openidvc

package module
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 17, 2023 License: BSD-3-Clause Imports: 26 Imported by: 3

README

diddoc

Documentation

Index

Constants

View Source 
const (
	// VC signed as a JWT, not using JSON-LD (jwt_vc_json)
	VCJwtFormat CredentialFormat = "jwt_vc_json"
	// VC signed as a JWT, using JSON-LD (jwt_vc_json-ld)
	VCJwtJsonldFormat CredentialFormat = "jwt_vc_json-ld"
	// VC secured using Data Integrity, using JSON-LD, with proof suite requiring Linked Data canonicalization (ldp_vc)
	VCJsonldFormat CredentialFormat = "ldp_vc"
	// proof type for the proof of possession
	JwtProofType ProofType = "jwt"
	// The rfc6749 specifies us english, ebsi and https://github.com/golang/oauth2 are using british english
	// This authorization server supports both
	AuthorizationCode_en    GrantType = "authorisation_code"
	AuthorizationCode_en_us GrantType = "authorization_code"

	Code    ResponseType = "code"
	VPToken ResponseType = "vp_token"
	IdToken ResponseType = "id_token"

	CodeChallengeS256  CodeChallengeMethod = "S256"
	CodeChallengePlain CodeChallengeMethod = "plain"

	Public SubjectType = "public"
)

Variables

View Source 
var (
	Rfc6749Errors map[string]int = map[string]int{
		"invalid_request":           http.StatusBadRequest,
		"unauthorized_client":       http.StatusUnauthorized,
		"access_denied":             http.StatusForbidden,
		"unsupported_response_type": http.StatusBadRequest,
		"invalid_scope":             http.StatusBadRequest,
		"server_error":              http.StatusInternalServerError,
		"temporarily_unavailable":   http.StatusServiceUnavailable,
	}
	OpenidIssuanceErrors map[string]int = map[string]int{
		"invalid_request":               http.StatusBadRequest,
		"invalid_token":                 http.StatusForbidden,
		"unsupported_credential_type":   http.StatusBadRequest,
		"unsupported_credential_format": http.StatusBadRequest,
		"invalid_or_missing_proof":      http.StatusBadRequest,
	}
)

Functions

func AutorizationRequestHandler 

func AutorizationRequestHandler(w http.ResponseWriter, r *http.Request)

AutorizationRequestHandler is a http handler to handle the authorization request the autorization qequest handler can only handle a single authorization code flow it can not handle multiple repsonse_types

func CredentialResponseError 

func CredentialResponseError(w http.ResponseWriter, err error)

func NewDecetralizedIdentifierRegistry 

func NewDecetralizedIdentifierRegistry() *didMethodRegistry

NewDecetralizedIdentifierRegistry initializes the registration of did methods this function is implemented as a singleton

func ProviderMetadataRequestHandler 

func ProviderMetadataRequestHandler(w http.ResponseWriter, _ *http.Request)

ProviderMetadataRequestHandler handles the request for the provider metatdata

func PushedAutorizationRequestHandler 

func PushedAutorizationRequestHandler(w http.ResponseWriter, r *http.Request)

PushedAutorizationRequestHandler is a http handler to handle the pushed authorization request

func ResponseError 

func ResponseError(w http.ResponseWriter, err error)

func SecureCompare 

func SecureCompare(givenSha [64]byte, actualSha [64]byte) bool

SecureCompare performs a constant time compare of two strings to limit timing attacks.

func SetExpirationTime 

func SetExpirationTime(expirationTime time.Duration)

func SetIssuer 

func SetIssuer(issuer string)

