utils

package
v0.0.0-...-e0d3fc9 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 20, 2024 License: MIT Imports: 32 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	TestHost                          string = "https://example.com"
	TestKeyID                         string = "test_rsa256_key"
	TestClientID                      string = "test_client_id"
	TestClientSecret                  string = "test_client_secret"
	TestClientRedirectURI             string = "https://example.com/callback"
	TestClientRegistrationAccessToken string = "random_registration_access_token"
)

Variables

View Source 
var (
	TestScope1           = goidc.NewScope("scope1")
	TestScope2           = goidc.NewScope("scope2")
	TestServerPrivateJWK = PrivateRS256JWK(nil, TestKeyID)
)

Functions

func All 

func All[T interface{}](slice []T, condition func(T) bool) bool

Return true if all the elements in the slice respect the condition.

func AllEquals 

func AllEquals[T comparable](values []T) bool

Return true only if all the elements in values are equal.

func AuthnSessions 

func AuthnSessions(_ *testing.T, ctx *Context) []*goidc.AuthnSession

func ClientID 

func ClientID() (string, error)

func ClientSecret 

func ClientSecret() (string, error)

func Clients 

func Clients(_ *testing.T, ctx *Context) []*goidc.Client

func ComparePublicKeys 

func ComparePublicKeys(k1 any, k2 any) bool

func EncryptJWT 

func EncryptJWT(
	_ *Context,
	jwtString string,
	encryptionJWK jose.JSONWebKey,
	contentKeyEncryptionAlgorithm jose.ContentEncryption,
) (
	string,
	goidc.OAuthError,
)

func GetAuthenticatedClient 

func GetAuthenticatedClient(
	ctx *Context,
	req ClientAuthnRequest,
) (
	*goidc.Client,
	goidc.OAuthError,
)

func GrantSessions 

func GrantSessions(_ *testing.T, ctx *Context) []*goidc.GrantSession

func HalfHashIDTokenClaim 

func HalfHashIDTokenClaim(claimValue string, idTokenAlgorithm jose.SignatureAlgorithm) string

func HashBase64URLSHA256 

func HashBase64URLSHA256(s string) string

func HashSHA1 

func HashSHA1(s []byte) string

func HashSHA256 

func HashSHA256(s []byte) string

func IsJWE 

func IsJWE(token string) bool

func IsJWS 

func IsJWS(token string) bool

func IsPkceValid 

func IsPkceValid(codeVerifier string, codeChallenge string, codeChallengeMethod goidc.CodeChallengeMethod) bool

func JWKThumbprint 

func JWKThumbprint(dpopJWT string, dpopSigningAlgorithms []jose.SignatureAlgorithm) string

JWKThumbprint generates a JWK thumbprint for a valid DPoP JWT.

func MakeIDToken 

func MakeIDToken(
	ctx *Context,
	client *goidc.Client,
	idTokenOpts IDTokenOptions,
) (
	string,
	goidc.OAuthError,
)

func NewAuthnSession 

func NewAuthnSession(authParams goidc.AuthorizationParameters, client *goidc.Client) *goidc.AuthnSession

func NewGrantSession 

func NewGrantSession(grantOptions goidc.GrantOptions, token Token) *goidc.GrantSession

func NewTestClient 

func NewTestClient(_ *testing.T) *goidc.Client

func PrivatePS256JWK 

func PrivatePS256JWK(t *testing.T, keyID string) jose.JSONWebKey

func PrivatePS256JWKWithUsage 

func PrivatePS256JWKWithUsage(
	_ *testing.T,
	keyID string,
	usage goidc.KeyUsage,
) jose.JSONWebKey

func PrivateRS256JWK 

func PrivateRS256JWK(t *testing.T, keyID string) jose.JSONWebKey

func PrivateRS256JWKWithUsage 

func PrivateRS256JWKWithUsage(
	_ *testing.T,
	keyID string,
	usage goidc.KeyUsage,
) jose.JSONWebKey

func ProtectedParamsFromForm 

func ProtectedParamsFromForm(ctx *Context) map[string]any

func ProtectedParamsFromRequestObject 

func ProtectedParamsFromRequestObject(ctx *Context, request string) map[string]any

