oidcclient


Overview


  • Authorization request & access token request: authorize.go
  • Pushed Authorization request: par.go
  • userinfo request: userinfo.go
  • introspect request: introspect.go
  • refresh_token request: refresh_token.go


Functions

func ValidateConfig

func ValidateConfig(config *OIDCClientConfig) bool

ValidateConfig validates the config.

Types

type IntrospectResponse

// IntrospectResponse holds the standard introspection response fields from
// RFC 7662 §2.2, plus three derived human-readable timestamps.
type IntrospectResponse struct {
	// Active reports whether the token is currently active. It is the only
	// member RFC 7662 requires the endpoint to return, hence no omitempty.
	Active bool `json:"active"`

	Scope     string `json:"scope,omitempty"`
	ClientID  string `json:"client_id,omitempty"`
	Username  string `json:"username,omitempty"`
	TokenType string `json:"token_type,omitempty"`

	// Raw numeric-date claims as returned by the endpoint. expirationTime is
	// a package-local type defined elsewhere in the package.
	Exp expirationTime `json:"exp,omitempty"`
	Iat expirationTime `json:"iat,omitempty"`
	Nbf expirationTime `json:"nbf,omitempty"`

	Sub    string `json:"sub,omitempty"`
	// NOTE(review): RFC 7662 allows aud to be a single string or a list of
	// strings; a JSON array here would fail to unmarshal into a string.
	Aud    string `json:"aud,omitempty"`
	Issuer string `json:"iss,omitempty"`
	Jti    string `json:"jti,omitempty"`

	// Human readable Timestamp
	// Presumably filled in from Exp/Iat/Nbf after the response is decoded
	// rather than sent by the endpoint — confirm in introspect.go. Note that
	// omitempty has no effect on time.Time: encoding/json never treats a
	// struct value as empty, so zero timestamps are still emitted.
	Expiry    time.Time `json:"expiry,omitempty"`
	IssuedAt  time.Time `json:"issued_at,omitempty"`
	NotBefore time.Time `json:"not_before,omitempty"`
}

IntrospectResponse holds the standard fields from RFC 7662 (https://datatracker.ietf.org/doc/html/rfc7662#section-2.2).

type JSONAccessTokenResponse

// JSONAccessTokenResponse is the token endpoint response in the shape this
// package writes out: the standard token fields plus expires_in reformatted
// as a human-readable time. No field carries omitempty, so absent values are
// emitted as empty strings. The struct holds bearer credentials (access,
// refresh and ID tokens); any file it is written to should be treated as
// sensitive.
type JSONAccessTokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	Scope        string `json:"scope"`
	IDToken      string `json:"id_token"`
	TokenType    string `json:"token_type"`
	Nonce        string `json:"nonce"`
	// NOTE: this is reformatted as Human readable time
	ExpiresInHumanReadable string `json:"expires_in_human_readable"`
}

JSONAccessTokenResponse represents an access token response, with the expiry reformatted as a human-readable time.

type JwtProfileClaims

// JwtProfileClaims is the claim set used for JWT profile assertions. It
// embeds jwt.RegisteredClaims and declares jti and aud as plain strings at
// the outer level; with encoding/json the shallower field wins, so these
// presumably take precedence over any same-named claims inside the embedded
// struct — confirm against the jwt package in use.
type JwtProfileClaims struct {
	// Jti is the `jti` (JWT ID) claim, a unique identifier for the assertion.
	Jti string `json:"jti,omitempty"`
	// the `aud` (Audience) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
	// Kept as a single string; RFC 7519 also permits an array form.
	Audience string `json:"aud,omitempty"`
	jwt.RegisteredClaims
}

type OIDCClient

// OIDCClient runs the OIDC/OAuth2 flows this package offers (authorization
// code, PAR, refresh token, introspection, token exchange) with the
// configuration it was built from. Construct it with NewOIDCClient.
type OIDCClient struct {

	// oidc well-known
	// Wellknown is the discovered OpenID Provider configuration
	// (the .well-known/openid-configuration document).
	Wellknown *discovery.OIDCWellKnownOpenidConfiguration
	// contains filtered or unexported fields
}

func NewOIDCClient

func NewOIDCClient(c *OIDCClientConfig, jwtsigner signer.JwtSigner, clientCert tls.Certificate, l hclog.Logger) (*OIDCClient, error)

NewOIDCClient creates a new OIDC client.

func (*OIDCClient) DoPARRequest

func (c *OIDCClient) DoPARRequest(codeChallenge string, nonce string, state string) (*PARResponse, error)

func (*OIDCClient) GenerateJwtProfile

func (c *OIDCClient) GenerateJwtProfile(endpoint string) (string, error)

