Documentation ¶
Index ¶
- func AuthURL(state string, rp RelayingParty, opts ...AuthURLOpt) string
- func AuthURLHandler(stateFn func() string, rp RelayingParty) http.HandlerFunc
- func CallTokenEndpoint(request interface{}, rp RelayingParty) (newToken *oauth2.Token, err error)
- func CallTokenEndpointAuthorized(request interface{}, rp RelayingParty) (newToken *oauth2.Token, err error)
- func ClientCredentials(ctx context.Context, rp RelayingParty, scopes ...string) (newToken *oauth2.Token, err error)
- func CodeExchange(ctx context.Context, code string, rp RelayingParty, opts ...CodeExchangeOpt) (tokens *oidc.Tokens, err error)
- func CodeExchangeHandler(callback func(http.ResponseWriter, *http.Request, *oidc.Tokens, string), ...) http.HandlerFunc
- func DelegationTokenExchange(ctx context.Context, subjectToken string, rp RelayingParty, ...) (newToken *oauth2.Token, err error)
- func DelegationTokenRequest(subjectToken string, opts ...tokenexchange.TokenExchangeOption) *tokenexchange.TokenExchangeRequest
- func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelayingParty) (string, error)
- func JWTProfileAssertionExchange(ctx context.Context, assertion *oidc.JWTProfileAssertion, scopes oidc.Scopes, ...) (*oauth2.Token, error)
- func JWTProfileExchange(ctx context.Context, jwtProfileRequest *tokenexchange.JWTProfileRequest, ...) (*oauth2.Token, error)
- func NewRemoteKeySet(client *http.Client, jwksURL string) oidc.KeySet
- func TokenExchange(ctx context.Context, request *tokenexchange.TokenExchangeRequest, ...) (newToken *oauth2.Token, err error)
- func VerifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAlgorithm) error
- func VerifyIDToken(ctx context.Context, token string, v IDTokenVerifier) (oidc.IDTokenClaims, error)
- func VerifyTokens(ctx context.Context, accessToken, idTokenString string, v IDTokenVerifier) (oidc.IDTokenClaims, error)
- func WithIssuedAtMaxAge(maxAge time.Duration) func(*idTokenVerifier)
- func WithIssuedAtOffset(offset time.Duration) func(*idTokenVerifier)
- type AuthURLOpt
- type CodeExchangeOpt
- type DelegationTokenExchangeRP
- type Endpoints
- type ErrorHandler
- type IDTokenVerifier
- type Option
- type OptionFunc
- type RelayingParty
- type TokenExchangeRP
- type Verifier
- type VerifierOption
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AuthURL ¶ added in v0.9.0
func AuthURL(state string, rp RelayingParty, opts ...AuthURLOpt) string
AuthURL returns the auth request url (wrapping the oauth2 `AuthCodeURL`)
func AuthURLHandler ¶ added in v0.9.0
func AuthURLHandler(stateFn func() string, rp RelayingParty) http.HandlerFunc
AuthURLHandler extends the `AuthURL` function with an http redirect handler, including setting a cookie for secure `state` transfer
func CallTokenEndpoint ¶ added in v0.9.0
func CallTokenEndpoint(request interface{}, rp RelayingParty) (newToken *oauth2.Token, err error)
func CallTokenEndpointAuthorized ¶ added in v0.12.0
func CallTokenEndpointAuthorized(request interface{}, rp RelayingParty) (newToken *oauth2.Token, err error)
func ClientCredentials ¶ added in v0.9.0
func ClientCredentials(ctx context.Context, rp RelayingParty, scopes ...string) (newToken *oauth2.Token, err error)
ClientCredentials is the `RelayingParty` interface implementation handling the oauth2 client credentials grant
func CodeExchange ¶ added in v0.9.0
func CodeExchange(ctx context.Context, code string, rp RelayingParty, opts ...CodeExchangeOpt) (tokens *oidc.Tokens, err error)
CodeExchange handles the oauth2 code exchange, extracting and validating the id_token and returning it parsed together with the oauth2 tokens (access, refresh)
func CodeExchangeHandler ¶ added in v0.9.0
func CodeExchangeHandler(callback func(http.ResponseWriter, *http.Request, *oidc.Tokens, string), rp RelayingParty) http.HandlerFunc
CodeExchangeHandler extends the `CodeExchange` function with an http handler including cookie handling for secure `state` transfer and optional PKCE code verifier checking
func DelegationTokenExchange ¶ added in v0.9.0
