oidc

package
v0.8.0-alpha.4.pre.1 Latest Latest
Published: Dec 12, 2021 License: Apache-2.0 Imports: 60 Imported by: 1


Constants

// RouteBase is the path prefix shared by every endpoint of the oidc self-service method.
const RouteBase = "/self-service/methods/oidc"

// The remaining routes are mounted beneath RouteBase.
const (
	// RouteAuth initiates authentication; the :flow path parameter carries the flow ID.
	RouteAuth = RouteBase + "/auth/:flow"

	// RouteCallback is the redirect URI the provider returns the user to;
	// the :provider path parameter selects the Configuration to use.
	RouteCallback = RouteBase + "/callback/:provider"
)

Variables

var (
	// ErrScopeMissing is returned when the provider did not grant a scope this
	// method requires. The WithError text is the internal message; the WithReasonf
	// text is what the end user sees.
	ErrScopeMissing = herodot.ErrBadRequest.
					WithError("authentication failed because a required scope was not granted").
					WithReasonf(`Unable to finish because one or more permissions were not granted. Please retry and accept all permissions.`)

	// ErrIDTokenMissing is returned when the token exchange did not yield an
	// id_token, which the user-facing reason attributes to the "openid" scope
	// not having been accepted.
	ErrIDTokenMissing = herodot.ErrBadRequest.
						WithError("authentication failed because id_token is missing").
						WithReasonf(`Authentication failed because no id_token was returned. Please accept the "openid" permission and try again.`)

	// ErrAPIFlowNotSupported is returned when the oidc method is used from an
	// API-initiated flow; only browser-initiated flows are supported.
	ErrAPIFlowNotSupported = herodot.ErrBadRequest.WithError("API-based flows are not supported for this method").
							WithReasonf("Social Sign In and OpenID Connect are only supported for flows initiated using the Browser endpoint.")
)
// ConnectionExistValidationError is the schema validation error raised in the
// settings flow when a link request names a provider that is unknown or is
// already linked to the identity. InstancePtr "#/" points at the whole payload.
var ConnectionExistValidationError = &jsonschema.ValidationError{
	Message: "can not link unknown or already existing OpenID Connect connection", InstancePtr: "#/"}
// UnknownConnectionValidationError is the schema validation error raised in the
// settings flow when an unlink request names a provider connection the identity
// does not have. InstancePtr "#/" points at the whole payload.
var UnknownConnectionValidationError = &jsonschema.ValidationError{
	Message: "can not unlink non-existing OpenID Connect connection", InstancePtr: "#/"}

Functions

func AddProvider

func AddProvider(c *container.Container, providerID string, message *text.Message)

func AddProviders

func AddProviders(c *container.Container, providers []Configuration, message func(provider string) *text.Message)

func NewCredentials

func NewCredentials(idToken, accessToken, refreshToken, provider, subject string) (*identity.Credentials, error)

func NewLinkNode

func NewLinkNode(provider string) *node.Node

func NewUnlinkNode

func NewUnlinkNode(provider string) *node.Node

Types

type Claims

// Claims holds the user profile claims a Provider extracts from the token
// exchange (see Provider.Claims). The json tags are the claim names as sent by
// the provider; every field is omitempty, so a zero value means the provider
// did not supply that claim. Most fields mirror the OpenID Connect standard
// claims; the non-standard ones are commented individually below.
type Claims struct {
	// Issuer identifies the provider that issued the claims (iss).
	Issuer              string               `json:"iss,omitempty"`
	// Subject is the provider-scoped user identifier (sub). It is the stable
	// identity key for this provider; presumably what NewCredentials receives
	// as subject — verify in the Strategy.
	Subject             string               `json:"sub,omitempty"`
	Name                string               `json:"name,omitempty"`
	GivenName           string               `json:"given_name,omitempty"`
	FamilyName          string               `json:"family_name,omitempty"`
	// LastName is not a standard OIDC claim; some provider sends it instead of
	// family_name — which one is not visible here.
	LastName            string               `json:"last_name,omitempty"`
	MiddleName          string               `json:"middle_name,omitempty"`
	Nickname            string               `json:"nickname,omitempty"`
	PreferredUsername   string               `json:"preferred_username,omitempty"`
	Profile             string               `json:"profile,omitempty"`
	Picture             string               `json:"picture,omitempty"`
	Website             string               `json:"website,omitempty"`
	Email               string               `json:"email,omitempty"`
	// EmailVerified is typed x.ConvertibleBoolean because Apple sends
	// email_verified as a string rather than a JSON boolean. A mapper that
	// keys identity data on Email should consult this flag first; nothing on
	// this page shows it being enforced automatically.
	EmailVerified       x.ConvertibleBoolean `json:"email_verified,omitempty"`
	Gender              string               `json:"gender,omitempty"`
	Birthdate           string               `json:"birthdate,omitempty"`
	Zoneinfo            string               `json:"zoneinfo,omitempty"`
	Locale              string               `json:"locale,omitempty"`
	PhoneNumber         string               `json:"phone_number,omitempty"`
	// PhoneNumberVerified is a plain bool, unlike EmailVerified.
	PhoneNumberVerified bool                 `json:"phone_number_verified,omitempty"`
	// UpdatedAt is the updated_at claim; OIDC defines it as seconds since the
	// epoch, but the unit each provider actually sends is not verified here.
	UpdatedAt           int64                `json:"updated_at,omitempty"`
	// HD is a provider-specific claim (hd); presumably Google's hosted-domain
	// claim — confirm against the Google provider before relying on it.
	HD                  string               `json:"hd,omitempty"`
	// Team is a provider-specific claim (team); which provider sets it is not
	// visible on this page.
	Team                string               `json:"team,omitempty"`
}

