Overview ¶
The flows are implemented in the following files:
- Authorization request & access token request: authorize.go
- Pushed Authorization request: par.go
- userinfo request: userinfo.go
- introspect request: introspect.go
- refresh_token request: refresh_token.go
Index ¶
- func ValidateConfig(config *OIDCClientConfig) bool
- type IntrospectResponse
- type JSONAccessTokenResponse
- type JwtProfileClaims
- type OIDCClient
- func (c *OIDCClient) DoPARRequest(codeChallenge string, nonce string, state string) (*PARResponse, error)
- func (c *OIDCClient) GenerateJwtProfile(endpoint string) (string, error)
- func (c *OIDCClient) GenerateRequestJwt(extraClaims map[string]interface{}) (string, error)
- func (c *OIDCClient) Info()
- func (c *OIDCClient) IntrospectToken(token string) error
- func (c *OIDCClient) NewCodeChallenge(codeVerifier string) (string, error)
- func (c *OIDCClient) NewCodeVerifier(length int) (string, error)
- func (c *OIDCClient) NewNonce(length int) (string, error)
- func (c *OIDCClient) NewState(length int) (string, error)
- func (c *OIDCClient) OIDCAuthorizationCodeFlow() error
- func (c *OIDCClient) RefreshTokenFlow(refreshToken string, skipIdTokenVerification bool) error
- func (c *OIDCClient) SetDefaultOutput()
- func (c *OIDCClient) TokenExchange(params url.Values) (*internaloauth2.Token, error)
- type OIDCClientConfig
- type PARResponse
Functions ¶
func ValidateConfig ¶
func ValidateConfig(config *OIDCClientConfig) bool
ValidateConfig validates the config.
Types ¶
type IntrospectResponse ¶
// IntrospectResponse holds the standard token-introspection fields from
// RFC 7662 (https://datatracker.ietf.org/doc/html/rfc7662#section-2.2).
//
// Active is the only field RFC 7662 requires; every other field is optional,
// so a consumer should treat a response with Active == false as an invalid
// token no matter what else is populated.
type IntrospectResponse struct {
	// Active reports whether the introspected token is currently valid.
	Active bool `json:"active"`
	// Scope is the token's scope list as returned by the server.
	Scope string `json:"scope,omitempty"`
	// ClientID is the client the token was issued to.
	ClientID string `json:"client_id,omitempty"`
	Username string `json:"username,omitempty"`
	TokenType string `json:"token_type,omitempty"`
	// Exp, Iat and Nbf are the raw numeric-date claims. expirationTime is a
	// package-local type not shown on this page; see its definition for how
	// the JSON number is decoded.
	Exp expirationTime `json:"exp,omitempty"`
	Iat expirationTime `json:"iat,omitempty"`
	Nbf expirationTime `json:"nbf,omitempty"`
	Sub string `json:"sub,omitempty"`
	// NOTE(review): Aud is a single string, but RFC 7519 allows "aud" to be a
	// JSON array; json.Unmarshal of an array into a string fails, so a
	// multi-audience response would be rejected as a whole — confirm whether
	// the providers in use ever return an array here.
	Aud string `json:"aud,omitempty"`
	Issuer string `json:"iss,omitempty"`
	// Jti is the token identifier, usable to detect replay of the same token.
	Jti string `json:"jti,omitempty"`
	// Human readable Timestamp
	// Expiry, IssuedAt and NotBefore are not RFC 7662 fields; they presumably
	// carry Exp, Iat and Nbf converted to time.Time after decoding — confirm
	// in introspect.go.
	// NOTE: omitempty has no effect on struct-typed fields such as time.Time,
	// so when this value is re-encoded an unset timestamp still appears as
	// 0001-01-01T00:00:00Z rather than being omitted.
	Expiry time.Time `json:"expiry,omitempty"`
	IssuedAt time.Time `json:"issued_at,omitempty"`
	NotBefore time.Time `json:"not_before,omitempty"`
}
IntrospectResponse holds the standard fields from RFC 7662 (https://datatracker.ietf.org/doc/html/rfc7662#section-2.2).
type JSONAccessTokenResponse ¶
// JSONAccessTokenResponse is the token-endpoint response in the shape this
// package serialises: the standard OAuth2 token fields plus a reformatted
// expiry. It carries bearer credentials (AccessToken, RefreshToken, IDToken)
// in clear text, so whatever it is written to (presumably the output files
// configured in OIDCClientConfig — confirm) has to be treated as secret.
//
// No field uses omitempty, so an absent value is encoded as an empty string
// rather than dropped.
type JSONAccessTokenResponse struct {
	AccessToken string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	Scope string `json:"scope"`
	IDToken string `json:"id_token"`
	TokenType string `json:"token_type"`
	// Nonce is not a standard token-response field; presumably it is the
	// nonce sent on the authorization request, kept so the id_token can be
	// matched against it — confirm in authorize.go.
	Nonce string `json:"nonce"`
	// NOTE: this is reformatted as Human readable time