Types

type AuthorizationDetails 

type AuthorizationDetails struct {
	Type                 string           `json:"type"`
	Format               string           `json:"format"`
	CredentialTypes      []CredentialType `json:"types"`
	CredentialDefinition string           `json:"credential_definition"`
}

type AuthorizationRequest 

type AuthorizationRequest struct {
	// scope is required
	Scope string `schema:"scope"`
	// response_type is required
	ResponseType ResponseType `schema:"response_type"`
	//client_id is required
	ClientId string `schema:"client_id"`
	// redirect_uri is required
	RedirectUri string `schema:"redirect_uri"`
	// state is recommended
	State string `schema:"state,omitempty"`
	// code_challenge is required, rfc 7636
	CodeChallenge       string              `schema:"code_challenge,omitempty"`
	CodeChallengeMethod CodeChallengeMethod `schema:"code_challenge_method,omitempty"`
	// not required because authorization_details is one way to request a credential, the other one is to use scope
	AuthorizationDetails string `schema:"authorization_details,omitempty"`
	// rfc 9126, OAuth 2.0 Pushed Authorization Requests
	RequestUri string `schema:"request_uri,omitempty"`
	// open id for presentations
	PresentDef    string `schema:"presentation_definition,omitempty"`
	PresentDefUri string `schema:"presentation_definition_uri,omitempty"`
	// nonce is required for presentation of the credential
	Nonce string `schema:"nonce,omitempty"`
}

AuthorizationRequest is an open id connect authorizarion request

func GetByClientRedirectUri 

func GetByClientRedirectUri(clientId string, redirectUri string) (*AuthorizationRequest, error)

func GetByClientRequestUri 

func GetByClientRequestUri(clientId string, requestUri string) (*AuthorizationRequest, error)

func GetByClientState 

func GetByClientState(clientId string, state string) (*AuthorizationRequest, error)

func (*AuthorizationRequest) CreateAuthorizationRequestForm 

func (ar *AuthorizationRequest) CreateAuthorizationRequestForm() (url.Values, error)

CreateAuthorizationRequestForm creates an url encoded form for the authorizaion request

func (*AuthorizationRequest) CreateAuthorizationResponse 

func (ar *AuthorizationRequest) CreateAuthorizationResponse(options ...VPTokenOption) (*url.URL, error)

CreateAuthorizationResponse returns a url for the openid authorization response

func (*AuthorizationRequest) CreatePushedAuthorizationResponse 

func (ar *AuthorizationRequest) CreatePushedAuthorizationResponse() (PushedAuthorizationResponse, error)

CreatePushedAuthorizationResponse returns a json pushed authorization response

func (*AuthorizationRequest) InitiatePresentationRequest 

func (ar *AuthorizationRequest) InitiatePresentationRequest() (string, error)

InitPresentationRequest generates a url which can be used to generate a qr-code

func (*AuthorizationRequest) PostFormAuthorizationRequest 

func (ar *AuthorizationRequest) PostFormAuthorizationRequest(uri url.URL) error

PostFormIssuanceRequest posts an authorization request for credential issuance from the holder to the issuer

func (*AuthorizationRequest) PostFormPushedAuthorizationRequest 

func (ar *AuthorizationRequest) PostFormPushedAuthorizationRequest(uri url.URL) (PushedAuthorizationResponse, error)

PostFormPushedAuthorizationRequest posts an pushed authorization request for credential issuance from the holder to the issuer

func (*AuthorizationRequest) PostFormTokenRequest 

func (ar *AuthorizationRequest) PostFormTokenRequest(r *http.Request, uri url.URL) (TokenResponse, error)

PostFormTokenRequest take the received request and posts the request to get the token

func (*AuthorizationRequest) ReceiveAuthorizationResponse 

func (ar *AuthorizationRequest) ReceiveAuthorizationResponse(r *http.Request) (AuthorizationResponse, error)

ReceiveAuthorizationResponse receives the authorization response

func (*AuthorizationRequest) RedirectPresentationRequest 

func (ar *AuthorizationRequest) RedirectPresentationRequest(w http.ResponseWriter, r *http.Request)

RedirectPresentationRequest redirects to an initiate request

func (*AuthorizationRequest) StoreClientRedirectUri 

func (a *AuthorizationRequest) StoreClientRedirectUri() error

func (*AuthorizationRequest) StoreClientState 

func (a *AuthorizationRequest) StoreClientState() error

func (*AuthorizationRequest) StoreRequestUri 

func (a *AuthorizationRequest) StoreRequestUri() error

func (*AuthorizationRequest) Validate 

func (ar *AuthorizationRequest) Validate() error

Validate validates the content of the authorization request

type AuthorizationResponse 

type AuthorizationResponse struct {
	// code is required when response type is token
	Code  string `schema:"code,omitempty"`
	State string `schema:"state,omitempty"`
	// parameters for the presentation response
	PresentationToken string `schema:"vp_token,omitempty"`
	IdentityToken     string `schema:"id_token,omitempty"`
	PresentSubmission string `schema:"presentation_submission,omitempty"`
}

