Documentation ¶
Index ¶
- Constants
- Variables
- func AccessTokenFromRequest(req *http.Request) string
- func GetRedirectURIFromRequestValues(values url.Values) (string, error)
- func HierarchicScopeStrategy(haystack []string, needle string) bool
- func IsRedirectURISecure(redirectURI *url.URL) bool
- func IsValidRedirectURI(redirectURI *url.URL) bool
- func MatchRedirectURIWithClientRedirectURIs(rawurl string, client Client) (*url.URL, error)
- func NewContext() context.Context
- func StringInSlice(needle string, haystack []string) bool
- type AccessRequest
- type AccessRequester
- type AccessResponder
- type AccessResponse
- func (a *AccessResponse) GetAccessToken() string
- func (a *AccessResponse) GetExtra(key string) interface{}
- func (a *AccessResponse) GetTokenType() string
- func (a *AccessResponse) SetAccessToken(token string)
- func (a *AccessResponse) SetExpiresIn(expiresIn time.Duration)
- func (a *AccessResponse) SetExtra(key string, value interface{})
- func (a *AccessResponse) SetScopes(scopes Arguments)
- func (a *AccessResponse) SetTokenType(name string)
- func (a *AccessResponse) ToMap() map[string]interface{}
- type Arguments
- type AuthorizeEndpointHandler
- type AuthorizeEndpointHandlers
- type AuthorizeRequest
- func (d *AuthorizeRequest) DidHandleAllResponseTypes() bool
- func (d *AuthorizeRequest) GetRedirectURI() *url.URL
- func (d *AuthorizeRequest) GetResponseTypes() Arguments
- func (d *AuthorizeRequest) GetState() string
- func (d *AuthorizeRequest) IsRedirectURIValid() bool
- func (d *AuthorizeRequest) SetResponseTypeHandled(name string)
- type AuthorizeRequester
- type AuthorizeResponder
- type AuthorizeResponse
- func (a *AuthorizeResponse) AddFragment(key, value string)
- func (a *AuthorizeResponse) AddHeader(key, value string)
- func (a *AuthorizeResponse) AddQuery(key, value string)
- func (a *AuthorizeResponse) GetCode() string
- func (a *AuthorizeResponse) GetFragment() url.Values
- func (a *AuthorizeResponse) GetHeader() http.Header
- func (a *AuthorizeResponse) GetQuery() url.Values
- type Client
- type ClientManager
- type DefaultClient
- type Fosite
- func (f *Fosite) NewAccessRequest(ctx context.Context, r *http.Request, session interface{}) (AccessRequester, error)
- func (f *Fosite) NewAccessResponse(ctx context.Context, req *http.Request, requester AccessRequester) (AccessResponder, error)
- func (c *Fosite) NewAuthorizeRequest(ctx context.Context, r *http.Request) (AuthorizeRequester, error)
- func (o *Fosite) NewAuthorizeResponse(ctx context.Context, r *http.Request, ar AuthorizeRequester, ...) (AuthorizeResponder, error)
- func (f *Fosite) ValidateToken(ctx context.Context, token string, tokenType TokenType, session interface{}, ...) (AccessRequester, error)
- func (c *Fosite) WriteAccessError(rw http.ResponseWriter, _ AccessRequester, err error)
- func (c *Fosite) WriteAccessResponse(rw http.ResponseWriter, requester AccessRequester, responder AccessResponder)
- func (c *Fosite) WriteAuthorizeError(rw http.ResponseWriter, ar AuthorizeRequester, err error)
- func (c *Fosite) WriteAuthorizeResponse(rw http.ResponseWriter, ar AuthorizeRequester, resp AuthorizeResponder)
- type OAuth2Provider
- type RFC6749Error
- type Request
- func (a *Request) AppendRequestedScope(scope string)
- func (a *Request) GetClient() Client
- func (a *Request) GetGrantedScopes() Arguments
- func (a *Request) GetRequestForm() url.Values
- func (a *Request) GetRequestedAt() time.Time
- func (a *Request) GetRequestedScopes() Arguments
- func (a *Request) GetSession() interface{}
- func (a *Request) GrantScope(scope string)
- func (a *Request) Merge(request Requester)
- func (a *Request) SetRequestedScopes(s Arguments)
- func (a *Request) SetSession(session interface{})
- type Requester
- type ScopeStrategy
- type Storage
- type TokenEndpointHandler
- type TokenEndpointHandlers
- type TokenType
- type TokenValidator
- type TokenValidators
Constants ¶
const MinParameterEntropy = 8
const (
