirectToLogin 

func RedirectToLogin(authReqID string, client Client, w http.ResponseWriter, r *http.Request)

RedirectToLogin redirects the end user to the Login UI for authentication

func RefreshTokenExchange 

func RefreshTokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)

RefreshTokenExchange handles the OAuth 2.0 refresh_token grant, including parsing, validating, authorizing the client and finally exchanging the refresh_token for new tokens

func RequestError 

func RequestError(w http.ResponseWriter, r *http.Request, err error)

func RequestObjectSigAlgorithms 

func RequestObjectSigAlgorithms(c Configuration) []string

func ResponseTypes 

func ResponseTypes(c Configuration) []string

func RevocationRequestError 

func RevocationRequestError(w http.ResponseWriter, r *http.Request, err error)

func RevocationSigAlgorithms 

func RevocationSigAlgorithms(c Configuration) []string

func Revoke 

func Revoke(w http.ResponseWriter, r *http.Request, revoker Revoker)

func Scopes 

func Scopes(c Configuration) []string

func SigAlgorithms 

func SigAlgorithms(ctx context.Context, storage DiscoverStorage) []string

func SignerFromKey 

func SignerFromKey(key SigningKey) (jose.Signer, error)

func StaticIssuer 

func StaticIssuer(issuer string) func(bool) (IssuerFromRequest, error)

func SubjectIsIssuer 

func SubjectIsIssuer(request *oidc.JWTTokenRequest) error

func SubjectTypes 

func SubjectTypes(c Configuration) []string

func SupportedClaims 

func SupportedClaims(c Configuration) []string

func TokenExchange 

func TokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)

TokenExchange will handle the OAuth 2.0 token exchange grant ("urn:ietf:params:oauth:grant-type:token-exchange")

func TokenSigAlgorithms 

func TokenSigAlgorithms(c Configuration) []string

func Userinfo 

func Userinfo(w http.ResponseWriter, r *http.Request, userinfoProvider UserinfoProvider)

func ValidateAccessTokenRequest 

func ValidateAccessTokenRequest(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, Client, error)

ValidateAccessTokenRequest validates the token request parameters including authorization check of the client and returns the previous created auth request corresponding to the auth code

func ValidateAuthReqIDTokenHint 

func ValidateAuthReqIDTokenHint(ctx context.Context, idTokenHint string, verifier IDTokenHintVerifier) (string, error)

ValidateAuthReqIDTokenHint validates the id_token_hint (if passed as parameter in the request) and returns the `sub` claim

func ValidateAuthReqPrompt 

func ValidateAuthReqPrompt(prompts []string, maxAge *uint) (_ *uint, err error)

ValidateAuthReqPrompt validates the passed prompt values and sets max_age to 0 if prompt login is present

func ValidateAuthReqRedirectURI 

func ValidateAuthReqRedirectURI(client Client, uri string, responseType oidc.ResponseType) error

ValidateAuthReqRedirectURI validates the passed redirect_uri and response_type to the registered uris and client type

func ValidateAuthReqResponseType 

func ValidateAuthReqResponseType(client Client, responseType oidc.ResponseType) error

ValidateAuthReqResponseType validates the passed response_type to the registered response types

func ValidateAuthReqScopes 

func ValidateAuthReqScopes(client Client, scopes []string) ([]string, error)

ValidateAuthReqScopes validates the passed scopes

func ValidateAuthRequest 

func ValidateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, verifier IDTokenHintVerifier) (sub string, err error)

ValidateAuthRequest validates the authorize parameters and returns the userID of the id_token_hint if passed

func ValidateGrantType 

func ValidateGrantType(client Client, grantType oidc.GrantType) bool

ValidateGrantType ensures that the requested grant_type is allowed by the Client

func ValidateIssuer 

func ValidateIssuer(issuer string, allowInsecure bool) error

func ValidateIssuerPath 

func ValidateIssuerPath(issuer *url.URL) error

func ValidateRefreshTokenRequest 

func ValidateRefreshTokenRequest(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (RefreshTokenRequest, Client, error)

ValidateRefreshTokenRequest validates the refresh_token request parameters including authorization check of the client and returns the data representing the original auth request corresponding to the refresh_token

func ValidateRefreshTokenScopes 

func ValidateRefreshTokenScopes(requestedScopes []string, authRequest RefreshTokenRequest) error

