Package oauth provides the base auth interfaces
Constants ¶
// Notification types and channels understood by Controller.UserNotify.
const (
	// NotificationTypeVerify are verification notifications
	NotificationTypeVerify NotificationType = "verify"
	// NotificationTypeSignup are signup notifications
	NotificationTypeSignup NotificationType = "signup"
	// NotificationTypePassword is a password notification
	NotificationTypePassword NotificationType = "password"
	// NotificationTypeCode is a code notification
	NotificationTypeCode NotificationType = "code"
	// NotificationTypePasswordReset is a password reset notification
	NotificationTypePasswordReset NotificationType = "password-reset"
	// NotificationTypeInvite is an invitation notification
	NotificationTypeInvite NotificationType = "invite"

	// NotificationChannelEmail is the email notification channel
	NotificationChannelEmail NotificationChannel = "email"
	// NotificationChannelSMS is the SMS notification channel
	NotificationChannelSMS NotificationChannel = "sms"
)
// Well-known scopes, grant types and token algorithms used by the library.
const (
	// ScopeOpenID is the scope that provides identity tokens
	ScopeOpenID = "openid"
	// ScopeProfile is the scope that provides profile claims in the identity token
	ScopeProfile = "profile"
	// ScopeEntitlements is the scope that provides entitlement claims in the identity token
	ScopeEntitlements = "entitlements"
	// ScopePassword is required to set a user's password
	ScopePassword = "password"
	// ScopeSession is required to create a session
	ScopeSession = "session"
	// ScopePrincipal is the scope that provides principal claims in the identity token
	ScopePrincipal = "principal"
	// ScopeOffline is the scope that allows a client to request refresh tokens
	ScopeOffline = "offline_access"
	// ScopeTokenExchange is required to exchange tokens between audiences
	ScopeTokenExchange = "token:exchange"
	// ScopeEmailVerify is required to verify a user's email address
	ScopeEmailVerify = "email:verify"
	// ScopeTokenRead is required to call /token-introspect
	ScopeTokenRead = "token:read"
	// ScopeTokenRevoke is required to call /token-revoke
	ScopeTokenRevoke = "token:revoke"

	// GrantTypeAuthCode is the authorization code grant type
	GrantTypeAuthCode = "authorization_code"
	// GrantTypeRefreshToken is the refresh token grant type, used with the offline_access scope
	GrantTypeRefreshToken = "refresh_token"
	// GrantTypeClientCredentials is the grant for machine-to-machine access
	GrantTypeClientCredentials = "client_credentials"
	// GrantTypePassword is the resource owner password credentials grant type
	GrantTypePassword = "password"
	// GrantTypeExchange is used to exchange tokens
	GrantTypeExchange = "exchange"

	// TokenAlgorithmHS256 signs tokens with HMAC-SHA256. The key is symmetric,
	// so any party that can verify a token with it can also mint one.
	TokenAlgorithmHS256 TokenAlgorithm = "HS256"
	// TokenAlgorithmRS256 signs tokens with RSASSA-PKCS1-v1_5 and SHA-256;
	// verifiers need only the public key (see Audience.VerifyKey).
	TokenAlgorithmRS256 TokenAlgorithm = "RS256"
)
Variables ¶
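// Sentinel errors returned by the library and by Controller/CodeStore
// implementations. Compare with errors.Is rather than by message text.
var (
	// ErrAccessDenied is returned when authentication has failed
	ErrAccessDenied = errors.New("access denied")
	// ErrCodeNotFound is returned when the store could not find the code
	ErrCodeNotFound = errors.New("code not found")
	// ErrApplicationNotFound is returned when the store could not find the application
	ErrApplicationNotFound = errors.New("application not found")
	// ErrAudienceNotFound is returned when the store could not find the audience
	ErrAudienceNotFound = errors.New("audience not found")
	// ErrSessionNotFound is returned when the session was not found by the controller
	ErrSessionNotFound = errors.New("session not found")
	// ErrUnsupportedAlogrithm is returned when the Authorizer gets a token signed
	// with an algorithm it does not support. The misspelled identifier is kept
	// because renaming it would break callers.
	ErrUnsupportedAlogrithm = errors.New("unsupported signing algorithm")
	// ErrInvalidToken is returned when the token is not valid
	ErrInvalidToken = errors.New("invalid token")
	// ErrUserNotFound is returned when the user lookup failed
	ErrUserNotFound = errors.New("user not found")
	// ErrExpiredToken is returned when the token is expired
	ErrExpiredToken = errors.New("expired token")
	// ErrPasswordLen is returned when a password does not meet length requirements
	ErrPasswordLen = errors.New("invalid password length")
	// ErrPasswordComplexity is returned if the password does not meet complexity requirements
	ErrPasswordComplexity = errors.New("password too simple")
	// ErrPasswordResuse is returned if the password does not meet the reuse constraints.
	// The misspelled identifier is kept because renaming it would break callers.
	ErrPasswordResuse = errors.New("password reused")
	// ErrPasswordExpired is returned when the password has expired
	ErrPasswordExpired = errors.New("password expired")
	// ErrInvalidInviteCode is returned when an invitation code is bad
	ErrInvalidInviteCode = errors.New("bad invite code")
)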
Functions ¶
func ContextFromRequest ¶
func ContextFromRequest(ctx context.Context, ctrl Controller, req *AuthRequest) (context.Context, error)
ContextFromRequest will create a context from the Controller and AuthRequest
Types ¶
type Address ¶
// Address is the OpenID address claim as defined in section 5.1.1 of the
// OpenID Connect Core 1.0 specification. Every component is a pointer so
// that an absent component is omitted from the JSON rather than sent empty.
type Address struct {
	// Country name component.
	Country *string `json:"country,omitempty"`
	// Full mailing address, formatted for display or use on a mailing label. This field MAY contain multiple lines, separated by newlines.
	// Newlines can be represented either as a carriage return/line feed pair ("\r\n") or as a single line feed character ("\n").
	Formatted *string `json:"formatted,omitempty"`
	// City or locality component.
	Locality *string `json:"locality,omitempty"`
	// Zip code or postal code component.
	PostalCode *string `json:"postal_code,omitempty"`
	// State, province, prefecture, or region component.
	Region *string `json:"region,omitempty"`
	// Full street address component, which MAY include house number, street name, Post Office Box, and multi-line extended street address
	// information. This field MAY contain multiple lines, separated by newlines. Newlines can be represented either as a carriage return/line
	// feed pair ("\r\n") or as a single line feed character ("\n").
	StreetAddress *string `json:"street_address,omitempty"`
}
Address is the OpenID address claim as defined in section 5.1.1 of the OpenID Connect Core 1.0 specification.
type Application ¶
// Application is an API client managed by the oauth.Controller. AppUris and
// RedirectUris are the allow-lists checked by the /authorize and /login paths.
type Application struct {
	// AllowedGrants are the grants the application may use, keyed by audience
	AllowedGrants PermissionSet `json:"allowed_grants,omitempty"`
	// AppUris are the application uris the /authorize path may redirect to, keyed by audience
	AppUris PermissionSet `json:"app_uris,omitempty"`
	// ClientID is the application client id used for oauth grants
	// Read Only: true
	ClientID string `json:"client_id,omitempty"`
	// ClientSecret is the application client secret used for oauth grants.
	// Read Only: true
	// NOTE(review): the json tag serializes the secret, so an Application must
	// be redacted before it is returned to a caller that should not hold it.
	ClientSecret string `json:"client_secret,omitempty"`
	// Description is the application description
	Description *string `json:"description,omitempty"`
	// Name is the application name
	Name string `json:"name,omitempty"`
	// Permissions the application holds, keyed by audience
	Permissions PermissionSet `json:"permissions,omitempty"`
	// RedirectUris are the uris the /login path may redirect to, keyed by audience
	RedirectUris PermissionSet `json:"redirect_uris,omitempty"`
	// TokenLifetime is the lifetime for identity tokens in seconds, provided the call requested the
	// `openid` scopes.
	TokenLifetime int64 `json:"token_lifetime,omitempty"`
	// RefreshTokenLifetime is the lifetime for refresh tokens in days, provided the call requested the
	// `offline_access` scopes.
	RefreshTokenLifetime int64 `json:"refresh_token_lifetime,omitempty"`
	// RefreshTokenMaxAge is the ttl for refresh tokens in seconds, provided the call requested the
	// `offline_access` scopes.
	RefreshTokenMaxAge int64 `json:"refresh_token_max_age,omitempty"`
	// Type is the application type
	// Enum: [web native machine]
	Type string `json:"type,omitempty"`
}
Applications are API clients that access APIs managed by the integration service. Applications may provide user authentication flows. Applications are managed by the `oauth.Controller`. This library provides an incomplete base definition for application clients.
## API URLs This is an array of the application's allowed application uris. These are checked in the `/authorize` path to ensure the redirect is allowed by the application. This path on redirect will receive the following query parameters:
- `auth_request`: An encoded and signed request value to be forwarded to various posts.
## Redirect URIs This is an array of the application's allowed redirect uris. These are checked in the `/login` path to ensure the redirect is allowed by the application. This path on redirect will receive the following query parameters:
func (*Application) Scan ¶
func (m *Application) Scan(value interface{}) error
Scan reads a json value from the database into an Application.
type Audience ¶
// Audience is an API that applications request permission to access, on
// behalf of a user or on their own behalf. Its token settings decide how
// tokens issued for it are signed and verified.
type Audience interface {
	// Name is the name of the audience. This is used in token requests and token claims.
	Name() string
	// Description is the audience description
	Description() string
	// Permissions are the permissions the audience defines
	Permissions() Permissions
	// TokenAlgorithm is the audience token signing algorithm
	// Enum: [RS256 HS256]
	TokenAlgorithm() TokenAlgorithm
	// TokenLifetime is the lifetime for tokens created on behalf of this audience, in seconds
	TokenLifetime() int64
	// TokenSecret is the signing secret used if the algorithm is HS256.
	// It is a symmetric key: anything able to read it can also mint tokens for this audience.
	TokenSecret() string
	// VerifyKey returns the audience RSA public key used for token verification
	VerifyKey() interface{}
	// VerifyCertificate returns the x509 certificate used for token verification
	VerifyCertificate() (*x509.Certificate, error)
	// Principal is the implementation specific audience object
	Principal() interface{}
}
An Audience is an API that applications can request permission to access, on behalf of a user or on their own behalf.
type AuthCode ¶
// AuthCode is a code issued by the CodeStore for a completed authentication.
// It embeds the originating AuthRequest so the token endpoint can check the
// client, redirect uri and code challenge against the original request.
type AuthCode struct {
	AuthRequest
	// Code is the auth code value provided by the CodeStore
	Code string `json:"code,omitempty"`
	// IssuedAt is the time the code was issued on
	IssuedAt int64 `json:"issued_at,omitempty"`
	// RefreshNonce is the refresh token nonce
	RefreshNonce string `json:"refresh_nonce,omitempty"`
	// SessionID is the session id
	SessionID string `json:"session_id,omitempty"`
	// Subject is the session subject
	Subject string `json:"subject,omitempty"`
	// UserAuthenticated is false when the session was created in an SSO flow
	// without capturing user credentials. Some audiences may require credentials.
	UserAuthenticated bool `json:"user_authenticated,omitempty"`
}
AuthCodes are used by clients in browser-based flows to request BearerTokens.
Internally Authcodes are associated with an AuthRequest, which are not persisted until after authentication has completed successfully.
Additionally, the library uses AuthCodes to:
- store refresh tokens used when a client request offline_access.
- reset user passwords
func (AuthCode) MarshalJSON ¶
MarshalJSON marshals this object to a JSON structure
func (*AuthCode) UnmarshalJSON ¶
UnmarshalJSON unmarshals this object from a JSON structure
type AuthOption ¶
// AuthOption configures a single Authorizer.Authorize call by mutating the
// private authOptions; see WithScope, WithOptional and WithErrorPassthrough.
type AuthOption func(a *authOptions)
AuthOption is an authorizer option
func WithErrorPassthrough ¶ added in v0.1.17
func WithErrorPassthrough() AuthOption
WithErrorPassthrough passes the error in the context to the method
func WithIgnoreAudience ¶ added in v0.2.17
func WithIgnoreAudience() AuthOption
func WithOptional ¶
func WithOptional() AuthOption
WithOptional ignores missing auth tokens, but enforces present tokens
func WithScope ¶
func WithScope(scope ...Permissions) AuthOption
WithScope will create an api.Authorizer with the scope
type AuthRequest ¶
// AuthRequest carries the parameters of an /authorize call. It is encoded and
// signed by the authorization service and presented back on the POST to /login,
// so the service never trusts an unsigned copy of these values.
type AuthRequest struct {
	// Audience is the request audience
	// Required: true
	Audience string `json:"aud"`
	// ClientID is the request client id
	// Required: true
	ClientID string `json:"client_id"`
	// CodeChallenge is the request code challenge (PKCE)
	// Required: true
	// NOTE(review): documented as required but tagged omitempty on a pointer; confirm which is intended.
	CodeChallenge *string `json:"code_challenge,omitempty"`
	// CodeChallengeMethod is the request code challenge method
	// Enum: [S256]
	CodeChallengeMethod string `json:"code_challenge_method,omitempty"`
	// ExpiresAt is the request expiration epoch
	ExpiresAt int64 `json:"expires_at,omitempty"`
	// AppURI is the request app uri
	// Required: true
	AppURI string `json:"app_uri"`
	// RedirectURI is the request redirect uri
	// Required: true
	RedirectURI string `json:"redirect_uri"`
	// Scope is the requested scope
	Scope Permissions `json:"scope,omitempty"`
	// State is the request state, echoed back to the client
	State *string `json:"state,omitempty"`
	// Nonce is the request nonce
	Nonce *string `json:"nonce,omitempty"`
	// Subject is the request subject
	Subject *string `json:"subject,omitempty"`
}
AuthRequest An AuthRequest is generated by the `/authorize` call and passed to the `app_uri`. The properties of AuthRequest map to the parameters of the `/authorize` operation. This request is encoded and signed by the authorization service and must be passed in the POST to `/login` to validate the authentication request.
func (*AuthRequest) Scan ¶
func (m *AuthRequest) Scan(value interface{}) error
Scan reads a json value from the database into an AuthRequest.
type Authorizer ¶
// Authorizer builds api.Authorizer values that enforce oauth tokens on api
// methods. The AuthOptions select the required scope and whether a missing
// token is tolerated (WithOptional) or the error is passed through.
type Authorizer interface {
	// Authorize returns an api.Authorizer configured by opts
	Authorize(opts ...AuthOption) api.Authorizer
}
Authorizer is an oauth authorizer interface
func NewAuthorizer ¶
func NewAuthorizer(ctrl Controller, opts ...AuthorizerOption) Authorizer
NewAuthorizer returns a new oauth authorizer
type AuthorizerOption ¶
// AuthorizerOption configures the authorizer built by NewAuthorizer by
// mutating the private authorizer value.
type AuthorizerOption func(a *authorizer)
AuthorizerOption is an authorizer option
func SkipAudienceVerify ¶ added in v0.1.94
func SkipAudienceVerify() AuthorizerOption
func SkipClientVerify ¶ added in v0.1.94
func SkipClientVerify() AuthorizerOption
func WithPermitQueryToken ¶
func WithPermitQueryToken(permit bool) AuthorizerOption
WithPermitQueryToken enforces the user roles
type BearerToken ¶
// BearerToken is the response of the /token method. The access token is always
// present; the identity and refresh tokens depend on the granted scopes.
type BearerToken struct {
	// AccessToken is the token to be used for authorization
	// Required: true
	AccessToken string `json:"access_token"`
	// ExpiresIn is the time from `now` that the token expires
	// Required: true
	ExpiresIn int64 `json:"expires_in"`
	// IDToken is the identity token and contains claims about the user's identity. This token is
	// returned if the `openid` scope was granted.
	// If the `profile` scope was granted, this will contain the user profile.
	// These scopes are outside of the context of this library, it is up to the
	// provider to maintain these scopes.
	IDToken string `json:"id_token,omitempty"`
	// RefreshToken may be used to generate a new access token so client
	// and user credentials do not have to traverse the wire again.
	// It is provided if the `offline_access` scope is requested.
	// This scope is outside of the context of this library, it is up to the
	// provider to maintain it.
	RefreshToken string `json:"refresh_token,omitempty"`
	// TokenType is the token type, always Bearer
	// Required: true
	// Enum: [bearer]
	TokenType string `json:"token_type"`
	// BearerToken holds additional properties added by the platform. It is excluded
	// from default JSON encoding; MarshalJSON/UnmarshalJSON handle it.
	BearerToken map[string]map[string]interface{} `json:"-"`
}
BearerTokens are returned by the `/token` method. These tokens always include an `access_token` which can be used to access api methods from a related service. These are the only objects managed by the api itself. The integration is expected to implement the `oauth.Controller` interface.
func (BearerToken) MarshalJSON ¶
func (m BearerToken) MarshalJSON() ([]byte, error)
MarshalJSON marshals this object with additional properties into a JSON object
func (*BearerToken) Scan ¶
func (m *BearerToken) Scan(value interface{}) error
Scan reads a json value from the database into a BearerToken
func (*BearerToken) UnmarshalJSON ¶
func (m *BearerToken) UnmarshalJSON(data []byte) error
UnmarshalJSON unmarshals this object with additional properties from JSON
type Claims ¶
// Claims is the set of token claims, keyed by claim name. Typed accessors
// (Subject, Audience, ExpiresAt, ...) read the standard claims from the map.
type Claims map[string]interface{}
Claims is the set of token claims.
func ParseClaims ¶
func ParseClaims(ctx context.Context, bearer string, keyfn func(hdr map[string]interface{}, claims Claims) (interface{}, error)) (Claims, error)
ParseClaims parses the jwt token into claims
type CodeStore ¶
// CodeStore persists AuthCodes for the OAuth 2.0 authorization_code flow.
// Codes are single-use credentials: the store is expected to remove a code
// via AuthCodeDestroy once it has been exchanged.
type CodeStore interface {
	// AuthCodeCreate creates a new authcode from the request; if the code's expires at is set
	// the store should use that value, otherwise set the defaults
	AuthCodeCreate(context.Context, *AuthCode) error
	// AuthCodeGet returns a code from the store (ErrCodeNotFound if absent)
	AuthCodeGet(context.Context, string) (*AuthCode, error)
	// AuthCodeDestroy removes a code from the store
	AuthCodeDestroy(context.Context, string) error
}
CodeStore defines an AuthCode storage interface. AuthCodes are used by the OAuth 2.0 `authorization_code` flow.
type Context ¶
// Context is the oauth context attached to a request once the Authorizer has
// run. Fields that could not be resolved are left nil and Error records why.
type Context struct {
	// Controller is the backend used to resolve the request
	Controller Controller
	// Application is the client application that presented the token, if resolved
	Application *Application
	// Audience is the audience the token was issued for, if resolved
	Audience Audience
	// User is the authenticated user, if any
	User *User
	// Principal is the implementation specific user object returned by the Controller
	Principal interface{}
	// Token holds the validated claims of the bearer token
	Token Claims
	// Bearer is the raw bearer token string the claims were parsed from
	Bearer string
	// Request is the AuthRequest, when the context was built from one
	Request *AuthRequest
	// Error is the authorization error, surfaced to handlers with WithErrorPassthrough
	Error error
}
Context is the oauth context
type Controller ¶
// Controller is the interface implemented by consumers of the auth server.
// It provides the backend functionality for user, application and audience
// management, and for token signing, validation and revocation.
type Controller interface {
	// AudienceGet should return an audience for the specified name/id
	AudienceGet(ctx context.Context, name string) (Audience, error)
	// ApplicationGet should return an application for the specified client id
	ApplicationGet(ctx context.Context, clientID string) (*Application, error)
	// UserGet returns a user by a supported verifier
	UserGet(ctx context.Context, id interface{}) (*User, interface{}, error)
	// UserAuthenticate authenticates a user using the login and password.
	// This function should return an oauth user and the principal; on failure
	// presumably ErrAccessDenied (see the package errors) — confirm against callers.
	UserAuthenticate(ctx context.Context, login string, password string) (*User, interface{}, error)
	// UserCreate will create the user, optionally validating the invite code
	UserCreate(ctx context.Context, login string, password *string, profile *Profile, invite ...string) (*User, error)
	// UserUpdate updates a user profile
	UserUpdate(ctx context.Context, id string, profile *Profile) error
	// UserNotify should create an email or sms with the verification link or code for the user
	UserNotify(ctx context.Context, note Notification) error
	// UserResetPassword resets a user's password using a reset code
	UserResetPassword(ctx context.Context, login string, resetCode string) error
	// UserSetPassword will set a user's password
	UserSetPassword(ctx context.Context, sub string, password string) error
	// UserEntitlementsGet returns a list of user entitlements
	UserEntitlementsGet(ctx context.Context, sub string) ([]Entitlement, error)
	// TokenFinalize finalizes the token, signs it and returns the bearer
	TokenFinalize(ctx context.Context, claims Claims) (string, error)
	// TokenValidate validates the token signature and parses it into the Claims
	TokenValidate(ctx context.Context, bearerToken string) (Claims, error)
	// TokenGet gets a token by id
	TokenGet(ctx context.Context, id string) (Claims, error)
	// TokenRevoke revokes a token by id
	TokenRevoke(ctx context.Context, sub string, id string) error
}
Controller is the interface implemented by consumers of the auth server. It provides the backend functionality for user, application, and audience management.
type EmailClaim ¶
// EmailClaim holds the OpenID email claims; both fields are pointers so that
// an absent claim is omitted rather than encoded as an empty value.
type EmailClaim struct {
	// Email is the user's email address
	Email *string `json:"email,omitempty"`
	// EmailVerified is true if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP
	// took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed.
	// The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements
	// within which the parties are operating.
	EmailVerified *bool `json:"email_verified,omitempty"`
}
EmailClaim is the claim components for a user's email
func (EmailClaim) Validate ¶
func (e EmailClaim) Validate() error
Validate handles validation for the EmailClaim struct
type Entitlement ¶ added in v0.2.5
// Entitlement is a grant of access to services and resources held by a user.
// Entitlements are returned by Controller.UserEntitlementsGet.
type Entitlement interface {
	// ID returns the unique entitlement identifier
	ID() string
	// Audience is the entitlement audience
	Audience() string
	// Subject is the subject identifier of the entitlement owner
	Subject() string
	// ExpiresAt is the expiration for this entitlement (nil presumably means no expiry — confirm)
	ExpiresAt() *time.Time
	// Scope returns the required scope for the entitlement
	Scope() Permissions
	// Source is the entitlement source
	Source() string
	// Claims returns the entitlement claims, which are source specific
	Claims() Claims
}
Entitlement defines an interface for user entitlements that grant access to services and resources.
type ErrorCode ¶ added in v0.1.46
// ErrorCode is the machine-readable error code placed in oauth error
// responses; see the ErrorCode constants for the defined values.
type ErrorCode string
ErrorCode defines an oauth error code
// OAuth 2.0 error codes (RFC 6749 sections 4.1.2.1 and 5.2) used with Error and Errorf.
const (
	// ErrorCodeInvalidRequest: the request is missing a parameter or is otherwise malformed
	ErrorCodeInvalidRequest ErrorCode = "invalid_request"
	// ErrorCodeInvalidClient: client authentication failed
	ErrorCodeInvalidClient ErrorCode = "invalid_client"
	// ErrorCodeInvalidGrant: the grant or refresh token is invalid, expired or revoked
	ErrorCodeInvalidGrant ErrorCode = "invalid_grant"
	// ErrorCodeUnsupportedGrantType: the grant type is not supported by the server
	ErrorCodeUnsupportedGrantType ErrorCode = "unsupported_grant_type"
	// ErrorCodeInvalidScope: the requested scope is invalid or exceeds what was granted
	ErrorCodeInvalidScope ErrorCode = "invalid_scope"
	// ErrorCodeAccessDenied: the resource owner or server denied the request
	ErrorCodeAccessDenied ErrorCode = "access_denied"
	// ErrorCodeServerError: an unexpected condition prevented fulfilling the request
	ErrorCodeServerError ErrorCode = "server_error"
)
ErrorCode values are returned in responses to failed oauth endpoint requests.
type Notification ¶
// Notification is the message handed to Controller.UserNotify; the Controller
// delivers it over the requested Channels.
type Notification interface {
	// Type is the kind of notification (see the NotificationType constants)
	Type() NotificationType
	// Subject is the subject the notification is for
	Subject() string
	// Channels lists the channels to deliver on
	Channels() NotificationChannels
	// URI is the link to include, if any
	URI() *URI
	// Code is the code to include, if any
	Code() *string
	// Context holds additional template values
	Context() map[string]interface{}
}
Notification is a simple notification interface.
type NotificationChannel ¶
// NotificationChannel is the delivery channel of a Notification; see the
// NotificationChannel constants for the defined values.
type NotificationChannel string
NotificationChannel is the channel to notify
type NotificationChannels ¶
// NotificationChannels is a list of notification channels.
type NotificationChannels []NotificationChannel
NotificationChannels is a list of notification channels.
func (NotificationChannels) Contains ¶
func (n NotificationChannels) Contains(value NotificationChannel) bool
Contains returns true if the channel is in the list.
func (*NotificationChannels) UnmarshalText ¶ added in v0.1.40
func (n *NotificationChannels) UnmarshalText(v []byte) error
type NotificationType ¶
// NotificationType is the kind of a Notification; see the NotificationType
// constants for the defined values.
type NotificationType string
NotificationType is a notification type
func (NotificationType) String ¶
func (n NotificationType) String() string
type PermissionSet ¶
// PermissionSet is a set of permissions grouped by audience name.
type PermissionSet map[string]Permissions
PermissionSet is a set of permissions grouped by audience.
func (PermissionSet) Scan ¶
func (m PermissionSet) Scan(value interface{}) error
Scan reads a json value from the database into a PermissionSet
type Permissions ¶
// Permissions is a list of permission or scope names, used for both OAuth
// scopes and API ACL lists.
type Permissions []string
Permissions are used for both OAuth scopes and API ACL lists.
func Scope ¶
func Scope(s ...string) Permissions
Scope returns specified scopes as a Permissions type
func (Permissions) Contains ¶
func (s Permissions) Contains(value string) bool
Contains returns true if the scope contains the value.
func (Permissions) Empty ¶ added in v0.1.41
func (s Permissions) Empty() bool
Empty returns true if the scope has no elements.
func (Permissions) Every ¶
func (s Permissions) Every(elements ...string) bool
Every returns true if every element is contained in the scope
func (Permissions) Scan ¶
func (m Permissions) Scan(value interface{}) error
Scan reads a json value from the database into a Permissions
func (Permissions) Some ¶
func (s Permissions) Some(elements ...string) bool
Some returns true if at least one of the elements is contained in the scope
func (Permissions) Unique ¶ added in v0.1.28
func (s Permissions) Unique() Permissions
Unique returns a scope with only unique values.
func (Permissions) Value ¶
func (m Permissions) Value() (driver.Value, error)
Value returns Permissions as a value that can be stored as json in the database
func (Permissions) Without ¶
func (s Permissions) Without(elements ...string) Permissions
Without returns the scope excluding the elements
type PhoneClaim ¶
// PhoneClaim holds the OpenID phone number claims; both fields are pointers
// so that an absent claim is omitted rather than encoded as an empty value.
type PhoneClaim struct {
	// PhoneNumber is the user's phone number in E.164 format
	PhoneNumber *string `json:"phone_number,omitempty"`
	// PhoneNumberVerified is true if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP
	// took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed.
	// The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements
	// within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be
	// represented in RFC 3966 format.
	PhoneNumberVerified *bool `json:"phone_number_verified,omitempty"`
}
PhoneClaim is the claim components for a user's phone number
func (PhoneClaim) Validate ¶
func (p PhoneClaim) Validate() error
Validate handles validation for the PhoneClaim struct
type Profile ¶
// Profile is a profile object based on the OpenID Connect standard claims
// (https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims).
// NOTE(review): encoding/json only understands the "omitempty" (and "string")
// options, so "squash,flatten" on the embedded claims is presumably consumed by
// another decoder — confirm which codec reads these tags.
type Profile struct {
	*EmailClaim `json:",squash,flatten,omitempty"`
	*PhoneClaim `json:",squash,flatten,omitempty"`
	// Subject - Identifier for the End-User at the Issuer.
	Subject string `json:"sub,omitempty"`
	// Address is the End-User's postal address
	Address *Address `json:"address,omitempty"`
	// Birthdate is the End-User's birthday, represented as an ISO 8601:2004 [ISO8601-2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted.
	// To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just
	// year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates.
	// NOTE(review): a *time.Time encodes as RFC 3339 by default, not YYYY-MM-DD — confirm the intended wire format.
	Birthdate *time.Time `json:"birthdate,omitempty"`
	// FamilyName is the surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name;
	// all can be present, with the names being separated by space characters.
	FamilyName string `json:"family_name,omitempty"`
	// Gender is the End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither
	// of the defined values are applicable.
	Gender string `json:"gender,omitempty"`
	// GivenName is the given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names;
	// all can be present, with the names being separated by space characters.
	GivenName string `json:"given_name,omitempty"`
	// Locale is the End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639-1] language code in lowercase
	// and an ISO 3166-1 Alpha-2 [ISO3166-1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note,
	// some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept
	// this locale syntax as well.
	Locale *string `json:"locale,omitempty"`
	// MiddleName is the middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names;
	// all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.
	MiddleName string `json:"middle_name,omitempty"`
	// Name is the End-User's full name in displayable form including all name parts, possibly including titles and suffixes,
	// ordered according to the End-User's locale and preferences.
	Name string `json:"name,omitempty"`
	// Nickname is the casual name of the End-User that may or may not be the same as the given_name. For instance,
	// a nickname value of Mike might be returned alongside a given_name value of Michael.
	Nickname string `json:"nickname,omitempty"`
	// Picture is the URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file),
	// rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the
	// End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.
	Picture string `json:"picture,omitempty"`
	// PreferredUsername is the shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid
	// JSON string including special characters such as @, /, or whitespace. The RP MUST NOT rely upon this value being unique.
	PreferredUsername string `json:"preferred_username,omitempty"`
	// Profile is the URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.
	//
	// Format: uri
	Profile string `json:"profile,omitempty"`
	// UpdatedAt is the time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z
	// as measured in UTC until the date/time.
	UpdatedAt int64 `json:"updated_at,omitempty"`
	// Website is the URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an
	// organization that the End-User is affiliated with.
	Website string `json:"website,omitempty"`
	// Zoneinfo is a string from the zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.
	Zoneinfo string `json:"zoneinfo,omitempty"`
}
Profile A profile object based on the [openid connect standard](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims).
type Session ¶
// Session is a browser session created by a SessionStore. Write and Destroy
// operate on the HTTP response, so implementations decide the cookie details.
type Session interface {
	// ID is the session id
	ID() string
	// ClientID is the client that created the user session
	ClientID() string
	// Audience is the session audience
	Audience() string
	// Subject is the user subject id
	Subject() string
	// Scope is the session scope for the given audience
	Scope(aud string) Permissions
	// CreatedAt is the session creation time
	CreatedAt() time.Time
	// ExpiresAt is the session expiration time
	ExpiresAt() time.Time
	// Set sets a value in the session
	Set(key string, value interface{})
	// Get gets a value from the session
	Get(key string) interface{}
	// Write writes the session to the response
	Write(http.ResponseWriter) error
	// Destroy clears the session from the response
	Destroy(http.ResponseWriter) error
}
A Session is the interface for browser-based sessions.
type SessionStore ¶
// SessionStore provides session persistence for oauth user flows.
type SessionStore interface {
	// SessionCreate creates a new session, overwriting an existing session
	SessionCreate(context.Context, *http.Request) (Session, error)
	// SessionRead returns the session for the request (ErrSessionNotFound if absent)
	SessionRead(context.Context, *http.Request) (Session, error)
	// SessionDestroy should clean up the session in the response
	SessionDestroy(context.Context, http.ResponseWriter, *http.Request) error
}
SessionStore provides session persistence for oauth user flows
type TokenAlgorithm ¶ added in v0.2.0
// TokenAlgorithm identifies the JWS algorithm used to sign tokens; the
// supported values are the HS256 and RS256 constants.
type TokenAlgorithm string
TokenAlgorithm identifies a token signing algorithm.
// Audience-level aliases for the token algorithm enum values; they are equal
// to TokenAlgorithmRS256 and TokenAlgorithmHS256.
const (
	// AudienceTokenAlgorithmRS256 captures enum value "RS256"
	AudienceTokenAlgorithmRS256 TokenAlgorithm = "RS256"
	// AudienceTokenAlgorithmHS256 captures enum value "HS256"
	AudienceTokenAlgorithmHS256 TokenAlgorithm = "HS256"
)
func (TokenAlgorithm) String ¶ added in v0.2.0
func (t TokenAlgorithm) String() string
type URIList ¶
// URIList is a list of URIs with custom JSON marshaling.
type URIList []URI
URIList is a list of uris
func MakeURIList ¶
MakeURIList returns a Scope from the string scopes
func (URIList) MarshalJSON ¶
MarshalJSON handles json marshaling of this type
type User ¶
// User is the oauth user object. Permissions and Roles are grouped by
// audience; CurrentRoles selects the roles for the given context.
type User struct {
	// Login is the user's login
	//
	// Required: true
	Login string `json:"login"`
	// PasswordExpiresAt is the time the user password expires
	// Format: date-time
	// NOTE(review): omitempty has no effect on a struct value such as time.Time,
	// so a zero time is still emitted; use *time.Time if omission is intended.
	PasswordExpiresAt time.Time `json:"password_expires_at,omitempty"`
	// Permissions are the user's permissions, keyed by audience
	Permissions PermissionSet `json:"permissions,omitempty"`
	// Profile is the user's OpenID profile
	Profile *Profile `json:"profile,omitempty"`
	// Roles are the user's roles, keyed by audience
	Roles PermissionSet `json:"roles,omitempty"`
}
User is the user object.
func (User) CurrentRoles ¶
func (u User) CurrentRoles(ctx context.Context) Permissions
CurrentRoles returns the user roles in the given context