Documentation ¶
Index ¶
- Constants
- func AssertObjectKeysEqual(t *testing.T, a, b interface{}, keys ...string)
- func AssertObjectKeysNotEqual(t *testing.T, a, b interface{}, keys ...string)
- func RequireObjectKeysEqual(t *testing.T, a, b interface{}, keys ...string)
- func RequireObjectKeysNotEqual(t *testing.T, a, b interface{}, keys ...string)
- func TestHelperCreateGetDeleteAccessTokenSession(m pkg.FositeStorer) func(t *testing.T)
- func TestHelperCreateGetDeleteAuthorizeCodes(m pkg.FositeStorer) func(t *testing.T)
- func TestHelperCreateGetDeleteOpenIDConnectSession(m pkg.FositeStorer) func(t *testing.T)
- func TestHelperCreateGetDeleteRefreshTokenSession(m pkg.FositeStorer) func(t *testing.T)
- func TestHelperRevokeRefreshToken(m pkg.FositeStorer) func(t *testing.T)
- type AcceptConsentRequestPayload
- type ConsentRequest
- type ConsentRequestManager
- type ConsentRequestMemoryManager
- func (m *ConsentRequestMemoryManager) AcceptConsentRequest(id string, payload *AcceptConsentRequestPayload) error
- func (m *ConsentRequestMemoryManager) GetConsentRequest(id string) (*ConsentRequest, error)
- func (m *ConsentRequestMemoryManager) PersistConsentRequest(session *ConsentRequest) error
- func (m *ConsentRequestMemoryManager) RejectConsentRequest(id string, payload *RejectConsentRequestPayload) error
- type ConsentRequestSQLManager
- func (m *ConsentRequestSQLManager) AcceptConsentRequest(id string, payload *AcceptConsentRequestPayload) error
- func (m *ConsentRequestSQLManager) CreateSchemas() (int, error)
- func (m *ConsentRequestSQLManager) GetConsentRequest(id string) (*ConsentRequest, error)
- func (m *ConsentRequestSQLManager) PersistConsentRequest(request *ConsentRequest) error
- func (m *ConsentRequestSQLManager) RejectConsentRequest(id string, payload *RejectConsentRequestPayload) error
- type ConsentSessionHandler
- func (h *ConsentSessionHandler) AcceptConsentRequestHandler(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
- func (h *ConsentSessionHandler) FetchConsentRequest(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
- func (h *ConsentSessionHandler) PrefixResource(resource string) string
- func (h *ConsentSessionHandler) RejectConsentRequestHandler(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
- func (h *ConsentSessionHandler) SetRoutes(r *httprouter.Router)
- type ConsentStrategy
- type DefaultConsentStrategy
- func (s *DefaultConsentStrategy) CreateConsentRequest(req fosite.AuthorizeRequester, redirectURL string, cookie *sessions.Session) (string, error)
- func (s *DefaultConsentStrategy) ValidateConsentRequest(req fosite.AuthorizeRequester, session string, cookie *sessions.Session) (claims *Session, err error)
- type FositeMemoryStore
- func (s *FositeMemoryStore) CreateAccessTokenSession(_ context.Context, signature string, req fosite.Requester) error
- func (s *FositeMemoryStore) CreateAuthorizeCodeSession(_ context.Context, code string, req fosite.Requester) error
- func (s *FositeMemoryStore) CreateImplicitAccessTokenSession(ctx context.Context, code string, req fosite.Requester) error
- func (s *FositeMemoryStore) CreateOpenIDConnectSession(_ context.Context, authorizeCode string, requester fosite.Requester) error
- func (s *FositeMemoryStore) CreateRefreshTokenSession(_ context.Context, signature string, req fosite.Requester) error
- func (s *FositeMemoryStore) DeleteAccessTokenSession(ctx context.Context, signature string) error
- func (s *FositeMemoryStore) DeleteAuthorizeCodeSession(_ context.Context, code string) error
- func (s *FositeMemoryStore) DeleteOpenIDConnectSession(_ context.Context, authorizeCode string) error
- func (s *FositeMemoryStore) DeleteRefreshTokenSession(ctx context.Context, signature string) error
