Constants ¶
// Values of the OpenID Connect client metadata field application_type.
const (
	// ApplicationTypeWeb is the string value for the OpenID Connect client
	// application_type web.
	ApplicationTypeWeb = "web"
	// ApplicationTypeNative is the string value for the OpenID Connect client
	// application_type native.
	ApplicationTypeNative = "native"
)
// Auth method string values as defined by OpenID Connect Core 1.0 (section 9,
// Client Authentication). They name how a client proves its identity at the
// token endpoint.
const (
	// AuthMethodClientSecretPost sends the client secret in the request body.
	AuthMethodClientSecretPost = "client_secret_post"
	// AuthMethodClientSecretBasic sends the client secret via HTTP Basic authentication.
	AuthMethodClientSecretBasic = "client_secret_basic"
	// AuthMethodClientSecretJWT authenticates with a JWT whose HMAC uses the client secret as key.
	AuthMethodClientSecretJWT = "client_secret_jwt"
	// AuthMethodPrivateKeyJWT authenticates with a JWT signed by the client's registered private key.
	AuthMethodPrivateKeyJWT = "private_key_jwt"
	// AuthMethodNone is used by public clients, which do not authenticate at the token endpoint.
	AuthMethodNone = "none"
)
Auth method string values as defined by OpenID Connect Core 1.0.
// Standard claims as used in JSON Web Tokens (RFC 7519, section 4.1).
const (
	IssuerIdentifierClaim  = "iss" // issuer of the token
	SubjectIdentifierClaim = "sub" // principal the token is about
	AudienceClaim          = "aud" // intended recipients of the token
	ExpirationClaim        = "exp" // expiration time, seconds since the Unix epoch
	IssuedAtClaim          = "iat" // issue time, seconds since the Unix epoch
)
Standard claims as used in JSON Web Tokens.
// Additional claims as defined by OIDC (OpenID Connect Core 1.0, section 5.1
// standard claims; auth_time is the ID Token claim from section 2).
const (
	// Claims released by the profile scope.
	NameClaim              = "name"
	FamilyNameClaim        = "family_name"
	GivenNameClaim         = "given_name"
	MiddleNameClaim        = "middle_name"
	NicknameClaim          = "nickname"
	PreferredUsernameClaim = "preferred_username"
	ProfileClaim           = "profile"
	PictureClaim           = "picture"
	WebsiteClaim           = "website"
	GenderClaim            = "gender"
	BirthdateClaim         = "birthdate"
	ZoneinfoClaim          = "zoneinfo"
	LocaleClaim            = "locale"
	UpdatedAtClaim         = "updated_at"
	// Claims released by the email scope.
	EmailClaim         = "email"
	EmailVerifiedClaim = "email_verified"
	// AuthTimeClaim is the time of the end-user authentication.
	AuthTimeClaim = "auth_time"
)
Additional claims as defined by OIDC.
// Code challenge methods implemented by Konnect. See
// https://tools.ietf.org/html/rfc7636. RFC 7636 requires clients that can
// compute SHA-256 to use S256; plain exists only for clients that cannot,
// since with plain the verifier itself travels in the authorization request.
const (
	// PlainCodeChallengeMethod means code_challenge == code_verifier.
	PlainCodeChallengeMethod = "plain"
	// S256CodeChallengeMethod means code_challenge == BASE64URL(SHA256(code_verifier)).
	S256CodeChallengeMethod = "S256"
)
Code challenge methods implemented by Konnect. See https://tools.ietf.org/html/rfc7636.
// OIDC and OAuth2 error codes. These are the values carried in the "error"
// member of an error response (OAuth2Error.ErrorID).
const (
	// Authorization and token endpoint errors from RFC 6749 (sections 4.1.2.1 and 5.2).
	ErrorOAuth2UnsupportedResponseType = "unsupported_response_type"
	ErrorOAuth2InvalidRequest          = "invalid_request"
	// Bearer token errors from RFC 6750, section 3.1.