x.ConvertibleBoolean is used for EmailVerified because Apple sends the email_verified field as a string rather than a JSON boolean.

type Configuration

// Configuration describes one configured OpenID Connect / OAuth 2.0 provider.
// It is decoded from the method's `providers` list (see ConfigurationCollection);
// which fields are required depends on the value of Provider, as noted per field.
// ClientSecret and PrivateKey are credentials and must be kept out of logs,
// error messages and API responses.
type Configuration struct {
	// ID is the provider's ID
	ID string `json:"id"`

	// Provider is either "generic" for a generic OAuth 2.0 / OpenID Connect Provider or one of:
	// - generic
	// - google
	// - github
	// - github-app
	// - gitlab
	// - microsoft
	// - discord
	// - slack
	// - facebook
	// - vk
	// - yandex
	// - apple
	//
	// NOTE(review): this package also declares ProviderAuth0 and ProviderSpotify, which are
	// not in the list above — confirm the accepted values against the code that selects
	// the provider implementation.
	Provider string `json:"provider"`

	// Label represents an optional label which can be used in the UI generation.
	Label string `json:"label"`

	// ClientID is the application's Client ID.
	ClientID string `json:"client_id"`

	// ClientSecret is the application's secret. It authenticates this application
	// to the provider; treat it as a secret.
	ClientSecret string `json:"client_secret"`

	// IssuerURL is the OpenID Connect Server URL. You can leave this empty if `provider` is not set to `generic`.
	// If set, neither `auth_url` nor `token_url` are required.
	IssuerURL string `json:"issuer_url"`

	// AuthURL is the authorize url, typically something like: https://example.org/oauth2/auth
	// Should only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when
	// `provider` is set to `generic`.
	AuthURL string `json:"auth_url"`

	// TokenURL is the token url, typically something like: https://example.org/oauth2/token
	// Should only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when
	// `provider` is set to `generic`.
	TokenURL string `json:"token_url"`

	// Tenant is the Azure AD Tenant to use for authentication, and must be set when `provider` is set to `microsoft`.
	// Can be either `common`, `organizations`, `consumers` for a multitenant application or a specific tenant like
	// `8eaef023-2b34-4da1-9baa-8bc8c9d6a490` or `contoso.onmicrosoft.com`.
	Tenant string `json:"tenant"`

	// TeamId is the Apple Developer Team ID that's needed for the `apple` `provider` to work.
	// It can be found on the Apple Developer website and, combined with `private_key` and `private_key_id`,
	// is used to generate `client_secret`.
	TeamId string `json:"team_id"`

	// PrivateKeyId is the private Apple key identifier. Keys can be generated via developer.apple.com.
	// This key should be generated with the `Sign In with Apple` option checked.
	// This is needed when `provider` is set to `apple`
	PrivateKeyId string `json:"private_key_id"`

	// PrivateKey is the Apple private key that can be downloaded during key generation.
	// Together with `team_id` and `private_key_id` it is used to generate the Apple `client_secret`.
	// This is needed when `provider` is set to `apple`; treat it as a secret.
	PrivateKey string `json:"private_key"`

	// Scope specifies optional requested permissions.
	Scope []string `json:"scope"`