- func (s *FositeMemoryStore) GetAccessTokenSession(_ context.Context, signature string, _ fosite.Session) (fosite.Requester, error)
- func (s *FositeMemoryStore) GetAuthorizeCodeSession(_ context.Context, code string, _ fosite.Session) (fosite.Requester, error)
- func (s *FositeMemoryStore) GetOpenIDConnectSession(_ context.Context, authorizeCode string, requester fosite.Requester) (fosite.Requester, error)
- func (s *FositeMemoryStore) GetRefreshTokenSession(_ context.Context, signature string, _ fosite.Session) (fosite.Requester, error)
- func (s *FositeMemoryStore) RevokeAccessToken(ctx context.Context, id string) error
- func (s *FositeMemoryStore) RevokeRefreshToken(ctx context.Context, id string) error
- type FositeSQLStore
- func (s *FositeSQLStore) CreateAccessTokenSession(_ context.Context, signature string, requester fosite.Requester) error
- func (s *FositeSQLStore) CreateAuthorizeCodeSession(_ context.Context, signature string, requester fosite.Requester) error
- func (s *FositeSQLStore) CreateImplicitAccessTokenSession(ctx context.Context, signature string, requester fosite.Requester) error
- func (s *FositeSQLStore) CreateOpenIDConnectSession(_ context.Context, signature string, requester fosite.Requester) error
- func (s *FositeSQLStore) CreateRefreshTokenSession(_ context.Context, signature string, requester fosite.Requester) error
- func (s *FositeSQLStore) CreateSchemas() (int, error)
- func (s *FositeSQLStore) DeleteAccessTokenSession(_ context.Context, signature string) error
- func (s *FositeSQLStore) DeleteAuthorizeCodeSession(_ context.Context, signature string) error
- func (s *FositeSQLStore) DeleteOpenIDConnectSession(_ context.Context, signature string) error
- func (s *FositeSQLStore) DeleteRefreshTokenSession(_ context.Context, signature string) error
- func (s *FositeSQLStore) GetAccessTokenSession(_ context.Context, signature string, session fosite.Session) (fosite.Requester, error)
- func (s *FositeSQLStore) GetAuthorizeCodeSession(_ context.Context, signature string, session fosite.Session) (fosite.Requester, error)
- func (s *FositeSQLStore) GetOpenIDConnectSession(_ context.Context, signature string, requester fosite.Requester) (fosite.Requester, error)
- func (s *FositeSQLStore) GetRefreshTokenSession(_ context.Context, signature string, session fosite.Session) (fosite.Requester, error)
- func (s *FositeSQLStore) RevokeAccessToken(ctx context.Context, id string) error
- func (s *FositeSQLStore) RevokeRefreshToken(ctx context.Context, id string) error
- type Handler
- func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) DefaultConsentHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) IntrospectHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) PrefixResource(resource string) string
- func (h *Handler) RevocationHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) SetRoutes(r *httprouter.Router)
- func (h *Handler) TokenHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) UserinfoHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- type Introspection
- type RejectConsentRequestPayload
- type Session
- type WellKnown
Constants ¶
const ( ConsentRequestAccepted = "accepted" ConsentRequestRejected = "rejected" ConsentRequestPath = "/oauth2/consent/requests" ConsentResource = "oauth2:consent:requests:%s" ConsentScope = "hydra.consent" )
const ( OpenIDConnectKeyName = "hydra.openid.id-token" DefaultConsentPath = "/oauth2/consent-fallback" TokenPath = "/oauth2/token" AuthPath = "/oauth2/auth" UserinfoPath = "/userinfo" WellKnownPath = "/.well-known/openid-configuration" JWKPath = "/.well-known/jwks.json" // IntrospectPath points to the OAuth2 introspection endpoint. IntrospectPath = "/oauth2/introspect" RevocationPath = "/oauth2/revoke" IntrospectScope = "hydra.introspect" )
const (
CookieCSRFKey = "consent_csrf"
)
Variables ¶
This section is empty.
