openid

package

Documentation


Constants

// Values for the OpenID Connect "prompt" authorization request parameter
// (OIDC Core 1.0 §3.1.2.1).
const (
	PromptNone  = `none`  // the OP must not display any authentication or consent UI
	PromptLogin = `login` // the OP should prompt the End-User for (re)authentication
)
// Values for the OpenID Connect "display" authorization request parameter
// (OIDC Core 1.0 §3.1.2.1).
const (
	DisplayPage = `page`
	// PromptTouch is the "touch" display value.
	// NOTE(review): "touch" is a display value, not a prompt value — this
	// package itself advertises "page" and "touch" under
	// display_values_supported in OPMetadataOptionalSpecs — so the name is
	// misleading. It is exported, so renaming it would break importers.
	PromptTouch = `touch`
)
// Member names of the OpenID Provider Metadata document returned from the
// discovery endpoint (WellKnownEndpointOPConfig). The string values are the
// spec-defined JSON keys; see
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
const (
	OPMetadataIssuer                = "issuer"
	OPMetadataAuthEndpoint          = "authorization_endpoint"
	OPMetadataTokenEndpoint         = "token_endpoint"
	OPMetadataUserInfoEndpoint      = "userinfo_endpoint"
	OPMetadataJwkSetURI             = "jwks_uri"
	OPMetadataRegEndpoint           = "registration_endpoint"
	OPMetadataScopes                = "scopes_supported"
	OPMetadataResponseTypes         = "response_types_supported"
	OPMetadataResponseModes         = "response_modes_supported"
	OPMetadataGrantTypes            = "grant_types_supported"
	OPMetadataACRValues             = "acr_values_supported"
	OPMetadataSubjectTypes          = "subject_types_supported"
	OPMetadataIdTokenJwsAlg         = "id_token_signing_alg_values_supported"
	OPMetadataIdTokenJweAlg         = "id_token_encryption_alg_values_supported"
	OPMetadataIdTokenJweEnc         = "id_token_encryption_enc_values_supported"
	OPMetadataUserInfoJwsAlg        = "userinfo_signing_alg_values_supported"
	OPMetadataUserInfoJweAlg        = "userinfo_encryption_alg_values_supported"
	OPMetadataUserInfoJweEnc        = "userinfo_encryption_enc_values_supported"
	OPMetadataRequestJwsAlg         = "request_object_signing_alg_values_supported"
	OPMetadataRequestJweAlg         = "request_object_encryption_alg_values_supported"
	OPMetadataRequestJweEnc         = "request_object_encryption_enc_values_supported"
	OPMetadataClientAuthMethod      = "token_endpoint_auth_methods_supported"
	OPMetadataAuthJwsAlg            = "token_endpoint_auth_signing_alg_values_supported"
	OPMetadataDisplayValues         = "display_values_supported"
	OPMetadataClaimTypes            = "claim_types_supported"
	OPMetadataClaims                = "claims_supported"
	OPMetadataServiceDocs           = "service_documentation"
	OPMetadataClaimsLocales         = "claims_locales_supported"
	OPMetadataUILocales             = "ui_locales_supported"
	OPMetadataClaimsParams          = "claims_parameter_supported"
	OPMetadataRequestParams         = "request_parameter_supported"
	OPMetadataRequestUriParams      = "request_uri_parameter_supported"
	OPMetadataRequiresRequestUriReg = "require_request_uri_registration"
	OPMetadataPolicyUri             = "op_policy_uri"
	OPMetadataTosUri                = "op_tos_uri"
	OPMetadataEndSessionEndpoint    = "end_session_endpoint" // RP-Initiated Logout 1.0, not part of core Discovery
)

See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

// Error codes for OIDC single logout (SLO) failures, split by the side the
// failure is attributed to; they back ErrorOidcSloRp (rendered with status
// 400) and ErrorOidcSloOp (rendered with status 500).
// NOTE(review): this listing shows no initializer for either constant — they
// presumably continue an iota expression from a preceding declaration that
// is not rendered here; confirm against the source file.
const (
	ErrorCodeOidcSloRp // failure attributed to the relying party's request
	ErrorCodeOidcSloOp // failure attributed to the OpenID provider itself
)
const (