UnknownErrorName = "unknown_error"
)
Variables ¶
var ( ErrRequestForbidden = errors.New("The request is not allowed") ErrInvalidRequest = errors.New("The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed") ErrAccessDenied = errors.New("The resource owner or authorization server denied the request") ErrUnsupportedResponseType = errors.New("The authorization server does not support obtaining a token using this method") ErrInvalidScope = errors.New("The requested scope is invalid, unknown, or malformed") ErrServerError = errors.New("The authorization server encountered an unexpected condition that prevented it from fulfilling the request") ErrUnsupportedGrantType = errors.New("The authorization grant type is not supported by the authorization server") ErrInvalidGrant = errors.New("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client") ErrInvalidClient = errors.New("Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)") ErrInvalidState = errors.Errorf("The state is missing or has less than %d characters and is therefore considered too weak", MinParameterEntropy) ErrInsufficientEntropy = errors.Errorf("The request used a security parameter (e.g., anti-replay, anti-csrf) with insufficient entropy (minimum of %d characters)", MinParameterEntropy) ErrMisconfiguration = errors.New("The request failed because of an internal error that is probably caused by misconfiguration") ErrNotFound = errors.New("Could not find the requested resource(s)") ErrInvalidTokenFormat = errors.New("Invalid token format") ErrTokenSignatureMismatch = errors.New("Token signature mismatch") ErrTokenExpired = errors.New("Token expired") ErrScopeNotGranted = errors.New("The token was not granted the requested scope") ErrTokenClaim = errors.New("The token failed validation due to a claim mismatch") )
var ErrUnknownRequest = errors.New("The handler is not responsible for this request.")
Functions ¶
func AccessTokenFromRequest ¶ added in v0.2.0
func GetRedirectURIFromRequestValues ¶
GetRedirectURIFromRequestValues extracts the redirect_uri from values but does not do any sort of validation.
Considered specifications
- https://tools.ietf.org/html/rfc6749#section-3.1 The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters.
func HierarchicScopeStrategy ¶ added in v0.2.0
func IsRedirectURISecure ¶
func IsValidRedirectURI ¶
IsValidRedirectURI validates a redirect_uri as specified in:
* https://tools.ietf.org/html/rfc6749#section-3.1.2
- The redirection endpoint URI MUST be an absolute URI as defined by [RFC3986] Section 4.3.
- The endpoint URI MUST NOT include a fragment component.
- https://tools.ietf.org/html/rfc3986#section-4.3 absolute-URI = scheme ":" hier-part [ "?" query ]
- https://tools.ietf.org/html/rfc6819#section-5.1.1
func MatchRedirectURIWithClientRedirectURIs ¶
MatchRedirectURIWithClientRedirectURIs if the given uri is a registered redirect uri. Does not perform uri validation.
Considered specifications
https://tools.ietf.org/html/rfc6749#section-3.1.2.3 If multiple redirection URIs have been registered, if only part of the redirection URI has been registered, or if no redirection URI has been registered, the client MUST include a redirection URI with the authorization request using the "redirect_uri" request parameter.
When a redirection URI is included in an authorization request, the authorization server MUST compare and match the value received against at least one of the registered redirection URIs (or URI components) as defined in [RFC3986] Section 6, if any redirection URIs were registered. If the client registration included the full redirection URI, the authorization server MUST compare the two URIs using simple string comparison as defined in [RFC3986] Section 6.2.1.
* https://tools.ietf.org/html/rfc6819#section-4.4.1.7
- The authorization server may also enforce the usage and validation of pre-registered redirect URIs (see Section 5.2.3.5). This will allow for early recognition of authorization "code" disclosure to counterfeit clients.