	// Mapper specifies the JSONNet code snippet which uses the OpenID Connect Provider's data (e.g. GitHub or Google
	// profile information) to hydrate the identity's data.
	//
	// It can be either a URL (file://, http(s)://, base64://) or an inline JSONNet code snippet.
	// Because the snippet decides what provider data becomes identity data, its source
	// belongs to trusted configuration and should never be derived from request input.
	Mapper string `json:"mapper_url"`

	// RequestedClaims string encoded json object that specifies claims and optionally their properties which should be
	// included in the id_token or returned from the UserInfo Endpoint.
	//
	// More information: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
	RequestedClaims json.RawMessage `json:"requested_claims"`
}

func (Configuration) Redir

func (p Configuration) Redir(public *url.URL) string

type ConfigurationCollection

// ConfigurationCollection is the decoded `providers` configuration of the oidc
// method. Its Provider method looks up an entry by Configuration.ID and
// returns the matching Provider implementation.
type ConfigurationCollection struct {
	// Providers lists every configured provider, one Configuration each.
	Providers []Configuration `json:"providers"`
}

func (ConfigurationCollection) Provider

func (c ConfigurationCollection) Provider(id string, public *url.URL) (Provider, error)

type CredentialsConfig

// CredentialsConfig is the JSON config of an identity's oidc credential,
// holding one ProviderCredentialsConfig per linked provider. It is presumably
// what NewCredentials serializes into identity.Credentials — confirm there.
type CredentialsConfig struct {
	// Providers lists the provider connections linked to the identity.
	Providers []ProviderCredentialsConfig `json:"providers"`
}

type FlowMethod

// FlowMethod is the oidc method's form container; it embeds *container.Container
// so callers use the container's API directly. Construct it with NewFlowMethod.
type FlowMethod struct {
	*container.Container
}

func NewFlowMethod

func NewFlowMethod(f *container.Container) *FlowMethod

type Provider

// Provider is the per-provider adapter the Strategy drives through an OpenID
// Connect / OAuth 2.0 flow. Implementations in this package either embed
// *ProviderGenericOIDC (Apple, Auth0, Facebook, GitLab, Google, Microsoft) or
// implement every method themselves (Discord, GitHub, GitHubApp, Slack,
// Spotify, VK, Yandex).
type Provider interface {
	// Config returns the Configuration this provider was built from.
	Config() *Configuration
	// OAuth2 returns the oauth2.Config (endpoints, client credentials, scopes)
	// used to build the authorization URL and perform the code exchange.
	OAuth2(ctx context.Context) (*oauth2.Config, error)
	// Claims turns the token obtained from the code exchange into the user's
	// Claims; whether that means verifying an ID token or calling a user-info
	// endpoint depends on the implementation.
	Claims(ctx context.Context, exchange *oauth2.Token) (*Claims, error)
	// AuthCodeURLOptions returns provider-specific options appended to the
	// authorization URL. `ider` is unexported and not visible here — presumably
	// something that exposes the flow ID; confirm before relying on it.
	AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption
}

type ProviderApple

// ProviderApple implements Provider for Sign in with Apple. It embeds
// *ProviderGenericOIDC for Config and Claims and overrides AuthCodeURLOptions
// and OAuth2; per the Configuration docs the Apple client secret is generated
// from TeamId, PrivateKeyId and PrivateKey rather than taken from ClientSecret.
type ProviderApple struct {
	*ProviderGenericOIDC
}

func NewProviderApple

func NewProviderApple(
	config *Configuration,
	public *url.URL,
) *ProviderApple

func (*ProviderApple) AuthCodeURLOptions

func (a *ProviderApple) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderApple) OAuth2

type ProviderAuth0

// ProviderAuth0 implements Provider for Auth0 on top of *ProviderGenericOIDC,
// overriding Claims and OAuth2.
type ProviderAuth0 struct {
	*ProviderGenericOIDC
}

func NewProviderAuth0

func NewProviderAuth0(
	config *Configuration,
	public *url.URL,
) *ProviderAuth0

func (*ProviderAuth0) Claims

func (g *ProviderAuth0) Claims(ctx context.Context, exchange *oauth2.Token) (*Claims, error)

func (*ProviderAuth0) OAuth2

func (g *ProviderAuth0) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderCredentialsConfig

// ProviderCredentialsConfig records one provider connection of an identity
// (see CredentialsConfig). The three Initial* fields hold the tokens obtained
// when the connection was first made; they are bearer secrets and must not be
// exposed through APIs or logs.
type ProviderCredentialsConfig struct {
	// Subject is the provider-scoped user identifier (Claims.Subject).
	Subject             string `json:"subject"`
	// Provider is the Configuration.ID of the linked provider.
	Provider            string `json:"provider"`
	// InitialIDToken is the id_token from the first exchange.
	InitialIDToken      string `json:"initial_id_token"`
	// InitialAccessToken is the access token from the first exchange.
	InitialAccessToken  string `json:"initial_access_token"`
	// InitialRefreshToken is the refresh token from the first exchange, if any.
	InitialRefreshToken string `json:"initial_refresh_token"`
}

type ProviderDiscord

// ProviderDiscord implements Provider for Discord. Unlike the OIDC-based
// providers it does not embed *ProviderGenericOIDC and implements all four
// Provider methods itself.
type ProviderDiscord struct {
	// contains filtered or unexported fields
}

func NewProviderDiscord

func NewProviderDiscord(
	config *Configuration,
	public *url.URL,
) *ProviderDiscord

func (*ProviderDiscord) AuthCodeURLOptions

func (d *ProviderDiscord) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderDiscord) Claims

func (d *ProviderDiscord) Claims(ctx context.Context, exchange *oauth2.Token) (*Claims, error)

func (*ProviderDiscord) Config

func (d *ProviderDiscord) Config() *Configuration

func (*ProviderDiscord) OAuth2

func (d *ProviderDiscord) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderFacebook

// ProviderFacebook implements Provider for Facebook on top of
// *ProviderGenericOIDC, overriding Claims and OAuth2.
type ProviderFacebook struct {
	*ProviderGenericOIDC
}

func NewProviderFacebook

func NewProviderFacebook(
	config *Configuration,
	public *url.URL,
) *ProviderFacebook

func (*ProviderFacebook) Claims

func (g *ProviderFacebook) Claims(ctx context.Context, exchange *oauth2.Token) (*Claims, error)

func (*ProviderFacebook) OAuth2

func (g *ProviderFacebook) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderGenericOIDC

// ProviderGenericOIDC is the Provider implementation for a standard OpenID
// Connect provider described by Configuration (IssuerURL or AuthURL/TokenURL).
// It implements all four Provider methods and is embedded by the Apple, Auth0,
// Facebook, GitLab, Google and Microsoft providers, which override what differs.
type ProviderGenericOIDC struct {
	// contains filtered or unexported fields
}

func NewProviderGenericOIDC

func NewProviderGenericOIDC(
	config *Configuration,
	public *url.URL,
) *ProviderGenericOIDC

func (*ProviderGenericOIDC) AuthCodeURLOptions

func (g *ProviderGenericOIDC) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderGenericOIDC) Claims

func (g *ProviderGenericOIDC) Claims(ctx context.Context, exchange *oauth2.Token) (*Claims, error)

func (*ProviderGenericOIDC) Config

func (g *ProviderGenericOIDC) Config() *Configuration

func (*ProviderGenericOIDC) OAuth2

type ProviderGitHub

// ProviderGitHub implements Provider for GitHub OAuth Apps. It does not embed
// *ProviderGenericOIDC and implements all four Provider methods itself.
type ProviderGitHub struct {
	// contains filtered or unexported fields
}

func NewProviderGitHub

func NewProviderGitHub(
	config *Configuration,
	public *url.URL,
) *ProviderGitHub

func (*ProviderGitHub) AuthCodeURLOptions

func (g *ProviderGitHub) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderGitHub) Claims

func (g *ProviderGitHub) Claims(ctx context.Context, exchange *oauth2.Token) (*Claims, error)

func (*ProviderGitHub) Config

func (g *ProviderGitHub) Config() *Configuration

func (*ProviderGitHub) OAuth2

func (g *ProviderGitHub) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderGitHubApp

// ProviderGitHubApp implements Provider for GitHub Apps (the `github-app`
// provider). It is separate from ProviderGitHub and implements all four
// Provider methods itself; what differs between the two is not visible here.
type ProviderGitHubApp struct {
	// contains filtered or unexported fields
}

func NewProviderGitHubApp

func NewProviderGitHubApp(
	config *Configuration,
	public *url.URL,
) *ProviderGitHubApp

func (*ProviderGitHubApp) AuthCodeURLOptions

func (g *ProviderGitHubApp) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderGitHubApp) Claims

func (g *ProviderGitHubApp) Claims(ctx context.Context, exchange *oauth2.Token) (*Claims, error)

func (*ProviderGitHubApp) Config

func (g *ProviderGitHubApp) Config() *Configuration

func (*ProviderGitHubApp) OAuth2

func (g *ProviderGitHubApp) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderGitLab

// ProviderGitLab implements Provider for GitLab on top of
// *ProviderGenericOIDC, overriding Claims and OAuth2.
type ProviderGitLab struct {
	*ProviderGenericOIDC
}

func NewProviderGitLab

func NewProviderGitLab(
	config *Configuration,
	public *url.URL,
) *ProviderGitLab

func (*ProviderGitLab) Claims

func (g *ProviderGitLab) Claims(ctx context.Context, exchange *oauth2.Token) (*Claims, error)

func (*ProviderGitLab) OAuth2

func (g *ProviderGitLab) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderGoogle

// ProviderGoogle implements Provider for Google. It overrides nothing and
// relies entirely on the embedded *ProviderGenericOIDC; only the constructor
// differs.
type ProviderGoogle struct {
	*ProviderGenericOIDC
}

func NewProviderGoogle

func NewProviderGoogle(
	config *Configuration,
	public *url.URL,
) *ProviderGoogle

type ProviderMicrosoft

// ProviderMicrosoft implements Provider for Azure AD on top of
// *ProviderGenericOIDC, overriding Claims and OAuth2. Configuration.Tenant
// must be set for this provider (see its field docs).
type ProviderMicrosoft struct {
	*ProviderGenericOIDC
}

func NewProviderMicrosoft

func NewProviderMicrosoft(
	config *Configuration,
	public *url.URL,
) *ProviderMicrosoft

func (*ProviderMicrosoft) Claims

func (m *ProviderMicrosoft) Claims(ctx context.Context, exchange *oauth2.Token) (*Claims, error)

func (*ProviderMicrosoft) OAuth2

func (m *ProviderMicrosoft) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderSlack

// ProviderSlack implements Provider for Slack. It does not embed
// *ProviderGenericOIDC and implements all four Provider methods itself.
type ProviderSlack struct {
	// contains filtered or unexported fields
}

func NewProviderSlack

func NewProviderSlack(
	config *Configuration,
	public *url.URL,
) *ProviderSlack

func (*ProviderSlack) AuthCodeURLOptions

func (d *ProviderSlack) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderSlack) Claims

func (d *ProviderSlack) Claims(ctx context.Context, exchange *oauth2.Token) (*Claims, error)

func (*ProviderSlack) Config

func (d *ProviderSlack) Config() *Configuration

func (*ProviderSlack) OAuth2

func (d *ProviderSlack) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderSpotify

// ProviderSpotify implements Provider for Spotify. It does not embed
// *ProviderGenericOIDC and implements all four Provider methods itself.
// Note that `spotify` is absent from the value list in Configuration.Provider's
// docs — confirm the accepted provider string.
type ProviderSpotify struct {
	// contains filtered or unexported fields
}

func NewProviderSpotify

func NewProviderSpotify(
	config *Configuration,
	public *url.URL,
) *ProviderSpotify

func (*ProviderSpotify) AuthCodeURLOptions

func (g *ProviderSpotify) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderSpotify) Claims

func (g *ProviderSpotify) Claims(ctx context.Context, exchange *oauth2.Token) (*Claims, error)

func (*ProviderSpotify) Config

func (g *ProviderSpotify) Config() *Configuration

func (*ProviderSpotify) OAuth2

func (g *ProviderSpotify) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderVK

// ProviderVK implements Provider for VK. It does not embed
// *ProviderGenericOIDC and implements all four Provider methods itself.
type ProviderVK struct {
	// contains filtered or unexported fields
}

func NewProviderVK

func NewProviderVK(
	config *Configuration,
	public *url.URL,
) *ProviderVK

func (*ProviderVK) AuthCodeURLOptions

func (g *ProviderVK) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderVK) Claims

func (g *ProviderVK) Claims(ctx context.Context, exchange *oauth2.Token) (*Claims, error)

func (*ProviderVK) Config

func (g *ProviderVK) Config() *Configuration

func (*ProviderVK) OAuth2

func (g *ProviderVK) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderYandex

// ProviderYandex implements Provider for Yandex. It does not embed
// *ProviderGenericOIDC and implements all four Provider methods itself.
type ProviderYandex struct {
	// contains filtered or unexported fields
}

func NewProviderYandex

func NewProviderYandex(
	config *Configuration,
	public *url.URL,
) *ProviderYandex

func (*ProviderYandex) AuthCodeURLOptions

func (g *ProviderYandex) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderYandex) Claims

func (g *ProviderYandex) Claims(ctx context.Context, exchange *oauth2.Token) (*Claims, error)

func (*ProviderYandex) Config

func (g *ProviderYandex) Config() *Configuration

func (*ProviderYandex) OAuth2

func (g *ProviderYandex) OAuth2(ctx context.Context) (*oauth2.Config, error)

type Strategy

// Strategy is the oidc self-service strategy. Its Register*Routes methods mount
// RouteAuth and RouteCallback, and Login, Register and Settings handle the
// browser flows; API-initiated flows are rejected with ErrAPIFlowNotSupported.
// Construct it with NewStrategy.
type Strategy struct {
	// contains filtered or unexported fields
}

Strategy implements selfservice.LoginStrategy, selfservice.RegistrationStrategy and selfservice.SettingsStrategy. It supports login, registration and settings via OpenID Connect providers.

func NewStrategy

func NewStrategy(d dependencies) *Strategy

func (*Strategy) Config

func (*Strategy) CountActiveCredentials

func (s *Strategy) CountActiveCredentials(cc map[identity.CredentialsType]identity.Credentials) (count int, err error)

func (*Strategy) ID

func (*Strategy) Login

func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, ss *session.Session) (i *identity.Identity, err error)

func (*Strategy) NodeGroup

func (s *Strategy) NodeGroup() node.Group

func (*Strategy) PopulateLoginMethod

func (s *Strategy) PopulateLoginMethod(r *http.Request, requestedAAL identity.AuthenticatorAssuranceLevel, l *login.Flow) error

func (*Strategy) PopulateRegistrationMethod

func (s *Strategy) PopulateRegistrationMethod(r *http.Request, f *registration.Flow) error

func (*Strategy) PopulateSettingsMethod

func (s *Strategy) PopulateSettingsMethod(r *http.Request, id *identity.Identity, sr *settings.Flow) error

func (*Strategy) Register

func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registration.Flow, i *identity.Identity) (err error)

func (*Strategy) RegisterLoginRoutes

func (s *Strategy) RegisterLoginRoutes(r *x.RouterPublic)

func (*Strategy) RegisterRegistrationRoutes

func (s *Strategy) RegisterRegistrationRoutes(r *x.RouterPublic)

func (*Strategy) RegisterSettingsRoutes

func (s *Strategy) RegisterSettingsRoutes(router *x.RouterPublic)

func (*Strategy) Settings

func (*Strategy) SettingsStrategyID

func (s *Strategy) SettingsStrategyID() string

type SubmitSelfServiceLoginFlowWithOidcMethodBody

type SubmitSelfServiceLoginFlowWithOidcMethodBody struct {
	// The provider to log in with; must match a Configuration.ID
	//
	// required: true
	Provider string `json:"provider"`

	// The CSRF Token protecting the browser form submission
	CSRFToken string `json:"csrf_token"`

	// Method to use
	//
	// This field must be set to `oidc` when using the oidc method.
	//
	// required: true
	Method string `json:"method"`

	// The identity traits. This is a placeholder for the registration flow.
	Traits json.RawMessage `json:"traits"`
}

SubmitSelfServiceLoginFlowWithOidcMethodBody is used to decode the login form payload when using the oidc method.

swagger:model submitSelfServiceLoginFlowWithOidcMethodBody

type SubmitSelfServiceRegistrationFlowWithOidcMethodBody

type SubmitSelfServiceRegistrationFlowWithOidcMethodBody struct {
	// The provider to register with; must match a Configuration.ID
	//
	// required: true
	Provider string `json:"provider"`

	// The CSRF Token protecting the browser form submission
	CSRFToken string `json:"csrf_token"`

	// The identity traits, submitted by the user and merged with the
	// provider data by the configured Mapper — confirm precedence in Register
	Traits json.RawMessage `json:"traits"`

	// Method to use
	//
	// This field must be set to `oidc` when using the oidc method.
	//
	// required: true
	Method string `json:"method"`
}

SubmitSelfServiceRegistrationFlowWithOidcMethodBody is used to decode the registration form payload when using the oidc method.

swagger:model submitSelfServiceRegistrationFlowWithOidcMethodBody
