oidc

package
Published: Dec 16, 2024 License: MIT Imports: 11 Imported by: 0


Overview

Package oidc complements the goidc package: it contains the private structs and functions that are not meant to be accessible to users of goidc.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Handler

func Handler(
	config *Configuration,
	exec func(ctx Context),
) http.HandlerFunc

Types

type Configuration

// Configuration holds the settings of the authorization server: the client and
// session managers, the key-related callbacks, the enabled OAuth/OIDC features
// with their accepted algorithms and lifetimes, and the endpoint values.
// Fields suffixed with Secs are expressed in seconds.
type Configuration struct {
	// Storage backends for clients, authentication sessions and grant sessions.
	ClientManager       goidc.ClientManager
	AuthnSessionManager goidc.AuthnSessionManager
	GrantSessionManager goidc.GrantSessionManager

	Profile goidc.Profile
	// Host is the domain where the server runs. This value will be used as the
	// authorization server issuer.
	Host string

	// JWKSFunc retrieves the server's JWKS.
	// The returned JWKS must include private keys if SignFunc or DecryptFunc
	// (when server-side encryption is enabled) are not provided.
	// When exposing it at the jwks endpoint, any private information is removed.
	JWKSFunc      goidc.JWKSFunc
	SignerFunc    goidc.SignerFunc
	DecrypterFunc goidc.DecrypterFunc

	HandleGrantFunc         goidc.HandleGrantFunc
	TokenOptionsFunc        goidc.TokenOptionsFunc
	Policies                []goidc.AuthnPolicy
	Scopes                  []goidc.Scope
	OpenIDIsRequired        bool
	GrantTypes              []goidc.GrantType
	ResponseTypes           []goidc.ResponseType
	ResponseModes           []goidc.ResponseMode
	AuthnSessionTimeoutSecs int
	ACRs                    []goidc.ACR
	DisplayValues           []goidc.DisplayValue
	// Claims defines the user claims that can be returned in the userinfo
	// endpoint or in ID tokens.
	// This will be published in the /.well-known/openid-configuration endpoint.
	Claims                    []string
	ClaimTypes                []goidc.ClaimType
	DefaultSubIdentifierType  goidc.SubIdentifierType
	SubIdentifierTypes        []goidc.SubIdentifierType
	GeneratePairwiseSubIDFunc goidc.GeneratePairwiseSubIDFunc
	StaticClients             []*goidc.Client
	// IssuerRespParamIsEnabled indicates if the "iss" parameter will be
	// returned when redirecting the user back to the client application.
	IssuerRespParamIsEnabled bool
	// ClaimsParamIsEnabled informs the clients whether the server accepts
	// the "claims" parameter.
	// This will be published in the /.well-known/openid-configuration endpoint.
	ClaimsParamIsEnabled bool
	// TokenBindingIsRequired indicates that at least one mechanism of sender
	// constraining tokens is required, either DPoP or client TLS.
	TokenBindingIsRequired bool
	RenderErrorFunc        goidc.RenderErrorFunc
	NotifyErrorFunc        goidc.NotifyErrorFunc

	// Endpoints exposed by the server. EndpointPrefix is presumably prepended
	// to the others — confirm against the handler.
	EndpointWellKnown           string
	EndpointJWKS                string
	EndpointToken               string
	EndpointAuthorize           string
	EndpointPushedAuthorization string
	EndpointCIBA                string
	EndpointDCR                 string
	EndpointUserInfo            string
	EndpointIntrospection       string
	EndpointTokenRevocation     string
	EndpointPrefix              string

	// Signing and (optional) encryption settings for userinfo responses.
	UserInfoDefaultSigAlg        goidc.SignatureAlgorithm
	UserInfoSigAlgs              []goidc.SignatureAlgorithm
	UserInfoEncIsEnabled         bool
	UserInfoKeyEncAlgs           []goidc.KeyEncryptionAlgorithm
	UserInfoDefaultContentEncAlg goidc.ContentEncryptionAlgorithm
	UserInfoContentEncAlgs       []goidc.ContentEncryptionAlgorithm

