rp

package
v0.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 30, 2020 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrIssuerInvalid = func(expected, actual string) *validationError {
		return ValidationError("Issuer does not match. Expected: %s, got: %s", expected, actual)
	}
	ErrAudienceMissingClientID = func(clientID string) *validationError {
		return ValidationError("Audience is not valid. Audience must contain client_id (%s)", clientID)
	}
	ErrAzpMissing = func() *validationError {
		return ValidationError("Authorized Party is not set. If Token is valid for multiple audiences, azp must not be empty")
	}
	ErrAzpInvalid = func(azp, clientID string) *validationError {
		return ValidationError("Authorized Party is not valid. azp (%s) must be equal to client_id (%s)", azp, clientID)
	}
	ErrExpInvalid = func(exp time.Time) *validationError {
		return ValidationError("Token has expired %v", exp)
	}
	ErrIatInFuture = func(exp, now time.Time) *validationError {
		return ValidationError("IssuedAt of token is in the future (%v, now with offset: %v)", exp, now)
	}
	ErrIatToOld = func(maxAge, iat time.Time) *validationError {
		return ValidationError("IssuedAt of token must not be older than %v, but was %v (%v to old)", maxAge, iat, maxAge.Sub(iat))
	}
	ErrNonceInvalid = func(expected, actual string) *validationError {
		return ValidationError("nonce does not match. Expected: %s, got: %s", expected, actual)
	}
	ErrAcrInvalid = func(expected []string, actual string) *validationError {
		return ValidationError("acr is invalid. Expected one of: %v, got: %s", expected, actual)
	}

	ErrAuthTimeNotPresent = func() *validationError {
		return ValidationError("claim `auth_time` of token is missing")
	}
	ErrAuthTimeToOld = func(maxAge, authTime time.Time) *validationError {
		return ValidationError("Auth Time of token must not be older than %v, but was %v (%v to old)", maxAge, authTime, maxAge.Sub(authTime))
	}
	ErrSignatureInvalidPayload = func() *validationError {
		return ValidationError("Signature does not match Payload")
	}
)
View Source 
var (
	DefaultErrorHandler = func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string) {
		http.Error(w, errorType+": "+errorDesc, http.StatusInternalServerError)
	}
)

Functions

func CheckKey added in v0.1.1 

func CheckKey(keyID string, keys []jose.JSONWebKey, jws *jose.JSONWebSignature) ([]byte, error, bool)

func DelegationTokenRequest 

func DelegationTokenRequest(subjectToken string, opts ...tokenexchange.TokenExchangeOption) *tokenexchange.TokenExchangeRequest

DelegationTokenRequest is an implementation of TokenExchangeRequest it exchanges a "urn:ietf:params:oauth:token-type:access_token" with an optional "urn:ietf:params:oauth:token-type:access_token" actor token for a "urn:ietf:params:oauth:token-type:access_token" delegation token

func NewRemoteKeySet 

func NewRemoteKeySet(client *http.Client, jwksURL string) oidc.KeySet

func ValidationError 

func ValidationError(message string, args ...interface{}) *validationError

func WithACRVerifier 

func WithACRVerifier(verifier ACRVerifier) func(*verifierConfig)

WithACRVerifier sets the verifier for the acr claim

func WithAuthTimeMaxAge 

func WithAuthTimeMaxAge(maxAge time.Duration) func(*verifierConfig)

WithAuthTimeMaxAge provides the ability to define the maximum duration between auth_time and now

func WithIgnoreAudience added in v0.4.0 

func WithIgnoreAudience() func(*verifierConfig)

WithIgnoreAudience will turn off audience claim (should only be used for id_token_hints)

func WithIgnoreIssuedAt 

func WithIgnoreIssuedAt() func(*verifierConfig)

WithIgnoreIssuedAt will turn off iat claim verification

func WithIssuedAtMaxAge 

func WithIssuedAtMaxAge(maxAge time.Duration) func(*verifierConfig)

WithIssuedAtMaxAge provides the ability to define the maximum duration between iat and now

func WithIssuedAtOffset 

func WithIssuedAtOffset(offset time.Duration) func(*verifierConfig)

WithIssuedAtOffset mitigates the risk of iat to be in the future because of clock skews with the ability to add an offset to the current time

func WithNonce 

func WithNonce(nonce string) func(*verifierConfig)

WithNonce TODO: ?

func WithSupportedSigningAlgorithms 

func WithSupportedSigningAlgorithms(algs ...string) func(*verifierConfig)