func RawJWKS 

func RawJWKS(jwk jose.JSONWebKey) []byte

func RefreshToken 

func RefreshToken() (string, error)

func RegistrationAccessToken 

func RegistrationAccessToken() (string, error)

func RunValidations 

func RunValidations(
	ctx *Context,
	params goidc.AuthorizationParameters,
	client *goidc.Client,
	validators ...func(
		ctx *Context,
		params goidc.AuthorizationParameters,
		client *goidc.Client,
	) goidc.OAuthError,
) goidc.OAuthError

func SafeClaims 

func SafeClaims(t *testing.T, jws string, privateJWK jose.JSONWebKey) map[string]any

func ScopesContainsOfflineAccess 

func ScopesContainsOfflineAccess(scopes string) bool

func ScopesContainsOpenID 

func ScopesContainsOpenID(scopes string) bool

func TokenID 

func TokenID(ctx *Context, token string) (string, goidc.OAuthError)

TokenID returns the ID of a token. If it's a JWT, the ID is the the "jti" claim. Otherwise, the token is considered opaque and its ID is the token itself.

func URLWithFragmentParams 

func URLWithFragmentParams(redirectURI string, params map[string]string) string

func URLWithQueryParams 

func URLWithQueryParams(redirectURI string, params map[string]string) string

func URLWithoutParams 

func URLWithoutParams(u string) (string, error)

func UnsafeClaims 

func UnsafeClaims(t *testing.T, jws string, algorithms []jose.SignatureAlgorithm) map[string]any

func ValidClaims 

func ValidClaims(
	ctx *Context,
	token string,
) (
	map[string]any,
	goidc.OAuthError,
)

ValidClaims verifies a token and returns its claims.

func ValidateDPoPJWT 

func ValidateDPoPJWT(
	ctx *Context,
	dpopJWT string,
	expectedDPoPClaims DPoPJWTValidationOptions,
) goidc.OAuthError

Types

type AuthorizationRequest 

type AuthorizationRequest struct {
	ClientID string `json:"client_id"`
	goidc.AuthorizationParameters
}

func JARFromRequestObject 

func JARFromRequestObject(
	ctx *Context,
	reqObject string,
	client *goidc.Client,
) (
	AuthorizationRequest,
	goidc.OAuthError,
)

func NewAuthorizationRequest 

func NewAuthorizationRequest(req *http.Request) AuthorizationRequest

type AuthorizationResponse 

type AuthorizationResponse struct {
	Response          string
	Issuer            string
	AccessToken       string
	TokenType         goidc.TokenType
	IDToken           string
	AuthorizationCode string
	State             string
	Error             goidc.ErrorCode
	ErrorDescription  string
}

func (AuthorizationResponse) Parameters 

func (rp AuthorizationResponse) Parameters() map[string]string

type ClientAuthnRequest 

type ClientAuthnRequest struct {
	// The client ID sent via form is not specific to authentication. It is also a param for /authorize.
	ClientID            string
	ClientSecret        string
	ClientAssertionType goidc.ClientAssertionType
	ClientAssertion     string
}

