Documentation
¶
Overview ¶
Package oidc provides functions for interacting with OpenID Connect providers
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Configuration ¶
type Configuration struct {
// REQUIRED. URL using the https scheme with no query or fragment component
// that the OP asserts as its Issuer Identifier. If Issuer discovery is
// supported (see Section 2), this value MUST be identical to the issuer value
// returned by WebFinger. This also MUST be identical to the iss Claim value
// in ID Tokens issued from this Issuer.
Issuer string `json:"issuer"`
// REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint
AuthorizationEndpoint string `json:"authorization_endpoint"`
// URL of the OP's OAuth 2.0 Token Endpoint. This is REQUIRED unless only
// the Implicit Flow is used.
TokenEndpoint string `json:"token_endpoint"`
// RECOMMENDED. URL of the OP's UserInfo Endpoint. This URL MUST use the
// https scheme and MAY contain port, path, and query parameter components.
UserInfoEndpoint string `json:"userinfo_endpoint"`
// REQUIRED. URL of the OP's JSON Web Key Set [JWK] document. This contains
// the signing key(s) the RP uses to validate signatures from the OP.
// The JWK Set MAY also contain the Server's encryption key(s), which are used
// by RPs to encrypt requests to the Server. When both signing and encryption
// keys are made available, a use (Key Use) parameter value is REQUIRED for
// all keys in the referenced JWK Set to indicate each key's intended usage.
// Although some algorithms allow the same key to be used for both signatures
// and encryption, doing so is NOT RECOMMENDED, as it is less secure.
// The JWK x5c parameter MAY be used to provide X.509 representations of keys
// provided. When used, the bare key values MUST still be present and MUST
// match those in the certificate.
JWKSURI string `json:"jwks_uri"`
// RECOMMENDED. URL of the OP's Dynamic Client Registration Endpoint
RegistrationEndpoint string `json:"registration_endpoint"`
// RECOMMENDED. JSON array containing a list of the OAuth 2.0 scope values
// that this server supports. The server MUST support the openid scope value.
// Servers MAY choose not to advertise some supported scope values even when
// this parameter is used, although those defined in SHOULD be listed,
// if supported.
ScopesSupported []string `json:"scopes_supported"`
// REQUIRED. JSON array containing a list of the OAuth 2.0 response_type
// values that this OP supports. Dynamic OpenID Providers MUST support
// the code, id_token, and the token id_token Response Type values.
ResponseTypesSupported []string `json:"response_types_supported"`
// OPTIONAL. JSON array containing a list of the OAuth 2.0 response_mode
// values that this OP supports, as specified in OAuth 2.0 Multiple Response
// Type Encoding Practices. If omitted, the default for Dynamic OpenID
// Providers is ["query", "fragment"].
ResponseModesSupported []string `json:"response_modes_supported"`
// OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values
// that this OP supports. Dynamic OpenID Providers MUST support
// the authorization_code and implicit Grant Type values and MAY support
// other Grant Types. If omitted, the default value is
// ["authorization_code", "implicit"].
GrantTypesSupported []string `json:"grant_types_supported"`
// OPTIONAL. JSON array containing a list of the Authentication Context Class
// References that this OP supports.
ACRValuesSupported []string `json:"acr_values_supported"`
// REQUIRED. JSON array containing a list of the Subject Identifier types
// hat this OP supports. Valid types include pairwise and public.
SubjectTypesSupported []string `json:"subject_types_supported"`
// REQUIRED. JSON array containing a list of the JWS signing algorithms
// (alg values) supported by the OP for the ID Token to encode the Claims
// in a JWT. The algorithm RS256 MUST be included. The value none MAY be
// supported, but MUST NOT be used unless the Response Type used returns
// no ID Token from the Authorization Endpoint (such as when using the
// Authorization Code Flow).
IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
// OPTIONAL. JSON array containing a list of the JWE encryption algorithms
// (enc values) supported by the OP for the ID Token to encode the Claims
// in a JWT.
IDTokenEncryptionEncValuesSupported []string `json:"id_token_encryption_enc_values_supported"`
// OPTIONAL. JSON array containing a list of the JWS signing algorithms
// (alg values) supported by the UserInfo Endpoint to encode the Claims
// in a JWT. The value none MAY be included.
UserInfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported"`
// OPTIONAL. JSON array containing a list of the JWE encryption algorithms
// (alg values) supported by the UserInfo Endpoint to encode the Claims
// in a JWT.
UserInfoEncryptionAlgValuesSupported []string `json:"userinfo_encryption_alg_values_supported"`
// OPTIONAL. JSON array containing a list of the JWE encryption algorithms
// (enc values) supported by the UserInfo Endpoint to encode the Claims
// in a JWT.
UserInfoEncryptionEncValuesSupported []string `json:"userinfo_encryption_enc_values_supported"`
// OPTIONAL. JSON array containing a list of the JWS signing algorithms
// (alg values) supported by the OP for Request Objects, which are described
// in Section 6.1 of OpenID Connect Core 1.0. These algorithms are used both
// when the Request Object is passed by value (using the request parameter)
// and when it is passed by reference (using the request_uri parameter).
// Servers SHOULD support none and RS256.
RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`
// OPTIONAL. JSON array containing a list of the JWE encryption algorithms
// (alg values) supported by the OP for Request Objects. These algorithms are
// used both when the Request Object is passed by value and when it is
// passed by reference.
RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported"`
// OPTIONAL. JSON array containing a list of the JWE encryption algorithms
// (enc values) supported by the OP for Request Objects. These algorithms are
// used both when the Request Object is passed by value and when it is
// passed by reference.
RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported"`
// OPTIONAL. JSON array containing a list of Client Authentication methods
// supported by this Token Endpoint. The options are client_secret_post,
// client_secret_basic, client_secret_jwt, and private_key_jwt, as described
// in Section 9 of OpenID Connect Core 1.0. Other authentication methods MAY
// be defined by extensions. If omitted, the default is client_secret_basic
// -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of
// OAuth 2.0.
TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
// OPTIONAL. JSON array containing a list of the JWS signing algorithms
// (alg values) supported by the Token Endpoint for the signature on the JWT
// used to authenticate the Client at the Token Endpoint for the
// private_key_jwt and client_secret_jwt authentication methods. Servers
// SHOULD support RS256. The value none MUST NOT be used.
TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported"`
// OPTIONAL. JSON array containing a list of the display parameter values that
// the OpenID Provider supports. These values are described in Section 3.1.2.1
// of OpenID Connect Core 1.0.
DisplayValuesSupported []string `json:"display_values_supported"`
// OPTIONAL. JSON array containing a list of the Claim Types that the OpenID
// Provider supports. These Claim Types are described in Section 5.6 of OpenID
// Connect Core 1.0. Values defined by this specification are normal,
// aggregated, and distributed. If omitted, the implementation supports only
// normal Claims.
ClaimTypesSupported []string `json:"claim_types_supported"`
// RECOMMENDED. JSON array containing a list of the Claim Names of the Claims
// that the OpenID Provider MAY be able to supply values for. Note that for
// privacy or other reasons, this might not be an exhaustive list.
ClaimsSupported []string `json:"claims_supported"`
// OPTIONAL. URL of a page containing human-readable information that
// developers might want or need to know when using the OpenID Provider.
// In particular, if the OpenID Provider does not support Dynamic Client
// Registration, then information on how to register Clients needs to be
// provided in this documentation.
ServiceDocumentation string `json:"service_documentation"`
// OPTIONAL. Languages and scripts supported for values in Claims being
// returned, represented as a JSON array of BCP47 language tag values. Not all
// languages and scripts are necessarily supported for all Claim values.
ClaimsLocalesSupported []string `json:"claims_locales_supported"`
// OPTIONAL. Languages and scripts supported for the user interface,
// represented as a JSON array of BCP47 language tag values.
UILocalesSupported []string `json:"ui_locales_supported"`
// OPTIONAL. Boolean value specifying whether the OP supports use of the
// claims parameter, with true indicating support. If omitted, the default
// value is false.
ClaimsParameterSupported bool `json:"claims_parameter_supported"`
// OPTIONAL. Boolean value specifying whether the OP supports use of the
// request parameter, with true indicating support. If omitted, the
// default value is false.
RequestParameterSupported bool `json:"request_parameter_supported"`
// OPTIONAL. Boolean value specifying whether the OP supports use of the
// request_uri parameter, with true indicating support. If omitted, the
// default value is true.
RequestURIParameterSupported *bool `json:"request_uri_parameter_supported"`
// OPTIONAL. Boolean value specifying whether the OP requires any request_uri
// values used to be pre-registered using the request_uris registration
// parameter. Pre-registration is REQUIRED when the value is true. If omitted,
// the default value is false.
RequireRequestURIRegistration bool `json:"require_request_uri_registration"`
// OPTIONAL. URL that the OpenID Provider provides to the person registering
// the Client to read about the OP's requirements on how the Relying Party can
// use the data provided by the OP. The registration process SHOULD display
// this URL to the person registering the Client if it is given.
OpPolicyURI string `json:"op_policy_uri"`
// OPTIONAL. URL that the OpenID Provider provides to the person registering
// the Client to read about OpenID Provider's terms of service. The
// registration process SHOULD display this URL to the person registering
// the Client if it is given.
OpTOSURI string `json:"op_tos_uri"`
}
Configuration for connecting to OIDC provider Documentation and fields copied from https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
func GetOpenIDConnectConfiguration ¶
func GetOpenIDConnectConfiguration(ctx context.Context, client *http.Client, url string) (config Configuration, err error)
GetOpenIDConnectConfiguration from a well-known url. Should be Issuer + /.well-known/openid-configuration
func (*Configuration) FillDefaultValuesIfEmpty ¶
func (config *Configuration) FillDefaultValuesIfEmpty()
FillDefaultValuesIfEmpty with the following replacements:
- ResponseModesSupported: ["query", "fragment"]
- GrantTypesSupported: ["authorization_code", "implicit"]
- TokenEndpointAuthMethodsSupported: ["client_secret_basic"]
- RequestURIParameterSupported: true
func (Configuration) Valid ¶
func (config Configuration) Valid() error
Valid checks that all the fields marked as required are present.
Source Files
Click to show internal directories.
Click to hide internal directories.