oauthx

package module
v0.1.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 24, 2024 License: MIT Imports: 34 Imported by: 0

README

oauthx a complete oauth2/oidc client library

implements:

  • rfc6749/openid-connect-core: OAuth2/OIDC Authorization code flow
  • rfc7636: PKCE and none auth method
  • rfc6772: OAuth2 Token Introspection
  • draft-ietf-oauth-jwt-introspection-response-03: JWT Response for OAuth Token Introspection
  • rfc7009: OAuth2 Token Revocation
  • rfc8414: OAuth 2.0 Authorization Server Metadata
  • rfc6749: OAuth2 RefreshToken
  • rfc6749: client_secret_basic, client_secret_post auth method
  • rfc7523: OAuth2 private_key_jwt
  • rfc9101: JAR (request= jwt parameter)
  • rfc9126: Pushed Authorization Request (request_uri parameter)
  • rfc9396: RAR (authorization_details)
  • openid-connect-core: 3.1.3.7. ID Token Validation
  • openid-connect-core: 3.1.3.8. Access Token Validation
  • openid-connect-core: 5.5. Requesting Claims using the "claims" Request Parameterclaims=
  • openid-connect-core: 5.3. UserInfo Endpoint
  • openid-connect-core: 5.1. Standard Claims
  • openid-connect-discovery: /.well-known/openid-configuration
  • openid-connect-rpinitiated: RP initiated logout (endSession)

WARNING: 🚧 still under construction 🚧

Inspired by

Documentation

Index

Constants

View Source 
const (
	TokenTypeAccessToken  = "access_token"
	TokenTypeRefreshToken = "refresh_token"
)
View Source 
const (
	PKCEMethodPlain = "plain"
	PKCEMethodS256  = "S256"
)

Constants defined in the RFC7636 https://datatracker.ietf.org/doc/html/rfc7636#section-4.1

Variables

View Source 
var (
	ErrRFC9396MissingRequiredType = errors.New("RFC9396  missing required 'type' in 'authorization_details' ")
)
View Source 
var (
	ErrValidationMissingAtHash = errors.New("id_token: missing 'at_hash' claims")
)

sentinel error

Functions

func GenerateAtHash 

func GenerateAtHash(accessToken string, h hash.Hash) string

GenerateAtHash generate the at_hash claim 

at_hash

	OPTIONAL.  Access Token hash value.  Its value is the base64url
	encoding of the left-most half of the hash of the octets of the
	ASCII representation of the "access_token" value, where the hash
	algorithm used is the hash algorithm used in the "alg" Header
	Parameter of the ID Token's JOSE Header.  For instance, if the
	"alg" is "RS256", hash the "access_token" value with SHA-256, then
	take the left-most 128 bits and base64url-encode them.  The
	"at_hash" value is a case-sensitive string.

func GenerateVerifier 

func GenerateVerifier() string

GenerateVerifier generates a PKCE code verifier with 32 octets of randomness. This follows recommendations in RFC 7636.

func NewNonce 

func NewNonce(size int) string

NewNonce generates a new base64-urlencoded nonce

func NewState 

func NewState(size int) string

NewState generates a new base64-urlencoded state

func PKCES256ChallengeFromVerifier 

func PKCES256ChallengeFromVerifier(verifier string) string

PKCES256ChallengeFromVerifier returns a PKCE code challenge derived from verifier with method S256.

Prefer to use S256ChallengeOption where possible.

func PlumbingAddParamToEndpoint 

func PlumbingAddParamToEndpoint(endpoint string, params url.Values) string

func RandString 

func RandString(nByte int) (string, error)

RandString generates a base64-urlencoded string from nByte random data

func RegisterAuthorizationDetail 

func RegisterAuthorizationDetail(iface AuthorizationDetailI)

RegisterAuthorizationDetail registers a struct implementing the oauthx.AuthorizationDetailI interface

Types

type AuthMethod 

type AuthMethod interface {
	// NewOAuthAuthenticatedRequest creates a new [*http.Request] for the [endpoint] of type [oauthEndpoint]
	// by adding the OAuth2 Credentials paramater for this [AuthMethod] to the OAuth2 Request [params]
	NewOAuthAuthenticatedRequest(oauthEndpoint OAuthAuthenticatedEndpoint, endpoint string, params url.Values) (*http.Request, error)
}

type AuthZRequest 

type AuthZRequest struct {
	// contains filtered or unexported fields
}

func NewAuthZRequest 

func NewAuthZRequest(opts ...OAuthOption) *AuthZRequest

func NewBaseAuthzRequest 

func NewBaseAuthzRequest() *AuthZRequest

NewBaseAuthzRequest create a new base AuthZRequest with resonable default:

  • nonce
  • state
  • response_type=code
  • pkce S256

func (*AuthZRequest) AddOpts added in v0.1.1 

func (r *AuthZRequest) AddOpts(opts ...OAuthOption)

type AuthorizationDetailI 

type AuthorizationDetailI interface {

	// type:
	//    An identifier for the authorization details type as a string.
	//    The value of the type field determines the allowable contents of
	//    the object that contains it.  The value is unique for the
	//    described API in the context of the AS.  This field is REQUIRED.
	GetRegisteredType() string

	// Factory returns a pointer to
	// the concrete struct implementing the
	// [oauthx.AuthorizationDetailI] interface
	Factory() AuthorizationDetailI

	// Validate validates the authorization
	// This is where you can enforce required field
	// for your custom authorization_details schema.
	Validate() error
}

type AuthorizationDetails 

type AuthorizationDetails []AuthorizationDetailI

AuthorizationDetails rfc9396 'authorization_details'. 

 The request parameter authorization_details contains, in JSON
 notation, an array of objects.  Each JSON object contains the data to
 specify the authorization requirements for a certain type of
 resource.  The type of resource or access requirement is determined
 by the type field, which is defined as follows:

 type:

	An identifier for the authorization details type as a string.
	The value of the type field determines the allowable contents of
	the object that contains it.  The value is unique for the
	described API in the context of the AS.  This field is REQUIRED.

 An authorization_details array MAY contain multiple entries of the
 same type.

func (*AuthorizationDetails) UnmarshalJSON 

func (ads *AuthorizationDetails) UnmarshalJSON(b []byte) error

UnmarshalJSON implements json.Unmarshaler interface

This will validate each json object within the json array have the required "type" (string) field.

For each "type" value, it will look for oauthx.RegisterAuthorizationDetail registered type

type AuthorizationRequest 

type AuthorizationRequest struct {
	Url     string
	ReqCtx  *OAuthContext
	PARResp *PushedAuthorizationRequestResponse
}

type ClientSecretBasic 

type ClientSecretBasic struct {
	ClientId     string
	ClientSecret string
}

ClientSecretBasic OAuth client_secret_basic Authentication method 

 client_secret_basic

	Clients that have received a "client_secret" value from the
	Authorization Server authenticate with the Authorization Server in
	accordance with Section 2.3.1 of OAuth 2.0 [RFC6749] using the
	HTTP Basic authentication scheme.

func NewBasicAuth 

func NewBasicAuth(clientId, secret string) *ClientSecretBasic

func (*ClientSecretBasic) NewOAuthAuthenticatedRequest 

func (a *ClientSecretBasic) NewOAuthAuthenticatedRequest(oauthEndpoint OAuthAuthenticatedEndpoint, endpoint string, params url.Values) (*http.Request, error)

type ClientSecretPost 

type ClientSecretPost struct {
	ClientId     string
	ClientSecret string
}

ClientSecretPost OAuth client_secret_post Authentication method 

 client_secret_post

	Clients that have received a "client_secret" value from the
	Authorization Server, authenticate with the Authorization Server
	in accordance with Section 2.3.1 of OAuth 2.0 [RFC6749] by
	including the Client Credentials in the request body.

func NewClientSecretPost 

func NewClientSecretPost(clientId, secret string) *ClientSecretPost

func (*ClientSecretPost) NewOAuthAuthenticatedRequest 

func (a *ClientSecretPost) NewOAuthAuthenticatedRequest(oauthEndpoint OAuthAuthenticatedEndpoint, endpoint string, params url.Values) (*http.Request, error)

type ECJWTSigner 

type ECJWTSigner struct {
	PrivateKey *ecdsa.PrivateKey
	PublicKey  *ecdsa.PublicKey
	Kid        string
	// contains filtered or unexported fields
}

ECJWTSigner an implementation of oauthx.OAuthPrivateKey and oauthx.JwtAdvertiser for ecdsa.PrivateKey

func NewECJWTSigner 

func NewECJWTSigner(k *ecdsa.PrivateKey, alg, staticKid string) (*ECJWTSigner, error)

NewECJWTSigner create a oauthx.ECJWTSigner from ecdsa.PrivateKey, with alg (MUST one of ES256,ES384, ES512).

if staticKid is empty generate a kid based on the bytes of the ecdsa.PublicKey

func (*ECJWTSigner) DecryptJWT 

func (k *ECJWTSigner) DecryptJWT(encryptedJwt, alg string) (string, error)

func (*ECJWTSigner) GetKid added in v0.1.1 

func (k *ECJWTSigner) GetKid() string

func (*ECJWTSigner) JWKS 

func (k *ECJWTSigner) JWKS() ([]byte, error)

JWKS is the JSON JWKS representation of the rsa.PublicKey

func (*ECJWTSigner) SignJWT 

func (k *ECJWTSigner) SignJWT(claims jwt.Claims) (string, error)

SignJWT signs jwt.Claims with the Keypair and returns a token string

func (*ECJWTSigner) SupportedDecryptAlg 

func (k *ECJWTSigner) SupportedDecryptAlg(alg string) bool

type EndSessionRequest 

type EndSessionRequest struct {
	// contains filtered or unexported fields
}

func NewEndSessionRequest 

func NewEndSessionRequest(opts ...OAuthOption) *EndSessionRequest

NewEndSessionRequest OpenID Connect RP-Initiated Logout Request

Example 

// create a OpenID Connect RP-Initiated Logout Request
req := oauthx.NewEndSessionRequest(
    // id_token_hint
    //    RECOMMENDED.  ID Token previously issued by the OP to the RP
    //    passed to the Logout Endpoint as a hint about the End-User's
    //    current authenticated session with the Client.  This is used as an
    //    indication of the identity of the End-User that the RP is
    //    requesting be logged out by the OP.
    oauthx.IdTokenHintOpt(idToken),
    // client_id
    //    OPTIONAL.  OAuth 2.0 Client Identifier valid at the Authorization
    //    Server.  When both "client_id" and "id_token_hint" are present,
    //    the OP MUST verify that the Client Identifier matches the one used
    //    when issuing the ID Token.  The most common use case for this
    //    parameter is to specify the Client Identifier when
    //    "post_logout_redirect_uri" is used but "id_token_hint" is not.
    //    Another use is for symmetrically encrypted ID Tokens used as
    //    "id_token_hint" values that require the Client Identifier to be
    //    specified by other means, so that the ID Tokens can be decrypted
    //    by the OP.
    oauthx.ClientIdOpt("my_client_id"),
    // post_logout_redirect_uri
    //    OPTIONAL.  URI to which the RP is requesting that the End-User's
    //    User Agent be redirected after a logout has been performed.  This
    //    URI SHOULD use the "https" scheme and MAY contain port, path, and
    //    query parameter components; however, it MAY use the "http" scheme,
    //    provided that the Client Type is "confidential", as defined in
    //    Section 2.1 of OAuth 2.0 [RFC6749], and provided the OP allows the
    //    use of "http" RP URIs.  The URI MAY use an alternate scheme, such
    //    as one that is intended to identify a callback into a native
    //    application.  The value MUST have been previously registered with
    //    the OP, either using the "post_logout_redirect_uris" Registration
    //    parameter or via another mechanism.  An "id_token_hint" is also
    //    RECOMMENDED when this parameter is included.
    oauthx.PostLogoutRedirectUriOpt("https://mydomain.com/post/logout"),
)

func (*EndSessionRequest) AddOpts added in v0.1.1 

func (r *EndSessionRequest) AddOpts(opts ...OAuthOption)

type EndSessionResponse 

type EndSessionResponse struct {
	// the post_logout_redirect_uri if provided in the request
	// of empty string "" otherwise
	Redirect string
}

EndSessionResponse response of OpenID Connect RP-Initiated Logout 1.0, 2. RP-Initiated Logout

type HttpErr 

type HttpErr struct {
	RespBody       []byte      `json:"resp_body"`
	StatusCode     int         `json:"status_code"`
	ResponseHeader http.Header `json:"res_headers"`
	Err            error       `json:"err"`
}

HttpErr error resulting from http call.

useful to have access to response header/response body in case of error for troubleshooting.