ValidateRefreshTokenScopes validates that the requested scope is a subset of the original auth request scope it will set the requested scopes as current scopes onto RefreshTokenRequest if empty the original scopes will be used

func VerifyAccessToken 

func VerifyAccessToken(ctx context.Context, token string, v AccessTokenVerifier) (oidc.AccessTokenClaims, error)

VerifyAccessToken validates the access token (issuer, signature and expiration)

func VerifyIDTokenHint 

func VerifyIDTokenHint(ctx context.Context, token string, v IDTokenHintVerifier) (oidc.IDTokenClaims, error)

VerifyIDTokenHint validates the id token according to https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

func VerifyJWTAssertion 

func VerifyJWTAssertion(ctx context.Context, assertion string, v JWTProfileVerifier) (*oidc.JWTTokenRequest, error)

VerifyJWTAssertion verifies the assertion string from JWT Profile (authorization grant and client authentication)

checks audience, exp, iat, signature and that issuer and sub are the same

Types

type AccessTokenType 

type AccessTokenType int
const (
	AccessTokenTypeBearer AccessTokenType = iota
	AccessTokenTypeJWT
)

type AccessTokenVerifier 

type AccessTokenVerifier interface {
	oidc.Verifier
	SupportedSignAlgs() []string
	KeySet() oidc.KeySet
}

func NewAccessTokenVerifier 

func NewAccessTokenVerifier(issuer string, keySet oidc.KeySet) AccessTokenVerifier

type ApplicationType 

type ApplicationType int
const (
	ApplicationTypeWeb ApplicationType = iota
	ApplicationTypeUserAgent
	ApplicationTypeNative
)

type AuthMethod 

type AuthMethod string

type AuthRequest 

type AuthRequest interface {
	GetID() string
	GetACR() string
	GetAMR() []string
	GetAudience() []string
	GetAuthTime() time.Time
	GetClientID() string
	GetCodeChallenge() *oidc.CodeChallenge
	GetNonce() string
	GetRedirectURI() string
	GetResponseType() oidc.ResponseType
	GetResponseMode() oidc.ResponseMode
	GetScopes() []string
	GetState() string
	GetSubject() string
	Done() bool
}

func AuthRequestByCode 

func AuthRequestByCode(ctx context.Context, storage Storage, code string) (AuthRequest, error)

AuthRequestByCode returns the AuthRequest previously created from Storage corresponding to the auth code or an error

type AuthStorage 

type AuthStorage interface {
	CreateAuthRequest(context.Context, *oidc.AuthRequest, string) (AuthRequest, error)
	AuthRequestByID(context.Context, string) (AuthRequest, error)
	AuthRequestByCode(context.Context, string) (AuthRequest, error)
	SaveAuthCode(context.Context, string, string) error
	DeleteAuthRequest(context.Context, string) error

	CreateAccessToken(context.Context, TokenRequest) (string, time.Time, error)
	CreateAccessAndRefreshTokens(ctx context.Context, request TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshToken string, expiration time.Time, err error)
	TokenRequestByRefreshToken(ctx context.Context, refreshToken string) (RefreshTokenRequest, error)

	TerminateSession(ctx context.Context, userID string, clientID string) error
	RevokeToken(ctx context.Context, token string, userID string, clientID string) *oidc.Error

	SigningKey(context.Context) (SigningKey, error)
	SignatureAlgorithms(context.Context) ([]jose.SignatureAlgorithm, error)
	KeySet(context.Context) ([]Key, error)
}

type AuthenticatedTokenRequest 

type AuthenticatedTokenRequest interface {
	SetClientID(string)
	SetClientSecret(string)
}

AuthenticatedTokenRequest is a helper interface for ParseAuthenticatedTokenRequest it is implemented by oidc.AuthRequest and oidc.RefreshTokenRequest

type AuthorizeValidator 

type AuthorizeValidator interface {
	Authorizer
	ValidateAuthRequest(context.Context, *oidc.AuthRequest, Storage, IDTokenHintVerifier) (string, error)
}

