Index ¶
- Constants
- Variables
- func AssertTimestampWithin(t *testing.T, expected int, actual int, msgAndArgs ...any)
- func AuthorizationCode() (string, error)
- func CallbackID() (string, error)
- func ContainsAll[T comparable](superSet []T, subSet ...T) bool
- func ContainsAllScopes(scopesSuperSet string, scopesSubSet string) bool
- func RandomString(n int) (string, error)
- func RequestURI() (string, error)
- func SplitStringWithSpaces(s string) []string
- func TimestampNow() int
- type AuthenticationContextReference
- type AuthenticationMethodReference
- type AuthnFunc
- type AuthnHint
- type AuthnPolicy
- type AuthnSession
- func (s *AuthnSession) AddIDTokenClaim(claim string, value any)
- func (s *AuthnSession) AddTokenClaim(claim string, value any)
- func (s *AuthnSession) AddUserInfoClaim(claim string, value any)
- func (s *AuthnSession) GrantAuthorizationDetails(authDetails []AuthorizationDetail)
- func (s *AuthnSession) GrantScopes(scopes string)
- func (s *AuthnSession) InitAuthorizationCode() OAuthError
- func (s *AuthnSession) IsExpired() bool
- func (s *AuthnSession) Push(lifetimeSecs int) (requestURI string, err error)
- func (s *AuthnSession) SetRedirectError(errorCode ErrorCode, errorDescription string)
- func (s *AuthnSession) SetUserID(userID string)
- func (s *AuthnSession) Start(policyID string, lifetimeSecs int) OAuthError
- func (s *AuthnSession) StoreParameter(key string, value any)
- func (s *AuthnSession) UpdateParams(params AuthorizationParameters)
- type AuthnSessionManager
- type AuthnStatus
- type AuthorizationDetail
- type AuthorizationParameters
- func (params AuthorizationParameters) DefaultResponseMode() ResponseMode
- func (insideParams AuthorizationParameters) Merge(outsideParams AuthorizationParameters) AuthorizationParameters
- func (params AuthorizationParameters) NewRedirectError(errorCode ErrorCode, errorDescription string) OAuthRedirectError
- type AuthorizeErrorPluginFunc
- type ClaimObjectInfo
- type ClaimType
- type ClaimsObject
- type Client
- func (c *Client) AreScopesAllowed(ctx Context, availableScopes Scopes, requestedScopes string) bool
- func (c *Client) FetchPublicJWKS() (jose.JSONWebKeySet, error)
- func (c *Client) IDTokenEncryptionJWK() (jose.JSONWebKey, OAuthError)
- func (c *Client) IsAuthorizationDetailTypeAllowed(authDetailType string) bool
- func (c *Client) IsGrantTypeAllowed(grantType GrantType) bool
- func (c *Client) IsRedirectURIAllowed(redirectURI string) bool
- func (c *Client) IsRegistrationAccessTokenValid(token string) bool
- func (c *Client) IsResponseTypeAllowed(responseType ResponseType) bool
- func (c *Client) JARMEncryptionJWK() (jose.JSONWebKey, OAuthError)
- func (c *Client) PublicKey(keyID string) (jose.JSONWebKey, OAuthError)
- func (c *Client) UserInfoEncryptionJWK() (jose.JSONWebKey, OAuthError)
- type ClientAssertionType
- type ClientAuthnType
- type ClientManager
- type ClientMetaInfo
- type CodeChallengeMethod
- type Context
- type ContextKey
- type DCRPluginFunc
- type DisplayValue
- type EndpointPath
- type ErrorCode
- type GrantOptions
- type GrantSession
- type GrantSessionManager
- type GrantType
- type KeyUsage
- type OAuthBaseError
- type OAuthError
- type OAuthRedirectError
- type Profile
- type PromptType
- type ResponseMode
- type ResponseType
- type Scope
- type ScopeMatchingFunc
- type Scopes
- type SetUpAuthnFunc
- type SubjectIdentifierType
- type TestContext
- type TokenFormat
- type TokenOptions
- type TokenOptionsFunc
- type TokenType
- type TokenTypeHint
- type UserInfo
Constants ¶
// Claim names used in the tokens issued by this package. The values are the
// claim names exactly as they appear in a token payload.
const (
	ClaimTokenID                        string = "jti"
	ClaimIssuer                         string = "iss"
	ClaimSubject                        string = "sub"
	ClaimAudience                       string = "aud"
	ClaimClientID                       string = "client_id"
	ClaimExpiry                         string = "exp"
	ClaimIssuedAt                       string = "iat"
	ClaimScope                          string = "scope"
	ClaimNonce                          string = "nonce"
	ClaimAuthenticationTime             string = "auth_time"
	ClaimAuthenticationMethodReferences string = "amr"
	ClaimAuthenticationContextReference string = "acr"
	ClaimProfile                        string = "profile"
	ClaimEmail                          string = "email"
	ClaimEmailVerified                  string = "email_verified"
	ClaimAddress                        string = "address"
	ClaimAuthorizationDetails           string = "authorization_details"
	// Hash claims carried by ID tokens to bind them to the other artifacts of the response.
	ClaimAccessTokenHash       string = "at_hash"
	ClaimAuthorizationCodeHash string = "c_hash"
	ClaimStateHash             string = "s_hash"
)
// HTTP header names read by the server.
const (
	// HeaderDPoP is the header that carries the client's DPoP proof.
	HeaderDPoP string = "DPoP"
	// HeaderSecureClientCertificate is the header used to transmit a client certificate that was validated by a trusted source.
	// NOTE(review): only the trusted TLS terminator should be able to set this header; confirm the
	// deployment strips any client-supplied value before the request reaches this server.
	HeaderSecureClientCertificate string = "X-Secure-Client-Certificate"
	// HeaderInsecureClientCertificate is the header used to transmit a client certificate that cannot be trusted.
	// This is useful for clients authenticating with self-signed certificates.
	HeaderInsecureClientCertificate string = "X-Insecure-Client-Certificate"
)
// Sizes of the random artifacts generated by the package and the lifetime of
// authorization codes.
const (
	// AuthorizationCodeLength is the length, in characters, of an authorization code.
	AuthorizationCodeLength int = 30
	// AuthorizationCodeLifetimeSecs is the validity period of an authorization code, in seconds.
	AuthorizationCodeLifetimeSecs int = 60
	// CallbackIDLength is the length, in characters, of an authentication session callback ID.
	CallbackIDLength int = 20
	// ClientSecretCharset is the alphabet generated client secrets are drawn from.
	ClientSecretCharset string = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	// ClientSecretLength is the length, in characters, of a generated client secret.
	ClientSecretLength int = 64
)
The client secret must have at least 64 characters so that it can also be used as a symmetric key, for instance during authentication with client_secret_jwt. For client_secret_jwt, the strongest algorithm we accept is HS512, which requires a key of at least 512 bits (64 characters).
// Default lifetimes and sizes used when the caller does not configure its own.
const (
	// DefaultAuthenticationSessionTimeoutSecs is the default authentication session timeout: 30 minutes.
	DefaultAuthenticationSessionTimeoutSecs = 30 * 60
	// DefaultRefreshTokenLifetimeSecs is the default refresh token lifetime, in seconds.
	DefaultRefreshTokenLifetimeSecs int = 6000
	// DefaultTokenLifetimeSecs is the default access token lifetime, in seconds.
	DefaultTokenLifetimeSecs int = 300
	// DynamicClientIDLength is the length, in characters, of a dynamically registered client ID.
	DynamicClientIDLength int = 30
	// ProtectedParamPrefix marks request parameters that are treated as protected.
	ProtectedParamPrefix string = "p_"
	// RefreshTokenLength is the length, in characters, of a refresh token.
	RefreshTokenLength int = 99
)
During introspection, a refresh token is identified by its length. Setting the length to an unusual value therefore prevents refresh tokens and opaque access tokens from being confused, as long as opaque access tokens are configured with a different length.
// Sizes of the random identifiers used by dynamic client registration and PAR.
const (
	// RegistrationAccessTokenLength is the length, in characters, of a registration access token.
	RegistrationAccessTokenLength int = 50
	// RequestURILength is the length, in characters, of the random part of a pushed request URI.
	RequestURILength int = 20
)
Variables ¶
// Standard OpenID Connect scopes, built with NewScope so they can be passed
// wherever a Scope is expected.
var (
	ScopeOpenID  = NewScope("openid")
	ScopeProfile = NewScope("profile")
	ScopeEmail   = NewScope("email")
	ScopeAddress = NewScope("address")
	// ScopeOffilineAccess is the "offline_access" scope.
	// NOTE(review): the identifier misspells "offline"; it is exported, so renaming it would break callers.
	ScopeOffilineAccess = NewScope("offline_access")
)
// ErrorEntityNotFound signals that a requested entity could not be found.
// Compare with errors.Is rather than ==, so wrapped errors still match.
var ErrorEntityNotFound = errors.New("entity not found")
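// FAPIAllowedCipherSuites lists the TLS 1.2 cipher suites the server accepts
// under the FAPI profile. The previous declaration listed each suite twice;
// duplicates carry no meaning for crypto/tls and are dropped here.
// NOTE(review): only ECDHE_RSA suites are listed; confirm against the FAPI
// profile in use whether the ECDHE_ECDSA variants should be allowed as well.
var FAPIAllowedCipherSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}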
Functions ¶
func AssertTimestampWithin ¶
func AuthorizationCode ¶
func CallbackID ¶
func ContainsAll ¶
func ContainsAll[T comparable](superSet []T, subSet ...T) bool
func ContainsAllScopes ¶
func RandomString ¶
func RequestURI ¶
func SplitStringWithSpaces ¶
func TimestampNow ¶
func TimestampNow() int
TimestampNow returns the current timestamp. The result is always in UTC time.
Types ¶
type AuthenticationContextReference ¶
// AuthenticationContextReference is the value carried by the "acr" claim
// (see ClaimAuthenticationContextReference).
type AuthenticationContextReference string

const (
	// ACRNoAssuranceLevel is the "0" level, i.e. no assurance about the authentication.
	ACRNoAssuranceLevel      AuthenticationContextReference = "0"
	ACRMaceIncommonIAPSilver AuthenticationContextReference = "urn:mace:incommon:iap:silver"
	ACRMaceIncommonIAPBronze AuthenticationContextReference = "urn:mace:incommon:iap:bronze"
)
type AuthenticationMethodReference ¶
// AuthenticationMethodReference is one of the values carried by the "amr"
// claim (see ClaimAuthenticationMethodReferences). The values are the
// registered short names from RFC 8176.
type AuthenticationMethodReference string

const (
	AuthenticationMethodFacialRecognition  AuthenticationMethodReference = "face"
	AuthenticationMethodFingerPrint        AuthenticationMethodReference = "fpt"
	AuthenticationMethodGeolocation        AuthenticationMethodReference = "geo"
	AuthenticationMethodHardwareSecuredKey AuthenticationMethodReference = "hwk"
	AuthenticationMethodIrisScan           AuthenticationMethodReference = "iris"
	AuthenticationMethodMultipleFactor     AuthenticationMethodReference = "mfa"
	// NOTE(review): identifier misspells "Password"; exported, so left as is.
	AuthenticationMethodOneTimePassoword AuthenticationMethodReference = "otp"
	AuthenticationMethodPassword         AuthenticationMethodReference = "pwd"
	// NOTE(review): identifier has an odd capitalisation ("IDentification"); exported, so left as is.
	AuthenticationMethodPersonalIDentificationNumber AuthenticationMethodReference = "pin"
	AuthenticationMethodRiskBased                    AuthenticationMethodReference = "rba"
	AuthenticationMethodSMS                          AuthenticationMethodReference = "sms"
	AuthenticationMethodSoftwareSecuredKey           AuthenticationMethodReference = "swk"
)
type AuthnFunc ¶
type AuthnFunc func(Context, *AuthnSession) AuthnStatus
AuthnFunc executes the user authentication logic.
type AuthnPolicy ¶
// AuthnPolicy pairs a selection function with the authentication logic it guards.
type AuthnPolicy struct {
	// ID identifies the policy; presumably the value passed to AuthnSession.Start as policyID.
	ID string
	// SetUp decides whether this policy should run for a given client and session.
	SetUp SetUpAuthnFunc
	// Authenticate runs the user authentication logic and reports an AuthnStatus.
	Authenticate AuthnFunc
}
func NewPolicy ¶
func NewPolicy( id string, setUpFunc SetUpAuthnFunc, authnFunc AuthnFunc, ) AuthnPolicy
NewPolicy creates a policy that will be selected based on setUpFunc and that authenticates users with authnFunc.
type AuthnSession ¶
// AuthnSession is the state kept across the steps of an authorization request,
// from the initial request (or PAR push) until an authorization code is issued.
// It is serialized both as JSON and as BSON; fields tagged "-" are never persisted.
type AuthnSession struct {
	ID         string `json:"id" bson:"_id"`
	CallbackID string `json:"callback_id" bson:"callback_id"`
	PolicyID   string `json:"policy_id" bson:"policy_id"`
	ExpiresAtTimestamp int `json:"expires_at" bson:"expires_at"`
	CreatedAtTimestamp int `json:"created_at" bson:"created_at"`
	Subject  string `json:"sub" bson:"sub"`
	ClientID string `json:"client_id" bson:"client_id"`
	GrantedScopes               string                `json:"granted_scopes" bson:"granted_scopes"`
	GrantedAuthorizationDetails []AuthorizationDetail `json:"granted_authorization_details,omitempty" bson:"granted_authorization_details,omitempty"`
	// AuthorizationCode is the code handed to the client once authentication succeeds.
	// NOTE(review): it is persisted as-is per its bson tag; confirm the session store is
	// treated as holding secrets for the code's lifetime.
	AuthorizationCode string `json:"authorization_code,omitempty" bson:"authorization_code,omitempty"`
	// ProtectedParameters contains custom parameters sent by PAR or JAR.
	ProtectedParameters map[string]any `json:"protected_params,omitempty" bson:"protected_params,omitempty"`
	// Store allows developers to store information between user interactions.
	Store map[string]any `json:"store,omitempty" bson:"store,omitempty"`
	// Additional claims collected during the flow via AddTokenClaim, AddIDTokenClaim and AddUserInfoClaim.
	AdditionalTokenClaims    map[string]any `json:"additional_token_claims,omitempty" bson:"additional_token_claims,omitempty"`
	AdditionalIDTokenClaims  map[string]any `json:"additional_id_token_claims,omitempty" bson:"additional_id_token_claims,omitempty"`
	AdditionalUserInfoClaims map[string]any `json:"additional_user_info_claims,omitempty" bson:"additional_user_info_claims,omitempty"`
	// The original authorization request parameters, flattened into the document.
	AuthorizationParameters `bson:"inline"`
	// Error is only set in memory (see SetRedirectError); it is never serialized.
	Error OAuthError `json:"-" bson:"-"`
}
func (*AuthnSession) AddIDTokenClaim ¶
func (s *AuthnSession) AddIDTokenClaim(claim string, value any)
func (*AuthnSession) AddTokenClaim ¶
func (s *AuthnSession) AddTokenClaim(claim string, value any)
func (*AuthnSession) AddUserInfoClaim ¶
func (s *AuthnSession) AddUserInfoClaim(claim string, value any)
func (*AuthnSession) GrantAuthorizationDetails ¶
func (s *AuthnSession) GrantAuthorizationDetails(authDetails []AuthorizationDetail)
GrantAuthorizationDetails sets the authorization details the client will have permissions to use. This will only have effect if support for authorization details was enabled.
func (*AuthnSession) GrantScopes ¶
func (s *AuthnSession) GrantScopes(scopes string)
func (*AuthnSession) InitAuthorizationCode ¶
func (s *AuthnSession) InitAuthorizationCode() OAuthError
func (*AuthnSession) IsExpired ¶
func (s *AuthnSession) IsExpired() bool
func (*AuthnSession) Push ¶
func (s *AuthnSession) Push(lifetimeSecs int) (requestURI string, err error)
Push creates a session that can be referenced by a request URI.
func (*AuthnSession) SetRedirectError ¶
func (s *AuthnSession) SetRedirectError(errorCode ErrorCode, errorDescription string)
func (*AuthnSession) SetUserID ¶
func (s *AuthnSession) SetUserID(userID string)
func (*AuthnSession) Start ¶
func (s *AuthnSession) Start(policyID string, lifetimeSecs int) OAuthError
Start prepares the session to be used while the authentication flow defined by policyID happens.
func (*AuthnSession) StoreParameter ¶
func (s *AuthnSession) StoreParameter(key string, value any)
func (*AuthnSession) UpdateParams ¶
func (s *AuthnSession) UpdateParams(params AuthorizationParameters)
UpdateParams updates the session with the parameters from an authorization request. The parameters already present in the session have priority.
type AuthnSessionManager ¶
// AuthnSessionManager is the storage abstraction for authentication sessions.
// Sessions are looked up by callback ID, authorization code or request URI,
// so implementations must index on each of those values.
type AuthnSessionManager interface {
	CreateOrUpdate(ctx context.Context, session *AuthnSession) error
	GetByCallbackID(ctx context.Context, callbackID string) (*AuthnSession, error)
	GetByAuthorizationCode(ctx context.Context, authorizationCode string) (*AuthnSession, error)
	GetByRequestURI(ctx context.Context, requestURI string) (*AuthnSession, error)
	Delete(ctx context.Context, id string) error
}
type AuthnStatus ¶
// AuthnStatus is the outcome reported by an AuthnFunc.
type AuthnStatus string

const (
	// StatusSuccess means the user was authenticated and the flow may continue.
	StatusSuccess AuthnStatus = "success"
	// StatusInProgress means more user interaction is required.
	StatusInProgress AuthnStatus = "in_progress"
	// StatusFailure means authentication failed.
	StatusFailure AuthnStatus = "failure"
)
type AuthorizationDetail ¶
AuthorizationDetail is a map rather than a struct because its fields vary a lot depending on the use case. Some fields are well known, so they are accessible as methods.
func (AuthorizationDetail) Actions ¶
func (detail AuthorizationDetail) Actions() []string
func (AuthorizationDetail) DataTypes ¶
func (detail AuthorizationDetail) DataTypes() []string
func (AuthorizationDetail) Identifier ¶
func (detail AuthorizationDetail) Identifier() string
func (AuthorizationDetail) Locations ¶
func (detail AuthorizationDetail) Locations() []string
func (AuthorizationDetail) Type ¶
func (detail AuthorizationDetail) Type() string
type AuthorizationParameters ¶
// AuthorizationParameters holds the parameters of an authorization request.
// Every field is optional on the wire (omitempty), since the same struct is used
// for the parameters carried in the query, in a request object and in a PAR push.
type AuthorizationParameters struct {
	RequestURI    string `json:"request_uri,omitempty" bson:"request_uri,omitempty"`
	RequestObject string `json:"request,omitempty" bson:"request,omitempty"`
	RedirectURI   string `json:"redirect_uri,omitempty" bson:"redirect_uri,omitempty"`
	ResponseMode  ResponseMode `json:"response_mode,omitempty" bson:"response_mode,omitempty"`
	ResponseType  ResponseType `json:"response_type,omitempty" bson:"response_type,omitempty"`
	Scopes        string `json:"scope,omitempty" bson:"scope,omitempty"`
	State         string `json:"state,omitempty" bson:"state,omitempty"`
	Nonce         string `json:"nonce,omitempty" bson:"nonce,omitempty"`
	// PKCE parameters.
	CodeChallenge       string              `json:"code_challenge,omitempty" bson:"code_challenge,omitempty"`
	CodeChallengeMethod CodeChallengeMethod `json:"code_challenge_method,omitempty" bson:"code_challenge_method,omitempty"`
	Prompt PromptType `json:"prompt,omitempty" bson:"prompt,omitempty"`
	// MaxAuthnAgeSecs is a pointer, presumably so an absent max_age can be told apart from 0.
	MaxAuthnAgeSecs *int `json:"max_age,omitempty" bson:"max_age,omitempty"`
	Display   DisplayValue `json:"display,omitempty" bson:"display,omitempty"`
	ACRValues string       `json:"acr_values,omitempty" bson:"acr_values,omitempty"`
	Claims    *ClaimsObject `json:"claims,omitempty" bson:"claims,omitempty"`
	AuthorizationDetails []AuthorizationDetail `json:"authorization_details,omitempty" bson:"authorization_details,omitempty"`
}
func (AuthorizationParameters) DefaultResponseMode ¶
func (params AuthorizationParameters) DefaultResponseMode() ResponseMode
DefaultResponseMode returns the response mode based on the response type.
func (AuthorizationParameters) Merge ¶
func (insideParams AuthorizationParameters) Merge(outsideParams AuthorizationParameters) AuthorizationParameters
func (AuthorizationParameters) NewRedirectError ¶
func (params AuthorizationParameters) NewRedirectError( errorCode ErrorCode, errorDescription string, ) OAuthRedirectError
type AuthorizeErrorPluginFunc ¶
type AuthorizeErrorPluginFunc func(ctx Context, err OAuthError) error
type ClaimObjectInfo ¶
type ClaimsObject ¶
// ClaimsObject is the "claims" authorization request parameter: the claims the
// client asks for, split by where they should be delivered.
// Neither field has omitempty, so a nil map is encoded as JSON null.
type ClaimsObject struct {
	Userinfo map[string]ClaimObjectInfo `json:"userinfo"`
	IDToken  map[string]ClaimObjectInfo `json:"id_token"`
}
type Client ¶
// Client is a registered OAuth client together with its credentials.
// The credential fields are stored alongside the metadata (see the bson tags),
// so the client store must be treated as holding secrets.
type Client struct {
	ID string `json:"client_id" bson:"_id"`
	// Secret is used when the client authenticates with client_secret_jwt,
	// since the key used to sign the assertion is the same used to verify it.
	// It is therefore kept in the clear, unlike HashedSecret.
	Secret string `json:"client_secret,omitempty" bson:"client_secret,omitempty"`
	// HashedSecret is the hash of the client secret for the client_secret_basic
	// and client_secret_post authentication methods.
	HashedSecret string `json:"hashed_secret,omitempty" bson:"hashed_secret,omitempty"`
	// HashedRegistrationAccessToken is checked by IsRegistrationAccessTokenValid.
	HashedRegistrationAccessToken string `json:"hashed_registration_access_token" bson:"hashed_registration_access_token"`
	// The public registration metadata, flattened into the document.
	ClientMetaInfo `bson:"inline"`
}
func (*Client) AreScopesAllowed ¶
func (*Client) FetchPublicJWKS ¶
FetchPublicJWKS fetches the client public JWKS either directly from the jwks attribute or using jwks_uri. This method also caches the keys if they are fetched from jwks_uri.
func (*Client) IDTokenEncryptionJWK ¶
func (c *Client) IDTokenEncryptionJWK() (jose.JSONWebKey, OAuthError)
func (*Client) IsAuthorizationDetailTypeAllowed ¶
func (*Client) IsGrantTypeAllowed ¶
func (*Client) IsRedirectURIAllowed ¶
func (*Client) IsRegistrationAccessTokenValid ¶
func (*Client) IsResponseTypeAllowed ¶
func (c *Client) IsResponseTypeAllowed(responseType ResponseType) bool
func (*Client) JARMEncryptionJWK ¶
func (c *Client) JARMEncryptionJWK() (jose.JSONWebKey, OAuthError)
func (*Client) PublicKey ¶
func (c *Client) PublicKey(keyID string) (jose.JSONWebKey, OAuthError)
func (*Client) UserInfoEncryptionJWK ¶
func (c *Client) UserInfoEncryptionJWK() (jose.JSONWebKey, OAuthError)
type ClientAssertionType ¶
// ClientAssertionType is the value of the client_assertion_type parameter sent
// with a client authentication assertion.
type ClientAssertionType string

const (
	// AssertionTypeJWTBearer is the only assertion type defined; it is used by
	// both client_secret_jwt and private_key_jwt.
	AssertionTypeJWTBearer ClientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
)
type ClientAuthnType ¶
// ClientAuthnType is the client's token_endpoint_auth_method (see ClientMetaInfo.AuthnMethod).
type ClientAuthnType string

const (
	// ClientAuthnNone is a public client: no credential is presented.
	ClientAuthnNone ClientAuthnType = "none"
	// Shared-secret methods; verified against Client.HashedSecret (basic/post) or Client.Secret (jwt).
	ClientAuthnSecretBasic ClientAuthnType = "client_secret_basic"
	ClientAuthnSecretPost  ClientAuthnType = "client_secret_post"
	ClientAuthnSecretJWT   ClientAuthnType = "client_secret_jwt"
	// Asymmetric methods.
	ClientAuthnPrivateKeyJWT ClientAuthnType = "private_key_jwt"
	ClientAuthnTLS           ClientAuthnType = "tls_client_auth"
	ClientAuthnSelfSignedTLS ClientAuthnType = "self_signed_tls_client_auth"
)
type ClientManager ¶
type ClientMetaInfo ¶
// ClientMetaInfo is the public registration metadata of a client. The json tags
// are the registration parameter names exchanged during DCR/DCM.
type ClientMetaInfo struct {
	Name          string         `json:"client_name,omitempty" bson:"client_name,omitempty"`
	LogoURI       string         `json:"logo_uri,omitempty" bson:"logo_uri,omitempty"`
	RedirectURIS  []string       `json:"redirect_uris" bson:"redirect_uris"`
	GrantTypes    []GrantType    `json:"grant_types" bson:"grant_types"`
	ResponseTypes []ResponseType `json:"response_types" bson:"response_types"`
	// Either PublicJWKSURI or PublicJWKS provides the client's keys; see Client.FetchPublicJWKS.
	PublicJWKSURI string          `json:"jwks_uri,omitempty" bson:"jwks_uri,omitempty"`
	PublicJWKS    json.RawMessage `json:"jwks,omitempty" bson:"jwks,omitempty"`
	Scopes        string          `json:"scope" bson:"scope"`
	SubjectIdentifierType SubjectIdentifierType `json:"subject_type,omitempty" bson:"subject_type,omitempty"`
	// ID token signing and encryption preferences.
	IDTokenSignatureAlgorithm         jose.SignatureAlgorithm `json:"id_token_signed_response_alg,omitempty" bson:"id_token_signed_response_alg,omitempty"`
	IDTokenKeyEncryptionAlgorithm     jose.KeyAlgorithm       `json:"id_token_encrypted_response_alg,omitempty" bson:"id_token_encrypted_response_alg,omitempty"`
	IDTokenContentEncryptionAlgorithm jose.ContentEncryption  `json:"id_token_encrypted_response_enc,omitempty" bson:"id_token_encrypted_response_enc,omitempty"`
	// UserInfo response signing and encryption preferences.
	UserInfoSignatureAlgorithm         jose.SignatureAlgorithm `json:"userinfo_signed_response_alg,omitempty" bson:"userinfo_signed_response_alg,omitempty"`
	UserInfoKeyEncryptionAlgorithm     jose.KeyAlgorithm       `json:"userinfo_encrypted_response_alg,omitempty" bson:"userinfo_encrypted_response_alg,omitempty"`
	UserInfoContentEncryptionAlgorithm jose.ContentEncryption  `json:"userinfo_encrypted_response_enc,omitempty" bson:"userinfo_encrypted_response_enc,omitempty"`
	// JAR (request object) signing and encryption preferences.
	JARSignatureAlgorithm         jose.SignatureAlgorithm `json:"request_object_signing_alg,omitempty" bson:"request_object_signing_alg,omitempty"`
	JARKeyEncryptionAlgorithm     jose.KeyAlgorithm       `json:"request_object_encryption_alg,omitempty" bson:"request_object_encryption_alg,omitempty"`
	JARContentEncryptionAlgorithm jose.ContentEncryption  `json:"request_object_encryption_enc,omitempty" bson:"request_object_encryption_enc,omitempty"`
	// JARM (authorization response) signing and encryption preferences.
	JARMSignatureAlgorithm         jose.SignatureAlgorithm `json:"authorization_signed_response_alg,omitempty" bson:"authorization_signed_response_alg,omitempty"`
	JARMKeyEncryptionAlgorithm     jose.KeyAlgorithm       `json:"authorization_encrypted_response_alg,omitempty" bson:"authorization_encrypted_response_alg,omitempty"`
	JARMContentEncryptionAlgorithm jose.ContentEncryption  `json:"authorization_encrypted_response_enc,omitempty" bson:"authorization_encrypted_response_enc,omitempty"`
	// Token endpoint authentication: the method and, for the JWT-based methods, the expected assertion algorithm.
	AuthnMethod             ClientAuthnType         `json:"token_endpoint_auth_method" bson:"token_endpoint_auth_method"`
	AuthnSignatureAlgorithm jose.SignatureAlgorithm `json:"token_endpoint_auth_signing_alg,omitempty" bson:"token_endpoint_auth_signing_alg,omitempty"`
	// DPoPIsRequired forces sender-constrained (DPoP-bound) access tokens for this client.
	DPoPIsRequired bool `json:"dpop_bound_access_tokens,omitempty" bson:"dpop_bound_access_tokens,omitempty"`
	// Expected certificate subject for tls_client_auth; only one of the three should be set.
	TLSSubjectDistinguishedName string `json:"tls_client_auth_subject_dn,omitempty" bson:"tls_client_auth_subject_dn,omitempty"`
	// TLSSubjectAlternativeName represents a DNS name.
	TLSSubjectAlternativeName string `json:"tls_client_auth_san_dns,omitempty" bson:"tls_client_auth_san_dns,omitempty"`
	// NOTE(review): Go convention would spell this ...NameIP; exported, so left as is.
	TLSSubjectAlternativeNameIp string `json:"tls_client_auth_san_ip,omitempty" bson:"tls_client_auth_san_ip,omitempty"`
	// AuthorizationDetailTypes lists the RAR types the client may request (see Client.IsAuthorizationDetailTypeAllowed).
	// NOTE(review): RFC 9396 names this metadata authorization_details_types; the tag uses the earlier draft name — confirm.
	AuthorizationDetailTypes []string `json:"authorization_data_types,omitempty" bson:"authorization_data_types,omitempty"`
	DefaultMaxAgeSecs *int   `json:"default_max_age,omitempty" bson:"default_max_age,omitempty"`
	DefaultACRValues  string `json:"default_acr_values,omitempty" bson:"default_acr_values,omitempty"`
	// CustomAttributes holds implementation-specific metadata; see SetAttribute.
	CustomAttributes map[string]any `json:"custom_attributes,omitempty" bson:"custom_attributes,omitempty"`
}
func (*ClientMetaInfo) SetAttribute ¶
func (c *ClientMetaInfo) SetAttribute(key string, value any)
type CodeChallengeMethod ¶
// CodeChallengeMethod is the PKCE code_challenge_method parameter.
type CodeChallengeMethod string

const (
	// CodeChallengeMethodSHA256 is the recommended method: the challenge is the
	// base64url-encoded SHA-256 of the verifier.
	CodeChallengeMethodSHA256 CodeChallengeMethod = "S256"
	// CodeChallengeMethodPlain sends the verifier itself as the challenge, which
	// offers no protection if the authorization request is observed. Whether the
	// server accepts it is decided elsewhere in the package.
	CodeChallengeMethodPlain CodeChallengeMethod = "plain"
)
type Context ¶
// Context is the request-scoped view handed to authentication policies and plugins.
type Context interface {
	Request() *http.Request
	Response() http.ResponseWriter
	// AuthnHints provides a list of hints to fulfill the authentication flow successfully.
	// The authentication flow can still finish successfully if the hints are not followed, but it's recommended
	// to evaluate them and modify the session accordingly.
	AuthnHints(*UserInfo, *AuthnSession) ([]AuthnHint, error)
}
func NewTestContext ¶
type DCRPluginFunc ¶
// DCRPluginFunc is executed during DCR and DCM. It can be used to modify the
// client metadata and to perform custom validations before it is stored.
type DCRPluginFunc func(ctx Context, clientInfo *ClientMetaInfo)
DCRPluginFunc is executed during DCR and DCM. It can be used to modify the client and to perform custom validations.
type DisplayValue ¶
type DisplayValue string
const ( DisplayValuePage DisplayValue = "page" DisplayValuePopUp DisplayValue = "popup" DisplayValueTouch DisplayValue = "touch" DisplayValueWAP DisplayValue = "wap" )
type EndpointPath ¶
// EndpointPath is the path under which the server exposes one of its endpoints.
type EndpointPath string

const (
	EndpointWellKnown                  EndpointPath = "/.well-known/openid-configuration"
	EndpointJSONWebKeySet              EndpointPath = "/jwks"
	EndpointPushedAuthorizationRequest EndpointPath = "/par"
	EndpointAuthorization              EndpointPath = "/authorize"
	EndpointToken                      EndpointPath = "/token"
	EndpointUserInfo                   EndpointPath = "/userinfo"
	EndpointDynamicClient              EndpointPath = "/register"
	EndpointTokenIntrospection         EndpointPath = "/introspect"
)
type ErrorCode ¶
// ErrorCode is the "error" member of an OAuth error response.
type ErrorCode string

const (
	ErrorCodeAccessDenied                ErrorCode = "access_denied"
	ErrorCodeInvalidClient               ErrorCode = "invalid_client"
	ErrorCodeInvalidGrant                ErrorCode = "invalid_grant"
	ErrorCodeInvalidRequest              ErrorCode = "invalid_request"
	ErrorCodeInvalidScope                ErrorCode = "invalid_scope"
	ErrorCodeInvalidAuthorizationDetails ErrorCode = "invalid_authorization_details"
	ErrorCodeUnsupportedGrantType        ErrorCode = "unsupported_grant_type"
	// NOTE(review): identifier misspells "Request"; exported, so left as is.
	ErrorCodeInvalidResquestObject ErrorCode = "invalid_request_object"
	ErrorCodeInvalidToken          ErrorCode = "invalid_token"
	// NOTE(review): "internal_error" is not a registered OAuth error code; RFC 6749 uses
	// "server_error" for this case. Keep descriptions generic so internals are not leaked.
	ErrorCodeInternalError ErrorCode = "internal_error"
)
func (ErrorCode) StatusCode ¶
type GrantOptions ¶
// GrantOptions records what was granted and how tokens for it should be issued.
type GrantOptions struct {
	GrantType GrantType `json:"grant_type" bson:"grant_type"`
	Subject   string    `json:"sub" bson:"sub"`
	ClientID  string    `json:"client_id" bson:"client_id"`
	GrantedScopes               string                `json:"granted_scopes" bson:"granted_scopes"`
	GrantedAuthorizationDetails []AuthorizationDetail `json:"granted_authorization_details,omitempty" bson:"granted_authorization_details,omitempty"`
	AdditionalIDTokenClaims  map[string]any `json:"additional_id_token_claims,omitempty" bson:"additional_id_token_claims,omitempty"`
	AdditionalUserInfoClaims map[string]any `json:"additional_user_info_claims,omitempty" bson:"additional_user_info_claims,omitempty"`
	// Token format, lifetime and extra token claims, flattened into the document.
	TokenOptions `bson:"inline"`
}
type GrantSession ¶
// GrantSession is the persisted state of an issued grant: the current token,
// the refresh token and the binding material used to sender-constrain them.
type GrantSession struct {
	ID string `json:"id" bson:"_id"`
	// JWKThumbprint and ClientCertificateThumbprint bind the issued tokens to a DPoP key or
	// client certificate respectively; both are empty for bearer tokens.
	JWKThumbprint               string `json:"jwk_thumbprint,omitempty" bson:"jwk_thumbprint,omitempty"`
	ClientCertificateThumbprint string `json:"certificate_thumbprint,omitempty" bson:"certificate_thumbprint,omitempty"`
	TokenID string `json:"token_id" bson:"token_id"`
	// RefreshToken appears to be stored in the clear (see Client.HashedSecret for the hashed
	// alternative). NOTE(review): a compromised store would yield usable refresh tokens — confirm.
	RefreshToken string `json:"refresh_token,omitempty" bson:"refresh_token,omitempty"`
	// Timestamps consulted by HasLastTokenExpired and IsRefreshSessionExpired.
	LastTokenIssuedAtTimestamp int `json:"last_token_issued_at" bson:"last_token_issued_at"`
	CreatedAtTimestamp         int `json:"created_at" bson:"created_at"`
	ExpiresAtTimestamp         int `json:"expires_at" bson:"expires_at"`
	ActiveScopes string `json:"active_scopes" bson:"active_scopes"`
	GrantOptions `bson:"inline"`
}
func (*GrantSession) HasLastTokenExpired ¶
func (g *GrantSession) HasLastTokenExpired() bool
func (*GrantSession) IsRefreshSessionExpired ¶
func (g *GrantSession) IsRefreshSessionExpired() bool
type GrantSessionManager ¶
// GrantSessionManager is the storage abstraction for grant sessions. Sessions
// are looked up by token ID or refresh token, so both must be indexed.
type GrantSessionManager interface {
	CreateOrUpdate(ctx context.Context, grantSession *GrantSession) error
	GetByTokenID(ctx context.Context, tokenID string) (*GrantSession, error)
	GetByRefreshToken(ctx context.Context, refreshToken string) (*GrantSession, error)
	Delete(ctx context.Context, id string) error
}
type OAuthBaseError ¶
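// OAuthBaseError is the error body returned to clients: the "error" and
// "error_description" members of an OAuth error response.
type OAuthBaseError struct {
	// Inner can be used to wrap errors. It is excluded from the JSON body: an
	// exported field without a tag would be marshaled as "Inner", leaking the
	// wrapped error's structure to the client.
	Inner            error     `json:"-"`
	ErrorCode        ErrorCode `json:"error"`
	ErrorDescription string    `json:"error_description"`
}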
func (OAuthBaseError) Code ¶
func (err OAuthBaseError) Code() ErrorCode
func (OAuthBaseError) Error ¶
func (err OAuthBaseError) Error() string
func (OAuthBaseError) Unwrap ¶
func (e OAuthBaseError) Unwrap() error
type OAuthError ¶
func NewOAuthError ¶
func NewOAuthError(code ErrorCode, description string) OAuthError
func NewWrappingOAuthError ¶
func NewWrappingOAuthError(err error, code ErrorCode, description string) OAuthError
type OAuthRedirectError ¶
// OAuthRedirectError is an error that must be delivered to the client's
// redirect URI rather than in the HTTP response body. The embedded
// AuthorizationParameters presumably supply the redirect_uri, state and
// response mode needed to do so (see AuthorizationParameters.NewRedirectError).
type OAuthRedirectError struct {
	OAuthBaseError
	AuthorizationParameters
}
type PromptType ¶
type PromptType string
const ( PromptTypeNone PromptType = "none" PromptTypeLogin PromptType = "login" PromptTypeConsent PromptType = "consent" PromptTypeSelectAccount PromptType = "select_account" )
type ResponseMode ¶
// ResponseMode is how the authorization response is returned to the client.
type ResponseMode string

const (
	ResponseModeQuery    ResponseMode = "query"
	ResponseModeFragment ResponseMode = "fragment"
	ResponseModeFormPost ResponseMode = "form_post"
	// JARM - JWT Secured Authorization Response Mode.
	// For more information, see https://openid.net/specs/oauth-v2-jarm.html.
	// IsJARM reports true for these four values.
	ResponseModeQueryJWT    ResponseMode = "query.jwt"
	ResponseModeFragmentJWT ResponseMode = "fragment.jwt"
	ResponseModeFormPostJWT ResponseMode = "form_post.jwt"
	ResponseModeJWT         ResponseMode = "jwt"
)
func (ResponseMode) IsJARM ¶
func (rm ResponseMode) IsJARM() bool
func (ResponseMode) IsQuery ¶
func (rm ResponseMode) IsQuery() bool
type ResponseType ¶
// ResponseType is the space-separated response_type parameter of an
// authorization request. Multi-valued combinations are listed in the
// canonical order used by the multiple response types specification.
type ResponseType string

const (
	ResponseTypeCode    ResponseType = "code"
	ResponseTypeIDToken ResponseType = "id_token"
	ResponseTypeToken   ResponseType = "token"
	// Hybrid and implicit combinations; see IsImplicit and Contains.
	ResponseTypeCodeAndIDToken         ResponseType = "code id_token"
	ResponseTypeCodeAndToken           ResponseType = "code token"
	ResponseTypeIDTokenAndToken        ResponseType = "id_token token"
	ResponseTypeCodeAndIDTokenAndToken ResponseType = "code id_token token"
)
func (ResponseType) Contains ¶
func (rt ResponseType) Contains(responseType ResponseType) bool
func (ResponseType) DefaultResponseMode ¶
func (rt ResponseType) DefaultResponseMode(jarm bool) ResponseMode
DefaultResponseMode returns the response mode based on the response type. According to "5. Definitions of Multiple-Valued Response Type Combinations" of https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations.
func (ResponseType) IsImplicit ¶
func (rt ResponseType) IsImplicit() bool
type Scope ¶
// Scope is a scope the server knows about. Static scopes come from NewScope;
// scopes with custom matching logic come from NewDynamicScope.
type Scope struct {
	// ID is the string representation of the scope.
	// Its value will be exported as is.
	ID string
	// Matches validates if a requested scope is valid.
	Matches ScopeMatchingFunc
}
func NewDynamicScope ¶
func NewDynamicScope( scope string, matchingFunc ScopeMatchingFunc, ) Scope
NewDynamicScope creates a scope with custom logic that will be used to validate the scopes requested by the client.
// Example: a scope that accepts any requested value starting with "payment".
dynamicScope := NewDynamicScope(
	"payment",
	func(requestedScope string) bool {
		return strings.HasPrefix(requestedScope, "payment")
	},
)
// This results in true.
dynamicScope.Matches("payment:30")
type ScopeMatchingFunc ¶
type SetUpAuthnFunc ¶
type SetUpAuthnFunc func(Context, *Client, *AuthnSession) bool
SetUpAuthnFunc is responsible for deciding if the corresponding policy will be executed.
type SubjectIdentifierType ¶
// SubjectIdentifierType is the client's subject_type metadata, i.e. how the
// "sub" value is derived for it.
type SubjectIdentifierType string
For more information, see: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
// Only the "public" subject type is defined here; no pairwise identifier type is listed.
const (
	// The server provides the same sub (subject) value to all Clients.
	SubjectIdentifierPublic SubjectIdentifierType = "public"
)
type TestContext ¶
// TestContext is a Context implementation intended for tests; see NewTestContext.
type TestContext struct {
	// OAuthScopes are the scopes the test server is configured with.
	OAuthScopes Scopes
}
func (TestContext) AuthnHints ¶
func (testCtx TestContext) AuthnHints(info *UserInfo, session *AuthnSession) ([]AuthnHint, error)
func (TestContext) Request ¶
func (testCtx TestContext) Request() *http.Request
func (TestContext) Response ¶
func (testCtx TestContext) Response() http.ResponseWriter
type TokenFormat ¶
// TokenFormat selects how access tokens are represented.
type TokenFormat string

const (
	// TokenFormatJWT issues self-contained signed tokens; see NewJWTTokenOptions.
	TokenFormatJWT TokenFormat = "jwt"
	// TokenFormatOpaque issues random strings that must be introspected; see NewOpaqueTokenOptions.
	TokenFormatOpaque TokenFormat = "opaque"
)
type TokenOptions ¶
// TokenOptions controls the format, lifetime and extra claims of issued tokens.
// Build it with NewJWTTokenOptions or NewOpaqueTokenOptions.
type TokenOptions struct {
	TokenFormat       TokenFormat `json:"token_format" bson:"token_format"`
	TokenLifetimeSecs int         `json:"token_lifetime_secs" bson:"token_lifetime_secs"`
	// JWTSignatureKeyID is only meaningful for TokenFormatJWT.
	JWTSignatureKeyID string `json:"token_signature_key_id,omitempty" bson:"token_signature_key_id,omitempty"`
	// OpaqueTokenLength is only meaningful for TokenFormatOpaque. NOTE(review): it should
	// differ from RefreshTokenLength, since refresh tokens are told apart by length.
	OpaqueTokenLength int `json:"opaque_token_length,omitempty" bson:"opaque_token_length,omitempty"`
	// AdditionalTokenClaims are merged into the token; see AddTokenClaims.
	AdditionalTokenClaims map[string]any `json:"additional_token_claims,omitempty" bson:"additional_token_claims,omitempty"`
}
TODO: Allow passing the token ID? Or a prefix?
func NewJWTTokenOptions ¶
func NewJWTTokenOptions( signatureKeyID string, tokenLifetimeSecs int, ) TokenOptions
func NewOpaqueTokenOptions ¶
func NewOpaqueTokenOptions( tokenLength int, tokenLifetimeSecs int, ) TokenOptions
func (*TokenOptions) AddTokenClaims ¶
func (opts *TokenOptions) AddTokenClaims(claims map[string]any)
type TokenOptionsFunc ¶
type TokenOptionsFunc func(client *Client, scopes string) (TokenOptions, error)
type TokenTypeHint ¶
// TokenTypeHint is the token_type_hint parameter of an introspection request.
type TokenTypeHint string

const (
	TokenHintAccess  TokenTypeHint = "access_token"
	TokenHintRefresh TokenTypeHint = "refresh_token"
)
type UserInfo ¶
// UserInfo describes the authenticated user and how they authenticated; it
// feeds the sub, auth_time, acr and amr claims.
type UserInfo struct {
	UserID         string
	AuthnTimestamp int
	AuthnContext   AuthenticationContextReference
	AuthnMethods   []AuthenticationMethodReference
}