func DelegationTokenExchange(ctx context.Context, subjectToken string, rp RelayingParty, reqOpts ...tokenexchange.TokenExchangeOption) (newToken *oauth2.Token, err error)
DelegationTokenExchange handles the oauth2 token exchange for a delegation token
func DelegationTokenRequest ¶
func DelegationTokenRequest(subjectToken string, opts ...tokenexchange.TokenExchangeOption) *tokenexchange.TokenExchangeRequest
DelegationTokenRequest is an implementation of TokenExchangeRequest: it exchanges a "urn:ietf:params:oauth:token-type:access_token" subject token, with an optional "urn:ietf:params:oauth:token-type:access_token" actor token, for a "urn:ietf:params:oauth:token-type:access_token" delegation token
func GenerateAndStoreCodeChallenge ¶ added in v0.9.0
func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelayingParty) (string, error)
GenerateAndStoreCodeChallenge generates a PKCE code challenge and stores its verifier into a secure cookie
func JWTProfileAssertionExchange ¶ added in v0.12.0
func JWTProfileAssertionExchange(ctx context.Context, assertion *oidc.JWTProfileAssertion, scopes oidc.Scopes, rp RelayingParty) (*oauth2.Token, error)
JWTProfileAssertionExchange handles the oauth2 jwt profile exchange for the given assertion
func JWTProfileExchange ¶ added in v0.9.0
func JWTProfileExchange(ctx context.Context, jwtProfileRequest *tokenexchange.JWTProfileRequest, rp RelayingParty) (*oauth2.Token, error)
JWTProfileExchange handles the oauth2 jwt profile exchange
func TokenExchange ¶ added in v0.9.0
func TokenExchange(ctx context.Context, request *tokenexchange.TokenExchangeRequest, rp RelayingParty) (newToken *oauth2.Token, err error)
TokenExchange handles the oauth2 token exchange
func VerifyAccessToken ¶ added in v0.9.0
VerifyAccessToken validates the access token according to https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation
func VerifyIDToken ¶ added in v0.9.0
func VerifyIDToken(ctx context.Context, token string, v IDTokenVerifier) (oidc.IDTokenClaims, error)
VerifyIDToken validates the id token according to https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
func VerifyTokens ¶ added in v0.9.0
func VerifyTokens(ctx context.Context, accessToken, idTokenString string, v IDTokenVerifier) (oidc.IDTokenClaims, error)
VerifyTokens implements the Token Response Validation as defined in the OIDC specification https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation
func WithIssuedAtMaxAge ¶
WithIssuedAtMaxAge provides the ability to define the maximum duration between iat and now
func WithIssuedAtOffset ¶
WithIssuedAtOffset mitigates the risk of `iat` being in the future because of clock skew by allowing an offset to be added to the current time
Types ¶
type AuthURLOpt ¶
// AuthURLOpt supplies additional oauth2.AuthCodeOptions to AuthURL
// (see WithCodeChallenge and WithPrompt for the provided implementations).
type AuthURLOpt func() []oauth2.AuthCodeOption
func WithCodeChallenge ¶
func WithCodeChallenge(codeChallenge string) AuthURLOpt
WithCodeChallenge sets the `code_challenge` param in the auth request
func WithPrompt ¶ added in v0.10.0
func WithPrompt(prompt oidc.Prompt) AuthURLOpt
WithPrompt sets the `prompt` param in the auth request
type CodeExchangeOpt ¶
// CodeExchangeOpt supplies additional oauth2.AuthCodeOptions to the token request
// made by CodeExchange (see WithCodeVerifier for the provided implementation).
type CodeExchangeOpt func() []oauth2.AuthCodeOption
func WithCodeVerifier ¶
func WithCodeVerifier(codeVerifier string) CodeExchangeOpt
WithCodeVerifier sets the `code_verifier` param in the token request
type DelegationTokenExchangeRP ¶
// DelegationTokenExchangeRP extends the `TokenExchangeRP` interface for the specific `delegation token` request.
type DelegationTokenExchangeRP interface {
	TokenExchangeRP
	// DelegationTokenExchange implements the `Token Exchange Grant`,
	// providing an access token in request for a `delegation` token for a given resource / audience.
