oidc

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 14, 2021 License: MPL-2.0 Imports: 49 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// AuthMethodPrefix defines the prefix for AuthMethod public ids.
	AuthMethodPrefix = "amoidc"
	// AccountPrefix defines the prefix for Account public ids.
	AccountPrefix = "acctoidc"
)
View Source 
const (
	SigningAlgVO  voName = "SigningAlgs"
	CertificateVO voName = "Certificates"
	AudClaimVO    voName = "AudClaims"
)
View Source 
const (
	// AttemptExpiration defines the TTL for an authentication attempt
	AttemptExpiration = 5 * 60 * time.Second

	// FinalRedirectEndpoint is the endpoint that the oidc callback redirect
	// client to after the callback is complete.
	FinalRedirectEndpoint = "%s/authentication-complete"

	// AuthenticationErrorsEndpoint is the endpoint that will returned as the final redirect
	// from the callback when there are auth errors
	AuthenticationErrorsEndpoint = "%s/authentication-error"

	// CallbackEndpoint is the endpoint for the oidc callback which will be
	// included in the auth URL returned when an authen attempted is kicked off.
	CallbackEndpoint = "%s/v1/auth-methods/%s:authenticate:callback"
)

Variables

This section is empty.

Functions

func Callback 

func Callback(
	ctx context.Context,
	oidcRepoFn OidcRepoFactory,
	iamRepoFn IamRepoFactory,
	atRepoFn AuthTokenRepoFactory,
	am *AuthMethod,
	state, code string) (finalRedirect string, e error)

Callback is an oidc domain service function for processing a successful OIDC Authentication Response from an IdP oidc callback. On success, it returns a final redirect URL for the response to the IdP.

Callback can return several errors including errors.Forbidden for requests with non-unique states (which are replays)

For more info on a successful OIDC Authentication Response see: https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse

The service operation includes:

* Decrypt the state which has been encrypted with the OIDC DEK. If decryption fails, and error is returned. Decrypted state payload includes the token_request_id, nonce and final_redirect_url.

* Exchange the callbackCodeParameter for provider tokens and validate the tokens. Call UserInfo endpoint using access token.

* Use oidc.(Repository).upsertAccount to create/update account using ID Tokens claims. The "sub" claim as external ID and setting email and full name for the account.

* Use iam.(Repository).LookupUserWithLogin(...) look up the iam.User matching the Account.

* Use the authtoken.(Repository).CreateAuthToken(...) to create a pending auth token for the authenticated user.

func EncodeCertificates 

func EncodeCertificates(certs ...*x509.Certificate) ([]string, error)

EncodeCertificates will encode a number of x509 certificates to PEMs.

func ParseCertificates 

func ParseCertificates(pems ...string) ([]*x509.Certificate, error)

ParseCertificates will parse a number of certificates PEMs to x509s.

func StartAuth 

func StartAuth(ctx context.Context, oidcRepoFn OidcRepoFactory, authMethodId string, opt ...Option) (authUrl *url.URL, tokenId string, e error)

StartAuth accepts a request to start an OIDC authentication/authorization attempt. It returns two URLs and a tokenId. authUrl is an OIDC authorization request URL. The authUrl includes a "state" parameter which is encrypted and has a payload which includes (among other things) the final redirect (calculated from the clientInfo), a token_request_id, and nonce. The tokenUrl is the URL theclient can use to retrieve the results of the user's OIDC authentication attempt. The tokenId is an encrypted payload for the POST request to the tokenUrl.

If the auth method is in an InactiveState, then an error is returned.

Options supported:

WithRoundTripPayload(string) provides an option for a client roundtrip payload. This payload will be added to the final redirect as a query parameter.

func SupportedAlgorithm 

func SupportedAlgorithm(a Alg) bool

SupportedAlgorithm returns true iff the provided algorithm is supported by boundary.

func TestConvertToUrls 

func TestConvertToUrls(t *testing.T, urls ...string) []*url.URL

TestConvertToUrls will convert URL string representations to a slice of *url.URL

func TestPendingToken 

func TestPendingToken(
	t *testing.T,
	tokenRepo *authtoken.Repository,
	user *iam.User,
	acct *Account,
	tokenRequestId string,
) *authtoken.AuthToken

