goidc

package
Published: Jul 20, 2024 License: MIT Imports: 19 Imported by: 0


Constants

// Claim names used by this package when building and reading JWTs (access
// tokens, ID tokens, JARM responses) and UserInfo responses. They are the
// registered names from RFC 7519 / OpenID Connect Core plus a few extensions
// (authorization_details from RFC 9396, the *_hash claims used to bind an
// ID token to the access token, code and state it was issued with). Use them
// as the claim argument of AuthnSession.AddTokenClaim / AddIDTokenClaim /
// AddUserInfoClaim so custom claims do not collide with the standard ones.
const (
	ClaimTokenID                        string = "jti"
	ClaimIssuer                         string = "iss"
	ClaimSubject                        string = "sub"
	ClaimAudience                       string = "aud"
	ClaimClientID                       string = "client_id"
	ClaimExpiry                         string = "exp"
	ClaimIssuedAt                       string = "iat"
	ClaimScope                          string = "scope"
	ClaimNonce                          string = "nonce"
	ClaimAuthenticationTime             string = "auth_time"
	ClaimAuthenticationMethodReferences string = "amr"
	ClaimAuthenticationContextReference string = "acr"
	ClaimProfile                        string = "profile"
	ClaimEmail                          string = "email"
	ClaimEmailVerified                  string = "email_verified"
	ClaimAddress                        string = "address"
	ClaimAuthorizationDetails           string = "authorization_details"
	// at_hash, c_hash and s_hash carry the left-most half of the hash of the
	// access token, authorization code and state respectively; clients use them
	// to verify that those artifacts belong to the ID token they received.
	ClaimAccessTokenHash                string = "at_hash"
	ClaimAuthorizationCodeHash          string = "c_hash"
	ClaimStateHash                      string = "s_hash"
)
// HTTP header names the server reads for proof-of-possession and mutual-TLS
// client authentication.
const (
	// HeaderDPoP carries the DPoP proof JWT (RFC 9449) that binds a request to
	// the client's key.
	HeaderDPoP string = "DPoP"
	// HeaderSecureClientCertificate is the header used to transmit a client certificate
	// that was already validated by a trusted source (typically the TLS-terminating
	// proxy in front of this server).
	//
	// Security: the server trusts whatever arrives in this header. The deployment
	// must guarantee that only the trusted TLS terminator can set it and that any
	// copy of the header supplied by the remote client is stripped; otherwise a
	// caller could inject an arbitrary certificate and impersonate another client.
	HeaderSecureClientCertificate string = "X-Secure-Client-Certificate"
	// HeaderInsecureClientCertificate is the header used to transmit a client certificate
	// that cannot be trusted on its own, e.g. a self-signed certificate presented by a
	// client using self_signed_tls_client_auth. Because no chain validation backs it,
	// the certificate is only meaningful once matched against the client's registered
	// keys — confirm that the handler consuming this header does so.
	HeaderInsecureClientCertificate string = "X-Insecure-Client-Certificate"
)
// AuthorizationCodeLength is the length, in characters, of the authorization
// codes generated by AuthorizationCode.
const AuthorizationCodeLength int = 30
// AuthorizationCodeLifetimeSecs is how long, in seconds, an issued authorization
// code can be exchanged at the token endpoint. RFC 6749 recommends a maximum of
// ten minutes; one minute keeps the window for a leaked code small.
const AuthorizationCodeLifetimeSecs int = 60
// CallbackIDLength is the length, in characters, of the callback identifiers
// generated by CallbackID, which the authentication flow uses to find an
// in-progress AuthnSession (see AuthnSessionManager.GetByCallbackID).
const CallbackIDLength int = 20
// ClientSecretCharset is the alphabet used when generating client secrets:
// 62 alphanumeric symbols, so each character contributes log2(62) ≈ 5.95 bits
// of entropy.
const ClientSecretCharset string = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
// ClientSecretLength is the number of characters in a generated client secret.
// See the note below on why it must not be lowered: the secret doubles as the
// HMAC key for client_secret_jwt.
const ClientSecretLength int = 64

ClientSecretLength must be at least 64 so that the secret can also serve as a symmetric key, for instance during client_secret_jwt authentication. The strongest algorithm accepted for client_secret_jwt is HS512, and RFC 7518 requires an HMAC key at least as long as the hash output, i.e. 512 bits. A 64-character secret is 64 bytes = 512 bits of key material when used as an octet string; its actual entropy, drawn from the 62-symbol ClientSecretCharset, is about 64 × log2(62) ≈ 381 bits, which is still far beyond brute-force reach.

// DefaultAuthenticationSessionTimeoutSecs is the default lifetime (30 minutes)
// of an AuthnSession while the user is being authenticated. Unlike the other
// *Secs constants in this package it is untyped, so it adapts to whichever
// integer type it is assigned to.
const DefaultAuthenticationSessionTimeoutSecs = 30 * 60
// DefaultRefreshTokenLifetimeSecs is the default lifetime of a refresh token
// (6000 s = 100 minutes), i.e. how long a grant can be renewed without the user
// re-authenticating.
const DefaultRefreshTokenLifetimeSecs int = 6000
// DefaultTokenLifetimeSecs is the default access token lifetime (5 minutes).
const DefaultTokenLifetimeSecs int = 300
// DynamicClientIDLength is the length, in characters, of client identifiers
// assigned through dynamic client registration.
const DynamicClientIDLength int = 30
// ProtectedParamPrefix marks custom authorization parameters as protected.
// Parameters carrying this prefix are stored in AuthnSession.ProtectedParameters,
// which holds the custom parameters received through PAR or a JAR request
// object — channels whose contents the client cannot tamper with after the
// fact, unlike the plain authorization request query string.
const ProtectedParamPrefix string = "p_"
// RefreshTokenLength is the length, in characters, of generated refresh tokens.
// The value is deliberately unusual: introspection tells refresh tokens apart
// from opaque access tokens by length alone (see the note below), so it must
// stay different from every other generated length, and TokenOptions.
// OpaqueTokenLength must never be configured to 99.
const RefreshTokenLength int = 99

During introspection, a refresh token is distinguished from an opaque access token solely by its length, so RefreshTokenLength is set to an unusual value to keep the two from being confused. Keep it different from every other generated length (AuthorizationCodeLength, RegistrationAccessTokenLength, ...) and, in particular, never configure TokenOptions.OpaqueTokenLength to 99, or opaque access tokens would be classified as refresh tokens.

// RegistrationAccessTokenLength is the length, in characters, of the
// registration access token handed to a dynamically registered client; only
// its hash is kept on the Client (HashedRegistrationAccessToken).
const RegistrationAccessTokenLength int = 50
// RequestURILength is the length, in characters, of the random part of the
// request_uri values generated by RequestURI for pushed authorization requests.
const RequestURILength int = 20

Variables

// Standard OpenID Connect scopes (Core 1.0, Section 5.4) plus offline_access
// (Section 11), pre-built with exact-match semantics via NewScope.
//
// NOTE: ScopeOffilineAccess is misspelled (should be "Offline") but is part of
// the exported API, so it cannot be renamed without breaking callers; the scope
// value itself, "offline_access", is correct.
var (
	ScopeOpenID         = NewScope("openid")
	ScopeProfile        = NewScope("profile")
	ScopeEmail          = NewScope("email")
	ScopeAddress        = NewScope("address")
	ScopeOffilineAccess = NewScope("offline_access")
)
// ErrorEntityNotFound is the sentinel error the storage interfaces
// (ClientManager, AuthnSessionManager, GrantSessionManager) are expected to
// return when a lookup finds nothing. Compare with errors.Is so wrapped
// errors still match. (Go convention would name it ErrEntityNotFound, but the
// name is exported and kept for compatibility.)
var ErrorEntityNotFound error = errors.New("entity not found")

Functions

func AssertTimestampWithin

func AssertTimestampWithin(t *testing.T, expected int, actual int, msgAndArgs ...any)

func AuthorizationCode

func AuthorizationCode() (string, error)

func CallbackID

func CallbackID() (string, error)

func ContainsAll

func ContainsAll[T comparable](superSet []T, subSet ...T) bool

func ContainsAllScopes

func ContainsAllScopes(scopesSuperSet string, scopesSubSet string) bool

func RandomString

func RandomString(n int) (string, error)

func RequestURI

func RequestURI() (string, error)

func SplitStringWithSpaces

func SplitStringWithSpaces(s string) []string

func TimestampNow

func TimestampNow() int

TimestampNow returns the current time as an integer timestamp, always computed in UTC. The unit is not stated here; the package's other *Timestamp fields and *Secs constants suggest Unix seconds — confirm in the source before mixing with other clocks.

Types

type AuthenticationContextReference

// AuthenticationContextReference is the value of the acr claim: the
// Authentication Context Class Reference satisfied by the user's authentication
// (OpenID Connect Core 1.0, Section 2).
type AuthenticationContextReference string
const (
	// ACRNoAssuranceLevel ("0") means the authentication did not meet ISO/IEC
	// 29115 level 1 (e.g. a long-lived browser cookie). Core 1.0 says such an
	// authentication must not be used to authorize access to anything of value.
	ACRNoAssuranceLevel      AuthenticationContextReference = "0"
	// The InCommon Identity Assurance Profile URNs used as examples by the
	// OIDC specifications.
	ACRMaceIncommonIAPSilver AuthenticationContextReference = "urn:mace:incommon:iap:silver"
	ACRMaceIncommonIAPBronze AuthenticationContextReference = "urn:mace:incommon:iap:bronze"
)

type AuthenticationMethodReference

// AuthenticationMethodReference is one entry of the amr claim: an identifier
// of a method used to authenticate the user. The values are the registered
// ones from RFC 8176. (AuthenticationMethodOneTimePassoword and
// AuthenticationMethodPersonalIDentificationNumber are misspelled but exported,
// so they are kept as-is.)
type AuthenticationMethodReference string
const (
	AuthenticationMethodFacialRecognition            AuthenticationMethodReference = "face"
	AuthenticationMethodFingerPrint                  AuthenticationMethodReference = "fpt"
	AuthenticationMethodGeolocation                  AuthenticationMethodReference = "geo"
	AuthenticationMethodHardwareSecuredKey           AuthenticationMethodReference = "hwk"
	AuthenticationMethodIrisScan                     AuthenticationMethodReference = "iris"
	// "mfa" states that more than one factor was used; it does not say which.
	AuthenticationMethodMultipleFactor               AuthenticationMethodReference = "mfa"
	AuthenticationMethodOneTimePassoword             AuthenticationMethodReference = "otp"
	AuthenticationMethodPassword                     AuthenticationMethodReference = "pwd"
	AuthenticationMethodPersonalIDentificationNumber AuthenticationMethodReference = "pin"
	AuthenticationMethodRiskBased                    AuthenticationMethodReference = "rba"
	// "sms" is a weak second factor (SIM swap, interception); treat it as such
	// when policies evaluate the amr claim.
	AuthenticationMethodSMS                          AuthenticationMethodReference = "sms"
	AuthenticationMethodSoftwareSecuredKey           AuthenticationMethodReference = "swk"
)

type AuthnFunc

// AuthnFunc executes the user authentication logic for one step of an
// interactive flow. It receives the request Context and the in-progress
// AuthnSession (which it may update, e.g. via SetUserID or GrantScopes) and
// reports whether authentication succeeded, failed or still needs more
// interaction with the user.
type AuthnFunc func(Context, *AuthnSession) AuthnStatus

AuthnFunc executes the user authentication logic.

type AuthnHint

// AuthnHint is advice returned by Context.AuthnHints on how to complete the
// authentication flow successfully. Hints are recommendations, not enforced
// requirements (see Context).
type AuthnHint string
const (
	// HintUserIDNotInformed: the session has no subject yet; the policy should
	// identify the user (AuthnSession.SetUserID).
	HintUserIDNotInformed  AuthnHint = "user_id_not_informed"
	// HintReauthenticateUser: an existing authentication is not acceptable for
	// this request (e.g. too old for max_age or prompt=login); the user should
	// authenticate again.
	HintReauthenticateUser AuthnHint = "reauthenticate_user"
)

type AuthnPolicy

// AuthnPolicy pairs a selection predicate with the authentication logic it
// guards. SetUp decides whether the policy applies to a given client and
// session; Authenticate then runs the flow. Build one with NewPolicy.
type AuthnPolicy struct {
	// ID identifies the policy; it is recorded in AuthnSession.PolicyID so the
	// same policy resumes the session on later callbacks.
	ID           string
	SetUp        SetUpAuthnFunc
	Authenticate AuthnFunc
}

func NewPolicy

func NewPolicy(
	id string,
	setUpFunc SetUpAuthnFunc,
	authnFunc AuthnFunc,
) AuthnPolicy

NewPolicy creates a policy that will be selected based on setUpFunc and that authenticates users with authnFunc.

type AuthnSession

// AuthnSession is the server-side state of one authorization request while the
// user is being authenticated: from PAR/authorization request, through the
// interactive policy steps, until the authorization code is redeemed.
//
// Security notes: CallbackID, AuthorizationCode and the request URI are the
// keys AuthnSessionManager looks sessions up by, and they are presented by the
// browser or client, so they act as bearer secrets for the session and are
// stored in clear. The session store must therefore be treated as sensitive
// data, and IsExpired should be checked on every retrieval.
type AuthnSession struct {
	ID                          string                `json:"id" bson:"_id"`
	CallbackID                  string                `json:"callback_id" bson:"callback_id"`
	PolicyID                    string                `json:"policy_id" bson:"policy_id"`
	ExpiresAtTimestamp          int                   `json:"expires_at" bson:"expires_at"`
	CreatedAtTimestamp          int                   `json:"created_at" bson:"created_at"`
	// Subject is the authenticated user, set through SetUserID.
	Subject                     string                `json:"sub" bson:"sub"`
	ClientID                    string                `json:"client_id" bson:"client_id"`
	// GrantedScopes / GrantedAuthorizationDetails are what the policy actually
	// granted (GrantScopes, GrantAuthorizationDetails); they may be narrower
	// than the requested Scopes / AuthorizationDetails below.
	GrantedScopes               string                `json:"granted_scopes" bson:"granted_scopes"`
	GrantedAuthorizationDetails []AuthorizationDetail `json:"granted_authorization_details,omitempty" bson:"granted_authorization_details,omitempty"`
	// AuthorizationCode is the code issued by InitAuthorizationCode, stored in
	// clear so the token endpoint can find the session by it.
	AuthorizationCode           string                `json:"authorization_code,omitempty" bson:"authorization_code,omitempty"`
	// ProtectedParameters contains custom parameters sent by PAR or JAR.
	ProtectedParameters map[string]any `json:"protected_params,omitempty" bson:"protected_params,omitempty"`
	// Store allows developers to store information between user interactions.
	Store                    map[string]any `json:"store,omitempty" bson:"store,omitempty"`
	// Additional*Claims are extra claims the policy wants in the access token,
	// ID token and UserInfo response respectively (see the Add*Claim methods).
	AdditionalTokenClaims    map[string]any `json:"additional_token_claims,omitempty" bson:"additional_token_claims,omitempty"`
	AdditionalIDTokenClaims  map[string]any `json:"additional_id_token_claims,omitempty" bson:"additional_id_token_claims,omitempty"`
	AdditionalUserInfoClaims map[string]any `json:"additional_user_info_claims,omitempty" bson:"additional_user_info_claims,omitempty"`
	// AuthorizationParameters holds the (merged) request parameters; embedded
	// so its fields are flattened into the session document.
	AuthorizationParameters  `bson:"inline"`
	// Error is transient and never persisted or serialized (json/bson "-").
	Error                    OAuthError `json:"-" bson:"-"`
}

func (*AuthnSession) AddIDTokenClaim

func (s *AuthnSession) AddIDTokenClaim(claim string, value any)

func (*AuthnSession) AddTokenClaim

func (s *AuthnSession) AddTokenClaim(claim string, value any)

func (*AuthnSession) AddUserInfoClaim

func (s *AuthnSession) AddUserInfoClaim(claim string, value any)

func (*AuthnSession) GrantAuthorizationDetails

func (s *AuthnSession) GrantAuthorizationDetails(authDetails []AuthorizationDetail)

GrantAuthorizationDetails sets the authorization details the client will have permissions to use. This will only have effect if support for authorization details was enabled.

func (*AuthnSession) GrantScopes

func (s *AuthnSession) GrantScopes(scopes string)

func (*AuthnSession) InitAuthorizationCode

func (s *AuthnSession) InitAuthorizationCode() OAuthError

func (*AuthnSession) IsExpired

func (s *AuthnSession) IsExpired() bool

func (*AuthnSession) Push

func (s *AuthnSession) Push(lifetimeSecs int) (requestURI string, err error)

Push creates a session that can be referenced by a request URI.

func (*AuthnSession) SetRedirectError

func (s *AuthnSession) SetRedirectError(errorCode ErrorCode, errorDescription string)

func (*AuthnSession) SetUserID

func (s *AuthnSession) SetUserID(userID string)

func (*AuthnSession) Start

func (s *AuthnSession) Start(policyID string, lifetimeSecs int) OAuthError

Start prepares the session to be used while the authentication flow defined by policyID happens.

func (*AuthnSession) StoreParameter

func (s *AuthnSession) StoreParameter(key string, value any)

func (*AuthnSession) UpdateParams

func (s *AuthnSession) UpdateParams(params AuthorizationParameters)

UpdateParams merges the parameters of an authorization request into the session. Parameters the session already holds take precedence over the incoming ones, so a value that reached the session earlier (for instance through PAR or a JAR request object) cannot be overridden by the same parameter supplied in the plain authorization request query.

type AuthnSessionManager

// AuthnSessionManager is the storage abstraction for AuthnSession. Implementations
// are expected to return ErrorEntityNotFound when a lookup finds nothing.
//
// The three Get* methods are keyed by values presented by the browser or
// client (callback ID, authorization code, request URI), so implementations
// must match them exactly and never by prefix or case-insensitively.
type AuthnSessionManager interface {
	CreateOrUpdate(ctx context.Context, session *AuthnSession) error
	GetByCallbackID(ctx context.Context, callbackID string) (*AuthnSession, error)
	GetByAuthorizationCode(ctx context.Context, authorizationCode string) (*AuthnSession, error)
	GetByRequestURI(ctx context.Context, requestURI string) (*AuthnSession, error)
	Delete(ctx context.Context, id string) error
}

type AuthnStatus

// AuthnStatus is the outcome reported by an AuthnFunc after one step.
type AuthnStatus string
const (
	// StatusSuccess: the user is authenticated and the flow may proceed.
	StatusSuccess    AuthnStatus = "success"
	// StatusInProgress: more user interaction is needed; the session is kept
	// and resumed on the next callback.
	StatusInProgress AuthnStatus = "in_progress"
	// StatusFailure: authentication failed; the flow ends with an error.
	StatusFailure    AuthnStatus = "failure"
)

type AuthorizationDetail

// AuthorizationDetail is one element of the RFC 9396 authorization_details
// array, kept as a free-form map because its shape depends on the "type".
// The common fields (type, locations, actions, datatypes, identifier) are
// exposed through the accessor methods below.
type AuthorizationDetail map[string]any

AuthorizationDetail is a map rather than a struct because its fields vary widely depending on the use case. Some fields are well known (type, locations, actions, datatypes and identifier, as defined in RFC 9396) and are exposed as methods.

func (AuthorizationDetail) Actions

func (detail AuthorizationDetail) Actions() []string

func (AuthorizationDetail) DataTypes

func (detail AuthorizationDetail) DataTypes() []string

func (AuthorizationDetail) Identifier

func (detail AuthorizationDetail) Identifier() string

func (AuthorizationDetail) Locations

func (detail AuthorizationDetail) Locations() []string

func (AuthorizationDetail) Type

func (detail AuthorizationDetail) Type() string

type AuthorizationParameters

// AuthorizationParameters are the parameters of an OAuth 2.0 / OpenID Connect
// authorization request, whether received on the query string, pushed via PAR
// (RequestURI) or carried in a JAR request object (RequestObject). The JSON
// tags are the wire parameter names.
type AuthorizationParameters struct {
	RequestURI           string                `json:"request_uri,omitempty" bson:"request_uri,omitempty"`
	// RequestObject is the raw "request" JWT (JAR); it is verified elsewhere.
	RequestObject        string                `json:"request,omitempty" bson:"request,omitempty"`
	// RedirectURI must be matched exactly against the client's registered URIs
	// (Client.IsRedirectURIAllowed) before any redirect is issued.
	RedirectURI          string                `json:"redirect_uri,omitempty" bson:"redirect_uri,omitempty"`
	ResponseMode         ResponseMode          `json:"response_mode,omitempty" bson:"response_mode,omitempty"`
	ResponseType         ResponseType          `json:"response_type,omitempty" bson:"response_type,omitempty"`
	// Scopes is the space-separated requested scope string.
	Scopes               string                `json:"scope,omitempty" bson:"scope,omitempty"`
	State                string                `json:"state,omitempty" bson:"state,omitempty"`
	Nonce                string                `json:"nonce,omitempty" bson:"nonce,omitempty"`
	// PKCE (RFC 7636): the challenge is stored so the token endpoint can check
	// the code_verifier presented with the authorization code.
	CodeChallenge        string                `json:"code_challenge,omitempty" bson:"code_challenge,omitempty"`
	CodeChallengeMethod  CodeChallengeMethod   `json:"code_challenge_method,omitempty" bson:"code_challenge_method,omitempty"`
	Prompt               PromptType            `json:"prompt,omitempty" bson:"prompt,omitempty"`
	// MaxAuthnAgeSecs is a pointer so that an explicit max_age=0 (force
	// re-authentication) can be told apart from an absent parameter.
	MaxAuthnAgeSecs      *int                  `json:"max_age,omitempty" bson:"max_age,omitempty"`
	Display              DisplayValue          `json:"display,omitempty" bson:"display,omitempty"`
	ACRValues            string                `json:"acr_values,omitempty" bson:"acr_values,omitempty"`
	Claims               *ClaimsObject         `json:"claims,omitempty" bson:"claims,omitempty"`
	AuthorizationDetails []AuthorizationDetail `json:"authorization_details,omitempty" bson:"authorization_details,omitempty"`
}

func (AuthorizationParameters) DefaultResponseMode

func (params AuthorizationParameters) DefaultResponseMode() ResponseMode

DefaultResponseMode returns the response mode based on the response type.

func (AuthorizationParameters) Merge

func (AuthorizationParameters) NewRedirectError

func (params AuthorizationParameters) NewRedirectError(
	errorCode ErrorCode,
	errorDescription string,
) OAuthRedirectError

type AuthorizeErrorPluginFunc

// AuthorizeErrorPluginFunc lets the application render or otherwise handle an
// error raised by the authorization endpoint (e.g. show a custom page instead
// of the default response). It receives the request Context and the OAuthError;
// the returned error, if any, is reported back to the caller of the endpoint.
type AuthorizeErrorPluginFunc func(ctx Context, err OAuthError) error

type ClaimObjectInfo

// ClaimObjectInfo describes one requested claim inside the "claims" request
// parameter (OpenID Connect Core 1.0, Section 5.5.1). None of the fields carry
// omitempty, so "essential", "value" and "values" are always emitted when the
// object is marshaled.
type ClaimObjectInfo struct {
	// IsEssential marks the claim as required for the requested operation;
	// per Core 1.0 the server may still omit it, so callers must not assume
	// essential claims are always present.
	IsEssential bool     `json:"essential"`
	// Value / Values request a specific value or one of several values.
	Value       string   `json:"value"`
	Values      []string `json:"values"`
}

type ClaimType

// ClaimType enumerates the claim representations of OpenID Connect Core 1.0,
// Section 5.6: returned inline (normal), embedded as signed JWTs from another
// provider (aggregated) or referenced by endpoint (distributed).
type ClaimType string
const (
	ClaimTypeNormal      ClaimType = "normal"
	ClaimTypeAggregated  ClaimType = "aggregated"
	ClaimTypeDistributed ClaimType = "distributed"
)

type ClaimsObject

// ClaimsObject is the parsed "claims" authorization request parameter: the
// claims requested for the UserInfo response and for the ID token, keyed by
// claim name.
type ClaimsObject struct {
	Userinfo map[string]ClaimObjectInfo `json:"userinfo"`
	IDToken  map[string]ClaimObjectInfo `json:"id_token"`
}

type Client

// Client is a registered OAuth client: its identifier, credentials and
// metadata (ClientMetaInfo is embedded, so its fields are flattened).
//
// Security notes: Secret is kept in clear text because client_secret_jwt
// verifies the assertion with the same key that signed it, so the persisted
// Client record is a reusable credential and the client store must be
// protected accordingly. Secret also carries a "client_secret" JSON tag, so it
// is emitted whenever a Client is marshaled — be deliberate about where Client
// values are serialized.
type Client struct {
	ID string `json:"client_id" bson:"_id"`
	// Secret is used when the client authenticates with client_secret_jwt,
	// since the key used to sign the assertion is the same used to verify it.
	Secret string `json:"client_secret,omitempty" bson:"client_secret,omitempty"`
	// HashedSecret is the hash of the client secret for the client_secret_basic
	// and client_secret_post authentication methods.
	HashedSecret                  string `json:"hashed_secret,omitempty" bson:"hashed_secret,omitempty"`
	// HashedRegistrationAccessToken is the hash of the token that authorizes
	// dynamic client management; compared by IsRegistrationAccessTokenValid.
	HashedRegistrationAccessToken string `json:"hashed_registration_access_token" bson:"hashed_registration_access_token"`
	ClientMetaInfo                `bson:"inline"`
}

func (*Client) AreScopesAllowed

func (c *Client) AreScopesAllowed(ctx Context, availableScopes Scopes, requestedScopes string) bool

func (*Client) FetchPublicJWKS

func (c *Client) FetchPublicJWKS() (jose.JSONWebKeySet, error)

FetchPublicJWKS fetches the client's public JWKS either directly from the jwks attribute or from jwks_uri, and caches keys obtained from jwks_uri. Because of that cache, a key rotated at jwks_uri may not be picked up immediately; the cache's lifetime and refresh policy are not visible here — confirm them before relying on prompt key rotation.

func (*Client) IDTokenEncryptionJWK

func (c *Client) IDTokenEncryptionJWK() (jose.JSONWebKey, OAuthError)

func (*Client) IsAuthorizationDetailTypeAllowed

func (c *Client) IsAuthorizationDetailTypeAllowed(authDetailType string) bool

func (*Client) IsGrantTypeAllowed

func (c *Client) IsGrantTypeAllowed(grantType GrantType) bool

func (*Client) IsRedirectURIAllowed

func (c *Client) IsRedirectURIAllowed(redirectURI string) bool

func (*Client) IsRegistrationAccessTokenValid

func (c *Client) IsRegistrationAccessTokenValid(token string) bool

func (*Client) IsResponseTypeAllowed

func (c *Client) IsResponseTypeAllowed(responseType ResponseType) bool

func (*Client) JARMEncryptionJWK

func (c *Client) JARMEncryptionJWK() (jose.JSONWebKey, OAuthError)

func (*Client) PublicKey

func (c *Client) PublicKey(keyID string) (jose.JSONWebKey, OAuthError)

func (*Client) UserInfoEncryptionJWK

func (c *Client) UserInfoEncryptionJWK() (jose.JSONWebKey, OAuthError)

type ClientAssertionType

// ClientAssertionType is the value of the client_assertion_type token request
// parameter used with client_secret_jwt and private_key_jwt (RFC 7523).
type ClientAssertionType string
const (
	AssertionTypeJWTBearer ClientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
)

type ClientAuthnType

// ClientAuthnType is the client authentication method at the token endpoint
// (token_endpoint_auth_method in client metadata). The values are the
// registered ones from RFC 7591 and RFC 8705.
type ClientAuthnType string
const (
	// ClientAuthnNone is for public clients that cannot hold a secret; such
	// clients rely on PKCE and exact redirect URI matching for protection.
	ClientAuthnNone          ClientAuthnType = "none"
	// Shared-secret methods: the secret is sent (basic/post) or used as an
	// HMAC key over a JWT assertion (client_secret_jwt).
	ClientAuthnSecretBasic   ClientAuthnType = "client_secret_basic"
	ClientAuthnSecretPost    ClientAuthnType = "client_secret_post"
	ClientAuthnSecretJWT     ClientAuthnType = "client_secret_jwt"
	// Asymmetric methods: a JWT signed with the client's private key, or a TLS
	// client certificate (PKI-validated or self-signed, RFC 8705).
	ClientAuthnPrivateKeyJWT ClientAuthnType = "private_key_jwt"
	ClientAuthnTLS           ClientAuthnType = "tls_client_auth"
	ClientAuthnSelfSignedTLS ClientAuthnType = "self_signed_tls_client_auth"
)

type ClientManager

// ClientManager is the storage abstraction for Client records. Implementations
// are expected to return ErrorEntityNotFound from Get when the id is unknown.
type ClientManager interface {
	CreateOrUpdate(ctx context.Context, client *Client) error
	Get(ctx context.Context, id string) (*Client, error)
	Delete(ctx context.Context, id string) error
}

type ClientMetaInfo

// ClientMetaInfo is the client metadata as registered (statically or through
// dynamic client registration). JSON tags follow the registered metadata
// names from RFC 7591, OpenID Connect Registration 1.0, RFC 8705, RFC 9449 and
// JARM, with the exceptions noted on the fields.
type ClientMetaInfo struct {
	Name                               string                  `json:"client_name,omitempty" bson:"client_name,omitempty"`
	LogoURI                            string                  `json:"logo_uri,omitempty" bson:"logo_uri,omitempty"`
	// RedirectURIS is the allow-list checked by Client.IsRedirectURIAllowed.
	RedirectURIS                       []string                `json:"redirect_uris" bson:"redirect_uris"`
	GrantTypes                         []GrantType             `json:"grant_types" bson:"grant_types"`
	ResponseTypes                      []ResponseType          `json:"response_types" bson:"response_types"`
	// PublicJWKSURI / PublicJWKS are the two ways of publishing the client's
	// keys; Client.FetchPublicJWKS resolves (and caches) them.
	PublicJWKSURI                      string                  `json:"jwks_uri,omitempty" bson:"jwks_uri,omitempty"`
	PublicJWKS                         json.RawMessage         `json:"jwks,omitempty" bson:"jwks,omitempty"`
	// Scopes is the space-separated list of scopes the client may request.
	Scopes                             string                  `json:"scope" bson:"scope"`
	SubjectIdentifierType              SubjectIdentifierType   `json:"subject_type,omitempty" bson:"subject_type,omitempty"`
	// Signing / encryption algorithms negotiated per artifact: ID token,
	// UserInfo response, JAR request object, JARM response.
	IDTokenSignatureAlgorithm          jose.SignatureAlgorithm `json:"id_token_signed_response_alg,omitempty" bson:"id_token_signed_response_alg,omitempty"`
	IDTokenKeyEncryptionAlgorithm      jose.KeyAlgorithm       `json:"id_token_encrypted_response_alg,omitempty" bson:"id_token_encrypted_response_alg,omitempty"`
	IDTokenContentEncryptionAlgorithm  jose.ContentEncryption  `json:"id_token_encrypted_response_enc,omitempty" bson:"id_token_encrypted_response_enc,omitempty"`
	UserInfoSignatureAlgorithm         jose.SignatureAlgorithm `json:"userinfo_signed_response_alg,omitempty" bson:"userinfo_signed_response_alg,omitempty"`
	UserInfoKeyEncryptionAlgorithm     jose.KeyAlgorithm       `json:"userinfo_encrypted_response_alg,omitempty" bson:"userinfo_encrypted_response_alg,omitempty"`
	UserInfoContentEncryptionAlgorithm jose.ContentEncryption  `json:"userinfo_encrypted_response_enc,omitempty" bson:"userinfo_encrypted_response_enc,omitempty"`
	JARSignatureAlgorithm              jose.SignatureAlgorithm `json:"request_object_signing_alg,omitempty" bson:"request_object_signing_alg,omitempty"`
	JARKeyEncryptionAlgorithm          jose.KeyAlgorithm       `json:"request_object_encryption_alg,omitempty" bson:"request_object_encryption_alg,omitempty"`
	JARContentEncryptionAlgorithm      jose.ContentEncryption  `json:"request_object_encryption_enc,omitempty" bson:"request_object_encryption_enc,omitempty"`
	JARMSignatureAlgorithm             jose.SignatureAlgorithm `json:"authorization_signed_response_alg,omitempty" bson:"authorization_signed_response_alg,omitempty"`
	JARMKeyEncryptionAlgorithm         jose.KeyAlgorithm       `json:"authorization_encrypted_response_alg,omitempty" bson:"authorization_encrypted_response_alg,omitempty"`
	JARMContentEncryptionAlgorithm     jose.ContentEncryption  `json:"authorization_encrypted_response_enc,omitempty" bson:"authorization_encrypted_response_enc,omitempty"`
	// AuthnMethod / AuthnSignatureAlgorithm: how the client authenticates at
	// the token endpoint and, for the *_jwt methods, with which algorithm.
	AuthnMethod                        ClientAuthnType         `json:"token_endpoint_auth_method" bson:"token_endpoint_auth_method"`
	AuthnSignatureAlgorithm            jose.SignatureAlgorithm `json:"token_endpoint_auth_signing_alg,omitempty" bson:"token_endpoint_auth_signing_alg,omitempty"`
	// DPoPIsRequired makes DPoP-bound access tokens mandatory for this client
	// (RFC 9449 dpop_bound_access_tokens).
	DPoPIsRequired                     bool                    `json:"dpop_bound_access_tokens,omitempty" bson:"dpop_bound_access_tokens,omitempty"`
	// tls_client_auth matching: exactly one of the subject DN / SAN fields is
	// expected to be registered (RFC 8705, Section 2.1.2).
	TLSSubjectDistinguishedName        string                  `json:"tls_client_auth_subject_dn,omitempty" bson:"tls_client_auth_subject_dn,omitempty"`
	// TLSSubjectAlternativeName represents a DNS name.
	TLSSubjectAlternativeName   string         `json:"tls_client_auth_san_dns,omitempty" bson:"tls_client_auth_san_dns,omitempty"`
	// TLSSubjectAlternativeNameIp represents an IP SAN. (Go naming would be
	// ...IP; the identifier is exported and kept for compatibility.)
	TLSSubjectAlternativeNameIp string         `json:"tls_client_auth_san_ip,omitempty" bson:"tls_client_auth_san_ip,omitempty"`
	// AuthorizationDetailTypes lists the RFC 9396 "type" values this client may
	// request (Client.IsAuthorizationDetailTypeAllowed).
	// NOTE(review): RFC 9396 registers this client metadata field as
	// "authorization_details_types"; the tag here is the older draft name
	// "authorization_data_types", which may matter for interop with DCR clients
	// that follow the final RFC — confirm which name is intended.
	AuthorizationDetailTypes    []string       `json:"authorization_data_types,omitempty" bson:"authorization_data_types,omitempty"`
	// DefaultMaxAgeSecs is a pointer so an explicit 0 can be distinguished
	// from "not set".
	DefaultMaxAgeSecs           *int           `json:"default_max_age,omitempty" bson:"default_max_age,omitempty"`
	DefaultACRValues            string         `json:"default_acr_values,omitempty" bson:"default_acr_values,omitempty"`
	// CustomAttributes holds application-specific metadata (see SetAttribute).
	CustomAttributes            map[string]any `json:"custom_attributes,omitempty" bson:"custom_attributes,omitempty"`
}

func (*ClientMetaInfo) SetAttribute

func (c *ClientMetaInfo) SetAttribute(key string, value any)

type CodeChallengeMethod

// CodeChallengeMethod is the PKCE code_challenge_method (RFC 7636).
type CodeChallengeMethod string
const (
	// CodeChallengeMethodSHA256 ("S256") is the method clients should use.
	CodeChallengeMethodSHA256 CodeChallengeMethod = "S256"
	// CodeChallengeMethodPlain sends the verifier itself as the challenge. RFC
	// 7636 allows it only when S256 is technically impossible, and it provides
	// no protection if the authorization request is observed; profiles such as
	// FAPI forbid it. Whether goidc rejects it under ProfileFAPI2 is not visible
	// here — confirm before relying on it.
	CodeChallengeMethodPlain  CodeChallengeMethod = "plain"
)

type Context

// Context is the per-request environment handed to policies and plugins: the
// underlying HTTP request/response plus server-side advice on how to finish
// authentication. TestContext is a stub implementation for tests.
type Context interface {
	Request() *http.Request
	Response() http.ResponseWriter
	// AuthnHints provides a list of hints to fulfill the authentication flow successfully.
	// The authentication flow can still finish successfully if the hints are not followed,
	// but it's recommended to evaluate them and modify the session accordingly.
	// Hints are advisory only: ignoring HintReauthenticateUser, for instance, means
	// the policy itself becomes responsible for honoring max_age / prompt=login.
	AuthnHints(*UserInfo, *AuthnSession) ([]AuthnHint, error)
}

func NewTestContext

func NewTestContext(scopes Scopes) Context

type ContextKey

// ContextKey is the key type used for values stored in a context.Context by
// this package; a dedicated type avoids collisions with other packages' keys.
type ContextKey string
// CorrelationIDKey is the context key under which the request correlation ID
// is stored, for tracing a request across log lines.
const CorrelationIDKey ContextKey = "correlation_id"

type DCRPluginFunc

// DCRPluginFunc is executed during dynamic client registration (DCR) and
// dynamic client management (DCM). It may modify the client metadata in place
// and perform custom validation — for instance restricting which redirect
// URIs, grant types or authentication methods a self-registered client may
// obtain, which is the main control point against abusive registrations.
type DCRPluginFunc func(ctx Context, clientInfo *ClientMetaInfo)

DCRPluginFunc is executed during dynamic client registration (DCR) and dynamic client management (DCM). It can be used to modify the client metadata and to perform custom validation — for instance restricting which redirect URIs, grant types or authentication methods a self-registered client may obtain.

type DisplayValue

// DisplayValue is the "display" authorization request parameter: how the
// client asks the authentication UI to be presented (OpenID Connect Core 1.0,
// Section 3.1.2.1).
type DisplayValue string
const (
	DisplayValuePage  DisplayValue = "page"
	DisplayValuePopUp DisplayValue = "popup"
	DisplayValueTouch DisplayValue = "touch"
	DisplayValueWAP   DisplayValue = "wap"
)

type EndpointPath

// EndpointPath is the path, relative to the issuer, of each endpoint served by
// the provider.
type EndpointPath string
const (
	EndpointWellKnown                  EndpointPath = "/.well-known/openid-configuration"
	EndpointJSONWebKeySet              EndpointPath = "/jwks"
	EndpointPushedAuthorizationRequest EndpointPath = "/par"
	EndpointAuthorization              EndpointPath = "/authorize"
	EndpointToken                      EndpointPath = "/token"
	EndpointUserInfo                   EndpointPath = "/userinfo"
	// EndpointDynamicClient serves both registration (RFC 7591) and management
	// (RFC 7592) of clients.
	EndpointDynamicClient              EndpointPath = "/register"
	EndpointTokenIntrospection         EndpointPath = "/introspect"
)

type ErrorCode

// ErrorCode is the "error" member of an OAuth 2.0 error response; StatusCode
// maps each code to the HTTP status it is returned with.
//
// Most values are registered codes (RFC 6749, RFC 6750 invalid_token, RFC 9396
// invalid_authorization_details, OIDC Core invalid_request_object).
// "internal_error" is not a registered code — RFC 6749 uses "server_error" for
// that situation — so clients following the spec may not recognize it.
// ErrorCodeInvalidResquestObject is misspelled but exported and kept as-is.
type ErrorCode string
const (
	ErrorCodeAccessDenied                ErrorCode = "access_denied"
	ErrorCodeInvalidClient               ErrorCode = "invalid_client"
	ErrorCodeInvalidGrant                ErrorCode = "invalid_grant"
	ErrorCodeInvalidRequest              ErrorCode = "invalid_request"
	ErrorCodeUnauthorizedClient          ErrorCode = "unauthorized_client"
	ErrorCodeInvalidScope                ErrorCode = "invalid_scope"
	ErrorCodeInvalidAuthorizationDetails ErrorCode = "invalid_authorization_details"
	ErrorCodeUnsupportedGrantType        ErrorCode = "unsupported_grant_type"
	ErrorCodeInvalidResquestObject       ErrorCode = "invalid_request_object"
	ErrorCodeInvalidToken                ErrorCode = "invalid_token"
	ErrorCodeInternalError               ErrorCode = "internal_error"
)

func (ErrorCode) StatusCode

func (ec ErrorCode) StatusCode() int

type GrantOptions

// GrantOptions describes what a grant authorizes: who (Subject, ClientID),
// what (GrantedScopes, GrantedAuthorizationDetails), extra claims to emit and
// how tokens are minted (TokenOptions, embedded and flattened).
type GrantOptions struct {
	GrantType                   GrantType             `json:"grant_type" bson:"grant_type"`
	Subject                     string                `json:"sub" bson:"sub"`
	ClientID                    string                `json:"client_id" bson:"client_id"`
	GrantedScopes               string                `json:"granted_scopes" bson:"granted_scopes"`
	GrantedAuthorizationDetails []AuthorizationDetail `json:"granted_authorization_details,omitempty" bson:"granted_authorization_details,omitempty"`
	AdditionalIDTokenClaims     map[string]any        `json:"additional_id_token_claims,omitempty" bson:"additional_id_token_claims,omitempty"`
	AdditionalUserInfoClaims    map[string]any        `json:"additional_user_info_claims,omitempty" bson:"additional_user_info_claims,omitempty"`
	TokenOptions                `bson:"inline"`
}

type GrantSession

// GrantSession is the persisted state of an issued grant: the most recent
// access token (by TokenID), the refresh token, lifetimes and the key/cert the
// tokens are bound to. GrantOptions is embedded and flattened.
//
// Security note: RefreshToken is stored in clear because
// GrantSessionManager.GetByRefreshToken looks the session up by it, so the
// grant store holds live credentials and must be protected as such.
type GrantSession struct {
	ID                          string `json:"id" bson:"_id"`
	// JWKThumbprint / ClientCertificateThumbprint bind the tokens to the
	// client's DPoP key or mTLS certificate (presumably the RFC 9449 "jkt" and
	// RFC 8705 "x5t#S256" confirmation values — confirm in the token code).
	JWKThumbprint               string `json:"jwk_thumbprint,omitempty" bson:"jwk_thumbprint,omitempty"`
	ClientCertificateThumbprint string `json:"certificate_thumbprint,omitempty" bson:"certificate_thumbprint,omitempty"`
	// TokenID identifies the current access token (jti for JWTs); the session
	// is looked up by it during introspection.
	TokenID                     string `json:"token_id" bson:"token_id"`
	RefreshToken                string `json:"refresh_token,omitempty" bson:"refresh_token,omitempty"`
	// LastTokenIssuedAtTimestamp + TokenLifetimeSecs drives HasLastTokenExpired;
	// ExpiresAtTimestamp drives IsRefreshSessionExpired.
	LastTokenIssuedAtTimestamp  int    `json:"last_token_issued_at" bson:"last_token_issued_at"`
	CreatedAtTimestamp          int    `json:"created_at" bson:"created_at"`
	ExpiresAtTimestamp          int    `json:"expires_at" bson:"expires_at"`
	// ActiveScopes are the scopes currently in effect, which may be a subset of
	// GrantedScopes after a down-scoped refresh.
	ActiveScopes                string `json:"active_scopes" bson:"active_scopes"`
	GrantOptions                `bson:"inline"`
}

func (*GrantSession) HasLastTokenExpired

func (g *GrantSession) HasLastTokenExpired() bool

func (*GrantSession) IsRefreshSessionExpired

func (g *GrantSession) IsRefreshSessionExpired() bool

type GrantSessionManager

// GrantSessionManager is the storage abstraction for GrantSession. Lookups are
// keyed by the access token ID and by the refresh token value itself, both
// presented by clients, so implementations must match them exactly and are
// expected to return ErrorEntityNotFound when nothing matches.
type GrantSessionManager interface {
	CreateOrUpdate(ctx context.Context, grantSession *GrantSession) error
	GetByTokenID(ctx context.Context, tokenID string) (*GrantSession, error)
	GetByRefreshToken(ctx context.Context, refreshToken string) (*GrantSession, error)
	Delete(ctx context.Context, id string) error
}

type GrantType

// GrantType is the grant_type of a token request (or, in client metadata, a
// grant a client is allowed to use; see Client.IsGrantTypeAllowed).
type GrantType string
const (
	GrantClientCredentials GrantType = "client_credentials"
	GrantAuthorizationCode GrantType = "authorization_code"
	GrantRefreshToken      GrantType = "refresh_token"
	// GrantImplicit delivers tokens in the front channel; the OAuth 2.0 Security
	// BCP and OAuth 2.1 deprecate it. Only enable it for clients that truly need it.
	GrantImplicit          GrantType = "implicit"
	// GrantIntrospection is a goidc-private URN (not a registered grant type)
	// used to model the right to call the introspection endpoint as a grant.
	// NOTE: the value contains the misspelling "intropection"; it is a wire
	// value, so correcting it would break clients registered with the current
	// string — change it only as a deliberate, versioned migration.
	GrantIntrospection     GrantType = "urn:goidc:oauth2:grant_type:token_intropection"
)

type KeyUsage

// KeyUsage is the JWK "use" parameter (RFC 7517, Section 4.2): whether a key is
// meant for signatures or for encryption. Keys should not be used for both.
type KeyUsage string
const (
	KeyUsageSignature  KeyUsage = "sig"
	KeyUsageEncryption KeyUsage = "enc"
)

type OAuthBaseError

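// OAuthBaseError is the standard OAuth 2.0 error response body: the "error"
// code and a human-readable "error_description". It implements OAuthError and
// error, and can wrap an underlying cause (Inner) for logging and errors.Is /
// errors.As.
//
// Inner is excluded from JSON on purpose: the struct is marshaled straight
// into error responses sent to clients, and an untagged interface field would
// be emitted as "Inner" — null when unset, or the full JSON form of the wrapped
// error otherwise. Wrapped errors frequently carry exported fields (*url.Error
// exposes Op and URL, *net.OpError exposes addresses), which would leak internal
// hostnames, paths and stack details to the caller.
type OAuthBaseError struct {
	Inner            error     `json:"-"` // Wrapped cause; server-side only, never serialized.
	ErrorCode        ErrorCode `json:"error"`
	ErrorDescription string    `json:"error_description"`
}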

func (OAuthBaseError) Code

func (err OAuthBaseError) Code() ErrorCode

func (OAuthBaseError) Error

func (err OAuthBaseError) Error() string

func (OAuthBaseError) Unwrap

func (e OAuthBaseError) Unwrap() error

type OAuthError

// OAuthError is an error that maps to an OAuth 2.0 error code. Code supplies
// the "error" value (and, through ErrorCode.StatusCode, the HTTP status);
// Error returns the message. OAuthBaseError and OAuthRedirectError implement it.
type OAuthError interface {
	Code() ErrorCode
	Error() string
}

func NewOAuthError

func NewOAuthError(code ErrorCode, description string) OAuthError

func NewWrappingOAuthError

func NewWrappingOAuthError(err error, code ErrorCode, description string) OAuthError

type OAuthRedirectError

// OAuthRedirectError is an authorization endpoint error that must be delivered
// to the client's redirect URI (with the state / response mode taken from the
// embedded AuthorizationParameters) rather than rendered directly. It should
// only be produced once the redirect URI has been validated against the
// client's registration, otherwise it turns the server into an open redirector.
type OAuthRedirectError struct {
	OAuthBaseError
	AuthorizationParameters
}

type Profile

// Profile selects the set of rules the provider enforces: plain OpenID Connect
// or the stricter FAPI 2.0 Security Profile.
type Profile string
const (
	ProfileOpenID Profile = "oidc_profile"
	ProfileFAPI2  Profile = "fapi2_profile"
)

type PromptType

// PromptType is the "prompt" authorization request parameter (OpenID Connect
// Core 1.0, Section 3.1.2.1), controlling whether the user must be shown
// login / consent / account-selection UI.
type PromptType string
const (
	// PromptTypeNone forbids any UI; the request must fail if interaction is
	// needed (e.g. no existing session).
	PromptTypeNone          PromptType = "none"
	// PromptTypeLogin forces re-authentication even if a session exists.
	PromptTypeLogin         PromptType = "login"
	PromptTypeConsent       PromptType = "consent"
	PromptTypeSelectAccount PromptType = "select_account"
)

type ResponseMode

// ResponseMode is the "response_mode" authorization request parameter: how the
// authorization response is returned to the redirect URI.
type ResponseMode string
const (
	// ResponseModeQuery places the response in the URL query; it must not be
	// used for response types that carry tokens (see ResponseType.IsImplicit).
	ResponseModeQuery    ResponseMode = "query"
	ResponseModeFragment ResponseMode = "fragment"
	ResponseModeFormPost ResponseMode = "form_post"
	// JARM - JWT Secured Authorization Response Mode.
	// For more information, see https://openid.net/specs/oauth-v2-jarm.html.
	// The response is a signed (optionally encrypted) JWT, which protects it
	// against tampering and mix-up attacks.
	ResponseModeQueryJWT    ResponseMode = "query.jwt"
	ResponseModeFragmentJWT ResponseMode = "fragment.jwt"
	ResponseModeFormPostJWT ResponseMode = "form_post.jwt"
	// ResponseModeJWT is the JARM shorthand resolved to the default JWT mode
	// for the response type (see ResponseType.DefaultResponseMode).
	ResponseModeJWT         ResponseMode = "jwt"
)

func (ResponseMode) IsJARM

func (rm ResponseMode) IsJARM() bool

func (ResponseMode) IsQuery

func (rm ResponseMode) IsQuery() bool

type ResponseType

// ResponseType is the "response_type" authorization request parameter,
// including the multi-valued combinations of the OAuth 2.0 Multiple Response
// Type Encoding Practices. Every value containing "token" or "id_token"
// returns a token in the front channel (IsImplicit) and therefore needs the
// fragment or form_post response mode.
type ResponseType string
const (
	ResponseTypeCode                   ResponseType = "code"
	ResponseTypeIDToken                ResponseType = "id_token"
	ResponseTypeToken                  ResponseType = "token"
	ResponseTypeCodeAndIDToken         ResponseType = "code id_token"
	ResponseTypeCodeAndToken           ResponseType = "code token"
	ResponseTypeIDTokenAndToken        ResponseType = "id_token token"
	ResponseTypeCodeAndIDTokenAndToken ResponseType = "code id_token token"
)

func (ResponseType) Contains

func (rt ResponseType) Contains(responseType ResponseType) bool

func (ResponseType) DefaultResponseMode

func (rt ResponseType) DefaultResponseMode(jarm bool) ResponseMode

DefaultResponseMode returns the response mode based on the response type. According to "5. Definitions of Multiple-Valued Response Type Combinations" of https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations.

func (ResponseType) IsImplicit

func (rt ResponseType) IsImplicit() bool

type Scope

// Scope is a scope the provider supports, together with the logic that decides
// whether a requested scope string satisfies it. NewScope gives exact-match
// semantics; NewDynamicScope accepts a custom predicate (e.g. prefix matching
// for parameterized scopes such as "payment:30").
type Scope struct {
	// ID is the string representation of the scope.
	// Its value will be exported as is.
	ID string
	// Matches validates if a requested scope is valid.
	Matches ScopeMatchingFunc
}

func NewDynamicScope

func NewDynamicScope(
	scope string,
	matchingFunc ScopeMatchingFunc,
) Scope

NewDynamicScope creates a scope with custom logic that will be used to validate the scopes requested by the client.

dynamicScope := NewDynamicScope(
	"payment",
	func(requestedScope string) bool {
		return strings.HasPrefix(requestedScope, "payment")
	},
)

// This results in true.
dynamicScope.Matches("payment:30")

func NewScope

func NewScope(scope string) Scope

NewScope creates a scope where the validation logic is simple string comparison.

func (Scope) String

func (scope Scope) String() string

type ScopeMatchingFunc

// ScopeMatchingFunc reports whether a scope requested by a client satisfies a
// Scope. Implementations should be strict: an over-permissive predicate lets a
// client obtain scopes it was not meant to have.
type ScopeMatchingFunc func(requestedScope string) bool

type Scopes

// Scopes is the set of scopes a provider (or a test context) supports, with
// helpers to check membership, list IDs and select a subset.
type Scopes []Scope

func (Scopes) Contains

func (scopes Scopes) Contains(requestedScope string) bool

func (Scopes) ContainsOpenID

func (scopes Scopes) ContainsOpenID() bool

func (Scopes) IDs

func (scopes Scopes) IDs() []string

func (Scopes) String

func (scopes Scopes) String() string

func (Scopes) SubSet

func (scopes Scopes) SubSet(ids []string) Scopes

type SetUpAuthnFunc

// SetUpAuthnFunc decides whether the corresponding AuthnPolicy applies to the
// given client and session (returning true selects the policy). It may also
// prepare the session for the flow it is about to run.
type SetUpAuthnFunc func(Context, *Client, *AuthnSession) bool

SetUpAuthnFunc is responsible for deciding if the corresponding policy will be executed.

type SubjectIdentifierType

// SubjectIdentifierType is the "subject_type" client metadata value: how the
// sub claim is derived for the client.
type SubjectIdentifierType string

For more information, see: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes

const (
	// The server provides the same sub (subject) value to all Clients.
	// Only "public" is defined here; the "pairwise" type (a different sub per
	// client, which prevents clients from correlating users) is not offered.
	SubjectIdentifierPublic SubjectIdentifierType = "public"
)

type TestContext

// TestContext is a stub Context for tests: it carries only the scopes the
// fake provider supports. Build it with NewTestContext.
type TestContext struct {
	OAuthScopes Scopes
}

func (TestContext) AuthnHints

func (testCtx TestContext) AuthnHints(info *UserInfo, session *AuthnSession) ([]AuthnHint, error)

func (TestContext) Request

func (testCtx TestContext) Request() *http.Request

func (TestContext) Response

func (testCtx TestContext) Response() http.ResponseWriter

type TokenFormat

// TokenFormat selects how access tokens are minted: self-contained signed JWTs
// or opaque random strings that must be introspected.
type TokenFormat string
const (
	TokenFormatJWT    TokenFormat = "jwt"
	TokenFormatOpaque TokenFormat = "opaque"
)

type TokenOptions

// TokenOptions controls how access tokens are issued for a grant; build it
// with NewJWTTokenOptions or NewOpaqueTokenOptions.
type TokenOptions struct {
	TokenFormat           TokenFormat    `json:"token_format" bson:"token_format"`
	TokenLifetimeSecs     int            `json:"token_lifetime_secs" bson:"token_lifetime_secs"`
	// JWTSignatureKeyID selects the server key used to sign JWT tokens.
	JWTSignatureKeyID     string         `json:"token_signature_key_id,omitempty" bson:"token_signature_key_id,omitempty"`
	// OpaqueTokenLength is the length of opaque tokens. It must differ from
	// RefreshTokenLength (99): introspection distinguishes the two kinds of
	// token by length alone.
	OpaqueTokenLength     int            `json:"opaque_token_length,omitempty" bson:"opaque_token_length,omitempty"`
	// AdditionalTokenClaims are merged into the access token (see AddTokenClaims).
	AdditionalTokenClaims map[string]any `json:"additional_token_claims,omitempty" bson:"additional_token_claims,omitempty"`
}

TODO: Allow passing the token ID? Or a prefix?

func NewJWTTokenOptions

func NewJWTTokenOptions(

	signatureKeyID string,
	tokenLifetimeSecs int,
) TokenOptions

func NewOpaqueTokenOptions

func NewOpaqueTokenOptions(
	tokenLength int,
	tokenLifetimeSecs int,
) TokenOptions

func (*TokenOptions) AddTokenClaims

func (opts *TokenOptions) AddTokenClaims(claims map[string]any)

type TokenOptionsFunc

// TokenOptionsFunc chooses the TokenOptions for a token request, given the
// client and the (space-separated) scopes being granted. Returning an error
// aborts the issuance.
type TokenOptionsFunc func(client *Client, scopes string) (TokenOptions, error)

type TokenType

// TokenType is the token_type returned with an access token and the scheme
// expected in the Authorization header: plain Bearer (RFC 6750) or DPoP-bound
// (RFC 9449), in which case a valid DPoP proof must accompany every use.
type TokenType string
const (
	TokenTypeBearer TokenType = "Bearer"
	TokenTypeDPoP   TokenType = "DPoP"
)

type TokenTypeHint

// TokenTypeHint is the token_type_hint parameter of introspection (RFC 7662).
// It is only a hint; the server still determines the token kind itself.
type TokenTypeHint string
const (
	TokenHintAccess  TokenTypeHint = "access_token"
	TokenHintRefresh TokenTypeHint = "refresh_token"
)

type UserInfo

// UserInfo describes an already-authenticated user as seen by the server when
// computing AuthnHints: who they are, when and how they authenticated. The
// latter two feed the auth_time, acr and amr claims and the max_age check.
type UserInfo struct {
	UserID         string
	AuthnTimestamp int
	AuthnContext   AuthenticationContextReference
	AuthnMethods   []AuthenticationMethodReference
}
