goidcp

package
Published: Jul 20, 2024 License: MIT Imports: 16 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewInMemoryAuthnSessionManager

func NewInMemoryAuthnSessionManager() goidc.AuthnSessionManager

func NewInMemoryClientManager

func NewInMemoryClientManager() goidc.ClientManager

func NewInMemoryGrantSessionManager

func NewInMemoryGrantSessionManager() goidc.GrantSessionManager

func NewMongoDBAuthnSessionManager

func NewMongoDBAuthnSessionManager(database *mongo.Database) goidc.AuthnSessionManager

func NewMongoDBClientManager

func NewMongoDBClientManager(database *mongo.Database) goidc.ClientManager

func NewMongoDBGrantSessionManager

func NewMongoDBGrantSessionManager(database *mongo.Database) goidc.GrantSessionManager

Types

type Provider

type Provider struct {
	// contains filtered or unexported fields
}

func New

func New(
	host string,
	clientManager goidc.ClientManager,
	authnSessionManager goidc.AuthnSessionManager,
	grantSessionManager goidc.GrantSessionManager,
	privateJWKS jose.JSONWebKeySet,
	defaultTokenKeyID string,
	defaultIDTokenKeyID string,
) *Provider

TODO: Make it smaller.

func (*Provider) AddClient

func (p *Provider) AddClient(client *goidc.Client)

AddClient creates or updates a static client.

func (*Provider) AddPolicy

func (p *Provider) AddPolicy(policy goidc.AuthnPolicy)

AddPolicy adds an authentication policy that will be evaluated at runtime and then executed if selected.

func (*Provider) AddUserInfoSignatureKeyIDs

func (p *Provider) AddUserInfoSignatureKeyIDs(userInfoSignatureKeyIDs ...string)

AddUserInfoSignatureKeyIDs makes additional keys available for signing the user info endpoint response and ID tokens. Provide at most one key ID per algorithm; in other words, two key IDs must not point to keys that share the same algorithm. This is because clients select signing keys by algorithm, e.g. a client chooses the key used to sign its ID tokens through the attribute "id_token_signed_response_alg".

func (*Provider) EnableAuthorizationDetailsParameter

func (p *Provider) EnableAuthorizationDetailsParameter(types ...string)

func (*Provider) EnableBasicSecretClientAuthn

func (p *Provider) EnableBasicSecretClientAuthn()

func (*Provider) EnableClaimsParameter

func (p *Provider) EnableClaimsParameter()

func (*Provider) EnableClientSecretJWTAuthn

func (p *Provider) EnableClientSecretJWTAuthn(
	assertionLifetimeSecs int,
	signatureAlgorithms ...jose.SignatureAlgorithm,
)

func (*Provider) EnableDemonstrationProofOfPossesion

func (p *Provider) EnableDemonstrationProofOfPossesion(
	dpopLifetimeSecs int,
	dpopSigningAlgorithms ...jose.SignatureAlgorithm,
)

func (*Provider) EnableDynamicClientRegistration

func (p *Provider) EnableDynamicClientRegistration(
	dcrPlugin goidc.DCRPluginFunc,
	shouldRotateTokens bool,
)

EnableDynamicClientRegistration allows clients to be registered dynamically. The dcrPlugin is executed during client registration and update, either to perform custom validations (e.g. validate a custom property) or to set default values (e.g. set the default scopes).

func (*Provider) EnableImplicitGrantType

func (p *Provider) EnableImplicitGrantType()

EnableImplicitGrantType allows the implicit grant type and the associated response types.

func (*Provider) EnableIssuerResponseParameter

func (p *Provider) EnableIssuerResponseParameter()

func (*Provider) EnableJWTSecuredAuthorizationRequestEncryption

func (p *Provider) EnableJWTSecuredAuthorizationRequestEncryption(
	keyEncryptionIDs []string,
	contentEncryptionAlgorithms []jose.ContentEncryption,
)

func (*Provider) EnableJWTSecuredAuthorizationRequests

func (p *Provider) EnableJWTSecuredAuthorizationRequests(
	jarLifetimeSecs int,
	jarAlgorithms ...jose.SignatureAlgorithm,
)

func (*Provider) EnableJWTSecuredAuthorizationResponseMode

func (p *Provider) EnableJWTSecuredAuthorizationResponseMode(
	jarmLifetimeSecs int,
	defaultJARMSignatureKeyID string,
	jarmSignatureKeyIDs ...string,
)

