oidc

package

Documentation

Constants

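// Client application_type values as defined by OpenID Connect Dynamic
// Client Registration 1.0 (client metadata).
const (
	// ApplicationTypeWeb is the string value for the OpenID Connect client
	// application_type web.
	ApplicationTypeWeb = "web"

	// ApplicationTypeNative is the string value for the OpenID Connect client
	// application_type native.
	ApplicationTypeNative = "native"
)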
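const (
	// AuthMethodClientSecretPost is the client_secret_post method: the
	// client secret is sent as a parameter in the token request body.
	AuthMethodClientSecretPost = "client_secret_post"

	// AuthMethodClientSecretBasic is the client_secret_basic method: the
	// client credentials are sent via HTTP Basic authentication.
	AuthMethodClientSecretBasic = "client_secret_basic"

	// AuthMethodClientSecretJWT is the client_secret_jwt method: the client
	// presents a JWT signed (HMAC) with its client secret.
	AuthMethodClientSecretJWT = "client_secret_jwt"

	// AuthMethodPrivateKeyJWT is the private_key_jwt method: the client
	// presents a JWT signed with its registered private key.
	AuthMethodPrivateKeyJWT = "private_key_jwt"

	// AuthMethodNone is the none method: the client does not authenticate
	// at the token endpoint (public clients). Such clients must be treated
	// as unauthenticated for every decision that depends on client identity.
	AuthMethodNone = "none"
)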

Auth method string values as defined by OpenID Connect Core 1.0.

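const (
	// IssuerIdentifierClaim is the "iss" claim: the principal that issued
	// the token.
	IssuerIdentifierClaim = "iss"

	// SubjectIdentifierClaim is the "sub" claim: the principal that is the
	// subject of the token.
	SubjectIdentifierClaim = "sub"

	// AudienceClaim is the "aud" claim: the recipient(s) the token is
	// intended for.
	AudienceClaim = "aud"

	// ExpirationClaim is the "exp" claim: the time on or after which the
	// token must not be accepted.
	ExpirationClaim = "exp"

	// IssuedAtClaim is the "iat" claim: the time at which the token was
	// issued.
	IssuedAtClaim = "iat"
)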

Standard claims as used in JSON Web Tokens.

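const (
	// NameClaim is the "name" claim: the end user's full name.
	NameClaim = "name"

	// FamilyNameClaim is the "family_name" claim: the end user's surname(s).
	FamilyNameClaim = "family_name"

	// GivenNameClaim is the "given_name" claim: the end user's given name(s).
	GivenNameClaim = "given_name"

	// MiddleNameClaim is the "middle_name" claim: the end user's middle name(s).
	MiddleNameClaim = "middle_name"

	// NicknameClaim is the "nickname" claim: the end user's casual name.
	NicknameClaim = "nickname"

	// PreferredUsernameClaim is the "preferred_username" claim: a shorthand
	// name the end user wishes to be referred to by. Per the spec it is not
	// guaranteed to be unique, so it must not be used as an identifier.
	PreferredUsernameClaim = "preferred_username"

	// ProfileClaim is the "profile" claim: URL of the end user's profile page.
	ProfileClaim = "profile"

	// PictureClaim is the "picture" claim: URL of the end user's profile picture.
	PictureClaim = "picture"

	// WebsiteClaim is the "website" claim: URL of the end user's web page.
	WebsiteClaim = "website"

	// GenderClaim is the "gender" claim.
	GenderClaim = "gender"

	// BirthdateClaim is the "birthdate" claim.
	BirthdateClaim = "birthdate"

	// ZoneinfoClaim is the "zoneinfo" claim: the end user's time zone.
	ZoneinfoClaim = "zoneinfo"

	// LocaleClaim is the "locale" claim: the end user's locale.
	LocaleClaim = "locale"

	// UpdatedAtClaim is the "updated_at" claim: the time the end user's
	// information was last updated.
	UpdatedAtClaim = "updated_at"

	// EmailClaim is the "email" claim: the end user's preferred e-mail address.
	EmailClaim = "email"

	// EmailVerifiedClaim is the "email_verified" claim: whether the issuer
	// has verified the end user's e-mail address.
	EmailVerifiedClaim = "email_verified"

	// AuthTimeClaim is the "auth_time" claim: the time the end user
	// authenticated.
	AuthTimeClaim = "auth_time"
)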

Additional claims as defined by OIDC.

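const (
	// PlainCodeChallengeMethod is the "plain" PKCE method: the code
	// challenge is the code verifier itself. RFC 7636 Section 4.2 permits it
	// only for clients that cannot support S256.
	PlainCodeChallengeMethod = "plain"

	// S256CodeChallengeMethod is the "S256" PKCE method: the code challenge
	// is the Base64URL encoding of the SHA-256 hash of the code verifier.
	S256CodeChallengeMethod = "S256"
)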

Code challenge methods implemented by Konnect. See https://tools.ietf.org/html/rfc7636.

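const (
	// ErrorOAuth2UnsupportedResponseType is returned when the server does not
	// support obtaining an authorization code or token by the requested
	// method (RFC 6749 Section 4.1.2.1).
	ErrorOAuth2UnsupportedResponseType = "unsupported_response_type"

	// ErrorOAuth2InvalidRequest is returned when the request is missing a
	// required parameter, includes an invalid or repeated parameter, or is
	// otherwise malformed (RFC 6749 Section 4.1.2.1 / 5.2).
	ErrorOAuth2InvalidRequest = "invalid_request"

	// ErrorOAuth2InvalidToken is returned when the access token is expired,
	// revoked, malformed or otherwise invalid (RFC 6750 Section 3.1).
	ErrorOAuth2InvalidToken = "invalid_token"

	// ErrorOAuth2InsufficientScope is returned when the request needs more
	// privileges than the access token provides (RFC 6750 Section 3.1).
	ErrorOAuth2InsufficientScope = "insufficient_scope"

	// ErrorOAuth2InvalidGrant is returned when the authorization grant or
	// refresh token is invalid, expired, revoked, or issued to another
	// client (RFC 6749 Section 5.2).
	ErrorOAuth2InvalidGrant = "invalid_grant"

	// ErrorOAuth2UnsupportedGrantType is returned when the grant type is not
	// supported by the server (RFC 6749 Section 5.2).
	ErrorOAuth2UnsupportedGrantType = "unsupported_grant_type"

	// ErrorOAuth2AccessDenied is returned when the resource owner or server
	// denied the request (RFC 6749 Section 4.1.2.1).
	ErrorOAuth2AccessDenied = "access_denied"

	// ErrorOAuth2ServerError is returned on an unexpected server condition
	// (RFC 6749 Section 4.1.2.1).
	ErrorOAuth2ServerError = "server_error"

	// ErrorOAuth2TemporarilyUnavailable is returned when the server is
	// temporarily overloaded or under maintenance (RFC 6749 Section 4.1.2.1).
	ErrorOAuth2TemporarilyUnavailable = "temporarily_unavailable"

	// ErrorOIDCInteractionRequired is returned when end-user interaction is
	// needed but the request asked for none (OIDC Core Section 3.1.2.6).
	ErrorOIDCInteractionRequired = "interaction_required"

	// ErrorOIDCLoginRequired is returned when end-user authentication is
	// needed but the request asked for none (OIDC Core Section 3.1.2.6).
	ErrorOIDCLoginRequired = "login_required"

	// ErrorOIDCConsentRequired is returned when end-user consent is needed
	// but the request asked for none (OIDC Core Section 3.1.2.6).
	ErrorOIDCConsentRequired = "consent_required"

	// ErrorOIDCRequestNotSupported is returned when the request parameter
	// (request object by value) is not supported.
	ErrorOIDCRequestNotSupported = "request_not_supported"

	// ErrorOIDCInvalidRequestObject is returned when the request object is
	// invalid.
	ErrorOIDCInvalidRequestObject = "invalid_request_object"

	// ErrorOIDCRequestURINotSupported is returned when the request_uri
	// parameter is not supported.
	ErrorOIDCRequestURINotSupported = "request_uri_not_supported"

	// ErrorOIDCRegistrationNotSupported is returned when the registration
	// parameter is not supported.
	ErrorOIDCRegistrationNotSupported = "registration_not_supported"

	// ErrorOIDCInvalidRedirectURI is the dynamic client registration error
	// for an invalid redirect_uris value.
	ErrorOIDCInvalidRedirectURI = "invalid_redirect_uri"

	// ErrorOIDCInvalidClientMetadata is the dynamic client registration
	// error for otherwise invalid client metadata.
	ErrorOIDCInvalidClientMetadata = "invalid_client_metadata"
)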

OIDC and OAuth2 error codes.

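const (
	ResponseTypeCode             = "code"                // OIDC code flow
	ResponseTypeIDTokenToken     = "id_token token"      // OIDC implicit flow
	ResponseTypeIDToken          = "id_token"            // OIDC implicit flow
	ResponseTypeCodeIDToken      = "code id_token"       // OIDC hybrid flow
	ResponseTypeCodeToken        = "code token"          // OIDC hybrid flow
	ResponseTypeCodeIDTokenToken = "code id_token token" // OIDC hybrid flow
	ResponseTypeToken            = "token"               // OAuth2 implicit grant

	// Response modes select where the authorization response parameters
	// are delivered on the redirect_uri.
	ResponseModeFragment = "fragment" // parameters in the URL fragment
	ResponseModeQuery    = "query"    // parameters in the URL query string

	// Flow names classify the response types above. Note that the implicit
	// and hybrid flows deliver tokens in the front channel; the OAuth 2.0
	// Security Best Current Practice recommends the code flow (with PKCE)
	// over the implicit flow.
	FlowCode     = "code"     // authorization code flow
	FlowImplicit = "implicit" // implicit flow
	FlowHybrid   = "hybrid"   // hybrid flow
)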

OIDC response types and flows.

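// Grant type string values as used for the OAuth2 grant_type token request
// parameter and the grant_types client metadata.
const (
	// GrantTypeAuthorizationCode is the string value for the
	// OAuth2 authorization code token request grant type.
	GrantTypeAuthorizationCode = "authorization_code"

	// GrantTypeImplicit is the string value for the OAuth2 id_token, token
	// id_token token request grant type. The implicit flow does not use the
	// token endpoint, so this value appears in client metadata only.
	GrantTypeImplicit = "implicit"

	// GrantTypeRefreshToken is the string value for the OAuth2 refresh_token
	// token request grant_type.
	GrantTypeRefreshToken = "refresh_token"
)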
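const (
	// PromptNone asks the server not to display any authentication or
	// consent UI; if interaction would be needed, an error such as
	// login_required or consent_required is returned instead.
	PromptNone = "none"

	// PromptLogin asks the server to re-authenticate the end user even if a
	// session already exists.
	PromptLogin = "login"

	// PromptConsent asks the server to prompt the end user for consent even
	// if consent was previously given.
	PromptConsent = "consent"

	// PromptSelectAccount asks the server to prompt the end user to select
	// one of their accounts.
	PromptSelectAccount = "select_account"
)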

OIDC prompt values. See http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

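// Scope string values defined by OpenID Connect Core 1.0.
const (
	// ScopeOpenID is the string value of the base OIDC scope. It must be
	// present for a request to be an OpenID Connect request.
	ScopeOpenID = "openid"

	// ScopeProfile is the string value of the OIDC profile scope; it
	// requests the default profile claims (see ProfileClaims).
	ScopeProfile = "profile"

	// ScopeEmail is the string value of the OIDC email scope; it requests
	// the email and email_verified claims (see EmailClaims).
	ScopeEmail = "email"

	// ScopeOfflineAccess is the string value of the OIDC offline_access
	// scope; it requests a refresh token that outlives the end user's
	// session and therefore deserves explicit consent.
	ScopeOfflineAccess = "offline_access"
)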
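const (
	// JWTHeaderKeyID is the "kid" JOSE header: a hint identifying the key
	// used to sign the token. A verifier should use it only to look up a
	// key in its own trusted key set; the value itself is untrusted input.
	JWTHeaderKeyID = "kid"

	// JWTHeaderAlg is the "alg" JOSE header naming the signing algorithm.
	// A verifier must restrict it to the algorithms it expects for the
	// selected key instead of letting the token choose the algorithm
	// (HashFromSigningMethod maps an accepted alg to its crypto.Hash).
	JWTHeaderAlg = "alg"
)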

Token header as used in JSON web tokens.

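// KonnectIDTokenSubjectSaltV1 is the salt value used when hashing Subjects
// in ID tokens created by Konnect. Being an exported constant it provides
// domain separation (a "v1" namespace for the hash), not secrecy; anyone
// who knows the input can recompute the hashed subject.
const KonnectIDTokenSubjectSaltV1 = "konnect-IDToken-v1"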

KonnectIDTokenSubjectSaltV1 is the salt value used when hashing Subjects in ID tokens created by Konnect.

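const (
	// SessionIDClaim is the "sid" claim: the identifier of the end user's
	// session at the OpenID provider (see SessionClaims).
	SessionIDClaim = "sid"
)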

Additional claims as defined by OIDC extensions.

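// Subject Identifier Types as defined in
// https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
const (
	// SubjectIDPublic is the string value of the Subject Identifier Type
	// "public": the same sub value is provided to all clients.
	SubjectIDPublic = "public"
)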
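// TokenTypeBearer is the token_type value for bearer tokens (RFC 6750); it
// is the only token type OIDC Core requires providers to support.
const TokenTypeBearer = "Bearer"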

TokenTypeBearer is required for OIDC as defined in http://openid.net/specs/openid-connect-core-1_0.html.

Variables

This section is empty.

Functions

func HashFromSigningMethod

func HashFromSigningMethod(alg string) (hash crypto.Hash, err error)

HashFromSigningMethod returns the matching crypto.Hash for the provided signing alg.

func IsErrorWithID

func IsErrorWithID(err error, id string) bool

IsErrorWithID returns true if the given error is an OAuth2Error with the given ID.

func NewOAuth2Error

func NewOAuth2Error(id string, description string) utils.ErrorWithDescription

NewOAuth2Error creates a new error with id and description.

func ValidateCodeChallenge

func ValidateCodeChallenge(challenge string, method string, verifier string) error

ValidateCodeChallenge implements https://tools.ietf.org/html/rfc7636#section-4.6 code challenge verification.

func WriteWWWAuthenticateError

func WriteWWWAuthenticateError(rw http.ResponseWriter, code int, err error)

WriteWWWAuthenticateError writes the provided error with the provided HTTP status code to the provided http.ResponseWriter as a WWW-Authenticate header with comma-separated fields for id and description.

Types

type EmailClaims

// EmailClaims define the claims for the OIDC email scope.
// https://openid.net/specs/openid-connect-basic-1_0.html#Scopes
type EmailClaims struct {
	// Email is the "email" claim; it is omitted from JSON when empty.
	Email string `json:"email,omitempty"`

	// EmailVerified is the "email_verified" claim. It has no omitempty, so
	// false is always serialized. Consumers should treat only an explicit
	// true as verified; an absent claim is not a verified address.
	EmailVerified bool `json:"email_verified"`
}

EmailClaims define the claims for the OIDC email scope. https://openid.net/specs/openid-connect-basic-1_0.html#Scopes

func NewEmailClaims

func NewEmailClaims(claims jwt.Claims) *EmailClaims

NewEmailClaims returns a new EmailClaims set from the provided jwt.Claims, or nil.

func (EmailClaims) Valid

func (c EmailClaims) Valid() error

Valid implements the jwt.Claims interface.

type IDTokenClaims

// IDTokenClaims define the claims found in OIDC ID Tokens.
type IDTokenClaims struct {
	// StandardClaims carries the registered JWT claims (iss, sub, aud, exp,
	// iat, ...).
	jwt.StandardClaims

	// Nonce is the "nonce" claim, echoed from the authentication request
	// so the client can bind the ID token to its own session.
	Nonce string `json:"nonce,omitempty"`
	// AuthTime is the "auth_time" claim: the time of end-user
	// authentication. With omitempty a zero value is dropped from JSON.
	AuthTime int64 `json:"auth_time,omitempty"`
	// AccessTokenHash is the "at_hash" claim: the left-most half of the
	// hash of the access token, for binding token and ID token together
	// (see LeftmostHash for the hashing form).
	AccessTokenHash string `json:"at_hash,omitempty"`
	// CodeHash is the "c_hash" claim: the left-most half of the hash of the
	// authorization code, used in the hybrid flow.
	CodeHash string `json:"c_hash,omitempty"`

	// Optional profile and email scope claims; nil pointers contribute no
	// fields to the encoded JSON.
	*ProfileClaims
	*EmailClaims

	// Optional session claims ("sid"); nil when no session is associated.
	*SessionClaims
}

IDTokenClaims define the claims found in OIDC ID Tokens.

func (IDTokenClaims) Valid

func (c IDTokenClaims) Valid() (err error)

Valid implements the jwt.Claims interface.

type LeftmostHashBytes

// LeftmostHashBytes is a []byte holding the left-most half of a hash
// digest, as used for the at_hash and c_hash ID token claims; String()
// returns its Base64URL encoding.
type LeftmostHashBytes []byte

LeftmostHashBytes defines a []byte whose String() method returns its Base64URL encoding.

func LeftmostHash

func LeftmostHash(data []byte, hash crypto.Hash) LeftmostHashBytes

LeftmostHash hashes the provided data with the provided hash function and returns the left-most half of the hashed bytes.

func (LeftmostHashBytes) String

func (lmhb LeftmostHashBytes) String() string

String returns the Base64URL encoded string of the associated bytes.

type OAuth2Error

// OAuth2Error defines a general OAuth2 error with id and description, in
// the JSON shape of an OAuth2 error response ("error" and
// "error_description").
type OAuth2Error struct {
	// ErrorID is the "error" member: one of the ErrorOAuth2* / ErrorOIDC*
	// code strings.
	ErrorID string `json:"error"`
	// ErrorDescription is the "error_description" member. It has no
	// omitempty, so an empty description is serialized as "". Its value is
	// returned to the client, so it should not carry internal detail.
	ErrorDescription string `json:"error_description"`
}

OAuth2Error defines a general OAuth2 error with id and description.

func (*OAuth2Error) Description

func (err *OAuth2Error) Description() string

Description implements the ErrorWithDescription interface.

func (*OAuth2Error) Error

func (err *OAuth2Error) Error() string

Error implements the error interface.

type ProfileClaims

// ProfileClaims define the claims for the OIDC profile scope.
// https://openid.net/specs/openid-connect-basic-1_0.html#Scopes
// Every field is omitted from JSON when empty.
type ProfileClaims struct {
	// Name is the "name" claim.
	Name string `json:"name,omitempty"`
	// FamilyName is the "family_name" claim.
	FamilyName string `json:"family_name,omitempty"`
	// GivenName is the "given_name" claim.
	GivenName string `json:"given_name,omitempty"`
	// PreferredUsername is the "preferred_username" claim. It is a display
	// name and is not guaranteed unique; use the sub claim as identifier.
	PreferredUsername string `json:"preferred_username,omitempty"`
}

ProfileClaims define the claims for the OIDC profile scope. https://openid.net/specs/openid-connect-basic-1_0.html#Scopes

func NewProfileClaims

func NewProfileClaims(claims jwt.Claims) *ProfileClaims

NewProfileClaims returns a new ProfileClaims set from the provided jwt.Claims, or nil.

func (ProfileClaims) Valid

func (c ProfileClaims) Valid() error

Valid implements the jwt.Claims interface.

type SessionClaims

// SessionClaims define claims related to front end sessions, for example
// as specified by https://openid.net/specs/openid-connect-frontchannel-1_0.html
type SessionClaims struct {
	// SessionID is the "sid" claim identifying the provider-side session;
	// omitted from JSON when empty.
	SessionID string `json:"sid,omitempty"`
}

SessionClaims define claims related to front end sessions, for example as specified by https://openid.net/specs/openid-connect-frontchannel-1_0.html

type UserInfoClaims

// UserInfoClaims define the claims defined by the OIDC UserInfo endpoint.
type UserInfoClaims struct {
	// Subject is the "sub" claim of the UserInfo response; omitted from
	// JSON when empty. Clients consuming a UserInfo response must check
	// that it matches the sub of the ID token the access token came with
	// (OIDC Core Section 5.3.2).
	Subject string `json:"sub,omitempty"`
}

UserInfoClaims define the claims defined by the OIDC UserInfo endpoint.

func (UserInfoClaims) Valid

func (c UserInfoClaims) Valid() error

Valid implements the jwt.Claims interface.
