The highest tagged major version is
Documentation
¶
Index ¶
- Constants
- Variables
- func AppendClientIDToAudience(clientID string, audience []string) []string
- func CheckAudience(claims Claims, clientID string) error
- func CheckAuthTime(claims Claims, maxAge time.Duration) error
- func CheckAuthorizationContextClassReference(claims Claims, acr ACRVerifier) error
- func CheckAuthorizedParty(claims Claims, clientID string) error
- func CheckExpiration(claims Claims, offset time.Duration) error
- func CheckIssuedAt(claims Claims, maxAgeIAT, offset time.Duration) error
- func CheckIssuer(claims Claims, issuer string) error
- func CheckKey(keyID string, jws *jose.JSONWebSignature, keys ...jose.JSONWebKey) ([]byte, error, bool)
- func CheckNonce(claims Claims, nonce string) error
- func CheckSignature(ctx context.Context, token string, payload []byte, claims Claims, ...) error
- func ClaimHash(claim string, sigAlgorithm jose.SignatureAlgorithm) (string, error)
- func DecryptToken(tokenString string) (string, error)
- func NewSHACodeChallenge(code string) string
- func ParseToken(tokenString string, claims interface{}) ([]byte, error)
- func VerifyCodeChallenge(c *CodeChallenge, codeVerifier string) bool
- type ACRVerifier
- type AccessTokenClaims
- type AccessTokenRequest
- type AccessTokenResponse
- type Audience
- type AuthRequest
- type Claims
- type CodeChallenge
- type CodeChallengeMethod
- type DiscoveryConfiguration
- type Display
- type EndSessionRequest
- type Gender
- type GrantType
- type IDTokenClaims
- type JWTProfileAssertion
- func NewJWTProfileAssertion(userID, keyID string, audience []string, key []byte) *JWTProfileAssertion
- func NewJWTProfileAssertionFromFileData(data []byte, audience []string) (*JWTProfileAssertion, error)
- func NewJWTProfileAssertionFromKeyJSON(filename string, audience []string) (*JWTProfileAssertion, error)
- type JWTTokenRequest
- func (j *JWTTokenRequest) GetAudience() []string
- func (j *JWTTokenRequest) GetAuthTime() time.Time
- func (j *JWTTokenRequest) GetAuthenticationContextClassReference() string
- func (j *JWTTokenRequest) GetAuthorizedParty() string
- func (j *JWTTokenRequest) GetExpiration() time.Time
- func (j *JWTTokenRequest) GetIssuedAt() time.Time
- func (j *JWTTokenRequest) GetIssuer() string
- func (j *JWTTokenRequest) GetNonce() string
- func (j *JWTTokenRequest) GetScopes() []string
- func (j *JWTTokenRequest) GetSubject() string
- func (j *JWTTokenRequest) SetSignatureAlgorithm(_ jose.SignatureAlgorithm)
- type KeySet
- type Locales
- type Prompt
- type ResponseType
- type Scopes
- type Time
- type TokenExchangeRequest
- type TokenRequest
- type TokenRequestType
- type Tokens
- type UserInfo
- type UserInfoAddress
- type UserInfoEmail
- type UserInfoPhone
- type UserInfoProfile
- type UserInfoProfileSetter
- type UserInfoRequest
- type UserInfoSetter
- type Verifier
Constants ¶
View Source
const ( //ScopeOpenID defines the scope `openid` //OpenID Connect requests MUST contain the `openid` scope value ScopeOpenID = "openid" //ScopeProfile defines the scope `profile` //This (optional) scope value requests access to the End-User's default profile Claims, //which are: name, family_name, given_name, middle_name, nickname, preferred_username, //profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. ScopeProfile = "profile" //ScopeEmail defines the scope `email` //This (optional) scope value requests access to the email and email_verified Claims. ScopeEmail = "email" //ScopeAddress defines the scope `address` //This (optional) scope value requests access to the address Claim. ScopeAddress = "address" //ScopePhone defines the scope `phone` //This (optional) scope value requests access to the phone_number and phone_number_verified Claims. ScopePhone = "phone" //ScopeOfflineAccess