AuthorizeValidator is an extension of Authorizer interface implementing its own validation mechanism for the auth request

type Authorizer 

type Authorizer interface {
	Storage() Storage
	Decoder() httphelper.Decoder
	Encoder() httphelper.Encoder
	IDTokenHintVerifier(context.Context) IDTokenHintVerifier
	Crypto() Crypto
	RequestObjectSupported() bool
}

type Client 

type Client interface {
	GetID() string
	RedirectURIs() []string
	PostLogoutRedirectURIs() []string
	ApplicationType() ApplicationType
	AuthMethod() oidc.AuthMethod
	ResponseTypes() []oidc.ResponseType
	GrantTypes() []oidc.GrantType
	LoginURL(string) string
	AccessTokenType() AccessTokenType
	IDTokenLifetime() time.Duration
	DevMode() bool
	RestrictAdditionalIdTokenScopes() func(scopes []string) []string
	RestrictAdditionalAccessTokenScopes() func(scopes []string) []string
	IsScopeAllowed(scope string) bool
	IDTokenUserinfoClaimsAssertion() bool
	ClockSkew() time.Duration
}

func AuthorizePrivateJWTKey 

func AuthorizePrivateJWTKey(ctx context.Context, clientAssertion string, exchanger JWTAuthorizationGrantExchanger) (Client, error)

AuthorizePrivateJWTKey authorizes a client by validating the client_assertion's signature with a previously registered public key (JWT Profile)

type Config 

type Config struct {
	CryptoKey                [32]byte
	DefaultLogoutRedirectURI string
	CodeMethodS256           bool
	AuthMethodPost           bool
	AuthMethodPrivateKeyJWT  bool
	GrantTypeRefreshToken    bool
	RequestObjectSupported   bool
	SupportedUILocales       []language.Tag
}

type Configuration 

type Configuration interface {
	IssuerFromRequest(r *http.Request) string
	Insecure() bool
	AuthorizationEndpoint() Endpoint
	TokenEndpoint() Endpoint
	IntrospectionEndpoint() Endpoint
	UserinfoEndpoint() Endpoint
	RevocationEndpoint() Endpoint
	EndSessionEndpoint() Endpoint
	KeysEndpoint() Endpoint

	AuthMethodPostSupported() bool
	CodeMethodS256Supported() bool
	AuthMethodPrivateKeyJWTSupported() bool
	TokenEndpointSigningAlgorithmsSupported() []string
	GrantTypeRefreshTokenSupported() bool
	GrantTypeTokenExchangeSupported() bool
	GrantTypeJWTAuthorizationSupported() bool
	IntrospectionAuthMethodPrivateKeyJWTSupported() bool
	IntrospectionEndpointSigningAlgorithmsSupported() []string
	RevocationAuthMethodPrivateKeyJWTSupported() bool
	RevocationEndpointSigningAlgorithmsSupported() []string
	RequestObjectSupported() bool
	RequestObjectSigningAlgorithmsSupported() []string

	SupportedUILocales() []language.Tag
}

type Crypto 

type Crypto interface {
	Encrypt(string) (string, error)
	Decrypt(string) (string, error)
}

func NewAESCrypto 

func NewAESCrypto(key [32]byte) Crypto

type DiscoverStorage 

type DiscoverStorage interface {
	SignatureAlgorithms(context.Context) ([]jose.SignatureAlgorithm, error)
}

type EndSessionRequest 

type EndSessionRequest struct {
	UserID      string
	Client      Client
	RedirectURI string
}

func ValidateEndSessionRequest 

func ValidateEndSessionRequest(ctx context.Context, req *oidc.EndSessionRequest, ender SessionEnder) (*EndSessionRequest, error)

type Endpoint 

type Endpoint struct {
	// contains filtered or unexported fields
}

func NewEndpoint 

func NewEndpoint(path string) Endpoint

func NewEndpointWithURL 

func NewEndpointWithURL(path, url string) Endpoint

func (Endpoint) Absolute 

func (e Endpoint) Absolute(host string) string

func (Endpoint) Relative 

func (e Endpoint) Relative() string

func (Endpoint) Validate 

func (e Endpoint) Validate() error

type ErrAuthRequest 

type ErrAuthRequest interface {
	GetRedirectURI() string
	GetResponseType() oidc.ResponseType
	GetState() string
}