func NewClientAuthnRequest 

func NewClientAuthnRequest(req *http.Request) ClientAuthnRequest

type Configuration 

type Configuration struct {
	Profile goidc.Profile
	// Host is the domain where the server runs. This value will be used the auth server issuer.
	Host                string
	MTLSIsEnabled       bool
	MTLSHost            string
	Scopes              goidc.Scopes
	ClientManager       goidc.ClientManager
	GrantSessionManager goidc.GrantSessionManager
	AuthnSessionManager goidc.AuthnSessionManager
	// PrivateJWKS contains the server JWKS with private and public information.
	// When exposing it, the private information is removed.
	PrivateJWKS jose.JSONWebKeySet
	// DefaultTokenSignatureKeyID is the default key used to sign access tokens. The key can be overridden with the TokenOptions.
	DefaultTokenSignatureKeyID      string
	GrantTypes                      []goidc.GrantType
	ResponseTypes                   []goidc.ResponseType
	ResponseModes                   []goidc.ResponseMode
	ClientAuthnMethods              []goidc.ClientAuthnType
	IntrospectionIsEnabled          bool
	IntrospectionClientAuthnMethods []goidc.ClientAuthnType
	// PrivateKeyJWTSignatureAlgorithms contains algorithms accepted for signing client assertions during private_key_jwt.
	PrivateKeyJWTSignatureAlgorithms []jose.SignatureAlgorithm
	// PrivateKeyJWTAssertionLifetimeSecs is used to validate that the assertion will expire in the near future during private_key_jwt.
	PrivateKeyJWTAssertionLifetimeSecs int
	// ClientSecretJWTSignatureAlgorithms constains algorithms accepted for signing client assertions during client_secret_jwt.
	ClientSecretJWTSignatureAlgorithms []jose.SignatureAlgorithm
	// It is used to validate that the assertion will expire in the near future during client_secret_jwt.
	ClientSecretJWTAssertionLifetimeSecs int
	OpenIDScopeIsRequired                bool
	// DefaultUserInfoSignatureKeyID defines the default key used to sign ID tokens and the user info endpoint response.
	// The key can be overridden depending on the client properties "id_token_signed_response_alg" and "userinfo_signed_response_alg".
	DefaultUserInfoSignatureKeyID string
	// UserInfoSignatureKeyIDs contains the IDs of the keys used to sign ID tokens and the user info endpoint response. There should be at most one per algorithm.
	// In other words, there shouldn't be two key IDs that point to two keys that have the same algorithm.
	UserInfoSignatureKeyIDs             []string
	UserInfoEncryptionIsEnabled         bool
	UserInfoKeyEncryptionAlgorithms     []jose.KeyAlgorithm
	UserInfoContentEncryptionAlgorithms []jose.ContentEncryption
	// IDTokenExpiresInSecs defines the expiry time of ID tokens.
	IDTokenExpiresInSecs      int
	ShouldRotateRefreshTokens bool
	RefreshTokenLifetimeSecs  int
	// UserClaims defines the user claims that can be returned in the userinfo endpoint or in the ID token.
	// This will be transmitted in the /.well-known/openid-configuration endpoint.
	UserClaims []string
	// ClaimTypes are claim types supported by the server.
	ClaimTypes []goidc.ClaimType
	// IssuerResponseParameterIsEnabled indicates if the "iss" parameter will be returned when redirecting the user back to the client application.
	IssuerResponseParameterIsEnabled bool
	// ClaimsParameterIsEnabled informs the clients whether the server accepts the "claims" parameter.
	// This will be transmitted in the /.well-known/openid-configuration endpoint.
	ClaimsParameterIsEnabled               bool
	AuthorizationDetailsParameterIsEnabled bool
	AuthorizationDetailTypes               []string
	JARMIsEnabled                          bool
	DefaultJARMSignatureKeyID              string
	JARMSignatureKeyIDs                    []string
	JARMLifetimeSecs                       int
	JARMEncryptionIsEnabled                bool
	JARMKeyEncrytionAlgorithms             []jose.KeyAlgorithm
	JARMContentEncryptionAlgorithms        []jose.ContentEncryption
	JARIsEnabled                           bool
	JARIsRequired                          bool
	JARSignatureAlgorithms                 []jose.SignatureAlgorithm
	JARLifetimeSecs                        int
	JAREncryptionIsEnabled                 bool
	JARKeyEncryptionIDs                    []string
	JARContentEncryptionAlgorithms         []jose.ContentEncryption
	// PARIsEnabled allows client to push authorization requests.
	PARIsEnabled bool
	// If PARIsRequired is true, authorization requests can only be made if they were pushed.
	PARIsRequired                    bool
	ParLifetimeSecs                  int
	DPoPIsEnabled                    bool
	DPoPIsRequired                   bool
	DPoPLifetimeSecs                 int
	DPoPSignatureAlgorithms          []jose.SignatureAlgorithm
	PkceIsEnabled                    bool
	PkceIsRequired                   bool
	CodeChallengeMethods             []goidc.CodeChallengeMethod
	SubjectIdentifierTypes           []goidc.SubjectIdentifierType
	Policies                         []goidc.AuthnPolicy
	TokenOptions                     goidc.TokenOptionsFunc
	DCRIsEnabled                     bool
	ShouldRotateRegistrationTokens   bool
	DCRPlugin                        goidc.DCRPluginFunc
	AuthenticationSessionTimeoutSecs int
	TLSBoundTokensIsEnabled          bool
	AuthenticationContextReferences  []goidc.AuthenticationContextReference
	DisplayValues                    []goidc.DisplayValue
	// If SenderConstrainedTokenIsRequired is true, at least one mechanism of sender contraining
	// tokens is required, either DPoP or client TLS.
	SenderConstrainedTokenIsRequired bool
	AuthorizeErrorPlugin             goidc.AuthorizeErrorPluginFunc
}

