openid



Constants

const (
	// Claim names looked up by the IDToken accessors (Acr, Amr, AuthTime,
	// Locale, Sid, Oid). The names follow OpenID Connect Core and common
	// provider extensions; "oid" is provider-specific (commonly an object ID) —
	// verify against the configured provider.
	AcrClaim      = "acr"
	AmrClaim      = "amr"
	AuthTimeClaim = "auth_time"
	LocaleClaim   = "locale"
	SidClaim      = "sid"
	OidClaim      = "oid"

	// AcceptableSkew is the clock-skew tolerance for time-based claims.
	// NOTE(review): presumably applied by IDToken.Validate — confirm there;
	// widening it loosens expiry/issued-at checks.
	AcceptableSkew = 5 * time.Second
)

Variables

This section is empty.

Functions

func StateMismatchError

func StateMismatchError(queryParams url.Values, expectedState string) error

Types

type AuthorizationCodeParams

// AuthorizationCodeParams holds the per-request (variable) inputs to the
// authorization code flow. RequestParams turns them into the parameters sent
// to the authorization server; Cookie persists the subset needed to validate
// the callback (see LoginCookie).
type AuthorizationCodeParams struct {
	// AcrValues is the requested authentication context (acr_values).
	AcrValues string
	// ClientID is the OAuth 2.0 client identifier.
	ClientID string
	// CodeVerifier is the PKCE (RFC 7636) verifier; its challenge is sent in
	// the authorization request and the verifier itself on code exchange.
	CodeVerifier string
	// Nonce binds the resulting ID token to this login attempt.
	Nonce string
	// Prompt is the OIDC prompt parameter (e.g. "login"), if any.
	Prompt string
	// RedirectURI is the callback the authorization server redirects to.
	RedirectURI string
	// Resource is the target resource indicator, if any — presumably RFC 8707;
	// confirm in RequestParams.
	Resource string
	// Scope is the set of scopes to request.
	Scope scopes.Scopes
	// State is the CSRF-protection value echoed back on the callback.
	State string
	// UILocales is the preferred UI locale list (ui_locales), if any.
	UILocales string
}

AuthorizationCodeParams represents the (variable) parameters for the authorization code flow.

func (AuthorizationCodeParams) Cookie

Cookie creates a LoginCookie for storing client-side state as part of the authorization code flow — the state, nonce and PKCE code verifier that Validate later needs to check the callback and ID token against this login attempt.

func (AuthorizationCodeParams) RequestParams

func (a AuthorizationCodeParams) RequestParams() RequestParams

RequestParams converts AuthorizationCodeParams into the actual parameters to be sent to the authorization server as part of the authorization code flow. Use of PKCE (RFC 7636), state and nonce is mandatory: all three are always included.

type IDToken

// IDToken is a parsed OpenID Connect ID token. It embeds the parsed jwt.Token
// and keeps the raw serialized form (see Serialized). A value obtained from
// ParseIDToken is unverified until Validate has succeeded.
type IDToken struct {
	jwt.Token
	// contains filtered or unexported fields
}

func NewIDToken

func NewIDToken(raw string, jwtToken jwt.Token) *IDToken

func ParseIDToken

func ParseIDToken(raw string) (*IDToken, error)

ParseIDToken parses a raw ID token string into an IDToken struct. It performs no validation and does not verify the signature, so the claims of the returned token must not be trusted until Validate has succeeded.

func (*IDToken) Acr

func (in *IDToken) Acr() string

func (*IDToken) Amr

func (in *IDToken) Amr() string

func (*IDToken) AuthTime

func (in *IDToken) AuthTime() time.Time

func (*IDToken) Claim

func (in *IDToken) Claim(claim string) (any, error)

func (*IDToken) Locale

func (in *IDToken) Locale() string

func (*IDToken) Oid

func (in *IDToken) Oid() string

func (*IDToken) Serialized

func (in *IDToken) Serialized() string

func (*IDToken) Sid

func (in *IDToken) Sid() (string, error)

func (*IDToken) StringClaim

func (in *IDToken) StringClaim(claim string) (string, error)

func (*IDToken) StringClaimOrEmpty

func (in *IDToken) StringClaimOrEmpty(claim string) string

func (*IDToken) StringSliceClaim

func (in *IDToken) StringSliceClaim(claim string) ([]string, error)

func (*IDToken) StringSliceClaimOrEmpty

func (in *IDToken) StringSliceClaimOrEmpty(claim string) []string

func (*IDToken) TimeClaim

func (in *IDToken) TimeClaim(claim string) time.Time

func (*IDToken) Validate

func (in *IDToken) Validate(cfg openidconfig.Config, cookie *LoginCookie, jwks *jwk.Set) error

type LoginCookie

// LoginCookie is the client-side state kept across the authorization redirect
// round-trip. It is read back with GetLoginCookie, which takes a
// crypto.Crypter — so the cookie is expected to be stored encrypted; confirm
// in the cookie-writing code. State, Nonce and CodeVerifier are the values
// the callback and ID token are validated against.
type LoginCookie struct {
	// Acr is the acr value requested for this login, if any.
	Acr string `json:"acr"`
	// CodeVerifier is the PKCE verifier to present on code exchange.
	CodeVerifier string `json:"code_verifier"`
	// Nonce is the nonce expected in the ID token.
	Nonce string `json:"nonce"`
	// RedirectURI is the callback URI used in the authorization request.
	RedirectURI string `json:"redirect_uri"`
	// Referer is where the user came from before login — presumably used as
	// the post-login destination; verify the caller restricts it to local URLs.
	Referer string `json:"referer"`
	// State is the value expected in the callback's state parameter.
	State string `json:"state"`
}