defines the scope `offline_access` //This (optional) scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token //that grants access to the End-User's UserInfo Endpoint even when the End-User is not present (not logged in). ScopeOfflineAccess = "offline_access" //ResponseTypeCode for the Authorization Code Flow returning a code from the Authorization Server ResponseTypeCode ResponseType = "code" //ResponseTypeIDToken for the Implicit Flow returning id and access tokens directly from the Authorization Server ResponseTypeIDToken ResponseType = "id_token token" //ResponseTypeIDTokenOnly for the Implicit Flow returning only id token directly from the Authorization Server ResponseTypeIDTokenOnly ResponseType = "id_token" DisplayPage Display = "page" DisplayPopup Display = "popup" DisplayTouch Display = "touch" DisplayWAP Display = "wap" //PromptNone (`none`) disallows the Authorization Server to display any authentication or consent user interface pages. //An error (login_required, interaction_required, ...) will be returned if the user is not already authenticated or consent is needed PromptNone Prompt = "none" //PromptLogin (`login`) directs the Authorization Server to prompt the End-User for reauthentication. PromptLogin Prompt = "login" //PromptConsent (`consent`) directs the Authorization Server to prompt the End-User for consent (of sharing information). PromptConsent Prompt = "consent" //PromptSelectAccount (`select_account `) directs the Authorization Server to prompt the End-User to select a user account (to enable multi user / session switching) PromptSelectAccount Prompt = "select_account" )
View Source
const (
//BearerToken defines the token_type `Bearer`, which is returned in a successful token response
BearerToken = "Bearer"
)
View Source
const (
DiscoveryEndpoint = "/.well-known/openid-configuration"
)
Variables ¶
View Source
var ( ErrParse = errors.New("parsing of request failed") ErrIssuerInvalid = errors.New("issuer does not match") ErrAudience = errors.New("audience is not valid") ErrAzpMissing = errors.New("authorized party is not set. If Token is valid for multiple audiences, azp must not be empty") ErrAzpInvalid = errors.New("authorized party is not valid") ErrSignatureMissing = errors.New("id_token does not contain a signature") ErrSignatureMultiple = errors.New("id_token contains multiple signatures") ErrSignatureUnsupportedAlg = errors.New("signature algorithm not supported") ErrSignatureInvalidPayload = errors.New("signature does not match Payload") ErrExpired = errors.New("token has expired") ErrIatInFuture = errors.New("issuedAt of token is in the future") ErrIatToOld = errors.New("issuedAt of token is to old") ErrNonceInvalid = errors.New("nonce does not match") ErrAcrInvalid = errors.New("acr is invalid") ErrAuthTimeNotPresent = errors.New("claim `auth_time` of token is missing") ErrAuthTimeToOld = errors.New("auth time of token is to old") ErrAtHash = errors.New("at_hash does not correspond to access token") )
Functions ¶
func AppendClientIDToAudience ¶ added in v0.12.5
func CheckAudience ¶ added in v0.9.0
func CheckAuthorizationContextClassReference ¶ added in v0.9.0
func CheckAuthorizationContextClassReference(claims Claims, acr ACRVerifier) error
func CheckAuthorizedParty ¶ added in v0.9.0
func CheckExpiration ¶ added in v0.9.0
func CheckIssuedAt ¶ added in v0.9.0
func CheckIssuer ¶ added in v0.9.0
func CheckKey ¶ added in v0.9.0
func CheckKey(keyID string, jws *jose.JSONWebSignature, keys ...jose.JSONWebKey) ([]byte, error, bool)
CheckKey searches the given JSON Web Keys for the requested key ID and verifies the JSON Web Signature with the found key
will return false but no error if key ID is not found
func CheckNonce ¶ added in v0.9.0
func CheckSignature ¶ added in v0.9.0