Use AsRFC6749Error() to try unmarshalling the response body into standard rfc6749 OAuth2 Error

func (HttpErr) AsRFC6749Error 

func (e HttpErr) AsRFC6749Error() (*RFC6749Error, error)

func (*HttpErr) Error 

func (e *HttpErr) Error() string

type IDToken 

type IDToken struct {

	// iss
	//    REQUIRED.  Issuer Identifier for the Issuer of the response.  The
	//    "iss" value is a case-sensitive URL using the "https" scheme that
	//    contains scheme, host, and optionally, port number and path
	//    components and no query or fragment components.
	Issuer string `json:"iss,omitempty" validate:"required"`

	// sub
	//    REQUIRED.  Subject Identifier.  A locally unique and never
	//    reassigned identifier within the Issuer for the End-User, which is
	//    intended to be consumed by the Client, e.g., "24400320" or
	//    "AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4".  It MUST NOT exceed 255
	//    ASCII [RFC20] characters in length.  The "sub" value is a case-
	//    sensitive string.
	Subject string `json:"sub,omitempty" validate:"required"`

	// aud
	//    REQUIRED.  Audience(s) that this ID Token is intended for.  It
	//    MUST contain the OAuth 2.0 "client_id" of the Relying Party as an
	//    audience value.  It MAY also contain identifiers for other
	//    audiences.  In the general case, the "aud" value is an array of
	//    case-sensitive strings.  In the common special case when there is
	//    one audience, the "aud" value MAY be a single case-sensitive
	//    string.
	Audience jwt.ClaimStrings `json:"aud,omitempty" validate:"required"`

	// exp
	//    REQUIRED.  Expiration time on or after which the ID Token MUST NOT
	//    be accepted by the RP when performing authentication with the OP.
	//    The processing of this parameter requires that the current date/
	//    time MUST be before the expiration date/time listed in the value.
	//    Implementers MAY provide for some small leeway, usually no more
	//    than a few minutes, to account for clock skew.  Its value is a
	//    JSON [RFC8259] number representing the number of seconds from
	//    1970-01-01T00:00:00Z as measured in UTC until the date/time.  See
	//    RFC 3339 [RFC3339] for details regarding date/times in general and
	//    UTC in particular.  NOTE: The ID Token expiration time is
	//    unrelated the lifetime of the authenticated session between the RP
	//    and the OP.
	ExpiresAt *jwt.NumericDate `json:"exp,omitempty" validate:"required"`

	// iat
	//    REQUIRED.  Time at which the JWT was issued.  Its value is a JSON
	//    number representing the number of seconds from 1970-01-
	//    01T00:00:00Z as measured in UTC until the date/time.
	IssuedAt *jwt.NumericDate `json:"iat,omitempty" validate:"required"`

	// auth_time
	//    Time when the End-User authentication occurred.  Its value is a
	//    JSON number representing the number of seconds from 1970-01-
	//    01T00:00:00Z as measured in UTC until the date/time.  When a
	//    "max_age" request is made or when "auth_time" is requested as an
	//    Essential Claim, then this Claim is REQUIRED; otherwise, its
	//    inclusion is OPTIONAL.  (The "auth_time" Claim semantically
	//    corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] "auth_time"
	//    response parameter.)
	AuthTime *jwt.NumericDate `json:"auth_time,omitempty" `

	// nonce
	//    String value used to associate a Client session with an ID Token,
	//    and to mitigate replay attacks.  The value is passed through
	//    unmodified from the Authentication Request to the ID Token.  If
	//    present in the ID Token, Clients MUST verify that the "nonce"
	//    Claim Value is equal to the value of the "nonce" parameter sent in
	//    the Authentication Request.  If present in the Authentication
	//    Request, Authorization Servers MUST include a "nonce" Claim in the
	//    ID Token with the Claim Value being the nonce value sent in the
	//    Authentication Request.  Authorization Servers SHOULD perform no
	//    other processing on "nonce" values used.  The "nonce" value is a
	//    case-sensitive string.
	Nonce string `json:"nonce,omitempty"`

	// acr
	//    OPTIONAL.  Authentication Context Class Reference.  String
	//    specifying an Authentication Context Class Reference value that
	//    identifies the Authentication Context Class that the
	//    authentication performed satisfied.  The value "0" indicates the
	//    End-User authentication did not meet the requirements of ISO/IEC
	//    29115 [ISO29115] level 1.  For historic reasons, the value "0" is
	//    used to indicate that there is no confidence that the same person
	//    is actually there.  Authentications with level 0 SHOULD NOT be
	//    used to authorize access to any resource of any monetary value.
	//    (This corresponds to the OpenID 2.0 PAPE [OpenID.PAPE]
	//    "nist_auth_level" 0.)  An absolute URI or an RFC 6711 [RFC6711]
	//    registered name SHOULD be used as the "acr" value; registered
	//    names MUST NOT be used with a different meaning than that which is
	//    registered.  Parties using this claim will need to agree upon the
	//    meanings of the values used, which may be context specific.  The
	//    "acr" value is a case-sensitive string.
	Acr string `json:"acr,omitempty"`

	// amr
	//    OPTIONAL.  Authentication Methods References.  JSON array of
	//    strings that are identifiers for authentication methods used in
	//    the authentication.  For instance, values might indicate that both
	//    password and OTP authentication methods were used.  The "amr"
	//    value is an array of case-sensitive strings.  Values used in the
	//    "amr" Claim SHOULD be from those registered in the IANA
	//    Authentication Method Reference Values registry [IANA.AMR]
	//    established by [RFC8176]; parties using this claim will need to
	//    agree upon the meanings of any unregistered values used, which may
	//    be context specific.
	Amr []string `json:"amr,omitempty"`

	// azp
	//    OPTIONAL.  Authorized party - the party to which the ID Token was
	//    issued.  If present, it MUST contain the OAuth 2.0 Client ID of
	//    this party.  The "azp" value is a case-sensitive string containing
	//    a StringOrURI value.  Note that in practice, the "azp" Claim only
	//    occurs when extensions beyond the scope of this specification are
	//    used; therefore, implementations not using such extensions are
	//    encouraged to not use "azp" and to ignore it when it does occur.
	Azp string `json:"azp,omitempty"`

	// at_hash
	//    OPTIONAL.  Access Token hash value.  Its value is the base64url
	//    encoding of the left-most half of the hash of the octets of the
	//    ASCII representation of the "access_token" value, where the hash
	//    algorithm used is the hash algorithm used in the "alg" Header
	//    Parameter of the ID Token's JOSE Header.  For instance, if the
	//    "alg" is "RS256", hash the "access_token" value with SHA-256, then
	//    take the left-most 128 bits and base64url-encode them.  The
	//    "at_hash" value is a case-sensitive string.
	AtHash string `json:"at_hash,omitempty"`

	// the `nbf` (Not Before) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5
	NotBefore *jwt.NumericDate `json:"nbf,omitempty"`

	// the `jti` (JWT ID) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7
	Jti string `json:"jti,omitempty"`

	// raw claims
	RawPayload []byte
	RawHeader  []byte
	RawSig     []byte

	RawToken       string
	RawSignedToken string

	Sig jose.Signature
}

openid-core-spec 2. ID Token 

The primary extension that OpenID Connect makes to OAuth 2.0 to
enable End-Users to be Authenticated is the ID Token data structure.
The ID Token is a security token that contains Claims about the
Authentication of an End-User by an Authorization Server when using a
Client, and potentially other requested Claims.  The ID Token is
represented as a JSON Web Token (JWT) [JWT].

The following Claims are used within the ID Token for all OAuth 2.0 flows used by OpenID Connect:

func (*IDToken) UnmarshallClaims 

func (t *IDToken) UnmarshallClaims(claims any) error

UnmarshallClaims json.Unmarshal jwt payload into custom claims struct.

Example: 

// try to parse idToken payload to extract
// openid standard claims set
var stdClaims oauthx.OpendIdStandardClaims
err := idToken.UnmarshallClaims(&stdClaims)
if err != nil {
    return err
}

func (*IDToken) Validate added in v0.1.1 

func (t *IDToken) Validate(ctx context.Context, opts ...IDTokenValidationFunc) error

Validate apply the oauthx.IDTokenValidationFunc validation opts in order

func (*IDToken) ValidateAccessTokenHash 

func (t *IDToken) ValidateAccessTokenHash(accessToken string) error

ValidateAccessTokenHash validate 'at_hash' claim at_hash 

OPTIONAL.  Access Token hash value.  Its value is the base64url
encoding of the left-most half of the hash of the octets of the
ASCII representation of the "access_token" value, where the hash
algorithm used is the hash algorithm used in the "alg" Header
Parameter of the ID Token's JOSE Header.  For instance, if the
"alg" is "RS256", hash the "access_token" value with SHA-256, then
take the left-most 128 bits and base64url-encode them.  The
"at_hash" value is a case-sensitive string.

type IDTokenParseOptFunc 

type IDTokenParseOptFunc func(opt *IDTokenParseOption)

func WithIDTokenParseOptCustomValidation 

func WithIDTokenParseOptCustomValidation(validationOpts ...IDTokenValidationFunc) IDTokenParseOptFunc

WithIDTokenParseOptCustomValidation replace defaults validations with the validationOpts

func WithIDTokenParseOptExtraValidation 

func WithIDTokenParseOptExtraValidation(extra ...IDTokenValidationFunc) IDTokenParseOptFunc

WithIDTokenParseOptExtraValidation adds extra validation to default validations oauthx.NewIDTokenDefaultValidation

func WithIDTokenParseOptRequiredEncryption 

func WithIDTokenParseOptRequiredEncryption() IDTokenParseOptFunc

WithIDTokenParseOptRequiredEncryption requires the oauthx.IDToken to be encrypted and supported by the oauthx.OAuthPrivateKey for this client

type IDTokenParseOption 

type IDTokenParseOption struct {
	// contains filtered or unexported fields
}

type IDTokenValidationFunc 

type IDTokenValidationFunc func(cxt context.Context, t *IDToken) error

func WithIDTokenAcrWhitelist 

func WithIDTokenAcrWhitelist(whitelist []string) IDTokenValidationFunc
  1. If the "acr" Claim was requested, the Client SHOULD check that the asserted Claim Value is appropriate. The meaning and processing of "acr" Claim Values is out of scope for this specification.

func WithIDTokenAuthTimeValidation 

func WithIDTokenAuthTimeValidation(maxDuration time.Duration) IDTokenValidationFunc

WithIDTokenAuthTimeValidation

  1. If the "auth_time" Claim was requested, either through a specific request for this Claim or by using the "max_age" parameter, the Client SHOULD check the "auth_time" Claim value and request re-authentication if it determines too much time has elapsed since the last End-User authentication.

func WithIDTokenExpirationValidation 

func WithIDTokenExpirationValidation() IDTokenValidationFunc

WithIDTokenExpirationValidation

  1. The current time MUST be before the time represented by the "exp" Claim.

  2. The "iat" Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is Client specific.

func WithIDTokenNonceValidation 

func WithIDTokenNonceValidation(nonce string) IDTokenValidationFunc

WithIDTokenNonceValidation

  1. If a nonce value was sent in the Authentication Request, a "nonce" Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check the "nonce" value for replay attacks. The precise method for detecting replay attacks is Client specific.

func WithIDTokenRequiredClaimsValidation 

func WithIDTokenRequiredClaimsValidation() IDTokenValidationFunc

WithIDTokenRequiredClaimsValidation validate the oauthx.IDToken struct fields tagged as 'validate:"required"'

type IntrospectionParseOptFunc 

type IntrospectionParseOptFunc func(opt *IntrospectionParseOption)

func WithIntrospectionParseDisableSignClaimValidation 

func WithIntrospectionParseDisableSignClaimValidation() IntrospectionParseOptFunc

func WithIntrospectionParseIgnoreStdClaims 

func WithIntrospectionParseIgnoreStdClaims() IntrospectionParseOptFunc

func WithIntrospectionParseOverrideSupportedSigAlg 

func WithIntrospectionParseOverrideSupportedSigAlg(alg []string) IntrospectionParseOptFunc

func WithIntrospectionParseRequiredEncryption 

func WithIntrospectionParseRequiredEncryption() IntrospectionParseOptFunc

func WithIntrospectionParseRequiredSignature 

func WithIntrospectionParseRequiredSignature() IntrospectionParseOptFunc

type IntrospectionParseOption 

type IntrospectionParseOption struct {
	// contains filtered or unexported fields
}

type IntrospectionRequest 

type IntrospectionRequest struct {
	// contains filtered or unexported fields
}

func NewIntrospectionRequest 

func NewIntrospectionRequest(opts ...OAuthOption) *IntrospectionRequest

NewIntrospectionRequest create a new introspection request with opts

Example: 

	req := oauthx.NewIntrospectionRequest(
        // token
        //
        //    REQUIRED.  The string value of the token.  For access tokens, this
        //    is the "access_token" value returned from the token endpoint
        //    defined in OAuth 2.0 [RFC6749], Section 5.1.  For refresh tokens,
        //    this is the "refresh_token" value returned from the token endpoint
        //    as defined in OAuth 2.0 [RFC6749], Section 5.1.  Other token types
        //    are outside the scope of this specification.
        oauthx.TokenOpt(token),
        // token_type_hint
        //
        //    OPTIONAL.  A hint about the type of the token submitted for
        //    introspection.  The protected resource MAY pass this parameter to
        //    help the authorization server optimize the token lookup.  If the
        //    server is unable to locate the token using the given hint, it MUST
        //    extend its search across all of its supported token types.  An
        //    authorization server MAY ignore this parameter, particularly if it
        //    is able to detect the token type automatically.  Values for this
        //    field are defined in the "OAuth Token Type Hints" registry defined
        //    in OAuth Token Revocation [RFC7009].
        oauthx.TokenTypeHintOpt(oauthx.TokenTypeAccessToken),

