oauth

package
Published: Jul 22, 2020 License: MIT Imports: 9 Imported by: 0

Documentation

Overview

Package oauth provides the base auth interfaces

Index

Constants

// ApplicationTypeWeb captures the Application.Type enum value "web".
const ApplicationTypeWeb string = "web"

// ApplicationTypeNative captures the Application.Type enum value "native".
const ApplicationTypeNative string = "native"

// ApplicationTypeMachine captures the Application.Type enum value "machine".
const ApplicationTypeMachine string = "machine"
// AudienceTokenAlgorithmRS256 captures the Audience.TokenAlgorithm enum value "RS256"
// (RSA signature; verification needs only the public key).
const AudienceTokenAlgorithmRS256 string = "RS256"

// AudienceTokenAlgorithmHS256 captures the Audience.TokenAlgorithm enum value "HS256"
// (HMAC; the same Audience.TokenSecret both signs and verifies, so every
// holder of the secret can mint tokens).
const AudienceTokenAlgorithmHS256 string = "HS256"
// Scopes a client may request; the OpenID Connect ones are passed through
// to the provider, which is responsible for honouring them.
const (
	// ScopeOpenID is the scope that provides identity tokens
	ScopeOpenID = "openid"
	// ScopeProfile is the scope that provides profile claims in the identity token
	ScopeProfile = "profile"
	// ScopePrincipal is the scope that provides principal claims in the identity token
	ScopePrincipal = "principal"
	// ScopeOffline is the scope that allows a client to request refresh tokens
	ScopeOffline = "offline_access"
)

// Grant types an Application may be allowed (see Application.AllowedGrants).
const (
	// GrantTypeAuthCode is the auth code grant type
	GrantTypeAuthCode = "authorization_code"
	// GrantTypeRefreshToken is the refresh token offline_access token type
	GrantTypeRefreshToken = "refresh_token"
	// GrantTypeClientCredentials is the grant for machine-to-machine access
	GrantTypeClientCredentials = "client_credentials"
)
// AuthRequestCodeChallengeMethodS256 captures the AuthRequest.CodeChallengeMethod
// enum value "S256" — the only challenge method listed for the request's
// PKCE code_challenge.
const AuthRequestCodeChallengeMethodS256 string = "S256"
// BearerTokenTokenTypeBearer captures the BearerToken.TokenType enum value "bearer".
const BearerTokenTokenTypeBearer string = "bearer"

Variables

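// Sentinel errors returned by the library and expected from Controller,
// CodeStore and Authorizer implementations. Compare with errors.Is.
var (
	// ErrAccessDenied is returned when authentication has failed.
	// Implementations should return it for every failure reason (unknown
	// login, wrong password, ...) so that the response does not reveal which.
	ErrAccessDenied = errors.New("access denied")

	// ErrCodeNotFound is returned when the store could not find the code
	ErrCodeNotFound = errors.New("code not found")

	// ErrUnsupportedAlogrithm is returned when the Authorizer gets a bad token.
	// The identifier's spelling is kept as-is for compatibility with callers.
	ErrUnsupportedAlogrithm = errors.New("unsupported signing algorithm")

	// ErrInvalidToken is returned when the token is not valid
	ErrInvalidToken = errors.New("invalid token")

	// ErrPasswordLen is returned when a password does not meet length requirements
	ErrPasswordLen = errors.New("invalid password length")

	// ErrPasswordComplexity is returned if the password does not meet complexity requirements
	// (message fixed: was "password to simple")
	ErrPasswordComplexity = errors.New("password too simple")

	// ErrPasswordResuse is returned if the password does not meet the reuse constraints.
	// The identifier's spelling is kept as-is for compatibility with callers
	// (message fixed: was "password to reused").
	ErrPasswordResuse = errors.New("password reused")

	// ErrPasswordExpired is returned when the password has expired
	ErrPasswordExpired = errors.New("password expired")

	// ErrInvalidInviteCode is returned when an invitation code is bad
	ErrInvalidInviteCode = errors.New("bad invite code")
)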

Functions

This section is empty.

Types

type Address

// Address is the OpenID Connect address claim. Every field is a pointer and
// tagged omitempty, so an absent component is distinguishable from an empty
// string and is left out of the JSON encoding when nil.
type Address struct {

	// Country name component.
	Country *string `json:"country,omitempty"`

	// Full mailing address, formatted for display or use on a mailing label. This field MAY contain multiple lines, separated by newlines.
	// Newlines can be represented either as a carriage return/line feed pair ("\r\n") or as a single line feed character ("\n").
	//
	Formatted *string `json:"formatted,omitempty"`

	// City or locality component.
	Locality *string `json:"locality,omitempty"`

	// Zip code or postal code component.
	PostalCode *string `json:"postal_code,omitempty"`

	// State, province, prefecture, or region component.
	Region *string `json:"region,omitempty"`

	// Full street address component, which MAY include house number, street name, Post Office Box, and multi-line extended street address
	// information. This field MAY contain multiple lines, separated by newlines. Newlines can be represented either as a carriage return/line
	// feed pair ("\r\n") or as a single line feed character ("\n").
	//
	StreetAddress *string `json:"street_address,omitempty"`
}

Address is the OpenID address claim as defined in section 5.1.1 of the OpenID Connect Core 1.0 specification.

swagger:model Address

func (*Address) MarshalBinary added in v1.0.0

func (m *Address) MarshalBinary() ([]byte, error)

MarshalBinary interface implementation

func (*Address) UnmarshalBinary added in v1.0.0

func (m *Address) UnmarshalBinary(b []byte) error

UnmarshalBinary interface implementation

func (*Address) Validate

func (m *Address) Validate(formats strfmt.Registry) error

Validate validates this address

type Application

// Application is an API client (an OAuth client) managed by the
// oauth.Controller. All fields below carry a `json` tag, so the whole struct
// — including ClientSecret — is emitted by encoding/json.
type Application struct {

	// The applications allowed grant types
	// Required: true
	AllowedGrants []string `json:"allowed_grants"`

	// This is an array of the application's allowed application uris. These are checked
	// in the `/authorize` path to ensure the redirect is allowed by the application.
	// This path on redirect will receive the following query parameters:
	//   - `auth_request`: An encoded and signed request value to be forwarded to various posts.
	//
	// NOTE(review): how a requested uri is compared against this list (exact
	// match vs. prefix) is not visible here; exact match is the safe choice for
	// a redirect allow-list — confirm in the `/authorize` handler.
	AppUris []string `json:"app_uris"`

	// The application client id used for oauth grants
	// Read Only: true
	ClientID string `json:"client_id,omitempty"`

	// The application client secret used for oauth grants
	// Read Only: true
	// NOTE(review): tagged `json:"client_secret"`, so encoding an Application
	// (and presumably MarshalBinary) emits the secret; anything that returns an
	// Application to an API caller must clear this field first.
	ClientSecret string `json:"client_secret,omitempty"`

	// The application description
	Description string `json:"description,omitempty"`

	// The application name
	// Required: true
	Name string `json:"name"`

	// The application's authorized permissions
	Permissions map[string][]string `json:"permissions,omitempty"`

	// This is an array of the application's allowed redirect uris. These are checked
	// in the `/login` path to ensure the redirect is allowed by the application.
	// This path on redirect will receive the following query parameters:
	//   - `code`: A signed authorization code that can be passed to the `/token` path.
	//
	// NOTE(review): same allow-list comparison caveat as AppUris.
	RedirectUris []string `json:"redirect_uris"`

	// The lifetime for identity tokens in seconds, provided the call requested the
	// `openid` scopes.
	//
	TokenLifetime int64 `json:"token_lifetime,omitempty"`

	// The application type
	// Enum: [web native machine]
	Type string `json:"type,omitempty"`
}

Application Applications are API clients that access APIs managed by the integration service. Applications may provide user authentication flows. Applications are managed by the `oauth.Controller`.

swagger:model Application

func (*Application) MarshalBinary

func (m *Application) MarshalBinary() ([]byte, error)

MarshalBinary interface implementation

func (*Application) UnmarshalBinary

func (m *Application) UnmarshalBinary(b []byte) error

UnmarshalBinary interface implementation

func (*Application) Validate

func (m *Application) Validate(formats strfmt.Registry) error

Validate validates this application

type Audience

// Audience is an API that applications request permission to access.
// Tokens issued for an audience are signed with TokenAlgorithm; for HS256
// the key is TokenSecret, which this struct serializes (see the note there).
type Audience struct {

	// The audience description
	Description string `json:"description,omitempty"`

	// The name of the audience. This is used in token request and token claims.
	// This must match `/?[a-zA-Z0-9][a-zA-Z0-9_.-:]+`.
	//
	// Required: true
	Name string `json:"name"`

	// The audience available permissions
	Permissions []string `json:"permissions"`

	// The audience token signing algorithm
	// Enum: [RS256 HS256]
	TokenAlgorithm string `json:"token_algorithm,omitempty"`

	// The lifetime for tokens created on behalf of this audience, in seconds
	TokenLifetime int64 `json:"token_lifetime,omitempty"`

	// The signing secret used if the algorithm is HS256
	// NOTE(review): HS256 is symmetric — whoever holds this secret can mint
	// valid tokens, not just verify them. The field is tagged
	// `json:"token_secret"`, so encoding an Audience emits it; clear it before
	// returning an Audience to an API caller.
	TokenSecret string `json:"token_secret,omitempty"`
}

Audience An audience is an API that applications can request permission to access on behalf of a user or itself.

swagger:model Audience

func (*Audience) MarshalBinary added in v1.0.0

func (m *Audience) MarshalBinary() ([]byte, error)

MarshalBinary interface implementation

func (*Audience) UnmarshalBinary added in v1.0.0

func (m *Audience) UnmarshalBinary(b []byte) error

UnmarshalBinary interface implementation

func (*Audience) Validate added in v1.0.0

func (m *Audience) Validate(formats strfmt.Registry) error

Validate validates this audience

type AuthCode

// AuthCode is the stored authorization code handed to a client after login.
// It embeds the originating AuthRequest, so the request's audience, client
// id, code challenge, redirect uri, scope and expiry travel with the code.
type AuthCode struct {
	// AuthRequest holds the parameters of the `/authorize` call this code was issued for.
	AuthRequest

	// The auth code value provided by the CodeStore
	Code string `json:"code,omitempty"`

	// The time the code was issued on
	IssuedAt int64 `json:"issued_at,omitempty"`

	// The refresh token nonce
	RefreshNonce string `json:"refresh_nonce,omitempty"`

	// The session id
	SessionID string `json:"session_id,omitempty"`

	// The session subject
	Subject string `json:"subject,omitempty"`

	// If this is false the session was created in an SSO flow without capturing user credentials.
	// Some audiences may request credentials.
	//
	UserAuthenticated bool `json:"user_authenticated,omitempty"`
}

AuthCode: Authcodes are used by clients in browser-based flows to request BearerTokens. Internally, Authcodes are associated with an AuthRequest, which is not persisted until after authentication has completed successfully. Additionally, the library uses AuthCodes to store refresh tokens used when a client requests offline_access.

swagger:model AuthCode

func (*AuthCode) MarshalBinary

func (m *AuthCode) MarshalBinary() ([]byte, error)

MarshalBinary interface implementation

func (AuthCode) MarshalJSON

func (m AuthCode) MarshalJSON() ([]byte, error)

MarshalJSON marshals this object to a JSON structure

func (*AuthCode) UnmarshalBinary

func (m *AuthCode) UnmarshalBinary(b []byte) error

UnmarshalBinary interface implementation

func (*AuthCode) UnmarshalJSON

func (m *AuthCode) UnmarshalJSON(raw []byte) error

UnmarshalJSON unmarshals this object from a JSON structure

func (*AuthCode) Validate

func (m *AuthCode) Validate(formats strfmt.Registry) error

Validate validates this auth code

type AuthRequest

// AuthRequest carries the parameters of an `/authorize` call. It is encoded
// and signed by the authorization service and presented again on `/login`;
// CodeChallenge / CodeChallengeMethod are the PKCE parameters, and S256 is the
// only method listed in the enum.
type AuthRequest struct {

	// The request audience
	// Required: true
	Audience string `json:"audience"`

	// The request client id
	// Required: true
	ClientID string `json:"client_id"`

	// The request code challenge
	// Required: true
	CodeChallenge string `json:"code_challenge"`

	// The request code challenge method
	// Enum: [S256]
	CodeChallengeMethod string `json:"code_challenge_method,omitempty"`

	// The request expiration epoch
	// (CodeStore.CodeCreate's comment says the store uses this value when it is set.)
	ExpiresAt int64 `json:"expires_at,omitempty"`

	// The request redirect uri
	// Required: true
	RedirectURI string `json:"redirect_uri"`

	// The request scope
	Scope []string `json:"scope"`

	// The request state
	State *string `json:"state,omitempty"`
}

AuthRequest An AuthRequest is generated by the `/authorize` call and passed to the `app_uri`. The properties of AuthRequest map to the parameters of the `/authorize` operation. This request is encoded and signed by the authorization service and must be passed in the POST to `/login` to validate the authentication request.

swagger:model AuthRequest

func (*AuthRequest) MarshalBinary

func (m *AuthRequest) MarshalBinary() ([]byte, error)

MarshalBinary interface implementation

func (*AuthRequest) UnmarshalBinary

func (m *AuthRequest) UnmarshalBinary(b []byte) error

UnmarshalBinary interface implementation

func (*AuthRequest) Validate

func (m *AuthRequest) Validate(formats strfmt.Registry) error

Validate validates this auth request

type Authorizer

// Authorizer authorizes the bearer token carried by an HTTP request.
// AuthorizeRequest returns the resolved Context (token, application, audience,
// user and principal — see Context) or an error; a rejected token is expected
// to surface as ErrInvalidToken or ErrUnsupportedAlogrithm. The variadic
// `scope` presumably lists the scope sets the caller requires — confirm.
// NOTE(review): the package doc for this type still describes a
// (token, principal) return pair, which does not match this signature.
type Authorizer interface {
	AuthorizeRequest(r *http.Request, scope ...[]string) (Context, error)
}

Authorizer provides an interface for authorizing bearer tokens. The Authorizer should ensure the scope and should return the token with jwt.MapClaims. The first return value is the token, the second is the principal (*User or *Application).

type BearerToken

// BearerToken is the response body of the `/token` method. The tagged fields
// are the standard token response; the untagged BearerToken map holds extra
// properties that the type's own MarshalJSON/UnmarshalJSON handle.
type BearerToken struct {

	// The token to be used for authorization
	// Required: true
	AccessToken string `json:"access_token"`

	// The time from `now` that the token expires
	// Required: true
	ExpiresIn int64 `json:"expires_in"`

	// The identity token contains claims about the user's identity. This token is
	// returned if the `openid` scope was granted.
	// If the `profile` scope was granted, this will contain the user profile.
	// These scopes are outside of the context of this library, it is up to the
	// provider to maintain these scopes.
	//
	IDToken string `json:"id_token,omitempty"`

	// The refresh token may be used to generate a new access token so client
	// and user credentials do not have to traverse the wire again.
	// It is provided if the `offline_access` scope is requested.
	// These scopes are outside of the context of this library, it is up to the
	// provider to maintain these scopes.
	//
	RefreshToken string `json:"refresh_token,omitempty"`

	// The token type, always Bearer (see BearerTokenTokenTypeBearer)
	// Required: true
	// Enum: [bearer]
	TokenType string `json:"token_type"`

	// Additional properties added by the platform. Excluded from the default
	// encoding (`json:"-"`); merged into the JSON object by MarshalJSON.
	BearerToken map[string]map[string]interface{} `json:"-"`
}

BearerToken: BearerTokens are returned by the `/token` method. These tokens always include an `access_token` which can be used to access api methods from a related service. These are the only objects managed by the api itself. The integration is expected to implement the `oauth.Controller` interface.

swagger:model BearerToken

func (*BearerToken) MarshalBinary

func (m *BearerToken) MarshalBinary() ([]byte, error)

MarshalBinary interface implementation

func (BearerToken) MarshalJSON

func (m BearerToken) MarshalJSON() ([]byte, error)

MarshalJSON marshals this object with additional properties into a JSON object

func (*BearerToken) UnmarshalBinary

func (m *BearerToken) UnmarshalBinary(b []byte) error

UnmarshalBinary interface implementation

func (*BearerToken) UnmarshalJSON

func (m *BearerToken) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals this object with additional properties from JSON

func (*BearerToken) Validate

func (m *BearerToken) Validate(formats strfmt.Registry) error

Validate validates this bearer token

type CodeStore

// CodeStore persists AuthCodes for the `authorization_code` flow.
// Code values are bearer secrets: a store should treat them like session
// tokens (short-lived, looked up exactly, removed once redeemed).
type CodeStore interface {
	// CodeCreate creates a new authcode from the request if code expires at is set
	// the store should use that value, otherwise set the defaults
	CodeCreate(req *AuthCode) error

	// CodeGet returns a code from the store.
	// ErrCodeNotFound is the error declared for an unknown code.
	CodeGet(code string) (*AuthCode, error)

	// CodeDestroy removes a code from the store.
	// NOTE(review): presumably called after a successful `/token` exchange so a
	// code cannot be redeemed twice — confirm in the token handler.
	CodeDestroy(code string) error
}

CodeStore defines an AuthCode storage interface. AuthCodes are used by the OAuth 2.0 `authorization_code` flow.

type Context

// Context is the package's own request context (not context.Context): the
// application, audience, user, parsed token and implementor principal the
// Authorizer resolved for a request.
type Context interface {
	// Application is the client for the context
	Application() *Application

	// Audience is the context audience
	Audience() *Audience

	// User is the oauth user for the context
	// NOTE(review): may be nil for machine (client_credentials) contexts — confirm.
	User() *User

	// Token is the oauth token object
	Token() *jwt.Token

	// Principal is the implementor's opaque principal
	Principal() interface{}
}

Context provides the oauth user and underlying principal from the authorizer

type Controller

// Controller is the interface implemented by consumers of the auth server.
// The ctx argument on each method is this package's Context (see that
// interface), not context.Context.
type Controller interface {
	// ApplicationGet should return an application for the specified client id
	ApplicationGet(id string) (*Application, error)

	// AudienceGet should return an audience for the specified name
	AudienceGet(name string) (*Audience, error)

	// UserGet returns a user by subject id along with the underlying principal
	UserGet(ctx Context, id string) (*User, interface{}, error)

	// UserAuthenticate authenticates a user using the login and password
	// This function should return an oauth user and the principal
	// NOTE(review): on failure return ErrAccessDenied for both an unknown login
	// and a wrong password, so the response does not reveal which logins exist.
	UserAuthenticate(ctx Context, login string, password string) (*User, interface{}, error)

	// UserCreate will create the user, optionally validating the invite code
	// This method should send the user an email verification link with the format:
	// - https://domain.tld/oauth/verify?sub={user_id}&code={verify_code}&redirect_uri=/
	//
	// The library will call the controller's UserVerify method with this id and code
	UserCreate(ctx Context, user *User, password string, invite ...string) error

	// UserVerify should validate the code and update the user's email address as verified
	// NOTE(review): the verify code is a bearer secret sent in a URL; it should
	// be single-use and expire — confirm the implementation invalidates it.
	UserVerify(ctx Context, id string, code string) error

	// UserUpdate updates a user
	UserUpdate(ctx Context, user *User) error

	// UserResetPassword should notify the user with a reset password link
	// which includes the user's password reset code i.e.:
	// - https://domain.tld/setPassword?code={reset_code}
	//
	// These values should be posted along with the new password to `/oauth/passwordSet`
	// NOTE(review): same single-use / expiry expectation as the verify code.
	UserResetPassword(ctx Context, login string, resetCode string) error

	// UserSetPassword will set a user's password
	UserSetPassword(ctx Context, id string, password string) error

	// TokenFinalize allows the controller to modify any tokens before being returned.
	// claims is presumably the claim set that is then signed and issued, so any
	// key the controller writes or overwrites here ends up in the token — confirm.
	TokenFinalize(ctx Context, scope []string, claims map[string]interface{}) error
}

Controller is the interface implemented by consumers of the auth server

type ErrorResponse

// ErrorResponse is the common error body returned by the API.
type ErrorResponse struct {

	// The error message
	// Required: true
	Message string `json:"message"`
}

ErrorResponse A common error response

swagger:model ErrorResponse

func (*ErrorResponse) MarshalBinary

func (m *ErrorResponse) MarshalBinary() ([]byte, error)

MarshalBinary interface implementation

func (*ErrorResponse) UnmarshalBinary

func (m *ErrorResponse) UnmarshalBinary(b []byte) error

UnmarshalBinary interface implementation

func (*ErrorResponse) Validate

func (m *ErrorResponse) Validate(formats strfmt.Registry) error

Validate validates this error response

type Profile

// Profile holds the OpenID Connect standard claims for a user; it is carried
// by User.Profile and, per the ScopeProfile comment, surfaced in the identity
// token when the `profile` scope is granted.
type Profile struct {

	// Subject - Identifier for the End-User at the Issuer.
	//
	Subject string `json:"sub,omitempty"`

	// address
	Address *Address `json:"address,omitempty"`

	// End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted.
	// To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just
	// year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates.
	//
	// Format: date
	Birthdate *strfmt.Date `json:"birthdate,omitempty"`

	// The user's email address
	// Format: email
	Email strfmt.Email `json:"email,omitempty"`

	// True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP
	// took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed.
	// The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements
	// within which the parties are operating.
	//
	EmailVerified bool `json:"email_verified,omitempty"`

	// Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name;
	// all can be present, with the names being separated by space characters.
	//
	FamilyName string `json:"family_name,omitempty"`

	// End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither
	// of the defined values are applicable.
	//
	Gender string `json:"gender,omitempty"`

	// Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names;
	// all can be present, with the names being separated by space characters.
	//
	GivenName string `json:"given_name,omitempty"`

	// End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase
	// and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note,
	// some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept
	// this locale syntax as well.
	//
	Locale *string `json:"locale,omitempty"`

	// Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names;
	// all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.
	//
	MiddleName string `json:"middle_name,omitempty"`

	// End-User's full name in displayable form including all name parts, possibly including titles and suffixes,
	// ordered according to the End-User's locale and preferences.
	//
	Name string `json:"name,omitempty"`

	// Casual name of the End-User that may or may not be the same as the given_name. For instance,
	// a nickname value of Mike might be returned alongside a given_name value of Michael.
	//
	Nickname string `json:"nickname,omitempty"`

	// The user's phone number in E.164 format
	PhoneNumber string `json:"phone_number,omitempty"`

	// True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP
	// took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed.
	// The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements
	// within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be
	// represented in RFC 3966 format.
	//
	PhoneNumberVerified bool `json:"phone_number_verified,omitempty"`

	// URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file),
	// rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the
	// End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.
	//
	Picture string `json:"picture,omitempty"`

	// Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid
	// JSON string including special characters such as @, /, or whitespace. The RP MUST NOT rely upon this value being unique.
	//
	PreferredUsername string `json:"preferred_username,omitempty"`

	// URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.
	//
	// Format: uri
	Profile strfmt.URI `json:"profile,omitempty"`

	// Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z
	// as measured in UTC until the date/time.
	//
	UpdatedAt int64 `json:"updated_at,omitempty"`

	// URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an
	// organization that the End-User is affiliated with.
	//
	Website string `json:"website,omitempty"`

	// String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.
	//
	Zoneinfo string `json:"zoneinfo,omitempty"`
}

Profile A profile object based on the [openid connect standard](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims).

swagger:model Profile

func (*Profile) MarshalBinary added in v1.0.0

func (m *Profile) MarshalBinary() ([]byte, error)

MarshalBinary interface implementation

func (*Profile) UnmarshalBinary added in v1.0.0

func (m *Profile) UnmarshalBinary(b []byte) error

UnmarshalBinary interface implementation

func (*Profile) Validate

func (m *Profile) Validate(formats strfmt.Registry) error

Validate validates this profile

type Session

// Session is the browser-side session record that ties a session id to the
// authenticated subject and the client that created it.
type Session struct {

	// The client that created the user session
	ClientID string `json:"client_id,omitempty"`

	// The session creation time
	CreatedAt int64 `json:"created_at,omitempty"`

	// The session expiration time
	ExpiresAt int64 `json:"expires_at,omitempty"`

	// The session id
	// NOTE(review): this is the browser's credential for the session; how it is
	// generated is not visible here — it should come from a CSPRNG. Confirm.
	ID string `json:"id,omitempty"`

	// Subject is the user subject id
	Subject string `json:"subject,omitempty"`
}

Session: A Session is a browser-based session object that stores the currently authenticated user principal.

swagger:model Session

func (*Session) MarshalBinary

func (m *Session) MarshalBinary() ([]byte, error)

MarshalBinary interface implementation

func (*Session) UnmarshalBinary

func (m *Session) UnmarshalBinary(b []byte) error

UnmarshalBinary interface implementation

func (*Session) Validate

func (m *Session) Validate(formats strfmt.Registry) error

Validate validates this session

type User

// User is the library's view of an account: its login, password expiry,
// per-audience permissions and OpenID profile. The password itself is never
// part of this struct; it is passed separately to the Controller methods.
type User struct {

	// The user's login
	//
	// Required: true
	Login string `json:"login"`

	// The time the user's password expires (see ErrPasswordExpired)
	// Format: date-time
	PasswordExpiresAt strfmt.DateTime `json:"password_expires_at,omitempty"`

	// The user's authorized permissions, keyed on audience
	Permissions map[string][]string `json:"permissions,omitempty"`

	// profile
	Profile *Profile `json:"profile,omitempty"`
}

User A user is a user object

swagger:model User

func (*User) MarshalBinary

func (m *User) MarshalBinary() ([]byte, error)

MarshalBinary interface implementation

func (*User) UnmarshalBinary

func (m *User) UnmarshalBinary(b []byte) error

UnmarshalBinary interface implementation

func (*User) Validate

func (m *User) Validate(formats strfmt.Registry) error

Validate validates this user