Functions ¶
func AssertObjectKeysEqual ¶ added in v0.8.6
func AssertObjectKeysNotEqual ¶ added in v0.8.6
func RequireObjectKeysEqual ¶ added in v0.8.6
func RequireObjectKeysNotEqual ¶ added in v0.8.6
func TestHelperCreateGetDeleteAccessTokenSession ¶ added in v0.9.3
func TestHelperCreateGetDeleteAccessTokenSession(m pkg.FositeStorer) func(t *testing.T)
func TestHelperCreateGetDeleteAuthorizeCodes ¶ added in v0.9.3
func TestHelperCreateGetDeleteAuthorizeCodes(m pkg.FositeStorer) func(t *testing.T)
func TestHelperCreateGetDeleteOpenIDConnectSession ¶ added in v0.9.4
func TestHelperCreateGetDeleteOpenIDConnectSession(m pkg.FositeStorer) func(t *testing.T)
func TestHelperCreateGetDeleteRefreshTokenSession ¶ added in v0.9.4
func TestHelperCreateGetDeleteRefreshTokenSession(m pkg.FositeStorer) func(t *testing.T)
func TestHelperRevokeRefreshToken ¶ added in v0.9.4
func TestHelperRevokeRefreshToken(m pkg.FositeStorer) func(t *testing.T)
Types ¶
type AcceptConsentRequestPayload ¶ added in v0.9.14
type AcceptConsentRequestPayload struct { // AccessTokenExtra represents arbitrary data that will be added to the access token and that will be returned // on introspection and warden requests. AccessTokenExtra map[string]interface{} `json:"accessTokenExtra"` // IDTokenExtra represents arbitrary data that will be added to the ID token. The ID token will only be issued // if the user agrees to it and if the client requested an ID token. IDTokenExtra map[string]interface{} `json:"idTokenExtra"` // Subject represents a unique identifier of the user (or service, or legal entity, ...) that accepted the // OAuth2 request. Subject string `json:"subject"` // A list of scopes that the user agreed to grant. It should be a subset of requestedScopes from the consent request. GrantScopes []string `json:"grantScopes"` }
AcceptConsentRequestPayload represents data that will be used to accept a consent request.
swagger:model consentRequestAcceptance
type ConsentRequest ¶ added in v0.9.14
type ConsentRequest struct { // ID is the id of this consent request. ID string `json:"id"` // RequestedScopes represents a list of scopes that have been requested by the OAuth2 request initiator. RequestedScopes []string `json:"requestedScopes"` // ClientID is the client id that initiated the OAuth2 request. ClientID string `json:"clientId"` // ExpiresAt is the time where the access request will expire. ExpiresAt time.Time `json:"expiresAt"` // Redirect URL is the URL where the user agent should be redirected to after the consent has been // accepted or rejected. RedirectURL string `json:"redirectUrl"` CSRF string `json:"-"` GrantedScopes []string `json:"-"` Subject string `json:"-"` AccessTokenExtra map[string]interface{} `json:"-"` IDTokenExtra map[string]interface{} `json:"-"` Consent string `json:"-"` DenyReason string `json:"-"` }
ConsentRequest represents a consent request.
func (*ConsentRequest) IsConsentGranted ¶ added in v0.9.14
func (c *ConsentRequest) IsConsentGranted() bool
type ConsentRequestManager ¶ added in v0.9.14
type ConsentRequestManager interface { PersistConsentRequest(*ConsentRequest) error AcceptConsentRequest(id string, payload *AcceptConsentRequestPayload) error RejectConsentRequest(id string, payload *RejectConsentRequestPayload) error GetConsentRequest(id string) (*ConsentRequest, error) }
type ConsentRequestMemoryManager ¶ added in v0.9.14
func NewConsentRequestMemoryManager ¶ added in v0.9.14
func NewConsentRequestMemoryManager() *ConsentRequestMemoryManager
func (*ConsentRequestMemoryManager) AcceptConsentRequest ¶ added in v0.9.14
func (m *ConsentRequestMemoryManager) AcceptConsentRequest(id string, payload *AcceptConsentRequestPayload) error
func (*ConsentRequestMemoryManager) GetConsentRequest ¶ added in v0.9.14
func (m *ConsentRequestMemoryManager) GetConsentRequest(id string) (*ConsentRequest, error)
func (*ConsentRequestMemoryManager) PersistConsentRequest ¶ added in v0.9.14