- The attacker will need to use another redirect URI for its authorization process rather than the target web site because it needs to intercept the flow. So, if the authorization server associates the authorization "code" with the redirect URI of a particular end-user authorization and validates this redirect URI with the redirect URI passed to the token's endpoint, such an attack is detected (see Section 5.2.4.5).
func NewContext ¶
func StringInSlice ¶
StringInSlice returns true if needle exists in haystack
Types ¶
type AccessRequest ¶
type AccessRequest struct { GrantTypes Arguments `json:"grantTypes" gorethink:"grantTypes"` HandledGrantType Arguments `json:"handledGrantType" gorethink:"handledGrantType"` Request }
func NewAccessRequest ¶
func NewAccessRequest(session interface{}) *AccessRequest
func (*AccessRequest) GetGrantTypes ¶
func (a *AccessRequest) GetGrantTypes() Arguments
type AccessRequester ¶
type AccessRequester interface { // GetGrantType returns the requests grant type. GetGrantTypes() (grantTypes Arguments) Requester }
AccessRequester is a token endpoint's request context.
type AccessResponder ¶
type AccessResponder interface { // SetExtra sets a key value pair for the access response. SetExtra(key string, value interface{}) // GetExtra returns a key's value. GetExtra(key string) interface{} SetExpiresIn(time.Duration) SetScopes(scopes Arguments) // SetAccessToken sets the responses mandatory access token. SetAccessToken(token string) // SetTokenType set's the responses mandatory token type SetTokenType(tokenType string) // SetAccessToken returns the responses access token. GetAccessToken() (token string) // GetTokenType returns the responses token type. GetTokenType() (token string) // ToMap converts the response to a map. ToMap() map[string]interface{} }
AccessResponder is a token endpoint's response.
func NewAccessResponse ¶
func NewAccessResponse() AccessResponder
type AccessResponse ¶
func (*AccessResponse) GetAccessToken ¶
func (a *AccessResponse) GetAccessToken() string
func (*AccessResponse) GetExtra ¶
func (a *AccessResponse) GetExtra(key string) interface{}
func (*AccessResponse) GetTokenType ¶
func (a *AccessResponse) GetTokenType() string
func (*AccessResponse) SetAccessToken ¶
func (a *AccessResponse) SetAccessToken(token string)
func (*AccessResponse) SetExpiresIn ¶
func (a *AccessResponse) SetExpiresIn(expiresIn time.Duration)
func (*AccessResponse) SetExtra ¶
func (a *AccessResponse) SetExtra(key string, value interface{})
func (*AccessResponse) SetScopes ¶
func (a *AccessResponse) SetScopes(scopes Arguments)
func (*AccessResponse) SetTokenType ¶
func (a *AccessResponse) SetTokenType(name string)
func (*AccessResponse) ToMap ¶
func (a *AccessResponse) ToMap() map[string]interface{}
type AuthorizeEndpointHandler ¶
type AuthorizeEndpointHandler interface { // HandleAuthorizeRequest handles an authorize endpoint request. To extend the handler's capabilities, the http request // is passed along, if further information retrieval is required. If the handler feels that he is not responsible for // the authorize request, he must return nil and NOT modify session nor responder neither requester. // // The following spec is a good example of what HandleAuthorizeRequest should do. // * https://tools.ietf.org/html/rfc6749#section-3.1.1 // response_type REQUIRED. // The value MUST be one of "code" for requesting an // authorization code as described by Section 4.1.1, "token" for // requesting an access token (implicit grant) as described by // Section 4.2.1, or a registered extension value as described by Section 8.4. HandleAuthorizeEndpointRequest(ctx context.Context, req *http.Request, requester AuthorizeRequester, responder AuthorizeResponder) error }
type AuthorizeEndpointHandlers ¶
type AuthorizeEndpointHandlers []AuthorizeEndpointHandler
AuthorizeEndpointHandlers is a list of AuthorizeEndpointHandler
func (*AuthorizeEndpointHandlers) Append ¶
func (a *AuthorizeEndpointHandlers) Append(h AuthorizeEndpointHandler)
Add adds an AuthorizeEndpointHandler to this list. Ignores duplicates based on reflect.TypeOf.