TestPendingToken will create a pending auth token for the tokenRequestId (aka public id)

func TestSortAuthMethods 

func TestSortAuthMethods(t *testing.T, methods []*AuthMethod)

TestSortAuthMethods will sort the provided auth methods by public id and it will sort each auth method's embedded value objects (algs, auds, certs, callbacks)

func TestTokenRequestId 

func TestTokenRequestId(
	t *testing.T,
	am *AuthMethod,
	kms *kms.Kms,
	expIn time.Duration,
	tokenPublicId string,
) string

TestTokenRequestId will make a request.Token and encrypt/encode within a request.Wrapper. the returned string can be used as a parameter for functions like: oidc.TokenRequest

func TokenRequest 

func TokenRequest(ctx context.Context, kms *kms.Kms, atRepoFn AuthTokenRepoFactory, authMethodId, tokenRequestId string) (*authtoken.AuthToken, error)

TokenRequest is an oidc domain service function for processing a token request from a Boundary client. Token requests are the result of a Boundary client polling the tokenUrl they received via StartAuth. On success, it returns Boundary token.

* Decrypt the tokenRequestId. If encryption fails, it returns an error.

* Use the authtoken.(Repository).IssueAuthToken to issue the request id's token and mark it as issued in the repo. If the token is already issue, an error is returned.

Types

type Account 

type Account struct {
	*store.Account
	// contains filtered or unexported fields
}

Account contains an OIDC auth account. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its Accounts.

func AllocAccount 

func AllocAccount() *Account

AllocAccount makes an empty one in memory

func NewAccount 

func NewAccount(authMethodId string, subject string, opt ...Option) (*Account, error)

NewAccount creates a new in memory Account assigned to OIDC AuthMethod. WithIssuer, WithFullName, WithEmail, WithName and WithDescription are the only valid options. All other options are ignored.

Subject equals the locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client.

Issuer equals the Verifiable Identifier for an Issuer. An Issuer Identifier is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.

FullName equals the End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.

Email equals the End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon this value being unique

See: https://openid.net/specs/openid-connect-core-1_0.html

func TestAccount 

func TestAccount(t *testing.T, conn *gorm.DB, am *AuthMethod, subject string, opt ...Option) *Account

TestAccount creates a test oidc auth account.

func (*Account) Clone 

func (a *Account) Clone() *Account

Clone an Account.

func (*Account) SetTableName 

func (a *Account) SetTableName(n string)

SetTableName sets the table name.

func (*Account) TableName 

func (a *Account) TableName() string

TableName returns the table name.

type Alg 

type Alg string

Alg represents asymmetric signing algorithms 

const (
	// JOSE asymmetric signing algorithm values as defined by RFC 7518.
	//
	// See: https://tools.ietf.org/html/rfc7518#section-3.1
	RS256 Alg = "RS256" // RSASSA-PKCS-v1.5 using SHA-256
	RS384 Alg = "RS384" // RSASSA-PKCS-v1.5 using SHA-384
	RS512 Alg = "RS512" // RSASSA-PKCS-v1.5 using SHA-512
	ES256 Alg = "ES256" // ECDSA using P-256 and SHA-256
	ES384 Alg = "ES384" // ECDSA using P-384 and SHA-384
	ES512 Alg = "ES512" // ECDSA using P-521 and SHA-512
	PS256 Alg = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256
	PS384 Alg = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384
	PS512 Alg = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512
	EdDSA Alg = "EdDSA"
)

type AudClaim 

type AudClaim struct {
	*store.AudClaim
	// contains filtered or unexported fields
}

AudClaim defines an audience claim for an OIDC auth method. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its AudClaims. AudClaims are value objects of an AuthMethod, therefore there's no need for oplog metadata, since only the AuthMethod will have metadata because it's the root aggregate.

see aud claim in the oidc spec: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

func AllocAudClaim 

func AllocAudClaim() AudClaim

AllocAudClaim make an empty one in memory.

func NewAudClaim 

func NewAudClaim(authMethodId string, audClaim string) (*AudClaim, error)

NewAudClaim creates a new in memory audience claim assigned to an OIDC AuthMethod. It supports no options. If an AuthMethod as assigned AudClaims, then ID tokens issued from the provider must contain one of the assigned audiences to be valid.