	// ErrorSubTypeCodeOidcSlo is the error sub-type code for non-programming
	// errors that can occur during OIDC RP-initiated logout. It is derived
	// from security.ErrorTypeCodeOidc by shifting iota into the sub-type bits.
	ErrorSubTypeCodeOidcSlo = security.ErrorTypeCodeOidc + iota<<errorutils.ErrorSubTypeOffset
)
// OPMetaExtraSourceIDPManager is the key naming the "idpManager" extra source
// for OP metadata. NOTE(review): how the value is consumed is not visible in
// this listing (inferred from the name only) — confirm against the metadata
// endpoint code.
const (
	OPMetaExtraSourceIDPManager = "idpManager"
)
// WellKnownEndpointOPConfig is the path of the OpenID Provider Configuration
// document (OIDC Discovery 1.0 §4), served under the well-known URI prefix.
const (
	WellKnownEndpointOPConfig = `/.well-known/openid-configuration`
)

Variables

var (
	// ErrorSubTypeOidcSlo is the error sub-type grouping all errors raised
	// during OIDC RP-initiated logout.
	ErrorSubTypeOidcSlo = security.NewErrorSubType(ErrorSubTypeCodeOidcSlo, errors.New("error sub-type: oidc slo"))

	// ErrorOidcSloRp is an SLO error attributed to the relying party's
	// request; such errors are displayed as an HTML page with status 400.
	ErrorOidcSloRp = security.NewCodedError(ErrorCodeOidcSloRp, "SLO rp error")
	// ErrorOidcSloOp is an SLO error attributed to the provider itself;
	// such errors are displayed as an HTML page with status 500.
	ErrorOidcSloOp = security.NewCodedError(ErrorCodeOidcSloOp, "SLO op error")
)
var (
	// OPMetadataBasicSpecs maps OP metadata member names to the claim specs
	// that produce them. Endpoint members are resolved through
	// opMetaEndpoint; fixed sets list the values this provider supports.
	//
	// NOTE(review): grant_types_supported advertises the implicit and
	// password grants while response_types_supported lists only "code".
	// If implicit is not actually reachable, advertising it misleads
	// clients; if it is, the response types should say so. Confirm against
	// the authorize endpoint. Advertising the password grant is also worth
	// a second look, as it is discouraged by current OAuth security guidance.
	OPMetadataBasicSpecs = map[string]claims.ClaimSpec{
		OPMetadataIssuer:           claims.Optional(claims.Issuer),
		OPMetadataAuthEndpoint:     opMetaEndpoint(OPMetadataAuthEndpoint),
		OPMetadataTokenEndpoint:    opMetaEndpoint(OPMetadataTokenEndpoint),
		OPMetadataUserInfoEndpoint: opMetaEndpoint(OPMetadataUserInfoEndpoint),
		OPMetadataJwkSetURI:        opMetaEndpoint(OPMetadataJwkSetURI),
		OPMetadataGrantTypes: opMetaFixedSet(
			oauth2.GrantTypeClientCredentials, oauth2.GrantTypePassword,
			oauth2.GrantTypeAuthCode, oauth2.GrantTypeImplicit, oauth2.GrantTypeRefresh,
			oauth2.GrantTypeSwitchUser, oauth2.GrantTypeSwitchTenant, oauth2.GrantTypeSamlSSO,
		),
		OPMetadataScopes: opMetaFixedSet(
			oauth2.ScopeRead, oauth2.ScopeWrite, oauth2.ScopeTokenDetails, oauth2.ScopeTenantHierarchy,
			oauth2.ScopeOidc, oauth2.ScopeOidcProfile, oauth2.ScopeOidcEmail, oauth2.ScopeOidcAddress, oauth2.ScopeOidcPhone,
		),

		OPMetadataResponseTypes: opMetaFixedSet("code"),
		OPMetadataACRValues:     opMetaAcrValues(1, 2, 3),
		OPMetadataSubjectTypes:  opMetaFixedSet("public"),
		OPMetadataIdTokenJwsAlg: opMetaFixedSet("RS256"), // ID tokens are signed, never "none"
		OPMetadataClaims: opMetaFixedSet(
			oauth2.ClaimIssuer, oauth2.ClaimSubject, oauth2.ClaimAudience, oauth2.ClaimExpire, oauth2.ClaimIssueAt,
			oauth2.ClaimAuthTime, oauth2.ClaimNonce, oauth2.ClaimAuthCtxClassRef, oauth2.ClaimAuthMethodRef, oauth2.ClaimAuthorizedParty,
			oauth2.ClaimFullName, oauth2.ClaimFirstName, oauth2.ClaimLastName, oauth2.ClaimPreferredUsername,
			oauth2.ClaimEmail, oauth2.ClaimEmailVerified, oauth2.ClaimLocale,
		),
	}