type AuthorizeRequest ¶
type AuthorizeRequest struct { ResponseTypes Arguments `json:"responseTypes" gorethink:"responseTypes"` RedirectURI *url.URL `json:"redirectUri" gorethink:"redirectUri"` State string `json:"state" gorethink:"state"` HandledResponseTypes Arguments `json:"handledResponseTypes" gorethink:"handledResponseTypes"` Request }
AuthorizeRequest is an implementation of AuthorizeRequester
func NewAuthorizeRequest ¶
func NewAuthorizeRequest() *AuthorizeRequest
func (*AuthorizeRequest) DidHandleAllResponseTypes ¶
func (d *AuthorizeRequest) DidHandleAllResponseTypes() bool
func (*AuthorizeRequest) GetRedirectURI ¶
func (d *AuthorizeRequest) GetRedirectURI() *url.URL
func (*AuthorizeRequest) GetResponseTypes ¶
func (d *AuthorizeRequest) GetResponseTypes() Arguments
func (*AuthorizeRequest) GetState ¶
func (d *AuthorizeRequest) GetState() string
func (*AuthorizeRequest) IsRedirectURIValid ¶
func (d *AuthorizeRequest) IsRedirectURIValid() bool
func (*AuthorizeRequest) SetResponseTypeHandled ¶
func (d *AuthorizeRequest) SetResponseTypeHandled(name string)
type AuthorizeRequester ¶
type AuthorizeRequester interface { // GetResponseTypes returns the requested response types GetResponseTypes() (responseTypes Arguments) // SetResponseTypeHandled marks a response_type (e.g. token or code) as handled indicating that the response type // is supported. SetResponseTypeHandled(responseType string) // DidHandleAllResponseTypes returns if all requested response types have been handled correctly DidHandleAllResponseTypes() (didHandle bool) // GetRedirectURI returns the requested redirect URI GetRedirectURI() (redirectURL *url.URL) // IsRedirectURIValid returns false if the redirect is not rfc-conform (i.e. missing client, not on white list, // or malformed) IsRedirectURIValid() (isValid bool) // GetState returns the request's state. GetState() (state string) Requester }
AuthorizeRequester is an authorize endpoint's request context.
type AuthorizeResponder ¶
type AuthorizeResponder interface { // GetCode returns the response's authorize code if set. GetCode() string // GetHeader returns the response's header GetHeader() (header http.Header) // AddHeader adds an header key value pair to the response AddHeader(key, value string) // GetQuery returns the response's query GetQuery() (query url.Values) // AddQuery adds an url query key value pair to the response AddQuery(key, value string) // GetHeader returns the response's url fragments GetFragment() (fragment url.Values) // AddHeader adds a key value pair to the response's url fragment AddFragment(key, value string) }
AuthorizeResponder is an authorization endpoint's response.
type AuthorizeResponse ¶
type AuthorizeResponse struct { Header http.Header Query url.Values Fragment url.Values // contains filtered or unexported fields }
AuthorizeResponse is an implementation of AuthorizeResponder
func NewAuthorizeResponse ¶
func NewAuthorizeResponse() *AuthorizeResponse
func (*AuthorizeResponse) AddFragment ¶
func (a *AuthorizeResponse) AddFragment(key, value string)
func (*AuthorizeResponse) AddHeader ¶
func (a *AuthorizeResponse) AddHeader(key, value string)
func (*AuthorizeResponse) AddQuery ¶
func (a *AuthorizeResponse) AddQuery(key, value string)
func (*AuthorizeResponse) GetCode ¶
func (a *AuthorizeResponse) GetCode() string
func (*AuthorizeResponse) GetFragment ¶
func (a *AuthorizeResponse) GetFragment() url.Values
func (*AuthorizeResponse) GetHeader ¶
func (a *AuthorizeResponse) GetHeader() http.Header
func (*AuthorizeResponse) GetQuery ¶
func (a *AuthorizeResponse) GetQuery() url.Values
type Client ¶
type Client interface { // GetID returns the client ID. GetID() string // GetHashedSecret returns the hashed secret as it is stored in the store. GetHashedSecret() []byte // Returns the client's allowed redirect URIs. GetRedirectURIs() []string // Returns the client's allowed grant types. GetGrantTypes() Arguments // Returns the client's allowed response types. GetResponseTypes() Arguments // Returns the scopes this client is allowed to request. GetScopes() Arguments }
Client represents a client or an app.
type ClientManager ¶
type ClientManager interface { // GetClient loads the client by its ID or returns an error // if the client does not exist or another error occurred. GetClient(id string) (Client, error) }
ClientManager defines the (persistent) manager interface for clients.
type DefaultClient ¶
type DefaultClient struct { ID string `json:"id"` Secret []byte `json:"client_secret,omitempty"` RedirectURIs []string `json:"redirect_uris"` GrantTypes []string `json:"grant_types"` ResponseTypes []string `json:"response_types"` Scopes []string `json:"scopes"` }
DefaultClient is a simple default implementation of the Client interface.