For more info on oidc aud claims, see the oidc spec: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

func (*AudClaim) Clone 

func (c *AudClaim) Clone() *AudClaim

Clone an AudClaim

func (*AudClaim) SetTableName 

func (c *AudClaim) SetTableName(n string)

SetTableName sets the table name.

func (*AudClaim) TableName 

func (c *AudClaim) TableName() string

TableName returns the table name.

type AuthMethod 

type AuthMethod struct {
	*store.AuthMethod
	// contains filtered or unexported fields
}

AuthMethod contains an OIDC auth method configuration. It is owned by a scope. AuthMethods can have Accounts, AudClaims, CallbackUrls, Certificates, SigningAlgs. AuthMethods also have one State at any given time which determines it's behavior for many its operations.

func AllocAuthMethod 

func AllocAuthMethod() AuthMethod

AllocAuthMethod makes an empty one in memory

func NewAuthMethod 

func NewAuthMethod(scopeId string, clientId string, clientSecret ClientSecret, opt ...Option) (*AuthMethod, error)

NewAuthMethod creates a new in memory AuthMethod assigned to scopeId. WithMaxAge, WithName and WithDescription are the only valid options. All other options are ignored.

State equals the state of the OIDC auth method. State is not a supported parameter when creating new AuthMethod's since it must be Inactive for all new AuthMethods.

Issuer equals a URL that identifies the OIDC provider. Boundary will strip off anything beyond scheme, host and port

ClientId equals an OAuth 2.0 Client Identifier valid at the Authorization Server.

ClientSecret equals the client's secret which will be encrypted when stored in the database and an hmac representation will also be stored when ever the secret changes. The secret is not returned via the API, the hmac is returned so callers can determine if it's been updated.

MaxAge equals the Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. A value -1 basically forces the IdP to re-authenticate the End-User. Zero is not a valid value.

See: https://openid.net/specs/openid-connect-core-1_0.html

Supports the options of WithMaxAge, WithSigningAlgs, WithAudClaims, WithApiUrl and WithCertificates and all other options are ignored.

func TestAuthMethod 

func TestAuthMethod(
	t *testing.T,
	conn *gorm.DB,
	databaseWrapper wrapping.Wrapper,
	scopeId string,
	state AuthMethodState,
	clientId string,
	clientSecret ClientSecret,
	opt ...Option) *AuthMethod

TestAuthMethod creates a test oidc auth method. WithName, WithDescription, WithMaxAge, WithApiUrl, WithIssuer, WithCertificates, WithAudClaims, and WithSigningAlgs options are supported.

func (*AuthMethod) Clone 

func (a *AuthMethod) Clone() *AuthMethod

Clone an AuthMethod.

func (*AuthMethod) SetTableName 

func (a *AuthMethod) SetTableName(n string)

SetTableName sets the table name.

func (*AuthMethod) TableName 

func (a *AuthMethod) TableName() string

TableName returns the table name.

type AuthMethodState 

type AuthMethodState string

AuthMethodState defines the possible states for an oidc auth method 

const (
	UnknownState       AuthMethodState = "unknown"
	InactiveState      AuthMethodState = "inactive"
	ActivePrivateState AuthMethodState = "active-private"
	ActivePublicState  AuthMethodState = "active-public"
)

type AuthTokenRepoFactory 

type AuthTokenRepoFactory func() (*authtoken.Repository, error)

AuthTokenRepoFactory is used by "service functions" to create a new auth token repo

type Certificate 

type Certificate struct {
	*store.Certificate
	// contains filtered or unexported fields
}

Certificate defines a certificate to use as part of a trust root when connecting to the auth method's OIDC Provider. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its Certificates. Certificates are value objects of an AuthMethod, therefore there's no need for oplog metadata, since only the AuthMethod will have metadata because it's the root aggregate.

func AllocCertificate 

func AllocCertificate() Certificate

AllocCertificate makes an empty one in memory

func NewCertificate 

func NewCertificate(authMethodId string, certificatePem string) (*Certificate, error)

NewCertificate creates a new in memory certificate assigned to and OIDC auth method.

func (*Certificate) Clone 

func (c *Certificate) Clone() *Certificate

Clone a Certificate

func (*Certificate) SetTableName 

func (c *Certificate) SetTableName(n string)