func DecryptToken ¶ added in v0.9.0
func NewSHACodeChallenge ¶
func ParseToken ¶ added in v0.9.0
func VerifyCodeChallenge ¶
func VerifyCodeChallenge(c *CodeChallenge, codeVerifier string) bool
Types ¶
type ACRVerifier ¶ added in v0.9.0
ACRVerifier specifies the function to be used by the `DefaultVerifier` for validating the acr claim
func DefaultACRVerifier ¶ added in v0.9.0
func DefaultACRVerifier(possibleValues []string) ACRVerifier
DefaultACRVerifier implements `ACRVerifier` returning an error if non of the provided values matches the acr claim
type AccessTokenClaims ¶
type AccessTokenClaims interface {
Claims
GetSubject() string
GetTokenID() string
SetPrivateClaims(map[string]interface{})
}
func EmptyAccessTokenClaims ¶ added in v0.12.0
func EmptyAccessTokenClaims() AccessTokenClaims
func NewAccessTokenClaims ¶ added in v0.12.0
type AccessTokenRequest ¶
type AccessTokenRequest struct {
Code string `schema:"code"`
RedirectURI string `schema:"redirect_uri"`
ClientID string `schema:"client_id"`
ClientSecret string `schema:"client_secret"`
CodeVerifier string `schema:"code_verifier"`
}
func (*AccessTokenRequest) GrantType ¶
func (a *AccessTokenRequest) GrantType() GrantType
type AccessTokenResponse ¶
type AccessTokenResponse struct {
AccessToken string `json:"access_token,omitempty" schema:"access_token,omitempty"`
TokenType string `json:"token_type,omitempty" schema:"token_type,omitempty"`
RefreshToken string `json:"refresh_token,omitempty" schema:"refresh_token,omitempty"`
ExpiresIn uint64 `json:"expires_in,omitempty" schema:"expires_in,omitempty"`
IDToken string `json:"id_token,omitempty" schema:"id_token,omitempty"`
}
type Audience ¶ added in v0.12.0
type Audience []string
func (*Audience) UnmarshalJSON ¶ added in v0.12.0
type AuthRequest ¶
type AuthRequest struct {
ID string
Scopes Scopes `schema:"scope"`
ResponseType ResponseType `schema:"response_type"`
ClientID string `schema:"client_id"`
RedirectURI string `schema:"redirect_uri"` //TODO: type
State string `schema:"state"`
Nonce string `schema:"nonce"`
Display Display `schema:"display"`
Prompt Prompt `schema:"prompt"`
MaxAge uint32 `schema:"max_age"`
UILocales Locales `schema:"ui_locales"`
IDTokenHint string `schema:"id_token_hint"`
LoginHint string `schema:"login_hint"`
ACRValues []string `schema:"acr_values"`
CodeChallenge string `schema:"code_challenge"`
CodeChallengeMethod CodeChallengeMethod `schema:"code_challenge_method"`
}
AuthRequest according to: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
func (*AuthRequest) GetRedirectURI ¶
func (a *AuthRequest) GetRedirectURI() string
GetRedirectURI returns the redirect_uri value for the ErrAuthRequest interface
func (*AuthRequest) GetResponseType ¶
func (a *AuthRequest) GetResponseType() ResponseType
GetResponseType returns the response_type value for the ErrAuthRequest interface
func (*AuthRequest) GetState ¶
func (a *AuthRequest) GetState() string
GetState returns the optional state value for the ErrAuthRequest interface
type CodeChallenge ¶
type CodeChallenge struct {
Challenge string
Method CodeChallengeMethod
}
type CodeChallengeMethod ¶
type CodeChallengeMethod string
const ( CodeChallengeMethodPlain CodeChallengeMethod = "plain" CodeChallengeMethodS256 CodeChallengeMethod = "S256" )
type DiscoveryConfiguration ¶
type DiscoveryConfiguration struct {
Issuer string `json:"issuer,omitempty"`
AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`
TokenEndpoint string `json:"token_endpoint,omitempty"`
IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"`
EndSessionEndpoint string `json:"end_session_endpoint,omitempty"`
CheckSessionIframe string `json:"check_session_iframe,omitempty"`
JwksURI string `json:"jwks_uri,omitempty"`
ScopesSupported []string `json:"scopes_supported,omitempty"`