func (*DefaultClient) GetGrantTypes ¶
func (c *DefaultClient) GetGrantTypes() Arguments
func (*DefaultClient) GetHashedSecret ¶
func (c *DefaultClient) GetHashedSecret() []byte
func (*DefaultClient) GetID ¶
func (c *DefaultClient) GetID() string
func (*DefaultClient) GetRedirectURIs ¶
func (c *DefaultClient) GetRedirectURIs() []string
func (*DefaultClient) GetResponseTypes ¶
func (c *DefaultClient) GetResponseTypes() Arguments
func (*DefaultClient) GetScopes ¶ added in v0.2.0
func (c *DefaultClient) GetScopes() Arguments
type Fosite ¶
type Fosite struct { Store Storage AuthorizeEndpointHandlers AuthorizeEndpointHandlers TokenEndpointHandlers TokenEndpointHandlers TokenValidators TokenValidators Hasher hash.Hasher Logger logrus.StdLogger ScopeStrategy ScopeStrategy }
Fosite implements OAuth2Provider.
func (*Fosite) NewAccessRequest ¶
func (f *Fosite) NewAccessRequest(ctx context.Context, r *http.Request, session interface{}) (AccessRequester, error)
Implements
- https://tools.ietf.org/html/rfc6749#section-2.3.1 Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server. The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the password. The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password. Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes). The parameters can only be transmitted in the request-body and MUST NOT be included in the request URI.
- https://tools.ietf.org/html/rfc6749#section-3.2.1
- Confidential clients or other clients issued client credentials MUST authenticate with the authorization server as described in Section 2.3 when making requests to the token endpoint.
- If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.
func (*Fosite) NewAccessResponse ¶
func (f *Fosite) NewAccessResponse(ctx context.Context, req *http.Request, requester AccessRequester) (AccessResponder, error)
func (*Fosite) NewAuthorizeRequest ¶
func (*Fosite) NewAuthorizeResponse ¶
func (o *Fosite) NewAuthorizeResponse(ctx context.Context, r *http.Request, ar AuthorizeRequester, session interface{}) (AuthorizeResponder, error)
func (*Fosite) ValidateToken ¶ added in v0.2.0
func (*Fosite) WriteAccessError ¶
func (c *Fosite) WriteAccessError(rw http.ResponseWriter, _ AccessRequester, err error)
func (*Fosite) WriteAccessResponse ¶
func (c *Fosite) WriteAccessResponse(rw http.ResponseWriter, requester AccessRequester, responder AccessResponder)
func (*Fosite) WriteAuthorizeError ¶
func (c *Fosite) WriteAuthorizeError(rw http.ResponseWriter, ar AuthorizeRequester, err error)
func (*Fosite) WriteAuthorizeResponse ¶
func (c *Fosite) WriteAuthorizeResponse(rw http.ResponseWriter, ar AuthorizeRequester, resp AuthorizeResponder)
type OAuth2Provider ¶
type OAuth2Provider interface { // NewAuthorizeRequest returns an AuthorizeRequest. // // The following specs must be considered in any implementation of this method: // * https://tools.ietf.org/html/rfc6749#section-3.1 // Extension response types MAY contain a space-delimited (%x20) list of // values, where the order of values does not matter (e.g., response // type "a b" is the same as "b a"). The meaning of such composite // response types is defined by their respective specifications. // * https://tools.ietf.org/html/rfc6749#section-3.1.2 // The redirection endpoint URI MUST be an absolute URI as defined by // [RFC3986] Section 4.3. The endpoint URI MAY include an // "application/x-www-form-urlencoded" formatted (per Appendix B) query // component ([RFC3986] Section 3.4), which MUST be retained when adding // additional query parameters. The endpoint URI MUST NOT include a // fragment component. // * https://tools.ietf.org/html/rfc6749#section-3.1.2.2 (everything MUST be implemented) NewAuthorizeRequest(ctx context.Context, req *http.Request) (AuthorizeRequester, error) // NewAuthorizeResponse iterates through all response type handlers and returns their result or // ErrUnsupportedResponseType if none of the handler's were able to handle it. // // The following specs must be considered in any implementation of this method: // * https://tools.ietf.org/html/rfc6749#section-3.1.1 // Extension response types MAY contain a space-delimited (%x20) list of // values, where the order of values does