See RFC 7523 (JSON Web Token Profile for OAuth 2.0 Client Authentication and Authorization Grants): https://www.rfc-editor.org/rfc/rfc7523.html

func (*OIDCClient) GenerateRequestJwt

func (c *OIDCClient) GenerateRequestJwt(extraClaims map[string]interface{}) (string, error)

func (*OIDCClient) Info

func (c *OIDCClient) Info()

Info displays info about the current config.

func (*OIDCClient) IntrospectToken

func (c *OIDCClient) IntrospectToken(token string) error

IntrospectToken introspects the token.

func (*OIDCClient) NewCodeChallenge

func (c *OIDCClient) NewCodeChallenge(codeVerifier string) (string, error)

func (*OIDCClient) NewCodeVerifier

func (c *OIDCClient) NewCodeVerifier(length int) (string, error)

func (*OIDCClient) NewNonce

func (c *OIDCClient) NewNonce(length int) (string, error)

func (*OIDCClient) NewState

func (c *OIDCClient) NewState(length int) (string, error)

func (*OIDCClient) OIDCAuthorizationCodeFlow

func (c *OIDCClient) OIDCAuthorizationCodeFlow() error

OIDCAuthorizationCodeFlow starts an HTTP server and sets the handler for performing the authorization code flow.

func (*OIDCClient) RefreshTokenFlow

func (c *OIDCClient) RefreshTokenFlow(refreshToken string, skipIdTokenVerification bool) error

RefreshTokenFlow renews the refresh token.

ref: https://github.com/nonbeing/awsconsoleauth/blob/master/http.go#L46

func (*OIDCClient) SetDefaultOutput

func (c *OIDCClient) SetDefaultOutput()

SetDefaultOutput sets the default output file names.

func (*OIDCClient) TokenExchange added in v0.19.0

func (c *OIDCClient) TokenExchange(params url.Values) (*internaloauth2.Token, error)

TokenExchange calls the OAuth2 token endpoint with the configured auth method. It expects the query-string parameters as input (token=..., grant_type=...).

type OIDCClientConfig

// OIDCClientConfig is the client configuration. Fields with a yaml tag are
// loaded from the config file by ParseConfig and checked by ValidateConfig
// according to their validate tags; fields without a yaml tag are presumably
// set programmatically (mock values, output paths, listen address).
type OIDCClientConfig struct {
	// ClientID is the OAuth2 client identifier (required).
	ClientID     string `yaml:"client_id"  validate:"required"`
	// ClientSecret is the credential used by the client_secret_* auth
	// methods; because it lives in the config file, that file is sensitive.
	ClientSecret string `yaml:"client_secret" `
	// AuthMethod selects how the client authenticates at the token endpoint;
	// the validate tag restricts it to the four listed methods.
	AuthMethod   string `yaml:"auth_method"  validate:"required,oneof=client_secret_basic client_secret_post private_key_jwt tls_client_auth"`

	// ClientIDParamForTokenEndpoint, when true, always sends client_id as a
	// token endpoint parameter (in addition to the auth method).
	ClientIDParamForTokenEndpoint bool `yaml:"always_set_client_id_for_token_endpoint" default:"false"`

	// PKCE (RFC 7636) settings. PKCEChallengeMethod is presumably "S256" or
	// "plain" — confirm in NewCodeChallenge. PKCECodeLength and
	// FakePKCEVerifier have no yaml tag; FakePKCEVerifier looks like a test
	// hook that sends an incorrect verifier — confirm before relying on it.
	UsePKCE             bool   `yaml:"use_pkce"`
	PKCEChallengeMethod string `yaml:"pkce_challenge_method"`
	PKCECodeLength      int
	FakePKCEVerifier    bool

	// Whether the access/refresh tokens are JWTs (presumably enabling their
	// parsing and signature verification — confirm).
	AccessTokenJwt  bool `yaml:"access_token_jwt"`
	RefreshTokenJwt bool `yaml:"refresh_token_jwt"`

	// Scopes requested in the authorization request (required).
	Scopes []string `yaml:"scopes"  validate:"required"`

	// AcrValues is sent as the acr_values request parameter.
	AcrValues string `yaml:"acr_values"`

	// Issuer is the expected OpenID Provider issuer (required).
	Issuer string `yaml:"issuer"  validate:"required"`

	// Explicit endpoint overrides; when unset the discovered well-known
	// values are presumably used — confirm in NewOIDCClient.
	// InsecureWellKnownEndpoint presumably relaxes transport checks when
	// fetching the well-known document — confirm; keep false outside tests.
	TokenEndpoint                string `yaml:"token_endpoint"  `
	AuthorizeEndpoint            string `yaml:"authorize_endpoint"  `
	JwksEndpoint                 string `yaml:"jwks_endpoint"`
	IntrospectEndpoint           string `yaml:"introspect_endpoint"`
	PAREndpoint                  string `yaml:"par_endpoint"`
	AlternativeWellKnownEndpoint string `yaml:"alternative_wellknown_endpoint"`
	InsecureWellKnownEndpoint    bool   `yaml:"insecure_wellknown_endpoint"`