EnableJWTSecuredAuthorizationResponseMode makes JARM and its associated response modes available.

func (*Provider) EnableJWTSecuredAuthorizationResponseModeEncryption

func (p *Provider) EnableJWTSecuredAuthorizationResponseModeEncryption(
	keyEncryptionAlgorithms []jose.KeyAlgorithm,
	contentEncryptionAlgorithms []jose.ContentEncryption,
)

func (*Provider) EnableMTLS

func (p *Provider) EnableMTLS(mtlsHost string)

func (*Provider) EnableNoneClientAuthn

func (p *Provider) EnableNoneClientAuthn()

func (*Provider) EnablePrivateKeyJWTClientAuthn

func (p *Provider) EnablePrivateKeyJWTClientAuthn(
	assertionLifetimeSecs int,
	signatureAlgorithms ...jose.SignatureAlgorithm,
)

func (*Provider) EnableProofKeyForCodeExchange

func (p *Provider) EnableProofKeyForCodeExchange(
	codeChallengeMethods ...goidc.CodeChallengeMethod,
)

EnableProofKeyForCodeExchange makes PKCE available to clients.

func (*Provider) EnablePushedAuthorizationRequests

func (p *Provider) EnablePushedAuthorizationRequests(parLifetimeSecs int)

EnablePushedAuthorizationRequests allows authorization flows to start at the /par endpoint.

func (*Provider) EnableRefreshTokenGrantType

func (p *Provider) EnableRefreshTokenGrantType(
	refreshTokenLifetimeSecs int,
	shouldRotateTokens bool,
)

EnableRefreshTokenGrantType makes the refresh token grant available. If shouldRotateTokens is true, a new refresh token is issued each time one is used, and the refresh token presented in that request becomes invalid.

func (*Provider) EnableSecretPostClientAuthn

func (p *Provider) EnableSecretPostClientAuthn()

func (*Provider) EnableSelfSignedTLSClientAuthn

func (p *Provider) EnableSelfSignedTLSClientAuthn()

func (*Provider) EnableTLSBoundTokens

func (p *Provider) EnableTLSBoundTokens()

func (*Provider) EnableTLSClientAuthn

func (p *Provider) EnableTLSClientAuthn()

func (*Provider) EnableTokenIntrospection

func (p *Provider) EnableTokenIntrospection(
	clientAuthnMethods ...goidc.ClientAuthnType,
)

func (*Provider) EnableUserInfoEncryption

func (p *Provider) EnableUserInfoEncryption(
	keyEncryptionAlgorithms []jose.KeyAlgorithm,
	contentEncryptionAlgorithms []jose.ContentEncryption,
)

EnableUserInfoEncryption allows encryption of ID tokens and of the user info endpoint response.

func (*Provider) Handler

func (p *Provider) Handler() http.Handler

func (*Provider) RequireDemonstrationProofOfPossesion

func (p *Provider) RequireDemonstrationProofOfPossesion(
	dpopLifetimeSecs int,
	dpopSigningAlgorithms ...jose.SignatureAlgorithm,
)

func (*Provider) RequireJWTSecuredAuthorizationRequests

func (p *Provider) RequireJWTSecuredAuthorizationRequests(
	jarLifetimeSecs int,
	jarAlgorithms ...jose.SignatureAlgorithm,
)

RequireJWTSecuredAuthorizationRequests makes JAR required.

func (*Provider) RequireOpenIDScope

func (p *Provider) RequireOpenIDScope()

RequireOpenIDScope forces the openid scope in all requests.

func (*Provider) RequireProofKeyForCodeExchange

func (p *Provider) RequireProofKeyForCodeExchange(
	codeChallengeMethods ...goidc.CodeChallengeMethod,
)

RequireProofKeyForCodeExchange makes PKCE required.

