Documentation
¶
Index ¶
- Constants
- type APIKeyAuthConfig
- type AccessRequestHook
- type AssertionJWTReader
- type BlacklistedJTI
- type CreateVerifiableCredentialRequestBody
- type CredentialSupportedDraft00
- type Handler
- type InternalRegistry
- type Introspection
- type RefreshTokenHookRequest
- type Registry
- type Request
- type Requester
- type Session
- type TokenHookRequest
- type TokenHookResponse
- type VerifableCredentialClaims
- type VerifiableCredentialClaim
- type VerifiableCredentialPrimingResponse
- type VerifiableCredentialProof
- type VerifiableCredentialResponse
Constants ¶
View Source
const ( DefaultLoginPath = "/oauth2/fallbacks/login" DefaultConsentPath = "/oauth2/fallbacks/consent" DefaultPostLogoutPath = "/oauth2/fallbacks/logout/callback" DefaultLogoutPath = "/oauth2/fallbacks/logout" DefaultErrorPath = "/oauth2/fallbacks/error" TokenPath = "/oauth2/token" // #nosec G101 AuthPath = "/oauth2/auth" LogoutPath = "/oauth2/sessions/logout" VerifiableCredentialsPath = "/credentials" UserinfoPath = "/userinfo" WellKnownPath = "/.well-known/openid-configuration" JWKPath = "/.well-known/jwks.json" // IntrospectPath points to the OAuth2 introspection endpoint. IntrospectPath = "/oauth2/introspect" RevocationPath = "/oauth2/revoke" DeleteTokensPath = "/oauth2/tokens" // #nosec G101 )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type APIKeyAuthConfig ¶ added in v2.2.0
type AccessRequestHook ¶
type AccessRequestHook func(ctx context.Context, requester fosite.AccessRequester) error
AccessRequestHook is called when an access token request is performed.
func RefreshTokenHook ¶
func RefreshTokenHook(reg interface {
config.Provider
x.HTTPClientProvider
}) AccessRequestHook
RefreshTokenHook is an AccessRequestHook called for `refresh_token` grant type.
func TokenHook ¶
func TokenHook(reg interface {
config.Provider
x.HTTPClientProvider
}) AccessRequestHook
TokenHook is an AccessRequestHook called for all grant types.
type AssertionJWTReader ¶
type AssertionJWTReader interface {
x.FositeStorer
GetClientAssertionJWT(ctx context.Context, jti string) (*BlacklistedJTI, error)
SetClientAssertionJWTRaw(context.Context, *BlacklistedJTI) error
}
type BlacklistedJTI ¶
type BlacklistedJTI struct {
JTI string `db:"-"`
ID string `db:"signature"`
Expiry time.Time `db:"expires_at"`
NID gofrsuuid.UUID `db:"nid"`
}
func NewBlacklistedJTI ¶
func NewBlacklistedJTI(jti string, exp time.Time) *BlacklistedJTI
func (*BlacklistedJTI) AfterFind ¶
func (j *BlacklistedJTI) AfterFind(_ *pop.Connection) error
func (BlacklistedJTI) TableName ¶
func (BlacklistedJTI) TableName() string
type CreateVerifiableCredentialRequestBody ¶ added in v2.2.0
type CreateVerifiableCredentialRequestBody struct {
Format string `json:"format"`
Types []string `json:"types"`
Proof *VerifiableCredentialProof `json:"proof"`
}
CreateVerifiableCredentialRequestBody contains the request body to request a verifiable credential.
swagger:parameters createVerifiableCredentialRequestBody
type CredentialSupportedDraft00 ¶ added in v2.2.0
type CredentialSupportedDraft00 struct {
// OpenID Connect Verifiable Credentials Format
//
// Contains the format that is supported by this authorization server.
Format string `json:"format"`
// OpenID Connect Verifiable Credentials Types
//
// Contains the types of verifiable credentials supported.
Types []string `json:"types"`
// OpenID Connect Verifiable Credentials Cryptographic Binding Methods Supported
//
// Contains a list of cryptographic binding methods supported for signing the proof.
CryptographicBindingMethodsSupported []string `json:"cryptographic_binding_methods_supported"`
// OpenID Connect Verifiable Credentials Cryptographic Suites Supported
//
// Contains a list of cryptographic suites methods supported for signing the proof.
