Documentation ¶
Overview ¶
Package oidc is DEPRECATED. Use github.com/coreos/go-oidc instead.
Index ¶
- Constants
- Variables
- func ExtractBearerToken(r *http.Request) (string, error)
- func GenClientID(hostport string) (string, error)
- func NewClaims(iss, sub string, aud interface{}, iat, exp time.Time) jose.Claims
- func NewHTTPProviderConfigGetter(hc phttp.Client, issuerURL string) *httpProviderConfigGetter
- func NewRemotePublicKeyRepo(hc phttp.Client, ep string) *remotePublicKeyRepo
- func VerifyClaims(jwt jose.JWT, issuer, clientID string) error
- func VerifyClientClaims(jwt jose.JWT, issuer string) (string, error)
- func VerifySignature(jwt jose.JWT, keys []key.PublicKey) (bool, error)
- type AuthenticatedTransport
- type Client
- func (c *Client) ClientCredsToken(scope []string) (jose.JWT, error)
- func (c *Client) ExchangeAuthCode(code string) (jose.JWT, error)
- func (c *Client) Healthy() error
- func (c *Client) OAuthClient() (*oauth2.Client, error)
- func (c *Client) RefreshToken(refreshToken string) (jose.JWT, error)
- func (c *Client) SyncProviderConfig(discoveryURL string) chan struct{}
- func (c *Client) VerifyJWT(jwt jose.JWT) error
- type ClientConfig
- type ClientCredentials
- type ClientCredsTokenRefresher
- type ClientIdentity
- type ClientMetadata
- type ClientRegistrationResponse
- type Identity
- type JWAOptions
- type JWTVerifier
- type LoginFunc
- type ProviderConfig
- func (p ProviderConfig) Defaults() ProviderConfig
- func (p ProviderConfig) Empty() bool
- func (p *ProviderConfig) MarshalJSON() ([]byte, error)
- func (p ProviderConfig) Supports(c ClientMetadata) error
- func (p ProviderConfig) SupportsGrantType(grantType string) bool
- func (p *ProviderConfig) UnmarshalJSON(data []byte) error
- func (p ProviderConfig) Valid() error
- type ProviderConfigGetter
- type ProviderConfigSetter
- type ProviderConfigSyncer
- type RequestTokenExtractor
- type TokenRefresher
Constants ¶
const ( // Subject Identifier types defined by the OIDC spec. Specifies if the provider // should provide the same sub claim value to all clients (public) or a unique // value for each client (pairwise). // // See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes SubjectTypePublic = "public" SubjectTypePairwise = "pairwise" )
const ( MaximumProviderConfigSyncInterval = 24 * time.Hour MinimumProviderConfigSyncInterval = time.Minute )
const DefaultPublicKeySetTTL = 24 * time.Hour
DefaultPublicKeySetTTL is the default TTL set on the PublicKeySet if no Cache-Control header is provided by the JWK Set document endpoint.
Variables ¶
var ( // Default values for omitted provider config fields. // // Use ProviderConfig's Defaults method to fill a provider config with these values. DefaultGrantTypesSupported = []string{oauth2.GrantTypeAuthCode, oauth2.GrantTypeImplicit} DefaultResponseModesSupported = []string{"query", "fragment"} DefaultTokenEndpointAuthMethodsSupported = []string{oauth2.AuthMethodClientSecretBasic} DefaultClaimTypesSupported = []string{"normal"} )
var (
DefaultScope = []string{"openid", "email", "profile"}
)
Functions ¶
func ExtractBearerToken ¶
ExtractBearerToken is a RequestTokenExtractor which extracts a bearer token from a request's Authorization header.
func GenClientID ¶
func NewRemotePublicKeyRepo ¶
NewRemotePublicKeyRepo is responsible for fetching the JWK Set document.
func VerifyClaims ¶
Verify claims in accordance with OIDC spec http://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation
func VerifyClientClaims ¶
VerifyClientClaims verifies all the required claims are valid for a "client credentials" JWT. Returns the client ID if valid, or an error if invalid.
Types ¶
type AuthenticatedTransport ¶
type AuthenticatedTransport struct { TokenRefresher http.RoundTripper // contains filtered or unexported fields }
func (*AuthenticatedTransport) SetJWT ¶
func (t *AuthenticatedTransport) SetJWT(jwt jose.JWT)
SetJWT sets the JWT held by the Transport. This is useful for cases in which you want to set an initial JWT.