func (m *ConsentRequestMemoryManager) PersistConsentRequest(session *ConsentRequest) error
func (*ConsentRequestMemoryManager) RejectConsentRequest ¶ added in v0.9.14
func (m *ConsentRequestMemoryManager) RejectConsentRequest(id string, payload *RejectConsentRequestPayload) error
type ConsentRequestSQLManager ¶ added in v0.9.14
type ConsentRequestSQLManager struct {
// contains filtered or unexported fields
}
func NewConsentRequestSQLManager ¶ added in v0.9.14
func NewConsentRequestSQLManager(db *sqlx.DB) *ConsentRequestSQLManager
func (*ConsentRequestSQLManager) AcceptConsentRequest ¶ added in v0.9.14
func (m *ConsentRequestSQLManager) AcceptConsentRequest(id string, payload *AcceptConsentRequestPayload) error
func (*ConsentRequestSQLManager) CreateSchemas ¶ added in v0.9.14
func (m *ConsentRequestSQLManager) CreateSchemas() (int, error)
func (*ConsentRequestSQLManager) GetConsentRequest ¶ added in v0.9.14
func (m *ConsentRequestSQLManager) GetConsentRequest(id string) (*ConsentRequest, error)
func (*ConsentRequestSQLManager) PersistConsentRequest ¶ added in v0.9.14
func (m *ConsentRequestSQLManager) PersistConsentRequest(request *ConsentRequest) error
func (*ConsentRequestSQLManager) RejectConsentRequest ¶ added in v0.9.14
func (m *ConsentRequestSQLManager) RejectConsentRequest(id string, payload *RejectConsentRequestPayload) error
type ConsentSessionHandler ¶ added in v0.9.14
type ConsentSessionHandler struct { H herodot.Writer M ConsentRequestManager W firewall.Firewall ResourcePrefix string }
func (*ConsentSessionHandler) AcceptConsentRequestHandler ¶ added in v0.9.14
func (h *ConsentSessionHandler) AcceptConsentRequestHandler(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
swagger:route PATCH /oauth2/consent/requests/{id}/accept oAuth2 acceptOAuth2ConsentRequest
Accept a consent request ¶
Call this endpoint to accept a consent request. This usually happens when a user agrees to give access rights to an application.
The consent request id is usually transmitted via the URL query `consent`. For example: `http://consent-app.mydomain.com/?consent=1234abcd`
The subject making the request needs to be assigned to a policy containing:
``` { "resources": ["rn:hydra:oauth2:consent:requests:<request-id>"], "actions": ["accept"], "effect": "allow" } ``` Consumes: - application/json Produces: - application/json Schemes: http, https Security: oauth2: hydra.consent Responses: 204: emptyResponse 401: genericError 500: genericError
func (*ConsentSessionHandler) FetchConsentRequest ¶ added in v0.9.14
func (h *ConsentSessionHandler) FetchConsentRequest(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
swagger:route GET /oauth2/consent/requests/{id} oAuth2 getOAuth2ConsentRequest
Receive consent request information ¶
Call this endpoint to receive information on consent requests. The consent request id is usually transmitted via the URL query `consent`. For example: `http://consent-app.mydomain.com/?consent=1234abcd`
The subject making the request needs to be assigned to a policy containing:
``` { "resources": ["rn:hydra:oauth2:consent:requests:<request-id>"], "actions": ["get"], "effect": "allow" } ``` Consumes: - application/json Produces: - application/json Schemes: http, https Security: oauth2: hydra.consent Responses: 200: oAuth2ConsentRequest 401: genericError 500: genericError
func (*ConsentSessionHandler) PrefixResource ¶ added in v0.10.0
func (h *ConsentSessionHandler) PrefixResource(resource string) string
func (*ConsentSessionHandler) RejectConsentRequestHandler ¶ added in v0.9.14
func (h *ConsentSessionHandler) RejectConsentRequestHandler(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
swagger:route PATCH /oauth2/consent/requests/{id}/reject oAuth2 rejectOAuth2ConsentRequest
Reject a consent request ¶
Call this endpoint to reject a consent request. This usually happens when a user denies access rights to an application.