AuthorizationResponse is an open id connect authorizarion response

func GetByCodeGranted 

func GetByCodeGranted(code string) (*AuthorizationResponse, error)

func (*AuthorizationResponse) StoreCodeGranted 

func (a *AuthorizationResponse) StoreCodeGranted() error

type ClientMetadata 

type ClientMetadata map[string]interface{}

type CodeChallengeMethod 

type CodeChallengeMethod string

func (CodeChallengeMethod) String 

func (cc CodeChallengeMethod) String() string

func (CodeChallengeMethod) Validate 

func (ccm CodeChallengeMethod) Validate(cc, cv string) bool

type CredentialFormat 

type CredentialFormat string

func (CredentialFormat) String 

func (rt CredentialFormat) String() string

type CredentialRequest 

type CredentialRequest struct {
	ClientId             string           `json:"client_id"`
	AuthorizationDetails string           `json:"authorization_details"`
	CNonce               string           `json:"c_nonce"`
	CNonceExpiresIn      time.Duration    `json:"c_nonce_expires_in"`
	BearerTokenSHA512    [64]byte         `json:"token_hash"`
	BearerTokenExpiresIn time.Duration    `json:"token_type"`
	Deferred             bool             `json:"deferred"`
	Format               CredentialFormat `json:"format"`
	// object containing the proof of posession of the did
	Proof ProofOfPossession `json:"proof"`
	// the following two attriutes are according to appendix E of the open id specification
	CredentialTypes      []string        `json:"types"`
	CredentialDefinition json.RawMessage `json:"credential_definition"`
}

func GetCredentialIssuanceByCNonce 

func GetCredentialIssuanceByCNonce(cnonce string) (*CredentialRequest, error)

func GetCredentialRequestSecure 

func GetCredentialRequestSecure(bearerToken string) (*CredentialRequest, error)

func (*CredentialRequest) CreateCredentialResponse 

func (c *CredentialRequest) CreateCredentialResponse(options ...CredentialResponseOption) (CredentialResponse, error)

CreateCredentialResponse creates the credential response that can be used in the http response the function uses the verifiableCredential and deferred parameters to indicate a direct issuance or a deferred issuance

func (*CredentialRequest) ResolveDid 

func (c *CredentialRequest) ResolveDid(didString string) (diddoc.Document, error)

ResolveDid resolves a did from ebsi

func (*CredentialRequest) StoreCredentialRequest 

func (c *CredentialRequest) StoreCredentialRequest() error

Store the access token values indexed on c_nonce

func (*CredentialRequest) Validate 

func (c *CredentialRequest) Validate() error

Validate validates the credential request (only content) The client id should be the host of the

type CredentialResponse 

type CredentialResponse struct {
	Format          CredentialFormat `json:"format"`
	Credential      string           `json:"credential"`
	AcceptanceToken string           `json:"acceptance_token"`
	CNonce          string           `json:"c_nonce"`
	CNonceExpiresIn time.Duration    `json:"c_nonce_expires_in"`
}

type CredentialResponseOption 

type CredentialResponseOption func(*optionalParameters)

func WithAcceptanceTokenSigningKey 

func WithAcceptanceTokenSigningKey(alg jwa.KeyAlgorithm, sigKey interface{}) CredentialResponseOption

WithAcceptanceTokenSigningKey is the option for the algorithm and signing key

func WithCredentialDeferred 

func WithCredentialDeferred() CredentialResponseOption

WithCredentialDeferred is the option to defer the issuance of the credential

func WithVerifiableCredentialn 

func WithVerifiableCredentialn(vc string, f CredentialFormat) CredentialResponseOption

WithVerifiableCredentialn is the option to pass the credential for issuance

type CredentialSubject 

type CredentialSubject interface{}

type CredentialType 

type CredentialType string

func (CredentialType) String 

func (cc CredentialType) String() string

type DecetralizedIdentifier 

type DecetralizedIdentifier interface {
	ResolveDid(did string) (interface{}, error)
}

