Documentation ¶
Overview ¶
oidc implements the authenticator.Token interface using the OpenID Connect protocol.
config := oidc.OIDCOptions{ IssuerURL: "https://accounts.google.com", ClientID: os.Getenv("GOOGLE_CLIENT_ID"), UsernameClaim: "email", } tokenAuthenticator, err := oidc.New(config)
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type OIDCAuthenticator ¶
type OIDCAuthenticator struct {
// contains filtered or unexported fields
}
func New ¶
func New(opts OIDCOptions) (*OIDCAuthenticator, error)
New creates a token authenticator which validates OpenID Connect ID Tokens.
func (*OIDCAuthenticator) AuthenticateToken ¶
AuthenticateToken decodes and verifies an ID Token using the OIDC client, if the verification succeeds, then it will extract the user info from the JWT claims.
func (*OIDCAuthenticator) Close ¶
func (a *OIDCAuthenticator) Close()
Close stops all goroutines used by the authenticator.
type OIDCOptions ¶
type OIDCOptions struct { // IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss" // field of all tokens produced by the provider and is used for configuration // discovery. // // The URL is usually the provider's URL without a path, for example // "https://accounts.google.com" or "https://login.salesforce.com". // // The provider must implement configuration discovery. // See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig IssuerURL string // ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single // client to ensure the plugin can be used with public providers. // // The plugin supports the "authorized party" OpenID Connect claim, which allows // specialized providers to issue tokens to a client for a different client. // See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken ClientID string // Path to a PEM encoded root certificate of the provider. CAFile string // UsernameClaim is the JWT field to use as the user's username. UsernameClaim string // GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's // groups with an ID Token field. If the GrouppClaim field is present in an ID Token the value // must be a string or list of strings. GroupsClaim string }
Click to show internal directories.
Click to hide internal directories.