	)

rfc7662: Introspect Request

func (*IntrospectionRequest) AddOpts added in v0.1.1 

func (r *IntrospectionRequest) AddOpts(opts ...OAuthOption)

type IntrospectionResponse 

type IntrospectionResponse struct {
	// active
	//    REQUIRED.  Boolean indicator of whether or not the presented token
	//    is currently active.  The specifics of a token's "active" state
	//    will vary depending on the implementation of the authorization
	//    server and the information it keeps about its tokens, but a "true"
	//    value return for the "active" property will generally indicate
	//    that a given token has been issued by this authorization server,
	//    has not been revoked by the resource owner, and is within its
	//    given time window of validity (e.g., after its issuance time and
	//    before its expiration time).  See Section 4 for information on
	//    implementation of such checks.
	Active bool `json:"active"`

	// scope
	//    OPTIONAL.  A JSON string containing a space-separated list of
	//    scopes associated with this token, in the format described in
	//    Section 3.3 of OAuth 2.0 [RFC6749].
	Scope string `json:"scope,omitempty"`

	// client_id
	//    OPTIONAL.  Client identifier for the OAuth 2.0 client that
	//    requested this token.
	ClientId string `json:"client_id,omitempty"`

	// username
	//    OPTIONAL.  Human-readable identifier for the resource owner who
	//    authorized this token.
	Username string `json:"username,omitempty"`

	// token_type
	//    OPTIONAL.  Type of the token as defined in Section 5.1 of OAuth
	//    2.0 [RFC6749].
	TokenType string `json:"token_type,omitempty"`

	// exp
	//    OPTIONAL.  Integer timestamp, measured in the number of seconds
	//    since January 1 1970 UTC, indicating when this token will expire,
	//    as defined in JWT [RFC7519].
	ExpiresAt *jwt.NumericDate `json:"exp,omitempty" `

	// iat
	//    OPTIONAL.  Integer timestamp, measured in the number of seconds
	//    since January 1 1970 UTC, indicating when this token was
	//    originally issued, as defined in JWT [RFC7519].
	IssuedAt *jwt.NumericDate `json:"iat,omitempty" `

	// nbf
	//    OPTIONAL.  Integer timestamp, measured in the number of seconds
	//    since January 1 1970 UTC, indicating when this token is not to be
	//    used before, as defined in JWT [RFC7519].
	NotBefore *jwt.NumericDate `json:"nbf,omitempty"`

	// sub
	//    OPTIONAL.  Subject of the token, as defined in JWT [RFC7519].
	//    Usually a machine-readable identifier of the resource owner who
	//    authorized this token.
	Subject string `json:"sub,omitempty"`

	// aud
	//    OPTIONAL.  Service-specific string identifier or list of string
	//    identifiers representing the intended audience for this token, as
	//    defined in JWT [RFC7519].
	Audience jwt.ClaimStrings `json:"aud,omitempty"`

	// iss
	//    OPTIONAL.  String representing the issuer of this token, as
	//    defined in JWT [RFC7519].
	Issuer string `json:"iss,omitempty"`

	// jti
	//    OPTIONAL.  String identifier for the token, as defined in JWT
	//    [RFC7519].
	Jti string `json:"jti,omitempty"`

	// raw claims
	RawPayload []byte
	RawHeader  []byte
	RawSig     []byte

	RawToken       string
	RawSignedToken string

	Sig jose.Signature
}

2.2. Introspection Response

func (*IntrospectionResponse) UnmarshallClaims 

func (r *IntrospectionResponse) UnmarshallClaims(claims any) error

type IntrospectionStandardClaims 

type IntrospectionStandardClaims struct {
	// active
	//    REQUIRED.  Boolean indicator of whether or not the presented token
	//    is currently active.  The specifics of a token's "active" state
	//    will vary depending on the implementation of the authorization
	//    server and the information it keeps about its tokens, but a "true"
	//    value return for the "active" property will generally indicate
	//    that a given token has been issued by this authorization server,
	//    has not been revoked by the resource owner, and is within its
	//    given time window of validity (e.g., after its issuance time and
	//    before its expiration time).  See Section 4 for information on
	//    implementation of such checks.
	Active bool `json:"active"`

	// scope
	//    OPTIONAL.  A JSON string containing a space-separated list of
	//    scopes associated with this token, in the format described in
	//    Section 3.3 of OAuth 2.0 [RFC6749].
	Scope string `json:"scope,omitempty"`

	// client_id
	//    OPTIONAL.  Client identifier for the OAuth 2.0 client that
	//    requested this token.
	ClientId string `json:"client_id,omitempty"`

	// username
	//    OPTIONAL.  Human-readable identifier for the resource owner who
	//    authorized this token.
	Username string `json:"username,omitempty"`

	// token_type
	//    OPTIONAL.  Type of the token as defined in Section 5.1 of OAuth
	//    2.0 [RFC6749].
	TokenType string `json:"token_type,omitempty"`

	// exp
	//    OPTIONAL.  Integer timestamp, measured in the number of seconds
	//    since January 1 1970 UTC, indicating when this token will expire,
	//    as defined in JWT [RFC7519].
	ExpiresAt *jwt.NumericDate `json:"exp,omitempty" `

	// iat
	//    OPTIONAL.  Integer timestamp, measured in the number of seconds
	//    since January 1 1970 UTC, indicating when this token was
	//    originally issued, as defined in JWT [RFC7519].
	IssuedAt *jwt.NumericDate `json:"iat,omitempty" `

	// nbf
	//    OPTIONAL.  Integer timestamp, measured in the number of seconds
	//    since January 1 1970 UTC, indicating when this token is not to be
	//    used before, as defined in JWT [RFC7519].
	NotBefore *jwt.NumericDate `json:"nbf,omitempty"`

	// sub
	//    OPTIONAL.  Subject of the token, as defined in JWT [RFC7519].
	//    Usually a machine-readable identifier of the resource owner who
	//    authorized this token.
	Subject string `json:"sub,omitempty"`

	// aud
	//    OPTIONAL.  Service-specific string identifier or list of string
	//    identifiers representing the intended audience for this token, as
	//    defined in JWT [RFC7519].
	Audience jwt.ClaimStrings `json:"aud,omitempty"`

	// iss
	//    OPTIONAL.  String representing the issuer of this token, as
	//    defined in JWT [RFC7519].
	Issuer string `json:"iss,omitempty"`

	// jti
	//    OPTIONAL.  String identifier for the token, as defined in JWT
	//    [RFC7519].
	Jti string `json:"jti,omitempty"`
}

type JWKSet 

type JWKSet interface {
	VerifySignature(ctx context.Context, sig *jose.JSONWebSignature) error
}

type JwtAdvertiser 

type JwtAdvertiser interface {
	GetKid() string        // return active kid
	JWKS() ([]byte, error) // marshal of JWKS
}

type None 

type None struct {
	ClientId string
}

None auth method from OpenID Connect Discovery 1.0 

 none

	The Client does not authenticate itself at the Token Endpoint,
	either because it uses only the Implicit Flow (and so does not use
	the Token Endpoint) or because it is a Public Client with no
	Client Secret or other authentication mechanism.

func NewAuthMethodNone 

func NewAuthMethodNone(clientId string) *None

NewAuthMethodNone creates a None auth method

if clientId is not empty then always adds "client_id=" parameter

func (*None) NewOAuthAuthenticatedRequest 

func (a *None) NewOAuthAuthenticatedRequest(oauthEndpoint OAuthAuthenticatedEndpoint, endpoint string, params url.Values) (*http.Request, error)

type OAuthAuthenticatedEndpoint 

type OAuthAuthenticatedEndpoint int
const (
	PushedAuthorizationRequestEndpoint OAuthAuthenticatedEndpoint = iota
	TokenEndpoint
	IntrospectionEndpoint
	RevocationEndpoint
)

func (OAuthAuthenticatedEndpoint) String 

func (e OAuthAuthenticatedEndpoint) String() string

type OAuthClient 

type OAuthClient struct {
	ClientId string
	// contains filtered or unexported fields
}

func NewOAuthClient 

func NewOAuthClient(clientId string, wk *WellKnownConfiguration, opts ...OAuthClientOptFunc) *OAuthClient

NewOAuthClient create a new oauthx.OAuthClient with options

Example: 

// you should create your own *http.Client especially for
// production
httpClient := client_http.GenerateMyCustomHttpClient()
//
// create a context with trace-id header, for
// making the initial WellKnown http request
ctx := context.Background()
traceId := uuid.New().String()
ctx = tracing.ContextWithTraceID(ctx, "x-trace-id", traceId)
//
// fetch the '/.well-known/openid-configuration' metadata
issuer := "https://my.authorization.server.com"
wk, err = oauthx.NewWellKnownOpenidConfiguration(ctx, issuer, httpClient)
if err != nil {
    return nil, fmt.Errorf("oidc wellknown: %w", err)
}
//
// create a AuthMethod
clientId := "my_client_id"
auth := oauthx.NewClientSecretPost(clientId, "my-super-secure-secret")
//
// finally create the OAuthClient, with some options
client := oauthx.NewOAuthClient(clientId, wk,
    // settting the auth method
    oauthx.WithAuthMethod(auth),
    // setting the production http.Client
    oauthx.WithHttpClient(httpClient),
)

func (*OAuthClient) DoAuthorizationRequest 

func (c *OAuthClient) DoAuthorizationRequest(ctx context.Context, authz *AuthZRequest) (*AuthorizationRequest, error)

DoAuthorizationRequest make authorization code flow request

Example: 

// NewBaseAuthzRequest create a new base AuthZRequest with
// resonable default:
//  - nonce
//  - state
//  - response_type=code
//  - pkce S256
req := oauthx.NewBaseAuthzRequest()
// add client specific options
req.AddOpts(
	oauthx.ClientIdOpt("my_client_id"),
	oauthx.RedirectUriOpt("https://my.domain.com/callback"),
	oauthx.ScopeOpt([]string{"openid", "profile", "email"}),
)
// let's make the authorization request via PAR.
// Some options are not related to specific oauth parameter
// but how the DoAuthorizationRequest() function should behave
req.AddOpts(
	// sends authorization request options via
	// pushed authorization endpoint and
	// only use client_id and request_uri for
	// redirect to the authorization_endpoint
	oauthx.WithPushedAuthotizationRequest(),
)
// now let's make the authorzation request
// (if using options shuch as WithPushedAuthotizationRequest()
// this will make an acutual http request), then this will
// generate the authorization url use to redirect the user to the
// Authorization Server, a OauthContext (containing relevant parameter
// that may be required to make the associated token request: pkce code_verifier,
// redirect_uri, client_id, etc).
authRequest, err := client.DoAuthorizationRequest(ctx, req)
if err != nil {
	// handle err
	return err
}
// authRequest.Url is the authorization request url

implements rfc6749 authorization code flow, rfc9126, rfc9101

func (*OAuthClient) DoEndSessionRequest 

func (c *OAuthClient) DoEndSessionRequest(ctx context.Context, r *EndSessionRequest) (*EndSessionResponse, error)

DoEndSessionRequest

OpenID Connect RP-Initiated Logout 1.0, 2. RP-Initiated Logout 

An RP requests that the OP log out the End-User by redirecting the
End-User's User Agent to the OP's Logout Endpoint.  This URL is
normally obtained via the "end_session_endpoint" element of the OP's
Discovery response or may be learned via other mechanisms.

