oauth2

package
v1.0.7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 29, 2019 License: Apache-2.0 Imports: 45 Imported by: 249

Documentation

Index

Constants

View Source 
const (
	DefaultLoginPath      = "/oauth2/fallbacks/login"
	DefaultConsentPath    = "/oauth2/fallbacks/consent"
	DefaultPostLogoutPath = "/oauth2/fallbacks/logout/callback"
	DefaultLogoutPath     = "/oauth2/fallbacks/logout"
	DefaultErrorPath      = "/oauth2/fallbacks/error"
	TokenPath             = "/oauth2/token"
	AuthPath              = "/oauth2/auth"
	LogoutPath            = "/oauth2/sessions/logout"

	UserinfoPath  = "/userinfo"
	WellKnownPath = "/.well-known/openid-configuration"
	JWKPath       = "/.well-known/jwks.json"

	// IntrospectPath points to the OAuth2 introspection endpoint.
	IntrospectPath = "/oauth2/introspect"
	RevocationPath = "/oauth2/revoke"
	FlushPath      = "/oauth2/flush"
)

Variables

View Source 
var Migrations = map[string]*dbal.PackrMigrationSource{
	dbal.DriverMySQL: dbal.NewMustPackerMigrationSource(logrus.New(), AssetNames(), Asset, []string{
		"migrations/sql/shared",
		"migrations/sql/mysql",
	}, true),
	dbal.DriverPostgreSQL: dbal.NewMustPackerMigrationSource(logrus.New(), AssetNames(), Asset, []string{
		"migrations/sql/shared",
		"migrations/sql/postgres",
	}, true),
	dbal.DriverCockroachDB: dbal.NewMustPackerMigrationSource(logrus.New(), AssetNames(), Asset, []string{
		"migrations/sql/cockroach",
	}, true),
}

Functions

func AssertObjectKeysEqual 

func AssertObjectKeysEqual(t *testing.T, a, b interface{}, keys ...string)

func AssertObjectKeysNotEqual 

func AssertObjectKeysNotEqual(t *testing.T, a, b interface{}, keys ...string)

func Asset 

func Asset(name string) ([]byte, error)

Asset loads and returns the asset for the given name. It returns an error if the asset could not be found or could not be loaded.

func AssetDigest added in v1.0.1 

func AssetDigest(name string) ([sha256.Size]byte, error)

AssetDigest returns the digest of the file with the given name. It returns an error if the asset could not be found or the digest could not be loaded.

func AssetDir 

func AssetDir(name string) ([]string, error)

AssetDir returns the file names below a certain directory embedded in the file by go-bindata. For example if you run go-bindata on data/... and data contains the following hierarchy: 

data/
  foo.txt
  img/
    a.png
    b.png

then AssetDir("data") would return []string{"foo.txt", "img"}, AssetDir("data/img") would return []string{"a.png", "b.png"}, AssetDir("foo.txt") and AssetDir("notexist") would return an error, and AssetDir("") will return []string{"data"}.

func AssetInfo 

func AssetInfo(name string) (os.FileInfo, error)

AssetInfo loads and returns the asset info for the given name. It returns an error if the asset could not be found or could not be loaded.

func AssetNames 

func AssetNames() []string

AssetNames returns the names of the assets.

func AssetString added in v1.0.1 

func AssetString(name string) (string, error)

AssetString returns the asset contents as a string (instead of a []byte).

func Digests added in v1.0.1 

func Digests() (map[string][sha256.Size]byte, error)

Digests returns a map of all known files and their checksums.

func MustAsset 

func MustAsset(name string) []byte

MustAsset is like Asset but panics when Asset would return an error. It simplifies safe initialization of global variables.

func MustAssetString added in v1.0.1 

func MustAssetString(name string) string

MustAssetString is like AssetString but panics when Asset would return an error. It simplifies safe initialization of global variables.

