oidc

package
v1.3.0
Published: Sep 26, 2024 License: Apache-2.0 Imports: 80 Imported by: 1

Documentation

Index

Constants

// Accepted values for Configuration.ClaimsSource: read the claims from the
// ID token, or call the provider's userinfo endpoint for them.
const (
	ClaimsSourceIDToken  = "id_token"
	ClaimsSourceUserInfo = "userinfo"
)
// LinkedIn REST endpoints used by ProviderLinkedIn: the profile and e-mail
// lookups (see LinkedInProfile / LinkedInEmail) and access-token introspection
// (see LinkedInIntrospection).
const (
	ProfileUrl       string = "" /* 146-byte string literal not displayed */
	EmailUrl         string = "https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))"
	IntrospectionURL string = "https://www.linkedin.com/oauth/v2/introspectToken"
)
// Public routes registered by Strategy for the OIDC self-service flows.
// RouteCallbackGeneric carries no provider path segment; it is the return URL
// that must be whitelisted at the provider when Configuration.PKCE is `force`.
const (
	RouteBase = "/self-service/methods/oidc"

	RouteAuth                 = RouteBase + "/auth/:flow"
	RouteCallback             = RouteBase + "/callback/:provider"
	RouteCallbackGeneric      = RouteBase + "/callback"
	RouteOrganizationCallback = RouteBase + "/organization/:organization/callback/:provider"
)

Variables

var (
	// ErrScopeMissing is the bad-request error returned when the upstream
	// provider did not grant a scope the flow requires.
	ErrScopeMissing = herodot.ErrBadRequest.
					WithError("authentication failed because a required scope was not granted").
					WithReasonf(`Unable to finish because one or more permissions were not granted. Please retry and accept all permissions.`)

	// ErrIDTokenMissing is the bad-request error returned when the token
	// response carried no id_token, e.g. because the `openid` scope was not
	// accepted by the user.
	ErrIDTokenMissing = herodot.ErrBadRequest.
						WithError("authentication failed because id_token is missing").
						WithReasonf(`Authentication failed because no id_token was returned. Please accept the "openid" permission and try again.`)
)
// ConnectionExistValidationError is raised on the settings flow when a link
// request names a provider connection that is unknown or already linked.
var ConnectionExistValidationError = &jsonschema.ValidationError{
	Message: "can not link unknown or already existing OpenID Connect connection", InstancePtr: "#/",
}
var (
	// UnknownConnectionValidationError is raised when an unlink request names a
	// provider connection the identity does not have.
	UnknownConnectionValidationError = &jsonschema.ValidationError{
		Message: "can not unlink non-existing OpenID Connect connection", InstancePtr: "#/",
	}
)
// UnlinkAllFirstFactorConnectionsError is raised when unlinking would leave the
// identity without any first-factor credential (compare
// Strategy.CountActiveFirstFactorCredentials).
var UnlinkAllFirstFactorConnectionsError = &jsonschema.ValidationError{
	Message: "can not unlink OpenID Connect connection because it is the last remaining first factor credential", InstancePtr: "#/",
}

Functions

func AddProvider

func AddProvider(c *container.Container, providerID string, message *text.Message)

func AddProviders

func AddProviders(c *container.Container, providers []Configuration, message func(provider string, providerId string) *text.Message)

func DecryptState added in v1.3.0

func DecryptState(ctx context.Context, c cipher.Cipher, ciphertext string) (*oidcv1.State, error)

func NewLinkNode

func NewLinkNode(providerID, providerLabel string) *node.Node

func NewUnlinkNode

func NewUnlinkNode(providerID, providerLabel string) *node.Node

func PKCEChallenge added in v1.3.0

func PKCEChallenge(s *oidcv1.State) []oauth2.AuthCodeOption

func PKCEVerifier added in v1.3.0

func PKCEVerifier(s *oidcv1.State) []oauth2.AuthCodeOption

func UpstreamParameters added in v0.13.0

func UpstreamParameters(upstreamParameters map[string]string) []oauth2.AuthCodeOption

UpstreamParameters returns a list of oauth2.AuthCodeOption based on the upstream parameters.

Only allowed parameters are returned and the rest are ignored. The allowed parameters are also defined in the `oidc/.schema/link.schema.json` file; however, this function validates them again itself, independently of the schema, to prevent any potential security issues.

Allowed parameters are:

- `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.
- `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.
- `prompt` (string): The `prompt` parameter specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.
- `auth_type` (string): The `auth_type` parameter specifies the requested authentication features (as a comma-separated list), e.g. `reauthenticate`.

Types

type AuthCodeContainer added in v1.1.0

// AuthCodeContainer is the JSON payload carried through the authorization-code
// flow: the self-service flow ID, the OAuth2 state parameter, and the traits
// and transient payload kept as raw JSON for later decoding.
type AuthCodeContainer struct {
	FlowID           string          `json:"flow_id"`
	State            string          `json:"state"`
	Traits           json.RawMessage `json:"traits"`
	TransientPayload json.RawMessage `json:"transient_payload"`
}