not matter (e.g., response // type "a b" is the same as "b a"). The meaning of such composite // response types is defined by their respective specifications. // If an authorization request is missing the "response_type" parameter, // or if the response type is not understood, the authorization server // MUST return an error response as described in Section 4.1.2.1. NewAuthorizeResponse(ctx context.Context, req *http.Request, requester AuthorizeRequester, session interface{}) (AuthorizeResponder, error) // WriteAuthorizeError returns the error codes to the redirection endpoint or shows the error to the user, if no valid // redirect uri was given. Implements rfc6749#section-4.1.2.1 // // The following specs must be considered in any implementation of this method: // * https://tools.ietf.org/html/rfc6749#section-3.1.2 // The redirection endpoint URI MUST be an absolute URI as defined by // [RFC3986] Section 4.3. The endpoint URI MAY include an // "application/x-www-form-urlencoded" formatted (per Appendix B) query // component ([RFC3986] Section 3.4), which MUST be retained when adding // additional query parameters. The endpoint URI MUST NOT include a // fragment component. // * https://tools.ietf.org/html/rfc6749#section-4.1.2.1 (everything) // * https://tools.ietf.org/html/rfc6749#section-3.1.2.2 (everything MUST be implemented) WriteAuthorizeError(rw http.ResponseWriter, requester AuthorizeRequester, err error) // WriteAuthorizeResponse persists the AuthorizeSession in the store and redirects the user agent to the provided // redirect url or returns an error if storage failed. // // The following specs must be considered in any implementation of this method: // * https://tools.ietf.org/html/rfc6749#rfc6749#section-4.1.2.1 // After completing its interaction with the resource owner, the // authorization server directs the resource owner's user-agent back to // the client. The authorization server redirects the user-agent to the // client's redirection endpoint previously established with the // authorization server during the client registration process or when // making the authorization request. // * https://tools.ietf.org/html/rfc6749#section-3.1.2.2 (everything MUST be implemented) WriteAuthorizeResponse(rw http.ResponseWriter, requester AuthorizeRequester, responder AuthorizeResponder) // NewAccessRequest creates a new access request object and validates // various parameters. // // The following specs must be considered in any implementation of this method: // * https://tools.ietf.org/html/rfc6749#section-3.2 (everything) // * https://tools.ietf.org/html/rfc6749#section-3.2.1 (everything) // // Furthermore the registered handlers should implement their specs accordingly. NewAccessRequest(ctx context.Context, req *http.Request, session interface{}) (AccessRequester, error) // NewAccessResponse creates a new access response and validates that access_token and token_type are set. // // The following specs must be considered in any implementation of this method: // https://tools.ietf.org/html/rfc6749#section-5.1 NewAccessResponse(ctx context.Context, req *http.Request, requester AccessRequester) (AccessResponder, error) // WriteAccessError writes an access request error response. // // The following specs must be considered in any implementation of this method: // * https://tools.ietf.org/html/rfc6749#section-5.2 (everything) WriteAccessError(rw http.ResponseWriter, requester AccessRequester, err error) // WriteAccessResponse writes the access response. // // The following specs must be considered in any implementation of this method: // https://tools.ietf.org/html/rfc6749#section-5.1 WriteAccessResponse(rw http.ResponseWriter, requester AccessRequester, responder AccessResponder) // ValidateToken validates a token. Popular validators include authorize code, id token, access token and refresh token. // Returns an error if validation failed. ValidateToken(ctx context.Context, token string, tokenType TokenType, session interface{}, scope ...string) (AccessRequester, error) }
OAuth2Provider is an interface that enables you to write OAuth2 handlers with only a few lines of code. Check fosite.Fosite for an implementation of this interface.
