Documentation ¶
Index ¶
- Constants
- func AssertObjectKeysEqual(t *testing.T, a, b interface{}, keys ...string)
- func AssertObjectKeysNotEqual(t *testing.T, a, b interface{}, keys ...string)
- func RequireObjectKeysEqual(t *testing.T, a, b interface{}, keys ...string)
- func RequireObjectKeysNotEqual(t *testing.T, a, b interface{}, keys ...string)
- func TestHelperRunner(t *testing.T, store InternalRegistry, k string)
- type AccessRequestHook
- type AssertionJWTReader
- type BlacklistedJTI
- type FlushInactiveOAuth2TokensRequest
- type Handler
- func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) DefaultErrorHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) DeleteHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) FlushHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) IntrospectHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) LogoutHandler(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
- func (h *Handler) RevocationHandler(w http.ResponseWriter, r *http.Request)
- func (h *Handler) SetRoutes(admin *x.RouterAdmin, public *x.RouterPublic, ...)
- func (h *Handler) TokenHandler(w http.ResponseWriter, r *http.Request)
- func (h *Handler) UserinfoHandler(w http.ResponseWriter, r *http.Request)
- func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request)
- type InternalRegistry
- type Introspection
- type RefreshTokenHookRequest
- type RefreshTokenHookResponse
- type Registry
- type Requester
- type Session
- type WellKnown
Constants ¶
const ( DefaultLoginPath = "/oauth2/fallbacks/login" DefaultConsentPath = "/oauth2/fallbacks/consent" DefaultPostLogoutPath = "/oauth2/fallbacks/logout/callback" DefaultLogoutPath = "/oauth2/fallbacks/logout" DefaultErrorPath = "/oauth2/fallbacks/error" TokenPath = "/oauth2/token" // #nosec G101 AuthPath = "/oauth2/auth" LogoutPath = "/oauth2/sessions/logout" UserinfoPath = "/userinfo" WellKnownPath = "/.well-known/openid-configuration" JWKPath = "/.well-known/jwks.json" // IntrospectPath points to the OAuth2 introspection endpoint. IntrospectPath = "/oauth2/introspect" RevocationPath = "/oauth2/revoke" FlushPath = "/oauth2/flush" DeleteTokensPath = "/oauth2/tokens" // #nosec G101 )
Variables ¶
This section is empty.
Functions ¶
func AssertObjectKeysEqual ¶
func RequireObjectKeysEqual ¶
func TestHelperRunner ¶
func TestHelperRunner(t *testing.T, store InternalRegistry, k string)
TestHelperRunner is used to run the database suite of tests in this package. KEEP EXPORTED AND AVAILABLE FOR THIRD PARTIES TO TEST PLUGINS!
Types ¶
type AccessRequestHook ¶ added in v1.10.7
type AccessRequestHook func(ctx context.Context, requester fosite.AccessRequester) error
AccessRequestHook is called when an access token is being refreshed.
func RefreshTokenHook ¶ added in v1.10.7
func RefreshTokenHook(config *config.Provider) AccessRequestHook
RefreshTokenHook is an AccessRequestHook called for `refresh_token` grant type.
type AssertionJWTReader ¶ added in v1.9.0
type AssertionJWTReader interface { x.FositeStorer GetClientAssertionJWT(ctx context.Context, jti string) (*BlacklistedJTI, error) SetClientAssertionJWTRaw(context.Context, *BlacklistedJTI) error }
type BlacklistedJTI ¶ added in v1.5.0
type BlacklistedJTI struct { JTI string `db:"-"` ID string `db:"signature"` Expiry time.Time `db:"expires_at"` }
func NewBlacklistedJTI ¶ added in v1.9.0
func NewBlacklistedJTI(jti string, exp time.Time) *BlacklistedJTI
func (*BlacklistedJTI) AfterFind ¶ added in v1.9.0
func (j *BlacklistedJTI) AfterFind(_ *pop.Connection) error
func (BlacklistedJTI) TableName ¶ added in v1.5.0
func (BlacklistedJTI) TableName() string
type FlushInactiveOAuth2TokensRequest ¶
type FlushInactiveOAuth2TokensRequest struct { // NotAfter sets after which point tokens should not be flushed. This is useful when you want to keep a history // of recently issued tokens for auditing. NotAfter time.Time `json:"notAfter"` }
swagger:model flushInactiveOAuth2TokensRequest
type Handler ¶
type Handler struct {
// contains filtered or unexported fields
}
func NewHandler ¶
func NewHandler(r InternalRegistry, c *config.Provider) *Handler
func (*Handler) AuthHandler ¶
func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route GET /oauth2/auth public oauthAuth
The OAuth 2.0 Authorize Endpoint ¶
This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows. OAuth2 is a very popular protocol and a library for your programming language will exists.
To learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749
Consumes: - application/x-www-form-urlencoded Schemes: http, https Responses: 302: emptyResponse 401: jsonError 500: jsonError
func (*Handler) DefaultErrorHandler ¶
func (h *Handler) DefaultErrorHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
func (*Handler) DeleteHandler ¶ added in v1.8.0
func (h *Handler) DeleteHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route DELETE /oauth2/tokens admin deleteOAuth2Token
Delete OAuth2 Access Tokens from a Client ¶
This endpoint deletes OAuth2 access tokens issued for a client from the database
Consumes: - application/json Schemes: http, https Responses: 204: emptyResponse 401: jsonError 500: jsonError
func (*Handler) FlushHandler ¶
func (h *Handler) FlushHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /oauth2/flush admin flushInactiveOAuth2Tokens
Flush Expired OAuth2 Access Tokens ¶
This endpoint flushes expired OAuth2 access tokens from the database. You can set a time after which no tokens will be not be touched, in case you want to keep recent tokens for auditing. Refresh tokens can not be flushed as they are deleted automatically when performing the refresh flow.
Consumes: - application/json Schemes: http, https Responses: 204: emptyResponse 401: jsonError 500: jsonError
func (*Handler) IntrospectHandler ¶
func (h *Handler) IntrospectHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /oauth2/introspect admin introspectOAuth2Token
Introspect OAuth2 Tokens ¶
The introspection endpoint allows to check if a token (both refresh and access) is active or not. An active token is neither expired nor revoked. If a token is active, additional information on the token will be included. You can set additional data for a token by setting `accessTokenExtra` during the consent flow.
For more information [read this blog post](https://www.oauth.com/oauth2-servers/token-introspection-endpoint/).
Consumes: - application/x-www-form-urlencoded Produces: - application/json Schemes: http, https Responses: 200: oAuth2TokenIntrospection 401: jsonError 500: jsonError
func (*Handler) LogoutHandler ¶
func (h *Handler) LogoutHandler(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
swagger:route GET /oauth2/sessions/logout public disconnectUser
OpenID Connect Front-Backchannel Enabled Logout ¶
This endpoint initiates and completes user logout at Ory Hydra and initiates OpenID Connect Front-/Back-channel logout:
- https://openid.net/specs/openid-connect-frontchannel-1_0.html - https://openid.net/specs/openid-connect-backchannel-1_0.html
Back-channel logout is performed asynchronously and does not affect logout flow.
Schemes: http, https Responses: 302: emptyResponse
func (*Handler) RevocationHandler ¶
func (h *Handler) RevocationHandler(w http.ResponseWriter, r *http.Request)
swagger:route POST /oauth2/revoke public revokeOAuth2Token
Revoke OAuth2 Tokens ¶
Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no longer be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token. Revoking a refresh token also invalidates the access token that was created with it. A token may only be revoked by the client the token was generated for.
Consumes: - application/x-www-form-urlencoded Schemes: http, https Security: basic: oauth2: Responses: 200: emptyResponse 401: jsonError 500: jsonError
func (*Handler) SetRoutes ¶
func (h *Handler) SetRoutes(admin *x.RouterAdmin, public *x.RouterPublic, corsMiddleware func(http.Handler) http.Handler)
func (*Handler) TokenHandler ¶
func (h *Handler) TokenHandler(w http.ResponseWriter, r *http.Request)
swagger:route POST /oauth2/token public oauth2Token
The OAuth 2.0 Token Endpoint ¶
The client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" HTTP request entity-body.
> Do not implement a client for this endpoint yourself. Use a library. There are many libraries > available for any programming language. You can find a list of libraries here: https://oauth.net/code/ > > Do note that Hydra SDK does not implement this endpoint properly. Use one of the libraries listed above!
Consumes: - application/x-www-form-urlencoded Produces: - application/json Schemes: http, https Security: basic: oauth2: Responses: 200: oauth2TokenResponse 401: jsonError 400: jsonError 500: jsonError
func (*Handler) UserinfoHandler ¶
func (h *Handler) UserinfoHandler(w http.ResponseWriter, r *http.Request)
swagger:route GET /userinfo public userinfo
OpenID Connect Userinfo ¶
This endpoint returns the payload of the ID Token, including the idTokenExtra values, of the provided OAuth 2.0 Access Token.
For more information please [refer to the spec](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo).
In the case of authentication error, a WWW-Authenticate header might be set in the response with more information about the error. See [the spec](https://datatracker.ietf.org/doc/html/rfc6750#section-3) for more details about header format.