type Claims

// Claims is the normalized set of identity claims obtained from an upstream
// provider, read either from the ID token or from the userinfo endpoint
// (ClaimsSourceIDToken / ClaimsSourceUserInfo). Use Validate before relying on
// them.
type Claims struct {
	Issuer              string                 `json:"iss,omitempty"`
	Subject             string                 `json:"sub,omitempty"`
	Name                string                 `json:"name,omitempty"`
	GivenName           string                 `json:"given_name,omitempty"`
	FamilyName          string                 `json:"family_name,omitempty"`
	LastName            string                 `json:"last_name,omitempty"`
	MiddleName          string                 `json:"middle_name,omitempty"`
	Nickname            string                 `json:"nickname,omitempty"`
	PreferredUsername   string                 `json:"preferred_username,omitempty"`
	Profile             string                 `json:"profile,omitempty"`
	Picture             string                 `json:"picture,omitempty"`
	Website             string                 `json:"website,omitempty"`
	Email               string                 `json:"email,omitempty"`
	// EmailVerified is an x.ConvertibleBoolean because Apple sends
	// email_verified as a string rather than a JSON boolean.
	EmailVerified       x.ConvertibleBoolean   `json:"email_verified,omitempty"`
	Gender              string                 `json:"gender,omitempty"`
	Birthdate           string                 `json:"birthdate,omitempty"`
	Zoneinfo            string                 `json:"zoneinfo,omitempty"`
	// Locale has custom JSON decoding; see Locale.UnmarshalJSON.
	Locale              Locale                 `json:"locale,omitempty"`
	PhoneNumber         string                 `json:"phone_number,omitempty"`
	PhoneNumberVerified bool                   `json:"phone_number_verified,omitempty"`
	UpdatedAt           int64                  `json:"updated_at,omitempty"`
	HD                  string                 `json:"hd,omitempty"`
	Team                string                 `json:"team,omitempty"`
	Nonce               string                 `json:"nonce,omitempty"`
	// NonceSupported — NOTE(review): presumably marks whether the provider's
	// token carries a nonce at all; see NonceValidationSkipper. Confirm
	// against the callers.
	NonceSupported      bool                   `json:"nonce_supported,omitempty"`
	// RawClaims carries the provider's claims as an untyped map, alongside the
	// typed fields above.
	RawClaims           map[string]interface{} `json:"raw_claims,omitempty"`
}

x.ConvertibleBoolean is used for EmailVerified because Apple sends the email_verified field as a string rather than a boolean.

func (*Claims) Validate added in v0.11.1

func (c *Claims) Validate() error

Validate checks if the claims are valid.

type Configuration

// Configuration describes one upstream identity provider entry in
// ConfigurationCollection.Providers. Which fields are required depends on the
// value of Provider; see the per-field comments.
type Configuration struct {
	// ID is the provider's ID
	ID string `json:"id"`

	// Provider is either "generic" for a generic OAuth 2.0 / OpenID Connect Provider or one of:
	// - generic
	// - google
	// - github
	// - github-app
	// - gitlab
	// - microsoft
	// - discord
	// - salesforce
	// - slack
	// - facebook
	// - auth0
	// - vk
	// - yandex
	// - apple
	// - spotify
	// - netid
	// - dingtalk
	// - linkedin
	// - patreon
	//
	// NOTE(review): constructors also exist for Lark, LinkedIn V2 and X, so the
	// list above may be incomplete — confirm the accepted values.
	Provider string `json:"provider"`

	// Label represents an optional label which can be used in the UI generation.
	Label string `json:"label"`

	// ClientID is the application's Client ID.
	ClientID string `json:"client_id"`

	// ClientSecret is the application's secret.
	ClientSecret string `json:"client_secret"`

	// IssuerURL is the OpenID Connect Server URL. You can leave this empty if `provider` is not set to `generic`.
	// If set, neither `auth_url` nor `token_url` are required.
	IssuerURL string `json:"issuer_url"`

	// AuthURL is the authorize url, typically something like: https://example.org/oauth2/auth
	// Should only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when
	// `provider` is set to `generic`.
	AuthURL string `json:"auth_url"`

	// TokenURL is the token url, typically something like: https://example.org/oauth2/token
	// Should only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when
	// `provider` is set to `generic`.
	TokenURL string `json:"token_url"`

	// Tenant is the Azure AD Tenant to use for authentication, and must be set when `provider` is set to `microsoft`.
	// Can be either `common`, `organizations`, `consumers` for a multitenant application or a specific tenant like
	// `8eaef023-2b34-4da1-9baa-8bc8c9d6a490` or `contoso.onmicrosoft.com`.
	Tenant string `json:"microsoft_tenant"`

	// SubjectSource is a flag which controls from which endpoint the subject identifier is taken by microsoft provider.
	// Can be either `userinfo` or `me`.
	// If the value is `userinfo` then the subject identifier is taken from sub field of userinfo standard endpoint response.
	// If the value is `me` then the `id` field of https://graph.microsoft.com/v1.0/me response is taken as subject.
	// The default is `userinfo`.
	SubjectSource string `json:"subject_source"`

	// TeamId is the Apple Developer Team ID that's needed for the `apple` `provider` to work.
	// It can be found on the Apple Developer website and, combined with `apple_private_key` and `apple_private_key_id`,
	// is used to generate the `client_secret`.
	TeamId string `json:"apple_team_id"`

	// PrivateKeyId is the private Apple key identifier. Keys can be generated via developer.apple.com.
	// This key should be generated with the `Sign In with Apple` option checked.
	// This is needed when `provider` is set to `apple`
	PrivateKeyId string `json:"apple_private_key_id"`

	// PrivateKey is the Apple private key (not its identifier) that can be downloaded during key generation.
	// This is needed when `provider` is set to `apple`
	PrivateKey string `json:"apple_private_key"`

	// Scope specifies optional requested permissions.
	Scope []string `json:"scope"`

	// Mapper specifies the JSONNet code snippet which uses the OpenID Connect Provider's data (e.g. GitHub or Google
	// profile information) to hydrate the identity's data.
	//
	// It can be either a URL (file://, http(s)://, base64://) or an inline JSONNet code snippet.
	Mapper string `json:"mapper_url"`