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
func NewClient ¶
func NewClient(cfg ClientConfig) (*Client, error)
func (*Client) ClientCredsToken ¶
func (*Client) ExchangeAuthCode ¶
ExchangeAuthCode exchanges an OAuth2 auth code for an OIDC JWT ID token.
func (*Client) RefreshToken ¶
RefreshToken uses a refresh token to exchange for a new OIDC JWT ID Token.
func (*Client) SyncProviderConfig ¶
SyncProviderConfig starts the provider config syncer
type ClientConfig ¶
type ClientConfig struct { HTTPClient phttp.Client Credentials ClientCredentials Scope []string RedirectURL string ProviderConfig ProviderConfig KeySet key.PublicKeySet }
type ClientCredentials ¶
type ClientCredentials oauth2.ClientCredentials
type ClientCredsTokenRefresher ¶
type ClientIdentity ¶
type ClientIdentity struct { Credentials ClientCredentials Metadata ClientMetadata }
type ClientMetadata ¶
type ClientMetadata struct { RedirectURIs []url.URL // Required // A list of OAuth 2.0 "response_type" values that the client wishes to restrict // itself to. Either "code", "token", or another registered extension. // // If omitted, only "code" will be used. ResponseTypes []string // A list of OAuth 2.0 grant types the client wishes to restrict itself to. // The grant type values used by OIDC are "authorization_code", "implicit", // and "refresh_token". // // If ommitted, only "authorization_code" will be used. GrantTypes []string // "native" or "web". If omitted, "web". ApplicationType string // List of email addresses. Contacts []mail.Address // Name of client to be presented to the end-user. ClientName string // URL that references a logo for the Client application. LogoURI *url.URL // URL of the home page of the Client. ClientURI *url.URL // Profile data policies and terms of use to be provided to the end user. PolicyURI *url.URL TermsOfServiceURI *url.URL // URL to or the value of the client's JSON Web Key Set document. JWKSURI *url.URL JWKS *jose.JWKSet // URL referencing a flie with a single JSON array of redirect URIs. SectorIdentifierURI *url.URL SubjectType string // Options to restrict the JWS alg and enc values used for server responses and requests. IDTokenResponseOptions JWAOptions UserInfoResponseOptions JWAOptions RequestObjectOptions JWAOptions // Client requested authorization method and signing options for the token endpoint. // // Defaults to "client_secret_basic" TokenEndpointAuthMethod string TokenEndpointAuthSigningAlg string // DefaultMaxAge specifies the maximum amount of time in seconds before an authorized // user must reauthroize. // // If 0, no limitation is placed on the maximum. DefaultMaxAge int64 // RequireAuthTime specifies if the auth_time claim in the ID token is required. RequireAuthTime bool // Default Authentication Context Class Reference values for authentication requests. DefaultACRValues []string // URI that a third party can use to initiate a login by the relaying party. // // See: http://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin InitiateLoginURI *url.URL // Pre-registered request_uri values that may be cached by the server. RequestURIs []url.URL }
ClientMetadata holds metadata that the authorization server associates with a client identifier. The fields range from human-facing display strings such as client name, to items that impact the security of the protocol, such as the list of valid redirect URIs.
See http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
TODO: support language specific claim representations http://openid.net/specs/openid-connect-registration-1_0.html#LanguagesAndScripts
func (ClientMetadata) Defaults ¶
func (m ClientMetadata) Defaults() ClientMetadata
Defaults returns a shallow copy of ClientMetadata with default values replacing omitted fields.
func (*ClientMetadata) MarshalJSON ¶
func (m *ClientMetadata) MarshalJSON() ([]byte, error)
func (*ClientMetadata) UnmarshalJSON ¶
func (m *ClientMetadata) UnmarshalJSON(data []byte) error
func (*ClientMetadata) Valid ¶
func (m *ClientMetadata) Valid() error
Valid determines if a ClientMetadata conforms with the OIDC specification.
Valid is called by UnmarshalJSON.
NOTE(ericchiang): For development purposes Valid does not mandate 'https' for URLs fields where the OIDC spec requires it. This may change in future releases of this package. See: https://github.com/coreos/go-oidc/issues/34
type ClientRegistrationResponse ¶
type ClientRegistrationResponse struct { ClientID string // Required ClientSecret string RegistrationAccessToken string RegistrationClientURI string // If IsZero is true, unspecified. ClientIDIssuedAt time.Time // Time at which the client_secret will expire. // If IsZero is true, it will not expire. ClientSecretExpiresAt time.Time ClientMetadata }
func (*ClientRegistrationResponse) MarshalJSON ¶
func (c *ClientRegistrationResponse) MarshalJSON() ([]byte, error)
func (*ClientRegistrationResponse) UnmarshalJSON ¶
func (c *ClientRegistrationResponse) UnmarshalJSON(data []byte) error
type JWAOptions ¶
type JWAOptions struct { // SigningAlg specifies an JWA alg for signing JWTs. // // Specifying this field implies different actions depending on the context. It may // require objects be serialized and signed as a JWT instead of plain JSON, or // require an existing JWT object use the specified alg. // // See: http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata SigningAlg string // EncryptionAlg, if provided, specifies that the returned or sent object be stored // (or nested) within a JWT object and encrypted with the provided JWA alg. EncryptionAlg string // EncryptionEnc specifies the JWA enc algorithm to use with EncryptionAlg. If // EncryptionAlg is provided and EncryptionEnc is omitted, this field defaults // to A128CBC-HS256. // // If EncryptionEnc is provided EncryptionAlg must also be specified. EncryptionEnc string }