ResponseTypesSupported []string `json:"response_types_supported,omitempty"`
ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
GrantTypesSupported []string `json:"grant_types_supported,omitempty"`
SubjectTypesSupported []string `json:"subject_types_supported,omitempty"`
IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
ClaimsSupported []string `json:"claims_supported,omitempty"`
}
type EndSessionRequest ¶ added in v0.4.0
type EndSessionRequest struct {
IdTokenHint string `schema:"id_token_hint"`
PostLogoutRedirectURI string `schema:"post_logout_redirect_uri"`
State string `schema:"state"`
}
EndSessionRequest for the RP-Initiated Logout according to: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
type GrantType ¶
type GrantType string
const ( //GrantTypeCode defines the grant_type `authorization_code` used for the Token Request in the Authorization Code Flow GrantTypeCode GrantType = "authorization_code" //GrantTypeBearer defines the grant_type `urn:ietf:params:oauth:grant-type:jwt-bearer` used for the JWT Authorization Grant GrantTypeBearer GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer" //GrantTypeTokenExchange defines the grant_type `urn:ietf:params:oauth:grant-type:token-exchange` used for the OAuth Token Exchange Grant GrantTypeTokenExchange GrantType = "urn:ietf:params:oauth:grant-type:token-exchange" )
type IDTokenClaims ¶
type IDTokenClaims interface {
Claims
GetNotBefore() time.Time
GetJWTID() string
GetAccessTokenHash() string
GetCodeHash() string
GetAuthenticationMethodsReferences() []string
GetClientID() string
GetSignatureAlgorithm() jose.SignatureAlgorithm
SetAccessTokenHash(hash string)
SetUserinfo(userinfo UserInfo)
SetCodeHash(hash string)
UserInfo
}
func EmptyIDTokenClaims ¶ added in v0.12.0
func EmptyIDTokenClaims() IDTokenClaims
type JWTProfileAssertion ¶ added in v0.9.0
type JWTProfileAssertion struct {
PrivateKeyID string `json:"-"`
PrivateKey []byte `json:"-"`
Issuer string `json:"issuer"`
Subject string `json:"sub"`
Audience Audience `json:"aud"`
Expiration Time `json:"exp"`
IssuedAt Time `json:"iat"`
}
func NewJWTProfileAssertion ¶ added in v0.9.0
func NewJWTProfileAssertion(userID, keyID string, audience []string, key []byte) *JWTProfileAssertion
func NewJWTProfileAssertionFromFileData ¶ added in v0.12.0
func NewJWTProfileAssertionFromFileData(data []byte, audience []string) (*JWTProfileAssertion, error)
func NewJWTProfileAssertionFromKeyJSON ¶ added in v0.9.0
func NewJWTProfileAssertionFromKeyJSON(filename string, audience []string) (*JWTProfileAssertion, error)
type JWTTokenRequest ¶ added in v0.9.0
type JWTTokenRequest struct {
Issuer string `json:"iss"`
Subject string `json:"sub"`
Scopes Scopes `json:"-"`
Audience Audience `json:"aud"`
IssuedAt Time `json:"iat"`
ExpiresAt Time `json:"exp"`
}
func (*JWTTokenRequest) GetAudience ¶ added in v0.9.0
func (j *JWTTokenRequest) GetAudience() []string
GetAudience implements the Claims and TokenRequest interfaces
func (*JWTTokenRequest) GetAuthTime ¶ added in v0.9.0
func (j *JWTTokenRequest) GetAuthTime() time.Time
GetAuthTime implements the Claims interface
func (*JWTTokenRequest) GetAuthenticationContextClassReference ¶ added in v0.9.0
func (j *JWTTokenRequest) GetAuthenticationContextClassReference() string
GetAuthenticationContextClassReference implements the Claims interface
func (*JWTTokenRequest) GetAuthorizedParty ¶ added in v0.9.0
func (j *JWTTokenRequest) GetAuthorizedParty() string
GetAuthorizedParty implements the Claims interface
func (*JWTTokenRequest) GetExpiration ¶ added in v0.9.0
func (j *JWTTokenRequest) GetExpiration() time.Time
GetExpiration implements the Claims interface
func (*JWTTokenRequest) GetIssuedAt ¶ added in v0.9.0
func (j *JWTTokenRequest) GetIssuedAt() time.Time
GetIssuedAt implements the Claims interface