	// Signing and (optional) encryption settings for ID tokens.
	IDTokenDefaultSigAlg        goidc.SignatureAlgorithm
	IDTokenSigAlgs              []goidc.SignatureAlgorithm
	IDTokenEncIsEnabled         bool
	IDTokenKeyEncAlgs           []goidc.KeyEncryptionAlgorithm
	IDTokenDefaultContentEncAlg goidc.ContentEncryptionAlgorithm
	IDTokenContentEncAlgs       []goidc.ContentEncryptionAlgorithm
	// IDTokenLifetimeSecs defines the expiry time of ID tokens.
	IDTokenLifetimeSecs int

	// TokenAuthnMethods lists the client authentication methods accepted at
	// the token endpoint.
	TokenAuthnMethods []goidc.ClientAuthnType

	// PrivateKeyJWTSigAlgs contains algorithms accepted for signing
	// client assertions during private_key_jwt.
	PrivateKeyJWTSigAlgs []goidc.SignatureAlgorithm
	// ClientSecretJWTSigAlgs contains algorithms accepted for
	// signing client assertions during client_secret_jwt.
	ClientSecretJWTSigAlgs []goidc.SignatureAlgorithm

	JWTLifetimeSecs   int
	JWTLeewayTimeSecs int

	// Dynamic client registration (DCR).
	DCRIsEnabled                   bool
	DCRTokenRotationIsEnabled      bool
	HandleDynamicClientFunc        goidc.HandleDynamicClientFunc
	ValidateInitialAccessTokenFunc goidc.ValidateInitialAccessTokenFunc

	// Token introspection: whether it is enabled, how clients authenticate to
	// it, and which clients may call it.
	TokenIntrospectionIsEnabled           bool
	TokenIntrospectionAuthnMethods        []goidc.ClientAuthnType
	IsClientAllowedTokenIntrospectionFunc goidc.IsClientAllowedFunc

	// Token revocation: same shape as the introspection settings above.
	TokenRevocationIsEnabled           bool
	TokenRevocationAuthnMethods        []goidc.ClientAuthnType
	IsClientAllowedTokenRevocationFunc goidc.IsClientAllowedFunc

	ShouldIssueRefreshTokenFunc   goidc.ShouldIssueRefreshTokenFunc
	RefreshTokenRotationIsEnabled bool
	RefreshTokenLifetimeSecs      int

	// JWT-secured authorization response mode (JARM).
	JARMIsEnabled     bool
	JARMDefaultSigAlg goidc.SignatureAlgorithm
	JARMSigAlgs       []goidc.SignatureAlgorithm
	// JARMLifetimeSecs defines how long response objects are valid for.
	JARMLifetimeSecs         int
	JARMEncIsEnabled         bool
	JARMKeyEncAlgs           []goidc.KeyEncryptionAlgorithm
	JARMDefaultContentEncAlg goidc.ContentEncryptionAlgorithm
	JARMContentEncAlgs       []goidc.ContentEncryptionAlgorithm

	// JWT-secured authorization requests (JAR / request objects).
	JARIsEnabled  bool
	JARIsRequired bool
	JARSigAlgs    []goidc.SignatureAlgorithm
	// JARByReferenceIsEnabled determines whether Request Objects can be provided
	// by reference using the "request_uri" parameter. When enabled, the authorization
	// server retrieves the request object from the specified URI.
	// NOTE(review): the URI comes from the client's request, so confirm which
	// restrictions apply to the URIs the server is willing to fetch;
	// JARRequestURIRegistrationIsRequired appears to be the related control.
	JARByReferenceIsEnabled             bool
	JARRequestURIRegistrationIsRequired bool
	JAREncIsEnabled                     bool
	JARKeyEncAlgs                       []goidc.KeyEncryptionAlgorithm
	JARContentEncAlgs                   []goidc.ContentEncryptionAlgorithm

