Documentation ¶
Index ¶
- func AuthURL(state string, rp RelyingParty, opts ...AuthURLOpt) string
- func AuthURLHandler(stateFn func() string, rp RelyingParty) http.HandlerFunc
- func CodeExchange(ctx context.Context, code string, rp RelyingParty, opts ...CodeExchangeOpt) (tokens *oidc.Tokens, err error)
- func CodeExchangeHandler(callback func(http.ResponseWriter, *http.Request, *oidc.Tokens, string), ...) http.HandlerFunc
- func DelegationTokenRequest(subjectToken string, opts ...tokenexchange.TokenExchangeOption) *tokenexchange.TokenExchangeRequest
- func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (string, error)
- func NewRemoteKeySet(client *http.Client, jwksURL string) oidc.KeySet
- func Userinfo(token string, rp RelyingParty) (oidc.UserInfo, error)
- func VerifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAlgorithm) error
- func VerifyIDToken(ctx context.Context, token string, v IDTokenVerifier) (oidc.IDTokenClaims, error)
- func VerifyTokens(ctx context.Context, accessToken, idTokenString string, v IDTokenVerifier) (oidc.IDTokenClaims, error)
- func WithIssuedAtMaxAge(maxAge time.Duration) func(*idTokenVerifier)
- func WithIssuedAtOffset(offset time.Duration) func(*idTokenVerifier)
- type AuthURLOpt
- type CodeExchangeOpt
- type DelegationTokenExchangeRP
- type Endpoints
- type ErrorHandler
- type IDTokenVerifier
- type Option
- func WithClientKey(path string) Option
- func WithCookieHandler(cookieHandler *utils.CookieHandler) Option
- func WithErrorHandler(errorHandler ErrorHandler) Option
- func WithHTTPClient(client *http.Client) Option
- func WithPKCE(cookieHandler *utils.CookieHandler) Option
- func WithVerifierOpts(opts ...VerifierOption) Option
- type OptionFunc
- type RelyingParty
- type TokenExchangeRP
- type VerifierOption
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AuthURL ¶
func AuthURL(state string, rp RelyingParty, opts ...AuthURLOpt) string
AuthURL returns the auth request url (wrapping the oauth2 `AuthCodeURL`)
func AuthURLHandler ¶
func AuthURLHandler(stateFn func() string, rp RelyingParty) http.HandlerFunc
AuthURLHandler extends the `AuthURL` method with a http redirect handler including handling setting cookie for secure `state` transfer
func CodeExchange ¶
func CodeExchange(ctx context.Context, code string, rp RelyingParty, opts ...CodeExchangeOpt) (tokens *oidc.Tokens, err error)
CodeExchange handles the oauth2 code exchange, extracting and validating the id_token returning it parsed together with the oauth2 tokens (access, refresh)
func CodeExchangeHandler ¶
func CodeExchangeHandler(callback func(http.ResponseWriter, *http.Request, *oidc.Tokens, string), rp RelyingParty) http.HandlerFunc
CodeExchangeHandler extends the `CodeExchange` method with a http handler including cookie handling for secure `state` transfer and optional PKCE code verifier checking
func DelegationTokenRequest ¶
func DelegationTokenRequest(subjectToken string, opts ...tokenexchange.TokenExchangeOption) *tokenexchange.TokenExchangeRequest
DelegationTokenRequest is an implementation of TokenExchangeRequest it exchanges a "urn:ietf:params:oauth:token-type:access_token" with an optional "urn:ietf:params:oauth:token-type:access_token" actor token for a "urn:ietf:params:oauth:token-type:access_token" delegation token
func GenerateAndStoreCodeChallenge ¶
func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (string, error)
GenerateAndStoreCodeChallenge generates a PKCE code challenge and stores its verifier into a secure cookie
func Userinfo ¶
func Userinfo(token string, rp RelyingParty) (oidc.UserInfo, error)
Userinfo will call the OIDC Userinfo Endpoint with the provided token
func VerifyAccessToken ¶
VerifyAccessToken validates the access token according to https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation
func VerifyIDToken ¶
func VerifyIDToken(ctx context.Context, token string, v IDTokenVerifier) (oidc.IDTokenClaims, error)
VerifyIDToken validates the id token according to https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
func VerifyTokens ¶
func VerifyTokens(ctx context.Context, accessToken, idTokenString string, v IDTokenVerifier) (oidc.IDTokenClaims, error)
VerifyTokens implement the Token Response Validation as defined in OIDC specification https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation
func WithIssuedAtMaxAge ¶
WithIssuedAtMaxAge provides the ability to define the maximum duration between iat and now
func WithIssuedAtOffset ¶
WithIssuedAtOffset mitigates the risk of iat to be in the future because of clock skews with the ability to add an offset to the current time
Types ¶
type AuthURLOpt ¶
type AuthURLOpt func() []oauth2.AuthCodeOption
func WithCodeChallenge ¶
func WithCodeChallenge(codeChallenge string) AuthURLOpt
WithCodeChallenge sets the `code_challenge` params in the auth request
func WithPrompt ¶
func WithPrompt(prompt oidc.Prompt) AuthURLOpt
WithPrompt sets the `prompt` params in the auth request
type CodeExchangeOpt ¶
type CodeExchangeOpt func() []oauth2.AuthCodeOption
func WithClientAssertionJWT ¶
func WithClientAssertionJWT(clientAssertion string) CodeExchangeOpt
WithClientAssertionJWT sets the `client_assertion` param in the token request
func WithCodeVerifier ¶
func WithCodeVerifier(codeVerifier string) CodeExchangeOpt
