oauth

package
Published: Jun 1, 2021 License: GPL-3.0 Imports: 18 Imported by: 0

Documentation

Overview

Package oauth provides the base authentication and authorization interfaces (Controller, Authorizer, CodeStore, SessionStore) and the data types shared by the OAuth 2.0 / OpenID Connect endpoints.


Constants

const (

	// AudienceTokenAlgorithmRS256 captures enum value "RS256" (RSA signature over
	// SHA-256). Tokens are verified with the audience's public key (Audience.VerifyKey).
	AudienceTokenAlgorithmRS256 string = "RS256"

	// AudienceTokenAlgorithmHS256 captures enum value "HS256" (HMAC over SHA-256).
	// A single shared secret (Audience.TokenSecret) both signs and verifies.
	//
	// NOTE(review): the verifying side must choose the key from the audience's
	// configured TokenAlgorithm, never from the "alg" header of the presented
	// token; otherwise an RS256 public key can be fed to the HMAC verifier as the
	// secret (algorithm confusion). Confirm in the Authorizer / TokenValidate code.
	AudienceTokenAlgorithmHS256 string = "HS256"
)
const (
	// NotificationTypeVerify are verification notifications (e.g. address verification).
	NotificationTypeVerify NotificationType = "verify"

	// NotificationTypeSignup are signup notifications.
	NotificationTypeSignup NotificationType = "signup"

	// NotificationTypePassword are password notifications.
	NotificationTypePassword NotificationType = "password"

	// NotificationTypeCode is a code notification; the code itself is carried by
	// Notification.Code.
	NotificationTypeCode NotificationType = "code"

	// NotificationTypePasswordReset are password reset notifications.
	// NOTE(review): the reset code delivered here is a credential; it should be
	// single-use and short-lived on the Controller side — confirm UserResetPassword.
	NotificationTypePasswordReset NotificationType = "password-reset"

	// NotificationTypeInvite are invitation notifications.
	NotificationTypeInvite NotificationType = "invite"

	// NotificationChannelEmail is an email notification channel.
	NotificationChannelEmail NotificationChannel = "email"

	// NotificationChannelSMS is an SMS notification channel.
	NotificationChannelSMS NotificationChannel = "sms"
)
const (
	// ScopeOpenID is the scope that provides identity tokens.
	ScopeOpenID = "openid"

	// ScopeProfile is the scope that provides profile claims in the identity token.
	ScopeProfile = "profile"

	// ScopePassword is required to set a user's password (Controller.UserSetPassword).
	// It shares the string "password" with GrantTypePassword but the two live in
	// different parameters (scope vs. grant_type), so they do not collide.
	ScopePassword = "password"

	// ScopeSession is required to create a session.
	ScopeSession = "session"

	// ScopePrincipal is the scope that provides principal claims in the identity token.
	ScopePrincipal = "principal"

	// ScopeOffline is the scope that allows a client to request refresh tokens.
	ScopeOffline = "offline_access"

	// ScopeEmailVerify is required to verify a user's email address.
	ScopeEmailVerify = "email:verify"

	// ScopeTokenRead is required to call /token-introspect.
	ScopeTokenRead = "token:read"

	// ScopeTokenRevoke is required to call /token-revoke.
	ScopeTokenRevoke = "token:revoke"

	// GrantTypeAuthCode is the authorization code grant type.
	GrantTypeAuthCode = "authorization_code"

	// GrantTypeRefreshToken is the refresh token grant type (paired with offline_access).
	GrantTypeRefreshToken = "refresh_token"

	// GrantTypeClientCredentials is the grant for machine-to-machine access.
	GrantTypeClientCredentials = "client_credentials"

	// GrantTypePassword is the resource owner password credentials grant.
	// NOTE(review): this grant exposes user passwords to the client and is
	// discouraged by the OAuth 2.0 Security Best Current Practice; restrict it to
	// specific clients through Application.AllowedGrants rather than enabling it globally.
	GrantTypePassword = "password"
)

Variables

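var (
	// ErrAccessDenied is returned when authentication has failed.
	//
	// NOTE(review): ErrUserNotFound is a distinct sentinel. If both are surfaced
	// unchanged to an unauthenticated caller they reveal whether a login exists
	// (account enumeration); collapse both to one generic failure at the API boundary.
	ErrAccessDenied = errors.New("access denied")

	// ErrCodeNotFound is returned when the store could not find the code.
	ErrCodeNotFound = errors.New("code not found")

	// ErrApplicationNotFound is returned when the store could not find the application.
	ErrApplicationNotFound = errors.New("application not found")

	// ErrAudienceNotFound is returned when the store could not find the audience.
	ErrAudienceNotFound = errors.New("audience not found")

	// ErrSessionNotFound is returned when the session was not found by the controller.
	ErrSessionNotFound = errors.New("session not found")

	// ErrUnsupportedAlogrithm is returned when the Authorizer gets a token signed
	// with an algorithm it does not support.
	// (The identifier keeps its historical misspelling for compatibility with callers.)
	ErrUnsupportedAlogrithm = errors.New("unsupported signing algorithm")

	// ErrInvalidToken is returned when the token is not valid.
	ErrInvalidToken = errors.New("invalid token")

	// ErrUserNotFound is returned when the user lookup failed.
	ErrUserNotFound = errors.New("user not found")

	// ErrExpiredToken is returned when the token is expired.
	ErrExpiredToken = errors.New("expired token")

	// ErrPasswordLen is returned when a password does not meet length requirements.
	ErrPasswordLen = errors.New("invalid password length")

	// ErrPasswordComplexity is returned if the password does not meet complexity requirements.
	// Message fixed: "to simple" -> "too simple".
	ErrPasswordComplexity = errors.New("password too simple")

	// ErrPasswordResuse is returned if the password does not meet the reuse constraints.
	// Message fixed: "to reused" -> "reused".
	// (The identifier keeps its historical misspelling for compatibility with callers.)
	ErrPasswordResuse = errors.New("password reused")

	// ErrPasswordExpired is returned when the password has expired.
	ErrPasswordExpired = errors.New("password expired")

	// ErrInvalidInviteCode is returned when an invitation code is bad.
	ErrInvalidInviteCode = errors.New("bad invite code")
)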

Functions

func ContextFromRequest

func ContextFromRequest(ctx context.Context, ctrl Controller, req *AuthRequest) (context.Context, error)

ContextFromRequest creates a context carrying the Controller and the given AuthRequest.

func Error added in v0.1.46

func Error(code ErrorCode, e error) *api.Response

Error returns an error responder

func Errorf added in v0.1.46

func Errorf(code ErrorCode, f string, args ...interface{}) *api.Response

Errorf returns a new error response from a string

func NewContext

func NewContext(ctx context.Context, args ...interface{}) context.Context

NewContext returns a new context populated from the given parameters.

Types

type Address

type Address struct {

	// Country name component.
	Country *string `json:"country,omitempty"`

	// Full mailing address, formatted for display or use on a mailing label. This field MAY contain multiple lines, separated by newlines.
	// Newlines can be represented either as a carriage return/line feed pair ("\r\n") or as a single line feed character ("\n").
	// Callers rendering this value should treat the newlines as data, not markup.
	//
	Formatted *string `json:"formatted,omitempty"`

	// City or locality component.
	Locality *string `json:"locality,omitempty"`

	// Zip code or postal code component.
	PostalCode *string `json:"postal_code,omitempty"`

	// State, province, prefecture, or region component.
	Region *string `json:"region,omitempty"`

	// Full street address component, which MAY include house number, street name, Post Office Box, and multi-line extended street address
	// information. This field MAY contain multiple lines, separated by newlines. Newlines can be represented either as a carriage return/line
	// feed pair ("\r\n") or as a single line feed character ("\n").
	//
	StreetAddress *string `json:"street_address,omitempty"`
}

Address OpenID address claim as defined in section 5.1.1 of the connect core 1.0 specification

func (*Address) Scan

func (a *Address) Scan(value interface{}) error

Scan reads a json value from the database into a Address

func (Address) Validate

func (a Address) Validate() error

Validate handles validation for the Address struct.

func (Address) Value

func (a Address) Value() (driver.Value, error)

Value returns Address as a value that can be stored as json in the database

type Application

type Application struct {

	// The grant types (see the GrantType* constants) this application may use,
	// grouped by audience.
	AllowedGrants PermissionSet `json:"allowed_grants,omitempty"`

	// The allowed application URIs, grouped by audience. The `/authorize` path
	// checks the request app_uri against this set before redirecting to it.
	AppUris PermissionSet `json:"app_uris,omitempty"`

	// The application client id used for oauth grants
	// Read Only: true
	ClientID string `json:"client_id,omitempty"`

	// The application client secret used for oauth grants
	// Read Only: true
	//
	// NOTE(review): the json tag means the secret is emitted wherever an
	// Application is marshalled, including by Application.Value, which stores
	// the struct as JSON. Confirm that API responses strip it and that the
	// stored copy is protected (hashed or encrypted at rest).
	ClientSecret string `json:"client_secret,omitempty"`

	// The application description
	Description *string `json:"description,omitempty"`

	// The application name
	Name string `json:"name,omitempty"`

	// permissions
	Permissions PermissionSet `json:"permissions,omitempty"`

	// The allowed redirect URIs, grouped by audience. The `/login` path checks
	// the request redirect_uri against this set.
	//
	// NOTE(review): confirm the comparison is an exact string match. Prefix or
	// wildcard matching of redirect URIs lets an attacker receive authorization
	// codes on a URI they control.
	RedirectUris PermissionSet `json:"redirect_uris,omitempty"`

	// The lifetime for identity tokens in seconds, provided the call requested the
	// `openid` scopes. (Access token lifetime is configured per Audience instead.)
	//
	TokenLifetime int64 `json:"token_lifetime,omitempty"`

	// The application type
	// Enum: [web native machine]
	Type string `json:"type,omitempty"`
}

Application Applications are API clients that access APIs managed by the integration service. Applications may provide user authentication flows. Applications are managed by the `oauth.Controller`. This library provides an incomplete base definition for application clients.

## App URIs This is the set of the application's allowed application URIs (the `AppUris` field, grouped by audience). These are checked in the `/authorize` path to ensure the redirect is allowed by the application. This path on redirect will receive the following query parameters:

  • `auth_request`: An encoded and signed request value to be forwarded to various posts.

## Redirect URIs This is the set of the application's allowed redirect URIs (the `RedirectUris` field, grouped by audience). These are checked in the `/login` path to ensure the redirect is allowed by the application. This path on redirect will receive the following query parameters:

func (*Application) Scan

func (m *Application) Scan(value interface{}) error

Scan reads a json value from the database into a Application

func (Application) Value

func (m Application) Value() (driver.Value, error)

Value returns Application as a value that can be stored as json in the database

type Audience

type Audience interface {
	// The name of the audience. This is used in token request and token claims.
	Name() string

	// The audience description
	Description() string

	// permissions
	Permissions() Permissions

	// The audience token signing algorithm
	// Enum: [RS256 HS256]
	//
	// NOTE(review): this configured value — not the "alg" header of a presented
	// token — should decide whether TokenSecret or VerifyKey is used to verify it.
	TokenAlgorithm() string

	// The lifetime for tokens created on behalf of this audience, in seconds
	TokenLifetime() int64

	// The signing secret used if the algorithm is HS256. It both signs and
	// verifies, so anyone who can read it can mint tokens for this audience.
	TokenSecret() string

	// VerifyKey returns the audience RSA public key used for token verification
	VerifyKey() interface{}

	// VerifyCertificate returns the x509 certificate used for token verification.
	// (The signature returns only the certificate and an error; no thumbprint is
	// returned despite what older documentation said.)
	VerifyCertificate() (*x509.Certificate, error)

	// Principal is the implementation specific audience object
	Principal() interface{}
}

Audience An audience is an API that applications can request permission to access on behalf of a user or itself.

type AuthCode

type AuthCode struct {
	AuthRequest

	// The auth code value provided by the CodeStore. This is the value exchanged
	// at `/token`; it should be treated as a one-time secret (see CodeStore.AuthCodeDestroy).
	Code string `json:"code,omitempty"`

	// The time the code was issued on
	IssuedAt int64 `json:"issued_at,omitempty"`

	// The refresh token nonce. Presumably ties a refresh token to this code
	// record, since the library stores refresh tokens in AuthCodes — confirm.
	RefreshNonce string `json:"refresh_nonce,omitempty"`

	// The session id
	SessionID string `json:"session_id,omitempty"`

	// The session subject
	Subject string `json:"subject,omitempty"`

	// If this is false the session was created in an SSO flow without capturing
	// user credentials. Some audiences may require credentials to have been captured.
	//
	UserAuthenticated bool `json:"user_authenticated,omitempty"`
}

AuthCode Authcodes are used by clients in browser-based flows to request BearerTokens.

Internally Authcodes are associated with an AuthRequest, which are not persisted until after authentication has completed successfully.

Additionally, the library uses AuthCodes to:

  • store refresh tokens used when a client request offline_access.
  • reset user passwords

func (AuthCode) MarshalJSON

func (m AuthCode) MarshalJSON() ([]byte, error)

MarshalJSON marshals this object to a JSON structure

func (*AuthCode) Scan

func (m *AuthCode) Scan(value interface{}) error

Scan reads a json value from the database into a AuthCode

func (*AuthCode) UnmarshalJSON

func (m *AuthCode) UnmarshalJSON(raw []byte) error

UnmarshalJSON unmarshals this object from a JSON structure

func (AuthCode) Value

func (m AuthCode) Value() (driver.Value, error)

Value returns AuthCode as a value that can be stored as json in the database

type AuthOption

type AuthOption func(a *authOptions)

AuthOption is an authorizer option

func WithErrorPassthrough added in v0.1.17

func WithErrorPassthrough() AuthOption

WithErrorPassthrough passes the error in the context to the method

func WithOptional

func WithOptional() AuthOption

WithOptional ignores a missing auth token, but a token that is present is still fully enforced.

func WithRoles

func WithRoles(roles ...Permissions) AuthOption

WithRoles enforces the user roles

func WithScope

func WithScope(scope ...Permissions) AuthOption

WithScope will create an api.Authorizer with the scope

type AuthRequest

type AuthRequest struct {

	// The request audience
	// Required: true
	Audience string `json:"aud"`

	// The request client id
	// Required: true
	ClientID string `json:"client_id"`

	// The request code challenge (PKCE)
	// Required: true
	//
	// NOTE(review): the field is a pointer tagged omitempty, so a missing
	// challenge serialises as absent rather than failing; confirm that
	// `/authorize` rejects requests without it if PKCE is meant to be mandatory.
	CodeChallenge *string `json:"code_challenge,omitempty"`

	// The request code challenge method
	// Enum: [S256]  (the weaker "plain" method is not in the enum)
	CodeChallengeMethod string `json:"code_challenge_method,omitempty"`

	// The request expiration epoch
	ExpiresAt int64 `json:"expires_at,omitempty"`

	// The request app uri; must be one of Application.AppUris
	// Required: true
	AppURI string `json:"app_uri"`

	// The request redirect uri; must be one of Application.RedirectUris
	// Required: true
	RedirectURI string `json:"redirect_uri"`

	// scope
	Scope Permissions `json:"scope,omitempty"`

	// The request state. Per OAuth 2.0 this is echoed back so the client can
	// bind the callback to the request it initiated (CSRF protection).
	State *string `json:"state,omitempty"`

	// The request nonce. Per OpenID Connect this is presumably reflected in the
	// identity token so the client can detect replay — confirm.
	Nonce *string `json:"nonce,omitempty"`

	// Subject is the request subject
	Subject *string `json:"subject,omitempty"`
}

AuthRequest An AuthRequest is generated by the `/authorize` call and passed to the `app_uri`. The properties of AuthRequest map to the parameters of the `/authorize` operation. This request is encoded and signed by the authorization service and must be passed in the POST to `/login` to validate the authentication request.

func (*AuthRequest) Scan

func (m *AuthRequest) Scan(value interface{}) error

Scan reads a json value from the database into a AuthRequest

func (AuthRequest) Value

func (m AuthRequest) Value() (driver.Value, error)

Value returns AuthRequest as a value that can be stored as json in the database

type Authorizer

type Authorizer interface {
	// Authorize builds an api.Authorizer for one endpoint using the given options
	// (scope, roles, optional token, error passthrough).
	Authorize(opts ...AuthOption) api.Authorizer
}

Authorizer is an oauth authorizer interface

func NewAuthorizer

func NewAuthorizer(ctrl Controller, opts ...AuthorizerOption) Authorizer

NewAuthorizer returns a new oauth authorizer

type AuthorizerOption

type AuthorizerOption func(a *authorizer)

AuthorizerOption is an authorizer option

func WithPermitQueryToken

func WithPermitQueryToken(permit bool) AuthorizerOption

WithPermitQueryToken controls whether the authorizer accepts a bearer token supplied as a URL query parameter (when `permit` is true) in addition to the Authorization header. Tokens in query strings are discouraged by RFC 6750 §2.3 because they leak into server logs, browser history and Referer headers; leave this disabled unless a client genuinely cannot send a header.

type BearerToken

type BearerToken struct {

	// The token to be used for authorization
	// Required: true
	AccessToken string `json:"access_token"`

	// The number of seconds from `now` until the token expires (RFC 6749 §5.1)
	// Required: true
	ExpiresIn int64 `json:"expires_in"`

	// The identity token contains claims about the user's identity. This token is
	// returned if the `openid` scope was granted.
	// If the `profile` scope was granted, this will contain the user profile.
	// These scopes are outside of the context of this library, it is up to the
	// provider to maintain these scopes.
	//
	IDToken string `json:"id_token,omitempty"`

	// The refresh token may be used to generate a new access token so client
	// and user credentials do not have to traverse the wire again.
	// It is provided if the `offline_access` scope is requested.
	// This scope is outside of the context of this library, it is up to the
	// provider to maintain it.
	//
	RefreshToken string `json:"refresh_token,omitempty"`

	// The token type, always Bearer
	// Required: true
	// Enum: [bearer]
	TokenType string `json:"token_type"`

	// Additional properties added by the platform. Excluded from the default
	// encoder; BearerToken.MarshalJSON merges them into the output object.
	BearerToken map[string]map[string]interface{} `json:"-"`
}

BearerToken BearerTokens are returned by the `/token` method. These token always include an `access_token` which can be used to access api methods from a related service. These are the only objects managed by the api itself. The integration is expected to implement the `oauth.Controller` interface.

func (BearerToken) MarshalJSON

func (m BearerToken) MarshalJSON() ([]byte, error)

MarshalJSON marshals this object with additional properties into a JSON object

func (*BearerToken) Scan

func (m *BearerToken) Scan(value interface{}) error

Scan reads a json value from the database into a BearerToken

func (*BearerToken) UnmarshalJSON

func (m *BearerToken) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals this object with additional properties from JSON

func (BearerToken) Value

func (m BearerToken) Value() (driver.Value, error)

Value returns BearerToken as a value that can be stored as json in the database

type Claims

type Claims map[string]interface{}

Claims is token claims

func ParseClaims

func ParseClaims(ctx context.Context, bearer string, keyfn func(claims Claims) (interface{}, error)) (Claims, error)

ParseClaims parses the JWT bearer into Claims, calling keyfn to obtain the verification key. The claims handed to keyfn have not yet been signature-checked, so use them only to select a key (for example by audience), never as trusted data.

func (Claims) Audience

func (c Claims) Audience() []string

Audience returns the audience for the token

func (Claims) ClientID

func (c Claims) ClientID() string

ClientID returns the client (application) id for the token

func (Claims) ExpiresAt

func (c Claims) ExpiresAt() time.Time

ExpiresAt returns the expiration for the token

func (Claims) ID

func (c Claims) ID() string

ID returns the token id

func (Claims) IssuedAt

func (c Claims) IssuedAt() time.Time

IssuedAt returns the issue time for the token

func (*Claims) Scan

func (c *Claims) Scan(value interface{}) error

Scan reads a json value from the database into a Claims map.

func (Claims) Scope

func (c Claims) Scope() Permissions

Scope returns the scope for the token

func (Claims) Set

func (c Claims) Set(key string, value interface{})

Set sets a value in the claims

func (Claims) Sign

func (c Claims) Sign(ctx context.Context, alg string, key interface{}) (string, error)

Sign returns the signed JWT bearer token using alg and key. The key type must match alg (an RSA private key for RS256, the shared secret for HS256); alg should come from the audience's configured TokenAlgorithm, not from untrusted input.

func (Claims) Subject

func (c Claims) Subject() string

Subject returns the subject for the token

func (Claims) Use

func (c Claims) Use() string

Use returns the token use

func (Claims) Valid

func (c Claims) Valid() error

Valid validates the claims (presumably the time-based checks such as expiry — confirm). Callers must still check that the audience and scope match the resource being accessed.

func (Claims) Value

func (c Claims) Value() (driver.Value, error)

Value returns the Claims map as a value that can be stored as json in the database.

type CodeStore

type CodeStore interface {
	// AuthCodeCreate creates a new authcode from the request. If an expiry is
	// set on the code (presumably the embedded AuthRequest.ExpiresAt — confirm)
	// the store should use that value, otherwise apply its own defaults.
	AuthCodeCreate(context.Context, *AuthCode) error

	// AuthCodeGet returns a code from the store, keyed by the code string.
	AuthCodeGet(context.Context, string) (*AuthCode, error)

	// AuthCodeDestroy removes a code from the store.
	//
	// NOTE(review): authorization codes must be single-use (RFC 6749 §4.1.2).
	// Confirm the `/token` handler destroys the code once it is exchanged and
	// that a destroyed or expired code is reported as ErrCodeNotFound.
	AuthCodeDestroy(context.Context, string) error
}

CodeStore defines an AuthCode storage interface. AuthCodes are used by the OAuth 2.0 `authorization_code` flow.

type Context

// Context is the per-request oauth state resolved by the Authorizer and
// retrieved with AuthContext. Bearer holds the raw token string and must be
// treated as a secret (do not log it); Error is populated instead of failing
// the request when WithErrorPassthrough is in effect.
type Context struct {
	Controller  Controller
	Application *Application
	Audience    Audience
	User        *User
	Principal   interface{}
	Token       Claims
	Bearer      string
	Request     *AuthRequest
	Error       error
}

Context is the oauth context

func AuthContext

func AuthContext(ctx context.Context) *Context

AuthContext returns the context

type Controller

type Controller interface {
	// AudienceGet should return an audience for the specified name/id
	AudienceGet(ctx context.Context, name string) (Audience, error)

	// ApplicationGet should return an application for the specified client id
	ApplicationGet(ctx context.Context, clientID string) (*Application, error)

	// UserGet returns a user by subject id along with the underlying principal
	UserGet(ctx context.Context, id string) (*User, interface{}, error)

	// UserAuthenticate authenticates a user using the login and password
	// This function should return an oauth user and the principal
	//
	// NOTE(review): implementations should return ErrAccessDenied for both an
	// unknown login and a wrong password, and rate-limit attempts; distinct
	// errors or timing differences allow account enumeration.
	UserAuthenticate(ctx context.Context, login string, password string) (*User, interface{}, error)

	// UserCreate will create the user, optionally validating the invite code
	// (ErrInvalidInviteCode when it does not validate)
	UserCreate(ctx context.Context, login string, password *string, profile *Profile, invite ...string) (*User, error)

	// UserUpdate updates a user profile
	UserUpdate(ctx context.Context, id string, profile *Profile) error

	// UserNotify should create an email or sms with the verification link or code for the user
	UserNotify(ctx context.Context, note Notification) error

	// UserResetPassword resets a user's password
	// NOTE(review): resetCode is a credential delivered out of band; it should
	// be single-use and expire quickly — confirm the implementation enforces this.
	UserResetPassword(ctx context.Context, login string, resetCode string) error

	// UserSetPassword will set a user's password (requires ScopePassword)
	UserSetPassword(ctx context.Context, sub string, password string) error

	// TokenFinalize finalizes the token, signs it and returns the bearer
	TokenFinalize(ctx context.Context, claims Claims) (string, error)

	// TokenValidate validates the token signature and parses it into Claims.
	// The verification key must be chosen from the audience's configured
	// TokenAlgorithm, not from the token's own "alg" header.
	TokenValidate(ctx context.Context, bearerToken string) (Claims, error)

	// TokenGet gets a token by id
	TokenGet(ctx context.Context, id string) (Claims, error)

	// TokenRevoke revokes a token by id. The subject is passed alongside the id
	// so the implementation can refuse to revoke tokens belonging to another user.
	TokenRevoke(ctx context.Context, sub string, id string) error
}

Controller is the interface implemented by consumers of the auth server. It provides the backend functionality for user, application, and audience management.

type EmailClaim

type EmailClaim struct {
	// The user's email address
	Email *string `json:"email,omitempty"`

	// True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP
	// took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed.
	// The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements
	// within which the parties are operating.
	// A nil value means the claim is absent, which relying parties should treat the same as false.
	//
	EmailVerified *bool `json:"email_verified,omitempty"`
}

EmailClaim is the claim components for a user's email

func (EmailClaim) Validate

func (e EmailClaim) Validate() error

Validate handles validation for the EmailClaim struct

type ErrorCode added in v0.1.46

type ErrorCode string

ErrorCode defines an oauth error code

const (
	// ErrorCodeInvalidRequest: the request is missing a required parameter or is otherwise malformed.
	ErrorCodeInvalidRequest ErrorCode = "invalid_request"

	// ErrorCodeInvalidClient: client authentication failed.
	ErrorCodeInvalidClient ErrorCode = "invalid_client"

	// ErrorCodeInvalidGrant: the authorization grant or refresh token is invalid,
	// expired, revoked, or was issued to another client / redirect URI.
	ErrorCodeInvalidGrant ErrorCode = "invalid_grant"

	// ErrorCodeUnauthorizedClient: the client is not authorized to use this grant type.
	ErrorCodeUnauthorizedClient ErrorCode = "unauthorized_client"

	// ErrorCodeUnsupportedGrantType: the grant type is not supported by the server.
	ErrorCodeUnsupportedGrantType ErrorCode = "unsupported_grant_type"

	// ErrorCodeInvalidScope: the requested scope is invalid, unknown, or malformed.
	ErrorCodeInvalidScope ErrorCode = "invalid_scope"

	// ErrorCodeAccessDenied: the resource owner or server denied the request.
	ErrorCodeAccessDenied ErrorCode = "access_denied"

	// ErrorCodeServerError: an unexpected condition prevented fulfilling the request.
	// Keep the accompanying description generic; do not leak internal error text.
	ErrorCodeServerError ErrorCode = "server_error"
)

ErrorCode values are the error codes returned in responses to failed oauth endpoint requests.

type Notification

// Notification is a message the Controller must deliver to a user (see
// Controller.UserNotify). Either URI (a link) or Code (a value to enter) is
// expected to carry the verification or reset material.
type Notification interface {
	Type() NotificationType
	Subject() string
	Channels() NotificationChannels
	URI() *URI
	Code() *string
	Context() map[string]interface{}
}

Notification is the interface describing a user notification.

type NotificationChannel

type NotificationChannel string

NotificationChannel is the channel to notify

type NotificationChannels

type NotificationChannels []NotificationChannel

NotificationChannels is a list of notification channels.

func (NotificationChannels) Contains

func (n NotificationChannels) Contains(value NotificationChannel) bool

Contains reports whether the list includes the given channel.

func (*NotificationChannels) UnmarshalText added in v0.1.40

func (n *NotificationChannels) UnmarshalText(v []byte) error

type NotificationType

type NotificationType string

NotificationType is a notification type

func (NotificationType) String

func (n NotificationType) String() string

type PermissionSet

type PermissionSet map[string]Permissions

PermissionSet A set of permissions grouped by audience.

func (PermissionSet) Scan

func (m PermissionSet) Scan(value interface{}) error

Scan reads a json value from the database into a PermissionSet

func (PermissionSet) Value

func (m PermissionSet) Value() (driver.Value, error)

Value returns PermissionSet as a value that can be stored as json in the database

type Permissions

type Permissions []string

Permissions Permissions are used for both OAuth scopes and API ACL lists.

func Scope

func Scope(s ...string) Permissions

Scope returns specified scopes as a Permissions type

func (Permissions) Contains

func (s Permissions) Contains(value string) bool

Contains return true if the scope contains the value

func (Permissions) Empty added in v0.1.41

func (s Permissions) Empty() bool

Empty return true if empty

func (Permissions) Every

func (s Permissions) Every(elements ...string) bool

Every returns true if every element is contained in the scope

func (Permissions) Scan

func (m Permissions) Scan(value interface{}) error

Scan reads a json value from the database into a Permissions

func (Permissions) Some

func (s Permissions) Some(elements ...string) bool

Some returns true if at least one of the elements is contained in the scope

func (Permissions) Unique added in v0.1.28

func (s Permissions) Unique() Permissions

Unique returns a copy of the scope with duplicate values removed.

func (Permissions) Value

func (m Permissions) Value() (driver.Value, error)

Value returns Permissions as a value that can be stored as json in the database

func (Permissions) Without

func (s Permissions) Without(elements ...string) Permissions

Without returns the scope excluding the elements

type PhoneClaim

type PhoneClaim struct {
	// The user's phone number in E.164 format
	PhoneNumber *string `json:"phone_number,omitempty"`

	// True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP
	// took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed.
	// The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements
	// within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be
	// represented in RFC 3966 format.
	// A nil value means the claim is absent, which relying parties should treat the same as false.
	//
	PhoneNumberVerified *bool `json:"phone_number_verified,omitempty"`
}

PhoneClaim is the claim components for a user's phone number

func (PhoneClaim) Validate

func (p PhoneClaim) Validate() error

Validate handles validation for the PhoneClaim struct

type Profile

type Profile struct {
	*EmailClaim `json:",squash,flatten,omitempty"`
	*PhoneClaim `json:",squash,flatten,omitempty"`

	// Subject - Identifier for the End-User at the Issuer.
	//
	Subject string `json:"sub,omitempty"`

	// address
	Address *Address `json:"address,omitempty"`

	// End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted.
	// To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just
	// year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates.
	//
	// NOTE(review): the field is a *time.Time, so the year-only ("YYYY") and
	// omitted-year ("0000") forms described above cannot be represented as-is;
	// confirm how the JSON decoder treats such inputs.
	//
	Birthdate *time.Time `json:"birthdate,omitempty"`

	// Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name;
	// all can be present, with the names being separated by space characters.
	//
	FamilyName string `json:"family_name,omitempty"`

	// End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither
	// of the defined values are applicable.
	//
	Gender string `json:"gender,omitempty"`

	// Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names;
	// all can be present, with the names being separated by space characters.
	//
	GivenName string `json:"given_name,omitempty"`

	// End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase
	// and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note,
	// some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept
	// this locale syntax as well.
	//
	Locale *string `json:"locale,omitempty"`

	// Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names;
	// all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.
	//
	MiddleName string `json:"middle_name,omitempty"`

	// End-User's full name in displayable form including all name parts, possibly including titles and suffixes,
	// ordered according to the End-User's locale and preferences.
	//
	Name string `json:"name,omitempty"`

	// Casual name of the End-User that may or may not be the same as the given_name. For instance,
	// a nickname value of Mike might be returned alongside a given_name value of Michael.
	//
	Nickname string `json:"nickname,omitempty"`

	// URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file),
	// rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the
	// End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.
	// User-supplied; consumers that embed it should restrict the scheme to http/https.
	//
	Picture string `json:"picture,omitempty"`

	// Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid
	// JSON string including special characters such as @, /, or whitespace. The RP MUST NOT rely upon this value being unique.
	//
	PreferredUsername string `json:"preferred_username,omitempty"`

	// URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.
	//
	// Format: uri
	Profile string `json:"profile,omitempty"`

	// Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z
	// as measured in UTC until the date/time.
	//
	UpdatedAt int64 `json:"updated_at,omitempty"`

	// URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an
	// organization that the End-User is affiliated with.
	// User-supplied; consumers that render it as a link should restrict the scheme to http/https.
	//
	Website string `json:"website,omitempty"`

	// String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.
	//
	Zoneinfo string `json:"zoneinfo,omitempty"`
}

Profile A profile object based on the [openid connect standard](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims).

func (*Profile) Scan

func (p *Profile) Scan(value interface{}) error

Scan reads a json value from the database into a Profile

func (Profile) Validate

func (p Profile) Validate() error

Validate handles validation for the Profile struct

func (Profile) Value

func (p Profile) Value() (driver.Value, error)

Value returns Profile as a value that can be stored as json in the database

type Session

type Session interface {
	// ID is the session id
	ID() string

	// ClientID is the client that created the user session
	ClientID() string

	// Audience is the session audience
	Audience() string

	// Subject is the user subject id
	Subject() string

	// Scope is the session scope for the given audience
	Scope(aud string) Permissions

	// CreatedAt is the session creation time
	CreatedAt() time.Time

	// ExpiresAt is the session expiration time
	ExpiresAt() time.Time

	// Set sets a value in the session interface
	Set(key string, value interface{})

	// Get gets a value from the session interface
	Get(key string) interface{}

	// Write writes the session to the response.
	// NOTE(review): this presumably sets a cookie — confirm it is marked
	// HttpOnly, Secure and with an appropriate SameSite value.
	Write(http.ResponseWriter) error

	// Destroy clears the session from the response
	Destroy(http.ResponseWriter) error
}

Session is the interface for browser-based user sessions.

type SessionStore

type SessionStore interface {
	// SessionCreate creates a new session, overwriting an existing session.
	// NOTE(review): issuing a fresh session id at login (rather than reusing one
	// already present on the request) is what prevents session fixation — confirm.
	SessionCreate(context.Context, *http.Request) (Session, error)

	// SessionRead returns the session
	SessionRead(context.Context, *http.Request) (Session, error)

	// SessionDestroy should clean up the session in the response
	SessionDestroy(context.Context, http.ResponseWriter, *http.Request) error
}

SessionStore provides session persistence for oauth user flows

type URI

type URI string

URI is a string-typed URI.

func Issuer added in v0.1.63

func Issuer(ctx context.Context) URI

func (URI) Append

func (u URI) Append(paths ...string) URI

Append appends the paths to the uri

func (URI) Parse

func (u URI) Parse() (*url.URL, error)

Parse parses the uri into a url.URL

func (URI) Ptr

func (u URI) Ptr() *URI

Ptr returns a pointer to the URI

func (URI) String

func (u URI) String() string

String converts the uri to a string

func (URI) Validate

func (u URI) Validate() error

Validate validates a uri

type URIList

type URIList []URI

URIList is a list of uris

func MakeURIList

func MakeURIList(uris ...string) URIList

MakeURIList returns a URIList built from the given strings.

func (URIList) MarshalJSON

func (u URIList) MarshalJSON() ([]byte, error)

MarshalJSON handles json marshaling of this type

func (*URIList) Scan

func (u *URIList) Scan(value interface{}) error

Scan reads a json value from the database into a URIList.

func (URIList) Unique

func (u URIList) Unique() URIList

Unique returns a copy of the list with duplicate URIs removed.

func (URIList) Value

func (u URIList) Value() (driver.Value, error)

Value returns the URIList as a value that can be stored as json in the database.

type User

type User struct {

	// The user's login
	//
	// Required: true
	Login string `json:"login"`

	// The time the user's password expires (ErrPasswordExpired once passed)
	// Format: date-time
	PasswordExpiresAt time.Time `json:"password_expires_at,omitempty"`

	// permissions, grouped by audience
	Permissions PermissionSet `json:"permissions,omitempty"`

	// profile
	Profile *Profile `json:"profile,omitempty"`

	// roles, grouped by audience (see CurrentRoles and HasRole)
	Roles PermissionSet `json:"roles,omitempty"`
}

User is the account object returned by the Controller; it carries the login, password expiry, per-audience permissions and roles, and an optional profile.

func (User) CurrentRoles

func (u User) CurrentRoles(ctx context.Context) Permissions

CurrentRoles returns the user roles in the given context

func (User) HasRole

func (u User) HasRole(ctx context.Context, role ...string) bool

HasRole returns true if the user has the roles

func (*User) Scan

func (m *User) Scan(value interface{}) error

Scan reads a json value from the database into a User

func (User) Value

func (m User) Value() (driver.Value, error)

Value returns User as a value that can be stored as json in the database