	// PARIsEnabled allows client to push authorization requests.
	PARIsEnabled bool
	// PARIsRequired indicates that authorization requests can only be made if
	// they were pushed.
	PARIsRequired   bool
	PARLifetimeSecs int
	// PARAllowUnregisteredRedirectURI indicates whether the redirect URIs
	// informed during PAR must be previously registered or not.
	// NOTE(review): when true, a redirect URI not on the client's registration
	// is accepted at PAR time — confirm how it is validated before use.
	PARAllowUnregisteredRedirectURI bool

	// Client-initiated backchannel authentication (CIBA).
	CIBAIsEnabled                  bool
	CIBATokenDeliveryModels        []goidc.CIBATokenDeliveryMode
	InitBackAuthFunc               goidc.InitBackAuthFunc
	ValidateBackAuthFunc           goidc.ValidateBackAuthFunc
	CIBAUserCodeIsEnabled          bool
	CIBADefaultSessionLifetimeSecs int
	CIBAPollingIntervalSecs        int

	CIBAJARIsEnabled  bool
	CIBAJARIsRequired bool
	CIBAJARSigAlgs    []goidc.SignatureAlgorithm

	// Mutual TLS. MTLSHost is presumably the host used for the mTLS endpoints
	// (see Context.MTLSBaseURL) — confirm.
	MTLSIsEnabled              bool
	MTLSHost                   string
	MTLSTokenBindingIsEnabled  bool
	MTLSTokenBindingIsRequired bool
	ClientCertFunc             goidc.ClientCertFunc

	// DPoP sender-constrained tokens.
	DPoPIsEnabled  bool
	DPoPIsRequired bool
	DPoPSigAlgs    []goidc.SignatureAlgorithm

	// PKCE.
	PKCEIsEnabled              bool
	PKCEIsRequired             bool
	PKCEDefaultChallengeMethod goidc.CodeChallengeMethod
	PKCEChallengeMethods       []goidc.CodeChallengeMethod

	// Rich authorization requests (authorization details).
	AuthDetailsIsEnabled   bool
	AuthDetailTypes        []string
	CompareAuthDetailsFunc goidc.CompareAuthDetailsFunc

	// Resource indicators.
	ResourceIndicatorsIsEnabled bool
	// ResourceIndicatorsIsRequired indicates that the resource parameter is
	// required during authorization requests.
	ResourceIndicatorsIsRequired bool
	Resources                    []string

	HTTPClientFunc goidc.HTTPClientFunc
	CheckJTIFunc   goidc.CheckJTIFunc

	// JWT bearer grant.
	JWTBearerGrantClientAuthnIsRequired bool
	HandleJWTBearerGrantAssertionFunc   goidc.HandleJWTBearerGrantAssertionFunc

	ErrorURI string
}

type Context

// Context bundles the http.ResponseWriter and *http.Request of the request
// being served with the server Configuration. The Configuration is embedded,
// so its fields are reachable directly from the Context.
type Context struct {
	Response http.ResponseWriter
	Request  *http.Request

	*Configuration
	// contains filtered or unexported fields
}

func FromContext added in v0.5.0

func FromContext(ctx context.Context, config *Configuration) Context

TODO: Rename this.

func NewContext

func NewContext(
	w http.ResponseWriter,
	r *http.Request,
	config *Configuration,
) Context

func (Context) AssertionAudiences added in v0.3.0

func (ctx Context) AssertionAudiences() []string

AssertionAudiences returns the host names trusted by the server to validate assertions.