	// Pushed Authorization Request (RFC 9126) settings and extra parameters
	// appended to the PAR and authorization requests.
	UsePAR                            bool              `yaml:"use_par"`
	PARIntrospectEndpointWellKnownKey string            `yaml:"par_endpoint_wellknown_key"`
	PARAdditionalParameter            map[string]string `yaml:"par_additional_parameters"`
	AuthorizeAdditionalParameter      map[string]string `yaml:"authorize_additional_parameters"`

	// TokenSigningAlg lists the accepted token signature algorithms
	// (required). TokenEncryptionAlg is restricted by its validate tag to
	// the listed key-management algorithms.
	TokenSigningAlg    []string `yaml:"token_signing_alg" validate:"required"`
	TokenEncryptionAlg []string `yaml:"token_encryption_alg" validate:"dive,oneof=ECDH-ES RSA-OAEP RSA-OAEP-256 ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW"`

	// Presumably the accepted amr / acr claim values checked against the
	// received ID token — confirm where they are enforced.
	AMRWhitelist []string `yaml:"amr_list"`
	ACRWhitelist []string `yaml:"acr_list"`

	// RedirectUri overrides the redirect_uri sent in the authorization request.
	RedirectUri string `yaml:"override_redirect_uri"`

	// JWT profile (RFC 7523) and request-object settings: token lifetimes
	// default to 5m, the signing algorithm defaults to RS256 and is limited
	// by the validate tag to the ES*/RS* families.
	UseRequestParameter           bool              `yaml:"use_request_parameter" default:"false"`
	JwtProfileTokenDuration       time.Duration     `yaml:"jwt_profile_token_duration" default:"5m"`
	JwtProfileAudiance            string            `yaml:"jwt_profile_token_audiance" `
	JwtRequestTokenDuration       time.Duration     `yaml:"jwt_request_token_duration" default:"5m"`
	JwtRequestAudiance            string            `yaml:"jwt_request_token_audiance" `
	JwtRequestAdditionalParameter map[string]string `yaml:"jwt_request_token_additional_parameters"`
	JwtSigningAlg                 string            `yaml:"jwt_signing_alg" default:"RS256" validate:"required,oneof=ES256 ES384 ES512 RS256 RS384 RS512"`

	// HttpClientConfig configures the outbound HTTP client.
	HttpClientConfig *client_http.HttpClientConfig `yaml:"http_client_config"  `
	// Mock
	// Fixed values used in place of freshly generated state / nonce / code
	// verifier (no yaml tag). Fixed values remove the replay and CSRF
	// protection that randomness gives these parameters, so they are only
	// suitable for testing.
	MockState        string
	MockNonce        string
	MockCodeVerifier string

	// Output
	// When OutputEnabled is set, responses and tokens are written to these
	// files (presumably under OutputDir; SetDefaultOutput fills the default
	// names). The token files contain bearer credentials.
	OutputEnabled       bool
	OutputDir           string
	AccessTokenRespFile string
	IDTokenFile         string
	AccessTokenFile     string
	RefreshTokenFile    string
	UserinfoFile        string
	IntrospectFile      string

	// NOTE: default is false
	// When true, TLS verification is skipped (presumably server certificate
	// verification on outbound HTTPS calls — confirm in the HTTP client
	// setup). Leave false except against a local test provider.
	SkipTLSVerification bool `yaml:"skip_tls_verification"`

	// NOTE: default is false
	// SkipUserinfo disables the userinfo request after the token exchange.
	SkipUserinfo bool `yaml:"skip_userinfo_call"`

	// Listen Address
	// Address and port of the local HTTP server, presumably the one
	// OIDCAuthorizationCodeFlow starts to receive the redirect — confirm.
	ListenAddress string
	// Listen Port
	ListenPort int
}

func ParseConfig

func ParseConfig(configFile string) (*OIDCClientConfig, error)

ParseConfig parses the config file.

func (*OIDCClientConfig) UnmarshalYAML

func (c *OIDCClientConfig) UnmarshalYAML(unmarshal func(interface{}) error) error

type PARResponse

// PARResponse is the pushed authorization request response (RFC 9126 §2.2).
type PARResponse struct {
	// RequestUri is the request_uri reference to pass to the authorization
	// endpoint in place of the full request parameters.
	RequestUri string `json:"request_uri"`
	// ExpiresIn is the lifetime of request_uri in seconds.
	ExpiresIn  int    `json:"expires_in"`
}

See RFC 9126 (OAuth 2.0 Pushed Authorization Requests), section 2.2: https://www.rfc-editor.org/rfc/rfc9126.html#section-2.2

Directories

Path Synopsis
internal
jwt