Example 

// create a OpenID Connect RP-Initiated Logout Request
req := oauthx.NewEndSessionRequest(
    // id_token_hint
    //    RECOMMENDED.  ID Token previously issued by the OP to the RP
    //    passed to the Logout Endpoint as a hint about the End-User's
    //    current authenticated session with the Client.  This is used as an
    //    indication of the identity of the End-User that the RP is
    //    requesting be logged out by the OP.
    oauthx.IdTokenHintOpt(idToken),
    // client_id
    //    OPTIONAL.  OAuth 2.0 Client Identifier valid at the Authorization
    //    Server.  When both "client_id" and "id_token_hint" are present,
    //    the OP MUST verify that the Client Identifier matches the one used
    //    when issuing the ID Token.  The most common use case for this
    //    parameter is to specify the Client Identifier when
    //    "post_logout_redirect_uri" is used but "id_token_hint" is not.
    //    Another use is for symmetrically encrypted ID Tokens used as
    //    "id_token_hint" values that require the Client Identifier to be
    //    specified by other means, so that the ID Tokens can be decrypted
    //    by the OP.
    oauthx.ClientIdOpt("my_client_id"),
    // post_logout_redirect_uri
    //    OPTIONAL.  URI to which the RP is requesting that the End-User's
    //    User Agent be redirected after a logout has been performed.  This
    //    URI SHOULD use the "https" scheme and MAY contain port, path, and
    //    query parameter components; however, it MAY use the "http" scheme,
    //    provided that the Client Type is "confidential", as defined in
    //    Section 2.1 of OAuth 2.0 [RFC6749], and provided the OP allows the
    //    use of "http" RP URIs.  The URI MAY use an alternate scheme, such
    //    as one that is intended to identify a callback into a native
    //    application.  The value MUST have been previously registered with
    //    the OP, either using the "post_logout_redirect_uris" Registration
    //    parameter or via another mechanism.  An "id_token_hint" is also
    //    RECOMMENDED when this parameter is included.
    oauthx.PostLogoutRedirectUriOpt("https://mydomain.com/post/logout"),
)
//
// send endSession request
resp, err := client.DoEndSessionRequest(ctx,req)
if err != nil {
    return err
}
// resp.Redirect is the redirect to the post_logout_redirect_uri

func (*OAuthClient) DoIntrospectionRequest 

func (c *OAuthClient) DoIntrospectionRequest(ctx context.Context, r *IntrospectionRequest, opts ...IntrospectionParseOptFunc) (*IntrospectionResponse, error)

DoIntrospectionRequest

Example: 

// create new introspect request
req := oauthx.NewIntrospectionRequest(
    oauthx.TokenOpt(token), // the token to introspect
)
// make introspect request with the OAuthClient client
// using the default opts
resp, err := client.DoIntrospectionRequest(ctx, req)
if err != nil {
    // handle err
    return err
}

Implements rfc7662, draft-ietf-oauth-jwt-introspection-response-03

func (*OAuthClient) DoRevokeRequest 

func (c *OAuthClient) DoRevokeRequest(ctx context.Context, r *RevokeRequest) error

DoRevokeRequest

Example: 

req := oauthx.NewRevokeRequest(
    oauthx.TokenOpt(token),
    oauthx.TokenTypeHintOpt(oauthx.TokenTypeRefreshToken),
)

err := c.client.DoRevokeRequest(ctx, req)
if err != nil {
    // handle err
    return err
}

implements rfc7009

func (*OAuthClient) DoTokenRequest 

func (c *OAuthClient) DoTokenRequest(ctx context.Context, tr *TokenRequest) (*TokenResponse, error)

func (*OAuthClient) DoUserinfoRequest 

func (c *OAuthClient) DoUserinfoRequest(ctx context.Context, accessToken string, opts ...UserinfoParseOptFunc) (*Userinfo, error)

5.3.1. UserInfo Request 

The Client sends the UserInfo Request using either HTTP "GET" or HTTP
"POST".  The Access Token obtained from an OpenID Connect
Authentication Request MUST be sent as a Bearer Token, per Section 2
of OAuth 2.0 Bearer Token Usage [RFC6750].

It is RECOMMENDED that the request use the HTTP "GET" method and the
Access Token be sent using the "Authorization" header field.

Use 'oauthx.WithUserinfoHttpMethod(http.MethodPost)' when creating OAuthClient to use POST instead of GET method when calling userinfo

5.3.2. Successful UserInfo Response 

The UserInfo Claims MUST be returned as the members of a JSON object
unless a signed or encrypted response was requested during Client
Registration.  The Claims defined in Section 5.1 can be returned, as
can additional Claims not specified there.

For privacy reasons, OpenID Providers MAY elect to not return values
for some requested Claims.  It is not an error condition to not
return a requested Claim.

If a Claim is not returned, that Claim Name SHOULD be omitted from
the JSON object representing the Claims; it SHOULD NOT be present
with a null or empty string value.

The "sub" (subject) Claim MUST always be returned in the UserInfo
Response.

Upon receipt of the UserInfo Request, the UserInfo Endpoint MUST
return the JSON Serialization of the UserInfo Response as in
Section 13.3 in the HTTP response body unless a different format was
specified during Registration [OpenID.Registration].  The UserInfo
Endpoint MUST return a content-type header to indicate which format
is being returned.  The content-type of the HTTP response MUST be
"application/json" if the response body is a text JSON object; the
response body SHOULD be encoded using UTF-8.

If the UserInfo Response is signed and/or encrypted, then the Claims
are returned in a JWT and the content-type MUST be "application/jwt".
The response MAY be encrypted without also being signed.  If both
signing and encryption are requested, the response MUST be signed
then encrypted, with the result being a Nested JWT, as defined in
[JWT].

Use 'oauthx.WithUserinfoParseRequiredEncryption()' and/or 'oauthx.WithUserinfoParseRequiredSignature()' to required jwt encrypted and/or signed. 

If signed, the UserInfo Response MUST contain the Claims "iss"
(issuer) and "aud" (audience) as members.  The "iss" value MUST be
the OP's Issuer Identifier URL.  The "aud" value MUST be or include
the RP's Client ID value.

Use 'oauthx.WithUserinfoParseDisableSignClaimValidation()' to disbale 'iss' and 'aud' claims validation

func (*OAuthClient) GetAuthzRequestOptions 

func (c *OAuthClient) GetAuthzRequestOptions() []OAuthOption

GetAuthzRequestOptions return static otpions configured for this client

func (*OAuthClient) GetJWKSet 

func (c *OAuthClient) GetJWKSet() JWKSet

func (*OAuthClient) GetOAuthPrivateKey 

func (c *OAuthClient) GetOAuthPrivateKey() OAuthPrivateKey

func (*OAuthClient) GetWellknown 

func (c *OAuthClient) GetWellknown() *WellKnownConfiguration

func (*OAuthClient) NewClientBaseAuthzRequest added in v0.1.1 

func (c *OAuthClient) NewClientBaseAuthzRequest(extra ...OAuthOption) *AuthZRequest

NewBaseAuthzRequest make new oauthx.AuthZRequest based on option passed with oauthx.WithStaticAuthzRequestOpt during client creation.

Then adds the extra opt OAuthOption

func (*OAuthClient) NewIDTokenDefaultValidation 

func (c *OAuthClient) NewIDTokenDefaultValidation(extraOpts ...IDTokenValidationFunc) []IDTokenValidationFunc

NewIDTokenDefaultValidation creates default validation options for IDToken validation

func (*OAuthClient) ParseIDToken 

func (c *OAuthClient) ParseIDToken(ctx context.Context, idToken string, parseOpts ...IDTokenParseOptFunc) (*IDToken, error)

ParseIDToken parse and validate the idToken string, using OAuthClient.NewIDTokenDefaultValidation by default or override validation options from the parseOpts

func (*OAuthClient) PlumbingDoHttpEndSessionRequest 

func (c *OAuthClient) PlumbingDoHttpEndSessionRequest(ctx context.Context, req *http.Request) (_ *EndSessionResponse, err error)

func (*OAuthClient) PlumbingDoHttpIntrospectionRequest 

func (c *OAuthClient) PlumbingDoHttpIntrospectionRequest(ctx context.Context, req *http.Request, opts ...IntrospectionParseOptFunc) (_ *IntrospectionResponse, err error)

func (*OAuthClient) PlumbingDoHttpPARRequest 

func (c *OAuthClient) PlumbingDoHttpPARRequest(ctx context.Context, req *http.Request) (_ *PushedAuthorizationRequestResponse, err error)

func (*OAuthClient) PlumbingDoHttpRevocationRequest 

func (c *OAuthClient) PlumbingDoHttpRevocationRequest(ctx context.Context, req *http.Request) (err error)

func (*OAuthClient) PlumbingDoHttpTokenRequest 

func (c *OAuthClient) PlumbingDoHttpTokenRequest(ctx context.Context, req *http.Request) (_ *TokenResponse, err error)

func (*OAuthClient) PlumbingDoHttpUserinfoRequest 

func (c *OAuthClient) PlumbingDoHttpUserinfoRequest(ctx context.Context, req *http.Request, opts ...UserinfoParseOptFunc) (_ *Userinfo, err error)

func (*OAuthClient) PlumbingGenerateAuthZRequestParam 

func (c *OAuthClient) PlumbingGenerateAuthZRequestParam(req *AuthZRequest) (url.Values, error)

func (*OAuthClient) PlumbingGenerateAuthorizationUrl 

func (c *OAuthClient) PlumbingGenerateAuthorizationUrl(params url.Values) string

func (*OAuthClient) PlumbingGenerateEndSessionRequestParam 

func (c *OAuthClient) PlumbingGenerateEndSessionRequestParam(req *EndSessionRequest) (url.Values, error)

func (*OAuthClient) PlumbingGenerateIntrospectionRequestParam 

func (c *OAuthClient) PlumbingGenerateIntrospectionRequestParam(req *IntrospectionRequest) (url.Values, error)

func (*OAuthClient) PlumbingGenerateRFC9101RequestJwt 

func (c *OAuthClient) PlumbingGenerateRFC9101RequestJwt(claims map[string]interface{}) (string, error)

func (*OAuthClient) PlumbingGenerateRevokeRequestParam 

func (c *OAuthClient) PlumbingGenerateRevokeRequestParam(req *RevokeRequest) (url.Values, error)

func (*OAuthClient) PlumbingGenerateTokenRequestParam 

func (c *OAuthClient) PlumbingGenerateTokenRequestParam(req *TokenRequest) (url.Values, error)

func (*OAuthClient) PlumbingNewHttpEndSessionRequest 

func (c *OAuthClient) PlumbingNewHttpEndSessionRequest(params url.Values) (*http.Request, error)

func (*OAuthClient) PlumbingNewHttpIntrospectionRequest 

func (c *OAuthClient) PlumbingNewHttpIntrospectionRequest(params url.Values) (*http.Request, error)

func (*OAuthClient) PlumbingNewHttpPARRequest 

func (c *OAuthClient) PlumbingNewHttpPARRequest(params url.Values) (*http.Request, error)

func (*OAuthClient) PlumbingNewHttpRevocationRequest 

func (c *OAuthClient) PlumbingNewHttpRevocationRequest(params url.Values) (*http.Request, error)

func (*OAuthClient) PlumbingNewHttpTokenRequest 

func (c *OAuthClient) PlumbingNewHttpTokenRequest(params url.Values) (*http.Request, error)

func (*OAuthClient) PlumbingNewHttpUserinfoRequest 

func (c *OAuthClient) PlumbingNewHttpUserinfoRequest(ctx context.Context, accessToken string) (*http.Request, error)

func (*OAuthClient) WithIDTokenAudianceValidation 

func (c *OAuthClient) WithIDTokenAudianceValidation() IDTokenValidationFunc

WithIDTokenAudianceValidation

  1. The Client MUST validate that the "aud" (audience) Claim contains its "client_id" value registered at the Issuer identified by the "iss" (issuer) Claim as an audience. The "aud" (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.

func (*OAuthClient) WithIDTokenAuthorizePartyValidation 

func (c *OAuthClient) WithIDTokenAuthorizePartyValidation() IDTokenValidationFunc

WithIDTokenAuthorizePartyValidation

  1. If the implementation is using extensions (which are beyond the scope of this specification) that result in the "azp" (authorized party) Claim being present, it SHOULD validate the "azp" value as specified by those extensions.
  2. This validation MAY include that when an "azp" (authorized party) Claim is present, the Client SHOULD verify that its "client_id" is the Claim Value.

func (*OAuthClient) WithIDTokenIssuerValidation 

func (c *OAuthClient) WithIDTokenIssuerValidation() IDTokenValidationFunc

WithIDTokenIssuerValidation

  1. The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the "iss" (issuer) Claim.

func (*OAuthClient) WithIDTokenSignatureValidation 

func (c *OAuthClient) WithIDTokenSignatureValidation(overrideSupportedAlg []string) IDTokenValidationFunc

WithIDTokenSignatureValidation

  1. If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature. The Client MUST validate the signature of all other ID Tokens according to JWS [JWS] using the algorithm specified in the JWT "alg" Header Parameter. The Client MUST use the keys provided by the Issuer.
  2. The "alg" value SHOULD be the default of "RS256" or the algorithm sent by the Client in the "id_token_signed_response_alg" parameter during Registration.

type OAuthClientOptFunc 

type OAuthClientOptFunc func(*OAuthClient)

func WithAuthMethod 

func WithAuthMethod(method AuthMethod) OAuthClientOptFunc

WithAuthMethod set the oauthx.AuthMethod for this client

default to oauthx.None

func WithEndSessionHttpMethod 

func WithEndSessionHttpMethod(method string) OAuthClientOptFunc

WithEndSessionHttpMethod override the default http.MethodGet for making endSession request

func WithHttpClient 

func WithHttpClient(client *http.Client) OAuthClientOptFunc

WithHttpClient override the default http.DefaultClient for this oauthx.OAuthClient

func WithKeySet 

func WithKeySet(ks JWKSet) OAuthClientOptFunc

WithKeySet override the default oauthx.RemoteJWKSet from the 'jwks_uri' endpoint of the WellKknown

func WithOAuthPrivateKey 

func WithOAuthPrivateKey(key OAuthPrivateKey) OAuthClientOptFunc

WithOAuthPrivateKey set the oauthx.OAuthPrivateKey for this client used to generate 'request=' jwt parameter, decrypt eventually encrytped userinfo, introspect, id_token jwt.

func WithRFC9101JarJwtTTL 

func WithRFC9101JarJwtTTL(ttl time.Duration) OAuthClientOptFunc

WithRFC9101JarJwtTTL set the time to live for the 'request=' jwt parameter when using oauthx.WithGeneratedRequestJWT or oauthx.WithStrictGeneratedRequestJWT

func WithStaticAuthzRequestOpt 

func WithStaticAuthzRequestOpt(opt ...OAuthOption) OAuthClientOptFunc

WithStaticAuthzRequestOpt add static oauthx.OAuthOption that can be used to contruct a new oauthx.AuthZRequest with oauthx.NewClientBaseAuthzRequest

func WithUserinfoHttpMethod 

func WithUserinfoHttpMethod(method string) OAuthClientOptFunc

WithUserinfoHttpMethod override the default http.MethodGet for making userinfo request

type OAuthContext 

type OAuthContext struct {
	ClientId         string `json:"client_id"`
	Nonce            string `json:"nonce"`
	State            string `json:"state"`
	PKCECodeVerifier string `json:"code_verifier"`
	Scope            string `json:"scope"`
	AcrValues        string `json:"acr_values"`
	RedirectUri      string `json:"redirect_uri"`

	WithRFC9126Par                        bool
	WithRFC9101Request                    bool
	WithStrictRequiredAuthorizationParams bool
}

type OAuthOption 

type OAuthOption interface {
	// SetValue set querystring paramater
	SetValue(url.Values)
	// SetClaim set RFC9101 'request' jwt claim
	SetClaim(map[string]interface{})
	// SetRequestContext save option in request context
	SetRequestContext(oauthCtx *OAuthContext)
}

OAuthOption a OAuth2 request parameter option

func AcrValuesOpt 

func AcrValuesOpt(acrValues []string) OAuthOption

AcrValuesOpt format acrValues as a space separated string set 'acr_values=' parameter in parameter in request jwt as claims, and in oauthx.OAuthContext

func AuthorizationCodeGrantTypeOpt 

func AuthorizationCodeGrantTypeOpt() OAuthOption

AuthorizationCodeGrantTypeOpt set 'grant_type=authorization_code' as parameter and request jwt claims

func AuthorizationDetailsParamaterOpt added in v0.1.1 

func AuthorizationDetailsParamaterOpt(authDetails AuthorizationDetails) OAuthOption

AuthorizationDetailsParamaterOpt add rfc9396 'authorization_details=' parameter as a JSON parameter.

