Documentation
Constants
const Prefix string = "/oauth2/" // default prefix for callback and logout. Can be changed by [Config.CallbackPrefix].
Variables
This section is empty.
Functions
func Token
Token gets the ID token from the current session. If the handler is not wrapped by OIDC.Secure, the value can be nil or invalid.
Types
type Config
type Config struct {
	// OIDC issuer URL (ex: https://example.com/realm/my-realm).
	IssuerURL string
	// OIDC client name. This value doesn't need to be super secret.
	// Not advisable to share, but not designed to be a secret.
	ClientID string
	// OIDC client secret (aka: confidential mode).
	ClientSecret string
	// (optional) list of OAuth scopes. Default is the minimal required: openid - [oidc.ScopeOpenID]
	Scopes []string
	// (optional) public server URL.
	// If not set, the system will try to detect it from the request URL, X-Forwarded-Host and X-Forwarded-Proto,
	// which is potentially insecure and can be forged (unless there is a secure forward proxy in front).
	ServerURL string
	// (optional) prefix for the callback URL path. Default prefix is [Prefix].
	CallbackPrefix string
	// (optional) session manager. If not set, the default in-memory session manager will be used.
	SessionManager *scs.SessionManager
	// (optional) handle user post-authorization.
	// If the handler returns any error, the user will be rejected with 403; otherwise it will return 303 StatusSeeOther.
	// The callback may set the destination URL via the Location header; if the header is not set, the root server URL will be used.
	// The callback is always called for each header-based request (since it's stateless).
	// It's a good place for claims-based filtering or sessions.
	PostAuth func(writer http.ResponseWriter, req *http.Request, idToken *oidc.IDToken) error
	// (optional) handle before user authorization (redirect to the OIDC portal). The callback will not be called for M2M.
	// If the handler returns any error, the request will be rejected with 403.
	// It's a good place to save the current URL in order to redirect the user to the initial page after authorization.
	BeforeAuth func(writer http.ResponseWriter, req *http.Request) error
	// (optional) handle the situation after an ID token refresh.
	// Could be useful to reload the profile or something related to the user.
	// The callback will not be called for M2M.
	// If the handler returns any error, the user will be rejected with 403.
	PostRefresh func(writer http.ResponseWriter, req *http.Request, idToken *oidc.IDToken) error
	// (optional) tune allowed authorization types. Default - AllFlows.
	Flows OAuthFlow
	// (optional) logger for messages; default is the std logger.
	Logger Logger
}
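As an added example (not the package's own code): a BeforeAuth callback that saves the requested page and a PostAuth-style callback doing the claims-based filtering described above, written against the callback signatures shown in Config. The ID token is reached through a small local interface that *oidc.IDToken satisfies via its Claims method, so the file builds without go-oidc; the cookie name and the rawClaims stand-in type are assumptions made for the offline demonstration.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"net/url"
)

// claimsSource is all this code needs from *oidc.IDToken (its Claims method), so go-oidc is not imported.
type claimsSource interface{ Claims(v interface{}) error }

// rawClaims is a constructed stand-in for an ID token: a raw JSON claims payload.
type rawClaims []byte

func (r rawClaims) Claims(v interface{}) error { return json.Unmarshal(r, v) }
const returnCookie = "oidc_return_to" // assumed cookie name, not part of the library

// saveReturnURL is a BeforeAuth callback: it saves the requested page so PostAuth can redirect back to it.
func saveReturnURL(w http.ResponseWriter, r *http.Request) error {
	http.SetCookie(w, &http.Cookie{Name: returnCookie, Value: url.QueryEscape(r.URL.RequestURI()),
		Path: "/", HttpOnly: true, Secure: r.TLS != nil, SameSite: http.SameSiteLaxMode})
	return nil
}

// isLocalPath accepts only same-site paths as redirect targets (open-redirect guard for a forged cookie).
func isLocalPath(p string) bool {
	return len(p) > 0 && p[0] == '/' && (len(p) == 1 || (p[1] != '/' && p[1] != '\\'))
}

// requireGroup builds a PostAuth-style callback: an error means 403; on success Location is set for the 303.
func requireGroup(want string) func(http.ResponseWriter, *http.Request, claimsSource) error {
	return func(w http.ResponseWriter, r *http.Request, tok claimsSource) error {
		var c struct{ Groups []string `json:"groups"` }
		if err := tok.Claims(&c); err != nil {
			return err
		}
		for _, g := range c.Groups {
			if g == want {
				if ck, err := r.Cookie(returnCookie); err == nil {
					if dest, err := url.QueryUnescape(ck.Value); err == nil && isLocalPath(dest) {
						w.Header().Set("Location", dest)
					}
				}
				return nil
			}
		}
		return errors.New("user is not in group " + want)
	}
}
```

To plug requireGroup into Config.PostAuth, wrap it so the parameter type matches: PostAuth: func(w http.ResponseWriter, r *http.Request, t *oidc.IDToken) error { return check(w, r, t) }.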
type LoggerFunc
func (LoggerFunc) Log
func (lf LoggerFunc) Log(level Level, message string)
type OAuthFlow
type OAuthFlow uint8
OAuthFlow represents a set of allowed OAuth flows.
const (
	ClientCredentials OAuthFlow = 0b01 // client provides ID token in Authorization header (Bearer)
	AuthorizationCode OAuthFlow = 0b10 // UI flow with redirects. This flow will always be checked last since it can initiate redirects.
	AllFlows          OAuthFlow = AuthorizationCode | ClientCredentials
)
type OIDC
type OIDC struct {
// contains filtered or unexported fields
}
func New
New creates a new service which handles OIDC (OAuth 2) authorization. It fetches and caches OIDC discovery information on init. Key rotation is handled automatically.
The service provides automatic ID token refresh for the UI flow.
func (*OIDC) Config
Config for OAuth. The request is required for detecting the public server URL (unless it is defined explicitly).
func (*OIDC) Secure
Secure wraps a handler and checks the authorization state.
If ClientCredentials is enabled in [Config.Flows] and an Authorization header is present, the service assumes the ClientCredentials flow. In this case an invalid request results in 401 if the token is invalid, or 403 if the post-auth callback returned an error.
If AuthorizationCode is enabled in [Config.Flows], the service tries the AuthorizationCode flow. In this case an invalid request starts the login sequence and redirects to the IdP.
The current ID token can be obtained from the request with Token.
func (*OIDC) SecureFunc
func (svc *OIDC) SecureFunc(next http.HandlerFunc) http.Handler
SecureFunc is an alias for OIDC.Secure for functional handlers.