Produces: - application/json Schemes: http, https Security: oauth2: Responses: 200: userinfoResponse 401: jsonError 500: jsonError
func (*Handler) WellKnownHandler ¶
func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request)
swagger:route GET /.well-known/openid-configuration public discoverOpenIDConfiguration
OpenID Connect Discovery ¶
The well known endpoint an be used to retrieve information for OpenID Connect clients. We encourage you to not roll your own OpenID Connect client but to use an OpenID Connect client library instead. You can learn more on this flow at https://openid.net/specs/openid-connect-discovery-1_0.html .
Popular libraries for OpenID Connect clients include oidc-client-js (JavaScript), go-oidc (Golang), and others. For a full list of clients go here: https://openid.net/developers/certified/
Produces: - application/json Schemes: http, https Responses: 200: wellKnown 401: jsonError 500: jsonError
type InternalRegistry ¶
type Introspection ¶
type Introspection struct { // Active is a boolean indicator of whether or not the presented token // is currently active. The specifics of a token's "active" state // will vary depending on the implementation of the authorization // server and the information it keeps about its tokens, but a "true" // value return for the "active" property will generally indicate // that a given token has been issued by this authorization server, // has not been revoked by the resource owner, and is within its // given time window of validity (e.g., after its issuance time and // before its expiration time). // // required: true Active bool `json:"active"` // Scope is a JSON string containing a space-separated list of // scopes associated with this token. Scope string `json:"scope,omitempty"` // ID is aclient identifier for the OAuth 2.0 client that // requested this token. ClientID string `json:"client_id"` // Subject of the token, as defined in JWT [RFC7519]. // Usually a machine-readable identifier of the resource owner who // authorized this token. Subject string `json:"sub"` // ObfuscatedSubject is set when the subject identifier algorithm was set to "pairwise" during authorization. // It is the `sub` value of the ID Token that was issued. ObfuscatedSubject string `json:"obfuscated_subject,omitempty"` // Expires at is an integer timestamp, measured in the number of seconds // since January 1 1970 UTC, indicating when this token will expire. ExpiresAt int64 `json:"exp"` // Issued at is an integer timestamp, measured in the number of seconds // since January 1 1970 UTC, indicating when this token was // originally issued. IssuedAt int64 `json:"iat"` // NotBefore is an integer timestamp, measured in the number of seconds // since January 1 1970 UTC, indicating when this token is not to be // used before. NotBefore int64 `json:"nbf"` // Username is a human-readable identifier for the resource owner who // authorized this token. Username string `json:"username,omitempty"` // Audience contains a list of the token's intended audiences. Audience []string `json:"aud"` // IssuerURL is a string representing the issuer of this token Issuer string `json:"iss"` // TokenType is the introspected token's type, typically `Bearer`. TokenType string `json:"token_type"` // TokenUse is the introspected token's use, for example `access_token` or `refresh_token`. TokenUse string `json:"token_use"` // Extra is arbitrary data set by the session. Extra map[string]interface{} `json:"ext,omitempty"` }
Introspection contains an access token's session data as specified by IETF RFC 7662, see: https://tools.ietf.org/html/rfc7662 swagger:model oAuth2TokenIntrospection
type RefreshTokenHookRequest ¶ added in v1.10.7
type RefreshTokenHookRequest struct { // Subject is the identifier of the authenticated end-user. Subject string `json:"subject"` // Session is the request's session.. Session *Session `json:"session"` // Requester is a token endpoint's request context. Requester Requester `json:"requester"` // ClientID is the identifier of the OAuth 2.0 client. ClientID string `json:"client_id"` // GrantedScopes is the list of scopes granted to the OAuth 2.0 client. GrantedScopes []string `json:"granted_scopes"` // GrantedAudience is the list of audiences granted to the OAuth 2.0 client. GrantedAudience []string `json:"granted_audience"` }
RefreshTokenHookRequest is the request body sent to the refresh token hook.
swagger:model refreshTokenHookRequest
type RefreshTokenHookResponse ¶ added in v1.10.7
type RefreshTokenHookResponse struct { // Session is the session data returned by the hook. Session consent.ConsentRequestSessionData `json:"session"` }
RefreshTokenHookResponse is the response body received from the refresh token hook.
swagger:model refreshTokenHookResponse
type Registry ¶
type Registry interface { OAuth2Storage() x.FositeStorer OAuth2Provider() fosite.OAuth2Provider AudienceStrategy() fosite.AudienceMatchingStrategy ScopeStrategy() fosite.ScopeStrategy AccessTokenJWTStrategy() jwk.JWTStrategy OpenIDJWTStrategy() jwk.JWTStrategy OpenIDConnectRequestValidator() *openid.OpenIDConnectRequestValidator AccessRequestHooks() []AccessRequestHook }
type Requester ¶ added in v1.11.10
type Requester struct { // ClientID is the identifier of the OAuth 2.0 client. ClientID string `json:"client_id"` // GrantedScopes is the list of scopes granted to the OAuth 2.0 client. GrantedScopes []string `json:"granted_scopes"` // GrantedAudience is the list of audiences granted to the OAuth 2.0 client. GrantedAudience []string `json:"granted_audience"` // GrantTypes is the requests grant types. GrantTypes []string `json:"grant_types"` }
Requester is a token endpoint's request context.