	// RequestedClaims is a string encoded json object that specifies claims and optionally their properties that should be
	// included in the id_token or returned from the UserInfo Endpoint.
	//
	// More information: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
	RequestedClaims json.RawMessage `json:"requested_claims"`

	// An optional organization ID that this provider belongs to.
	// This parameter is only effective in the Ory Network.
	OrganizationID string `json:"organization_id"`

	// AdditionalIDTokenAudiences is a list of additional audiences allowed in the ID Token.
	// This is only relevant in OIDC flows that submit an IDToken instead of using the callback from the OIDC provider.
	AdditionalIDTokenAudiences []string `json:"additional_id_token_audiences"`

	// ClaimsSource is a flag which controls where the claims are taken from when
	// using the generic provider. Can be either `userinfo` (calls the userinfo
	// endpoint to get the claims) or `id_token` (takes the claims from the id
	// token). It defaults to `id_token`. See ClaimsSourceIDToken / ClaimsSourceUserInfo.
	ClaimsSource string `json:"claims_source"`

	// PKCE controls if the OpenID Connect OAuth2 flow should use PKCE (Proof Key for Code Exchange).
	// Possible values are: `auto` (default), `never`, `force`.
	// - `auto`: PKCE is used if the provider supports it. Requires setting `issuer_url`.
	// - `never`: Disable PKCE entirely for this provider, even if the provider advertises support for it.
	// - `force`: Always use PKCE, even if the provider does not advertise support for it. OAuth2 flows will fail if the provider does not support PKCE.
	// IMPORTANT: If you set this to `force`, you must whitelist a different return URL for your OAuth2 client in the provider's configuration.
	// Instead of <base-url>/self-service/methods/oidc/callback/<provider>, you must use <base-url>/self-service/methods/oidc/callback
	// (Note the missing <provider> path segment and no trailing slash; this is RouteCallbackGeneric).
	PKCE string `json:"pkce"`
}

func (Configuration) Redir

func (p Configuration) Redir(public *url.URL) string

type ConfigurationCollection

// ConfigurationCollection is the OIDC method's provider configuration: the base
// redirect URI plus the list of configured providers. Provider looks an entry
// up by its ID and instantiates the matching Provider implementation.
type ConfigurationCollection struct {
	BaseRedirectURI string          `json:"base_redirect_uri"`
	Providers       []Configuration `json:"providers"`
}

func (ConfigurationCollection) Provider

func (c ConfigurationCollection) Provider(id string, reg Dependencies) (Provider, error)

type FlowMethod

// FlowMethod wraps a UI node container for this method; construct it with
// NewFlowMethod.
type FlowMethod struct {
	*container.Container
}

func NewFlowMethod

func NewFlowMethod(f *container.Container) *FlowMethod

type IDTokenVerifier added in v1.1.0

// IDTokenVerifier is implemented by providers that can verify a raw ID token
// and return the claims it carries (see ProviderApple.Verify and
// ProviderGoogle.Verify).
type IDTokenVerifier interface {
	Verify(ctx context.Context, rawIDToken string) (*Claims, error)
}

type LinkedInEmail added in v0.13.0

// LinkedInEmail mirrors the response of EmailUrl (the `elements*(handle~)`
// projection); it is returned by ProviderLinkedIn.Email.
type LinkedInEmail struct {
	Elements []struct {
		Handle struct {
			EmailAddress string `json:"emailAddress"`
		} `json:"handle~"`
		HandleUrn string `json:"handle"`
	} `json:"elements"`
}

type LinkedInIntrospection added in v0.13.0

// LinkedInIntrospection mirrors the token introspection response served at
// IntrospectionURL. NOTE(review): the *At fields look like Unix-second
// timestamps stored as uint32 — confirm against the LinkedIn API.
type LinkedInIntrospection struct {
	Active       bool   `json:"active"`
	ClientID     string `json:"client_id"`
	AuthorizedAt uint32 `json:"authorized_at"`
	CreatedAt    uint32 `json:"created_at"`
	ExpiresAt    uint32 `json:"expires_at"`
	Status       string `json:"status"`
	Scope        string `json:"scope"`
	AuthType     string `json:"auth_type"`
}

type LinkedInProfile added in v0.13.0

// LinkedInProfile mirrors the profile response fetched from ProfileUrl; it is
// returned by ProviderLinkedIn.Profile. ProfilePicture is a pointer (and
// omitempty) because the picture block may be absent from the response.
type LinkedInProfile struct {
	LocalizedLastName  string `json:"localizedLastName"`
	LocalizedFirstName string `json:"localizedFirstName"`
	ProfilePicture     *struct {
		DisplayImage struct {
			Elements []struct {
				Identifiers []struct {
					Identifier string `json:"identifier"`
				} `json:"identifiers"`
			} `json:"elements"`
		} `json:"displayImage~"`
	} `json:"profilePicture,omitempty"`
	ID string `json:"id"`
}

type Locale added in v1.2.0

// Locale is the string type of the `locale` claim; it has custom JSON decoding
// (see UnmarshalJSON below).
type Locale string

func (*Locale) UnmarshalJSON added in v1.2.0

func (l *Locale) UnmarshalJSON(data []byte) error

type MetadataType added in v0.11.0

// MetadataType names a section of identity metadata. NOTE(review): presumably
// these constants are the keys under which the JSONNet mapper output
// (Configuration.Mapper) addresses verified addresses and public/admin
// metadata — confirm against the strategy code.
type MetadataType string
const (
	VerifiedAddressesKey = "identity.verified_addresses"