func (Context) AuthnSessionByAuthCode added in v0.5.0

func (ctx Context) AuthnSessionByAuthCode(code string) (*goidc.AuthnSession, error)

func (Context) AuthnSessionByAuthReqID added in v0.5.0

func (ctx Context) AuthnSessionByAuthReqID(id string) (*goidc.AuthnSession, error)

func (Context) AuthnSessionByCallbackID

func (ctx Context) AuthnSessionByCallbackID(id string) (*goidc.AuthnSession, error)

func (Context) AuthnSessionByRequestURI

func (ctx Context) AuthnSessionByRequestURI(uri string) (*goidc.AuthnSession, error)

func (Context) AuthorizationToken

func (ctx Context) AuthorizationToken() (
	token string,
	tokenType goidc.TokenType,
	ok bool,
)

func (Context) AvailablePolicy

func (ctx Context) AvailablePolicy(
	client *goidc.Client,
	session *goidc.AuthnSession,
) (
	policy goidc.AuthnPolicy,
	ok bool,
)

func (Context) BaseURL

func (ctx Context) BaseURL() string

func (Context) BearerToken

func (ctx Context) BearerToken() (string, bool)

func (Context) CheckJTI added in v0.3.0

func (ctx Context) CheckJTI(jti string) error

func (Context) Client

func (ctx Context) Client(id string) (*goidc.Client, error)

func (Context) ClientAuthnSigAlgs

func (ctx Context) ClientAuthnSigAlgs() []goidc.SignatureAlgorithm

func (Context) ClientCert

func (ctx Context) ClientCert() (*x509.Certificate, error)

func (Context) CompareAuthDetails added in v0.4.0

func (ctx Context) CompareAuthDetails(
	granted []goidc.AuthorizationDetail,
	requested []goidc.AuthorizationDetail,
) error

func (Context) Context added in v0.4.0

func (ctx Context) Context() context.Context

func (Context) Deadline

func (ctx Context) Deadline() (deadline time.Time, ok bool)

func (Context) DeleteAuthnSession

func (ctx Context) DeleteAuthnSession(id string) error

func (Context) DeleteClient

func (ctx Context) DeleteClient(id string) error

func (Context) DeleteGrantSession

func (ctx Context) DeleteGrantSession(id string) error

func (Context) DeleteGrantSessionByAuthorizationCode added in v0.3.0

func (ctx Context) DeleteGrantSessionByAuthorizationCode(code string) error

func (Context) Done

func (ctx Context) Done() <-chan struct{}

func (Context) Err

func (ctx Context) Err() error

func (Context) ExportableSubject added in v0.5.0

func (ctx Context) ExportableSubject(
	sub string,
	client *goidc.Client,
) string

TODO. ExportableSubject returns a subject identifier for the given client based on its subject identifier type. If the subject identifier type is "public", it returns the provided subject. If the subject identifier type is "pairwise", it generates a pairwise identifier using the sector URI or a redirect URI.

func (Context) GrantSessionByRefreshToken

func (ctx Context) GrantSessionByRefreshToken(token string) (*goidc.GrantSession, error)

func (Context) GrantSessionByTokenID

func (ctx Context) GrantSessionByTokenID(id string) (*goidc.GrantSession, error)

func (Context) HTTPClient added in v0.1.1

func (ctx Context) HTTPClient() *http.Client

func (Context) HandleDynamicClient

func (ctx Context) HandleDynamicClient(c *goidc.ClientMetaInfo) error

func (Context) HandleGrant added in v0.0.2

func (ctx Context) HandleGrant(grantInfo *goidc.GrantInfo) error

func (Context) HandleJWTBearerGrantAssertion added in v0.4.0

func (ctx Context) HandleJWTBearerGrantAssertion(assertion string) (goidc.JWTBearerGrantInfo, error)

func (Context) Header

func (ctx Context) Header(name string) (string, bool)

func (Context) IDTokenSigAlgsContainsNone added in v0.6.0

func (ctx Context) IDTokenSigAlgsContainsNone() bool

func (Context) InitBackAuth added in v0.5.0

func (ctx Context) InitBackAuth(session *goidc.AuthnSession) error

func (Context) IsClientAllowedTokenIntrospection added in v0.4.0

func (ctx Context) IsClientAllowedTokenIntrospection(c *goidc.Client) bool

func (Context) IsClientAllowedTokenRevocation added in v0.4.0

func (ctx Context) IsClientAllowedTokenRevocation(c *goidc.Client) bool

func (Context) JWK added in v0.5.0

func (ctx Context) JWK(keyID string) (goidc.JSONWebKey, error)

func (Context) JWKByAlg added in v0.6.0

func (ctx Context) JWKByAlg(
	alg goidc.SignatureAlgorithm,
) (
	goidc.JSONWebKey,
	error,
)