func RequireObjectKeysEqual 

func RequireObjectKeysEqual(t *testing.T, a, b interface{}, keys ...string)

func RequireObjectKeysNotEqual 

func RequireObjectKeysNotEqual(t *testing.T, a, b interface{}, keys ...string)

func RestoreAsset 

func RestoreAsset(dir, name string) error

RestoreAsset restores an asset under the given directory.

func RestoreAssets 

func RestoreAssets(dir, name string) error

RestoreAssets restores an asset under the given directory recursively.

func TestHelperRunner 

func TestHelperRunner(t *testing.T, store InternalRegistry, k string)

TestHelperRunner is used to run the database suite of tests in this package. KEEP EXPORTED AND AVAILABLE FOR THIRD PARTIES TO TEST PLUGINS!

Types

type Configuration 

type Configuration interface {
	configuration.Provider
}

type FlushInactiveOAuth2TokensRequest 

type FlushInactiveOAuth2TokensRequest struct {
	// NotAfter sets after which point tokens should not be flushed. This is useful when you want to keep a history
	// of recently issued tokens for auditing.
	NotAfter time.Time `json:"notAfter"`
}

swagger:model flushInactiveOAuth2TokensRequest

type FositeMemoryStore 

type FositeMemoryStore struct {
	AuthorizeCodes map[string]authorizeCode
	IDSessions     map[string]fosite.Requester
	AccessTokens   map[string]fosite.Requester
	RefreshTokens  map[string]fosite.Requester
	PKCES          map[string]fosite.Requester

	sync.RWMutex
	// contains filtered or unexported fields
}

func NewFositeMemoryStore 

func NewFositeMemoryStore(
	r InternalRegistry,
	c Configuration,
) *FositeMemoryStore

func (*FositeMemoryStore) Authenticate 

func (s *FositeMemoryStore) Authenticate(ctx context.Context, id string, secret []byte) (*client.Client, error)

func (*FositeMemoryStore) CreateAccessTokenSession 

func (s *FositeMemoryStore) CreateAccessTokenSession(_ context.Context, signature string, req fosite.Requester) error

func (*FositeMemoryStore) CreateAuthorizeCodeSession 

func (s *FositeMemoryStore) CreateAuthorizeCodeSession(_ context.Context, code string, req fosite.Requester) error

func (*FositeMemoryStore) CreateClient 

func (s *FositeMemoryStore) CreateClient(ctx context.Context, c *client.Client) error

func (*FositeMemoryStore) CreateImplicitAccessTokenSession 

func (s *FositeMemoryStore) CreateImplicitAccessTokenSession(ctx context.Context, code string, req fosite.Requester) error

func (*FositeMemoryStore) CreateOpenIDConnectSession 

func (s *FositeMemoryStore) CreateOpenIDConnectSession(_ context.Context, authorizeCode string, requester fosite.Requester) error

func (*FositeMemoryStore) CreatePKCERequestSession 

func (s *FositeMemoryStore) CreatePKCERequestSession(_ context.Context, code string, req fosite.Requester) error

func (*FositeMemoryStore) CreateRefreshTokenSession 

func (s *FositeMemoryStore) CreateRefreshTokenSession(_ context.Context, signature string, req fosite.Requester) error

func (*FositeMemoryStore) DeleteAccessTokenSession 

func (s *FositeMemoryStore) DeleteAccessTokenSession(ctx context.Context, signature string) error

func (*FositeMemoryStore) DeleteClient 

func (s *FositeMemoryStore) DeleteClient(ctx context.Context, id string) error

func (*FositeMemoryStore) DeleteOpenIDConnectSession 

func (s *FositeMemoryStore) DeleteOpenIDConnectSession(_ context.Context, authorizeCode string) error

func (*FositeMemoryStore) DeletePKCERequestSession 

func (s *FositeMemoryStore) DeletePKCERequestSession(_ context.Context, code string) error

func (*FositeMemoryStore) DeleteRefreshTokenSession 

func (s *FositeMemoryStore) DeleteRefreshTokenSession(ctx context.Context, signature string) error

