Documentation
¶
Overview ¶
Package discovery implements both a server handler and client side for interacting with the OIDC discovery mechanism.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func WithCoreDefaults ¶
func WithCoreDefaults() func(h *ConfigurationHandler)
WithCoreDefaults is an option that will set the metadata to match the capabilities of the `core` OIDC implementation, if they're not otherwise set
func WithHTTPClient ¶
WithHTTPClient will set a http.Client for the initial discovery, and key fetching. If not set, http.DefaultClient will be used.
Types ¶
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
Client can be used to fetch the provider metadata for a given issuer, and can also return the signing keys on demand.
It should be created via `NewClient` to ensure it is initialized correctly.
func (*Client) GetKey ¶
GetKey will return the key for the given kid. If the key has already been fetched, no network request will be made - the cached version will be returned. Otherwise, a call to the keys endpoint will be made.
func (*Client) Metadata ¶
func (c *Client) Metadata() *ProviderMetadata
Metadata returns the ProviderMetadata that was retrieved when the client was instantiated
type ConfigurationHandler ¶
type ConfigurationHandler struct {
// contains filtered or unexported fields
}
ConfigurationHandler is a http.ConfigurationHandler that can serve the OIDC provider metadata endpoint, and optionally keys from a source
It should be mounted at `<issuer>/.well-known/openid-configuration`, and all subpaths. This can be achieved with the stdlib mux by using a trailing slash. Any prefix should be stripped before calling this ConfigurationHandler
func NewConfigurationHandler ¶
func NewConfigurationHandler(metadata *ProviderMetadata, opts ...ConfigurationHandlerOpt) (*ConfigurationHandler, error)
NewConfigurationHandler configures and returns a ConfigurationHandler.
func (*ConfigurationHandler) ServeHTTP ¶
func (h *ConfigurationHandler) ServeHTTP(w http.ResponseWriter, req *http.Request)
type ConfigurationHandlerOpt ¶
type ConfigurationHandlerOpt func(h *ConfigurationHandler)
ConfigurationHandlerOpt is an option that can configure
type KeySource ¶
type KeySource interface {
// PublicKeys should return the current signing key set
PublicKeys(ctx context.Context) (*jose.JSONWebKeySet, error)
}
KeySource is used to retrieve the public keys this provider is signing with
type KeysHandler ¶
type KeysHandler struct {
// contains filtered or unexported fields
}
KeysHandler is a http.Handler that correctly serves the "keys" endpoint from a keysource
func NewKeysHandler ¶
func NewKeysHandler(s KeySource, cacheFor time.Duration) *KeysHandler
NewKeysHandler returns a KeysHandler configured to serve the keys froom KeySource. It will cache key lookups for the cacheFor duration
func (*KeysHandler) ServeHTTP ¶
func (h *KeysHandler) ServeHTTP(w http.ResponseWriter, req *http.Request)
type ProviderMetadata ¶
type ProviderMetadata struct {
// REQUIRED. URL using the https scheme with no query or fragment component
// that the OP asserts as its Issuer Identifier. If Issuer discovery is
// supported (see Section 2), this value MUST be identical to the issuer
// value returned by WebFinger. This also MUST be identical to the iss Claim
// value in ID Tokens issued from this Issuer.
Issuer string `json:"issuer,omitempty"`
// REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint [OpenID.Core].
AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`
// URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED
// unless only the Implicit Flow is used.
TokenEndpoint string `json:"token_endpoint,omitempty"`
// RECOMMENDED. URL of the OP's UserInfo Endpoint [OpenID.Core]. This URL
// MUST use the https scheme and MAY contain port, path, and query parameter
// components.
UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"`
// REQUIRED. URL of the OP's JSON Web Key Set [JWK] document. This contains
// the signing key(s) the RP uses to validate signatures from the OP. The
// JWK Set MAY also contain the Server's encryption key(s), which are used
// by RPs to encrypt requests to the Server. When both signing and
// encryption keys are made available, a use (Key Use) parameter value is
// REQUIRED for all keys in the referenced JWK Set to indicate each key's
// intended usage. Although some algorithms allow the same key to be used
// for both signatures and encryption, doing so is NOT RECOMMENDED, as it is
// less secure. The JWK x5c parameter MAY be used to provide X.509
// representations of keys provided. When used, the bare key values MUST
// still be present and MUST match those in the certificate.