SetTableName sets the table name.

func (*Certificate) TableName 

func (c *Certificate) TableName() string

TableName returns the table name.

type ClientSecret 

type ClientSecret string

ClientSecret equals an AuthMethod's client secret. This type provides a wrapper so the secret isn't inadvertently leaked into a log or error.

func (ClientSecret) MarshalJSON 

func (s ClientSecret) MarshalJSON() ([]byte, error)

MarshalJSON will redact the client_secret.

func (ClientSecret) String 

func (s ClientSecret) String() string

String will redact the client_secret.

type HTTPClient 

type HTTPClient interface {
	Do(req *http.Request) (*http.Response, error)
}

type IamRepoFactory 

type IamRepoFactory func() (*iam.Repository, error)

IamRepoFactory is used by "service functions" to create a new iam repo

type OidcRepoFactory 

type OidcRepoFactory func() (*Repository, error)

OidcRepoFactory is used by "service functions" to create a new oidc repo

type Option 

type Option func(*options)

Option - how Options are passed as arguments.

func WithApiUrl 

func WithApiUrl(urls *url.URL) Option

WithApiUrl provides optional api URL to use in the various

func WithAudClaims 

func WithAudClaims(aud ...string) Option

WithAudClaims provides optional audience claims

func WithAuthMethod 

func WithAuthMethod(am *AuthMethod) Option

WithAuthMethod provides an option for passing an AuthMethod to the operation

func WithCertificates 

func WithCertificates(certs ...*x509.Certificate) Option

WithCertificates provides optional certificates.

func WithDescription 

func WithDescription(desc string) Option

WithDescription provides an optional description.

func WithDryRun 

func WithDryRun() Option

WithDryRun provides an option to do a "dry run" of a write operation, which will run verification steps and return any errors, but will not persist the data into the repository.

func WithEmail 

func WithEmail(email string) Option

WithEmail provides an optional email address for the account.

func WithForce 

func WithForce() Option

WithForce provides an option to force the write operation, regardless of whether or not it's pre-verification succeeds.

func WithFullName 

func WithFullName(n string) Option

WithFullName provides an optional full name for the account.

func WithIssuer 

func WithIssuer(iss *url.URL) Option

WithIssuer provides an option for specifying an issuer.

func WithKeyId 

func WithKeyId(id string) Option

WithKeyId provides an option for specifying a key id.

func WithLimit 

func WithLimit(l int) Option

WithLimit provides an option to provide a limit. Intentionally allowing negative integers. If WithLimit < 0, then unlimited results are returned. If WithLimit == 0, then default limits are used for results.

func WithMaxAge 

func WithMaxAge(max int) Option

WithMaxAge provides an optional max age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. A value -1 basically forces the IdP to re-authenticate the End-User. Zero is not a valid value.

see: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

func WithName 

func WithName(name string) Option

WithName provides an optional name.

func WithOperationalState 

func WithOperationalState(state AuthMethodState) Option

WithOperationalState provides an option for specifying an issuer.

func WithOrderByCreateTime 

func WithOrderByCreateTime(ascending bool) Option

WithOrderByCreateTime provides an option to specify ordering by the CreateTime field.

func WithPublicId 

func WithPublicId(publicId string) Option

WithPublicId provides an option for passing a public id to the operation

func WithRoundtripPayload 

func WithRoundtripPayload(payload string) Option

WithRoundTripPayload provides an option for passing an payload to be roundtripped during an authentication process.

func WithSigningAlgs 

func WithSigningAlgs(alg ...Alg) Option

WithSigningAlgs provides optional signing algorithms

func WithUnauthenticatedUser 

func WithUnauthenticatedUser(enabled bool) Option

WithUnauthenticatedUser provides an option for filtering results for an unauthenticated users.

type Repository 

type Repository struct {
	// contains filtered or unexported fields
}

Repository is the oidc repository

func NewRepository 

func NewRepository(r db.Reader, w db.Writer, kms *kms.Kms, opt ...Option) (*Repository, error)

NewRepository creates a new oidc Repository. Supports the options: WithLimit which sets a default limit on results returned by repo operations.

func (*Repository) CreateAccount 

func (r *Repository) CreateAccount(ctx context.Context, scopeId string, a *Account, opt ...Option) (*Account, error)

CreateAccount inserts an Account, a, into the repository and returns a new Account containing its PublicId. a is not changed. a must contain a valid AuthMethodId. a must not contain a PublicId. The PublicId is generated and assigned by this method. a must not contain an Issuer. The Issuer is retrieved from the auth method. If it does not contain an Issuer an error is returned.

a must contain a valid Subject. a.Subject must be unique for an a.AuthMethod/Issuer pair.