type Context 

type Context struct {
	Req  *http.Request
	Resp http.ResponseWriter
	Configuration
}

func NewContext 

func NewContext(
	configuration Configuration,
	req *http.Request,
	resp http.ResponseWriter,
) *Context

func NewTestContext 

func NewTestContext(t *testing.T) *Context

func (*Context) Audiences 

func (ctx *Context) Audiences() []string

Audiences returns the host names trusted by the server to validate assertions.

func (*Context) AuthnHints 

func (ctx *Context) AuthnHints(
	userInfo *goidc.UserInfo,
	session *goidc.AuthnSession,
) (
	[]goidc.AuthnHint,
	error,
)

TODO: Implement more hints.

func (*Context) AuthnSessionByAuthorizationCode 

func (ctx *Context) AuthnSessionByAuthorizationCode(authorizationCode string) (*goidc.AuthnSession, error)

func (*Context) AuthnSessionByCallbackID 

func (ctx *Context) AuthnSessionByCallbackID(callbackID string) (*goidc.AuthnSession, error)

func (*Context) AuthnSessionByRequestURI 

func (ctx *Context) AuthnSessionByRequestURI(requestURI string) (*goidc.AuthnSession, error)

func (*Context) AuthorizationToken 

func (ctx *Context) AuthorizationToken() (
	token string,
	tokenType goidc.TokenType,
	ok bool,
)

TODO: Return zero values.

func (*Context) BearerToken 

func (ctx *Context) BearerToken() string

func (*Context) Client 

func (ctx *Context) Client(clientID string) (*goidc.Client, error)

func (*Context) ClientCertificate 

func (ctx *Context) ClientCertificate() (*x509.Certificate, bool)

ClientCertificate tries to get the secure client certificate first, if it's not informed, it fallbacks to the insecure one.

func (*Context) ClientSignatureAlgorithms 

func (ctx *Context) ClientSignatureAlgorithms() []jose.SignatureAlgorithm

func (*Context) CreateOrUpdateAuthnSession 

func (ctx *Context) CreateOrUpdateAuthnSession(session *goidc.AuthnSession) error

func (*Context) CreateOrUpdateClient 

func (ctx *Context) CreateOrUpdateClient(client *goidc.Client) error

func (*Context) CreateOrUpdateGrantSession 

func (ctx *Context) CreateOrUpdateGrantSession(session *goidc.GrantSession) error

func (*Context) DPoPJWT 

func (ctx *Context) DPoPJWT() (string, bool)

DPoPJWT gets the DPoP JWT sent in the DPoP header. According to RFC 9449: "There is not more than one DPoP HTTP request header field." Therefore, an empty string and false will be returned if more than one value is found in the DPoP header.

func (*Context) DeleteAuthnSession 

func (ctx *Context) DeleteAuthnSession(id string) error

func (*Context) DeleteClient 

func (ctx *Context) DeleteClient(id string) error

func (*Context) DeleteGrantSession 

func (ctx *Context) DeleteGrantSession(id string) error

func (*Context) ExecuteAuthorizeErrorPlugin 

func (ctx *Context) ExecuteAuthorizeErrorPlugin(oauthErr goidc.OAuthError) goidc.OAuthError

func (*Context) ExecuteDCRPlugin 

func (ctx *Context) ExecuteDCRPlugin(clientInfo *goidc.ClientMetaInfo)

func (*Context) FindAvailablePolicy 

func (ctx *Context) FindAvailablePolicy(client *goidc.Client, session *goidc.AuthnSession) (
	policy goidc.AuthnPolicy,
	ok bool,
)

func (*Context) FormData 

func (ctx *Context) FormData() map[string]any

func (*Context) FormParam 

func (ctx *Context) FormParam(param string) string

func (*Context) GrantSessionByRefreshToken 

func (ctx *Context) GrantSessionByRefreshToken(refreshToken string) (*goidc.GrantSession, error)