DecetralizedIdentifier is the interface for a decentralized identifier

type DescriptorMap 

type DescriptorMap struct {
	Id         string     `json:"id"`
	Format     string     `json:"format"`
	Path       string     `json:"path"`
	PathNested PathNested `json:"path_nested"`
}

type ErrorResponse 

type ErrorResponse struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description,omitempty"`
	ErrorUri         string `json:"error_uri,omitempty"`
}

ErrorResponse is the oauth2 error response format

type GrantType 

type GrantType string

func (GrantType) String 

func (gt GrantType) String() string

type Issuer 

type Issuer interface {
	// NewCredentialRequest receives an open id for credential issuance request
	// the options must contain the signing key of the access token
	NewCredentialRequest(r *http.Request, options ...TokenResponseOption) (CredentialRequest, error)
	// NewDeferredCredentialRequest receives a issuance request for a deferred credential
	NewDeferredCredentialRequest(r *http.Request, options ...TokenResponseOption) (CredentialRequest, error)
}

func NewIssuer 

func NewIssuer() Issuer

NewCredentialRequest creates a new issuer interface for credential issuance

type MKVStore 

type MKVStore struct {
	*buntdb.DB
}

MemoryStore token storage based on buntdb(https://github.com/tidwall/buntdb)

func NewMemoryKVStore 

func NewMemoryKVStore() (*MKVStore, error)

NewMemoryKVStore create a store instance based on memory

func (*MKVStore) Get 

func (m *MKVStore) Get(key string) (string, error)

func (*MKVStore) GetAllKeys 

func (m *MKVStore) GetAllKeys() ([]string, error)

func (*MKVStore) Remove 

func (m *MKVStore) Remove(key string) error

remove key

func (*MKVStore) Set 

func (m *MKVStore) Set(key string, value string, expires time.Duration) error

Set persist the value with key

type Metadata 

type Metadata struct {
	Versions         map[string]float32 `mapstructure:"versions"`
	ServerConfig     ServerConfig       `mapstructure:"config"`
	ProviderMetadata ProviderMetadata   `mapstructure:"provider"`
	ClientMetadata   ClientMetadata     `mapstructure:"client"`
}

type OpenIdProvider 

type OpenIdProvider interface {
	InitiateIssuance()
	// NewPushedAuthorizationRequest receives the pushed authorization request
	NewPushedAuthorizationRequest(r *http.Request) (AuthorizationRequest, error)
	// NewValidatedAuthorizationRequest receives an open id for credential issuance authorization request and validates it
	NewAuthorizationRequest(r *http.Request) (AuthorizationRequest, error)
	// NewTokenRequest receives an open id token request
	NewTokenRequest(r *http.Request) (TokenRequest, error)
}

func NewOpenIdProvider 

func NewOpenIdProvider() OpenIdProvider

NewAuthorizationRequest creates a new open id provider interface

type PathNested 

type PathNested struct {
	Format string `json:"format"`
	Path   string `json:"path"`
}

type PresentDef 

type PresentDef map[string]interface{}

type PresentationSubmission 

type PresentationSubmission struct {
	Id            string          `json:"id"`
	DefinitionId  string          `json:"definition_id"`
	DescriptorMap []DescriptorMap `json:"descriptor_map"`
}

type Proof 

type Proof struct {
	ProofType ProofType `json:"proof_type"`
	Jwt       string    `json:"jwt"`
}

type ProofOfPossession 

type ProofOfPossession struct {
	ProofType ProofType `json:"proof_type"`
	Jwt       string    `json:"jwt"`
}

type ProofType 

type ProofType string

type ProviderMetadata 

type ProviderMetadata struct {
	// OpenID Connect Discovery 1.0 incorporating errata set 1
	Issuer                     string         `json:"issuer" mapstructure:"issuer"`
	AuthorizationEndpoint      string         `json:"authorization_endpoint" mapstructure:"authorization_endpoint"`
	TokenEndpoint              string         `json:"token_endpoint" mapstructure:"token_endpoint"`
	JwksUri                    string         `json:"jwks_uri" mapstructure:"jwks_uri"`
	ResponseTypesSupported     []ResponseType `json:"response_types_supported" mapstructure:"response_types_supported"`
	SubjectTypesSupported      []SubjectType  `json:"subject_types_supported" mapstructure:"subject_types_supported"`
	IdTokenSigningAlgSupported []string       `json:"id_token_signing_alg_values_supported" mapstructure:"id_token_signing_alg_values_supported"`

