Documentation
Index
- Constants
- Variables
- func DiscoverPublicKey(ctx context.Context, headers jws.Headers, issuer string) (crypto.PublicKey, error)
- func ExtractClaim(idt []byte, claimName string) (string, error)
- func VerifyPKToken(ctx context.Context, pkt *pktoken.PKToken, provider OpenIdProvider) error
- type AuthOpts
- type AuthOptsStruct
- type BrowserOpenIdProvider
- type ClientOpts
- type CosignerProvider
- func (c *CosignerProvider) CreateInitAuthSig(redirectURI string) ([]byte, string, error)
- func (c *CosignerProvider) RequestToken(ctx context.Context, signer crypto.Signer, pkt *pktoken.PKToken, ...) (*pktoken.PKToken, error)
- func (c *CosignerProvider) ValidateCos(cosSig []byte, expectedNonce string, expectedRedirectURI string) error
- type OidcClaims
- type OpenIdProvider
- type OpkClient
- func (o *OpkClient) Auth(ctx context.Context, opts ...AuthOpts) (*pktoken.PKToken, error)
- func (o *OpkClient) GetAlg() jwa.KeyAlgorithm
- func (o *OpkClient) GetCosP() *CosignerProvider
- func (o *OpkClient) GetOp() OpenIdProvider
- func (o *OpkClient) GetSignGQ() bool
- func (o *OpkClient) GetSigner() crypto.Signer
- func (o *OpkClient) OidcAuth(ctx context.Context, signer crypto.Signer, alg jwa.KeyAlgorithm, ...) (*pktoken.PKToken, error)
- type PKTokenVerifier
Constants
const GQSecurityParameter = 256
Variables
var ErrNonGQUnsupported = fmt.Errorf("non-GQ signatures are not supported")
Functions
func DiscoverPublicKey
func DiscoverPublicKey(ctx context.Context, headers jws.Headers, issuer string) (crypto.PublicKey, error)
func VerifyPKToken
func VerifyPKToken(ctx context.Context, pkt *pktoken.PKToken, provider OpenIdProvider) error
Types
type AuthOpts
type AuthOpts func(a *AuthOptsStruct)
func WithExtraClaim
WithExtraClaim specifies additional values to be included in the CIC. These claims will be included in the CIC protected header and hashed into the commitment claim in the ID Token. The commitment claim is typically the nonce or aud claim in the ID Token. Example use:
WithExtraClaim("claimKey", "claimValue")
type AuthOptsStruct
type AuthOptsStruct struct {
// contains filtered or unexported fields
}
type BrowserOpenIdProvider
type BrowserOpenIdProvider interface {
	OpenIdProvider
	HookHTTPSession(h http.HandlerFunc)
}
Interface for interacting with the OP (OpenID Provider)
type ClientOpts
type ClientOpts func(o *OpkClient)
ClientOpts contains options for constructing an OpkClient
func WithCosignerProvider
func WithCosignerProvider(cosP *CosignerProvider) ClientOpts
WithCosignerProvider specifies which cosigner provider should be used to cosign the PK Token. If this is not specified, the cosigning setup is skipped.
func WithSignGQ
func WithSignGQ(signGQ bool) ClientOpts
WithSignGQ specifies whether the OP's signature on the ID Token should be replaced with a GQ signature by the client.
func WithSigner
func WithSigner(signer crypto.Signer, alg jwa.KeyAlgorithm) ClientOpts
WithSigner allows the caller to inject their own signer and algorithm. Use this option to bring your own user key pair. If this option is not set, the OpkClient constructor will automatically generate a signer, i.e., a key pair. Example use:
signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
WithSigner(signer, jwa.ES256)
type CosignerProvider
func (*CosignerProvider) CreateInitAuthSig
func (c *CosignerProvider) CreateInitAuthSig(redirectURI string) ([]byte, string, error)
func (*CosignerProvider) RequestToken
func (*CosignerProvider) ValidateCos
func (c *CosignerProvider) ValidateCos(cosSig []byte, expectedNonce string, expectedRedirectURI string) error
type OidcClaims
type OidcClaims struct {
	Issuer     string `json:"iss"`
	Subject    string `json:"sub"`
	Audience   string `json:"-"`
	Expiration int64  `json:"exp"`
	IssuedAt   int64  `json:"iat"`
	Email      string `json:"email,omitempty"`
	Nonce      string `json:"nonce,omitempty"`
	Username   string `json:"preferred_username,omitempty"`
	FirstName  string `json:"given_name,omitempty"`
	LastName   string `json:"family_name,omitempty"`
}
func (*OidcClaims) UnmarshalJSON
func (id *OidcClaims) UnmarshalJSON(data []byte) error
Implement UnmarshalJSON for custom handling during JSON unmarshaling
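As an added, stand-alone example (not code from the openpubkey project), the following shows the parsing side that OidcClaims and ExtractClaim cover: decoding the payload of a compact-serialized ID Token into a struct that reuses a subset of the OidcClaims field names and JSON tags, with a custom UnmarshalJSON that accepts aud as either a string or an array of strings (an assumption about why OidcClaims tags Audience `json:"-"` and needs its own unmarshaler), plus a helper that pulls one string claim by name in the spirit of the ExtractClaim signature. The names IDTokenClaims, DecodeIDToken, ExtractStringClaim and BuildSampleToken are this example's own; the sample token is constructed inline and unsigned. Nothing here checks a signature, which is VerifyPKToken's job.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// IDTokenClaims mirrors a subset of the page's OidcClaims (same names and tags); the Audience handling is this example's assumption.
type IDTokenClaims struct {
	Subject  string `json:"sub"`
	Audience string `json:"-"`
	Nonce    string `json:"nonce,omitempty"`
}

// UnmarshalJSON decodes the tagged fields, then fills Audience from "aud", which OIDC permits to be a string or a string array.
func (c *IDTokenClaims) UnmarshalJSON(data []byte) error {
	type plain IDTokenClaims // same fields, no methods: avoids recursing into this method
	var aux struct {
		plain
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(data, &aux); err != nil {
		return err
	}
	*c = IDTokenClaims(aux.plain)
	if len(aux.Aud) == 0 {
		return nil // aud absent
	}
	var one string
	if json.Unmarshal(aux.Aud, &one) == nil {
		c.Audience = one
		return nil
	}
	var many []string
	if err := json.Unmarshal(aux.Aud, &many); err != nil {
		return fmt.Errorf("aud is neither a string nor a string array: %w", err)
	}
	c.Audience = strings.Join(many, ",") // several audiences kept comma-separated
	return nil
}

// payloadOf returns the decoded middle segment of a compact JWS. Nothing here checks
// the signature: a claim read this way is untrusted until VerifyPKToken accepts the token.
func payloadOf(idt []byte) ([]byte, error) {
	parts := strings.Split(string(idt), ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 JWS segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	return payload, nil
}

// DecodeIDToken parses the payload into IDTokenClaims (no signature check).
func DecodeIDToken(idt []byte) (*IDTokenClaims, error) {
	payload, err := payloadOf(idt)
	if err != nil {
		return nil, err
	}
	c := new(IDTokenClaims)
	return c, json.Unmarshal(payload, c)
}

// ExtractStringClaim returns one string-valued claim by name (the library's own ExtractClaim logic is not shown here).
func ExtractStringClaim(idt []byte, name string) (string, error) {
	payload, err := payloadOf(idt)
	if err != nil {
		return "", err
	}
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("parsing claims: %w", err)
	}
	var s string
	if raw, ok := claims[name]; !ok {
		return "", fmt.Errorf("claim %q not present", name)
	} else if json.Unmarshal(raw, &s) != nil {
		return "", fmt.Errorf("claim %q is not a string", name)
	}
	return s, nil
}

// BuildSampleToken assembles a constructed, unsigned token (alg "none", empty signature) as offline test input only.
func BuildSampleToken(claims map[string]any) []byte {
	hdr, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	return []byte(base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body) + ".")
}

func main() {
	tok := BuildSampleToken(map[string]any{"sub": "user-1234", "aud": []string{"app-a", "app-b"}, "nonce": "n1"})
	if c, err := DecodeIDToken(tok); err == nil {
		fmt.Println(c.Subject, c.Audience, c.Nonce)
	}
}
```

The embedded `plain` type is the usual trick for reusing the default decoder inside a custom UnmarshalJSON without infinite recursion; the aud field is read separately as raw JSON so that both the string and the array form are accepted while anything else is rejected rather than silently dropped.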
type OpenIdProvider
type OpenIdProvider interface {
	Issuer() string
	RequestTokens(ctx context.Context, cicHash string) (*memguard.LockedBuffer, error)
	PublicKey(ctx context.Context, headers jws.Headers) (crypto.PublicKey, error)
	VerifyCICHash(ctx context.Context, idt []byte, expectedCICHash string) error
	VerifyNonGQSig(ctx context.Context, idt []byte, expectedNonce string) error
}
Interface for interacting with the OP (OpenID Provider)
type OpkClient
type OpkClient struct {
	Op OpenIdProvider
	// contains filtered or unexported fields
}
OpkClient is the OpenPubkey client
func New
func New(op OpenIdProvider, opts ...ClientOpts) (*OpkClient, error)
New returns a new client.OpkClient. The op argument should be the OpenID Provider you want to authenticate against.
func (*OpkClient) Auth
func (o *OpkClient) Auth(ctx context.Context, opts ...AuthOpts) (*pktoken.PKToken, error)
Auth returns a PK Token by running the OpenPubkey protocol. It will first authenticate to the configured OpenID Provider (OP) and receive an ID Token. Using this ID Token it will generate a PK Token. If a Cosigner has been configured, it will also attempt to get the PK Token cosigned.
func (*OpkClient) GetAlg
func (o *OpkClient) GetAlg() jwa.KeyAlgorithm
GetAlg returns the algorithm of the client's key pair (Public Key, Signing Key)
func (*OpkClient) GetCosP
func (o *OpkClient) GetCosP() *CosignerProvider
GetCosP returns the MFA Cosigner Provider the OpkClient has been configured to use
func (*OpkClient) GetOp
func (o *OpkClient) GetOp() OpenIdProvider
GetOp returns the OpenID Provider the OpkClient has been configured to use
func (*OpkClient) GetSignGQ
func (o *OpkClient) GetSignGQ() bool
GetSignGQ returns whether the client is using GQ signatures to hide the OP's signature on the ID Token in this PK Token.
type PKTokenVerifier
type PKTokenVerifier struct {
	AllowedProviders []OpenIdProvider
	AllowedCosigners []CosignerProvider
}