WithSupportedSigningAlgorithms overwrites the default RS256 signing algorithm

Types

type ACRVerifier 

type ACRVerifier func(string) error

ACRVerifier specifies the function to be used by the `DefaultVerifier` for validating the acr claim

func DefaultACRVerifier 

func DefaultACRVerifier(possibleValues []string) ACRVerifier

DefaultACRVerifier implements `ACRVerifier` returning an error if non of the provided values matches the acr claim

type AuthURLOpt 

type AuthURLOpt func() []oauth2.AuthCodeOption

func WithCodeChallenge 

func WithCodeChallenge(codeChallenge string) AuthURLOpt

WithCodeChallenge sets the `code_challenge` params in the auth request

type CodeExchangeOpt 

type CodeExchangeOpt func() []oauth2.AuthCodeOption

func WithCodeVerifier 

func WithCodeVerifier(codeVerifier string) CodeExchangeOpt

WithCodeVerifier sets the `code_verifier` param in the token request

type ConfFunc 

type ConfFunc func(*verifierConfig)

ConfFunc is the type for providing dynamic options to the DefaultVerfifier

type Config 

type Config struct {
	ClientID     string
	ClientSecret string
	CallbackURL  string
	Issuer       string
	Scopes       []string
	Endpoints    oauth2.Endpoint
}

type DefaultRP 

type DefaultRP struct {
	// contains filtered or unexported fields
}

DefaultRP impements the `DelegationTokenExchangeRP` interface extending the `RelayingParty` interface

func (*DefaultRP) AuthURL 

func (p *DefaultRP) AuthURL(state string, opts ...AuthURLOpt) string

AuthURL is the `RelayingParty` interface implementation wrapping the oauth2 `AuthCodeURL` returning the url of the auth request

func (*DefaultRP) AuthURLHandler 

func (p *DefaultRP) AuthURLHandler(state string) http.HandlerFunc

AuthURL is the `RelayingParty` interface implementation extending the `AuthURL` method with a http redirect handler

func (*DefaultRP) Client added in v0.6.0 

func (p *DefaultRP) Client(ctx context.Context, token *oauth2.Token) *http.Client

func (*DefaultRP) ClientCredentials 

func (p *DefaultRP) ClientCredentials(ctx context.Context, scopes ...string) (newToken *oauth2.Token, err error)

ClientCredentials is the `RelayingParty` interface implementation handling the oauth2 client credentials grant

func (*DefaultRP) CodeExchange 

func (p *DefaultRP) CodeExchange(ctx context.Context, code string, opts ...CodeExchangeOpt) (tokens *oidc.Tokens, err error)

AuthURL is the `RelayingParty` interface implementation handling the oauth2 code exchange, extracting and validating the id_token returning it paresed together with the oauth2 tokens (access, refresh)

func (*DefaultRP) CodeExchangeHandler 

func (p *DefaultRP) CodeExchangeHandler(callback func(http.ResponseWriter, *http.Request, *oidc.Tokens, string)) http.HandlerFunc

AuthURL is the `RelayingParty` interface implementation extending the `CodeExchange` method with callback function

func (*DefaultRP) DelegationTokenExchange 

func (p *DefaultRP) DelegationTokenExchange(ctx context.Context, subjectToken string, reqOpts ...grants_tx.TokenExchangeOption) (newToken *oauth2.Token, err error)

DelegationTokenExchange is the `TokenExchangeRP` interface implementation handling the oauth2 token exchange for a delegation token (draft)

func (*DefaultRP) TokenExchange 

func (p *DefaultRP) TokenExchange(ctx context.Context, request *grants_tx.TokenExchangeRequest) (newToken *oauth2.Token, err error)

TokenExchange is the `TokenExchangeRP` interface implementation handling the oauth2 token exchange (draft)

func (*DefaultRP) Userinfo 

func (p *DefaultRP) Userinfo()

type DefaultRPOpts 

type DefaultRPOpts func(p *DefaultRP)

DefaultRPOpts is the type for providing dynamic options to the DefaultRP

func WithCookieHandler 

func WithCookieHandler(cookieHandler *utils.CookieHandler) DefaultRPOpts

WithCookieHandler set a `CookieHandler` for securing the various redirects

func WithHTTPClient 

func WithHTTPClient(client *http.Client) DefaultRPOpts

WithHTTPClient provides the ability to set an http client to be used for the relaying party and verifier

func WithPKCE 

func WithPKCE(cookieHandler *utils.CookieHandler) DefaultRPOpts

WithPKCE sets the RP to use PKCE (oauth2 code challenge) it also sets a `CookieHandler` for securing the various redirects and exchanging the code challenge

type DefaultVerifier 

type DefaultVerifier struct {
	// contains filtered or unexported fields
}

DefaultVerifier implements the `Verifier` interface

func (*DefaultVerifier) Verify 

func (v *DefaultVerifier) Verify(ctx context.Context, accessToken, idTokenString string) (*oidc.IDTokenClaims, error)