The consent request id is usually transmitted via the URL query `consent`. For example: `http://consent-app.mydomain.com/?consent=1234abcd`
The subject making the request needs to be assigned to a policy containing:
``` { "resources": ["rn:hydra:oauth2:consent:requests:<request-id>"], "actions": ["reject"], "effect": "allow" } ``` Consumes: - application/json Produces: - application/json Schemes: http, https Security: oauth2: hydra.consent Responses: 204: emptyResponse 401: genericError 500: genericError
func (*ConsentSessionHandler) SetRoutes ¶ added in v0.9.14
func (h *ConsentSessionHandler) SetRoutes(r *httprouter.Router)
type ConsentStrategy ¶
type DefaultConsentStrategy ¶
type DefaultConsentStrategy struct { Issuer string DefaultIDTokenLifespan time.Duration DefaultChallengeLifespan time.Duration ConsentManager ConsentRequestManager }
func (*DefaultConsentStrategy) CreateConsentRequest ¶ added in v0.9.14
func (s *DefaultConsentStrategy) CreateConsentRequest(req fosite.AuthorizeRequester, redirectURL string, cookie *sessions.Session) (string, error)
func (*DefaultConsentStrategy) ValidateConsentRequest ¶ added in v0.9.14
func (s *DefaultConsentStrategy) ValidateConsentRequest(req fosite.AuthorizeRequester, session string, cookie *sessions.Session) (claims *Session, err error)
type FositeMemoryStore ¶ added in v0.6.0
type FositeMemoryStore struct { client.Manager AuthorizeCodes map[string]fosite.Requester IDSessions map[string]fosite.Requester AccessTokens map[string]fosite.Requester RefreshTokens map[string]fosite.Requester sync.RWMutex }
func (*FositeMemoryStore) CreateAccessTokenSession ¶ added in v0.6.0
func (*FositeMemoryStore) CreateAuthorizeCodeSession ¶ added in v0.6.0
func (*FositeMemoryStore) CreateImplicitAccessTokenSession ¶ added in v0.6.0
func (*FositeMemoryStore) CreateOpenIDConnectSession ¶ added in v0.6.0
func (*FositeMemoryStore) CreateRefreshTokenSession ¶ added in v0.6.0
func (*FositeMemoryStore) DeleteAccessTokenSession ¶ added in v0.6.0
func (s *FositeMemoryStore) DeleteAccessTokenSession(ctx context.Context, signature string) error
func (*FositeMemoryStore) DeleteAuthorizeCodeSession ¶ added in v0.6.0
func (s *FositeMemoryStore) DeleteAuthorizeCodeSession(_ context.Context, code string) error
func (*FositeMemoryStore) DeleteOpenIDConnectSession ¶ added in v0.6.0
func (s *FositeMemoryStore) DeleteOpenIDConnectSession(_ context.Context, authorizeCode string) error
func (*FositeMemoryStore) DeleteRefreshTokenSession ¶ added in v0.6.0
func (s *FositeMemoryStore) DeleteRefreshTokenSession(ctx context.Context, signature string) error
func (*FositeMemoryStore) GetAccessTokenSession ¶ added in v0.6.0
func (*FositeMemoryStore) GetAuthorizeCodeSession ¶ added in v0.6.0
func (*FositeMemoryStore) GetOpenIDConnectSession ¶ added in v0.6.0
func (*FositeMemoryStore) GetRefreshTokenSession ¶ added in v0.6.0
func (*FositeMemoryStore) RevokeAccessToken ¶ added in v0.6.0
func (s *FositeMemoryStore) RevokeAccessToken(ctx context.Context, id string) error
func (*FositeMemoryStore) RevokeRefreshToken ¶ added in v0.6.0
func (s *FositeMemoryStore) RevokeRefreshToken(ctx context.Context, id string) error
type FositeSQLStore ¶ added in v0.6.0
func (*FositeSQLStore) CreateAccessTokenSession ¶ added in v0.6.0
func (*FositeSQLStore) CreateAuthorizeCodeSession ¶ added in v0.6.0
func (*FositeSQLStore) CreateImplicitAccessTokenSession ¶ added in v0.6.0
func (*FositeSQLStore) CreateOpenIDConnectSession ¶ added in v0.6.0
func (*FositeSQLStore) CreateRefreshTokenSession ¶ added in v0.6.0
func (*FositeSQLStore) CreateSchemas ¶ added in v0.6.0
func (s *FositeSQLStore) CreateSchemas() (int, error)
func (*FositeSQLStore) DeleteAccessTokenSession ¶ added in v0.6.0
func (s *FositeSQLStore) DeleteAccessTokenSession(_ context.Context, signature string) error
func (*FositeSQLStore) DeleteAuthorizeCodeSession ¶ added in v0.6.0
func (s *FositeSQLStore) DeleteAuthorizeCodeSession(_ context.Context, signature string) error
func (*FositeSQLStore) DeleteOpenIDConnectSession ¶ added in v0.6.0
func (s *FositeSQLStore) DeleteOpenIDConnectSession(_ context.Context, signature string) error
