middleware

package

v1.0.0-beta.1 Latest Latest Go to latest Published: Nov 3, 2024 License: BSD-3-Clause Imports: 16 Imported by: 1

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/lstoll/oidc

Documentation ¶

Index ¶

Constants
Variables
func IDClaimsFromContext(ctx context.Context) *oidc.IDClaims
func IDJWTFromContext(ctx context.Context) *jwt.VerifiedJWT
type Cookiestore
- func (c *Cookiestore) GetOIDCSession(r *http.Request) (*SessionData, error)
- func (c *Cookiestore) SaveOIDCSession(w http.ResponseWriter, r *http.Request, d *SessionData) error
type Handler
- func NewFromDiscovery(ctx context.Context, sessStore SessionStore, ...) (*Handler, error)
- func (h *Handler) Wrap(next http.Handler) http.Handler
type SessionData
type SessionDataLogin
type SessionStore

Constants ¶

View Source

const DefaultKeyRefreshIterval = 1 * time.Hour

DefaultKeyRefreshIterval is the default interval we try and refresh signing keys from the issuer.

Variables ¶

View Source

var DefaultCookieTemplate = &http.Cookie{
	Name:     "oidc",
	HttpOnly: true,
	Secure:   true,
	SameSite: http.SameSiteLaxMode,
}

DefaultCookieTemplate is the default cookie used, unless otherwise configured.

Functions ¶

func IDClaimsFromContext ¶

func IDClaimsFromContext(ctx context.Context) *oidc.IDClaims

IDClaimsFromContext returns the OIDC ID claims for the given request context

func IDJWTFromContext ¶

func IDJWTFromContext(ctx context.Context) *jwt.VerifiedJWT

IDJWTFromContext returns the validated OIDC ID JWT from the given request context.

Types ¶

type Cookiestore ¶

type Cookiestore struct {
	// CookieTemplate is used to create the cookie we track the session ID in.
	// It must have at least the name set. Value and expiration fields will be
	// ignored, and set appropriately. If not set, DefaultCookieTemplate will be
	// used.
	CookieTemplate *http.Cookie
}

Cookiestore is a basic implementation of the middleware's session store, that stores values in a series of cookies. These are not signed or encrypted, so only the ID token is tracked - the access token and refresh tokens are discareded, to avoid risk of them leaking. The login state is also stored unauthenticated, applications should take this in to mind. Cookie storage is limited, so too many in-flight logins may cause issues.

This provides a simple default, but it is generally recommended to use a server-side session store.

func (*Cookiestore) GetOIDCSession ¶

func (c *Cookiestore) GetOIDCSession(r *http.Request) (*SessionData, error)

func (*Cookiestore) SaveOIDCSession ¶

func (c *Cookiestore) SaveOIDCSession(w http.ResponseWriter, r *http.Request, d *SessionData) error

type Handler ¶

type Handler struct {
	// Provider is the OIDC provider we verify tokens against. Required.
	Provider *oidc.Provider
	// OAuth2Config are the options used for the oauth2 flow. Required.
	OAuth2Config *oauth2.Config
	// AuthCodeOptions options that can be passed when creating the auth code
	// URL. This can be used to request ACRs or other items.
	AuthCodeOptions []oauth2.AuthCodeOption
	// SessionStore are used for managing state that we need to persist across
	// requests. It needs to be able to store ID and refresh tokens, plus a
	// small amount of additional data. Required.
	SessionStore SessionStore
	// BaseURL sets the base URL for this app, users will be redirect on login
	// here if the return to URL was not tracked or login was triggered from a
	// non-GET method request.
	BaseURL string
}

Handler wraps another http.Handler, protecting it with OIDC authentication.

func NewFromDiscovery ¶

func NewFromDiscovery(ctx context.Context, sessStore SessionStore, issuer, clientID, clientSecret, redirectURL string) (*Handler, error)

NewFromDiscovery will construct a Handler by discovering the configuration from the Issuer. If the sessStore is nil, Cookies will be used. The handler can be customized after calling this.

func (*Handler) Wrap ¶

func (h *Handler) Wrap(next http.Handler) http.Handler

Wrap returns an http.Handler that wraps the given http.Handler and provides OIDC authentication.

type SessionData ¶

type SessionData struct {
	// Logins tracks state for in-progress logins.
	Logins []SessionDataLogin `json:"logins,omitempty"`
	// Token contains the issued token from a successful authentication flow.
	Token *oidc.MarshaledToken `json:"token,omitempty"`
}

SessionData contains the data this middleware needs to save/restore across requests. This should be stored using a method that does not reveal the contents to the end user in any way.

type SessionDataLogin ¶

type SessionDataLogin struct {
	// State for an in-progress auth flow.
	State string `json:"oidc_state,omitempty"`
	// PKCEChallenge for the in-progress auth flow
	PKCEChallenge string `json:"pkce_challenge,omitempty"`
	// ReturnTo is where we should navigate to at the end of the flow
	ReturnTo string `json:"oidc_return_to,omitempty"`
	// Expires is when this can be discarded, Unix time.
	Expires int `json:"expires,omitempty"`
}

type SessionStore ¶

type SessionStore interface {
	// GetOIDCSession should always return a valid, usable session. If the session does not
	// exist, it should be empty. error indicates that there was a failure that
	// we should not proceed from.
	GetOIDCSession(*http.Request) (*SessionData, error)
	// SaveOIDCSession should store the updated session. If the session data is nil, the
	// session should be deleted.
	SaveOIDCSession(http.ResponseWriter, *http.Request, *SessionData) error
}

SessionStore are used for managing state across requests.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL