- Variables
- func AuthURL(state string, rp RelyingParty, opts ...AuthURLOpt) string
- func AuthURLHandler(stateFn func() string, rp RelyingParty, urlParam ...URLParamOpt) http.HandlerFunc
- func ClientCredentials(ctx context.Context, rp RelyingParty, endpointParams url.Values) (token *oauth2.Token, err error)
- func CodeExchange[C oidc.IDClaims](ctx context.Context, code string, rp RelyingParty, opts ...CodeExchangeOpt) (tokens *oidc.Tokens[C], err error)
- func CodeExchangeHandler[C oidc.IDClaims](callback CodeExchangeCallback[C], rp RelyingParty, urlParam ...URLParamOpt) http.HandlerFunc
- func DelegationTokenRequest(subjectToken string, opts ...tokenexchange.TokenExchangeOption) *tokenexchange.TokenExchangeRequest
- func DeviceAccessToken(ctx context.Context, deviceCode string, interval time.Duration, ...) (resp *oidc.AccessTokenResponse, err error)
- func DeviceAuthorization(ctx context.Context, scopes []string, rp RelyingParty, authFn any) (*oidc.DeviceAuthorizationResponse, error)
- func EndSession(ctx context.Context, rp RelyingParty, ...) (*url.URL, error)
- func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (string, error)
- func NewRemoteKeySet(client *http.Client, jwksURL string, opts ...func(*remoteKeySet)) oidc.KeySet
- func RefreshTokens[C oidc.IDClaims](ctx context.Context, rp RelyingParty, ...) (*oidc.Tokens[C], error)
- func RevokeToken(ctx context.Context, rp RelyingParty, token string, tokenTypeHint string) error
- func SkipRemoteCheck() func(set *remoteKeySet)
- func Userinfo[U SubjectGetter](ctx context.Context, token, tokenType, subject string, rp RelyingParty) (userinfo U, err error)
- func VerifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAlgorithm) error
- func VerifyIDToken[C oidc.Claims](ctx context.Context, token string, v *IDTokenVerifier) (claims C, err error)
- func VerifyTokens[C oidc.IDClaims](ctx context.Context, accessToken, idToken string, v *IDTokenVerifier) (claims C, err error)
- type AuthURLOpt
- type CodeExchangeCallback
- type CodeExchangeOpt
- type CodeExchangeUserinfoCallback
- type DelegationTokenExchangeRP
- type Endpoints
- type ErrorHandler
- type HasUnauthorizedHandler
- type IDTokenVerifier
- type Option
- func WithAuthStyle(oauthAuthStyle oauth2.AuthStyle) Option
- func WithClientKey(path string) Option
- func WithCookieHandler(cookieHandler *httphelper.CookieHandler) Option
- func WithCustomDiscoveryUrl(url string) Option
- func WithErrorHandler(errorHandler ErrorHandler) Option
- func WithHTTPClient(client *http.Client) Option
- func WithJWTProfile(signerFromKey SignerFromKey) Option
- func WithLogger(logger *slog.Logger) Option
- func WithPKCE(cookieHandler *httphelper.CookieHandler) Option
- func WithSigningAlgsFromDiscovery() Option
- func WithUnauthorizedHandler(unauthorizedHandler UnauthorizedHandler) Option
- func WithVerifierOpts(opts ...VerifierOption) Option
- type OptionFunc
- type RefreshTokenRequest
- type RelyingParty
- type SignerFromKey
- type SubjectGetter
- type TokenExchangeRP
- type URLParamOpt
- type UnauthorizedHandler
- type VerifierOption
- func WithACRVerifier(verifier oidc.ACRVerifier) VerifierOption
- func WithAuthTimeMaxAge(maxAge time.Duration) VerifierOption
- func WithIssuedAtMaxAge(maxAge time.Duration) VerifierOption
- func WithIssuedAtOffset(offset time.Duration) VerifierOption
- func WithNonce(nonce func(context.Context) string) VerifierOption
- func WithSupportedSigningAlgorithms(algs ...string) VerifierOption
Variables ¶
var ErrMissingIDToken = errors.New("id_token missing")
ErrMissingIDToken is returned when an id_token was expected, but not received in the token response.
var ErrRelyingPartyNotSupportRevokeCaller = errors.New("RelyingParty does not support RevokeCaller")
var ErrUserInfoSubNotMatching = errors.New("sub from userinfo does not match the sub from the id_token")
Functions ¶
func AuthURL ¶
func AuthURL(state string, rp RelyingParty, opts ...AuthURLOpt) string
AuthURL returns the authorization request URL for the given `state` (wrapping oauth2's `AuthCodeURL`). The caller is responsible for generating an unguessable, per-request `state` and for verifying it on the callback; AuthURLHandler/CodeExchangeHandler do this for you using the RelyingParty's CookieHandler.
func AuthURLHandler ¶
func AuthURLHandler(stateFn func() string, rp RelyingParty, urlParam ...URLParamOpt) http.HandlerFunc
AuthURLHandler wraps `AuthURL` in an HTTP redirect handler: it obtains a `state` value from stateFn, stores it in a cookie via the RelyingParty's CookieHandler so that the callback (CodeExchangeHandler) can verify the `state` returned by the provider, and redirects the browser to the authorization endpoint. stateFn must return a fresh, unguessable value per request — a predictable `state` defeats the CSRF protection this cookie provides. Custom parameters can optionally be added to the redirect URL.
func ClientCredentials ¶ added in v3.5.0
func ClientCredentials(ctx context.Context, rp RelyingParty, endpointParams url.Values) (token *oauth2.Token, err error)
ClientCredentials requests an access token using the `client_credentials` grant, as defined in RFC 6749, section 4.4.
As there is no user associated with the request, an ID Token can never be returned: the client_credentials grant is undefined in OpenID Connect and is a pure OAuth 2.0 grant. Furthermore the server SHOULD NOT return a refresh token (RFC 6749, section 4.4.3). The returned access token represents the client itself, so protect it with the same care as the client credentials.
func CodeExchange ¶
func CodeExchange[C oidc.IDClaims](ctx context.Context, code string, rp RelyingParty, opts ...CodeExchangeOpt) (tokens *oidc.Tokens[C], err error)
CodeExchange performs the OAuth2 authorization-code exchange at the token endpoint, extracts and verifies the id_token from the response (ErrMissingIDToken is returned when one was expected but not received), and returns it parsed into C together with the OAuth2 access and refresh tokens. When the RP uses PKCE, the code verifier stored during the authorization request must be supplied via WithCodeVerifier; CodeExchangeHandler takes care of this.
func CodeExchangeHandler ¶
func CodeExchangeHandler[C oidc.IDClaims](callback CodeExchangeCallback[C], rp RelyingParty, urlParam ...URLParamOpt) http.HandlerFunc
CodeExchangeHandler wraps `CodeExchange` in an HTTP callback handler. It compares the `state` returned by the provider with the value stored in the cookie set by AuthURLHandler and rejects the request on mismatch (this is the CSRF check of the authorization-code flow), reads the stored PKCE code verifier when the RP was configured WithPKCE and sends it along with the code, and on success invokes callback with the verified tokens. Failures are reported through the RelyingParty's ErrorHandler. Custom parameters can optionally be added to the token request.
func DelegationTokenRequest ¶
func DelegationTokenRequest(subjectToken string, opts ...tokenexchange.TokenExchangeOption) *tokenexchange.TokenExchangeRequest
DelegationTokenRequest is an implementation of TokenExchangeRequest: it exchanges a subject token of type "urn:ietf:params:oauth:token-type:access_token", together with an optional actor token of type "urn:ietf:params:oauth:token-type:access_token", for a delegation token of type "urn:ietf:params:oauth:token-type:access_token" (the delegation scenario of RFC 8693).
func DeviceAccessToken ¶
func DeviceAccessToken(ctx context.Context, deviceCode string, interval time.Duration, rp RelyingParty) (resp *oidc.AccessTokenResponse, err error)
DeviceAccessToken attempts to obtain tokens for a Device Authorization by polling the token endpoint as defined in RFC 8628, sections 3.3 and 3.4: https://www.rfc-editor.org/rfc/rfc8628#section-3.4. interval should be the `interval` value from the DeviceAuthorizationResponse; polling more often than the server permits yields `slow_down` errors (RFC 8628, section 3.5).
func DeviceAuthorization ¶
func DeviceAuthorization(ctx context.Context, scopes []string, rp RelyingParty, authFn any) (*oidc.DeviceAuthorizationResponse, error)
DeviceAuthorization starts a new Device Authorization flow as defined in RFC 8628, section 3.1 and 3.2: https://www.rfc-editor.org/rfc/rfc8628#section-3.1
func EndSession ¶
func GenerateAndStoreCodeChallenge ¶
func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (string, error)
GenerateAndStoreCodeChallenge generates a PKCE code verifier, stores the verifier in a cookie written to w via the RelyingParty's CookieHandler, and returns the derived code challenge to be sent with the authorization request (see WithCodeChallenge). The verifier is later read back from the cookie on the callback and sent with the code; it must never appear in the authorization URL itself.
func NewRemoteKeySet ¶
func RefreshTokens ¶
func RefreshTokens[C oidc.IDClaims](ctx context.Context, rp RelyingParty, refreshToken, clientAssertion, clientAssertionType string) (*oidc.Tokens[C], error)
RefreshTokens performs a token refresh with the given refreshToken (and, for JWT Profile clients, clientAssertion/clientAssertionType). If it doesn't error, it will always provide a new AccessToken. It may provide a new RefreshToken, and if it does, the old one must be discarded and replaced — the server may have revoked it (RFC 6749, section 6). Refresh tokens are long-lived credentials; store them with the same care as the client secret.
If the RP is not OAuth2-only (see IsOAuth2Only) and an id_token was part of the response, the id_token and access token are verified and the IDToken and IDTokenClaims fields of the returned object are populated. OIDC Core, section 12.2 additionally requires a refreshed id_token to carry the same `iss` and `sub` as the original one; confirm whether that comparison is performed here, and otherwise do it in the caller before replacing the session's identity.
func RevokeToken ¶
RevokeToken revokes a token at the provider's revocation endpoint (RFC 7009). It requires a RelyingParty that is also a client.RevokeCaller: the RelyingParty returned by NewRelyingPartyOIDC() meets that criterion, but the one returned by NewRelyingPartyOAuth() does not, in which case ErrRelyingPartyNotSupportRevokeCaller is presumably returned.
tokenTypeHint should be either "id_token" or "refresh_token". Note that RFC 7009, section 2.1 only defines the hint values "access_token" and "refresh_token"; "id_token" is a provider-specific extension, and the hint is merely an optimization — a conforming server must still locate and revoke the token if the hint is wrong. Check what your provider accepts.
func SkipRemoteCheck ¶
func SkipRemoteCheck() func(set *remoteKeySet)
SkipRemoteCheck suppresses re-fetching the remote JWKS when signature validation fails with the cached keys and the JWT carries no `kid` header.
This can save unnecessary round trips where the JWT does not contain a `kid` header and there is only a single remote key. Note that with this option remote keys are only fetched when the cache is empty, so after the provider rotates its signing key every token will fail verification until the cache is cleared (e.g. by a process restart). Without this option, a flood of tokens with invalid signatures and no `kid` may trigger a JWKS fetch per failure — weigh that availability concern against key-rotation handling when enabling it.
func Userinfo ¶
func Userinfo[U SubjectGetter](ctx context.Context, token, tokenType, subject string, rp RelyingParty) (userinfo U, err error)
Userinfo calls the OIDC UserInfo endpoint with the provided token (sent using the given tokenType, e.g. "Bearer") and decodes the response into a U. The `sub` of the response (U.GetSubject) must equal subject, which callers should take from the verified id_token; otherwise ErrUserInfoSubNotMatching is returned. This check is mandated by OIDC Core, section 5.3.2 and prevents a substituted or mixed-up userinfo response from being attributed to the wrong user. *oidc.UserInfo can be used as a good example, or use a custom type if type-safe access to custom claims is needed.
Example (Custom) ¶
package main import ( "context" "fmt" "github.com/zitadel/oidc/v3/pkg/client/rp" "github.com/zitadel/oidc/v3/pkg/oidc" ) type UserInfo struct { Subject string `json:"sub,omitempty"` oidc.UserInfoProfile oidc.UserInfoEmail oidc.UserInfoPhone Address *oidc.UserInfoAddress `json:"address,omitempty"` // Foo and Bar are custom claims Foo string `json:"foo,omitempty"` Bar struct { Val1 string `json:"val_1,omitempty"` Val2 string `json:"val_2,omitempty"` } `json:"bar,omitempty"` // Claims are all the combined claims, including custom. Claims map[string]any `json:"-,omitempty"` } func (u *UserInfo) GetSubject() string { return u.Subject } func main() { rpo, err := rp.NewRelyingPartyOIDC(context.TODO(), "http://localhost:8080", "clientid", "clientsecret", "http://example.com/redirect", []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopePhone}) if err != nil { panic(err) } info, err := rp.Userinfo[*UserInfo](context.TODO(), "accesstokenstring", "Bearer", "userid", rpo) if err != nil { panic(err) } fmt.Println(info) }
Output:
func VerifyAccessToken ¶
func VerifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAlgorithm) error
VerifyAccessToken checks that accessToken matches the `at_hash` claim of an id_token, as required by https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation: the left-most half of the hash of the access token, computed with the hash function belonging to sigAlgorithm (e.g. SHA-256 for RS256), must equal the base64url-decoded atHash. This binds the access token to the id_token; it does not verify the access token's own signature or claims (the function receives no key set).
func VerifyIDToken ¶
func VerifyIDToken[C oidc.Claims](ctx context.Context, token string, v *IDTokenVerifier) (claims C, err error)
VerifyIDToken validates the id_token according to https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation using the issuer, client ID, key set and options configured on v (allowed signing algorithms, nonce, acr, auth_time and iat bounds). It does not check `at_hash` — use VerifyTokens whenever an access token was issued alongside the id_token.
func VerifyTokens ¶
func VerifyTokens[C oidc.IDClaims](ctx context.Context, accessToken, idToken string, v *IDTokenVerifier) (claims C, err error)
VerifyTokens implements the Token Response Validation defined in https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation: it verifies the id_token as VerifyIDToken does and additionally binds accessToken to it through the `at_hash` claim (see VerifyAccessToken), which is why C must implement oidc.IDClaims and expose that hash. Prefer this over VerifyIDToken whenever an access token was received with the id_token.
Example (CustomClaims) ¶
package main

import (
	"context"
	"fmt"

	tu "github.com/zitadel/oidc/v3/internal/testutil"
	"github.com/zitadel/oidc/v3/pkg/client/rp"
	"github.com/zitadel/oidc/v3/pkg/oidc"
)

// MyCustomClaims extends the TokenClaims base,
// so it implements the oidc.Claims interface.
// Instead of carrying a map, we add needed fields
// to the struct for type safe access.
type MyCustomClaims struct {
	oidc.TokenClaims
	NotBefore       oidc.Time `json:"nbf,omitempty"`
	AccessTokenHash string    `json:"at_hash,omitempty"`
	Foo             string    `json:"foo,omitempty"`
	Bar             *Nested   `json:"bar,omitempty"`
}

// GetAccessTokenHash is required to implement
// the oidc.IDClaims interface; VerifyTokens uses it
// to bind the access token to this id_token.
func (c *MyCustomClaims) GetAccessTokenHash() string {
	return c.AccessTokenHash
}

// Nested struct types are also possible.
type Nested struct {
	Count int      `json:"count,omitempty"`
	Tags  []string `json:"tags,omitempty"`
}

/*
idToken carries the following claims. foo and bar are custom claims.
Note that this is a test fixture: `exp` lies far in the future so the
token never expires, and the `nonce` is a fixed value.

	{
	  "acr": "something",
	  "amr": [ "foo", "bar" ],
	  "at_hash": "2dzbm_vIxy-7eRtqUIGPPw",
	  "aud": [ "unit", "test", "555666" ],
	  "auth_time": 1678100961,
	  "azp": "555666",
	  "bar": { "count": 22, "tags": [ "some", "tags" ] },
	  "client_id": "555666",
	  "exp": 4802238682,
	  "foo": "Hello, World!",
	  "iat": 1678101021,
	  "iss": "local.com",
	  "jti": "9876",
	  "nbf": 1678101021,
	  "nonce": "12345",
	  "sub": "tim@local.com"
	}
*/
const idToken = `eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJhY3IiOiJzb21ldGhpbmciLCJhbXIiOlsiZm9vIiwiYmFyIl0sImF0X2hhc2giOiIyZHpibV92SXh5LTdlUnRxVUlHUFB3IiwiYXVkIjpbInVuaXQiLCJ0ZXN0IiwiNTU1NjY2Il0sImF1dGhfdGltZSI6MTY3ODEwMDk2MSwiYXpwIjoiNTU1NjY2IiwiYmFyIjp7ImNvdW50IjoyMiwidGFncyI6WyJzb21lIiwidGFncyJdfSwiY2xpZW50X2lkIjoiNTU1NjY2IiwiZXhwIjo0ODAyMjM4NjgyLCJmb28iOiJIZWxsbywgV29ybGQhIiwiaWF0IjoxNjc4MTAxMDIxLCJpc3MiOiJsb2NhbC5jb20iLCJqdGkiOiI5ODc2IiwibmJmIjoxNjc4MTAxMDIxLCJub25jZSI6IjEyMzQ1Iiwic3ViIjoidGltQGxvY2FsLmNvbSJ9.t3GXSfVNNwiW1Suv9_84v0sdn2_-RWHVxhphhRozDXnsO7SDNOlGnEioemXABESxSzMclM7gB7mYy5Qah2ZUNx7eP5t2njoxEYfavgHwx7UJZ2NCg8NDPQyr-hlxelEcfdXK-I0oTd-FRDvF4rqPkD9Us52IpnplChCxnHFgh4wKwPqZZjv2IXVCtn0ilKW3hff1rMOYKEuLRcN2YP0gkyuqyHvcf2dMmjod0t4sLOTJ82rsCbMBC5CLpqv3nIC9HOGITkt1Kd-Am0n1LrdZvWwTo6RFe8AnzF0gpqjcB5Wg4Qeh58DIjZOz4f_8wnmJ_gCqyRh5vfSW4XHdbum0Tw`

// accessToken is the token whose hash is carried in the id_token's at_hash.
const accessToken = `eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJhdWQiOlsidW5pdCIsInRlc3QiXSwiYmFyIjp7ImNvdW50IjoyMiwidGFncyI6WyJzb21lIiwidGFncyJdfSwiZXhwIjo0ODAyMjM4NjgyLCJmb28iOiJIZWxsbywgV29ybGQhIiwiaWF0IjoxNjc4MTAxMDIxLCJpc3MiOiJsb2NhbC5jb20iLCJqdGkiOiI5ODc2IiwibmJmIjoxNjc4MTAxMDIxLCJzdWIiOiJ0aW1AbG9jYWwuY29tIn0.Zrz3LWSRjCMJZUMaI5dUbW4vGdSmEeJQ3ouhaX0bcW9rdFFLgBI4K2FWJhNivq8JDmCGSxwLu3mI680GWmDaEoAx1M5sCO9lqfIZHGZh-lfAXk27e6FPLlkTDBq8Bx4o4DJ9Fw0hRJGjUTjnYv5cq1vo2-UqldasL6CwTbkzNC_4oQFfRtuodC4Ql7dZ1HRv5LXuYx7KPkOssLZtV9cwtJp5nFzKjcf2zEE_tlbjcpynMwypornRUp1EhCWKRUGkJhJeiP71ECY5pQhShfjBu9Nc5wDpSnZmnk2S4YsPrRK3QkE-iEkas8BfsOCrGoErHjEJexAIDjasGO5PFLWfCA`

func main() {
	// tu.KeySet is a test helper; a real RP uses NewRemoteKeySet with the
	// provider's JWKS URL. Likewise the constant nonce only matches this
	// fixture: in production generate a random nonce per authorization
	// request, keep it in the session, and return that value here so the
	// id_token is bound to the request (replay protection).
	v := rp.NewIDTokenVerifier("local.com", "555666", tu.KeySet{},
		rp.WithNonce(func(ctx context.Context) string { return "12345" }),
	)

	// VerifyTokens can be called with the *MyCustomClaims.
	claims, err := rp.VerifyTokens[*MyCustomClaims](context.TODO(), accessToken, idToken, v)
	if err != nil {
		panic(err)
	}

	// Here we have typesafe access to the custom claims
	fmt.Println(claims.Foo, claims.Bar.Count, claims.Bar.Tags)
}
Output: Hello, World! 22 [some tags]
Types ¶
type AuthURLOpt ¶
type AuthURLOpt func() []oauth2.AuthCodeOption
func WithCodeChallenge ¶
func WithCodeChallenge(codeChallenge string) AuthURLOpt
WithCodeChallenge sets the `code_challenge` parameter in the auth request, e.g. to the value returned by GenerateAndStoreCodeChallenge. Only the challenge goes into the URL; the verifier stays with the RP until the code exchange.
func WithPrompt ¶
func WithPrompt(prompt ...string) AuthURLOpt
WithPrompt sets the `prompt` params in the auth request
type CodeExchangeCallback ¶
type CodeExchangeCallback[C oidc.IDClaims] func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[C], state string, rp RelyingParty)
func UserinfoCallback ¶
func UserinfoCallback[C oidc.IDClaims, U SubjectGetter](f CodeExchangeUserinfoCallback[C, U]) CodeExchangeCallback[C]
UserinfoCallback wraps a CodeExchangeUserinfoCallback into a CodeExchangeCallback for use with CodeExchangeHandler: after a successful code exchange it calls the userinfo endpoint with the access token (via Userinfo, so the `sub` consistency check applies) and, on success, passes the userinfo into f together with the tokens.
type CodeExchangeOpt ¶
type CodeExchangeOpt func() []oauth2.AuthCodeOption
func WithClientAssertionJWT ¶
func WithClientAssertionJWT(clientAssertion string) CodeExchangeOpt
WithClientAssertionJWT sets the `client_assertion` param in the token request
func WithCodeVerifier ¶
func WithCodeVerifier(codeVerifier string) CodeExchangeOpt
WithCodeVerifier sets the `code_verifier` param in the token request
type CodeExchangeUserinfoCallback ¶
type CodeExchangeUserinfoCallback[C oidc.IDClaims, U SubjectGetter] func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[C], state string, provider RelyingParty, info U)
type DelegationTokenExchangeRP ¶
type DelegationTokenExchangeRP interface { TokenExchangeRP // DelegationTokenExchange implement the `Token Exchange Grant` // providing an access token in request for a `delegation` token for a given resource / audience DelegationTokenExchange(context.Context, string, ...tokenexchange.TokenExchangeOption) (*oauth2.Token, error) }
DelegationTokenExchangeRP extends the `TokenExchangeRP` interface for the specific `delegation token` request
type Endpoints ¶
type Endpoints struct { oauth2.Endpoint IntrospectURL string UserinfoURL string JKWsURL string EndSessionURL string RevokeURL string DeviceAuthorizationURL string }
func GetEndpoints ¶
func GetEndpoints(discoveryConfig *oidc.DiscoveryConfiguration) Endpoints
type ErrorHandler ¶
type ErrorHandler func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string)
var DefaultErrorHandler ErrorHandler = func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string) { http.Error(w, errorType+": "+errorDesc, http.StatusInternalServerError) }
type HasUnauthorizedHandler ¶ added in v3.10.0
type IDTokenVerifier ¶
func NewIDTokenVerifier ¶
func NewIDTokenVerifier(issuer, clientID string, keySet oidc.KeySet, options ...VerifierOption) *IDTokenVerifier
NewIDTokenVerifier returns an *IDTokenVerifier for the given issuer and clientID that validates id_token signatures against keySet (e.g. from NewRemoteKeySet). options configure the nonce check, acr verification, auth_time/iat bounds and the allowed signing algorithms (RS256 only by default).
type Option ¶
type Option func(*relyingParty) error
Option is the type for providing dynamic options to the relyingParty
func WithAuthStyle ¶ added in v3.12.0
func WithClientKey ¶
WithClientKey specifies the path to the key.json used for JWT Profile client authentication on the token endpoint.
Deprecated: use WithJWTProfile(SignerFromKeyPath(path)) instead.
func WithCookieHandler ¶
func WithCookieHandler(cookieHandler *httphelper.CookieHandler) Option
WithCookieHandler sets the `CookieHandler` that protects the redirect round trips (the cookies carrying `state` and, with PKCE, the code verifier). Configure it with a strong key and Secure/HttpOnly attributes; these cookies are what ties the callback to the browser that started the flow.
func WithCustomDiscoveryUrl ¶
func WithErrorHandler ¶
func WithErrorHandler(errorHandler ErrorHandler) Option
func WithHTTPClient ¶
WithHTTPClient sets the http.Client used for calls to the provider (e.g. the token endpoint) and by the verifier. Configure timeouts and TLS settings on this client; it must not skip certificate verification, since it carries the client credentials and tokens.