func (*Context) GrantSessionByTokenID 

func (ctx *Context) GrantSessionByTokenID(tokenID string) (*goidc.GrantSession, error)

func (*Context) Header 

func (ctx *Context) Header(name string) (string, bool)

func (*Context) IDTokenSignatureKey 

func (ctx *Context) IDTokenSignatureKey(client *goidc.Client) jose.JSONWebKey

func (*Context) IntrospectionClientSignatureAlgorithms 

func (ctx *Context) IntrospectionClientSignatureAlgorithms() []jose.SignatureAlgorithm

func (*Context) JARKeyEncryptionAlgorithms 

func (ctx *Context) JARKeyEncryptionAlgorithms() []jose.KeyAlgorithm

func (*Context) JARMSignatureAlgorithms 

func (ctx *Context) JARMSignatureAlgorithms() []jose.SignatureAlgorithm

func (*Context) JARMSignatureKey 

func (ctx *Context) JARMSignatureKey(client *goidc.Client) jose.JSONWebKey

func (*Context) Policy 

func (ctx *Context) Policy(policyID string) goidc.AuthnPolicy

func (*Context) PrivateKey 

func (ctx *Context) PrivateKey(keyID string) (jose.JSONWebKey, bool)

func (*Context) PublicKey 

func (ctx *Context) PublicKey(keyID string) (jose.JSONWebKey, bool)

func (*Context) PublicKeys 

func (ctx *Context) PublicKeys() jose.JSONWebKeySet

func (*Context) Redirect 

func (ctx *Context) Redirect(redirectURL string)

func (*Context) RenderHTML 

func (ctx *Context) RenderHTML(
	html string,
	params any,
) error

func (*Context) Request 

func (ctx *Context) Request() *http.Request

func (*Context) RequestMethod 

func (ctx *Context) RequestMethod() string

func (*Context) Response 

func (ctx *Context) Response() http.ResponseWriter

func (*Context) SecureClientCertificate 

func (ctx *Context) SecureClientCertificate() (*x509.Certificate, bool)

func (*Context) SignatureAlgorithms 

func (ctx *Context) SignatureAlgorithms() []jose.SignatureAlgorithm

func (*Context) TokenSignatureKey 

func (ctx *Context) TokenSignatureKey(tokenOptions goidc.TokenOptions) jose.JSONWebKey

func (*Context) UserInfoSignatureAlgorithms 

func (ctx *Context) UserInfoSignatureAlgorithms() []jose.SignatureAlgorithm

func (*Context) UserInfoSignatureKey 

func (ctx *Context) UserInfoSignatureKey(client *goidc.Client) jose.JSONWebKey

func (*Context) Write 

func (ctx *Context) Write(obj any, status int) error

Write responds the current request writing obj as JSON.

func (*Context) WriteJWT 

func (ctx *Context) WriteJWT(token string, status int) error

type DPoPJWTClaims 

type DPoPJWTClaims struct {
	HTTPMethod      string `json:"htm"`
	HTTPURI         string `json:"htu"`
	AccessTokenHash string `json:"ath"`
}

type DPoPJWTValidationOptions 

type DPoPJWTValidationOptions struct {
	// AccessToken should be filled when the DPoP "ath" claim is expected and should be validated.
	AccessToken   string
	JWKThumbprint string
}

type DynamicClientRequest 

type DynamicClientRequest struct {
	ID string
	// This value is filled with the authorization header when creating a client with DCR.
	InitialAccessToken string
	// This value is filled with the authorization header for all DCM requests.
	RegistrationAccessToken string
	Secret                  string
	goidc.ClientMetaInfo
}

type DynamicClientResponse 

type DynamicClientResponse struct {
	ID                      string `json:"client_id"`
	Secret                  string `json:"client_secret,omitempty"`
	RegistrationAccessToken string `json:"registration_access_token,omitempty"`
	RegistrationURI         string `json:"registration_client_uri"`
	goidc.ClientMetaInfo
}

func (DynamicClientResponse) MarshalJSON 

func (resp DynamicClientResponse) MarshalJSON() ([]byte, error)