	// ExpiresInHumanReadable replaces the numeric expires_in of the raw
	// response; the original seconds value is not kept in this struct.
	ExpiresInHumanReadable string `json:"expires_in_human_readable"`
}
JSONAccessTokenResponse ...
type JwtProfileClaims ¶
// JwtProfileClaims is the claim set of the JWT this client signs for
// GenerateJwtProfile (presumably the private_key_jwt client assertion —
// confirm).
//
// NOTE(review): Jti and Audience are declared at the outer level with the
// JSON names "jti" and "aud". jwt.RegisteredClaims presumably exposes the
// same names through its ID and Audience fields; Go's encoding rules give the
// shallower field precedence, so the embedded ones would be ignored when
// marshalling — confirm against the jwt package version in use.
type JwtProfileClaims struct {
	// Jti is the JWT ID claim; a value unique per assertion lets the server
	// reject a replayed one.
	Jti string `json:"jti,omitempty"`
	// the `aud` (Audience) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
	// Declared as a single string rather than a list of audiences.
	Audience string `json:"aud,omitempty"`
	jwt.RegisteredClaims
}
type OIDCClient ¶
// OIDCClient drives the flows listed in the package overview (authorization
// code, PAR, userinfo, introspection, refresh token) against the provider
// described by Wellknown. It is constructed with NewOIDCClient; the zero
// value is presumably not usable, since the unexported fields are populated
// there — confirm.
type OIDCClient struct {
	// oidc well-known
	// Wellknown is the provider's discovery document. The endpoint URLs it
	// advertises are presumably what the flows call unless OIDCClientConfig
	// overrides them — confirm in NewOIDCClient.
	Wellknown *discovery.OIDCWellKnownOpenidConfiguration
	// contains filtered or unexported fields
}
func NewOIDCClient ¶
func NewOIDCClient(c *OIDCClientConfig, jwtsigner signer.JwtSigner, clientCert tls.Certificate, l hclog.Logger) (*OIDCClient, error)
NewOIDCClient creates a new OIDC client.
func (*OIDCClient) DoPARRequest ¶
func (c *OIDCClient) DoPARRequest(codeChallenge string, nonce string, state string) (*PARResponse, error)
func (*OIDCClient) GenerateJwtProfile ¶
func (c *OIDCClient) GenerateJwtProfile(endpoint string) (string, error)
func (*OIDCClient) GenerateRequestJwt ¶
func (c *OIDCClient) GenerateRequestJwt(extraClaims map[string]interface{}) (string, error)
func (*OIDCClient) IntrospectToken ¶
func (c *OIDCClient) IntrospectToken(token string) error
IntrospectToken introspects the token.
func (*OIDCClient) NewCodeChallenge ¶
func (c *OIDCClient) NewCodeChallenge(codeVerifier string) (string, error)
func (*OIDCClient) NewCodeVerifier ¶
func (c *OIDCClient) NewCodeVerifier(length int) (string, error)
func (*OIDCClient) OIDCAuthorizationCodeFlow ¶
func (c *OIDCClient) OIDCAuthorizationCodeFlow() error
OIDCAuthorizationCodeFlow starts an HTTP server and sets the handler that performs the authorization code flow.
func (*OIDCClient) RefreshTokenFlow ¶
func (c *OIDCClient) RefreshTokenFlow(refreshToken string, skipIdTokenVerification bool) error
RefreshTokenFlow renews the refresh token.
ref: https://github.com/nonbeing/awsconsoleauth/blob/master/http.go#L46
func (*OIDCClient) SetDefaultOutput ¶
func (c *OIDCClient) SetDefaultOutput()
SetDefaultOutput sets the default output file names.
func (*OIDCClient) TokenExchange ¶ added in v0.19.0
func (c *OIDCClient) TokenExchange(params url.Values) (*internaloauth2.Token, error)
TokenExchange calls the OAuth2 token endpoint with the configured auth method. It expects the query-string parameters as input (token=..., grant_type=...).
type OIDCClientConfig ¶
// OIDCClientConfig is the client configuration loaded from the YAML file by
// ParseConfig. The struct tags are the reference: `yaml` gives the config
// key, `validate` the accepted values (presumably enforced by ValidateConfig
// — confirm) and `default` the value used when the key is absent (presumably
// applied in UnmarshalYAML — confirm). Fields without a `yaml` tag are not
// documented as config keys here; how UnmarshalYAML treats them is not
// visible on this page.
type OIDCClientConfig struct {
	// Client identity and the way it authenticates to the token endpoint.
	ClientID string `yaml:"client_id" validate:"required"`
	// ClientSecret is a credential stored in clear text in the config file;
	// it is only meaningful for the client_secret_* auth methods.
	ClientSecret string `yaml:"client_secret" `
	// AuthMethod is restricted by its validate tag to the four listed methods.
	AuthMethod string `yaml:"auth_method" validate:"required,oneof=client_secret_basic client_secret_post private_key_jwt tls_client_auth"`
	ClientIDParamForTokenEndpoint bool `yaml:"always_set_client_id_for_token_endpoint" default:"false"`