Verify implements the `Verify` method of the `Verifier` interface according to https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation and https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation

func (*DefaultVerifier) VerifyIDToken 

func (v *DefaultVerifier) VerifyIDToken(ctx context.Context, idTokenString string) (*oidc.IDTokenClaims, error)

VerifyIDToken: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

type DelegationTokenExchangeRP 

type DelegationTokenExchangeRP interface {
	TokenExchangeRP

	//DelegationTokenExchange implement the `Token Exchange Grant`
	//providing an access token in request for a `delegation` token for a given resource / audience
	DelegationTokenExchange(context.Context, string, ...tokenexchange.TokenExchangeOption) (*oauth2.Token, error)
}

DelegationTokenExchangeRP extends the `TokenExchangeRP` interface for the specific `delegation token` request

func NewDefaultRP 

func NewDefaultRP(rpConfig *Config, rpOpts ...DefaultRPOpts) (DelegationTokenExchangeRP, error)

NewDefaultRP creates `DefaultRP` with the given Config and possible configOptions it will run discovery on the provided issuer if no verifier is provided using the options the `DefaultVerifier` is set

type Endpoints 

type Endpoints struct {
	oauth2.Endpoint
	IntrospectURL string
	UserinfoURL   string
	JKWsURL       string
}

func GetEndpoints 

func GetEndpoints(discoveryConfig *oidc.DiscoveryConfiguration) Endpoints

type OptionFunc 

type OptionFunc func(RelayingParty)

type PasswortGrantRP 

type PasswortGrantRP interface {
	RelayingParty

	//PasswordGrant implements the oauth2 `Password Grant`,
	//requesting an access token with the users `username` and `password`
	PasswordGrant(context.Context, string, string) (*oauth2.Token, error)
}

PasswortGrantRP extends the `RelayingParty` interface with the oauth2 `Password Grant`

This interface is separated from the standard `RelayingParty` interface as the `password grant` is part of the oauth2 and therefore OIDC specification, but should only be used when there's no other possibility, so IMHO never ever. Ever.

type RelayingParty 

type RelayingParty interface {
	//Client return a standard http client where the token can be used
	Client(ctx context.Context, token *oauth2.Token) *http.Client

	//AuthURL returns the authorization endpoint with a given state
	AuthURL(state string, opts ...AuthURLOpt) string

	//AuthURLHandler should implement the AuthURL func as http.HandlerFunc
	//(redirecting to the auth endpoint)
	AuthURLHandler(state string) http.HandlerFunc

	//CodeExchange implements the OIDC Token Request (oauth2 Authorization Code Grant)
	//returning an `Access Token` and `ID Token Claims`
	CodeExchange(ctx context.Context, code string, opts ...CodeExchangeOpt) (*oidc.Tokens, error)

	//CodeExchangeHandler extends the CodeExchange func,
	//calling the provided callback func on success with additional returned `state`
	CodeExchangeHandler(callback func(http.ResponseWriter, *http.Request, *oidc.Tokens, string)) http.HandlerFunc

	//ClientCredentials implements the oauth2 Client Credentials Grant
	//requesting an `Access Token` for the client itself, without user context
	ClientCredentials(ctx context.Context, scopes ...string) (*oauth2.Token, error)

	//Userinfo implements the OIDC Userinfo call
	//returning the info of the user for the requested scopes of an access token
	Userinfo()
}

RelayingParty declares the minimal interface for oidc clients

type TokenExchangeRP 

type TokenExchangeRP interface {
	RelayingParty

	//TokenExchange implement the `Token Echange Grant` exchanging some token for an other
	TokenExchange(context.Context, *tokenexchange.TokenExchangeRequest) (*oauth2.Token, error)
}

TokenExchangeRP extends the `RelayingParty` interface for the *draft* oauth2 `Token Exchange`

type Verifier 

type Verifier interface {

	//Verify checks the access_token and id_token and returns the `id token claims`
	Verify(ctx context.Context, accessToken, idTokenString string) (*oidc.IDTokenClaims, error)
}

Verifier implement the Token Response Validation as defined in OIDC specification https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation

func NewDefaultVerifier 

func NewDefaultVerifier(issuer, clientID string, keySet oidc.KeySet, confOpts ...ConfFunc) Verifier

NewDefaultVerifier creates `DefaultVerifier` with the given issuer, clientID, keyset and possible configOptions

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.