	// OPMetadataOptionalSpecs maps the remaining OP metadata members to their
	// claim specs; claims.Unsupported() marks features this provider does not
	// implement (dynamic registration, request_uri, encrypted ID tokens and
	// UserInfo responses, signed request objects, private_key_jwt client
	// auth). How "optional" members differ from basic ones at serialization
	// time is not visible in this listing.
	OPMetadataOptionalSpecs = map[string]claims.ClaimSpec{
		OPMetadataRegEndpoint:           claims.Unsupported(),
		OPMetadataResponseModes:         claims.Unsupported(),
		OPMetadataIdTokenJweAlg:         claims.Unsupported(),
		OPMetadataIdTokenJweEnc:         claims.Unsupported(),
		OPMetadataUserInfoJwsAlg:        opMetaFixedSet("RS256"),
		OPMetadataUserInfoJweAlg:        claims.Unsupported(),
		OPMetadataUserInfoJweEnc:        claims.Unsupported(),
		OPMetadataRequestJwsAlg:         claims.Unsupported(),
		OPMetadataRequestJweAlg:         claims.Unsupported(),
		OPMetadataRequestJweEnc:         claims.Unsupported(),
		OPMetadataClientAuthMethod:      opMetaFixedSet("client_secret_basic", "client_secret_post"),
		OPMetadataAuthJwsAlg:            claims.Unsupported(),
		OPMetadataDisplayValues:         opMetaFixedSet("page", "touch"),
		OPMetadataClaimTypes:            opMetaFixedSet("normal"),
		OPMetadataServiceDocs:           claims.Unsupported(),
		OPMetadataClaimsLocales:         opMetaFixedSet("en-CA", "en-US"),
		OPMetadataUILocales:             opMetaFixedSet("en-CA", "en-US"),
		OPMetadataClaimsParams:          opMetaFixedBool(true),
		OPMetadataRequestParams:         opMetaFixedBool(true),
		OPMetadataRequestUriParams:      claims.Unsupported(),
		OPMetadataRequiresRequestUriReg: claims.Unsupported(),
		OPMetadataPolicyUri:             claims.Unsupported(),
		OPMetadataTosUri:                claims.Unsupported(),
		OPMetadataEndSessionEndpoint:    opMetaEndpoint(OPMetadataEndSessionEndpoint),
	}
)
// ParameterIdTokenHint is the RP-initiated logout request parameter carrying
// the ID token previously issued to the RP (OIDC RP-Initiated Logout 1.0 §2).
// NOTE(review): declared as a var, so any importer can reassign it; a const
// would be safer unless its address is taken somewhere.
var ParameterIdTokenHint = "id_token_hint"
// ParameterRedirectUri is the RP-initiated logout request parameter naming
// where to send the browser after logout (OIDC RP-Initiated Logout 1.0 §2).
// The spec requires the value to match a post-logout redirect URI registered
// for the client, otherwise the OP becomes an open redirector; that check is
// expected in OidcLogoutHandler but is not visible in this listing.
// NOTE(review): declared as a var, so any importer can reassign it; a const
// would be safer unless its address is taken somewhere.
var ParameterRedirectUri = "post_logout_redirect_uri"
// ParameterState is the opaque RP-initiated logout request parameter that the
// OP echoes back on the post-logout redirect (OIDC RP-Initiated Logout 1.0 §2).
// NOTE(review): declared as a var, so any importer can reassign it; a const
// would be safer unless its address is taken somewhere.
var ParameterState = "state"

