Documentation

Index
- Constants
- func AssertObjectKeysEqual(t *testing.T, a, b interface{}, keys ...string)
- func AssertObjectKeysNotEqual(t *testing.T, a, b interface{}, keys ...string)
- func RequireObjectKeysEqual(t *testing.T, a, b interface{}, keys ...string)
- func RequireObjectKeysNotEqual(t *testing.T, a, b interface{}, keys ...string)
- func TestHelperRunner(t *testing.T, store InternalRegistry, k string)
- type AssertionJWTReader
- type BlacklistedJTI
- type Handler
- func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) DefaultErrorHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) DeleteHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) FlushHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) IntrospectHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) LogoutHandler(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
- func (h *Handler) RevocationHandler(w http.ResponseWriter, r *http.Request)
- func (h *Handler) SetRoutes(admin *helpers.RouterAdmin, public *helpers.RouterPublic, ...)
- func (h *Handler) TokenHandler(w http.ResponseWriter, r *http.Request)
- func (h *Handler) UserinfoHandler(w http.ResponseWriter, r *http.Request)
- func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request)
- type InternalRegistry
- type Registry
- type Session
Constants

const (
	DefaultLoginPath      = "/oauth2/fallbacks/login"
	DefaultConsentPath    = "/oauth2/fallbacks/consent"
	DefaultPostLogoutPath = "/oauth2/fallbacks/logout/callback"
	DefaultLogoutPath     = "/oauth2/fallbacks/logout"
	DefaultErrorPath      = "/oauth2/fallbacks/error"

	TokenPath     = "/oauth2/token" // #nosec G101
	AuthPath      = "/oauth2/auth"
	LogoutPath    = "/oauth2/sessions/logout"
	UserinfoPath  = "/userinfo"
	WellKnownPath = "/.well-known/openid-configuration"
	JWKPath       = "/.well-known/jwks.json"

	// IntrospectPath points to the OAuth2 introspection endpoint.
	IntrospectPath   = "/oauth2/introspect"
	RevocationPath   = "/oauth2/revoke"
	FlushPath        = "/oauth2/flush"
	DeleteTokensPath = "/oauth2/tokens" // #nosec G101
)
Variables

This section is empty.

Functions

func AssertObjectKeysEqual

func AssertObjectKeysEqual(t *testing.T, a, b interface{}, keys ...string)

func RequireObjectKeysEqual

func RequireObjectKeysEqual(t *testing.T, a, b interface{}, keys ...string)

func TestHelperRunner

func TestHelperRunner(t *testing.T, store InternalRegistry, k string)

TestHelperRunner is used to run the database suite of tests in this package. KEEP EXPORTED AND AVAILABLE FOR THIRD PARTIES TO TEST PLUGINS!
Types

type AssertionJWTReader

type AssertionJWTReader interface {
	helpers.FositeStorer
	GetClientAssertionJWT(ctx context.Context, jti string) (*BlacklistedJTI, error)
	SetClientAssertionJWTRaw(context.Context, *BlacklistedJTI) error
}

type BlacklistedJTI

type BlacklistedJTI struct {
	JTI    string    `db:"-"`
	ID     string    `db:"signature"`
	Expiry time.Time `db:"expires_at"`
}

func NewBlacklistedJTI

func NewBlacklistedJTI(jti string, exp time.Time) *BlacklistedJTI

func (*BlacklistedJTI) AfterFind

func (j *BlacklistedJTI) AfterFind(_ *pop.Connection) error

func (BlacklistedJTI) TableName

func (BlacklistedJTI) TableName() string
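AssertionJWTReader and BlacklistedJTI exist so that a client assertion JWT (private_key_jwt / client_secret_jwt client authentication) cannot be replayed: each jti is remembered until the assertion's own expiry. The following is an added example, not Hydra's code, of the replay check such a store supports. MemoryJTIStore, ConsumeJTI and Prune are hypothetical names; keying by a SHA-256 digest of the jti is an assumption made to mirror the fact that BlacklistedJTI persists a signature rather than the raw jti.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrJTIReplayed is returned when a client assertion's jti has already been
// consumed and the assertion it came from has not yet expired.
var ErrJTIReplayed = errors.New("client assertion jti has already been used")

// ErrAssertionExpired is returned for an assertion whose exp is not in the future.
var ErrAssertionExpired = errors.New("client assertion is already expired")

// MemoryJTIStore is a constructed, in-memory stand-in for the persistence
// behind AssertionJWTReader. Entries are keyed by a digest of the jti
// (assumption: SHA-256) rather than the raw value, mirroring that
// BlacklistedJTI stores a signature in its ID field.
type MemoryJTIStore struct {
	mu   sync.Mutex
	seen map[string]time.Time // digest(jti) -> expiry of the assertion
	now  func() time.Time     // injectable clock, for deterministic tests
}

// NewMemoryJTIStore returns an empty store; a nil clock means time.Now.
func NewMemoryJTIStore(now func() time.Time) *MemoryJTIStore {
	if now == nil {
		now = time.Now
	}
	return &MemoryJTIStore{seen: map[string]time.Time{}, now: now}
}

func digestJTI(jti string) string {
	sum := sha256.Sum256([]byte(jti))
	return hex.EncodeToString(sum[:])
}

// ConsumeJTI is the replay check a token endpoint runs before trusting a
// client assertion: the assertion must be unexpired and its jti must not
// have been seen while still valid. On success the jti is recorded until
// the assertion's own exp.
func (s *MemoryJTIStore) ConsumeJTI(jti string, exp time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.now()
	if !exp.After(now) {
		return ErrAssertionExpired
	}
	key := digestJTI(jti)
	if prev, ok := s.seen[key]; ok && prev.After(now) {
		return ErrJTIReplayed
	}
	s.seen[key] = exp
	return nil
}

// Prune drops entries whose expiry has passed and reports how many were
// removed. Keeping a jti past its assertion's exp buys nothing, because an
// assertion carrying that exp would be rejected as expired anyway.
func (s *MemoryJTIStore) Prune() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.now()
	removed := 0
	for key, exp := range s.seen {
		if !exp.After(now) {
			delete(s.seen, key)
			removed++
		}
	}
	return removed
}

func main() {
	store := NewMemoryJTIStore(nil)
	exp := time.Now().Add(5 * time.Minute)
	fmt.Println("first use:", store.ConsumeJTI("constructed-jti-1", exp))
	fmt.Println("replay:   ", store.ConsumeJTI("constructed-jti-1", exp))
}
```

The store must be shared by every token endpoint instance that accepts assertions for the same client, which is why Hydra backs it with the database rather than process memory; an in-memory store only protects a single replica.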
type Handler

type Handler struct {
	// contains filtered or unexported fields
}

func NewHandler

func NewHandler(r InternalRegistry, c *config.Provider) *Handler

func (*Handler) AuthHandler

func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route GET /oauth2/auth public oauthAuth

The OAuth 2.0 Authorize Endpoint
This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows. OAuth2 is a very popular protocol and a library for your programming language exists.
To learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749
Consumes:
- application/x-www-form-urlencoded

Schemes: http, https

Responses:
302: emptyResponse
401: jsonError
500: jsonError
func (*Handler) DefaultErrorHandler

func (h *Handler) DefaultErrorHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

func (*Handler) DeleteHandler

func (h *Handler) DeleteHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route DELETE /oauth2/tokens admin deleteOAuth2Token

Delete OAuth2 Access Tokens from a Client

This endpoint deletes the OAuth2 access tokens issued for a client from the database.

Consumes:
- application/json

Schemes: http, https

Responses:
204: emptyResponse
401: jsonError
500: jsonError
func (*Handler) FlushHandler

func (h *Handler) FlushHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route POST /oauth2/flush admin flushInactiveOAuth2Tokens

Flush Expired OAuth2 Access Tokens

This endpoint flushes expired OAuth2 access tokens from the database. You can set a time after which no tokens will be touched, in case you want to keep recent tokens for auditing. Refresh tokens cannot be flushed, as they are deleted automatically when performing the refresh flow.

Consumes:
- application/json

Schemes: http, https

Responses:
204: emptyResponse
401: jsonError
500: jsonError
func (*Handler) IntrospectHandler

func (h *Handler) IntrospectHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route POST /oauth2/introspect admin introspectOAuth2Token

Introspect OAuth2 Tokens

The introspection endpoint allows you to check whether a token (both refresh and access) is active or not. An active token is neither expired nor revoked. If a token is active, additional information on the token will be included. You can set additional data for a token by setting `accessTokenExtra` during the consent flow.

For more information [read this blog post](https://www.oauth.com/oauth2-servers/token-introspection-endpoint/).

Consumes:
- application/x-www-form-urlencoded

Produces:
- application/json

Schemes: http, https

Responses:
200: oAuth2TokenIntrospection
401: jsonError
500: jsonError
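The way a resource server consumes this endpoint is easy to get wrong, because an expired, revoked or unknown token does not produce an HTTP error: the endpoint answers 200 with `active: false`, so the caller has to make the deny decision itself. The following added example (not Hydra's code, and not its SDK) posts the form-encoded `token` parameter to `/oauth2/introspect`, parses the RFC 7662 fields and grants access only when the token is active and carries a required scope. The admin API is replaced by an in-process httptest server (fakeHydraAdmin, a constructed stand-in) so the example runs offline; Introspect, Authorize and the sample token values are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Introspection holds the RFC 7662 response fields a resource server usually
// acts on; Hydra's oAuth2TokenIntrospection response carries more than these.
type Introspection struct {
	Active   bool   `json:"active"`
	Scope    string `json:"scope,omitempty"`
	ClientID string `json:"client_id,omitempty"`
	Subject  string `json:"sub,omitempty"`
	Exp      int64  `json:"exp,omitempty"`
}

var (
	ErrInactiveToken = errors.New("token is not active")
	ErrMissingScope  = errors.New("token does not carry the required scope")
)

// Introspect posts the token to the admin introspection endpoint
// (IntrospectPath, "/oauth2/introspect") as a form body and parses the reply.
// A revoked, expired or unknown token yields HTTP 200 with active=false, not
// an error, so callers must still check Active.
func Introspect(client *http.Client, adminBase, token string) (*Introspection, error) {
	form := url.Values{"token": {token}}
	resp, err := client.Post(
		strings.TrimRight(adminBase, "/")+"/oauth2/introspect",
		"application/x-www-form-urlencoded",
		strings.NewReader(form.Encode()),
	)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("introspection failed with HTTP %d", resp.StatusCode)
	}
	var in Introspection
	if err := json.NewDecoder(resp.Body).Decode(&in); err != nil {
		return nil, fmt.Errorf("decoding introspection response: %w", err)
	}
	return &in, nil
}

// Authorize is the resource server's decision: deny unless the token is
// active and its space-separated scope list contains requiredScope.
func Authorize(in *Introspection, requiredScope string) error {
	if !in.Active {
		return ErrInactiveToken
	}
	for _, s := range strings.Fields(in.Scope) {
		if s == requiredScope {
			return nil
		}
	}
	return ErrMissingScope
}

// fakeHydraAdmin is a constructed stand-in for the admin API so the example
// runs offline. It recognises exactly one token, "valid-token"; every other
// value is reported inactive, as an expired or revoked token would be.
func fakeHydraAdmin() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/oauth2/introspect" {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		if err := r.ParseForm(); err != nil {
			http.Error(w, "bad form", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if r.PostForm.Get("token") == "valid-token" {
			json.NewEncoder(w).Encode(Introspection{
				Active: true, Scope: "openid photos.read", ClientID: "demo-client",
				Subject: "user-1", Exp: 1700000000,
			})
			return
		}
		json.NewEncoder(w).Encode(Introspection{Active: false})
	}))
}

func main() {
	srv := fakeHydraAdmin()
	defer srv.Close()
	for _, tok := range []string{"valid-token", "revoked-or-unknown-token"} {
		in, err := Introspect(srv.Client(), srv.URL, tok)
		if err != nil {
			fmt.Println(tok, "->", err)
			continue
		}
		fmt.Println(tok, "-> active:", in.Active, "decision:", Authorize(in, "photos.read"))
	}
}
```

Because the endpoint lives on the admin API, only the resource server should reach it; exposing it on the public listener would let anyone probe which tokens are live.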
func (*Handler) LogoutHandler

func (h *Handler) LogoutHandler(w http.ResponseWriter, r *http.Request, ps httprouter.Params)

swagger:route GET /oauth2/sessions/logout public disconnectUser

OpenID Connect Front-Backchannel Enabled Logout

This endpoint initiates and completes user logout at ORY Hydra and initiates OpenID Connect Front-/Back-channel logout:

- https://openid.net/specs/openid-connect-frontchannel-1_0.html
- https://openid.net/specs/openid-connect-backchannel-1_0.html

Schemes: http, https

Responses:
302: emptyResponse
func (*Handler) RevocationHandler

func (h *Handler) RevocationHandler(w http.ResponseWriter, r *http.Request)

swagger:route POST /oauth2/revoke public revokeOAuth2Token

Revoke OAuth2 Tokens

Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no longer be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token. Revoking a refresh token also invalidates the access token that was created with it. A token may only be revoked by the client the token was generated for.

Consumes:
- application/x-www-form-urlencoded

Schemes: http, https

Security:
basic:
oauth2:

Responses:
200: emptyResponse
401: jsonError
500: jsonError
func (*Handler) SetRoutes

func (h *Handler) SetRoutes(admin *helpers.RouterAdmin, public *helpers.RouterPublic, corsMiddleware func(http.Handler) http.Handler)
func (*Handler) TokenHandler

func (h *Handler) TokenHandler(w http.ResponseWriter, r *http.Request)

swagger:route POST /oauth2/token public oauth2Token

The OAuth 2.0 Token Endpoint

The client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" HTTP request entity-body.

> Do not implement a client for this endpoint yourself. Use a library. There are many libraries
> available for any programming language. You can find a list of libraries here: https://oauth.net/code/
>
> Do note that Hydra SDK does not implement this endpoint properly. Use one of the libraries listed above!

Consumes:
- application/x-www-form-urlencoded

Produces:
- application/json

Schemes: http, https

Security:
basic:
oauth2:

Responses:
200: oauth2TokenResponse
400: jsonError
401: jsonError
500: jsonError
func (*Handler) UserinfoHandler

func (h *Handler) UserinfoHandler(w http.ResponseWriter, r *http.Request)

swagger:route GET /userinfo public userinfo

OpenID Connect Userinfo
This endpoint returns the payload of the ID Token, including the idTokenExtra values, of the provided OAuth 2.0 Access Token.
For more information please [refer to the spec](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo).
In the case of an authentication error, a WWW-Authenticate header might be set in the response with more information about the error. See [the spec](https://datatracker.ietf.org/doc/html/rfc6750#section-3) for more details about the header format.
Produces:
- application/json

Schemes: http, https

Security:
oauth2:

Responses:
200: userinfoResponse
401: jsonError
500: jsonError
func (*Handler) WellKnownHandler

func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request)

swagger:route GET /.well-known/openid-configuration public discoverOpenIDConfiguration

OpenID Connect Discovery

The well-known endpoint can be used to retrieve information for OpenID Connect clients. We encourage you not to roll your own OpenID Connect client but to use an OpenID Connect client library instead. You can learn more about this flow at https://openid.net/specs/openid-connect-discovery-1_0.html .

Popular libraries for OpenID Connect clients include oidc-client-js (JavaScript), go-oidc (Golang), and others. For a full list of clients go here: https://openid.net/developers/certified/

Produces:
- application/json

Schemes: http, https

Responses:
200: wellKnown
401: jsonError
500: jsonError
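One reason the text points you at a client library is that fetching the discovery document is only half of the job: before any endpoint in it is trusted, the document's `issuer` must equal the issuer the client was configured with, otherwise a client can be steered to another provider's endpoints. The following added example (not Hydra's code, nor any of the libraries named above) shows that validation over the `/.well-known/openid-configuration` response. The public API is replaced by an in-process httptest server (fakeHydraPublic, a constructed stand-in that advertises the paths from this package's constants); Discover, OpenIDConfiguration and the issuer values are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// OpenIDConfiguration holds the discovery fields most clients consume; the
// wellKnown response documented above contains more.
type OpenIDConfiguration struct {
	Issuer                string   `json:"issuer"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	UserinfoEndpoint      string   `json:"userinfo_endpoint"`
	JwksURI               string   `json:"jwks_uri"`
	EndSessionEndpoint    string   `json:"end_session_endpoint"`
	IDTokenSigningAlgs    []string `json:"id_token_signing_alg_values_supported"`
}

// Discover fetches <issuer>/.well-known/openid-configuration and validates it
// the way a client library does before trusting any endpoint in it: the
// document's issuer must equal the configured one, and every endpoint the
// client will use must be an absolute URL.
func Discover(client *http.Client, issuer string) (*OpenIDConfiguration, error) {
	issuer = strings.TrimRight(issuer, "/")
	resp, err := client.Get(issuer + "/.well-known/openid-configuration")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("discovery returned HTTP %d", resp.StatusCode)
	}
	var cfg OpenIDConfiguration
	if err := json.NewDecoder(resp.Body).Decode(&cfg); err != nil {
		return nil, fmt.Errorf("decoding discovery document: %w", err)
	}
	if strings.TrimRight(cfg.Issuer, "/") != issuer {
		return nil, fmt.Errorf("issuer mismatch: configured %q, document says %q", issuer, cfg.Issuer)
	}
	for name, ep := range map[string]string{
		"authorization_endpoint": cfg.AuthorizationEndpoint,
		"token_endpoint":         cfg.TokenEndpoint,
		"jwks_uri":               cfg.JwksURI,
	} {
		u, err := url.Parse(ep)
		if err != nil || !u.IsAbs() {
			return nil, fmt.Errorf("%s %q is not an absolute URL", name, ep)
		}
	}
	return &cfg, nil
}

// fakeHydraPublic is a constructed stand-in for the public API's discovery
// route. It advertises this package's paths under an issuer derived from the
// request Host, unless issuerOverride is set, which exercises the mismatch path.
func fakeHydraPublic(issuerOverride string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/.well-known/openid-configuration" {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		self := "http://" + r.Host
		issuer := self
		if issuerOverride != "" {
			issuer = issuerOverride
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(OpenIDConfiguration{
			Issuer:                issuer,
			AuthorizationEndpoint: self + "/oauth2/auth",
			TokenEndpoint:         self + "/oauth2/token",
			UserinfoEndpoint:      self + "/userinfo",
			JwksURI:               self + "/.well-known/jwks.json",
			EndSessionEndpoint:    self + "/oauth2/sessions/logout",
			IDTokenSigningAlgs:    []string{"RS256"},
		})
	}))
}

func main() {
	srv := fakeHydraPublic("")
	defer srv.Close()
	cfg, err := Discover(srv.Client(), srv.URL)
	if err != nil {
		fmt.Println("discovery rejected:", err)
		return
	}
	fmt.Println("token endpoint:", cfg.TokenEndpoint)

	bad := fakeHydraPublic("https://other-issuer.invalid")
	defer bad.Close()
	_, err = Discover(bad.Client(), bad.URL)
	fmt.Println("mismatching issuer rejected:", err != nil)
}
```

The issuer comparison is exact string equality apart from a trailing slash, which is what the discovery specification requires; loosening it to a host-only comparison would defeat the check.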
type InternalRegistry

type InternalRegistry interface {
	client.Registry
	helpers.RegistryWriter
	helpers.RegistryLogger
	consent.Registry
	Registry
}

type Registry

type Registry interface {
	OAuth2Storage() helpers.FositeStorer
	OAuth2Provider() fosite.OAuth2Provider
	AudienceStrategy() fosite.AudienceMatchingStrategy
	ScopeStrategy() fosite.ScopeStrategy
	AccessTokenJWTStrategy() jwk.JWTStrategy
	OpenIDJWTStrategy() jwk.JWTStrategy
	OpenIDConnectRequestValidator() *openid.OpenIDConnectRequestValidator
}

type Session

type Session struct {
	*openid.DefaultSession `json:"idToken"`
	Extra                  map[string]interface{} `json:"extra"`
	KID                    string
	ClientID               string
	ConsentChallenge       string
	ExcludeNotBeforeClaim  bool
	AllowedTopLevelClaims  []string
}

func NewSession

func (*Session) GetJWTClaims

func (s *Session) GetJWTClaims() jwt.JWTClaimsContainer