CryptographicSuitesSupported []string `json:"cryptographic_suites_supported"`
}
Verifiable Credentials Metadata (Draft 00)
Includes information about the supported verifiable credentials.
swagger:model credentialSupportedDraft00
type Handler ¶
type Handler struct {
// contains filtered or unexported fields
}
func NewHandler ¶
func NewHandler(r InternalRegistry, c *config.DefaultProvider) *Handler
func (*Handler) DefaultErrorHandler ¶
func (h *Handler) DefaultErrorHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
func (*Handler) SetRoutes ¶
func (h *Handler) SetRoutes(admin *httprouterx.RouterAdmin, public *httprouterx.RouterPublic, corsMiddleware func(http.Handler) http.Handler)
type InternalRegistry ¶
type InternalRegistry interface {
client.Registry
jwk.Registry
trust.Registry
x.RegistryWriter
x.RegistryLogger
consent.Registry
persistence.Provider
Registry
FlowCipher() *aead.XChaCha20Poly1305
}
type Introspection ¶
type Introspection struct {
// Active is a boolean indicator of whether or not the presented token
// is currently active. The specifics of a token's "active" state
// will vary depending on the implementation of the authorization
// server and the information it keeps about its tokens, but a "true"
// value return for the "active" property will generally indicate
// that a given token has been issued by this authorization server,
// has not been revoked by the resource owner, and is within its
// given time window of validity (e.g., after its issuance time and
// before its expiration time).
//
// required: true
Active bool `json:"active"`
// Scope is a JSON string containing a space-separated list of
// scopes associated with this token.
Scope string `json:"scope,omitempty"`
// ID is aclient identifier for the OAuth 2.0 client that
// requested this token.
ClientID string `json:"client_id"`
// Subject of the token, as defined in JWT [RFC7519].
// Usually a machine-readable identifier of the resource owner who
// authorized this token.
Subject string `json:"sub"`
// ObfuscatedSubject is set when the subject identifier algorithm was set to "pairwise" during authorization.
// It is the `sub` value of the ID Token that was issued.
ObfuscatedSubject string `json:"obfuscated_subject,omitempty"`
// Expires at is an integer timestamp, measured in the number of seconds
// since January 1 1970 UTC, indicating when this token will expire.
ExpiresAt int64 `json:"exp"`
// Issued at is an integer timestamp, measured in the number of seconds
// since January 1 1970 UTC, indicating when this token was
// originally issued.
IssuedAt int64 `json:"iat"`
// NotBefore is an integer timestamp, measured in the number of seconds
// since January 1 1970 UTC, indicating when this token is not to be
// used before.
NotBefore int64 `json:"nbf"`
// Username is a human-readable identifier for the resource owner who
// authorized this token.
Username string `json:"username,omitempty"`
// Audience contains a list of the token's intended audiences.
Audience []string `json:"aud"`
// IssuerURL is a string representing the issuer of this token
Issuer string `json:"iss"`
// TokenType is the introspected token's type, typically `Bearer`.
TokenType string `json:"token_type"`
// TokenUse is the introspected token's use, for example `access_token` or `refresh_token`.
TokenUse string `json:"token_use"`
// Extra is arbitrary data set by the session.
Extra map[string]interface{} `json:"ext,omitempty"`
}
Introspection contains an access token's session data as specified by [IETF RFC 7662](https://tools.ietf.org/html/rfc7662)
swagger:model introspectedOAuth2Token
type RefreshTokenHookRequest ¶
type RefreshTokenHookRequest struct {
// Subject is the identifier of the authenticated end-user.
Subject string `json:"subject"`
// Session is the request's session..
Session *Session `json:"session"`
// Requester is a token endpoint's request context.
Requester Requester `json:"requester"`
// ClientID is the identifier of the OAuth 2.0 client.
ClientID string `json:"client_id"`
// GrantedScopes is the list of scopes granted to the OAuth 2.0 client.
GrantedScopes []string `json:"granted_scopes"`
// GrantedAudience is the list of audiences granted to the OAuth 2.0 client.
GrantedAudience []string `json:"granted_audience"`
}
RefreshTokenHookRequest is the request body sent to the refresh token hook.
swagger:ignore
type Registry ¶
type Registry interface {
OAuth2Storage() x.FositeStorer
OAuth2Provider() fosite.OAuth2Provider
AudienceStrategy() fosite.AudienceMatchingStrategy
AccessTokenJWTStrategy() jwk.JWTSigner
OpenIDConnectRequestValidator() *openid.OpenIDConnectRequestValidator
AccessRequestHooks() []AccessRequestHook
OAuth2ProviderConfig() fosite.Configurator
}
type Request ¶
type Request struct {
// ClientID is the identifier of the OAuth 2.0 client.