	DelegationTokenExchange(context.Context, string, ...tokenexchange.TokenExchangeOption) (*oauth2.Token, error)
}
DelegationTokenExchangeRP extends the `TokenExchangeRP` interface for the specific `delegation token` request
type Endpoints ¶
func Discover ¶ added in v0.9.0
Discover calls the discovery endpoint of the provided issuer and returns the found endpoints
func GetEndpoints ¶
func GetEndpoints(discoveryConfig *oidc.DiscoveryConfiguration) Endpoints
type ErrorHandler ¶ added in v0.9.0
// ErrorHandler is invoked for callback errors with the error type, error description
// and the `state` of the affected request (see RelayingParty.ErrorHandler).
// NOTE(review): where errorType/errorDesc originate (e.g. the callback request) is not visible here — confirm before treating them as trusted.
type ErrorHandler func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string)
var (
	// DefaultErrorHandler answers a callback error with a plain-text 500 response whose
	// body is "<errorType>: <errorDesc>"; state is ignored.
	// http.Error sets Content-Type text/plain and X-Content-Type-Options: nosniff,
	// so the reflected errorType/errorDesc are not interpreted as HTML by the browser.
	// NOTE(review): presumably the fallback when WithErrorHandler is not supplied — confirm.
	DefaultErrorHandler ErrorHandler = func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string) {
		http.Error(w, errorType+": "+errorDesc, http.StatusInternalServerError)
	}
)
type IDTokenVerifier ¶ added in v0.9.0
// IDTokenVerifier is the verifier used by VerifyTokens and VerifyIDToken;
// NewIDTokenVerifier returns an implementation configured through VerifierOptions.
type IDTokenVerifier interface {
	oidc.Verifier
	// ClientID returns the clientID passed to NewIDTokenVerifier.
	ClientID() string
	// SupportedSignAlgs returns the accepted signing algorithms
	// (default RS256, overridable with WithSupportedSigningAlgorithms).
	SupportedSignAlgs() []string
	// KeySet returns the oidc.KeySet passed to NewIDTokenVerifier (see NewRemoteKeySet).
	KeySet() oidc.KeySet
	// Nonce returns the expected nonce for the request; set with WithNonce.
	Nonce(context.Context) string
	// ACR returns the verifier for the acr claim; set with WithACRVerifier.
	ACR() oidc.ACRVerifier
	// MaxAge returns the maximum accepted age between auth_time and now;
	// presumably the value set with WithAuthTimeMaxAge — confirm.
	MaxAge() time.Duration
}
func NewIDTokenVerifier ¶ added in v0.9.0
func NewIDTokenVerifier(issuer, clientID string, keySet oidc.KeySet, options ...VerifierOption) IDTokenVerifier
NewIDTokenVerifier returns an implementation of `IDTokenVerifier` for `VerifyTokens` and `VerifyIDToken`
type Option ¶ added in v0.9.0
// Option configures the unexported relayingParty; callers build Options through the
// With* helpers (WithCookieHandler, WithErrorHandler, WithHTTPClient, WithPKCE, WithVerifierOpts)
// and pass them to NewRelayingPartyOAuth / NewRelayingPartyOIDC.
type Option func(*relayingParty)
Option is the type for providing dynamic options to the RelayingParty constructors
func WithCookieHandler ¶
func WithCookieHandler(cookieHandler *utils.CookieHandler) Option
WithCookieHandler sets a `CookieHandler` for securing the various redirects
func WithErrorHandler ¶ added in v0.9.0
func WithErrorHandler(errorHandler ErrorHandler) Option
func WithHTTPClient ¶
WithHTTPClient provides the ability to set an http client to be used for the relaying party and verifier
func WithPKCE ¶
func WithPKCE(cookieHandler *utils.CookieHandler) Option
WithPKCE sets the RP to use PKCE (oauth2 code challenge); it also sets a `CookieHandler` for securing the various redirects and exchanging the code challenge
func WithVerifierOpts ¶ added in v0.8.0
func WithVerifierOpts(opts ...VerifierOption) Option
type OptionFunc ¶
// OptionFunc is a callback that receives a RelayingParty.