func WithJWTProfile ¶
func WithJWTProfile(signerFromKey SignerFromKey) Option
WithJWTProfile creates a signer used for the JWT Profile Client Authentication on the token endpoint When creating the signer, be sure to include the KeyID in the SigningKey. See client.NewSignerFromPrivateKeyByte for an example.
func WithLogger ¶
WithLogger sets a logger that is used in case the request context does not contain a logger.
func WithPKCE ¶
func WithPKCE(cookieHandler *httphelper.CookieHandler) Option
WithPKCE configures the RP to use PKCE (an OAuth2 code challenge/verifier pair, RFC 7636) and sets the `CookieHandler` used to protect the redirects and to carry the code verifier from the authorization request to the callback.
func WithSigningAlgsFromDiscovery ¶ added in v3.22.0
func WithSigningAlgsFromDiscovery() Option
WithSigningAlgsFromDiscovery appends a WithSupportedSigningAlgorithms option to the verifier options, using the algorithms listed in `id_token_signing_alg_values_supported` of the discovery response. This widens the accepted set from the RS256 default to whatever the provider advertises; if you need a tight allow-list (or do not fully trust the discovery document), set WithSupportedSigningAlgorithms explicitly instead.
func WithUnauthorizedHandler ¶ added in v3.10.0
func WithUnauthorizedHandler(unauthorizedHandler UnauthorizedHandler) Option
func WithVerifierOpts ¶
func WithVerifierOpts(opts ...VerifierOption) Option
type OptionFunc ¶
type OptionFunc func(RelyingParty)
type RefreshTokenRequest ¶
type RefreshTokenRequest struct { RefreshToken string `schema:"refresh_token"` Scopes oidc.SpaceDelimitedArray `schema:"scope,omitempty"` ClientID string `schema:"client_id,omitempty"` ClientSecret string `schema:"client_secret,omitempty"` ClientAssertion string `schema:"client_assertion,omitempty"` ClientAssertionType string `schema:"client_assertion_type,omitempty"` GrantType oidc.GrantType `schema:"grant_type"` }
type RelyingParty ¶
type RelyingParty interface { // OAuthConfig returns the oauth2 Config OAuthConfig() *oauth2.Config // Issuer returns the issuer of the oidc config Issuer() string // IsPKCE returns if authorization is done using `Authorization Code Flow with Proof Key for Code Exchange (PKCE)` IsPKCE() bool // CookieHandler returns a http cookie handler used for various state transfer cookies CookieHandler() *httphelper.CookieHandler // HttpClient returns a http client used for calls to the openid provider, e.g. calling token endpoint HttpClient() *http.Client // IsOAuth2Only specifies whether relaying party handles only oauth2 or oidc calls IsOAuth2Only() bool // Signer is used if the relaying party uses the JWT Profile Signer() jose.Signer // GetEndSessionEndpoint returns the endpoint to sign out on a IDP GetEndSessionEndpoint() string // GetRevokeEndpoint returns the endpoint to revoke a specific token GetRevokeEndpoint() string // UserinfoEndpoint returns the userinfo UserinfoEndpoint() string // GetDeviceAuthorizationEndpoint returns the endpoint which can // be used to start a DeviceAuthorization flow. GetDeviceAuthorizationEndpoint() string // IDTokenVerifier returns the verifier used for oidc id_token verification IDTokenVerifier() *IDTokenVerifier // ErrorHandler returns the handler used for callback errors ErrorHandler() func(http.ResponseWriter, *http.Request, string, string, string) // Logger from the context, or a fallback if set. Logger(context.Context) (logger *slog.Logger, ok bool) }
RelyingParty declares the minimal interface for OIDC/OAuth2 clients.
func NewRelyingPartyOAuth ¶
func NewRelyingPartyOAuth(config *oauth2.Config, options ...Option) (RelyingParty, error)
NewRelyingPartyOAuth creates an (OAuth2-only) RelyingParty from the given oauth2.Config and options. It uses the AuthURL and TokenURL set in config and performs no discovery, so those URLs must be correct and use https.