JSON will be stringify if passed as query string parameter, and kept as JSON object in request= jwt

func ClaimsParameterOpt 

func ClaimsParameterOpt(claims *OpenIdRequestedClaimsParam) OAuthOption

5.5. Requesting Claims using the "claims" Request Parameter 

OpenID Connect defines the following Authorization Request parameter
to enable requesting individual Claims and specifying parameters that
apply to the requested Claims:

claims
   OPTIONAL.  This parameter is used to request that specific Claims
   be returned.  The value is a JSON object listing the requested
   Claims.

The "claims" Authentication Request parameter requests that specific Claims be returned from the UserInfo Endpoint and/or in the ID Token. It is represented as a JSON object containing lists of Claims being requested from these locations. Properties of the Claims being requested MAY also be specified.

claim parameter is passed using oauthx.SetOAuthJSONParam

func ClientIdOpt 

func ClientIdOpt(clientId string) OAuthOption

ClientIdOpt set 'client_id=' parameter in parameter in request jwt as claims, and in oauthx.OAuthContext

func CodeOpt 

func CodeOpt(code string) OAuthOption

CodeOpt set 'code=' parameter

func GrantTypeOpt 

func GrantTypeOpt(grant string) OAuthOption

GrantTypeOpt set 'grant_type=' as parameter and request jwt claims

func IdTokenHintOpt 

func IdTokenHintOpt(idToken string) OAuthOption

IdTokenHintOpt set 'id_token_hint=' parameter for OIDC RP Initiated Logout

func LogoutHintOpt 

func LogoutHintOpt(hint string) OAuthOption

LogoutHintOpt set 'logout_hint=' parameter

func NonceOpt 

func NonceOpt() OAuthOption

NonceOpt generate and set 'nonce=' parameter in parameter in request jwt as claims, and in oauthx.OAuthContext

func PKCEOpt added in v0.1.1 

func PKCEOpt() OAuthOption

PKCEOpt generates a new verifier and adds pkce option with method S256.

func PKCES256ChallengeOpt 

func PKCES256ChallengeOpt(verifier string) OAuthOption

PKCES256ChallengeOpt derives a PKCE code challenge derived from verifier with method S256.

func PKCEVerifierOpt 

func PKCEVerifierOpt(verifier string) OAuthOption

VerifierOption returns a PKCE code verifier AuthCodeOption

func PlumbingRequestUriOpt 

func PlumbingRequestUriOpt(requestUri string) OAuthOption

func PostLogoutRedirectUriOpt 

func PostLogoutRedirectUriOpt(uri string) OAuthOption

LogoutHintOpt set 'post_logout_redirect_uri=' parameter for OIDC RP Initiated Logout

func RFC9101RequestOpt 

func RFC9101RequestOpt(token string) OAuthOption

RFC9101RequestOpt set rfc9101 'request' jwt as parameter only

CANNOT be used with oauthx.WithGeneratedRequestJWT

func RedirectUriOpt 

func RedirectUriOpt(redirectUri string) OAuthOption

RedirectUriOpt set 'redirect_uri=' parameter in parameter in request jwt as claims, and in oauthx.OAuthContext

func RefreshTokenGrantTypeOpt 

func RefreshTokenGrantTypeOpt() OAuthOption

RefreshTokenGrantTypeOpt set 'grant_type=refresh_token' parameter

func RefreshTokenOpt 

func RefreshTokenOpt(token string) OAuthOption

RefreshTokenOpt set 'refresh_token=' parameter

func ResponseTypeCodeOpt 

func ResponseTypeCodeOpt() OAuthOption

ResponseTypeCodeOpt set response_type=code in both param and request jwt

func ScopeOpt 

func ScopeOpt(scopes []string) OAuthOption

ScopeOpt format scopes as a space separated string set 'scope=' parameter in parameter in request jwt as claims, and in oauthx.OAuthContext

func SetNonceOpt 

func SetNonceOpt(nonce string) OAuthOption

SetNonceOpt set 'nonce=' parameter in parameter in request jwt as claims, and in oauthx.OAuthContext

func SetOAuthClaimOnly 

func SetOAuthClaimOnly(key string, value interface{}) OAuthOption

SetOAuthClaimOnly set parameter key/value only in request jwt (see oauthx.WithGeneratedRequestJWT)

ONLY for oauthx.AuthZRequest

func SetOAuthJSONParam 

func SetOAuthJSONParam(key string, value interface{}) OAuthOption

SetOAuthJSONParam when passed at parameter the value is json.Unmarshall as a string, but when parameter key is passed in request jwt it is kept as json object

func SetOAuthParam 

func SetOAuthParam(key, value string) OAuthOption

SetOAuthParam set key/value as both query parameter and claims in the request jwt (see oauthx.WithGeneratedRequestJWT).

This also stores in the value in the oauthx.OAuthContext for the following key:

  • "client_id"
  • "redirect_uri"
  • "nonce"
  • "state"
  • "scope"
  • "acr_values"

When used for oauthx.AuthZRequest

func SetOAuthParamOnly 

func SetOAuthParamOnly(key, value string) OAuthOption

SetOAuthParamOnly set parameter key/value only as parameter (and not in the request jwt)

func SetStateOpt 

func SetStateOpt(state string) OAuthOption

SetStateOpt set 'state=' parameter in parameter in request jwt as claims, and in oauthx.OAuthContext

func StateOpt 

func StateOpt() OAuthOption

StateOpt generate a new state and set 'state=' parameter in parameter in request jwt as claims, and in oauthx.OAuthContext

func TokenOpt 

func TokenOpt(token string) OAuthOption

TokenOpt set 'token=' parameter

func TokenTypeHintOpt 

func TokenTypeHintOpt(tokenType string) OAuthOption

TokenTypeHintOpt set 'token_type_hint=' parameter

func UILocalesOpt 

func UILocalesOpt(uiLocales []string) OAuthOption

UILocalesOpt format uiLocales as a space separated string set 'ui_locales=' parameter in parameter in request jwt as claims, and in oauthx.OAuthContext

func WithGeneratedRequestJWT 

func WithGeneratedRequestJWT() OAuthOption

WithGeneratedRequestJWT rfc9101 generate the 'request' jwt parameter inluding the claims defined with the SetClaim() function from the oauthx.OAuthOption interface

ONLY for oauthx.AuthZRequest

func WithPushedAuthotizationRequest 

func WithPushedAuthotizationRequest() OAuthOption

WithPushedAuthotizationRequest rfc9126 make authorization request via pushed authorization endpoint, and use the 'request_uri' , 'client_id' for the authorization_endpoint

ONLY for oauthx.AuthZRequest

func WithStrictGeneratedRequestJWT added in v0.1.1 

func WithStrictGeneratedRequestJWT(keep ...string) OAuthOption

WithStrictGeneratedRequestJWT rfc9101 generate the 'request' jwt parameter inluding the claims defined with the SetClaim() function from the oauthx.OAuthOption interface.

AND will remove all other previsouly set parameter not in the keep list. use []string{} to remove all param other than authentication paramater and the 'request='.

WARNING use as last option

ONLY for oauthx.AuthZRequest

func WithStrictRequiredAuthorizationParams added in v0.1.1 

func WithStrictRequiredAuthorizationParams() OAuthOption

WithStrictRequiredAuthorizationParams

Use this option with oauthx.WithPushedAuthotizationRequest or oauthx.WithStrictGeneratedRequestJWT to still include the following required oauth2/oidc paramater on the authorization endpoint, alongside 'request=' or 'request_uri=' parameter.

RCF6749 (OAuth2 ) and OIDC standard requires mandatory parameter present RCF6749 Section 4.1.1

  • response_type
  • client_id

openid core spec:

  • scope (MUST includes 'openid')
  • redirect_uri

type OAuthPrivateKey 

type OAuthPrivateKey interface {
	SignJWT(claims jwt.Claims) (string, error)           // signs jwt claims
	SupportedDecryptAlg(alg string) bool                 // return true if alg is suppported for decryption
	DecryptJWT(encryptedJwt, alg string) (string, error) // decrypt jwt
}

OAuthPrivateKey interface for signing jwt

func NewOAuthPrivateKey 

func NewOAuthPrivateKey(key crypto.PrivateKey, alg, staticKid string) (OAuthPrivateKey, error)

NewJwtSigner create a OAuthPrivateKey for the correspond key type

supported key tupes are rsa.PrivateKey and ecdsa.PrivateKey

Set [staticKid] to "" (empty string) to generate kid based on public key

type OpenIdRequestedClaim 

type OpenIdRequestedClaim struct {
	//    essential
	//       OPTIONAL.  Indicates whether the Claim being requested is an
	//       Essential Claim.  If the value is "true", this indicates that
	//       the Claim is an Essential Claim.
	// The default is "false".
	Essential bool `json:"essential,omitempty"`

	// value
	//    OPTIONAL.  Requests that the Claim be returned with a
	//    particular value.
	Value interface{} `json:"value,omitempty"`

	// values
	//    OPTIONAL.  Requests that the Claim be returned with one of a
	//    set of values, with the values appearing in order of
	//    preference.  This is processed equivalently to a "value"
	//    request, except that a choice of acceptable Claim values is
	//    provided.
	Values []interface{} `json:"values,omitempty"`
}

5.5.1. Individual Claims Requests

JSON Object 

Used to provide additional information about the Claim being
requested.  This specification defines the following members:

func NewOpenIdRequestedClaim 

func NewOpenIdRequestedClaim(essential bool, values []interface{}) *OpenIdRequestedClaim

func (*OpenIdRequestedClaim) GetValues 

func (c *OpenIdRequestedClaim) GetValues() []interface{}

type OpenIdRequestedClaimsParam added in v0.1.1 

type OpenIdRequestedClaimsParam struct {

	// userinfo
	//    OPTIONAL.  Requests that the listed individual Claims be returned
	//    from the UserInfo Endpoint.  If present, the listed Claims are
	//    being requested to be added to any Claims that are being requested
	//    using "scope" values.  If not present, the Claims being requested
	//    from the UserInfo Endpoint are only those requested using "scope"
	//    values.
	//    When the "userinfo" member is used, the request MUST also use a
	//    "response_type" value that results in an Access Token being issued
	//    to the Client for use at the UserInfo Endpoint.
	Userinfo map[string]*OpenIdRequestedClaim `json:"userinfo,omitempty"`

	// id_token
	//    OPTIONAL.  Requests that the listed individual Claims be returned
	//    in the ID Token.  If present, the listed Claims are being
	//    requested to be added to the default Claims in the ID Token.  If
	//    not present, the default ID Token Claims are requested, as per the
	//    ID Token definition in Section 2 and per the additional per-flow
	//    ID Token requirements in Sections 3.1.3.6, 3.2.2.10, 3.3.2.11, and
	//    3.3.3.6.
	IDToken map[string]*OpenIdRequestedClaim `json:"id_token,omitempty"`
}

5.5. Requesting Claims using the "claims" Request Parameter

type OpenIdStandardClaimAddress 

type OpenIdStandardClaimAddress struct {
	// Full mailing address, formatted for display or use on a mailing label. This field MAY contain multiple lines, separated by newlines.
	// Newlines can be represented either as a carriage return/line feed pair ("\r\n") or as a single line feed character ("\n").
	Formatted string `json:"formatted,omitempty"`

	// Full street address component, which MAY include house number, street name, Post Office Box, and multi-line extended
	// street address information. This field MAY contain multiple lines, separated by newlines. Newlines can be represented either
	// as a carriage return/line feed pair ("\r\n") or as a single line feed character ("\n").
	StreetAddress string `json:"street_address,omitempty"`

	// City or locality component.
	Locality string `json:"locality,omitempty"`
	// State, province, prefecture, or region component.
	Region string `json:"region,omitempty"`

	// Zip code or postal code component.
	PostalCode string `json:"postal_code,omitempty"`

	// Country name component.
	Country string `json:"country,omitempty"`
}

openid-core-spec 5.1.1. Address Claim 

The Address Claim represents a physical mailing address.
Implementations MAY return only a subset of the fields of an
"address", depending upon the information available and the End-
User's privacy preferences.  For example, the "country" and "region"
might be returned without returning more fine-grained address
information.