	PublicMetadata MetadataType = "identity.metadata_public"
	AdminMetadata  MetadataType = "identity.metadata_admin"
)

type NonceValidationSkipper added in v1.1.0

// NonceValidationSkipper is implemented by providers (ProviderApple,
// ProviderGoogle) that can decide, from the claims, whether nonce validation
// may be skipped for a given token.
type NonceValidationSkipper interface {
	CanSkipNonce(*Claims) bool
}

type OAuth1Provider added in v1.2.0

// OAuth1Provider is the OAuth 1.0a flavour of Provider (implemented by
// ProviderX): it builds the authorization URL, exchanges the callback request
// for a token and turns that token into Claims.
type OAuth1Provider interface {
	Provider
	OAuth1(ctx context.Context) *oauth1.Config
	AuthURL(ctx context.Context, state string) (string, error)
	Claims(ctx context.Context, token *oauth1.Token) (*Claims, error)
	ExchangeToken(ctx context.Context, req *http.Request) (*oauth1.Token, error)
}

type OAuth2Provider added in v1.2.0

// OAuth2Provider is the OAuth 2.0 / OpenID Connect flavour of Provider: it
// supplies the oauth2.Config, extra AuthCodeURL options, and maps an exchanged
// token (plus the callback query) to Claims. `ider` is an unexported type.
type OAuth2Provider interface {
	Provider
	AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption
	OAuth2(ctx context.Context) (*oauth2.Config, error)
	Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)
}

type OAuth2TokenExchanger added in v1.2.0

// OAuth2TokenExchanger exchanges an authorization code for an OAuth2 token.
// Strategy.ExchangeCode performs the same operation at the strategy level.
type OAuth2TokenExchanger interface {
	Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)
}

type PatreonIdentityResponse added in v0.13.0

// PatreonIdentityResponse mirrors the Patreon identity API response consumed
// by ProviderPatreon.Claims.
type PatreonIdentityResponse struct {
	Data struct {
		Attributes struct {
			Email     string `json:"email"`
			FirstName string `json:"first_name"`
			FullName  string `json:"full_name"`
			ImageUrl  string `json:"image_url"`
			LastName  string `json:"last_name"`
		} `json:"attributes"`
		Id   string `json:"id"`
		Type string `json:"type"`
	} `json:"data"`
}

type Provider

// Provider is the minimal interface every upstream provider implements. Flow
// behaviour is expressed through the narrower interfaces OAuth2Provider,
// OAuth1Provider, IDTokenVerifier and NonceValidationSkipper.
type Provider interface {
	Config() *Configuration
}

func NewProviderApple

func NewProviderApple(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderAuth0

func NewProviderAuth0(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderDingTalk added in v0.11.0

func NewProviderDingTalk(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderDiscord

func NewProviderDiscord(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderFacebook

func NewProviderFacebook(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderGenericOIDC

func NewProviderGenericOIDC(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderGitHub

func NewProviderGitHub(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderGitHubApp

func NewProviderGitHubApp(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderGitLab

func NewProviderGitLab(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderGoogle

func NewProviderGoogle(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderLark added in v1.0.0

func NewProviderLark(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderLinkedIn added in v0.13.0

func NewProviderLinkedIn(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderLinkedInV2 added in v1.2.0

func NewProviderLinkedInV2(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderMicrosoft

func NewProviderMicrosoft(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderNetID

func NewProviderNetID(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderPatreon added in v0.13.0

func NewProviderPatreon(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderSalesforce added in v1.3.0

func NewProviderSalesforce(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderSlack

func NewProviderSlack(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderSpotify

func NewProviderSpotify(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderVK

func NewProviderVK(
	config *Configuration,
	reg Dependencies,
) Provider

func NewProviderX added in v1.2.0

func NewProviderX(
	config *Configuration,
	reg Dependencies) Provider

func NewProviderYandex

func NewProviderYandex(
	config *Configuration,
	reg Dependencies,
) Provider

type ProviderApple

// ProviderApple embeds ProviderGenericOIDC and overrides AuthCodeURLOptions,
// Claims and OAuth2; it also implements IDTokenVerifier (Verify) and
// NonceValidationSkipper (CanSkipNonce). JWKSUrl — NOTE(review): presumably
// the key set used by Verify to check ID token signatures; confirm.
type ProviderApple struct {
	*ProviderGenericOIDC
	JWKSUrl string
}

func (*ProviderApple) AuthCodeURLOptions

func (a *ProviderApple) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderApple) CanSkipNonce added in v1.1.0

func (a *ProviderApple) CanSkipNonce(c *Claims) bool

func (*ProviderApple) Claims

func (a *ProviderApple) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)

func (*ProviderApple) DecodeQuery added in v1.1.0

func (a *ProviderApple) DecodeQuery(query url.Values, claims *Claims)

DecodeQuery decodes extra user info from Apple into the given `Claims`. The info is sent as an extra query parameter to the redirect URL. See https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple#3331292. Note that there is no way to make sure this info has not been tampered with: it arrives through the browser redirect rather than from Apple's token endpoint, so it must be treated as unverified, client-supplied data.

func (*ProviderApple) OAuth2

func (a *ProviderApple) OAuth2(ctx context.Context) (*oauth2.Config, error)

func (*ProviderApple) Verify added in v1.1.0

func (a *ProviderApple) Verify(ctx context.Context, rawIDToken string) (*Claims, error)

type ProviderAuth0

// ProviderAuth0 embeds ProviderGenericOIDC and overrides Claims and OAuth2.
type ProviderAuth0 struct {
	*ProviderGenericOIDC
}

func (*ProviderAuth0) Claims

func (g *ProviderAuth0) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)

func (*ProviderAuth0) OAuth2

func (g *ProviderAuth0) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderDingTalk added in v0.11.0