type Exchanger 

type Exchanger interface {
	Storage() Storage
	Decoder() httphelper.Decoder
	Crypto() Crypto
	AuthMethodPostSupported() bool
	AuthMethodPrivateKeyJWTSupported() bool
	GrantTypeRefreshTokenSupported() bool
	GrantTypeTokenExchangeSupported() bool
	GrantTypeJWTAuthorizationSupported() bool
}

type HttpInterceptor 

type HttpInterceptor func(http.Handler) http.Handler

type IDTokenHintVerifier 

type IDTokenHintVerifier interface {
	oidc.Verifier
	SupportedSignAlgs() []string
	KeySet() oidc.KeySet
	ACR() oidc.ACRVerifier
	MaxAge() time.Duration
}

func NewIDTokenHintVerifier 

func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet) IDTokenHintVerifier

type IDTokenRequest 

type IDTokenRequest interface {
	GetAMR() []string
	GetAudience() []string
	GetAuthTime() time.Time
	GetClientID() string
	GetScopes() []string
	GetSubject() string
}

type Introspector 

type Introspector interface {
	Decoder() httphelper.Decoder
	Crypto() Crypto
	Storage() Storage
	AccessTokenVerifier(context.Context) AccessTokenVerifier
}

type IntrospectorJWTProfile 

type IntrospectorJWTProfile interface {
	Introspector
	JWTProfileVerifier(context.Context) JWTProfileVerifier
}

type IssuerFromRequest 

type IssuerFromRequest func(r *http.Request) string

type IssuerInterceptor 

type IssuerInterceptor struct {
	// contains filtered or unexported fields
}

func NewIssuerInterceptor 

func NewIssuerInterceptor(issuerFromRequest IssuerFromRequest) *IssuerInterceptor

NewIssuerInterceptor will set the issuer into the context by the provided IssuerFromRequest (e.g. returned from StaticIssuer or IssuerFromHost)

func (*IssuerInterceptor) Handler 

func (i *IssuerInterceptor) Handler(next http.Handler) http.Handler

func (*IssuerInterceptor) HandlerFunc 

func (i *IssuerInterceptor) HandlerFunc(next http.HandlerFunc) http.HandlerFunc

type JWTAuthorizationGrantExchanger 

type JWTAuthorizationGrantExchanger interface {
	Exchanger
	JWTProfileVerifier(context.Context) JWTProfileVerifier
}

type JWTProfileVerifier 

type JWTProfileVerifier interface {
	oidc.Verifier
	Storage() jwtProfileKeyStorage
	CheckSubject(request *oidc.JWTTokenRequest) error
}

func NewJWTProfileVerifier 

func NewJWTProfileVerifier(storage jwtProfileKeyStorage, issuer string, maxAgeIAT, offset time.Duration, opts ...JWTProfileVerifierOption) JWTProfileVerifier

NewJWTProfileVerifier creates a oidc.Verifier for JWT Profile assertions (authorization grant and client authentication)

type JWTProfileVerifierOption 

type JWTProfileVerifierOption func(*jwtProfileVerifier)

func SubjectCheck 

func SubjectCheck(check func(request *oidc.JWTTokenRequest) error) JWTProfileVerifierOption

type Key 

type Key interface {
	ID() string
	Algorithm() jose.SignatureAlgorithm
	Use() string
	Key() interface{}
}

type KeyProvider 

type KeyProvider interface {
	KeySet(context.Context) ([]Key, error)
}

type OPStorage 

type OPStorage interface {
	GetClientByClientID(ctx context.Context, clientID string) (Client, error)
	AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string) error
	SetUserinfoFromScopes(ctx context.Context, userinfo oidc.UserInfoSetter, userID, clientID string, scopes []string) error
	SetUserinfoFromToken(ctx context.Context, userinfo oidc.UserInfoSetter, tokenID, subject, origin string) error
	SetIntrospectionFromToken(ctx context.Context, userinfo oidc.IntrospectionResponse, tokenID, subject, clientID string) error
	GetPrivateClaimsFromScopes(ctx context.Context, userID, clientID string, scopes []string) (map[string]interface{}, error)
	GetKeyByIDAndUserID(ctx context.Context, keyID, userID string) (*jose.JSONWebKey, error)
	ValidateJWTProfileScopes(ctx context.Context, userID string, scopes []string) ([]string, error)
}