Functions

func NewAccountSelectionRequiredError

func NewAccountSelectionRequiredError(value interface{}, causes ...interface{}) error

func NewInteractionRequiredError

func NewInteractionRequiredError(value interface{}, causes ...interface{}) error

func NewInvalidRequestObjError

func NewInvalidRequestObjError(value interface{}, causes ...interface{}) error

func NewInvalidRequestURIError

func NewInvalidRequestURIError(value interface{}, causes ...interface{}) error

func NewLoginRequiredError

func NewLoginRequiredError(value interface{}, causes ...interface{}) error

func NewOpenIDExtendedError

func NewOpenIDExtendedError(oauth2Code string, value interface{}, causes ...interface{}) error

func NewRegistrationNotSupportedError

func NewRegistrationNotSupportedError(value interface{}, causes ...interface{}) error

func NewRequestNotSupportedError

func NewRequestNotSupportedError(value interface{}, causes ...interface{}) error

func NewRequestURINotSupportedError

func NewRequestURINotSupportedError(value interface{}, causes ...interface{}) error

Types

type ARPOption

// ARPOption holds the dependencies of OpenIDAuthorizeRequestProcessor and is
// populated through ARPOptions passed to NewOpenIDAuthorizeRequestProcessor.
type ARPOption struct {
	Issuer     security.Issuer // issuer identity of this provider
	JwtDecoder jwt.JwtDecoder  // presumably used to parse JWTs carried in the authorize request (e.g. id_token_hint) — confirm against Process
}

type ARPOptions

// ARPOptions is a functional option that mutates an ARPOption; it is consumed
// by NewOpenIDAuthorizeRequestProcessor.
type ARPOptions func(opt *ARPOption)

type ClaimsRequest

// ClaimsRequest models the OIDC "claims" authorization request parameter
// (OIDC Core 1.0 §5.5): the claims requested for the UserInfo response and
// those requested for the ID token, respectively.
type ClaimsRequest struct {
	UserInfo requestedClaims `json:"userinfo"`
	IdToken  requestedClaims `json:"id_token"`
}

type EnhancerOption

// EnhancerOption holds the dependencies of OpenIDTokenEnhancer and is
// populated through EnhancerOptions passed to NewOpenIDTokenEnhancer.
type EnhancerOption struct {
	Issuer     security.Issuer // issuer placed in generated ID tokens (inferred; confirm against Enhance)
	JwtEncoder jwt.JwtEncoder  // encoder that signs the generated ID token (inferred; confirm against Enhance)
}

type EnhancerOptions

// EnhancerOptions is a functional option that mutates an EnhancerOption; it
// is consumed by NewOpenIDTokenEnhancer.
type EnhancerOptions func(opt *EnhancerOption)

type EpOption

// EpOption configures OidcEntryPoint (see NewOidcEntryPoint).
type EpOption struct {
	WhitelabelErrorPath string // path of the error page the entry point sends users to when it cannot proceed (inferred from the name; confirm against Commence)
}

type EpOptions

// EpOptions is a functional option that mutates an EpOption; it is consumed
// by NewOidcEntryPoint.
type EpOptions func(opt *EpOption)

type HandlerOption

// HandlerOption holds the dependencies of OidcLogoutHandler and is populated
// through HandlerOptions passed to NewOidcLogoutHandler.
type HandlerOption struct {
	Dec         jwt.JwtDecoder           // presumably decodes the id_token_hint sent with the logout request — confirm against HandleLogout
	Issuer      security.Issuer          // issuer identity of this provider
	ClientStore oauth2.OAuth2ClientStore // client lookup, e.g. to validate post_logout_redirect_uri against the registered client (inferred)
}

type HandlerOptions

// HandlerOptions is a functional option that mutates a HandlerOption; it is
// consumed by NewOidcLogoutHandler.
type HandlerOptions func(opt *HandlerOption)

type IdTokenClaims

// IdTokenClaims is the typed claim set of an OpenID Connect ID token. The
// `claim` tags give the JWT claim names; the embedded oauth2.FieldClaimsMapper
// backs the Get/Has/Set/Values and JSON methods. Pointer-typed boolean fields
// distinguish "absent" from "false". Many fields carry personal data and
// should only be populated for the scopes the client was granted.
type IdTokenClaims struct {
	oauth2.FieldClaimsMapper

	Issuer   string                `claim:"iss"`
	Subject  string                `claim:"sub"`
	Audience oauth2.StringSetClaim `claim:"aud"`
	Expire   time.Time             `claim:"exp"`
	IssueAt  time.Time             `claim:"iat"`