func (*FositeSQLStore) DeleteRefreshTokenSession ¶ added in v0.6.0
func (s *FositeSQLStore) DeleteRefreshTokenSession(_ context.Context, signature string) error
func (*FositeSQLStore) GetAccessTokenSession ¶ added in v0.6.0
func (*FositeSQLStore) GetAuthorizeCodeSession ¶ added in v0.6.0
func (*FositeSQLStore) GetOpenIDConnectSession ¶ added in v0.6.0
func (*FositeSQLStore) GetRefreshTokenSession ¶ added in v0.6.0
func (*FositeSQLStore) RevokeAccessToken ¶ added in v0.6.0
func (s *FositeSQLStore) RevokeAccessToken(ctx context.Context, id string) error
func (*FositeSQLStore) RevokeRefreshToken ¶ added in v0.6.0
func (s *FositeSQLStore) RevokeRefreshToken(ctx context.Context, id string) error
type Handler ¶
type Handler struct { OAuth2 fosite.OAuth2Provider Consent ConsentStrategy H herodot.Writer ForcedHTTP bool ConsentURL url.URL AccessTokenLifespan time.Duration CookieStore sessions.Store L logrus.FieldLogger ScopeStrategy fosite.ScopeStrategy Issuer string W firewall.Firewall ResourcePrefix string }
func (*Handler) AuthHandler ¶
func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route GET /oauth2/auth oAuth2 oauthAuth
The OAuth 2.0 authorize endpoint ¶
This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows. OAuth2 is a very popular protocol and a library for your programming language will exists.
To learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749
Consumes: - application/x-www-form-urlencoded Schemes: http, https Responses: 302: emptyResponse 401: genericError 500: genericError
func (*Handler) DefaultConsentHandler ¶
func (h *Handler) DefaultConsentHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
func (*Handler) IntrospectHandler ¶ added in v0.6.0
func (h *Handler) IntrospectHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /oauth2/introspect oAuth2 introspectOAuth2Token
Introspect OAuth2 tokens ¶
The introspection endpoint allows to check if a token (both refresh and access) is active or not. An active token is neither expired nor revoked. If a token is active, additional information on the token will be included. You can set additional data for a token by setting `accessTokenExtra` during the consent flow.
``` { "resources": ["rn:hydra:oauth2:tokens"], "actions": ["introspect"], "effect": "allow" } ``` Consumes: - application/x-www-form-urlencoded Produces: - application/json Schemes: http, https Security: basic: oauth2: hydra.introspect Responses: 200: introspectOAuth2TokenResponse 401: genericError 500: genericError
func (*Handler) PrefixResource ¶ added in v0.10.0
func (*Handler) RevocationHandler ¶ added in v0.6.0
func (h *Handler) RevocationHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /oauth2/revoke oAuth2 revokeOAuth2Token
Revoke OAuth2 tokens ¶
Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no longer be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token. Revoking a refresh token also invalidates the access token that was created with it.
Consumes: - application/x-www-form-urlencoded Schemes: http, https Security: basic: Responses: 200: emptyResponse 401: genericError 500: genericError
func (*Handler) SetRoutes ¶
func (h *Handler) SetRoutes(r *httprouter.Router)
func (*Handler) TokenHandler ¶
func (h *Handler) TokenHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /oauth2/token oAuth2 oauthToken
The OAuth 2.0 token endpoint ¶
This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows. OAuth2 is a very popular protocol and a library for your programming language will exists.
To learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749
Consumes: - application/x-www-form-urlencoded Produces: - application/json Schemes: http, https Security: basic: oauth2: Responses: 200: oauthTokenResponse 401: genericError 500: genericError
func (*Handler) UserinfoHandler ¶ added in v0.10.4
func (h *Handler) UserinfoHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /userinfo oAuth2 userinfo
OpenID Connect Userinfo ¶
This endpoint returns the payload of the ID Token, including the idTokenExtra values, of the provided OAuth 2.0 access token. The endpoint implements http://openid.net/specs/openid-connect-core-1_0.html#UserInfo .