func NewRelyingPartyOIDC ¶
func NewRelyingPartyOIDC(ctx context.Context, issuer, clientID, clientSecret, redirectURI string, scopes []string, options ...Option) (RelyingParty, error)
NewRelyingPartyOIDC creates an (OIDC) RelyingParty with the given issuer, clientID, clientSecret, redirectURI, scopes and options. It runs OIDC discovery against the provided issuer (its `/.well-known/openid-configuration` unless WithCustomDiscoveryUrl is set) and uses the discovered endpoints. The issuer value is presumably also what id_tokens' `iss` claims are verified against, so it must match the provider's issuer exactly (scheme, host, path, trailing slash).
type SignerFromKey ¶
type SignerFromKey func() (jose.Signer, error)
func SignerFromKeyAndKeyID ¶
func SignerFromKeyAndKeyID(key []byte, keyID string) SignerFromKey
func SignerFromKeyFile ¶
func SignerFromKeyFile(fileData []byte) SignerFromKey
func SignerFromKeyPath ¶
func SignerFromKeyPath(path string) SignerFromKey
type SubjectGetter ¶
// SubjectGetter exposes the `sub` claim of a userinfo response so that Userinfo
// can compare it with the subject of the verified id_token (see
// ErrUserInfoSubNotMatching).
type SubjectGetter interface {
	GetSubject() string
}
type TokenExchangeRP ¶
type TokenExchangeRP interface { RelyingParty // TokenExchange implement the `Token Exchange Grant` exchanging some token for an other TokenExchange(context.Context, *tokenexchange.TokenExchangeRequest) (*oauth2.Token, error) }
TokenExchangeRP extends the `RelyingParty` interface for the OAuth 2.0 `Token Exchange` grant (originally an IETF draft, now RFC 8693).
type URLParamOpt ¶
type URLParamOpt func() []oauth2.AuthCodeOption
func WithPromptURLParam ¶
func WithPromptURLParam(prompt ...string) URLParamOpt
WithPromptURLParam sets the `prompt` parameter in a URL.
func WithResponseModeURLParam ¶
func WithResponseModeURLParam(mode oidc.ResponseMode) URLParamOpt
WithResponseModeURLParam sets the `response_mode` parameter in a URL.
func WithURLParam ¶
func WithURLParam(key, value string) URLParamOpt
WithURLParam allows setting custom key-value pairs on an OAuth2 URL. Values are sent to the provider as-is; do not place secrets in them, since URL parameters end up in logs, referrers and browser history.
type UnauthorizedHandler ¶ added in v3.10.0
http.Error(w, desc, http.StatusUnauthorized) }
type VerifierOption ¶
type VerifierOption func(*IDTokenVerifier)
VerifierOption is the type for providing dynamic options to the IDTokenVerifier
func WithACRVerifier ¶
func WithACRVerifier(verifier oidc.ACRVerifier) VerifierOption
WithACRVerifier sets the verifier for the acr claim
func WithAuthTimeMaxAge ¶
func WithAuthTimeMaxAge(maxAge time.Duration) VerifierOption
WithAuthTimeMaxAge sets the maximum accepted age of the user's authentication: verification fails if more than maxAge has elapsed between the id_token's `auth_time` claim and now. Use it together with the `max_age` authorization request parameter, which makes the provider include `auth_time`.
func WithIssuedAtMaxAge ¶
func WithIssuedAtMaxAge(maxAge time.Duration) VerifierOption
WithIssuedAtMaxAge sets the maximum accepted age of the id_token itself: verification fails if more than maxAge has elapsed between its `iat` claim and now.
func WithIssuedAtOffset ¶
func WithIssuedAtOffset(offset time.Duration) VerifierOption
WithIssuedAtOffset tolerates clock skew between the RP and the provider: an `iat` up to offset in the future relative to the local clock is still accepted. Keep the offset small (seconds, not minutes) so it does not become a window for replaying pre-dated tokens.
func WithNonce ¶
func WithNonce(nonce func(context.Context) string) VerifierOption
WithNonce sets a function that returns the expected `nonce` for the current request (typically read from the session or a cookie); the id_token's `nonce` claim must equal it. Generate a fresh random nonce per authorization request and send it as the `nonce` parameter so the id_token is bound to that request — this is the replay protection of the id_token.
func WithSupportedSigningAlgorithms ¶
func WithSupportedSigningAlgorithms(algs ...string) VerifierOption
WithSupportedSigningAlgorithms replaces the default allow-list (RS256 only) with algs; only id_tokens whose `alg` header is in the list are accepted. Keep the list as small as your provider requires — accepting more algorithms than needed only widens the attack surface.