	// PKCE (RFC 7636). PKCECodeLength and FakePKCEVerifier carry no yaml tag.
	UsePKCE bool `yaml:"use_pkce"`
	PKCEChallengeMethod string `yaml:"pkce_challenge_method"`
	PKCECodeLength int
	// FakePKCEVerifier presumably makes the client send a verifier that does
	// not match the challenge, to check that the server rejects it — confirm
	// in authorize.go. It must stay false in any real flow.
	FakePKCEVerifier bool

	// Expected token formats and the values sent on the authorization request.
	AccessTokenJwt bool `yaml:"access_token_jwt"`
	RefreshTokenJwt bool `yaml:"refresh_token_jwt"`
	Scopes []string `yaml:"scopes" validate:"required"`
	AcrValues string `yaml:"acr_values"`

	// Provider endpoints. Issuer is required; the individual endpoints are
	// optional and presumably fall back to the discovery document
	// (OIDCClient.Wellknown) when empty — confirm in NewOIDCClient.
	Issuer string `yaml:"issuer" validate:"required"`
	TokenEndpoint string `yaml:"token_endpoint" `
	AuthorizeEndpoint string `yaml:"authorize_endpoint" `
	JwksEndpoint string `yaml:"jwks_endpoint"`
	IntrospectEndpoint string `yaml:"introspect_endpoint"`
	PAREndpoint string `yaml:"par_endpoint"`
	AlternativeWellKnownEndpoint string `yaml:"alternative_wellknown_endpoint"`
	// InsecureWellKnownEndpoint, from its name, relaxes some check on the
	// discovery fetch; which one (plain HTTP, issuer mismatch, ...) is not
	// visible here — confirm before enabling, since the discovery document is
	// where every later endpoint URL comes from.
	InsecureWellKnownEndpoint bool `yaml:"insecure_wellknown_endpoint"`

	// Pushed Authorization Requests (RFC 9126) and extra request parameters.
	UsePAR bool `yaml:"use_par"`
	PARIntrospectEndpointWellKnownKey string `yaml:"par_endpoint_wellknown_key"`
	PARAdditionalParameter map[string]string `yaml:"par_additional_parameters"`
	AuthorizeAdditionalParameter map[string]string `yaml:"authorize_additional_parameters"`