func GetLoginCookie

func GetLoginCookie(r *http.Request, crypter crypto.Crypter) (*LoginCookie, error)

type LogoutCookie

// LogoutCookie is the client-side state kept across the logout redirect.
// It is read back with GetLogoutCookie via a crypto.Crypter, so it is
// expected to be stored encrypted — confirm in the cookie-writing code.
type LogoutCookie struct {
	// State is the value expected back from the provider after logout.
	State string `json:"state"`
	// RedirectTo is the destination after logout completes — verify the
	// caller restricts it to trusted/local URLs before redirecting.
	RedirectTo string `json:"redirect_to"`
}

func GetLogoutCookie

func GetLogoutCookie(r *http.Request, crypter crypto.Crypter) (*LogoutCookie, error)

type PushedAuthorizationResponse

// PushedAuthorizationResponse is the authorization server's response to a
// Pushed Authorization Request (RFC 9126, section 2.2).
type PushedAuthorizationResponse struct {
	// RequestUri is the opaque reference to pass as request_uri to the
	// authorization endpoint (see ParAuthorizationRequestParams).
	RequestUri string `json:"request_uri"`
	// ExpiresIn is the lifetime of RequestUri in seconds.
	ExpiresIn int64 `json:"expires_in"`
}

PushedAuthorizationResponse is the struct representing the HTTP response from authorization servers as defined in RFC 9126, section 2.2.

type RequestParams

// RequestParams is a set of form parameters sent to the authorization server
// (key = parameter name). See With, URLValues and AuthCodeOptions.
type RequestParams map[string]string

func ClientAuthJwtBearerParams

func ClientAuthJwtBearerParams(clientAssertion string) RequestParams

ClientAuthJwtBearerParams returns a map of parameters to be sent to the authorization server when authenticating the client with a JWT, as defined in RFC 7523, section 2.2. The target authorization server must support the "private_key_jwt" client authentication method.

func ClientAuthSecretParams

func ClientAuthSecretParams(clientSecret string) RequestParams

ClientAuthSecretParams returns a map of parameters to be sent to the authorization server when authenticating the client with a client secret, as defined in RFC 6749, section 2.3.1. The target authorization server must support the "client_secret_post" client authentication method (the secret is sent in the request body, not as HTTP Basic credentials).

func ExchangeAuthorizationCodeParams

func ExchangeAuthorizationCodeParams(clientID, code, codeVerifier, redirectURI string) RequestParams

ExchangeAuthorizationCodeParams returns a map of parameters to be sent to the authorization server when exchanging an authorization code for tokens, as defined in RFC 6749, section 4.1.3.

Additionally, PKCE (RFC 7636) is required for this request: codeVerifier must be the verifier generated for the corresponding authorization request (typically the value stored in LoginCookie.CodeVerifier), and redirectURI must match the one used there.

func ParAuthorizationRequestParams

func ParAuthorizationRequestParams(clientID, requestUri string) RequestParams

ParAuthorizationRequestParams returns a map of parameters to be sent to the authorization server when using the authorization endpoint after performing a Pushed Authorization Request (PAR) as defined in RFC 9126, section 4.

func RefreshGrantParams

func RefreshGrantParams(clientID, refreshToken string) RequestParams

RefreshGrantParams returns a map of parameters to be sent to the authorization server when performing the refresh token grant as defined in RFC 6749, section 6.

func (RequestParams) AuthCodeOptions

func (a RequestParams) AuthCodeOptions() []oauth2.AuthCodeOption

AuthCodeOptions converts RequestParams to a slice of oauth2.AuthCodeOption.

func (RequestParams) URLValues

func (a RequestParams) URLValues() url.Values

URLValues converts RequestParams to a url.Values.

func (RequestParams) With

With returns a new RequestParams containing the receiver's entries plus the given ones; on conflicting keys the given RequestParams win. The receiver is not modified.

type TokenErrorResponse

// TokenErrorResponse is the error body returned by the token endpoint
// (RFC 6749, section 5.2).
type TokenErrorResponse struct {
	// Error is the error code (e.g. "invalid_grant").
	Error string `json:"error"`
	// ErrorDescription is the optional human-readable detail.
	ErrorDescription string `json:"error_description"`
}

TokenErrorResponse is the struct representing the HTTP error response returned from authorization servers as defined in RFC 6749, section 5.2.

type TokenResponse

// TokenResponse is the successful body returned by the token endpoint
// (RFC 6749, section 5.1). Note it carries no id_token field; the parsed ID
// token lives on Tokens.
type TokenResponse struct {
	// AccessToken is the issued access token.
	AccessToken string `json:"access_token"`
	// ExpiresIn is the access token lifetime in seconds.
	ExpiresIn int64 `json:"expires_in"`
	// RefreshToken is the issued refresh token, if any.
	RefreshToken string `json:"refresh_token"`
	// TokenType is the token type (typically "Bearer").
	TokenType string `json:"token_type"`
}

TokenResponse is the struct representing the HTTP response from authorization servers as defined in RFC 6749, section 5.1.

type Tokens

// Tokens is the processed result of a token exchange: the raw access and
// refresh tokens plus the parsed ID token. Built by NewTokens, which takes
// the JWKS, config and login cookie needed to validate the ID token.
type Tokens struct {
	// AccessToken is the issued access token.
	AccessToken string
	// Expiry is the access token's absolute expiry time.
	Expiry time.Time
	// IDToken is the parsed ID token.
	IDToken *IDToken
	// RefreshToken is the issued refresh token, if any.
	RefreshToken string
	// TokenType is the token type (typically "Bearer").
	TokenType string
}

func NewTokens

func NewTokens(src *oauth2.Token, jwks *jwk.Set, cfg openidconfig.Config, cookie *LoginCookie) (*Tokens, error)