	ErrorOAuth2InvalidToken      = "invalid_token"
	ErrorOAuth2InsufficientScope = "insufficient_scope"
	ErrorOAuth2InvalidGrant          = "invalid_grant"
	ErrorOAuth2UnsupportedGrantType  = "unsupported_grant_type"
	ErrorOAuth2AccessDenied          = "access_denied"
	ErrorOAuth2ServerError           = "server_error"
	// Authentication error responses from OpenID Connect Core 1.0, section 3.1.2.6.
	ErrorOIDCInteractionRequired    = "interaction_required"
	ErrorOIDCLoginRequired          = "login_required"
	ErrorOIDCConsentRequired        = "consent_required"
	ErrorOIDCRequestNotSupported    = "request_not_supported"
	ErrorOIDCInvalidRequestObject   = "invalid_request_object"
	ErrorOIDCRequestURINotSupported = "request_uri_not_supported"
	ErrorOIDCRegistrationNotSupported = "registration_not_supported"
	// Client registration errors from OpenID Connect Dynamic Client Registration 1.0, section 3.3.
	ErrorOIDCInvalidRedirectURI    = "invalid_redirect_uri"
	ErrorOIDCInvalidClientMetadata = "invalid_client_metadata"
)
OIDC and OAuth2 error codes.
// OIDC response types and flows. Response type values are the space
// separated response_type parameter of the authentication request.
const (
	ResponseTypeCode             = "code"                // OIDC code flow
	ResponseTypeIDTokenToken     = "id_token token"      // OIDC implicit flow
	ResponseTypeIDToken          = "id_token"            // OIDC implicit flow
	ResponseTypeCodeIDToken      = "code id_token"       // OIDC hybrid flow
	ResponseTypeCodeToken        = "code token"          // OIDC hybrid flow
	ResponseTypeCodeIDTokenToken = "code id_token token" // OIDC hybrid flow
	ResponseTypeToken            = "token"               // OAuth2

	// Response modes select where the authorization response parameters are
	// placed in the redirect URI. Response types that return tokens use the
	// fragment so tokens stay out of server logs and Referer headers; query
	// is only appropriate for the code flow.
	ResponseModeFragment = "fragment"
	ResponseModeQuery    = "query"

	// Flow names group the response types above.
	FlowCode     = "code"
	FlowImplicit = "implicit"
	FlowHybrid   = "hybrid"
)
OIDC response types and flows.
// Grant type string values accepted in the grant_type parameter of token
// requests (RFC 6749 and OpenID Connect Core 1.0).
const (
	// GrantTypeAuthorizationCode is the string value for the
	// OAuth2 authorization code token request grant type.
	GrantTypeAuthorizationCode = "authorization_code"
	// GrantTypeImplicit is the string value for the OAuth2 id_token, token
	// id_token token request grant type.
	GrantTypeImplicit = "implicit"
	// GrantTypeRefreshToken is the string value for the OAuth2 refresh_token
	// token request grant_type.
	GrantTypeRefreshToken = "refresh_token"
)
// OIDC prompt values. See http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
const (
	// PromptNone requests that no authentication or consent UI is displayed;
	// the request fails with an error if that is not possible.
	PromptNone = "none"
	// PromptLogin requests that the end-user is re-authenticated.
	PromptLogin = "login"
	// PromptConsent requests that the end-user is asked for consent again.
	PromptConsent = "consent"
	// PromptSelectAccount requests that the end-user is asked to choose an account.
	PromptSelectAccount = "select_account"
)
OIDC prompt values. See http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
// Scope string values understood by Konnect (OpenID Connect Core 1.0,
// sections 3.1.2.1 and 5.4; offline_access from section 11).
const (
	// ScopeOpenID is the string value of the base OIDC scope.
	ScopeOpenID = "openid"
	// ScopeProfile is the string value of the OIDC profile scope.
	ScopeProfile = "profile"
	// ScopeEmail is the string value of the OIDC email scope.
	ScopeEmail = "email"
	// ScopeOfflineAccess is the string value of the OIDC offline_access scope.