func (*JWTTokenRequest) GetIssuer ¶ added in v0.9.0
func (j *JWTTokenRequest) GetIssuer() string
GetIssuer implements the Claims interface
func (*JWTTokenRequest) GetNonce ¶ added in v0.9.0
func (j *JWTTokenRequest) GetNonce() string
GetNonce implements the Claims interface
func (*JWTTokenRequest) GetScopes ¶ added in v0.9.0
func (j *JWTTokenRequest) GetScopes() []string
GetSubject implements the TokenRequest interface
func (*JWTTokenRequest) GetSubject ¶ added in v0.9.0
func (j *JWTTokenRequest) GetSubject() string
GetSubject implements the TokenRequest interface
func (*JWTTokenRequest) SetSignatureAlgorithm ¶ added in v0.12.0
func (j *JWTTokenRequest) SetSignatureAlgorithm(_ jose.SignatureAlgorithm)
SetSignatureAlgorithm implements the Claims interface
type KeySet ¶
type KeySet interface {
//VerifySignature verifies the signature with the given keyset and returns the raw payload
VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error)
}
KeySet represents a set of JSON Web Keys - remotely fetch via discovery and jwks_uri -> `remoteKeySet` - held by the OP itself in storage -> `openIDKeySet` - dynamically aggregated by request for OAuth JWT Profile Assertion -> `jwtProfileKeySet`
type Locales ¶
func (*Locales) UnmarshalText ¶
type ResponseType ¶
type ResponseType string
type Scopes ¶
type Scopes []string
func (*Scopes) MarshalText ¶ added in v0.12.0
func (*Scopes) UnmarshalText ¶
type Time ¶ added in v0.9.0
func (*Time) MarshalJSON ¶ added in v0.12.0
func (*Time) UnmarshalJSON ¶ added in v0.9.0
type TokenExchangeRequest ¶
type TokenExchangeRequest struct {
Scope Scopes `schema:"scope"`
// contains filtered or unexported fields
}
type TokenRequest ¶
type TokenRequest interface {
// GrantType GrantType `schema:"grant_type"`
GrantType() GrantType
}
type TokenRequestType ¶
type TokenRequestType GrantType
type UserInfo ¶ added in v0.12.0
type UserInfo interface {
GetSubject() string
UserInfoProfile
UserInfoEmail
UserInfoPhone
GetAddress() UserInfoAddress
GetClaim(key string) interface{}
}
type UserInfoAddress ¶ added in v0.12.0
type UserInfoAddress interface {
GetFormatted() string
GetStreetAddress() string
GetLocality() string
GetRegion() string
GetPostalCode() string
GetCountry() string
}
func NewUserInfoAddress ¶ added in v0.12.0
func NewUserInfoAddress(streetAddress, locality, region, postalCode, country, formatted string) UserInfoAddress
type UserInfoEmail ¶ added in v0.12.0
type UserInfoPhone ¶ added in v0.12.0
type UserInfoProfile ¶ added in v0.12.0
type UserInfoProfile interface {
GetName() string
GetGivenName() string
GetFamilyName() string
GetMiddleName() string
GetNickname() string
GetProfile() string
GetPicture() string
GetWebsite() string
GetGender() Gender
GetBirthdate() string
GetZoneinfo() string
GetLocale() language.Tag
GetPreferredUsername() string
}
type UserInfoProfileSetter ¶ added in v0.12.0
type UserInfoProfileSetter interface {
SetName(name string)
SetGivenName(name string)
SetFamilyName(name string)
SetMiddleName(name string)
SetNickname(name string)
SetUpdatedAt(date time.Time)
SetProfile(profile string)
SetPicture(profile string)
SetWebsite(website string)
SetGender(gender Gender)
SetBirthdate(birthdate string)
SetZoneinfo(zoneInfo string)
SetLocale(locale language.Tag)
SetPreferredUsername(name string)
}
type UserInfoRequest ¶ added in v0.4.2
type UserInfoRequest struct {
AccessToken string `schema:"access_token"`
}
type UserInfoSetter ¶ added in v0.12.0
type UserInfoSetter interface {
UserInfo
SetSubject(sub string)
UserInfoProfileSetter
SetEmail(email string, verified bool)
SetPhone(phone string, verified bool)
SetAddress(address UserInfoAddress)
AppendClaims(key string, values interface{})
}
func NewUserInfo ¶ added in v0.12.0
func NewUserInfo() UserInfoSetter
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.