ClientID string `json:"client_id"`
// RequestedScopes is the list of scopes requested to the OAuth 2.0 client.
RequestedScopes []string `json:"requested_scopes"`
// GrantedScopes is the list of scopes granted to the OAuth 2.0 client.
GrantedScopes []string `json:"granted_scopes"`
// GrantedAudience is the list of audiences granted to the OAuth 2.0 client.
GrantedAudience []string `json:"granted_audience"`
// GrantTypes is the requests grant types.
GrantTypes []string `json:"grant_types"`
// Payload is the requests payload.
Payload map[string][]string `json:"payload"`
}
Request is a token endpoint's request context.
swagger:ignore
type Requester ¶
type Requester struct {
// ClientID is the identifier of the OAuth 2.0 client.
ClientID string `json:"client_id"`
// GrantedScopes is the list of scopes granted to the OAuth 2.0 client.
GrantedScopes []string `json:"granted_scopes"`
// GrantedAudience is the list of audiences granted to the OAuth 2.0 client.
GrantedAudience []string `json:"granted_audience"`
// GrantTypes is the requests grant types.
GrantTypes []string `json:"grant_types"`
}
Requester is a token endpoint's request context.
swagger:ignore
type Session ¶
type Session struct {
*openid.DefaultSession `json:"id_token"`
Extra map[string]interface{} `json:"extra"`
KID string `json:"kid"`
ClientID string `json:"client_id"`
ConsentChallenge string `json:"consent_challenge"`
ExcludeNotBeforeClaim bool `json:"exclude_not_before_claim"`
AllowedTopLevelClaims []string `json:"allowed_top_level_claims"`
MirrorTopLevelClaims bool `json:"mirror_top_level_claims"`
Flow *flow.Flow `json:"-"`
}
swagger:ignore
func NewSession ¶
func (*Session) GetExtraClaims ¶
GetExtraClaims implements ExtraClaimsSession for Session. The returned value can be modified in-place.
func (*Session) GetJWTClaims ¶
func (s *Session) GetJWTClaims() jwt.JWTClaimsContainer
func (*Session) GetJWTHeader ¶
func (*Session) UnmarshalJSON ¶
type TokenHookRequest ¶
type TokenHookRequest struct {
// Session is the request's session..
Session *Session `json:"session"`
// Requester is a token endpoint's request context.
Request Request `json:"request"`
}
TokenHookRequest is the request body sent to the token hook.
swagger:ignore
type TokenHookResponse ¶
type TokenHookResponse struct {
// Session is the session data returned by the hook.
Session flow.AcceptOAuth2ConsentRequestSession `json:"session"`
}
TokenHookResponse is the response body received from the token hook.
swagger:ignore
type VerifableCredentialClaims ¶ added in v2.2.0
type VerifableCredentialClaims struct {
jwt.RegisteredClaims
VerifiableCredential VerifiableCredentialClaim `json:"vc"`
}
func (*VerifableCredentialClaims) GetAudience ¶ added in v2.2.0
func (v *VerifableCredentialClaims) GetAudience() (jwt.ClaimStrings, error)
func (*VerifableCredentialClaims) ToMapClaims ¶ added in v2.2.0
func (v *VerifableCredentialClaims) ToMapClaims() (res map[string]any, err error)
type VerifiableCredentialClaim ¶ added in v2.2.0
type VerifiableCredentialPrimingResponse ¶ added in v2.2.0
type VerifiableCredentialPrimingResponse struct {
Format string `json:"format"`
Nonce string `json:"c_nonce"`
NonceExpiresIn int64 `json:"c_nonce_expires_in"`
fosite.RFC6749ErrorJson
}
VerifiableCredentialPrimingResponse contains the nonce to include in the proof-of-possession JWT.
swagger:model verifiableCredentialPrimingResponse
type VerifiableCredentialProof ¶ added in v2.2.0
type VerifiableCredentialProof struct {
ProofType string `json:"proof_type"`
JWT string `json:"jwt"`
}
VerifiableCredentialProof contains the proof of a verifiable credential.
swagger:parameters verifiableCredentialProof
type VerifiableCredentialResponse ¶ added in v2.2.0
type VerifiableCredentialResponse struct {
Format string `json:"format"`
Credential string `json:"credential_draft_00"`
}
VerifiableCredentialResponse contains the verifiable credential.
swagger:model verifiableCredentialResponse
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.