// ProviderDingTalk implements OAuth2Provider (Config, OAuth2, Claims,
// AuthCodeURLOptions) for DingTalk and additionally exposes
// ExchangeOAuth2Token for the code-for-token exchange.
type ProviderDingTalk struct {
	// contains filtered or unexported fields
}

func (*ProviderDingTalk) AuthCodeURLOptions added in v0.11.0

func (g *ProviderDingTalk) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderDingTalk) Claims added in v0.11.0

func (g *ProviderDingTalk) Claims(ctx context.Context, exchange *oauth2.Token, _ url.Values) (*Claims, error)

func (*ProviderDingTalk) Config added in v0.11.0

func (g *ProviderDingTalk) Config() *Configuration

func (*ProviderDingTalk) ExchangeOAuth2Token added in v1.2.0

func (g *ProviderDingTalk) ExchangeOAuth2Token(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)

func (*ProviderDingTalk) OAuth2 added in v0.11.0

func (g *ProviderDingTalk) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderDiscord

// ProviderDiscord implements OAuth2Provider (Config, OAuth2, Claims,
// AuthCodeURLOptions) for Discord.
type ProviderDiscord struct {
	// contains filtered or unexported fields
}

func (*ProviderDiscord) AuthCodeURLOptions

func (d *ProviderDiscord) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderDiscord) Claims

func (d *ProviderDiscord) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)

func (*ProviderDiscord) Config

func (d *ProviderDiscord) Config() *Configuration

func (*ProviderDiscord) OAuth2

func (d *ProviderDiscord) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderFacebook

// ProviderFacebook embeds ProviderGenericOIDC and overrides Claims and OAuth2.
type ProviderFacebook struct {
	*ProviderGenericOIDC
}

func (*ProviderFacebook) Claims

func (g *ProviderFacebook) Claims(ctx context.Context, token *oauth2.Token, query url.Values) (*Claims, error)

func (*ProviderFacebook) OAuth2

func (g *ProviderFacebook) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderGenericOIDC

// ProviderGenericOIDC is the generic OAuth 2.0 / OpenID Connect provider and
// the base embedded by the Apple, Auth0, Facebook, GitLab, Google, Lark,
// Microsoft, NetID and Salesforce providers, which override selected methods.
type ProviderGenericOIDC struct {
	// contains filtered or unexported fields
}

func (*ProviderGenericOIDC) AuthCodeURLOptions

func (g *ProviderGenericOIDC) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderGenericOIDC) Claims

func (g *ProviderGenericOIDC) Claims(ctx context.Context, exchange *oauth2.Token, _ url.Values) (*Claims, error)

func (*ProviderGenericOIDC) Config

func (g *ProviderGenericOIDC) Config() *Configuration

func (*ProviderGenericOIDC) OAuth2

type ProviderGitHub

// ProviderGitHub implements OAuth2Provider (Config, OAuth2, Claims,
// AuthCodeURLOptions) for GitHub OAuth apps; see ProviderGitHubApp for
// GitHub Apps.
type ProviderGitHub struct {
	// contains filtered or unexported fields
}

func (*ProviderGitHub) AuthCodeURLOptions

func (g *ProviderGitHub) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderGitHub) Claims

func (g *ProviderGitHub) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)

func (*ProviderGitHub) Config

func (g *ProviderGitHub) Config() *Configuration

func (*ProviderGitHub) OAuth2

func (g *ProviderGitHub) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderGitHubApp

// ProviderGitHubApp implements OAuth2Provider (Config, OAuth2, Claims,
// AuthCodeURLOptions) for GitHub Apps (`github-app`).
type ProviderGitHubApp struct {
	// contains filtered or unexported fields
}

func (*ProviderGitHubApp) AuthCodeURLOptions

func (g *ProviderGitHubApp) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderGitHubApp) Claims

func (g *ProviderGitHubApp) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)

func (*ProviderGitHubApp) Config

func (g *ProviderGitHubApp) Config() *Configuration

func (*ProviderGitHubApp) OAuth2

func (g *ProviderGitHubApp) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderGitLab

// ProviderGitLab embeds ProviderGenericOIDC and overrides Claims and OAuth2.
type ProviderGitLab struct {
	*ProviderGenericOIDC
}

func (*ProviderGitLab) Claims

func (g *ProviderGitLab) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)

func (*ProviderGitLab) OAuth2

func (g *ProviderGitLab) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderGoogle

// ProviderGoogle embeds ProviderGenericOIDC and overrides AuthCodeURLOptions
// and OAuth2; it also implements IDTokenVerifier (Verify) and
// NonceValidationSkipper (CanSkipNonce). JWKSUrl — NOTE(review): presumably
// the key set used by Verify to check ID token signatures; confirm.
type ProviderGoogle struct {
	*ProviderGenericOIDC
	JWKSUrl string
}

func (*ProviderGoogle) AuthCodeURLOptions added in v0.13.0

func (g *ProviderGoogle) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderGoogle) CanSkipNonce added in v1.1.0

func (a *ProviderGoogle) CanSkipNonce(c *Claims) bool

func (*ProviderGoogle) OAuth2 added in v0.13.0

func (g *ProviderGoogle) OAuth2(ctx context.Context) (*oauth2.Config, error)

func (*ProviderGoogle) Verify added in v1.1.0

func (p *ProviderGoogle) Verify(ctx context.Context, rawIDToken string) (*Claims, error)

type ProviderLark added in v1.0.0

// ProviderLark embeds ProviderGenericOIDC and overrides AuthCodeURLOptions,
// Claims, Config and OAuth2.
type ProviderLark struct {
	*ProviderGenericOIDC
}

func (*ProviderLark) AuthCodeURLOptions added in v1.0.0

func (pl *ProviderLark) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderLark) Claims added in v1.0.0

func (g *ProviderLark) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)

func (*ProviderLark) Config added in v1.0.0

func (g *ProviderLark) Config() *Configuration

func (*ProviderLark) OAuth2 added in v1.0.0

func (g *ProviderLark) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderLinkedIn added in v0.13.0