Both a.Name and a.Description are optional. If a.Name is set, it must be unique within a.AuthMethodId.

func (*Repository) CreateAuthMethod 

func (r *Repository) CreateAuthMethod(ctx context.Context, am *AuthMethod, opt ...Option) (*AuthMethod, error)

CreateAuthMethod creates am (*AuthMethod) in the repo along with its associated embedded optional value objects of SigningAlgs, AudClaims, and Certificates and returns the newly created AuthMethod (with its PublicId set)

The AuthMethod's public id and version must be empty (zero values).

All options are ignored.

func (*Repository) DeleteAccount 

func (r *Repository) DeleteAccount(ctx context.Context, scopeId, withPublicId string, opt ...Option) (int, error)

DeleteAccount deletes the account for the provided id from the repository returning a count of the number of records deleted. All options are ignored.

func (*Repository) DeleteAuthMethod 

func (r *Repository) DeleteAuthMethod(ctx context.Context, publicId string, _ ...Option) (int, error)

DeleteAuthMethod will delete the auth method from the repository. It is idempotent so if the auth method was not found, return 0 (no rows affected) and nil. No options are currently supported.

func (*Repository) ListAccounts 

func (r *Repository) ListAccounts(ctx context.Context, withAuthMethodId string, opt ...Option) ([]*Account, error)

ListAccounts in an auth method and supports WithLimit option.

func (*Repository) ListAuthMethods 

func (r *Repository) ListAuthMethods(ctx context.Context, scopeIds []string, opt ...Option) ([]*AuthMethod, error)

ListAuthMethods returns a slice of AuthMethods for the scopeId. The WithUnauthenticatedUser, WithLimit and WithOrder options are supported and 

all other options are ignored.

func (*Repository) LookupAccount 

func (r *Repository) LookupAccount(ctx context.Context, withPublicId string, opt ...Option) (*Account, error)

LookupAccount will look up an account in the repository. If the account is not found, it will return nil, nil. All options are ignored.

func (*Repository) LookupAuthMethod 

func (r *Repository) LookupAuthMethod(ctx context.Context, publicId string, opt ...Option) (*AuthMethod, error)

LookupAuthMethod will lookup an auth method in the repo, along with its associated Value Objects of SigningAlgs, CallbackUrls, AudClaims and Certificates. If it's not found, it will return nil, nil. The WithUnauthenticatedUser options is supported and all other options are ignored.

func (*Repository) MakeInactive 

func (r *Repository) MakeInactive(ctx context.Context, authMethodId string, version uint32, _ ...Option) (*AuthMethod, error)

MakeInactive will transision an OIDC auth method from either the ActivePrivateState or the ActivePublicState to the InactiveState. No options are supported.

func (*Repository) MakePrivate 

func (r *Repository) MakePrivate(ctx context.Context, authMethodId string, version uint32, opt ...Option) (*AuthMethod, error)

MakePrivate will transision an OIDC auth method from either the InactiveState or the ActivePublicState to the ActivePrivateState. If transitioning from the InactiveState, the transition will only succeed if the auth method is complete and the oidc.ValidateAuthMethod(...) succeeds. If the WithForce option is provided, oidc.ValidateAuthMethod(...) success is not required.

func (*Repository) MakePublic 

func (r *Repository) MakePublic(ctx context.Context, authMethodId string, version uint32, opt ...Option) (*AuthMethod, error)

MakePublic will transision an OIDC auth method from either the InactiveState or the ActivePrivateState to the ActivePublicState. If transitioning from the InactiveState, the transition will only succeed if the auth method is complete and the oidc.ValidateAuthMethod(...) succeeds. If the WithForce option is provided, oidc.ValidateAuthMethod(...) success is not required.

func (*Repository) UpdateAccount 

func (r *Repository) UpdateAccount(ctx context.Context, scopeId string, a *Account, version uint32, fieldMaskPaths []string, opt ...Option) (*Account, int, error)

UpdateAccount updates the repository entry for a.PublicId with the values in a for the fields listed in fieldMaskPaths. It returns a new Account containing the updated values and a count of the number of records updated. a is not changed.

a must contain a valid PublicId. Only a.Name and a.Description can be updated. If a.Name is set to a non-empty string, it must be unique within a.AuthMethodId.