// NOTE(review): nothing on this page uses OptionFunc — confirm its intended caller.
type OptionFunc func(RelayingParty)
type RelayingParty ¶
// RelayingParty declares the minimal interface for oidc clients.
type RelayingParty interface {
	// OAuthConfig returns the oauth2 Config.
	OAuthConfig() *oauth2.Config
	// IsPKCE returns whether authorization is done using `Authorization Code Flow with Proof Key for Code Exchange (PKCE)`.
	IsPKCE() bool
	// CookieHandler returns the http cookie handler used for the various state transfer cookies.
	CookieHandler() *utils.CookieHandler
	// HttpClient returns the http client used for calls to the openid provider, e.g. calling the token endpoint.
	// NOTE(review): whether this client carries a timeout is not visible here — confirm, since it talks to a remote provider.
	HttpClient() *http.Client
	// IsOAuth2Only specifies whether the relaying party handles only oauth2 or also oidc calls.
	IsOAuth2Only() bool
	// IDTokenVerifier returns the verifier used for oidc id_token verification.
	IDTokenVerifier() IDTokenVerifier
	// ErrorHandler returns the handler used for callback errors (see ErrorHandler / DefaultErrorHandler).
	ErrorHandler() func(http.ResponseWriter, *http.Request, string, string, string)
}
RelayingParty declares the minimal interface for oidc clients
func NewRelayingPartyOAuth ¶ added in v0.9.0
func NewRelayingPartyOAuth(config *oauth2.Config, options ...Option) (RelayingParty, error)
NewRelayingPartyOAuth creates an (OAuth2) RelayingParty with the given OAuth2 Config and possible options; it will use the AuthURL and TokenURL set in config
func NewRelayingPartyOIDC ¶ added in v0.9.0
func NewRelayingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, scopes []string, options ...Option) (RelayingParty, error)
NewRelayingPartyOIDC creates an (OIDC) RelayingParty with the given issuer, clientID, clientSecret, redirectURI, scopes and possible options; it will run discovery on the provided issuer and use the found endpoints
type TokenExchangeRP ¶
// TokenExchangeRP extends the `RelayingParty` interface for the *draft* oauth2 `Token Exchange`.
type TokenExchangeRP interface {
	RelayingParty
	// TokenExchange implements the `Token Exchange Grant`, exchanging some token for another.
	TokenExchange(context.Context, *tokenexchange.TokenExchangeRequest) (*oauth2.Token, error)
}
TokenExchangeRP extends the `RelayingParty` interface for the *draft* oauth2 `Token Exchange`
type Verifier ¶
// Verifier is the older token verification interface.
//
// Deprecated: Use IDTokenVerifier (or oidc.Verifier) instead.
type Verifier interface {
	// Verify checks the access_token and id_token and returns the `id token claims`.
	Verify(ctx context.Context, accessToken, idTokenString string) (*oidc.IDTokenClaims, error)
	// VerifyIDToken checks the id_token only and returns its `id token claims`.
	VerifyIDToken(ctx context.Context, idTokenString string) (*oidc.IDTokenClaims, error)
}
Deprecated: Use IDTokenVerifier (or oidc.Verifier) instead.
type VerifierOption ¶ added in v0.9.0
// VerifierOption configures the unexported idTokenVerifier used by NewIDTokenVerifier;
// callers build VerifierOptions through the With* helpers (WithACRVerifier, WithAuthTimeMaxAge,
// WithIssuedAtMaxAge, WithIssuedAtOffset, WithNonce, WithSupportedSigningAlgorithms).
type VerifierOption func(*idTokenVerifier)
VerifierOption is the type for providing dynamic options to the IDTokenVerifier
func WithACRVerifier ¶
func WithACRVerifier(verifier oidc.ACRVerifier) VerifierOption
WithACRVerifier sets the verifier for the acr claim
func WithAuthTimeMaxAge ¶
func WithAuthTimeMaxAge(maxAge time.Duration) VerifierOption
WithAuthTimeMaxAge provides the ability to define the maximum duration between auth_time and now
func WithNonce ¶
func WithNonce(nonce func(context.Context) string) VerifierOption
WithNonce sets the function to check the nonce
func WithSupportedSigningAlgorithms ¶
func WithSupportedSigningAlgorithms(algs ...string) VerifierOption
WithSupportedSigningAlgorithms overrides the default RS256 signing algorithm