// ProviderLinkedIn implements OAuth2Provider (Config, OAuth2, Claims,
// AuthCodeURLOptions) for LinkedIn and exposes the Email, Profile and
// ProfilePicture helpers that back Claims (see EmailUrl / ProfileUrl).
type ProviderLinkedIn struct {
	// contains filtered or unexported fields
}

func (*ProviderLinkedIn) AuthCodeURLOptions added in v0.13.0

func (l *ProviderLinkedIn) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderLinkedIn) Claims added in v0.13.0

func (l *ProviderLinkedIn) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (_ *Claims, err error)

func (*ProviderLinkedIn) Config added in v0.13.0

func (l *ProviderLinkedIn) Config() *Configuration

func (*ProviderLinkedIn) Email added in v0.13.0

func (l *ProviderLinkedIn) Email(ctx context.Context, client *retryablehttp.Client) (*LinkedInEmail, error)

func (*ProviderLinkedIn) OAuth2 added in v0.13.0

func (l *ProviderLinkedIn) OAuth2(ctx context.Context) (*oauth2.Config, error)

func (*ProviderLinkedIn) Profile added in v0.13.0

func (l *ProviderLinkedIn) Profile(ctx context.Context, client *retryablehttp.Client) (*LinkedInProfile, error)

func (*ProviderLinkedIn) ProfilePicture added in v0.13.0

func (l *ProviderLinkedIn) ProfilePicture(profile *LinkedInProfile) string

type ProviderMicrosoft

// ProviderMicrosoft embeds ProviderGenericOIDC and overrides Claims and OAuth2;
// it is configured through Configuration.Tenant and Configuration.SubjectSource.
type ProviderMicrosoft struct {
	*ProviderGenericOIDC
}

func (*ProviderMicrosoft) Claims

func (m *ProviderMicrosoft) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)

func (*ProviderMicrosoft) OAuth2

func (m *ProviderMicrosoft) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderNetID

// ProviderNetID embeds ProviderGenericOIDC and overrides Claims and OAuth2.
type ProviderNetID struct {
	*ProviderGenericOIDC
}

func (*ProviderNetID) Claims

func (n *ProviderNetID) Claims(ctx context.Context, exchange *oauth2.Token, _ url.Values) (*Claims, error)

func (*ProviderNetID) OAuth2

func (n *ProviderNetID) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderPatreon added in v0.13.0

// ProviderPatreon implements OAuth2Provider (Config, OAuth2, Claims,
// AuthCodeURLOptions) for Patreon; Claims decodes a PatreonIdentityResponse.
type ProviderPatreon struct {
	// contains filtered or unexported fields
}

func (*ProviderPatreon) AuthCodeURLOptions added in v0.13.0

func (d *ProviderPatreon) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderPatreon) Claims added in v0.13.0

func (d *ProviderPatreon) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)

func (*ProviderPatreon) Config added in v0.13.0

func (d *ProviderPatreon) Config() *Configuration

func (*ProviderPatreon) OAuth2 added in v0.13.0

func (d *ProviderPatreon) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderSalesforce added in v1.3.0

// ProviderSalesforce embeds ProviderGenericOIDC and overrides Claims and OAuth2.
type ProviderSalesforce struct {
	*ProviderGenericOIDC
}

func (*ProviderSalesforce) Claims added in v1.3.0

func (g *ProviderSalesforce) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)

func (*ProviderSalesforce) OAuth2 added in v1.3.0

func (g *ProviderSalesforce) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderSlack

// ProviderSlack implements OAuth2Provider (Config, OAuth2, Claims,
// AuthCodeURLOptions) for Slack.
type ProviderSlack struct {
	// contains filtered or unexported fields
}

func (*ProviderSlack) AuthCodeURLOptions

func (d *ProviderSlack) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderSlack) Claims

func (d *ProviderSlack) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)

func (*ProviderSlack) Config

func (d *ProviderSlack) Config() *Configuration

func (*ProviderSlack) OAuth2

func (d *ProviderSlack) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderSpotify

// ProviderSpotify implements OAuth2Provider (Config, OAuth2, Claims,
// AuthCodeURLOptions) for Spotify.
type ProviderSpotify struct {
	// contains filtered or unexported fields
}

func (*ProviderSpotify) AuthCodeURLOptions

func (g *ProviderSpotify) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderSpotify) Claims

func (g *ProviderSpotify) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)

func (*ProviderSpotify) Config

func (g *ProviderSpotify) Config() *Configuration

func (*ProviderSpotify) OAuth2

func (g *ProviderSpotify) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderVK

// ProviderVK implements OAuth2Provider (Config, OAuth2, Claims,
// AuthCodeURLOptions) for VK.
type ProviderVK struct {
	// contains filtered or unexported fields
}

func (*ProviderVK) AuthCodeURLOptions

func (g *ProviderVK) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderVK) Claims

func (g *ProviderVK) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)

func (*ProviderVK) Config

func (g *ProviderVK) Config() *Configuration

func (*ProviderVK) OAuth2

func (g *ProviderVK) OAuth2(ctx context.Context) (*oauth2.Config, error)

type ProviderX added in v1.2.0

// ProviderX implements OAuth1Provider (Config, OAuth1, AuthURL, ExchangeToken,
// Claims) for X; CheckError inspects the callback request for an upstream
// error before the token exchange.
type ProviderX struct {
	// contains filtered or unexported fields
}

func (*ProviderX) AuthURL added in v1.2.0

func (p *ProviderX) AuthURL(ctx context.Context, state string) (_ string, err error)

func (*ProviderX) CheckError added in v1.2.0

func (p *ProviderX) CheckError(ctx context.Context, r *http.Request) error

func (*ProviderX) Claims added in v1.2.0

func (p *ProviderX) Claims(ctx context.Context, token *oauth1.Token) (*Claims, error)

func (*ProviderX) Config added in v1.2.0

func (p *ProviderX) Config() *Configuration

func (*ProviderX) ExchangeToken added in v1.2.0

func (p *ProviderX) ExchangeToken(ctx context.Context, req *http.Request) (*oauth1.Token, error)

func (*ProviderX) OAuth1 added in v1.2.0

func (p *ProviderX) OAuth1(ctx context.Context) *oauth1.Config

type ProviderYandex

// ProviderYandex implements OAuth2Provider (Config, OAuth2, Claims,
// AuthCodeURLOptions) for Yandex.
type ProviderYandex struct {
	// contains filtered or unexported fields
}

func (*ProviderYandex) AuthCodeURLOptions

func (g *ProviderYandex) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption

func (*ProviderYandex) Claims

func (g *ProviderYandex) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)

func (*ProviderYandex) Config

func (g *ProviderYandex) Config() *Configuration

func (*ProviderYandex) OAuth2

func (g *ProviderYandex) OAuth2(ctx context.Context) (*oauth2.Config, error)

type Strategy

// Strategy implements selfservice.LoginStrategy, selfservice.RegistrationStrategy
// and selfservice.SettingsStrategy for login, registration and settings via
// OpenID Connect providers. It registers the Route* constants on the public
// router and handles the provider callback in HandleCallback.
type Strategy struct {
	// contains filtered or unexported fields
}

Strategy implements selfservice.LoginStrategy, selfservice.RegistrationStrategy and selfservice.SettingsStrategy. It supports login, registration and settings via OpenID Connect providers.

func NewStrategy

func NewStrategy(d any) *Strategy

func (*Strategy) CompletedAuthenticationMethod

func (s *Strategy) CompletedAuthenticationMethod(ctx context.Context) session.AuthenticationMethod

func (*Strategy) Config

func (*Strategy) CountActiveFirstFactorCredentials

func (s *Strategy) CountActiveFirstFactorCredentials(_ context.Context, cc map[identity.CredentialsType]identity.Credentials) (count int, err error)

func (*Strategy) CountActiveMultiFactorCredentials

func (s *Strategy) CountActiveMultiFactorCredentials(_ context.Context, _ map[identity.CredentialsType]identity.Credentials) (count int, err error)

func (*Strategy) ExchangeCode added in v1.1.0

func (s *Strategy) ExchangeCode(ctx context.Context, provider Provider, code string, opts []oauth2.AuthCodeOption) (token *oauth2.Token, err error)

func (*Strategy) GenerateState added in v1.3.0

func (s *Strategy) GenerateState(ctx context.Context, p Provider, flowID uuid.UUID) (stateParam string, pkce []oauth2.AuthCodeOption, err error)

func (*Strategy) HandleCallback added in v1.1.0

func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps httprouter.Params)

func (*Strategy) ID

func (s *Strategy) Link(ctx context.Context, i *identity.Identity, credentialsConfig sqlxx.JSONRawMessage) error

func (*Strategy) Login

func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, _ *session.Session) (i *identity.Identity, err error)

func (*Strategy) NodeGroup

func (s *Strategy) NodeGroup() node.UiNodeGroup

func (*Strategy) PopulateLoginMethodFirstFactor added in v1.3.0

func (s *Strategy) PopulateLoginMethodFirstFactor(r *http.Request, f *login.Flow) error

func (*Strategy) PopulateLoginMethodFirstFactorRefresh added in v1.3.0

func (s *Strategy) PopulateLoginMethodFirstFactorRefresh(r *http.Request, lf *login.Flow) error

func (*Strategy) PopulateLoginMethodIdentifierFirstCredentials added in v1.3.0

func (s *Strategy) PopulateLoginMethodIdentifierFirstCredentials(r *http.Request, f *login.Flow, mods ...login.FormHydratorModifier) (err error)

func (*Strategy) PopulateLoginMethodIdentifierFirstIdentification added in v1.3.0

func (s *Strategy) PopulateLoginMethodIdentifierFirstIdentification(r *http.Request, f *login.Flow) error

func (*Strategy) PopulateLoginMethodSecondFactor added in v1.3.0

func (s *Strategy) PopulateLoginMethodSecondFactor(r *http.Request, sr *login.Flow) error

func (*Strategy) PopulateLoginMethodSecondFactorRefresh added in v1.3.0

func (s *Strategy) PopulateLoginMethodSecondFactorRefresh(r *http.Request, sr *login.Flow) error

func (*Strategy) PopulateRegistrationMethod

func (s *Strategy) PopulateRegistrationMethod(r *http.Request, f *registration.Flow) error

func (*Strategy) PopulateSettingsMethod

func (s *Strategy) PopulateSettingsMethod(r *http.Request, id *identity.Identity, sr *settings.Flow) error