func (*FositeMemoryStore) FlushInactiveAccessTokens 

func (s *FositeMemoryStore) FlushInactiveAccessTokens(ctx context.Context, notAfter time.Time) error

func (*FositeMemoryStore) GetAccessTokenSession 

func (s *FositeMemoryStore) GetAccessTokenSession(ctx context.Context, signature string, _ fosite.Session) (fosite.Requester, error)

func (*FositeMemoryStore) GetAuthorizeCodeSession 

func (s *FositeMemoryStore) GetAuthorizeCodeSession(ctx context.Context, code string, _ fosite.Session) (fosite.Requester, error)

func (*FositeMemoryStore) GetClient 

func (s *FositeMemoryStore) GetClient(ctx context.Context, id string) (fosite.Client, error)

func (*FositeMemoryStore) GetClients 

func (s *FositeMemoryStore) GetClients(ctx context.Context, limit, offset int) (map[string]client.Client, error)

func (*FositeMemoryStore) GetConcreteClient 

func (s *FositeMemoryStore) GetConcreteClient(ctx context.Context, id string) (*client.Client, error)

func (*FositeMemoryStore) GetOpenIDConnectSession 

func (s *FositeMemoryStore) GetOpenIDConnectSession(ctx context.Context, code string, requester fosite.Requester) (fosite.Requester, error)

func (*FositeMemoryStore) GetPKCERequestSession 

func (s *FositeMemoryStore) GetPKCERequestSession(ctx context.Context, code string, _ fosite.Session) (fosite.Requester, error)

func (*FositeMemoryStore) GetRefreshTokenSession 

func (s *FositeMemoryStore) GetRefreshTokenSession(ctx context.Context, signature string, _ fosite.Session) (fosite.Requester, error)

func (*FositeMemoryStore) InvalidateAuthorizeCodeSession 

func (s *FositeMemoryStore) InvalidateAuthorizeCodeSession(ctx context.Context, code string) error

func (*FositeMemoryStore) RevokeAccessToken 

func (s *FositeMemoryStore) RevokeAccessToken(ctx context.Context, id string) error

func (*FositeMemoryStore) RevokeRefreshToken 

func (s *FositeMemoryStore) RevokeRefreshToken(ctx context.Context, id string) error

func (*FositeMemoryStore) UpdateClient 

func (s *FositeMemoryStore) UpdateClient(ctx context.Context, c *client.Client) error

type FositeSQLStore 

type FositeSQLStore struct {
	DB *sqlx.DB

	HashSignature bool
	// contains filtered or unexported fields
}

func NewFositeSQLStore 

func NewFositeSQLStore(db *sqlx.DB, r InternalRegistry, c Configuration) *FositeSQLStore

func (*FositeSQLStore) Authenticate 

func (s *FositeSQLStore) Authenticate(ctx context.Context, id string, secret []byte) (*client.Client, error)

func (*FositeSQLStore) BeginTX 

func (s *FositeSQLStore) BeginTX(ctx context.Context) (context.Context, error)

func (*FositeSQLStore) Commit 

func (s *FositeSQLStore) Commit(ctx context.Context) error

func (*FositeSQLStore) CreateAccessTokenSession 

func (s *FositeSQLStore) CreateAccessTokenSession(ctx context.Context, signature string, requester fosite.Requester) error

func (*FositeSQLStore) CreateAuthorizeCodeSession 

func (s *FositeSQLStore) CreateAuthorizeCodeSession(ctx context.Context, signature string, requester fosite.Requester) error

func (*FositeSQLStore) CreateClient 

func (s *FositeSQLStore) CreateClient(ctx context.Context, c *client.Client) error

func (*FositeSQLStore) CreateImplicitAccessTokenSession 

func (s *FositeSQLStore) CreateImplicitAccessTokenSession(ctx context.Context, signature string, requester fosite.Requester) error

func (*FositeSQLStore) CreateOpenIDConnectSession 

func (s *FositeSQLStore) CreateOpenIDConnectSession(ctx context.Context, signature string, requester fosite.Requester) error