	ScopeOfflineAccess = "offline_access"
)
// Token header as used in JSON web tokens (RFC 7515, section 4.1). Both
// headers arrive unauthenticated in an incoming token, so a verifier should
// only accept an alg it expects for the selected key rather than trusting the
// header value.
const (
	JWTHeaderKeyID = "kid" // identifies the key used to sign the token
	JWTHeaderAlg   = "alg" // signing algorithm, see HashFromSigningMethod
)
Token header as used in JSON web tokens.
// KonnectIDTokenSubjectSaltV1 is the salt value used when hashing Subjects in
// ID tokens created by Konnect. The salt is a compile-time constant, so it
// provides domain separation (a versioned namespace for the hashed subject),
// not secrecy.
const KonnectIDTokenSubjectSaltV1 = "konnect-IDToken-v1"
KonnectIDTokenSubjectSaltV1 is the salt value used when hasing Subjects in ID tokens created by Konnect.
// Additional claims as defined by OIDC extensions.
const (
	// SessionIDClaim identifies the end-user session at the OpenID Provider,
	// see SessionClaims.
	SessionIDClaim = "sid"
)
Additional claims as defined by OIDC extensions.
// Subject Identifier Types supported by Konnect.
const (
	// SubjectIDPublic is the string value of the Subject Identifier Type
	// as defined in https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
	SubjectIDPublic = "public"
)
// TokenTypeBearer is required for OIDC as defined in
// http://openid.net/specs/openid-connect-core-1_0.html. It is the token_type
// value of token responses and the scheme of the Authorization header.
const TokenTypeBearer = "Bearer"
TokenTypeBearer is required for OIDC as defined in http://openid.net/specs/openid-connect-core-1_0.html.
Functions ¶
func HashFromSigningMethod ¶
HashFromSigningMethod returns the matching crypto.Hash for the provided signing alg.
func IsErrorWithID ¶
IsErrorWithID returns true if the given error is an OAuth2Error with the given ID.
func NewOAuth2Error ¶
func NewOAuth2Error(id string, description string) utils.ErrorWithDescription
NewOAuth2Error creates a new error with id and description.
func ValidateCodeChallenge ¶
ValidateCodeChallenge implements https://tools.ietf.org/html/rfc7636#section-4.6 code challenge verification.
func WriteWWWAuthenticateError ¶
func WriteWWWAuthenticateError(rw http.ResponseWriter, code int, err error)
WriteWWWAuthenticateError writes the provided error with the provided HTTP status code to the provided HTTP response writer as a WWW-Authenticate header with comma separated fields for id and description.
Types ¶
type EmailClaims ¶
// EmailClaims define the claims for the OIDC email scope.
// https://openid.net/specs/openid-connect-basic-1_0.html#Scopes
type EmailClaims struct {
	// Email is the end-user's preferred e-mail address.
	Email string `json:"email,omitempty"`
	// EmailVerified reports whether the issuer has verified Email. It has no
	// omitempty, so an unverified address is serialized as false rather than
	// as a missing key.
	EmailVerified bool `json:"email_verified"`
}
EmailClaims define the claims for the OIDC email scope. https://openid.net/specs/openid-connect-basic-1_0.html#Scopes
func NewEmailClaims ¶
func NewEmailClaims(claims jwt.Claims) *EmailClaims
NewEmailClaims returns a new EmailClaims set from the provided jwt.Claims, or nil.
func (EmailClaims) Valid ¶
func (c EmailClaims) Valid() error
Valid implements the jwt.Claims interface.
type IDTokenClaims ¶
// IDTokenClaims define the claims found in OIDC ID Tokens.
type IDTokenClaims struct {
	jwt.StandardClaims
	// Nonce echoes the nonce of the authentication request, binding the
	// ID Token to that request (OpenID Connect Core 1.0, section 2).
	Nonce string `json:"nonce,omitempty"`
	// AuthTime is the time of the end-user authentication, seconds since the
	// Unix epoch.
	AuthTime int64 `json:"auth_time,omitempty"`
	// AccessTokenHash is the at_hash claim: the left-most half of the hash
	// of the access token issued together with this ID Token (see LeftmostHash).
	AccessTokenHash string `json:"at_hash,omitempty"`
	// CodeHash is the c_hash claim: the left-most half of the hash of the
	// authorization code issued together with this ID Token (see LeftmostHash).