func (*Strategy) Register

func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registration.Flow, _ *identity.Identity) (err error)

func (*Strategy) RegisterLoginRoutes

func (s *Strategy) RegisterLoginRoutes(r *x.RouterPublic)

func (*Strategy) RegisterRegistrationRoutes

func (s *Strategy) RegisterRegistrationRoutes(r *x.RouterPublic)

func (*Strategy) RegisterSettingsRoutes

func (s *Strategy) RegisterSettingsRoutes(router *x.RouterPublic)

func (*Strategy) Settings

func (*Strategy) SettingsStrategyID

func (s *Strategy) SettingsStrategyID() string

func (*Strategy) ValidateCallback added in v1.1.0

type UpdateLoginFlowWithOidcMethod added in v0.11.0

type UpdateLoginFlowWithOidcMethod struct {
	// The provider to register with
	//
	// required: true
	Provider string `json:"provider"`

	// The CSRF Token
	//
	// NOTE(review): presumably checked against the flow's anti-CSRF cookie before
	// the submission is processed — confirm in the Login handler.
	CSRFToken string `json:"csrf_token"`

	// Method to use
	//
	// This field must be set to `oidc` when using the oidc method.
	//
	// required: true
	Method string `json:"method"`

	// The identity traits. This is a placeholder for the registration flow.
	Traits json.RawMessage `json:"traits"`

	// UpstreamParameters are the parameters that are passed to the upstream identity provider.
	//
	// These parameters are optional and depend on what the upstream identity provider supports.
	// Supported parameters are:
	// - `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.
	// - `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.
	// - `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.
	//
	// NOTE(review): these values are client-supplied and forwarded upstream; presumably
	// only the keys listed above are passed through — confirm in the code that builds
	// the authorization URL.
	//
	// required: false
	UpstreamParameters json.RawMessage `json:"upstream_parameters"`

	// IDToken is an optional id token provided by an OIDC provider
	//
	// If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate
	// the OIDC credentials of the identity.
	// If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use
	// the `traits` field to populate the identity's traits. Note that Apple only includes the user's email in the IDToken.
	//
	// Supported providers are
	// - Apple
	// - Google
	// required: false
	IDToken string `json:"id_token,omitempty"`

	// IDTokenNonce is the nonce, used when generating the IDToken.
	// If the provider supports nonce validation, the nonce will be validated against this value and is required.
	// Where validated, the nonce ties the submitted IDToken to the request that obtained it, so a token
	// issued for a different context does not match.
	//
	// required: false
	IDTokenNonce string `json:"id_token_nonce,omitempty"`

	// Transient data to pass along to any webhooks
	//
	// required: false
	TransientPayload json.RawMessage `json:"transient_payload,omitempty" form:"transient_payload"`
}

Update Login Flow with OpenID Connect Method

swagger:model updateLoginFlowWithOidcMethod

type UpdateRegistrationFlowWithOidcMethod added in v0.11.0

type UpdateRegistrationFlowWithOidcMethod struct {
	// The provider to register with
	//
	// required: true
	Provider string `json:"provider"`

	// The CSRF Token
	//
	// NOTE(review): presumably checked against the flow's anti-CSRF cookie before
	// the submission is processed — confirm in the Register handler.
	CSRFToken string `json:"csrf_token"`

	// The identity traits
	//
	// Client-supplied; presumably validated against the identity schema before an
	// identity is created — confirm in the Register handler.
	Traits json.RawMessage `json:"traits"`

	// Method to use
	//
	// This field must be set to `oidc` when using the oidc method.
	//
	// required: true
	Method string `json:"method"`

	// UpstreamParameters are the parameters that are passed to the upstream identity provider.
	//
	// These parameters are optional and depend on what the upstream identity provider supports.
	// Supported parameters are:
	// - `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.
	// - `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.
	// - `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.
	//
	// NOTE(review): these values are client-supplied and forwarded upstream; presumably
	// only the keys listed above are passed through — confirm in the code that builds
	// the authorization URL.
	//
	// required: false
	UpstreamParameters json.RawMessage `json:"upstream_parameters"`

	// IDToken is an optional id token provided by an OIDC provider
	//
	// If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate
	// the OIDC credentials of the identity.
	// If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use
	// the `traits` field to populate the identity's traits. Note that Apple only includes the user's email in the IDToken.
	//
	// Supported providers are
	// - Apple
	// - Google
	// required: false
	IDToken string `json:"id_token,omitempty"`

	// IDTokenNonce is the nonce, used when generating the IDToken.
	// If the provider supports nonce validation, the nonce will be validated against this value and is required.
	// Where validated, the nonce ties the submitted IDToken to the request that obtained it, so a token
	// issued for a different context does not match.
	//
	// required: false
	IDTokenNonce string `json:"id_token_nonce,omitempty"`

	// Transient data to pass along to any webhooks
	//
	// required: false
	TransientPayload json.RawMessage `json:"transient_payload,omitempty" form:"transient_payload"`
}

Update Registration Flow with OpenID Connect Method

swagger:model updateRegistrationFlowWithOidcMethod

type VerifiedAddress added in v1.1.0

// VerifiedAddress pairs an address that is considered verified with the
// kind of address it is. It is serialized with the JSON keys "value" and "via".
//
// NOTE(review): presumably populated from provider claims during the OIDC
// flow — confirm where it is constructed before relying on its verified status.
type VerifiedAddress struct {
	// Value is the address itself.
	Value string                         `json:"value"`
	// Via is the verifiable-address type of Value (identity.VerifiableAddressType).
	Via   identity.VerifiableAddressType `json:"via"`
}