func (*FositeSQLStore) CreatePKCERequestSession 

func (s *FositeSQLStore) CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error

func (*FositeSQLStore) CreateRefreshTokenSession 

func (s *FositeSQLStore) CreateRefreshTokenSession(ctx context.Context, signature string, requester fosite.Requester) error

func (*FositeSQLStore) CreateSchemas 

func (s *FositeSQLStore) CreateSchemas(dbName string) (int, error)

func (*FositeSQLStore) DeleteAccessTokenSession 

func (s *FositeSQLStore) DeleteAccessTokenSession(ctx context.Context, signature string) error

func (*FositeSQLStore) DeleteClient 

func (s *FositeSQLStore) DeleteClient(ctx context.Context, id string) error

func (*FositeSQLStore) DeleteOpenIDConnectSession 

func (s *FositeSQLStore) DeleteOpenIDConnectSession(ctx context.Context, signature string) error

func (*FositeSQLStore) DeletePKCERequestSession 

func (s *FositeSQLStore) DeletePKCERequestSession(ctx context.Context, signature string) error

func (*FositeSQLStore) DeleteRefreshTokenSession 

func (s *FositeSQLStore) DeleteRefreshTokenSession(ctx context.Context, signature string) error

func (*FositeSQLStore) FlushInactiveAccessTokens 

func (s *FositeSQLStore) FlushInactiveAccessTokens(ctx context.Context, notAfter time.Time) error

func (*FositeSQLStore) GetAccessTokenSession 

func (s *FositeSQLStore) GetAccessTokenSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error)

func (*FositeSQLStore) GetAuthorizeCodeSession 

func (s *FositeSQLStore) GetAuthorizeCodeSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error)

func (*FositeSQLStore) GetClient 

func (s *FositeSQLStore) GetClient(ctx context.Context, id string) (fosite.Client, error)

func (*FositeSQLStore) GetClients 

func (s *FositeSQLStore) GetClients(ctx context.Context, limit, offset int) (map[string]client.Client, error)

func (*FositeSQLStore) GetConcreteClient 

func (s *FositeSQLStore) GetConcreteClient(ctx context.Context, id string) (*client.Client, error)

func (*FositeSQLStore) GetOpenIDConnectSession 

func (s *FositeSQLStore) GetOpenIDConnectSession(ctx context.Context, signature string, requester fosite.Requester) (fosite.Requester, error)

func (*FositeSQLStore) GetPKCERequestSession 

func (s *FositeSQLStore) GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error)

func (*FositeSQLStore) GetRefreshTokenSession 

func (s *FositeSQLStore) GetRefreshTokenSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error)

func (*FositeSQLStore) InvalidateAuthorizeCodeSession 

func (s *FositeSQLStore) InvalidateAuthorizeCodeSession(ctx context.Context, signature string) error

func (*FositeSQLStore) PlanMigration 

func (s *FositeSQLStore) PlanMigration(dbName string) ([]*migrate.PlannedMigration, error)

func (*FositeSQLStore) RevokeAccessToken 

func (s *FositeSQLStore) RevokeAccessToken(ctx context.Context, id string) error

func (*FositeSQLStore) RevokeRefreshToken 

func (s *FositeSQLStore) RevokeRefreshToken(ctx context.Context, id string) error

func (*FositeSQLStore) Rollback 

func (s *FositeSQLStore) Rollback(ctx context.Context) error

func (*FositeSQLStore) UpdateClient 

func (s *FositeSQLStore) UpdateClient(ctx context.Context, c *client.Client) error

type Handler 

type Handler struct {
	// contains filtered or unexported fields
}

func NewHandler 

func NewHandler(r InternalRegistry, c Configuration) *Handler

func (*Handler) AuthHandler 

func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route GET /oauth2/auth public oauthAuth

The OAuth 2.0 authorize endpoint

This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows. OAuth2 is a very popular protocol and a library for your programming language will exists.

To learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749 

Consumes:
- application/x-www-form-urlencoded

Schemes: http, https

Responses:
  302: emptyResponse
  401: genericError
  500: genericError

func (*Handler) DefaultErrorHandler 

func (h *Handler) DefaultErrorHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

func (*Handler) FlushHandler 

func (h *Handler) FlushHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route POST /oauth2/flush admin flushInactiveOAuth2Tokens

Flush Expired OAuth2 Access Tokens

This endpoint flushes expired OAuth2 access tokens from the database. You can set a time after which no tokens will be not be touched, in case you want to keep recent tokens for auditing. Refresh tokens can not be flushed as they are deleted automatically when performing the refresh flow. 

Consumes:
- application/json

Schemes: http, https

Responses:
  204: emptyResponse
  401: genericError
  500: genericError

func (*Handler) IntrospectHandler 

func (h *Handler) IntrospectHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route POST /oauth2/introspect admin introspectOAuth2Token

Introspect OAuth2 tokens

The introspection endpoint allows to check if a token (both refresh and access) is active or not. An active token is neither expired nor revoked. If a token is active, additional information on the token will be included. You can set additional data for a token by setting `accessTokenExtra` during the consent flow.

For more information [read this blog post](https://www.oauth.com/oauth2-servers/token-introspection-endpoint/). 

Consumes:
- application/x-www-form-urlencoded

Produces:
- application/json

Schemes: http, https

Security:
  basic:
  oauth2:

Responses:
  200: oAuth2TokenIntrospection
  401: genericError
  500: genericError

func (*Handler) LogoutHandler 

func (h *Handler) LogoutHandler(w http.ResponseWriter, r *http.Request, ps httprouter.Params)

swagger:route GET /oauth2/sessions/logout public disconnectUser

OpenID Connect Front-Backchannel enabled Logout

This endpoint initiates and completes user logout at ORY Hydra and initiates OpenID Connect Front-/Back-channel logout:

- https://openid.net/specs/openid-connect-frontchannel-1_0.html - https://openid.net/specs/openid-connect-backchannel-1_0.html 

Schemes: http, https

Responses:
  302: emptyResponse

func (*Handler) RevocationHandler 

func (h *Handler) RevocationHandler(w http.ResponseWriter, r *http.Request)

swagger:route POST /oauth2/revoke public revokeOAuth2Token

Revoke OAuth2 tokens

Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no longer be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token. Revoking a refresh token also invalidates the access token that was created with it. A token may only be revoked by the client the token was generated for. 

Consumes:
- application/x-www-form-urlencoded

Schemes: http, https

Security:
  basic:
  oauth2:

Responses:
  200: emptyResponse
  401: genericError
  500: genericError

func (*Handler) SetRoutes 

func (h *Handler) SetRoutes(admin *x.RouterAdmin, public *x.RouterPublic, corsMiddleware func(http.Handler) http.Handler)

func (*Handler) TokenHandler 

func (h *Handler) TokenHandler(w http.ResponseWriter, r *http.Request)

swagger:route POST /oauth2/token public oauth2Token

The OAuth 2.0 token endpoint

The client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" HTTP request entity-body.

> Do not implement a client for this endpoint yourself. Use a library. There are many libraries > available for any programming language. You can find a list of libraries here: https://oauth.net/code/ > > Do not the the Hydra SDK does not implement this endpoint properly. Use one of the libraries listed above! 

Consumes:
- application/x-www-form-urlencoded

Produces:
- application/json

Schemes: http, https

Security:
  basic:
  oauth2:

Responses:
  200: oauth2TokenResponse
  401: genericError
  500: genericError

func (*Handler) UserinfoHandler 

func (h *Handler) UserinfoHandler(w http.ResponseWriter, r *http.Request)

swagger:route GET /userinfo public userinfo

OpenID Connect Userinfo

This endpoint returns the payload of the ID Token, including the idTokenExtra values, of the provided OAuth 2.0 Access Token.

For more information please [refer to the spec](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo). 