swagger:model oAuth2AccessRequest
type Session ¶
type Session struct { *openid.DefaultSession `json:"id_token"` Extra map[string]interface{} `json:"extra"` KID string `json:"kid"` ClientID string `json:"client_id"` ConsentChallenge string `json:"consent_challenge"` ExcludeNotBeforeClaim bool `json:"exclude_not_before_claim"` AllowedTopLevelClaims []string `json:"allowed_top_level_claims"` }
func NewSession ¶
func NewSessionWithCustomClaims ¶ added in v1.10.3
func (*Session) GetJWTClaims ¶
func (s *Session) GetJWTClaims() jwt.JWTClaimsContainer
func (*Session) GetJWTHeader ¶
func (*Session) UnmarshalJSON ¶ added in v1.11.10
type WellKnown ¶
type WellKnown struct { // URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier. // If IssuerURL discovery is supported , this value MUST be identical to the issuer value returned // by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL. // // required: true // example: https://playground.ory.sh/ory-hydra/public/ Issuer string `json:"issuer"` // URL of the OP's OAuth 2.0 Authorization Endpoint. // // required: true // example: https://playground.ory.sh/ory-hydra/public/oauth2/auth AuthURL string `json:"authorization_endpoint"` // URL of the OP's Dynamic Client Registration Endpoint. // example: https://playground.ory.sh/ory-hydra/admin/client RegistrationEndpoint string `json:"registration_endpoint,omitempty"` // URL of the OP's OAuth 2.0 Token Endpoint // // required: true // example: https://playground.ory.sh/ory-hydra/public/oauth2/token TokenURL string `json:"token_endpoint"` // URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate // signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs // to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) // parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. // Although some algorithms allow the same key to be used for both signatures and encryption, doing so is // NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of // keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. // // required: true // example: https://playground.ory.sh/ory-hydra/public/.well-known/jwks.json JWKsURI string `json:"jwks_uri"` // JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include // pairwise and public. // // required: true // example: // - public // - pairwise SubjectTypes []string `json:"subject_types_supported"` // JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID // Providers MUST support the code, id_token, and the token id_token Response Type values. // // required: true ResponseTypes []string `json:"response_types_supported"` // JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply // values for. Note that for privacy or other reasons, this might not be an exhaustive list. ClaimsSupported []string `json:"claims_supported"` // JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. GrantTypesSupported []string `json:"grant_types_supported"` // JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports. ResponseModesSupported []string `json:"response_modes_supported"` // URL of the OP's UserInfo Endpoint. UserinfoEndpoint string `json:"userinfo_endpoint"` // SON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST // support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used ScopesSupported []string `json:"scopes_supported"` // JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are // client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0 TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"` // JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT]. UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported"` // JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token // to encode the Claims in a JWT. // // required: true IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"` // Boolean value specifying whether the OP supports use of the request parameter, with true indicating support. RequestParameterSupported bool `json:"request_parameter_supported"` // Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support. RequestURIParameterSupported bool `json:"request_uri_parameter_supported"` // Boolean value specifying whether the OP requires any request_uri values used to be pre-registered // using the request_uris registration parameter. RequireRequestURIRegistration bool `json:"require_request_uri_registration"` // Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support. ClaimsParameterSupported bool `json:"claims_parameter_supported"` // URL of the authorization server's OAuth 2.0 revocation endpoint. RevocationEndpoint string `json:"revocation_endpoint"` // Boolean value specifying whether the OP supports back-channel logout, with true indicating support. BackChannelLogoutSupported bool `json:"backchannel_logout_supported"` // Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP // session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP BackChannelLogoutSessionSupported bool `json:"backchannel_logout_session_supported"` // Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. FrontChannelLogoutSupported bool `json:"frontchannel_logout_supported"` // Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify // the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also // included in ID Tokens issued by the OP. FrontChannelLogoutSessionSupported bool `json:"frontchannel_logout_session_supported"` // URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP. EndSessionEndpoint string `json:"end_session_endpoint"` // JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects, // which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when // the Request Object is passed by value (using the request parameter) and when it is passed by reference // (using the request_uri parameter). RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"` // JSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported // by this authorization server. CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"` }
WellKnown represents important OpenID Connect discovery metadata
It includes links to several endpoints (e.g. /oauth2/token) and exposes information on supported signature algorithms among others.
swagger:model wellKnown