	/* Standard */
	AuthTime        time.Time `claim:"auth_time"`
	Nonce           string    `claim:"nonce"` // echoed from the authorize request; RPs use it to bind the token to their session
	AuthCtxClassRef string    `claim:"acr"`
	AuthMethodRef   []string  `claim:"amr"`
	AuthorizedParty string    `claim:"azp"`
	AccessTokenHash string    `claim:"at_hash"` // hash binding this ID token to the access token issued with it

	/* Profile Scope */
	FullName          string    `claim:"name"`
	FirstName         string    `claim:"given_name"`
	LastName          string    `claim:"family_name"`
	MiddleName        string    `claim:"middle_name"`
	Nickname          string    `claim:"nickname"`
	PreferredUsername string    `claim:"preferred_username"`
	ProfileUrl        string    `claim:"profile"`
	PictureUrl        string    `claim:"picture"`
	Website           string    `claim:"website"`
	Gender            string    `claim:"gender"`
	Birthday          string    `claim:"birthdate"` // ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format
	ZoneInfo          string    `claim:"zoneinfo"`  // Europe/Paris or America/Los_Angeles
	Locale            string    `claim:"locale"`    // Typically ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1
	UpdatedAt         time.Time `claim:"updated_at"`

	/* Email Scope */
	Email         string `claim:"email"`
	EmailVerified *bool  `claim:"email_verified"` // nil when unknown, distinct from false

	/* Phone Number Scope */
	PhoneNumber      string `claim:"phone_number"` // RFC 3966 [RFC3966] e.g. +1 (604) 555-1234;ext=5678
	PhoneNumVerified *bool  `claim:"phone_number_verified"`

	/* Address Scope */
	Address *claims.AddressClaim `claim:"address"`

	/* Tenancy / authorization claims — labelled "Profile Scope" in the
	   original, but these are not OIDC Core profile claims; the scope that
	   gates them is not visible in this listing. */
	DefaultTenantId string          `claim:"default_tenant_id"`
	AssignedTenants utils.StringSet `claim:"assigned_tenants"`
	Roles           utils.StringSet `claim:"roles"`
	Permissions     utils.StringSet `claim:"permissions"`

	/* General Scope */
	UserId           string `claim:"user_id"`
	AccountType      string `claim:"account_type"`
	TenantId         string `claim:"tenant_id"`
	TenantExternalId string `claim:"tenant_name"` //for backward compatibility, map to tenant_name
	TenantSuspended  *bool  `claim:"tenant_suspended"`
	ProviderId       string `claim:"provider_id"`
	ProviderName     string `claim:"provider_name"`
	OrigUsername     string `claim:"original_username"`
	Currency         string `claim:"currency"`
}

IdTokenClaims implements oauth2.Claims

func (*IdTokenClaims) Get

func (c *IdTokenClaims) Get(claim string) interface{}

func (*IdTokenClaims) Has

func (c *IdTokenClaims) Has(claim string) bool

func (*IdTokenClaims) MarshalJSON

func (c *IdTokenClaims) MarshalJSON() ([]byte, error)

func (*IdTokenClaims) Set

func (c *IdTokenClaims) Set(claim string, value interface{})

func (*IdTokenClaims) UnmarshalJSON

func (c *IdTokenClaims) UnmarshalJSON(bytes []byte) error

func (*IdTokenClaims) Values

func (c *IdTokenClaims) Values() map[string]interface{}

type OPMetadata

// OPMetadata is the typed view of the OpenID Provider Metadata document. The
// `claim` tags match the OPMetadata* member-name constants. Members without a
// typed field here are presumably carried by the embedded oauth2.MapClaims;
// the embedded oauth2.FieldClaimsMapper backs the claim accessor methods.
type OPMetadata struct {
	oauth2.FieldClaimsMapper
	oauth2.MapClaims
	Issuer                 string          `claim:"issuer"`
	AuthEndpoint           string          `claim:"authorization_endpoint"`
	TokenEndpoint          string          `claim:"token_endpoint"`
	UserInfoEndpoint       string          `claim:"userinfo_endpoint"`
	JwkSetURI              string          `claim:"jwks_uri"`
	SupportedGrantTypes    utils.StringSet `claim:"grant_types_supported"`
	SupportedScopes        utils.StringSet `claim:"scopes_supported"`
	SupportedResponseTypes utils.StringSet `claim:"response_types_supported"`
	SupportedACRs          utils.StringSet `claim:"acr_values_supported"`
	SupportedSubjectTypes  utils.StringSet `claim:"subject_types_supported"`
	SupportedIdTokenJwsAlg utils.StringSet `claim:"id_token_signing_alg_values_supported"`
	SupportedClaims        utils.StringSet `claim:"claims_supported"`
}