	CodeHash string `json:"c_hash,omitempty"`
	// Scope-specific claims; presumably nil when the corresponding scope was
	// not granted — confirm against the callers that build ID tokens.
	*ProfileClaims
	*EmailClaims
	*SessionClaims
}
IDTokenClaims define the claims found in OIDC ID Tokens.
func (IDTokenClaims) Valid ¶
func (c IDTokenClaims) Valid() (err error)
Valid implements the jwt.Claims interface.
type LeftmostHashBytes ¶
// LeftmostHashBytes defines []bytes with Base64URL encoder via String(). It
// holds the left-most half of a digest as produced by LeftmostHash, the form
// used by the at_hash and c_hash ID Token claims.
type LeftmostHashBytes []byte
LeftmostHashBytes defines []bytes with Base64URL encoder via String().
func LeftmostHash ¶
func LeftmostHash(data []byte, hash crypto.Hash) LeftmostHashBytes
LeftmostHash hashes the provided data with the provided hash function and returns the left-most half of the hashed bytes.
func (LeftmostHashBytes) String ¶
func (lmhb LeftmostHashBytes) String() string
String returns the Base64URL encoded string of the associated bytes.
type OAuth2Error ¶
// OAuth2Error defines a general OAuth2 error with id and description. Its
// JSON form matches the error response of RFC 6749, section 5.2.
type OAuth2Error struct {
	// ErrorID is the error code, one of the ErrorOAuth2* / ErrorOIDC* values.
	ErrorID string `json:"error"`
	// ErrorDescription is the human readable text returned to the client.
	ErrorDescription string `json:"error_description"`
}
OAuth2Error defines a general OAuth2 error with id and description.
func (*OAuth2Error) Description ¶
func (err *OAuth2Error) Description() string
Description implements the ErrorWithDescription interface.
func (*OAuth2Error) Error ¶
func (err *OAuth2Error) Error() string
Error implements the error interface.
type ProfileClaims ¶
// ProfileClaims define the claims for the OIDC profile scope.
// https://openid.net/specs/openid-connect-basic-1_0.html#Scopes
// Only the subset of profile claims listed here is carried; the other
// profile claim names are defined by the *Claim constants.
type ProfileClaims struct {
	// Name is the end-user's full name.
	Name string `json:"name,omitempty"`
	// FamilyName is the end-user's surname(s).
	FamilyName string `json:"family_name,omitempty"`
	// GivenName is the end-user's given name(s).
	GivenName string `json:"given_name,omitempty"`
	// PreferredUsername is the shorthand name the end-user wishes to be
	// referred to as.
	PreferredUsername string `json:"preferred_username,omitempty"`
}
ProfileClaims define the claims for the OIDC profile scope. https://openid.net/specs/openid-connect-basic-1_0.html#Scopes
func NewProfileClaims ¶
func NewProfileClaims(claims jwt.Claims) *ProfileClaims
NewProfileClaims returns a new ProfileClaims set from the provided jwt.Claims, or nil.
func (ProfileClaims) Valid ¶
func (c ProfileClaims) Valid() error
Valid implements the jwt.Claims interface.
type SessionClaims ¶
// SessionClaims define claims related to front end sessions, for example as
// specified by https://openid.net/specs/openid-connect-frontchannel-1_0.html
type SessionClaims struct {
	// SessionID is the sid claim (SessionIDClaim) identifying the end-user
	// session at the OpenID Provider.
	SessionID string `json:"sid,omitempty"`
}
SessionClaims define claims related to front end sessions, for example as specified by https://openid.net/specs/openid-connect-frontchannel-1_0.html
type UserInfoClaims ¶
// UserInfoClaims define the claims of the OIDC UserInfo endpoint.
type UserInfoClaims struct {
	// Subject is the sub claim (SubjectIdentifierClaim) of the end-user.
	Subject string `json:"sub,omitempty"`
}
UserInfoClaims define the claims of the OIDC UserInfo endpoint.
func (UserInfoClaims) Valid ¶
func (c UserInfoClaims) Valid() error
Valid implements the jwt.Claims interface.