Produces:
- application/json

Schemes: http, https

Security:
  oauth2:

Responses:
  200: userinfoResponse
  401: genericError
  500: genericError

func (*Handler) WellKnownHandler 

func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request)

swagger:route GET /.well-known/openid-configuration public discoverOpenIDConfiguration

OpenID Connect Discovery

The well known endpoint an be used to retrieve information for OpenID Connect clients. We encourage you to not roll your own OpenID Connect client but to use an OpenID Connect client library instead. You can learn more on this flow at https://openid.net/specs/openid-connect-discovery-1_0.html .

Popular libraries for OpenID Connect clients include oidc-client-js (JavaScript), go-oidc (Golang), and others. For a full list of clients go here: https://openid.net/developers/certified/ 

Produces:
- application/json

Schemes: http, https

Responses:
  200: wellKnown
  401: genericError
  500: genericError

type InternalRegistry 

type InternalRegistry interface {
	client.Registry
	x.RegistryWriter
	x.RegistryLogger
	consent.Registry
	Registry
}

type Introspection 

type Introspection struct {
	// Active is a boolean indicator of whether or not the presented token
	// is currently active.  The specifics of a token's "active" state
	// will vary depending on the implementation of the authorization
	// server and the information it keeps about its tokens, but a "true"
	// value return for the "active" property will generally indicate
	// that a given token has been issued by this authorization server,
	// has not been revoked by the resource owner, and is within its
	// given time window of validity (e.g., after its issuance time and
	// before its expiration time).
	//
	// required: true
	Active bool `json:"active"`

	// Scope is a JSON string containing a space-separated list of
	// scopes associated with this token.
	Scope string `json:"scope,omitempty"`

	// ClientID is aclient identifier for the OAuth 2.0 client that
	// requested this token.
	ClientID string `json:"client_id,omitempty"`

	// Subject of the token, as defined in JWT [RFC7519].
	// Usually a machine-readable identifier of the resource owner who
	// authorized this token.
	Subject string `json:"sub,omitempty"`

	// ObfuscatedSubject is set when the subject identifier algorithm was set to "pairwise" during authorization.
	// It is the `sub` value of the ID Token that was issued.
	ObfuscatedSubject string `json:"obfuscated_subject,omitempty"`

	// Expires at is an integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token will expire.
	ExpiresAt int64 `json:"exp,omitempty"`

	// Issued at is an integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token was
	// originally issued.
	IssuedAt int64 `json:"iat,omitempty"`

	// NotBefore is an integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token is not to be
	// used before.
	NotBefore int64 `json:"nbf,omitempty"`

	// Username is a human-readable identifier for the resource owner who
	// authorized this token.
	Username string `json:"username,omitempty"`

	// Audience contains a list of the token's intended audiences.
	Audience []string `json:"aud,omitempty"`

	// IssuerURL is a string representing the issuer of this token
	Issuer string `json:"iss,omitempty"`

	// TokenType is the introspected token's type, for example `access_token` or `refresh_token`.
	TokenType string `json:"token_type,omitempty"`

	// Extra is arbitrary data set by the session.
	Extra map[string]interface{} `json:"ext,omitempty"`
}

Introspection contains an access token's session data as specified by IETF RFC 7662, see: https://tools.ietf.org/html/rfc7662 swagger:model oAuth2TokenIntrospection

type Registry 

type Registry interface {
	OAuth2Storage() x.FositeStorer
	OAuth2Provider() fosite.OAuth2Provider
	AudienceStrategy() fosite.AudienceMatchingStrategy
	ScopeStrategy() fosite.ScopeStrategy