Implementations MAY return just the full address as a single string
in the formatted sub-field, or they MAY return just the individual
component fields using the other sub-fields, or they MAY return both.
If both variants are returned, they SHOULD represent the same
address, with the formatted address indicating how the component
fields are combined.

All the address values defined below are represented as JSON strings.

type OpendIdStandardClaims 

type OpendIdStandardClaims struct {

	//  Subject - Identifier for the End-User at the Issuer.
	Sub string `json:"sub,omitempty"`

	// End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to
	// the End-User's locale and preferences.
	Name string `json:"name,omitempty"`

	// Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names;
	// all can be present, with the names being separated by space characters.
	GivenName string `json:"given_name,omitempty"`

	// Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name;
	// all can be present, with the names being separated by space characters.
	FamilyName string `json:"family_name,omitempty"`

	// Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present,
	// with the names being separated by space characters. Also note that in some cultures, middle names are not used.
	MiddleName string `json:"middle_name,omitempty"`

	// Casual name of the End-User that may or may not be the same as the given_name.
	Nickname string `json:"nickname,omitempty"`

	// Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string
	// including special characters such as @, /, or whitespace. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.
	PreferredUsername string `json:"preferred_username,omitempty"`

	// URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.
	Profile string `json:"profile,omitempty"`

	// URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file),
	// rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User
	// suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.
	Picture string `json:"picture,omitempty"`

	// URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization
	// that the End-User is affiliated with.
	Website string `json:"website,omitempty"`

	// End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax.
	// The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.
	Email string `json:"email,omitempty"`

	// True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that
	// the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the
	// verification was performed. The means by which an e-mail address is verified is context specific, and dependent
	// upon the trust framework or contractual agreements within which the parties are operating.
	EmailVerified bool `json:"email_verified,omitempty"`

	// End-User's gender. Values defined by this specification are female and male.
	// Other values MAY be used when neither of the defined values are applicable.
	Gender string `json:"gender,omitempty"`

	// End-User's birthday, represented as an ISO 8601-1 [ISO8601‑1] YYYY-MM-DD format. The year MAY be 0000, indicating
	// that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying
	// platform's date related function, providing just year can result in varying month and day, so the implementers
	// need to take this factor into account to correctly process the dates.
	Birthdate string `json:"birthdate,omitempty"`

	// String from IANA Time Zone Database [IANA.time‑zones] representing the End-User's time zone.
	// For example, Europe/Paris or America/Los_Angeles.
	Zoneinfo string `json:"zoneinfo,omitempty"`

	// End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639 Alpha-2 [ISO639] language code
	// in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA.
	// As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US;
	// Relying Parties MAY choose to accept this locale syntax as well.
	Locale string `json:"locale,omitempty"`

	// End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim,
	// for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension,
	// it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax,
	// for example, +1 (604) 555-1234;ext=5678.
	PhoneNumber string `json:"phone_number,omitempty"`

	// True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the
	// OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed.
	// The means by which a phone number is verified is context specific, and dependent upon the trust framework or contractual agreements
	// within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and
	// any extensions MUST be represented in RFC 3966 format.
	PhoneNumberVerified bool `json:"phone_number_verified,omitempty"`

	// End-User's preferred postal address. The value of the address member is a JSON [RFC8259] structure containing
	// some or all of the members defined in Section 5.1.1.
	Address *OpenIdStandardClaimAddress `json:"address,omitempty"`

	// Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds
	// from 1970-01-01T00:00:00Z as measured in UTC until the date/time.
	UpdatedAt *jwt.NumericDate `json:"updated_at,omitempty"`
}

openid-core-spec 5.1. Standard Claims

This specification defines a set of standard Claims. They can be requested to be returned either in the UserInfo Response, per Section 5.3.2, or in the ID Token, per Section 2.

type PrivateKeyJwt 

type PrivateKeyJwt struct {
	ClientId string
	// contains filtered or unexported fields
}

PrivateKeyJwt from OpenID Connect Discovery 1.0 

private_key_jwt
   Clients that have registered a public key sign a JWT using that
   key.  The Client authenticates in accordance with JSON Web Token
   (JWT) Profile for OAuth 2.0 Client Authentication and
   Authorization Grants [OAuth.JWT] and Assertion Framework for OAuth
   2.0 Client Authentication and Authorization Grants
   [OAuth.Assertions].  The JWT MUST contain the following REQUIRED
   Claim Values and MAY contain the following OPTIONAL Claim Values:

   iss
      REQUIRED.  Issuer.  This MUST contain the "client_id" of the
      OAuth Client.

   sub
      REQUIRED.  Subject.  This MUST contain the "client_id" of the
      OAuth Client.

   aud
      REQUIRED.  Audience.  The "aud" (audience) Claim.  Value that
      identifies the Authorization Server as an intended audience.
      The Authorization Server MUST verify that it is an intended
      audience for the token.  The Audience SHOULD be the URL of the
      Authorization Server's Token Endpoint.

   jti
      REQUIRED.  JWT ID.  A unique identifier for the token, which
      can be used to prevent reuse of the token.  These tokens MUST
      only be used once, unless conditions for reuse were negotiated
      between the parties; any such negotiation is beyond the scope
      of this specification.

   exp
      REQUIRED.  Expiration time on or after which the JWT MUST NOT
      be accepted for processing.

   iat
      OPTIONAL.  Time at which the JWT was issued.

   The JWT MAY contain other Claims.  Any Claims used that are not
   understood MUST be ignored.

   The authentication token MUST be sent as the value of the
   [OAuth.Assertions] "client_assertion" parameter.

   The value of the [OAuth.Assertions] "client_assertion_type"
   parameter MUST be
   "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", per
   [OAuth.JWT].

func NewPrivateKeyJwt 

func NewPrivateKeyJwt(clientId string, signer OAuthPrivateKey, opts ...PrivateKeyJwtOptFunc) *PrivateKeyJwt

NewPrivateKeyJwt creates a new 'private_key_jwt' authmethod

func (*PrivateKeyJwt) GenerateJwtProfileAssertion 

func (a *PrivateKeyJwt) GenerateJwtProfileAssertion(endpointType OAuthAuthenticatedEndpoint, endpoint string) (string, error)

func (*PrivateKeyJwt) NewOAuthAuthenticatedRequest 

func (a *PrivateKeyJwt) NewOAuthAuthenticatedRequest(oauthEndpoint OAuthAuthenticatedEndpoint, endpoint string, params url.Values) (*http.Request, error)

type PrivateKeyJwtOptFunc 

type PrivateKeyJwtOptFunc func(*PrivateKeyJwt)

func WithPrivateKeyJwtAlternativeEndpointAudiance added in v0.1.1 

func WithPrivateKeyJwtAlternativeEndpointAudiance(endpoint OAuthAuthenticatedEndpoint, aud string) PrivateKeyJwtOptFunc

WithPrivateKeyJwtPushedAuthorizationRequestEndpointAudiance set the 'aud' claims the jwt assertion to the aud for the endpoint

func WithPrivateKeyJwtAlwaysIncludeClientIdParam added in v0.1.1 

func WithPrivateKeyJwtAlwaysIncludeClientIdParam() PrivateKeyJwtOptFunc

WithPrivateKeyJwtAlwaysIncludeClientIdParam always add the 'client_id=' parameter along side the 'client_assertion=' and 'client_assertion_type='

func WithPrivateKeyJwtEndpointAsAudiance added in v0.1.1 

func WithPrivateKeyJwtEndpointAsAudiance() PrivateKeyJwtOptFunc

WithPrivateKeyJwtEndpointAsAudiance set the 'aud' claims the jwt assertion to the current endpoint of the request

Since it cannot be used with oauthx.WithPrivateKeyJwtFixedAudiance it resets any fixed audiance previously set

func WithPrivateKeyJwtFixedAudiance added in v0.1.1 

func WithPrivateKeyJwtFixedAudiance(aud string) PrivateKeyJwtOptFunc

WithPrivateKeyJwtFixedAudiance set the 'aud' claims the jwt assertion to the aud for all endpoint

typically aud should be the issuer

Since it cannot be used with oauthx.WithPrivateKeyJwtEndpointAsAudiance it disables WithPrivateKeyJwtEndpointAsAudiance option

func WithPrivateKeyJwtTTL added in v0.1.1 

func WithPrivateKeyJwtTTL(ttl time.Duration) PrivateKeyJwtOptFunc

WithPrivateKeyJwtTTL used to set the "exp" claims default ttl is 5 minutes

type PushedAuthorizationRequestResponse 

type PushedAuthorizationRequestResponse struct {

	// request_uri
	//    The request URI corresponding to the authorization request posted.
	//    This URI is a single-use reference to the respective request data
	//    in the subsequent authorization request.  The way the
	//    authorization process obtains the authorization request data is at
	//    the discretion of the authorization server and is out of scope of
	//    this specification.  There is no need to make the authorization
	//    request data available to other parties via this URI.
	RequestUri string `json:"request_uri"`

	// expires_in
	//    A JSON number that represents the lifetime of the request URI in
	//    seconds as a positive integer.  The request URI lifetime is at the
	//    discretion of the authorization server but will typically be
	//    relatively short (e.g., between 5 and 600 seconds).
	ExpiresIn int `json:"expires_in"`

	// raw json body
	Raw json.RawMessage
	// contains filtered or unexported fields
}

func (*PushedAuthorizationRequestResponse) GetExpiration 

func (resp *PushedAuthorizationRequestResponse) GetExpiration() time.Time

type RFC6749Error 

type RFC6749Error struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description,omitempty"`
	ErrorUri         string `json:"error_uri,omitempty"`
}

5.2. Error Response 

 The authorization server responds with an HTTP 400 (Bad Request)
 status code (unless specified otherwise) and includes the following
 parameters with the response:
 error
       REQUIRED.  A single ASCII [USASCII] error code from the
       following:

       invalid_request
             The request is missing a required parameter, includes an
             unsupported parameter value (other than grant type),
             repeats a parameter, includes multiple credentials,
             utilizes more than one mechanism for authenticating the
             client, or is otherwise malformed.

       invalid_client
             Client authentication failed (e.g., unknown client, no
             client authentication included, or unsupported
             authentication method).  The authorization server MAY
             return an HTTP 401 (Unauthorized) status code to indicate
             which HTTP authentication schemes are supported.  If the
             client attempted to authenticate via the "Authorization"
             request header field, the authorization server MUST
             respond with an HTTP 401 (Unauthorized) status code and
             include the "WWW-Authenticate" response header field
             matching the authentication scheme used by the client.

       invalid_grant
             The provided authorization grant (e.g., authorization
             code, resource owner credentials) or refresh token is
             invalid, expired, revoked, does not match the redirection
             URI used in the authorization request, or was issued to
             another client.

       unauthorized_client
             The authenticated client is not authorized to use this
             authorization grant type.

       unsupported_grant_type
             The authorization grant type is not supported by the
             authorization server.

      invalid_scope
            The requested scope is invalid, unknown, malformed, or
            exceeds the scope granted by the resource owner.

      Values for the "error" parameter MUST NOT include characters
      outside the set %x20-21 / %x23-5B / %x5D-7E.

error_description
      OPTIONAL.  Human-readable ASCII [USASCII] text providing
      additional information, used to assist the client developer in
      understanding the error that occurred.
      Values for the "error_description" parameter MUST NOT include
      characters outside the set %x20-21 / %x23-5B / %x5D-7E.

error_uri
      OPTIONAL.  A URI identifying a human-readable web page with
      information about the error, used to provide the client
      developer with additional information about the error.
      Values for the "error_uri" parameter MUST conform to the
      URI-reference syntax and thus MUST NOT include characters
      outside the set %x21 / %x23-5B / %x5D-7E.