type RFC6749Error ¶
type RFC6749Error struct { Name string `json:"name"` Description string `json:"description"` Hint string `json:"-"` StatusCode int `json:"statusCode"` Debug string `json:"-"` }
func ErrorToRFC6749Error ¶
func ErrorToRFC6749Error(err error) *RFC6749Error
type Request ¶
type Request struct { RequestedAt time.Time `json:"requestedAt" gorethink:"requestedAt"` Client Client `json:"client" gorethink:"client"` Scopes Arguments `json:"scopes" gorethink:"scopes"` GrantedScopes Arguments `json:"grantedScopes" gorethink:"grantedScopes"` Form url.Values `json:"form" gorethink:"form"` Session interface{} `json:"session" gorethink:"session"` }
Request is an implementation of Requester
func NewRequest ¶
func NewRequest() *Request
func (*Request) AppendRequestedScope ¶ added in v0.2.0
func (*Request) GetGrantedScopes ¶
func (*Request) GetRequestForm ¶
func (*Request) GetRequestedAt ¶
func (*Request) GetRequestedScopes ¶ added in v0.2.0
func (*Request) GetSession ¶
func (a *Request) GetSession() interface{}
func (*Request) GrantScope ¶
func (*Request) SetRequestedScopes ¶ added in v0.2.0
func (*Request) SetSession ¶
func (a *Request) SetSession(session interface{})
type Requester ¶
type Requester interface { // GetRequestedAt returns the time the request was created. GetRequestedAt() (requestedAt time.Time) // GetClient returns the requests client. GetClient() (client Client) // GetRequestedScopes returns the request's scopes. GetRequestedScopes() (scopes Arguments) // SetRequestedScopes sets the request's scopes. SetRequestedScopes(scopes Arguments) // AppendRequestedScope appends a scope to the request. AppendRequestedScope(scope string) // GetGrantScopes returns all granted scopes. GetGrantedScopes() (grantedScopes Arguments) // GrantScope marks a request's scope as granted. GrantScope(scope string) // GetSession returns a pointer to the request's session or nil if none is set. GetSession() (session interface{}) // GetSession sets the request's session pointer. SetSession(session interface{}) // GetRequestForm returns the request's form input. GetRequestForm() url.Values Merge(requester Requester) }
Requester is an abstract interface for handling requests in Fosite.
type ScopeStrategy ¶ added in v0.2.0
ScopeStrategy is a strategy for matching scopes.
type Storage ¶
type Storage interface { ClientManager }
Storage defines fosite's minimal storage interface.
type TokenEndpointHandler ¶
type TokenEndpointHandler interface { // PopulateTokenEndpointResponse is responsible for setting return values and should only be executed if // the handler's HandleTokenEndpointRequest did not return ErrUnknownRequest. PopulateTokenEndpointResponse(ctx context.Context, req *http.Request, requester AccessRequester, responder AccessResponder) error // HandleTokenEndpointRequest handles an authorize request. If the handler is not responsible for handling // the request, this method should return ErrUnknownRequest and otherwise handle the request. HandleTokenEndpointRequest(ctx context.Context, req *http.Request, requester AccessRequester) error }
type TokenEndpointHandlers ¶
type TokenEndpointHandlers []TokenEndpointHandler
TokenEndpointHandlers is a list of TokenEndpointHandler
func (*TokenEndpointHandlers) Append ¶
func (t *TokenEndpointHandlers) Append(h TokenEndpointHandler)
Add adds an TokenEndpointHandler to this list. Ignores duplicates based on reflect.TypeOf.
type TokenValidator ¶ added in v0.2.0
type TokenValidators ¶ added in v0.2.0
type TokenValidators []TokenValidator
TokenValidators is a list of TokenValidator
func (*TokenValidators) Append ¶ added in v0.2.0
func (t *TokenValidators) Append(h TokenValidator)
Add adds an AccessTokenValidator to this list. Ignores duplicates based on reflect.TypeOf.
Source Files ¶
- access_error.go
- access_request.go
- access_request_handler.go
- access_response.go
- access_response_handler.go
- access_write.go
- arguments.go
- authorize_error.go
- authorize_helper.go
- authorize_request.go
- authorize_request_handler.go
- authorize_response.go
- authorize_response_handler.go
- authorize_write.go
- client.go
- client_manager.go
- context.go
- errors.go
- fosite.go
- handler.go
- helper.go
- oauth2.go
- request.go
- scope_strategy.go
- storage.go
- validator.go
Directories ¶
Path | Synopsis |
---|---|
handler
|
|
token
|
|
hmac
Package hmac is the default implementation for generating and validating challenges.
|
Package hmac is the default implementation for generating and validating challenges. |
jwt
Package jwt is able to generate and validate json web tokens.
|
Package jwt is able to generate and validate json web tokens. |