oauth2

package
v0.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 24, 2024 License: MIT Imports: 29 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	ClaimClientID        = "client_id"
	ClaimExpiryTime      = "exp"
	ClaimIssuer          = "iss"
	ClaimIssuedAtTime    = "iat"
	ClaimNotBeforeTime   = "nbf"
	ClaimUserID          = "user_id"
	ClaimScope           = "scope"
	ClaimSubject         = "sub"
	ClaimType            = "typ"
	ClaimAudience        = "aud"
	ClaimAccessTokenHash = "at_hash"
	ClaimNonce           = "nonce"
	ClaimTokenID         = "jti"
)
View Source 
const (
	// ErrorInvalidRequest - The request is missing a parameter so the server
	// can't proceed with the request. This may also be returned if the
	// request includes an unsupported parameter or repeats a parameter.
	ErrorInvalidRequest = "invalid_request"

	// ErrorInvalidClient – Client authentication failed, such as if the
	// request contains an invalid client ID or secret. Send an HTTP 401
	// response in this case.
	ErrorInvalidClient = "invalid_client"

	// ErrorInvalidGrant – The authorization code (or user's password for the
	// password grant type) is invalid or expired. This is also the error you
	// would return if the redirect URL given in the authorization grant does
	// not match the URL provided in this access token request.
	ErrorInvalidGrant = "invalid_grant"

	// ErrorRedirectURIMismatch - The redirect URI is invalid for the
	// requested client id
	ErrorRedirectURIMismatch = "redirect_uri_mismatch"

	ErrorUnauthorizedClient = "unauthorized_client"

	// ErrorUnsupportedGrantType – If a grant type is requested that the
	// authorization server doesn't recognize, use this code. Note that
	// unknown grant types also use this specific error code rather than using
	// the ErrorInvalidRequest above.
	ErrorUnsupportedGrantType = "unsupported_grant_type"

	ErrorInternal = "internal_server_error"
	ErrorNotFound = "not_found"
)
View Source 
const (
	GrantTypeAuthorizationCode = "authorization_code"
	GrantTypeClientCredentials = "client_credentials"
	GrantTypeRefreshToken      = "refresh_token"
	GrantTypePassword          = "password"

	TokenTypeCode         = "code"
	TokenTypeRefreshToken = "refresh_token"
	ResponseTypeCode      = "code"
	ResponseTypeToken     = "token"
)
View Source 
const HeaderKeyID = "KeyID"
View Source 
const OIDCDefaultScope = "openid profile email phone address offline_access"

Variables

View Source 
var ErrInvalidTokenType = errors.New("invalid token type (typ)")

Functions

func AddAddressClaims added in v0.3.0 

func AddAddressClaims(claims map[string]any, user User)

func AddEmailClaims 

func AddEmailClaims(claims map[string]any, user User)

func AddExtraClaims 

func AddExtraClaims(claims map[string]any, extraClaims map[string]string, user User, clientID string)

func AddPhoneClaims added in v0.3.0 

func AddPhoneClaims(claims map[string]any, user User)

func AddProfileClaims 

func AddProfileClaims(claims map[string]any, user User)

func AuthorizeHandler 

func AuthorizeHandler(basePath string, tokenService TokenCreator, peopleStore people.Store, clientStore clients.Store, scope, sessionName string) http.Handler

func DiscoveryDocumentHandler 

func DiscoveryDocumentHandler(issuer, scope string) http.Handler

func Error 

func Error(w http.ResponseWriter, error string, description string, code int)

func GeneratePrivateKey 

func GeneratePrivateKey(keySize int, keyID string) ([]byte, error)

func IntersectScope 

func IntersectScope(availableScope, requestedScope string) string

func JwksHandler 

func JwksHandler(publicKeys map[string]any) http.Handler

func LoadPublicKeys 

func LoadPublicKeys(basePath string, keys []string) (map[string]any, error)

func NewTokenID added in v0.4.1 

func NewTokenID(timestamp time.Time) string

func RevokeHandler added in v0.4.1 

func RevokeHandler(tokenCreator TokenCreator, clientStore clients.Store, trlStore trl.Store) http.Handler

func ToJwks 

func ToJwks(publicKeys map[string]any) []jose.JSONWebKey

ToJwks creates JSON Web Keys from multiple public keys

func ToPublicKeys added in v0.4.1 

func ToPublicKeys(jwks []jose.JSONWebKey) map[string]any

func TokenHandler 

func TokenHandler(tokenService TokenCreator, peopleStore people.Store, clientStore clients.Store, trlStore trl.Store, scope string) http.Handler

func UnmarshalJWKS added in v0.6.0 

func UnmarshalJWKS(bytes []byte) ([]jose.JSONWebKey, error)

func UserInfoHandler 

func UserInfoHandler(peopleStore people.Store, extraClaims map[string]string) http.Handler

Types

type DiscoveryDocument 

type DiscoveryDocument struct {
	Issuer                                     string   `json:"issuer"`
	AuthorizationEndpoint                      string   `json:"authorization_endpoint"`
	JwksURI                                    string   `json:"jwks_uri"`
	ResponseTypesSupported                     []string `json:"response_types_supported"`
	GrantTypesSupported                        []string `json:"grant_types_supported"`
	TokenEndpoint                              string   `json:"token_endpoint"`
	UserinfoEndpoint                           string   `json:"userinfo_endpoint"`
	EndSessionEndpoint                         string   `json:"end_session_endpoint"`
	ScopesSupported                            []string `json:"scopes_supported"`
	TokenEndpointAuthMethodsSupported          []string `json:"token_endpoint_auth_methods_supported"`
	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported"`
	CodeChallengeMethodsSupported              []string `json:"code_challenge_methods_supported,omitempty"`
	IDTokenSigningAlgValuesSupported           []string `json:"id_token_signing_alg_values_supported"`
	RevocationEndpoint                         string   `json:"revocation_endpoint"`
	RevocationEndpointAuthMethodsSupported     []string `json:"revocation_endpoint_auth_methods_supported"`
}

type ErrorResponse 

type ErrorResponse struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description,omitempty"`
}

type TokenCreator 

type TokenCreator interface {
	GenerateAccessToken(user User, subject, clientID, scope string) (string, error)
	GenerateIDToken(user User, clientID, scope, accessTokenHash, nonce string) (string, error)
	GenerateAuthCode(userID, clientID, scope, challenge, nonce string) (string, error)
	GenerateRefreshToken(userID, clientID, scope, nonce string) (string, error)
	Verify(rawToken, tokenType string) (*VerifiedClaims, error)
	AccessTokenTTL() int64
	Issuer() string
}

func NewTokenCreator added in v0.4.1 

func NewTokenCreator(privateKey *rsa.PrivateKey, keyID, issuer, scope string,
	accessTokenTTL, refreshTokenTTL, idTokenTTL int64,
	accessTokenExtraClaims, idTokenExtraClaims map[string]string) (TokenCreator, error)

type TokenResponse 

type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int64  `json:"expires_in"`
	RefreshToken string `json:"refresh_token,omitempty"`
	IDToken      string `json:"id_token,omitempty"`
}

type User 

type User struct {
	people.Person
	UserID string `json:"user_id"`
}

type VerifiedClaims added in v0.4.1 

type VerifiedClaims struct {
	UserID    string           `json:"user_id"`
	ClientID  string           `json:"client_id"`
	TokenID   string           `json:"jti"`
	Type      string           `json:"typ"`
	Scope     string           `json:"scope"`
	Challenge string           `json:"challenge"`
	Nonce     string           `json:"nonce"`
	Expiry    *jwt.NumericDate `json:"exp"`
}

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.