JWKSURI string `json:"jwks_uri,omitempty"`
// RECOMMENDED. URL of the OP's Dynamic Client Registration Endpoint
// [OpenID.Registration].
RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
// RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749]
// scope values that this server supports. The server MUST support the
// openid scope value. Servers MAY choose not to advertise some supported
// scope values even when this parameter is used, although those defined in
// [OpenID.Core] SHOULD be listed, if supported.
ScopesSupported []string `json:"scopes_supported,omitempty"`
// REQUIRED. JSON array containing a list of the OAuth 2.0 response_type
// values that this OP supports. Dynamic OpenID Providers MUST support the
// code, id_token, and the token id_token Response Type values.
ResponseTypesSupported []string `json:"response_types_supported,omitempty"`
// OPTIONAL. JSON array containing a list of the OAuth 2.0 response_mode
// values that this OP supports, as specified in OAuth 2.0 Multiple Response
// Type Encoding Practices [OAuth.Responses]. If omitted, the default for
// Dynamic OpenID Providers is ["query", "fragment"].
ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
// OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values
// that this OP supports. Dynamic OpenID Providers MUST support the
// authorization_code and implicit Grant Type values and MAY support other
// Grant Types. If omitted, the default value is ["authorization_code",
// "implicit"].
GrantTypesSupported []string `json:"grant_types_supported,omitempty"`
// OPTIONAL. JSON array containing a list of the Authentication Context
// Class References that this OP supports.
ACRValuesSupported []string `json:"acr_values_supported,omitempty"`
// REQUIRED. JSON array containing a list of the Subject Identifier types
// that this OP supports. Valid types include pairwise and public.
SubjectTypesSupported []string `json:"subject_types_supported,omitempty"`
// REQUIRED. JSON array containing a list of the JWS signing algorithms (alg
// values) supported by the OP for the ID Token to encode the Claims in a
// JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be
// supported, but MUST NOT be used unless the Response Type used returns no
// ID Token from the Authorization Endpoint (such as when using the
// Authorization Code Flow).
IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
// OPTIONAL. JSON array containing a list of the JWE encryption algorithms
// (alg values) supported by the OP for the ID Token to encode the Claims in
// a JWT [JWT].
IDTokenEncryptionAlgValuesSupported []string `json:"id_token_encryption_alg_values_supported,omitempty"`
// OPTIONAL. JSON array containing a list of the JWE encryption algorithms
// (enc values) supported by the OP for the ID Token to encode the Claims in
// a JWT [JWT].
IDTokenEncryptionEncValuesSupported []string `json:"id_token_encryption_enc_values_supported,omitempty"`
// OPTIONAL. JSON array containing a list of the JWS [JWS] signing
// algorithms (alg values) [JWA] supported by the UserInfo Endpoint to
// encode the Claims in a JWT [JWT]. The value none MAY be included.
UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported,omitempty"`
// OPTIONAL. JSON array containing a list of the JWE [JWE] encryption
// algorithms (alg values) [JWA] supported by the UserInfo Endpoint to
// encode the Claims in a JWT [JWT].
UserinfoEncryptionAlgValuesSupported []string `json:"userinfo_encryption_alg_values_supported,omitempty"`
// OPTIONAL. JSON array containing a list of the JWE encryption algorithms
// (enc values) [JWA] supported by the UserInfo Endpoint to encode the
// Claims in a JWT [JWT].
UserinfoEncryptionEncValuesSupported []string `json:"userinfo_encryption_enc_values_supported,omitempty"`
// OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg
// values) supported by the OP for Request Objects, which are described in
// Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms
// are used both when the Request Object is passed by value (using the
// request parameter) and when it is passed by reference (using the
// request_uri parameter). Servers SHOULD support none and RS256.
RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`
// OPTIONAL. JSON array containing a list of the JWE encryption algorithms
// (alg values) supported by the OP for Request Objects. These algorithms
// are used both when the Request Object is passed by value and when it is
// passed by reference.
RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported,omitempty"`
// OPTIONAL. JSON array containing a list of the JWE encryption algorithms
// (enc values) supported by the OP for Request Objects. These algorithms
// are used both when the Request Object is passed by value and when it is
// passed by reference.
RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported,omitempty"`
// OPTIONAL. JSON array containing a list of Client Authentication methods
// supported by this Token Endpoint. The options are client_secret_post,
// client_secret_basic, client_secret_jwt, and private_key_jwt, as described
// in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other
// authentication methods MAY be defined by extensions. If omitted, the
// default is client_secret_basic -- the HTTP Basic Authentication Scheme
// specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
// OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg
// values) supported by the Token Endpoint for the signature on the JWT
// [JWT] used to authenticate the Client at the Token Endpoint for the
// private_key_jwt and client_secret_jwt authentication methods. Servers
// SHOULD support RS256. The value none MUST NOT be used.
TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
// OPTIONAL. JSON array containing a list of the display parameter values
// that the OpenID Provider supports. These values are described in Section
// 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core].
DisplayValuesSupported []string `json:"display_values_supported,omitempty"`
// OPTIONAL. JSON array containing a list of the Claim Types that the OpenID
// Provider supports. These Claim Types are described in Section 5.6 of
// OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this
// specification are normal, aggregated, and distributed. If omitted, the
// implementation supports only normal Claims.
ClaimTypesSupported []string `json:"claim_types_supported,omitempty"`
// RECOMMENDED. JSON array containing a list of the Claim Names of the
// Claims that the OpenID Provider MAY be able to supply values for. Note
// that for privacy or other reasons, this might not be an exhaustive list.
ClaimsSupported []string `json:"claims_supported,omitempty"`
// OPTIONAL. URL of a page containing human-readable information that
// developers might want or need to know when using the OpenID Provider. In
// particular, if the OpenID Provider does not support Dynamic Client
// Registration, then information on how to register Clients needs to be
// provided in this documentation.
ServiceDocumentation string `json:"service_documentation,omitempty"`
// OPTIONAL. Languages and scripts supported for values in Claims being
// returned, represented as a JSON array of BCP47 [RFC5646] language tag
// values. Not all languages and scripts are necessarily supported for all
// Claim values.
ClaimLocalesSupported []string `json:"claims_locales_supported,omitempty"`
// OPTIONAL. Languages and scripts supported for the user interface,
// represented as a JSON array of BCP47 [RFC5646] language tag values.
UILocalesSupported []string `json:"ui_locales_supported,omitempty"`
// OPTIONAL. Boolean value specifying whether the OP supports use of the
// claims parameter, with true indicating support. If omitted, the default
// value is false.
ClaimsParameterSupported bool `json:"claims_parameter_supported,omitempty"`
// OPTIONAL. Boolean value specifying whether the OP supports use of the
// request parameter, with true indicating support. If omitted, the default
// value is false.
RequestParameterSupported bool `json:"request_parameter_supported,omitempty"`
// OPTIONAL. Boolean value specifying whether the OP supports use of the
// request_uri parameter, with true indicating support. If omitted, the
// default value is true.
RequestURIParameterSupported bool `json:"request_uri_parameter_supported,omitempty"`
// OPTIONAL. Boolean value specifying whether the OP requires any
// request_uri values used to be pre-registered using the request_uris
// registration parameter. Pre-registration is REQUIRED when the value is
// true. If omitted, the default value is false.
RequireRequestURIRegistration bool `json:"require_request_uri_registration,omitempty"`
// OPTIONAL. URL that the OpenID Provider provides to the person registering
// the Client to read about the OP's requirements on how the Relying Party
// can use the data provided by the OP. The registration process SHOULD
// display this URL to the person registering the Client if it is given.
OPPolicyURI string `json:"op_policy_uri,omitempty"`
// OPTIONAL. URL that the OpenID Provider provides to the person registering
// the Client to read about OpenID Provider's terms of service. The
// registration process SHOULD display this URL to the person registering
// the Client if it is given.
OPTOSURI string `json:"op_tos_uri,omitempty"`
}
ProviderMetadata implements the JSON structure that describes the configuration of an OIDC provider
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
Source Files
Click to show internal directories.
Click to hide internal directories.