Produces: - application/json Schemes: http, https Security: oauth2: Responses: 200: userinfoResponse 401: genericError 500: genericError
func (*Handler) WellKnownHandler ¶ added in v0.8.2
func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route GET /.well-known/openid-configuration oAuth2 getWellKnown
Server well known configuration ¶
The well known endpoint an be used to retrieve information for OpenID Connect clients. We encourage you to not roll your own OpenID Connect client but to use an OpenID Connect client library instead. You can learn more on this flow at https://openid.net/specs/openid-connect-discovery-1_0.html
Produces: - application/json Schemes: http, https Responses: 200: wellKnown 401: genericError 500: genericError
type Introspection ¶ added in v0.4.0
type Introspection struct { // Active is a boolean indicator of whether or not the presented token // is currently active. The specifics of a token's "active" state // will vary depending on the implementation of the authorization // server and the information it keeps about its tokens, but a "true" // value return for the "active" property will generally indicate // that a given token has been issued by this authorization server, // has not been revoked by the resource owner, and is within its // given time window of validity (e.g., after its issuance time and // before its expiration time). Active bool `json:"active"` // Scope is a JSON string containing a space-separated list of // scopes associated with this token. Scope string `json:"scope,omitempty"` // ClientID is aclient identifier for the OAuth 2.0 client that // requested this token. ClientID string `json:"client_id,omitempty"` // Subject of the token, as defined in JWT [RFC7519]. // Usually a machine-readable identifier of the resource owner who // authorized this token. Subject string `json:"sub,omitempty"` // Expires at is an integer timestamp, measured in the number of seconds // since January 1 1970 UTC, indicating when this token will expire. ExpiresAt int64 `json:"exp,omitempty"` // Issued at is an integer timestamp, measured in the number of seconds // since January 1 1970 UTC, indicating when this token was // originally issued. IssuedAt int64 `json:"iat,omitempty"` // NotBefore is an integer timestamp, measured in the number of seconds // since January 1 1970 UTC, indicating when this token is not to be // used before. NotBefore int64 `json:"nbf,omitempty"` // Username is a human-readable identifier for the resource owner who // authorized this token. Username string `json:"username,omitempty"` // ClientID is a service-specific string identifier or list of string // identifiers representing the intended audience for this token. Audience string `json:"aud,omitempty"` // Issuer is a string representing the issuer of this token Issuer string `json:"iss,omitempty"` // Extra is arbitrary data set by the session. Extra map[string]interface{} `json:"ext,omitempty"` }
Introspection contains an access token's session data as specified by IETF RFC 7662, see: https://tools.ietf.org/html/rfc7662
type RejectConsentRequestPayload ¶ added in v0.9.14
type RejectConsentRequestPayload struct { // Reason represents the reason why the user rejected the consent request. Reason string `json:"reason"` }
RejectConsentRequestPayload represents data that will be used to reject a consent request.
swagger:model consentRequestRejection
type Session ¶
type Session struct { *openid.DefaultSession `json:"idToken"` Extra map[string]interface{} `json:"extra"` }
func NewSession ¶
type WellKnown ¶ added in v0.8.2
type WellKnown struct { // URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. // If Issuer discovery is supported , this value MUST be identical to the issuer value returned // by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. // // required: true Issuer string `json:"issuer"` // URL of the OP's OAuth 2.0 Authorization Endpoint // // required: true AuthURL string `json:"authorization_endpoint"` // URL of the OP's OAuth 2.0 Token Endpoint // // required: true TokenURL string `json:"token_endpoint"` // URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate // signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs // to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) // parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. // Although some algorithms allow the same key to be used for both signatures and encryption, doing so is // NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of // keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. // // required: true JWKsURI string `json:"jwks_uri"` // JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include // pairwise and public. // // required: true SubjectTypes []string `json:"subject_types_supported"` // JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token // to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported, // but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint // (such as when using the Authorization Code Flow). // // required: true SigningAlgs []string `json:"id_token_signing_alg_values_supported"` // JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID // Providers MUST support the code, id_token, and the token id_token Response Type values. // // required: true ResponseTypes []string `json:"response_types_supported"` // JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply // values for. Note that for privacy or other reasons, this might not be an exhaustive list. ClaimsSupported []string `json:"claims_supported"` // URL of the OP's UserInfo Endpoint. UserinfoEndpoint string `json:"userinfo_endpoint"` // SON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST // support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used ScopesSupported []string `json:"scopes_supported"` }
swagger:model wellKnown
Source Files ¶
- consent.go
- consent_handler.go
- consent_manager.go
- consent_manager_memory.go
- consent_manager_sql.go
- consent_strategy.go
- doc.go
- equalKeys.go
- fosite_store_memory.go
- fosite_store_sql.go
- fosite_store_test_helpers.go
- handler.go
- handler_default_consent_endpoint.go
- handler_struct.go
- introspector.go
- session.go