type OpenIDProvider 

type OpenIDProvider interface {
	Configuration
	Storage() Storage
	Decoder() httphelper.Decoder
	Encoder() httphelper.Encoder
	IDTokenHintVerifier(context.Context) IDTokenHintVerifier
	AccessTokenVerifier(context.Context) AccessTokenVerifier
	Crypto() Crypto
	DefaultLogoutRedirectURI() string
	Probes() []ProbesFn
	HttpHandler() http.Handler
}

type Option 

type Option func(o *Provider) error

func WithAllowInsecure 

func WithAllowInsecure() Option

WithAllowInsecure allows the use of http (instead of https) for issuers this is not recommended for production use and violates the OIDC specification

func WithCustomAuthEndpoint 

func WithCustomAuthEndpoint(endpoint Endpoint) Option

func WithCustomEndSessionEndpoint 

func WithCustomEndSessionEndpoint(endpoint Endpoint) Option

func WithCustomEndpoints 

func WithCustomEndpoints(auth, token, userInfo, revocation, endSession, keys Endpoint) Option

func WithCustomIntrospectionEndpoint 

func WithCustomIntrospectionEndpoint(endpoint Endpoint) Option

func WithCustomKeysEndpoint 

func WithCustomKeysEndpoint(endpoint Endpoint) Option

func WithCustomRevocationEndpoint 

func WithCustomRevocationEndpoint(endpoint Endpoint) Option

func WithCustomTokenEndpoint 

func WithCustomTokenEndpoint(endpoint Endpoint) Option

func WithCustomUserinfoEndpoint 

func WithCustomUserinfoEndpoint(endpoint Endpoint) Option

func WithHttpInterceptors 

func WithHttpInterceptors(interceptors ...HttpInterceptor) Option

type ProbesFn 

type ProbesFn func(context.Context) error

func ReadyStorage 

func ReadyStorage(s Storage) ProbesFn

type Provider 

type Provider struct {
	// contains filtered or unexported fields
}

func NewDynamicOpenIDProvider 

func NewDynamicOpenIDProvider(ctx context.Context, path string, config *Config, storage Storage, opOpts ...Option) (*Provider, error)

func NewOpenIDProvider 

func NewOpenIDProvider(ctx context.Context, issuer string, config *Config, storage Storage, opOpts ...Option) (*Provider, error)