JWKByAlg searches the JWKS for a key that matches the given signature algorithm.

func (Context) JWKS added in v0.5.0

func (ctx Context) JWKS() (goidc.JSONWebKeySet, error)

func (Context) MTLSBaseURL

func (ctx Context) MTLSBaseURL() string

func (Context) NotifyError added in v0.4.0

func (ctx Context) NotifyError(err error)

func (Context) Policy

func (ctx Context) Policy(id string) goidc.AuthnPolicy

func (Context) PublicJWK added in v0.5.0

func (ctx Context) PublicJWK(keyID string) (goidc.JSONWebKey, error)

func (Context) PublicJWKS added in v0.5.0

func (ctx Context) PublicJWKS() (goidc.JSONWebKeySet, error)

func (Context) Redirect

func (ctx Context) Redirect(redirectURL string)

func (Context) RenderError

func (ctx Context) RenderError(err error) error

func (Context) RequestMethod

func (ctx Context) RequestMethod() string

func (Context) SaveAuthnSession

func (ctx Context) SaveAuthnSession(session *goidc.AuthnSession) error

func (Context) SaveClient

func (ctx Context) SaveClient(client *goidc.Client) error

func (Context) SaveGrantSession

func (ctx Context) SaveGrantSession(session *goidc.GrantSession) error

func (Context) ShouldIssueRefreshToken added in v0.1.1

func (ctx Context) ShouldIssueRefreshToken(
	client *goidc.Client,
	grantInfo goidc.GrantInfo,
) bool

func (Context) SigAlgs

func (ctx Context) SigAlgs() ([]goidc.SignatureAlgorithm, error)

func (Context) TokenAuthnSigAlgs added in v0.4.0

func (ctx Context) TokenAuthnSigAlgs() []goidc.SignatureAlgorithm

func (Context) TokenIntrospectionAuthnSigAlgs added in v0.4.0

func (ctx Context) TokenIntrospectionAuthnSigAlgs() []goidc.SignatureAlgorithm

func (Context) TokenOptions

func (ctx Context) TokenOptions(
	grantInfo goidc.GrantInfo,
	client *goidc.Client,
) goidc.TokenOptions

func (Context) TokenRevocationAuthnSigAlgs added in v0.4.0

func (ctx Context) TokenRevocationAuthnSigAlgs() []goidc.SignatureAlgorithm

func (Context) UserInfoSigAlgsContainsNone added in v0.4.0

func (ctx Context) UserInfoSigAlgsContainsNone() bool

func (Context) ValidateBackAuth added in v0.5.0

func (ctx Context) ValidateBackAuth(session *goidc.AuthnSession) error

func (Context) ValidateInitalAccessToken added in v0.4.0

func (ctx Context) ValidateInitalAccessToken(token string) error

func (Context) Value

func (ctx Context) Value(key any) any

func (Context) Write

func (ctx Context) Write(obj any, status int) error

Write responds to the current request by writing obj as JSON with the given status.

func (Context) WriteError

func (ctx Context) WriteError(err error)

func (Context) WriteHTML added in v0.6.0

func (ctx Context) WriteHTML(
	html string,
	params any,
) error

func (Context) WriteJWT

func (ctx Context) WriteJWT(token string, status int) error

func (Context) WriteStatus added in v0.3.0

func (ctx Context) WriteStatus(status int)