type IDTokenOptions 

type IDTokenOptions struct {
	Subject                 string
	AdditionalIDTokenClaims map[string]any
	// These values here below are intended to be hashed and placed in the ID token.
	// Then, the ID token can be used as a detached signature for the implicit grant.
	AccessToken       string
	AuthorizationCode string
	State             string
}

func NewIDTokenOptions 

func NewIDTokenOptions(grantOpts goidc.GrantOptions) IDTokenOptions

type OpenIDConfiguration 

type OpenIDConfiguration struct {
	Issuer                                         string                                 `json:"issuer"`
	ClientRegistrationEndpoint                     string                                 `json:"registration_endpoint"`
	AuthorizationEndpoint                          string                                 `json:"authorization_endpoint"`
	TokenEndpoint                                  string                                 `json:"token_endpoint"`
	UserinfoEndpoint                               string                                 `json:"userinfo_endpoint"`
	JWKSEndpoint                                   string                                 `json:"jwks_uri"`
	ParEndpoint                                    string                                 `json:"pushed_authorization_request_endpoint,omitempty"`
	PARIsRequired                                  bool                                   `json:"require_pushed_authorization_requests,omitempty"`
	ResponseTypes                                  []goidc.ResponseType                   `json:"response_types_supported"`
	ResponseModes                                  []goidc.ResponseMode                   `json:"response_modes_supported"`
	GrantTypes                                     []goidc.GrantType                      `json:"grant_types_supported"`
	Scopes                                         []string                               `json:"scopes_supported"`
	UserClaimsSupported                            []string                               `json:"claims_supported"`
	ClaimTypesSupported                            []goidc.ClaimType                      `json:"claim_types_supported,omitempty"`
	SubjectIdentifierTypes                         []goidc.SubjectIdentifierType          `json:"subject_types_supported"`
	IDTokenSignatureAlgorithms                     []jose.SignatureAlgorithm              `json:"id_token_signing_alg_values_supported"`
	IDTokenKeyEncryptionAlgorithms                 []jose.KeyAlgorithm                    `json:"id_token_encryption_alg_values_supported,omitempty"`
	IDTokenContentEncryptionAlgorithms             []jose.ContentEncryption               `json:"id_token_encryption_enc_values_supported,omitempty"`
	UserInfoKeyEncryptionAlgorithms                []jose.KeyAlgorithm                    `json:"userinfo_encryption_alg_values_supported,omitempty"`
	UserInfoContentEncryptionAlgorithms            []jose.ContentEncryption               `json:"userinfo_encryption_enc_values_supported,omitempty"`
	UserInfoSignatureAlgorithms                    []jose.SignatureAlgorithm              `json:"userinfo_signing_alg_values_supported"`
	ClientAuthnMethods                             []goidc.ClientAuthnType                `json:"token_endpoint_auth_methods_supported"`
	JARIsRequired                                  bool                                   `json:"require_signed_request_object,omitempty"`
	JARIsEnabled                                   bool                                   `json:"request_parameter_supported"`
	JARAlgorithms                                  []jose.SignatureAlgorithm              `json:"request_object_signing_alg_values_supported,omitempty"`
	JARKeyEncrytionAlgorithms                      []jose.KeyAlgorithm                    `json:"request_object_encryption_alg_values_supported,omitempty"`
	JARContentEncryptionAlgorithms                 []jose.ContentEncryption               `json:"request_object_encryption_enc_values_supported,omitempty"`
	JARMAlgorithms                                 []jose.SignatureAlgorithm              `json:"authorization_signing_alg_values_supported,omitempty"`
	JARMKeyEncryptionAlgorithms                    []jose.KeyAlgorithm                    `json:"authorization_encryption_alg_values_supported,omitempty"`
	JARMContentEncryptionAlgorithms                []jose.ContentEncryption               `json:"authorization_encryption_enc_values_supported,omitempty"`
	TokenEndpointClientSigningAlgorithms           []jose.SignatureAlgorithm              `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
	IssuerResponseParameterIsEnabled               bool                                   `json:"authorization_response_iss_parameter_supported"`
	ClaimsParameterIsEnabled                       bool                                   `json:"claims_parameter_supported"`
	AuthorizationDetailsIsSupported                bool                                   `json:"authorization_details_supported"`
	AuthorizationDetailTypesSupported              []string                               `json:"authorization_data_types_supported,omitempty"`
	DPoPSignatureAlgorithms                        []jose.SignatureAlgorithm              `json:"dpop_signing_alg_values_supported,omitempty"`
	IntrospectionEndpoint                          string                                 `json:"introspection_endpoint,omitempty"`
	IntrospectionEndpointClientAuthnMethods        []goidc.ClientAuthnType                `json:"introspection_endpoint_auth_methods_supported,omitempty"`
	IntrospectionEndpointClientSignatureAlgorithms []jose.SignatureAlgorithm              `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
	MTLSConfiguration                              *OpenIDMTLSConfiguration               `json:"mtls_endpoint_aliases,omitempty"`
	TLSBoundTokensIsEnabled                        bool                                   `json:"tls_client_certificate_bound_access_tokens,omitempty"`
	AuthenticationContextReferences                []goidc.AuthenticationContextReference `json:"acr_values_supported,omitempty"`
	DisplayValuesSupported                         []goidc.DisplayValue                   `json:"display_values_supported,omitempty"`
}