func (*Provider) AccessTokenVerifier 

func (o *Provider) AccessTokenVerifier(ctx context.Context) AccessTokenVerifier

func (*Provider) AuthMethodPostSupported 

func (o *Provider) AuthMethodPostSupported() bool

func (*Provider) AuthMethodPrivateKeyJWTSupported 

func (o *Provider) AuthMethodPrivateKeyJWTSupported() bool

func (*Provider) AuthorizationEndpoint 

func (o *Provider) AuthorizationEndpoint() Endpoint

func (*Provider) CodeMethodS256Supported 

func (o *Provider) CodeMethodS256Supported() bool

func (*Provider) Crypto 

func (o *Provider) Crypto() Crypto

func (*Provider) Decoder 

func (o *Provider) Decoder() httphelper.Decoder

func (*Provider) DefaultLogoutRedirectURI 

func (o *Provider) DefaultLogoutRedirectURI() string

func (*Provider) Encoder 

func (o *Provider) Encoder() httphelper.Encoder

func (*Provider) EndSessionEndpoint 

func (o *Provider) EndSessionEndpoint() Endpoint

func (*Provider) GrantTypeJWTAuthorizationSupported 

func (o *Provider) GrantTypeJWTAuthorizationSupported() bool

func (*Provider) GrantTypeRefreshTokenSupported 

func (o *Provider) GrantTypeRefreshTokenSupported() bool

func (*Provider) GrantTypeTokenExchangeSupported 

func (o *Provider) GrantTypeTokenExchangeSupported() bool

func (*Provider) HttpHandler 

func (o *Provider) HttpHandler() http.Handler

func (*Provider) IDTokenHintVerifier 

func (o *Provider) IDTokenHintVerifier(ctx context.Context) IDTokenHintVerifier

func (*Provider) Insecure 

func (o *Provider) Insecure() bool

func (*Provider) IntrospectionAuthMethodPrivateKeyJWTSupported 

func (o *Provider) IntrospectionAuthMethodPrivateKeyJWTSupported() bool

func (*Provider) IntrospectionEndpoint 

func (o *Provider) IntrospectionEndpoint() Endpoint

func (*Provider) IntrospectionEndpointSigningAlgorithmsSupported 

func (o *Provider) IntrospectionEndpointSigningAlgorithmsSupported() []string

func (*Provider) IssuerFromRequest 

func (o *Provider) IssuerFromRequest(r *http.Request) string

func (*Provider) JWTProfileVerifier 

func (o *Provider) JWTProfileVerifier(ctx context.Context) JWTProfileVerifier

func (*Provider) KeysEndpoint 

func (o *Provider) KeysEndpoint() Endpoint

func (*Provider) Probes 

func (o *Provider) Probes() []ProbesFn

func (*Provider) RequestObjectSigningAlgorithmsSupported 

func (o *Provider) RequestObjectSigningAlgorithmsSupported() []string

func (*Provider) RequestObjectSupported 

func (o *Provider) RequestObjectSupported() bool

func (*Provider) RevocationAuthMethodPrivateKeyJWTSupported 

func (o *Provider) RevocationAuthMethodPrivateKeyJWTSupported() bool

func (*Provider) RevocationEndpoint 

func (o *Provider) RevocationEndpoint() Endpoint

func (*Provider) RevocationEndpointSigningAlgorithmsSupported 

func (o *Provider) RevocationEndpointSigningAlgorithmsSupported() []string

func (*Provider) Storage 

func (o *Provider) Storage() Storage

func (*Provider) SupportedUILocales 

func (o *Provider) SupportedUILocales() []language.Tag

func (*Provider) TokenEndpoint 

func (o *Provider) TokenEndpoint() Endpoint

func (*Provider) TokenEndpointSigningAlgorithmsSupported 

func (o *Provider) TokenEndpointSigningAlgorithmsSupported() []string

func (*Provider) UserinfoEndpoint 

func (o *Provider) UserinfoEndpoint() Endpoint

type RefreshTokenRequest 

type RefreshTokenRequest interface {
	GetAMR() []string
	GetAudience() []string
	GetAuthTime() time.Time
	GetClientID() string
	GetScopes() []string
	GetSubject() string
	SetCurrentScopes(scopes []string)
}

func RefreshTokenRequestByRefreshToken 

func RefreshTokenRequestByRefreshToken(ctx context.Context, storage Storage, refreshToken string) (RefreshTokenRequest, error)

RefreshTokenRequestByRefreshToken returns the RefreshTokenRequest (data representing the original auth request) corresponding to the refresh_token from Storage or an error

type Revoker 

type Revoker interface {
	Decoder() httphelper.Decoder
	Crypto() Crypto
	Storage() Storage
	AccessTokenVerifier(context.Context) AccessTokenVerifier
	AuthMethodPrivateKeyJWTSupported() bool
	AuthMethodPostSupported() bool
}

type RevokerJWTProfile 

type RevokerJWTProfile interface {
	Revoker
	JWTProfileVerifier(context.Context) JWTProfileVerifier
}

type SessionEnder 

type SessionEnder interface {
	Decoder() httphelper.Decoder
	Storage() Storage
	IDTokenHintVerifier(context.Context) IDTokenHintVerifier
	DefaultLogoutRedirectURI() string
}

type SigningKey 

type SigningKey interface {
	SignatureAlgorithm() jose.SignatureAlgorithm
	Key() interface{}
	ID() string
}

type Storage 

type Storage interface {
	AuthStorage
	OPStorage
	Health(context.Context) error
}

type StorageNotFoundError 

type StorageNotFoundError interface {
	IsNotFound()
}

type TokenCreator 

type TokenCreator interface {
	Storage() Storage
	Crypto() Crypto
}

type TokenRequest 

type TokenRequest interface {
	GetSubject() string
	GetAudience() []string
	GetScopes() []string
}

type UserinfoProvider 

type UserinfoProvider interface {
	Decoder() httphelper.Decoder
	Crypto() Crypto
	Storage() Storage
	AccessTokenVerifier(context.Context) AccessTokenVerifier
}

Source Files

View all Source files

Directories

Path Synopsis
Package mock is a generated GoMock package.
 Package mock is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.