WithCodeVerifier sets the `code_verifier` param in the token request
type DelegationTokenExchangeRP ¶
type DelegationTokenExchangeRP interface { TokenExchangeRP //DelegationTokenExchange implement the `Token Exchange Grant` //providing an access token in request for a `delegation` token for a given resource / audience DelegationTokenExchange(context.Context, string, ...tokenexchange.TokenExchangeOption) (*oauth2.Token, error) }
DelegationTokenExchangeRP extends the `TokenExchangeRP` interface for the specific `delegation token` request
type Endpoints ¶
func Discover ¶
Discover calls the discovery endpoint of the provided issuer and returns the found endpoints
deprecated: use client.Discover
func GetEndpoints ¶
func GetEndpoints(discoveryConfig *oidc.DiscoveryConfiguration) Endpoints
type ErrorHandler ¶
type ErrorHandler func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string)
var ( DefaultErrorHandler ErrorHandler = func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string) { http.Error(w, errorType+": "+errorDesc, http.StatusInternalServerError) } )
type IDTokenVerifier ¶
type IDTokenVerifier interface { oidc.Verifier ClientID() string SupportedSignAlgs() []string KeySet() oidc.KeySet Nonce(context.Context) string ACR() oidc.ACRVerifier MaxAge() time.Duration }
func NewIDTokenVerifier ¶
func NewIDTokenVerifier(issuer, clientID string, keySet oidc.KeySet, options ...VerifierOption) IDTokenVerifier
NewIDTokenVerifier returns an implementation of `IDTokenVerifier` for `VerifyTokens` and `VerifyIDToken`
type Option ¶
type Option func(*relyingParty) error
DefaultRPOpts is the type for providing dynamic options to the DefaultRP
func WithClientKey ¶
func WithCookieHandler ¶
func WithCookieHandler(cookieHandler *utils.CookieHandler) Option
WithCookieHandler set a `CookieHandler` for securing the various redirects
func WithErrorHandler ¶
func WithErrorHandler(errorHandler ErrorHandler) Option
func WithHTTPClient ¶
WithHTTPClient provides the ability to set an http client to be used for the relaying party and verifier
func WithPKCE ¶
func WithPKCE(cookieHandler *utils.CookieHandler) Option
WithPKCE sets the RP to use PKCE (oauth2 code challenge) it also sets a `CookieHandler` for securing the various redirects and exchanging the code challenge
func WithVerifierOpts ¶
func WithVerifierOpts(opts ...VerifierOption) Option
type OptionFunc ¶
type OptionFunc func(RelyingParty)
type RelyingParty ¶
type RelyingParty interface { //OAuthConfig returns the oauth2 Config OAuthConfig() *oauth2.Config //Issuer returns the issuer of the oidc config Issuer() string //IsPKCE returns if authorization is done using `Authorization Code Flow with Proof Key for Code Exchange (PKCE)` IsPKCE() bool //CookieHandler returns a http cookie handler used for various state transfer cookies CookieHandler() *utils.CookieHandler //HttpClient returns a http client used for calls to the openid provider, e.g. calling token endpoint HttpClient() *http.Client //IsOAuth2Only specifies whether relaying party handles only oauth2 or oidc calls IsOAuth2Only() bool //Signer is used if the relaying party uses the JWT Profile Signer() jose.Signer //UserinfoEndpoint returns the userinfo UserinfoEndpoint() string //IDTokenVerifier returns the verifier interface used for oidc id_token verification IDTokenVerifier() IDTokenVerifier ErrorHandler() func(http.ResponseWriter, *http.Request, string, string, string) }
RelyingParty declares the minimal interface for oidc clients
func NewRelyingPartyOAuth ¶
func NewRelyingPartyOAuth(config *oauth2.Config, options ...Option) (RelyingParty, error)
NewRelyingPartyOAuth creates an (OAuth2) RelyingParty with the given OAuth2 Config and possible configOptions it will use the AuthURL and TokenURL set in config
func NewRelyingPartyOIDC ¶
func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, scopes []string, options ...Option) (RelyingParty, error)
NewRelyingPartyOIDC creates an (OIDC) RelyingParty with the given issuer, clientID, clientSecret, redirectURI, scopes and possible configOptions it will run discovery on the provided issuer and use the found endpoints
type TokenExchangeRP ¶
type TokenExchangeRP interface { RelyingParty //TokenExchange implement the `Token Exchange Grant` exchanging some token for an other TokenExchange(context.Context, *tokenexchange.TokenExchangeRequest) (*oauth2.Token, error) }
TokenExchangeRP extends the `RelyingParty` interface for the *draft* oauth2 `Token Exchange`
type VerifierOption ¶
type VerifierOption func(*idTokenVerifier)
VerifierOption is the type for providing dynamic options to the IDTokenVerifier
func WithACRVerifier ¶
func WithACRVerifier(verifier oidc.ACRVerifier) VerifierOption
WithACRVerifier sets the verifier for the acr claim
func WithAuthTimeMaxAge ¶
func WithAuthTimeMaxAge(maxAge time.Duration) VerifierOption
WithAuthTimeMaxAge provides the ability to define the maximum duration between auth_time and now
func WithNonce ¶
func WithNonce(nonce func(context.Context) string) VerifierOption
WithNonce sets the function to check the nonce
func WithSupportedSigningAlgorithms ¶
func WithSupportedSigningAlgorithms(algs ...string) VerifierOption
WithSupportedSigningAlgorithms overwrites the default RS256 signing algorithm