func (*Provider) RequirePushedAuthorizationRequests

func (p *Provider) RequirePushedAuthorizationRequests(parLifetimeSecs int)

RequirePushedAuthorizationRequests forces authorization flows to start at the /par endpoint.

func (*Provider) RequireSenderConstrainedTokens

func (p *Provider) RequireSenderConstrainedTokens()

RequireSenderConstrainedTokens requires at least one sender-constraining mechanism (TLS or DPoP) to be in use before an access token is issued to a client.

func (*Provider) Run

func (p *Provider) Run(
	address string,
	middlewares ...api.WrapHandlerFunc,
) error

func (*Provider) RunTLS

func (p *Provider) RunTLS(
	config TLSOptions,
	middlewares ...api.WrapHandlerFunc,
) error

func (*Provider) SetAuthenticationSessionTimeout

func (p *Provider) SetAuthenticationSessionTimeout(timeoutSecs int)

SetAuthenticationSessionTimeout sets the user authentication session lifetime.

func (*Provider) SetAuthorizeErrorPlugin

func (p *Provider) SetAuthorizeErrorPlugin(plugin goidc.AuthorizeErrorPluginFunc)

SetAuthorizeErrorPlugin defines a handler to be executed when an authorization request results in an error that cannot be redirected back to the client. It can be used to display an error page. By default, a JSON document with the error information is displayed to the user.

func (*Provider) SetClaimTypesSupported

func (p *Provider) SetClaimTypesSupported(types ...goidc.ClaimType)

func (*Provider) SetDisplayValuesSupported

func (p *Provider) SetDisplayValuesSupported(values ...goidc.DisplayValue)

func (*Provider) SetIDTokenLifetime

func (p *Provider) SetIDTokenLifetime(idTokenLifetimeSecs int)

func (*Provider) SetProfileFAPI2

func (p *Provider) SetProfileFAPI2()

SetProfileFAPI2 defines the OpenID Provider profile as FAPI 2.0. The server will only run if its configuration respects the FAPI 2.0 profile. Some of the server's runtime behavior also changes in order to comply with FAPI 2.0.

func (*Provider) SetScopes

func (p *Provider) SetScopes(scopes ...goidc.Scope)

func (*Provider) SetSupportedAuthenticationContextReferences

func (p *Provider) SetSupportedAuthenticationContextReferences(
	acrValues ...goidc.AuthenticationContextReference,
)

func (*Provider) SetSupportedUserClaims

func (p *Provider) SetSupportedUserClaims(claims ...string)

func (*Provider) SetTokenOptions

func (p *Provider) SetTokenOptions(getTokenOpts goidc.TokenOptionsFunc)

SetTokenOptions defines how access tokens are issued.

type TLSOptions

// TLSOptions carries the listener and certificate settings consumed by
// (*Provider).RunTLS. Field meanings below are inferred from the names and
// types alone; confirm each against RunTLS before relying on it.
type TLSOptions struct {
	// TLSAddress is presumably the listen address of the TLS endpoint — confirm in RunTLS.
	TLSAddress                     string
	// ServerCertificate and ServerKey are string-typed; whether they hold
	// file paths or PEM contents is not visible here — confirm in RunTLS.
	ServerCertificate              string
	ServerKey                      string
	// CipherSuites uses the uint16 identifiers of crypto/tls (e.g. tls.TLS_AES_128_GCM_SHA256).
	// NOTE(review): an empty slice most likely falls back to the Go defaults — confirm.
	CipherSuites                   []uint16
	// MTLSAddress is presumably the separate listen address for the mutual-TLS
	// endpoint enabled via EnableMTLS — confirm in RunTLS.
	MTLSAddress                    string
	// CaCertificatePool is the trust store that client certificates are
	// presumably verified against on the mTLS listener — confirm in RunTLS.
	CaCertificatePool              *x509.CertPool
	// UnsecureCertificatesAreAllowed, by its name, appears to accept client
	// certificates that fail verification against CaCertificatePool; if so,
	// setting it true weakens tls_client_auth / self_signed_tls_client_auth
	// and TLS-bound tokens — confirm in RunTLS before enabling outside tests.
	UnsecureCertificatesAreAllowed bool
}