	AccessTokenJWTStrategy() jwk.JWTStrategy
	OpenIDJWTStrategy() jwk.JWTStrategy

	OpenIDConnectRequestValidator() *openid.OpenIDConnectRequestValidator
}

type Session 

type Session struct {
	*openid.DefaultSession `json:"idToken"`
	Extra                  map[string]interface{} `json:"extra"`
	KID                    string
	ClientID               string
	ConsentChallenge       string
}

func NewSession 

func NewSession(subject string) *Session

func (*Session) Clone 

func (s *Session) Clone() fosite.Session

func (*Session) GetJWTClaims 

func (s *Session) GetJWTClaims() jwt.JWTClaimsContainer

func (*Session) GetJWTHeader 

func (s *Session) GetJWTHeader() *jwt.Headers

type WellKnown 

type WellKnown struct {
	// URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier.
	// If IssuerURL discovery is supported , this value MUST be identical to the issuer value returned
	// by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL.
	//
	// required: true
	// example: https://playground.ory.sh/ory-hydra/public/
	Issuer string `json:"issuer"`

	// URL of the OP's OAuth 2.0 Authorization Endpoint.
	//
	// required: true
	// example: https://playground.ory.sh/ory-hydra/public/oauth2/auth
	AuthURL string `json:"authorization_endpoint"`

	// URL of the OP's Dynamic Client Registration Endpoint.
	// example: https://playground.ory.sh/ory-hydra/admin/client
	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`

	// URL of the OP's OAuth 2.0 Token Endpoint
	//
	// required: true
	// example: https://playground.ory.sh/ory-hydra/public/oauth2/token
	TokenURL string `json:"token_endpoint"`

	// URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
	// signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
	// to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
	// parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
	// Although some algorithms allow the same key to be used for both signatures and encryption, doing so is
	// NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
	// keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
	//
	// required: true
	// example: https://playground.ory.sh/ory-hydra/public/.well-known/jwks.json
	JWKsURI string `json:"jwks_uri"`

	// JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include
	// pairwise and public.
	//
	// required: true
	// example: public, pairwise
	SubjectTypes []string `json:"subject_types_supported"`

	// JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID
	// Providers MUST support the code, id_token, and the token id_token Response Type values.
	//
	// required: true
	ResponseTypes []string `json:"response_types_supported"`

	// JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
	// values for. Note that for privacy or other reasons, this might not be an exhaustive list.
	ClaimsSupported []string `json:"claims_supported"`

	// JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.
	GrantTypesSupported []string `json:"grant_types_supported"`

	// JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports.
	ResponseModesSupported []string `json:"response_modes_supported"`

	// URL of the OP's UserInfo Endpoint.
	UserinfoEndpoint string `json:"userinfo_endpoint"`

	// SON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST
	// support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used
	ScopesSupported []string `json:"scopes_supported"`

	// JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are
	// client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`

	// 	JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].
	UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported"`

	// JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token
	// to encode the Claims in a JWT.
	//
	// required: true
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`

	// 	Boolean value specifying whether the OP supports use of the request parameter, with true indicating support.
	RequestParameterSupported bool `json:"request_parameter_supported"`

	// Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support.
	RequestURIParameterSupported bool `json:"request_uri_parameter_supported"`

	// Boolean value specifying whether the OP requires any request_uri values used to be pre-registered
	// using the request_uris registration parameter.
	RequireRequestURIRegistration bool `json:"require_request_uri_registration"`

	// Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.
	ClaimsParameterSupported bool `json:"claims_parameter_supported"`

	// URL of the authorization server's OAuth 2.0 revocation endpoint.
	RevocationEndpoint string `json:"revocation_endpoint"`

	// Boolean value specifying whether the OP supports back-channel logout, with true indicating support.
	BackChannelLogoutSupported bool `json:"backchannel_logout_supported"`

	// Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP
	// session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP
	BackChannelLogoutSessionSupported bool `json:"backchannel_logout_session_supported"`

	// Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support.
	FrontChannelLogoutSupported bool `json:"frontchannel_logout_supported"`

	// Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify
	// the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also
	// included in ID Tokens issued by the OP.
	FrontChannelLogoutSessionSupported bool `json:"frontchannel_logout_session_supported"`

	// URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.
	EndSessionEndpoint string `json:"end_session_endpoint"`
}

WellKnown represents important OpenID Connect discovery metadata

It includes links to several endpoints (e.g. /oauth2/token) and exposes information on supported signature algorithms among others.

swagger:model wellKnown

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.