An attribute of a will be set to NULL in the database if the attribute in a is the zero value and it is included in fieldMaskPaths.

func (*Repository) UpdateAuthMethod 

func (r *Repository) UpdateAuthMethod(ctx context.Context, am *AuthMethod, version uint32, fieldMaskPaths []string, opt ...Option) (*AuthMethod, int, error)

UpdateAuthMethod will retrieve the auth method from the repository, and update it based on the field masks provided.

The auth method will not be persisted in the repository if the auth method's OperationalStatus is currently ActivePublic or ActivePrivate and the update would have resulted in an incomplete/non-operational auth method.

During update, the auth method will be tested/validated against its provider's published OIDC discovery document. If this validation succeeds, the auth method is persisted in the repository, and the written auth method is returned.

fieldMaskPaths provides field_mask.proto paths for fields that should be updated. Fields will be set to NULL if the field is a zero value and included in fieldMask. Name, Description, Issuer, ClientId, ClientSecret, MaxAge are all updatable fields. The AuthMethod's Value Objects of SigningAlgs, CallbackUrls, AudClaims and Certificates are also updatable. if no updatable fields are included in the fieldMaskPaths, then an error is returned.

Options supported:

* WithDryRun: when this option is provided, the auth method is retrieved from the repo, updated based on the fieldMask, tested via Repository.ValidateDiscoveryInfo, the results of the update are returned, and and any errors reported. The updates are not peristed to the repository.

* WithForce: when this option is provided, the auth method is persisted in the repository without testing it's validity against its provider's published OIDC discovery document. Even if this option is provided, the auth method will not be persisted in the repository when the update would have resulted in an incomplete/non-operational auth method and it's OperationalStatus is currently ActivePublic or ActivePrivate.

Also, a successful update will invalidate (delete) the Repository's cache of the oidc.Provider for the AuthMethod.

func (*Repository) ValidateDiscoveryInfo 

func (r *Repository) ValidateDiscoveryInfo(ctx context.Context, opt ...Option) error

ValidateDiscoveryInfo will test/validate the provided AuthMethod against the info from it's discovery URL.

It will verify that all required fields for a working AuthMethod have values.

If the AuthMethod is complete, ValidateDiscoveryInfo retrieves the auth method's OpenID Configuration document. The values in the AuthMethod (and associated data) are validated with the retrieved document. The issuer and id token signing algorithm in the configuration are validated with the retrieved document. ValidateDiscoveryInfo also verifies the authorization, token, and user_info endpoints by connecting to each and uses any certificates in the configuration as trust anchors to confirm connectivity.

Options supported are: WithPublicId, WithAuthMethod

type SigningAlg 

type SigningAlg struct {
	*store.SigningAlg
	// contains filtered or unexported fields
}

SigningAlg defines an signing algorithm supported by an OIDC auth method. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its SigningAlgs. SigningAlgs are value objects of an AuthMethod, therefore there's no need for oplog metadata, since only the AuthMethod will have metadata because it's the root aggregate.

func AllocSigningAlg 

func AllocSigningAlg() SigningAlg

AllocSigningAlg makes an empty one in memory

func NewSigningAlg 

func NewSigningAlg(authMethodId string, alg Alg) (*SigningAlg, error)

NewSigningAlg creates a new in memory signing alg assigned to an OIDC AuthMethod. It supports no options.

func (*SigningAlg) Clone 

func (s *SigningAlg) Clone() *SigningAlg

Clone a SigningAlg

func (*SigningAlg) SetTableName 

func (s *SigningAlg) SetTableName(n string)

SetTableName sets the table name.

func (*SigningAlg) TableName 

func (s *SigningAlg) TableName() string

TableName returns the table name.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.