	// Algorithms accepted on tokens the client receives. TokenSigningAlg is
	// required, i.e. an explicit allow-list that lets a token with an
	// unexpected alg be rejected; TokenEncryptionAlg is limited by its
	// validate tag to the listed JWE key-management algorithms.
	TokenSigningAlg []string `yaml:"token_signing_alg" validate:"required"`
	TokenEncryptionAlg []string `yaml:"token_encryption_alg" validate:"dive,oneof=ECDH-ES RSA-OAEP RSA-OAEP-256 ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW"`
	// AMRWhitelist and ACRWhitelist are presumably the amr / acr claim values
	// accepted in the id_token — confirm where they are checked.
	AMRWhitelist []string `yaml:"amr_list"`
	ACRWhitelist []string `yaml:"acr_list"`
	// RedirectUri overrides the redirect_uri the client would otherwise use
	// (presumably derived from ListenAddress/ListenPort — confirm).
	RedirectUri string `yaml:"override_redirect_uri"`

	// JWT-secured request object and the signed client assertion. Note that
	// the yaml keys spell "audiance"; a config key written "audience" would
	// not match.
	UseRequestParameter bool `yaml:"use_request_parameter" default:"false"`
	JwtProfileTokenDuration time.Duration `yaml:"jwt_profile_token_duration" default:"5m"`
	JwtProfileAudiance string `yaml:"jwt_profile_token_audiance" `
	JwtRequestTokenDuration time.Duration `yaml:"jwt_request_token_duration" default:"5m"`
	JwtRequestAudiance string `yaml:"jwt_request_token_audiance" `
	JwtRequestAdditionalParameter map[string]string `yaml:"jwt_request_token_additional_parameters"`
	// JwtSigningAlg is the algorithm for the JWTs this client signs; the
	// validate tag allows only ES256/ES384/ES512 and RS256/RS384/RS512.
	JwtSigningAlg string `yaml:"jwt_signing_alg" default:"RS256" validate:"required,oneof=ES256 ES384 ES512 RS256 RS384 RS512"`
	HttpClientConfig *client_http.HttpClientConfig `yaml:"http_client_config" `

	// Mock
	// Fixed values presumably used in place of the freshly generated state,
	// nonce and PKCE verifier — confirm against NewState/NewNonce/
	// NewCodeVerifier. No yaml tag. Fixed values defeat the CSRF and replay
	// protection these parameters provide, so they are for tests only.
	MockState string
	MockNonce string
	MockCodeVerifier string

	// Output
	// File names the flows write their results to when OutputEnabled is set
	// (see SetDefaultOutput); no yaml tag. Judging by their names these files
	// receive the raw tokens, so OutputDir needs the same protection as the
	// config file holding ClientSecret.
	OutputEnabled bool
	OutputDir string
	AccessTokenRespFile string
	IDTokenFile string
	AccessTokenFile string
	RefreshTokenFile string
	UserinfoFile string
	IntrospectFile string

	// NOTE: default is false
	// SkipTLSVerification, from its name, disables server-certificate
	// verification on the provider connections — confirm in the HTTP client
	// setup. With it enabled the tokens above are sent to whoever answers the
	// connection; keep it false outside a local test setup.
	SkipTLSVerification bool `yaml:"skip_tls_verification"`
	// NOTE: default is false
	// SkipUserinfo skips the userinfo call after the token exchange.
	SkipUserinfo bool `yaml:"skip_userinfo_call"`

	// Listen Address
	// Address and port of the local HTTP server that OIDCAuthorizationCodeFlow
	// starts to receive the redirect; no yaml tag.
	ListenAddress string
	// Listen Port
	ListenPort int
}
func ParseConfig ¶
func ParseConfig(configFile string) (*OIDCClientConfig, error)
ParseConfig parses the config file.
func (*OIDCClientConfig) UnmarshalYAML ¶
func (c *OIDCClientConfig) UnmarshalYAML(unmarshal func(interface{}) error) error