type OpenIDMTLSConfiguration 

type OpenIDMTLSConfiguration struct {
	TokenEndpoint         string `json:"token_endpoint"`
	ParEndpoint           string `json:"pushed_authorization_request_endpoint,omitempty"`
	UserinfoEndpoint      string `json:"userinfo_endpoint"`
	IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
}

type PushedAuthorizationRequest 

type PushedAuthorizationRequest struct {
	ClientAuthnRequest
	goidc.AuthorizationParameters
}

func NewPushedAuthorizationRequest 

func NewPushedAuthorizationRequest(req *http.Request) PushedAuthorizationRequest

type PushedAuthorizationResponse 

type PushedAuthorizationResponse struct {
	RequestURI string `json:"request_uri"`
	ExpiresIn  int    `json:"expires_in"`
}

type ResultChannel 

type ResultChannel struct {
	Result any
	Err    goidc.OAuthError
}

type Token 

type Token struct {
	ID                    string
	Format                goidc.TokenFormat
	Value                 string
	Type                  goidc.TokenType
	JWKThumbprint         string
	CertificateThumbprint string
}

func MakeToken 

func MakeToken(
	ctx *Context,
	client *goidc.Client,
	grantOptions goidc.GrantOptions,
) (
	Token,
	goidc.OAuthError,
)

type TokenIntrospectionInfo 

type TokenIntrospectionInfo struct {
	IsActive                    bool
	Scopes                      string
	AuthorizationDetails        []goidc.AuthorizationDetail
	ClientID                    string
	Subject                     string
	ExpiresAtTimestamp          int
	JWKThumbprint               string
	ClientCertificateThumbprint string
	AdditionalTokenClaims       map[string]any
}

func (TokenIntrospectionInfo) MarshalJSON 

func (info TokenIntrospectionInfo) MarshalJSON() ([]byte, error)

type TokenIntrospectionRequest 

type TokenIntrospectionRequest struct {
	ClientAuthnRequest
	Token         string
	TokenTypeHint goidc.TokenTypeHint
}

func NewTokenIntrospectionRequest 

func NewTokenIntrospectionRequest(req *http.Request) TokenIntrospectionRequest

type TokenRequest 

type TokenRequest struct {
	ClientAuthnRequest
	GrantType         goidc.GrantType
	Scopes            string
	AuthorizationCode string
	RedirectURI       string
	RefreshToken      string
	CodeVerifier      string
}

func NewTokenRequest 

func NewTokenRequest(req *http.Request) TokenRequest

type TokenResponse 

type TokenResponse struct {
	AccessToken          string                      `json:"access_token"`
	IDToken              string                      `json:"id_token,omitempty"`
	RefreshToken         string                      `json:"refresh_token,omitempty"`
	ExpiresIn            int                         `json:"expires_in"`
	TokenType            goidc.TokenType             `json:"token_type"`
	Scopes               string                      `json:"scope,omitempty"`
	AuthorizationDetails []goidc.AuthorizationDetail `json:"authorization_details,omitempty"`
}

type UserInfoResponse 

type UserInfoResponse struct {
	JWTClaims string
	Claims    map[string]any
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.