The parameters are included in the entity-body of the HTTP response
using the "application/json" media type as defined by [RFC4627].  The
parameters are serialized into a JSON structure by adding each
parameter at the highest structure level.  Parameter names and string
values are included as JSON strings.  Numerical values are included
as JSON numbers.  The order of parameters does not matter and can
vary.

type RSAJWTSigner 

type RSAJWTSigner struct {
	PrivateKey *rsa.PrivateKey
	PublicKey  *rsa.PublicKey
	Kid        string
	// contains filtered or unexported fields
}

RSAJWTSigner an implementation of oauthx.OAuthPrivateKey and oauthx.JwtAdvertiser for rsa.PrivateKey

func NewRSAJWTSigner 

func NewRSAJWTSigner(k *rsa.PrivateKey, alg, staticKid string) (*RSAJWTSigner, error)

NewRSAJWTSigner create a oauthx.ECJWTSigner from rsa.PrivateKey, with alg (MUST one of RS256,RS384, RS512).

if staticKid is empty generate a kid based on the bytes of the rsa.PublicKey

func (*RSAJWTSigner) DecryptJWT 

func (k *RSAJWTSigner) DecryptJWT(encryptedJwt, alg string) (string, error)

DecryptJWT decrypt jwt

func (*RSAJWTSigner) GetKid added in v0.1.1 

func (k *RSAJWTSigner) GetKid() string

func (*RSAJWTSigner) JWKS 

func (k *RSAJWTSigner) JWKS() ([]byte, error)

JWKS is the JSON JWKS representation of the rsa.PublicKey

func (*RSAJWTSigner) SignJWT 

func (k *RSAJWTSigner) SignJWT(claims jwt.Claims) (string, error)

SignJWT signs jwt.Claims with the Keypair and returns a token string

func (*RSAJWTSigner) SupportedDecryptAlg 

func (k *RSAJWTSigner) SupportedDecryptAlg(alg string) bool

type RemoteJWKSet 

type RemoteJWKSet struct {
	JwksUri string
	// contains filtered or unexported fields
}

RemoteJWKSet implements the oauthx.JWKSet interface.

It will fetch and cache the Jwks from the remote jwks_uri endpoint.

func NewRemoteJWKSet 

func NewRemoteJWKSet(jwksUri string, opts ...RemoteJWKSetOptFunc) *RemoteJWKSet

func (*RemoteJWKSet) VerifySignature 

func (ks *RemoteJWKSet) VerifySignature(ctx context.Context, sig *jose.JSONWebSignature) error

type RemoteJWKSetOptFunc 

type RemoteJWKSetOptFunc func(ks *RemoteJWKSet)

func WithRemoteJWKSetAlwaysSyncOnErr 

func WithRemoteJWKSetAlwaysSyncOnErr() RemoteJWKSetOptFunc

func WithRemoteJWKSetHttpClient 

func WithRemoteJWKSetHttpClient(client *http.Client) RemoteJWKSetOptFunc

type RevokeRequest 

type RevokeRequest struct {
	// contains filtered or unexported fields
}

func NewRevokeRequest 

func NewRevokeRequest(opts ...OAuthOption) *RevokeRequest

NewRevokeRequest creates a new revocation request

Example 

req := oauthx.NewRevokeRequest(
    // token   REQUIRED.  The token that the client wants to get revoked.
    oauthx.TokenOpt(token),
    // token_type_hint  OPTIONAL.  A hint about the type of the token
    //         submitted for revocation.  Clients MAY pass this parameter in
    //         order to help the authorization server to optimize the token
    //         lookup.  If the server is unable to locate the token using
    //         the given hint, it MUST extend its search across all of its
    //         supported token types.  An authorization server MAY ignore
    //         this parameter, particularly if it is able to detect the
    //         token type automatically.  This specification defines two
    //         such values:
    //         * access_token: An access token as defined in [RFC6749],
    //           Section 1.4
    //         * refresh_token: A refresh token as defined in [RFC6749],
    //           Section 1.5
    oauthx.TokenTypeHintOpt(oauthx.TokenTypeRefreshToken),
)

rfc7009

func (*RevokeRequest) AddOpts added in v0.1.1 

func (r *RevokeRequest) AddOpts(opts ...OAuthOption)

type TokenRequest 

type TokenRequest struct {
	// contains filtered or unexported fields
}

TokenRequest a token_endpoint request

func NewAuthorizationCodeGrantTokenRequest 

func NewAuthorizationCodeGrantTokenRequest(code string, reqCtx *OAuthContext) *TokenRequest

NewAuthorizationCodeGrantTokenRequest creates a token_endpoint request for the authorization code flow with

and the following option if present in the oauthx.OAuthContext:

func NewRefreshTokenGrantTokenRequest 

func NewRefreshTokenGrantTokenRequest(token string) *TokenRequest

NewRefreshTokenGrantTokenRequest creates a token_endpoint request for the refresh token flow with:

func NewTokenRequest 

func NewTokenRequest(opts ...OAuthOption) *TokenRequest

func (*TokenRequest) AddOpts added in v0.1.1 

func (r *TokenRequest) AddOpts(opts ...OAuthOption)

func (*TokenRequest) Validate 

func (r *TokenRequest) Validate() error

Validate validate that the token request contains the required parameter based on the "grant_type"

type TokenResponse 

type TokenResponse struct {
	//    access_token
	//          REQUIRED.  The access token issued by the authorization server.
	AccessToken string `json:"access_token"`
	//    token_type
	//          REQUIRED.  The type of the token issued as described in
	//          Section 7.1.  Value is case insensitive.
	TokenType string `json:"token_type"`
	//    expires_in
	//          RECOMMENDED.  The lifetime in seconds of the access token.  For
	//          example, the value "3600" denotes that the access token will
	//          expire in one hour from the time the response was generated.
	//          If omitted, the authorization server SHOULD provide the
	//          expiration time via other means or document the default value.
	//
	ExpiresIn expirationTime `json:"expires_in,omitempty"`
	//    refresh_token
	//          OPTIONAL.  The refresh token, which can be used to obtain new
	//          access tokens using the same authorization grant as described
	//          in Section 6.
	RefreshToken string `json:"refresh_token,omitempty"`
	//    scope
	//          OPTIONAL, if identical to the scope requested by the client;
	//          otherwise, REQUIRED.  The scope of the access token as
	//          described by Section 3.3.
	Scope string `json:"scope,omitempty"`

	// OpenID Connect Core 1.0
	// 3.1.3.3.  Successful Token Response
	// id_token
	//    ID Token value associated with the authenticated session.
	IDToken string `json:"id_token,omitempty"`
	// raw json body
	Raw json.RawMessage
	// contains filtered or unexported fields
}

5.1. Successful Response 

The authorization server issues an access token and optional refresh
token, and constructs the response by adding the following parameters
to the entity-body of the HTTP response with a 200 (OK) status code:

access_token
      REQUIRED.  The access token issued by the authorization server.

token_type
      REQUIRED.  The type of the token issued as described in
      Section 7.1.  Value is case insensitive.

expires_in
      RECOMMENDED.  The lifetime in seconds of the access token.  For
      example, the value "3600" denotes that the access token will
      expire in one hour from the time the response was generated.
      If omitted, the authorization server SHOULD provide the
      expiration time via other means or document the default value.

refresh_token
      OPTIONAL.  The refresh token, which can be used to obtain new
      access tokens using the same authorization grant as described
      in Section 6.

scope
      OPTIONAL, if identical to the scope requested by the client;
      otherwise, REQUIRED.  The scope of the access token as
      described by Section 3.3.

The parameters are included in the entity-body of the HTTP response
using the "application/json" media type as defined by [RFC4627].  The
parameters are serialized into a JavaScript Object Notation (JSON)
structure by adding each parameter at the highest structure level.
Parameter names and string values are included as JSON strings.
Numerical values are included as JSON numbers.  The order of
parameters does not matter and can vary.

The authorization server MUST include the HTTP "Cache-Control"
response header field [RFC2616] with a value of "no-store" in any
response containing tokens, credentials, or other sensitive
information, as well as the "Pragma" response header field [RFC2616]
with a value of "no-cache".

OpenID Connect Core 1.0 3.1.3.3. Successful Token Response id_token 

ID Token value associated with the authenticated session.

func (*TokenResponse) GetExpiration 

func (resp *TokenResponse) GetExpiration() time.Time

type UnregisteredAuthorizationDetail 

type UnregisteredAuthorizationDetail struct {
	json.RawMessage
}

UnregisteredAuthorizationDetail a json.RawMessage wrapper that implements the oauthx.AuthorizationDetailI interface

func (UnregisteredAuthorizationDetail) Factory 

func (ad UnregisteredAuthorizationDetail) Factory() AuthorizationDetailI

func (UnregisteredAuthorizationDetail) GetRegisteredType 

func (ad UnregisteredAuthorizationDetail) GetRegisteredType() string

func (UnregisteredAuthorizationDetail) Validate 

func (ad UnregisteredAuthorizationDetail) Validate() error

type Userinfo 

type Userinfo struct {
	//    The "sub" (subject) Claim MUST always be returned in the UserInfo
	Sub string `json:"sub,omitempty" validate:"required"`

	// raw properties
	RawPayload []byte

	// if as jwt
	RawHeader []byte
	RawSig    []byte

	RawToken       string
	RawSignedToken string

	Sig jose.Signature
}

func (*Userinfo) UnmarshallClaims 

func (u *Userinfo) UnmarshallClaims(claims any) error

type UserinfoParseOptFunc 

type UserinfoParseOptFunc func(opt *UserinfoParseOption)

func WithUserinfoParseDisableSignClaimValidation 

func WithUserinfoParseDisableSignClaimValidation() UserinfoParseOptFunc

func WithUserinfoParseOverrideSupportedSigAlg 

func WithUserinfoParseOverrideSupportedSigAlg(alg []string) UserinfoParseOptFunc

func WithUserinfoParseRequiredEncryption 

func WithUserinfoParseRequiredEncryption() UserinfoParseOptFunc

func WithUserinfoParseRequiredSignature 

func WithUserinfoParseRequiredSignature() UserinfoParseOptFunc

type UserinfoParseOption 

type UserinfoParseOption struct {
	// contains filtered or unexported fields
}

type WellKnownConfiguration 

type WellKnownConfiguration struct {

	// REQUIRED.  The authorization server's issuer identifier, which is
	// a URL that uses the "https" scheme and has no query or fragment
	// components.  Authorization server metadata is published at a
	// location that is ".well-known" according to RFC 5785 [RFC5785]
	// derived from this issuer identifier, as described in Section 3.
	// The issuer identifier is used to prevent authorization server mix-
	// up attacks, as described in "OAuth 2.0 Mix-Up Mitigation"
	// [MIX-UP].
	Issuer string `json:"issuer,omitempty"  validate:"required"`

	// URL of the authorization server's authorization endpoint
	// [RFC6749].  This is REQUIRED unless no grant types are supported
	// that use the authorization endpoint.
	AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"  `

	// OPTIONAL.  URL of the authorization server's JWK Set [JWK]
	// document.  The referenced document contains the signing key(s) the
	// client uses to validate signatures from the authorization server.
	// This URL MUST use the "https" scheme.  The JWK Set MAY also
	// contain the server's encryption key or keys, which are used by
	// clients to encrypt requests to the server.  When both signing and
	// encryption keys are made available, a "use" (public key use)
	// parameter value is REQUIRED for all keys in the referenced JWK Set
	// to indicate each key's intended usage.
	JwksUri string `json:"jwks_uri,omitempty"  `

	// RECOMMENDED.  URL of the OP's UserInfo Endpoint [OpenID.Core].
	// This URL MUST use the "https" scheme and MAY contain port, path,
	// and query parameter components.
	UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"  `

	// OPTIONAL.  URL of the authorization server's OAuth 2.0 Dynamic
	// Client Registration endpoint [RFC7591].
	RegistrationEndpoint string `json:"registration_endpoint,omitempty"  `

	// RECOMMENDED.  JSON array containing a list of the OAuth 2.0
	// [RFC6749] "scope" values that this authorization server supports.
	// Servers MAY choose not to advertise some supported scope values
	// even when this parameter is used.
	ScopesSupported []string `json:"scopes_supported,omitempty"  `

	// REQUIRED.  JSON array containing a list of the OAuth 2.0
	// "response_type" values that this authorization server supports.
	// The array values used are the same as those used with the
	// "response_types" parameter defined by "OAuth 2.0 Dynamic Client
	// Registration Protocol" [RFC7591].
	ResponseTypesSupported []string `json:"response_types_supported,omitempty"  `

	// OPTIONAL.  JSON array containing a list of the OAuth 2.0
	// "response_mode" values that this authorization server supports, as
	// specified in "OAuth 2.0 Multiple Response Type Encoding Practices"
	// [OAuth.Responses].  If omitted, the default is "["query",
	// "fragment"]".  The response mode value "form_post" is also defined
	// in "OAuth 2.0 Form Post Response Mode" [OAuth.Post].
	ResponseModeSupported []string `json:"response_modes_supported,omitempty"  `

	// OPTIONAL.  JSON array containing a list of the OAuth 2.0 grant
	// type values that this authorization server supports.  The array
	// values used are the same as those used with the "grant_types"
	// parameter defined by "OAuth 2.0 Dynamic Client Registration
	// Protocol" [RFC7591].  If omitted, the default value is
	// "["authorization_code", "implicit"]".
	GrantTypesSupported []string `json:"grant_types_supported,omitempty"  `

	// OPTIONAL.  JSON array containing a list of Proof Key for Code
	// Exchange (PKCE) [RFC7636] code challenge methods supported by this
	// authorization server.  Code challenge method values are used in
	// the "code_challenge_method" parameter defined in Section 4.3 of
	// [RFC7636].  The valid code challenge method values are those
	// registered in the IANA "PKCE Code Challenge Methods" registry
	// [IANA.OAuth.Parameters].  If omitted, the authorization server
	// does not support PKCE.
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`