OPMetadata leverages the embedded claims implementations.

func (OPMetadata) Get

func (m OPMetadata) Get(claim string) interface{}

func (OPMetadata) Has

func (m OPMetadata) Has(claim string) bool

func (OPMetadata) MarshalJSON

func (m OPMetadata) MarshalJSON() ([]byte, error)

func (*OPMetadata) Set

func (m *OPMetadata) Set(claim string, value interface{})

func (*OPMetadata) UnmarshalJSON

func (m *OPMetadata) UnmarshalJSON(bytes []byte) error

func (OPMetadata) Values

func (m OPMetadata) Values() map[string]interface{}

type OidcEntryPoint

type OidcEntryPoint struct {
	// contains filtered or unexported fields
}

func NewOidcEntryPoint

func NewOidcEntryPoint(opts ...EpOptions) *OidcEntryPoint

func (*OidcEntryPoint) Commence

func (o *OidcEntryPoint) Commence(ctx context.Context, request *http.Request, writer http.ResponseWriter, err error)

type OidcLogoutHandler

type OidcLogoutHandler struct {
	// contains filtered or unexported fields
}

func NewOidcLogoutHandler

func NewOidcLogoutHandler(opts ...HandlerOptions) *OidcLogoutHandler

func (*OidcLogoutHandler) HandleLogout

func (o *OidcLogoutHandler) HandleLogout(ctx context.Context, request *http.Request, writer http.ResponseWriter, authentication security.Authentication) error

func (*OidcLogoutHandler) Order

func (o *OidcLogoutHandler) Order() int

func (*OidcLogoutHandler) ShouldLogout

func (o *OidcLogoutHandler) ShouldLogout(ctx context.Context, request *http.Request, writer http.ResponseWriter, authentication security.Authentication) error

type OidcSuccessHandler

type OidcSuccessHandler struct {
	// contains filtered or unexported fields
}

func NewOidcSuccessHandler

func NewOidcSuccessHandler(opts ...SuccessOptions) *OidcSuccessHandler

func (*OidcSuccessHandler) HandleAuthenticationSuccess

func (o *OidcSuccessHandler) HandleAuthenticationSuccess(c context.Context, r *http.Request, rw http.ResponseWriter, from, to security.Authentication)

func (*OidcSuccessHandler) Order

func (o *OidcSuccessHandler) Order() int

type OpenIDAuthorizeRequestProcessor

type OpenIDAuthorizeRequestProcessor struct {
	// contains filtered or unexported fields
}

OpenIDAuthorizeRequestProcessor implements ChainedAuthorizeRequestProcessor and order.Ordered; it validates the authorization request against the standard OAuth2 specs.

func NewOpenIDAuthorizeRequestProcessor

func NewOpenIDAuthorizeRequestProcessor(opts ...ARPOptions) *OpenIDAuthorizeRequestProcessor

func (*OpenIDAuthorizeRequestProcessor) Process

type OpenIDTokenEnhancer

type OpenIDTokenEnhancer struct {
	// contains filtered or unexported fields
}

OpenIDTokenEnhancer implements order.Ordered and TokenEnhancer. It generates the OpenID ID Token and sets it in the token details.

func NewOpenIDTokenEnhancer

func NewOpenIDTokenEnhancer(opts ...EnhancerOptions) *OpenIDTokenEnhancer

func (*OpenIDTokenEnhancer) Enhance

func (*OpenIDTokenEnhancer) Order

func (oe *OpenIDTokenEnhancer) Order() int

type SuccessOption

// SuccessOption holds the dependencies of OidcSuccessHandler and is populated
// through SuccessOptions passed to NewOidcSuccessHandler.
type SuccessOption struct {
	ClientStore         oauth2.OAuth2ClientStore // client lookup (how it is used is not visible here; confirm against HandleAuthenticationSuccess)
	WhitelabelErrorPath string                   // path of the error page used when success handling cannot proceed (inferred from the name)
}

type SuccessOptions

// SuccessOptions is a functional option that mutates a SuccessOption; it is
// consumed by NewOidcSuccessHandler.
type SuccessOptions func(opt *SuccessOption)