type JWTVerifier ¶
type JWTVerifier struct {
// contains filtered or unexported fields
}
func NewJWTVerifier ¶
func NewJWTVerifier(issuer, clientID string, syncFunc func() error, keysFunc func() []key.PublicKey) JWTVerifier
type ProviderConfig ¶
type ProviderConfig struct { Issuer *url.URL // Required AuthEndpoint *url.URL // Required TokenEndpoint *url.URL // Required if grant types other than "implicit" are supported UserInfoEndpoint *url.URL KeysEndpoint *url.URL // Required RegistrationEndpoint *url.URL EndSessionEndpoint *url.URL CheckSessionIFrame *url.URL // Servers MAY choose not to advertise some supported scope values even when this // parameter is used, although those defined in OpenID Core SHOULD be listed, if supported. ScopesSupported []string // OAuth2.0 response types supported. ResponseTypesSupported []string // Required // OAuth2.0 response modes supported. // // If omitted, defaults to DefaultResponseModesSupported. ResponseModesSupported []string // OAuth2.0 grant types supported. // // If omitted, defaults to DefaultGrantTypesSupported. GrantTypesSupported []string ACRValuesSupported []string // SubjectTypesSupported specifies strategies for providing values for the sub claim. SubjectTypesSupported []string // Required // JWA signing and encryption algorith values supported for ID tokens. IDTokenSigningAlgValues []string // Required IDTokenEncryptionAlgValues []string IDTokenEncryptionEncValues []string // JWA signing and encryption algorith values supported for user info responses. UserInfoSigningAlgValues []string UserInfoEncryptionAlgValues []string UserInfoEncryptionEncValues []string // JWA signing and encryption algorith values supported for request objects. ReqObjSigningAlgValues []string ReqObjEncryptionAlgValues []string ReqObjEncryptionEncValues []string TokenEndpointAuthMethodsSupported []string TokenEndpointAuthSigningAlgValuesSupported []string DisplayValuesSupported []string ClaimTypesSupported []string ClaimsSupported []string ServiceDocs *url.URL ClaimsLocalsSupported []string UILocalsSupported []string ClaimsParameterSupported bool RequestParameterSupported bool RequestURIParamaterSupported bool RequireRequestURIRegistration bool Policy *url.URL TermsOfService *url.URL // Not part of the OpenID Provider Metadata ExpiresAt time.Time }
ProviderConfig represents the OpenID Provider Metadata specifying what configurations a provider supports.
See: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
func FetchProviderConfig ¶
func FetchProviderConfig(hc phttp.Client, issuerURL string) (ProviderConfig, error)
func WaitForProviderConfig ¶
func WaitForProviderConfig(hc phttp.Client, issuerURL string) (pcfg ProviderConfig)
func (ProviderConfig) Defaults ¶
func (p ProviderConfig) Defaults() ProviderConfig
Defaults returns a shallow copy of ProviderConfig with default values replacing omitted fields.
var cfg oidc.ProviderConfig // Fill provider config with default values for omitted fields. cfg = cfg.Defaults()
func (ProviderConfig) Empty ¶
func (p ProviderConfig) Empty() bool
Empty returns if a ProviderConfig holds no information.
This case generally indicates a ProviderConfigGetter has experienced an error and has nothing to report.
func (*ProviderConfig) MarshalJSON ¶
func (p *ProviderConfig) MarshalJSON() ([]byte, error)
func (ProviderConfig) Supports ¶
func (p ProviderConfig) Supports(c ClientMetadata) error
Supports determines if provider supports a client given their respective metadata.
func (ProviderConfig) SupportsGrantType ¶
func (p ProviderConfig) SupportsGrantType(grantType string) bool
func (*ProviderConfig) UnmarshalJSON ¶
func (p *ProviderConfig) UnmarshalJSON(data []byte) error
func (ProviderConfig) Valid ¶
func (p ProviderConfig) Valid() error
Valid determines if a ProviderConfig conforms with the OIDC specification. If Valid returns successfully it guarantees required field are non-nil and URLs are well formed.
Valid is called by UnmarshalJSON.
NOTE(ericchiang): For development purposes Valid does not mandate 'https' for URLs fields where the OIDC spec requires it. This may change in future releases of this package. See: https://github.com/coreos/go-oidc/issues/34
type ProviderConfigGetter ¶
type ProviderConfigGetter interface {
Get() (ProviderConfig, error)
}
type ProviderConfigSetter ¶
type ProviderConfigSetter interface {
Set(ProviderConfig) error
}
type ProviderConfigSyncer ¶
type ProviderConfigSyncer struct {
// contains filtered or unexported fields
}
func NewProviderConfigSyncer ¶
func NewProviderConfigSyncer(from ProviderConfigGetter, to ProviderConfigSetter) *ProviderConfigSyncer
func (*ProviderConfigSyncer) Run ¶
func (s *ProviderConfigSyncer) Run() chan struct{}
func (*ProviderConfigSyncer) WaitUntilInitialSync ¶
func (s *ProviderConfigSyncer) WaitUntilInitialSync()
type RequestTokenExtractor ¶
RequestTokenExtractor funcs extract a raw encoded token from a request.
func CookieTokenExtractor ¶
func CookieTokenExtractor(cookieName string) RequestTokenExtractor
CookieTokenExtractor returns a RequestTokenExtractor which extracts a token from the named cookie in a request.