	// OPTIONAL.  JSON array containing a list of the Authentication
	// Context Class References that this OP supports.
	AcrValuesSupported []string `json:"acr_values_supported,omitempty"  `

	// REQUIRED.  JSON array containing a list of the Subject Identifier
	// types that this OP supports.  Valid types include "pairwise" and
	// "public".
	SubjectTypesSupported []string `json:"subject_types_supported,omitempty"  `

	// REQUIRED.  JSON array containing a list of the JWS signing
	// algorithms ("alg" values) supported by the OP for the ID Token to
	// encode the Claims in a JWT [JWT].  The algorithm "RS256" MUST be
	// included.  The value "none" MAY be supported but MUST NOT be used
	// unless the Response Type used returns no ID Token from the
	// Authorization Endpoint (such as when using the Authorization Code
	// Flow).
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"  `

	// OPTIONAL.  JSON array containing a list of the JWE encryption
	// algorithms ("enc" values) supported by the OP for the ID Token to
	// encode the Claims in a JWT [JWT].
	IDTokenEncryptionAlgValuesSupported []string `json:"id_token_encryption_alg_values_supported,omitempty"  `

	// OPTIONAL.  JSON array containing a list of the JWE encryption
	// algorithms ("enc" values) supported by the OP for the ID Token to
	// encode the Claims in a JWT [JWT].
	IDTokenEncryptionEncValuesSupported []string `json:"id_token_encryption_enc_values_supported,omitempty"  `

	// OPTIONAL.  JSON array containing a list of the JWS [JWS] signing
	// algorithms ("alg" values) [JWA] supported by the UserInfo Endpoint
	// to encode the Claims in a JWT [JWT].  The value "none" MAY be
	// included.
	UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported,omitempty"  `

	// OPTIONAL.  JSON array containing a list of the JWE [JWE]
	// encryption algorithms ("alg" values) [JWA] supported by the
	// UserInfo Endpoint to encode the Claims in a JWT [JWT].
	UserinfoEncryptionAlgValuesSupported []string `json:"userinfo_encryption_alg_values_supported,omitempty"  `

	// OPTIONAL.  JSON array containing a list of the JWE encryption
	// algorithms ("enc" values) [JWA] supported by the UserInfo Endpoint
	// to encode the Claims in a JWT [JWT].
	UserinfoEncryptionEncValuesSupported []string `json:"userinfo_encryption_enc_values_supported,omitempty"  `

	// OPTIONAL.  JSON array containing a list of the JWS signing
	// algorithms ("alg" values) supported by the OP for Request Objects,
	// which are described in Section 6.1 of OpenID Connect Core 1.0
	// [OpenID.Core].  These algorithms are used both when the Request
	// Object is passed by value (using the "request" parameter) and when
	// it is passed by reference (using the "request_uri" parameter).
	// Servers SHOULD support "none" and "RS256".
	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"  `

	// OPTIONAL.  JSON array containing a list of the JWE encryption
	// algorithms ("alg" values) supported by the OP for Request Objects.
	// These algorithms are used both when the Request Object is passed
	// by value and when it is passed by reference.
	RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported,omitempty"  `

	// OPTIONAL.  JSON array containing a list of the JWE encryption
	// algorithms ("enc" values) supported by the OP for Request Objects.
	// These algorithms are used both when the Request Object is passed
	// by value and when it is passed by reference.
	RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported,omitempty"  `

	// OPTIONAL.  JSON array containing a list of the "display" parameter
	// values that the OpenID Provider supports.  These values are
	// described in Section 3.1.2.1 of OpenID Connect Core 1.0
	// [OpenID.Core].
	DisplayValuesSupported []string `json:"display_values_supported,omitempty"  `

	// OPTIONAL.  JSON array containing a list of the Claim Types that
	// the OpenID Provider supports.  These Claim Types are described in
	// Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core].  Values
	// defined by this specification are "normal", "aggregated", and
	// "distributed".  If omitted, the implementation supports only
	// "normal" Claims.
	ClaimTypesSupported []string `json:"claim_types_supported,omitempty"  `

	// RECOMMENDED.  JSON array containing a list of the Claim Names of
	// the Claims that the OpenID Provider MAY be able to supply values
	// for.  Note that for privacy or other reasons, this might not be an
	// exhaustive list.
	ClaimsSupported []string `json:"claims_supported,omitempty"  `

	// OPTIONAL.  Languages and scripts supported for values in Claims
	// being returned, represented as a JSON array of BCP47 [RFC5646]
	// language tag values.  Not all languages and scripts are
	// necessarily supported for all Claim values.
	ClaimsLocalesSupported []string `json:"claims_locales_supported,omitempty"  `

	// OPTIONAL.  Languages and scripts supported for the user interface,
	// represented as a JSON array of language tag values from BCP 47
	// [RFC5646].  If omitted, the set of supported languages and scripts
	// is unspecified.
	UILocalesSupported []string `json:"ui_locales_supported,omitempty"  `

	// OPTIONAL.  Boolean value specifying whether the OP supports use of
	// the "claims" parameter, with "true" indicating support.  If
	// omitted, the default value is "false".
	ClaimsParameterSupported bool `json:"claims_parameter_supported,omitempty"  `

	// OPTIONAL.  Boolean value specifying whether the OP supports use of
	// the "request" parameter, with "true" indicating support.  If
	// omitted, the default value is "false".
	RequestParameterSupported bool `json:"request_parameter_supported,omitempty"  `

	// OPTIONAL.  Boolean value specifying whether the OP supports use of
	// the "request_uri" parameter, with "true" indicating support.  If
	// omitted, the default value is "true".
	RequestURIParameterSupported bool `json:"request_uri_parameter_supported,omitempty"  `

	// OPTIONAL.  Boolean value specifying whether the OP requires any
	// "request_uri" values used to be pre-registered using the
	// "request_uris" registration parameter.  Pre-registration is
	// REQUIRED when the value is "true".  If omitted, the default value
	// is "false".
	RequireRequestUriRegistration bool `json:"require_request_uri_registration,omitempty"  `

	// The URL of the pushed authorization request endpoint at which a
	// client can post an authorization request to exchange for a
	// "request_uri" value usable at the authorization server.
	// https://www.rfc-editor.org/rfc/rfc9126.html#name-authorization-server-metada
	PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint,omitempty"  `

	// Boolean parameter indicating whether the authorization server
	// accepts authorization request data only via PAR.  If omitted, the
	// default value is "false".
	RequirePushedAuthorizationRequests bool `json:"require_pushed_authorization_requests,omitempty"  `

	// URL of the authorization server's token endpoint [RFC6749].  This
	// is REQUIRED unless only the implicit grant type is supported.
	TokenEndpoint string `json:"token_endpoint,omitempty"  `

	// OPTIONAL.  JSON array containing a list of client authentication
	// methods supported by this token endpoint.  Client authentication
	// method values are used in the "token_endpoint_auth_method"
	// parameter defined in Section 2 of [RFC7591].  If omitted, the
	// default is "client_secret_basic" -- the HTTP Basic Authentication
	// Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"  `

	// OPTIONAL.  JSON array containing a list of the JWS signing
	// algorithms ("alg" values) supported by the token endpoint for the
	// signature on the JWT [JWT] used to authenticate the client at the
	// token endpoint for the "private_key_jwt" and "client_secret_jwt"
	// authentication methods.  This metadata entry MUST be present if
	// either of these authentication methods are specified in the
	// "token_endpoint_auth_methods_supported" entry.  No default
	// algorithms are implied if this entry is omitted.  Servers SHOULD
	// support "RS256".  The value "none" MUST NOT be used.
	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"  `

	// OPTIONAL.  URL of the authorization server's OAuth 2.0
	// introspection endpoint [RFC7662].
	IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`

	// OPTIONAL.  JSON array containing a list of client authentication
	// methods supported by this introspection endpoint.  The valid
	// client authentication method values are those registered in the
	// IANA "OAuth Token Endpoint Authentication Methods" registry
	// [IANA.OAuth.Parameters] or those registered in the IANA "OAuth
	// Access Token Types" registry [IANA.OAuth.Parameters].  (These
	// values are and will remain distinct, due to Section 7.2.)  If
	// omitted, the set of supported authentication methods MUST be
	// determined by other means.
	IntrospectionEndpointAuthMethodsSupported []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`

	// OPTIONAL.  JSON array containing a list of the JWS signing
	// algorithms ("alg" values) supported by the introspection endpoint
	// for the signature on the JWT [JWT] used to authenticate the client
	// at the introspection endpoint for the "private_key_jwt" and
	// "client_secret_jwt" authentication methods.  This metadata entry
	// MUST be present if either of these authentication methods are
	// specified in the "introspection_endpoint_auth_methods_supported"
	// entry.  No default algorithms are implied if this entry is
	// omitted.  The value "none" MUST NOT be used.
	IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`

	// OPTIONAL.  URL of the authorization server's OAuth 2.0 revocation
	// endpoint [RFC7009].
	RevocationEndpoint string `json:"revocation_endpoint,omitempty"`

	// OPTIONAL.  JSON array containing a list of client authentication
	// methods supported by this revocation endpoint.  The valid client
	// authentication method values are those registered in the IANA
	// "OAuth Token Endpoint Authentication Methods" registry
	// [IANA.OAuth.Parameters].  If omitted, the default is
	// "client_secret_basic" -- the HTTP Basic Authentication Scheme
	// specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
	RevocationEndpointAuthMethodsSupported []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`

	// OPTIONAL.  JSON array containing a list of the JWS signing
	// algorithms ("alg" values) supported by the revocation endpoint for
	// the signature on the JWT [JWT] used to authenticate the client at
	// the revocation endpoint for the "private_key_jwt" and
	// "client_secret_jwt" authentication methods.  This metadata entry
	// MUST be present if either of these authentication methods are
	// specified in the "revocation_endpoint_auth_methods_supported"
	// entry.  No default algorithms are implied if this entry is
	// omitted.  The value "none" MUST NOT be used.
	RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`

	// OPTIONAL.  URL that the authorization server provides to the
	// person registering the client to read about the authorization
	// server's requirements on how the client can use the data provided
	// by the authorization server.  The registration process SHOULD
	// display this URL to the person registering the client if it is
	// given.  As described in Section 5, despite the identifier
	// "op_policy_uri" appearing to be OpenID-specific, its usage in this
	// specification is actually referring to a general OAuth 2.0 feature
	// that is not specific to OpenID Connect.
	OpPolicyUri string `json:"op_policy_uri,omitempty"  `

	// OPTIONAL.  URL that the authorization server provides to the
	// person registering the client to read about the authorization
	// server's terms of service.  The registration process SHOULD
	// display this URL to the person registering the client if it is
	// given.  As described in Section 5, despite the identifier
	// "op_tos_uri", appearing to be OpenID-specific, its usage in this
	// specification is actually referring to a general OAuth 2.0 feature
	// that is not specific to OpenID Connect.
	OpTosUri string `json:"op_tos_uri,omitempty"  `

	// OPTIONAL.  URL of a page containing human-readable information
	// that developers might want or need to know when using the
	// authorization server.  In particular, if the authorization server
	ServiceDocumentation string `json:"service_documentation,omitempty" `

	// end_session_endpoint
	//    REQUIRED.  URL at the OP to which an RP can perform a redirect to
	//    request that the End-User be logged out at the OP.  This URL MUST
	//    use the "https" scheme and MAY contain port, path, and query
	//    parameter components.
	EndSessionEndpoint string `json:"end_session_endpoint,omitempty"`

	// check_session_endpoint  URL of an OP endpoint that provides a page to
	//    support cross-origin communications for session state information
	//    with the RP client, using the HTML5 postMessage API.  The page is
	//    loaded from an invisible iframe embedded in an RP page so that it
	//    can run in the OP's security context.  It accepts postMessage
	//    requests from the relevant RP iframe and postMessage back the
	//    login status of the user at the OP.
	CheckSessionEndpoint string `json:"check_session_endpoint,omitempty"`

	WellKnownRaw []byte
}

WellKnownConfiguration rfc8414 and openid Well known configuration metadata

func NewInsecureWellKnownEndpoint 

func NewInsecureWellKnownEndpoint(ctx context.Context, wkEndpoint string, client *http.Client) (_ *WellKnownConfiguration, err error)

NewInsecureWellKnownEndpoint fetch metadata from [wkEndpoint] without any validation

If [client] is nil http.DefaultClient is used

func NewWellKnownOAuthAuthorizationServer 

func NewWellKnownOAuthAuthorizationServer(ctx context.Context, issuer string, client *http.Client) (_ *WellKnownConfiguration, err error)

NewWellKnownOAuthAuthorizationServer fetch "/.well-known/oauth-authorization-server" based on [issuer] according to rfc8414: OAuth 2.0 Authorization Server Metadata

If [client] is nil http.DefaultClient is used

func NewWellKnownOpenidConfiguration 

func NewWellKnownOpenidConfiguration(ctx context.Context, issuer string, client *http.Client) (_ *WellKnownConfiguration, err error)

NewWellKnownOpenidConfiguration fetch "/.well-known/openid-configuration" based on [issuer] according to OpenID Connect Discovery 1.0

If [client] is nil http.DefaultClient is used

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.