	// RFC9126 Pushed Authorization Requests
	PushedEndpoint string `json:"pushed_authorization_request_endpoint" mapstructure:"pushed_authorization_request_endpoint"`
	RequirePushed  bool   `json:"require_pushed_authorization_requests" mapstructure:"require_pushed_authorization_requests"`

	// OpenID for Verifiable Credential Issuance
	CredentialEndpoint   string                   `json:"credential_endpoint" mapstructure:"credential_endpoint"`
	CredentialsSupported []map[string]interface{} `json:"credentials_supported" mapstructure:"credentials_supported"`

	// OpenID for Verifiable Presentations
	PresentationFormats map[string]interface{} `json:"vp_formats_supported" mapstructure:"vp_formats_supported"`
}

Metadata implements rfc8414 Authorization Server Metadata (only required parameters)

func GetProviderMetadata 

func GetProviderMetadata() *ProviderMetadata

type PushedAuthorizationResponse 

type PushedAuthorizationResponse struct {
	RequestUri string        `json:"request_uri"`
	ExpiresIn  time.Duration `json:"expires_in"`
}

OpenId4VCPushedAuthResponse is an oauth2 pushed authorizarion response

type ResponseType 

type ResponseType string

func (ResponseType) String 

func (rt ResponseType) String() string

type ServerConfig 

type ServerConfig struct {
	ExpirationTime time.Duration `mapstructure:"expiration_time"`
}

func GetServerConfig 

func GetServerConfig() *ServerConfig

type SubjectType 

type SubjectType string

func (SubjectType) String 

func (cf SubjectType) String() string

type TokenRequest 

type TokenRequest struct {
	// grant_type is required
	GrantType GrantType `schema:"grant_type,omitempty"`
	// code is required
	Code string `schema:"code,omitempty"`
	// client_id is required
	ClientId string `schema:"client_id,omitempty"`
	// redirect_uri is required
	RedirectUri string `schema:"redirect_uri,omitempty"`
	// code_verifier is required
	CodeVerifier string `schema:"code_verifier,omitempty"`
}

OpenId4VCAuthResponse is an open id connect authorizarion response

func (*TokenRequest) CreateTokenResponse 

func (tr *TokenRequest) CreateTokenResponse(options ...TokenResponseOption) (TokenResponse, error)

CreateTokenResponse returns a json token response With the options, the signing key, algorithm, and issuer are passed

func (*TokenRequest) Validate 

func (tr *TokenRequest) Validate() error

Validate validates the token request against rfc6749 and open id connect

type TokenResponse 

type TokenResponse struct {
	AccessToken     string        `json:"access_token,omitempty"`
	TokenType       string        `json:"token_type,omitempty"`
	ExpiresIn       time.Duration `json:"expires_in,omitempty"`
	CNonce          string        `json:"c_nonce,omitempty"`
	CNonceExpiresIn time.Duration `json:"c_nonce_expires_in,omitempty"`
}

type TokenResponseOption 

type TokenResponseOption func(*optionalParameters)

func WithAccessTokenSigningKey 

func WithAccessTokenSigningKey(alg jwa.KeyAlgorithm, sigKey interface{}) TokenResponseOption

WithAccessTokenSigningKey is the option for the algorithm and signing key

type VPTokenOption 

type VPTokenOption func(*presentation)

func WithIdentityToken 

func WithIdentityToken(id string) VPTokenOption

WithIdentityToken is the option to return an is_token

func WithPresentationSubmission 

func WithPresentationSubmission(ps string) VPTokenOption

WithVerifiablePresentation is the option to return a presentation submission with the vp_token

func WithVerifiablePresentation 

func WithVerifiablePresentation(vp string) VPTokenOption

WithVerifiablePresentation is the option to return a vp_token

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.