Documentation ¶
Index ¶
- Constants
- Variables
- func AppendClientIDToAudience(clientID string, audience []string) []string
- func CheckAudience(claims Claims, clientID string) error
- func CheckAuthTime(claims Claims, maxAge time.Duration) error
- func CheckAuthorizationContextClassReference(claims Claims, acr ACRVerifier) error
- func CheckAuthorizedParty(claims Claims, clientID string) error
- func CheckExpiration(claims Claims, offset time.Duration) error
- func CheckIssuedAt(claims Claims, maxAgeIAT, offset time.Duration) error
- func CheckIssuer(claims Claims, issuer string) error
- func CheckNonce(claims Claims, nonce string) error
- func CheckSignature(ctx context.Context, token string, payload []byte, claims ClaimsSignature, ...) error
- func CheckSubject(claims Claims) error
- func ClaimHash(claim string, sigAlgorithm jose.SignatureAlgorithm) (string, error)
- func DecryptToken(tokenString string) (string, error)
- func FindKey(keyID, use, expectedAlg string, keys ...jose.JSONWebKey) (jose.JSONWebKey, bool)
- func FindMatchingKey(keyID, use, expectedAlg string, keys ...jose.JSONWebKey) (key jose.JSONWebKey, err error)
- func GenerateJWTProfileToken(assertion *JWTProfileAssertionClaims) (string, error)
- func GetKeyIDAndAlg(jws *jose.JSONWebSignature) (string, string)
- func JWTProfileCustomClaim(key string, value any) func(*JWTProfileAssertionClaims)
- func JWTProfileDelegatedSubject(sub string) func(*JWTProfileAssertionClaims)
- func NewEncoder() *schema.Encoder
- func NewJWTProfileAssertionStringFromFileData(data []byte, audience []string, opts ...AssertionOption) (string, error)
- func NewSHACodeChallenge(code string) string
- func ParseToken(tokenString string, claims any) ([]byte, error)
- func VerifyCodeChallenge(c *CodeChallenge, codeVerifier string) bool
- type ACRVerifier
- type AccessTokenClaims
- type AccessTokenRequest
- type AccessTokenResponse
- type AssertionOption
- type Audience
- type AuthMethod
- type AuthRequest
- type Bool
- type Claims
- type ClaimsSignature
- type ClientAssertionParams
- type ClientCredentialsRequest
- type CodeChallenge
- type CodeChallengeMethod
- type DeviceAccessTokenRequest
- type DeviceAuthorizationRequest
- type DeviceAuthorizationResponse
- type DiscoveryConfiguration
- type Display
- type EndSessionRequest
- type Error
- func (e *Error) Error() string
- func (e *Error) Is(target error) bool
- func (e *Error) IsRedirectDisabled() bool
- func (e *Error) LogLevel() slog.Level
- func (e *Error) LogValue() slog.Value
- func (e *Error) Unwrap() error
- func (e *Error) WithDescription(desc string, args ...any) *Error
- func (e *Error) WithParent(err error) *Error
- type Gender
- type GrantType
- type IDClaims
- type IDTokenClaims
- type IntrospectionRequest
- type IntrospectionResponse
- type JWTProfileAssertionClaims
- func NewJWTProfileAssertion(userID, keyID string, audience []string, key []byte, opts ...AssertionOption) *JWTProfileAssertionClaims
- func NewJWTProfileAssertionFromFileData(data []byte, audience []string, opts ...AssertionOption) (*JWTProfileAssertionClaims, error)
- func NewJWTProfileAssertionFromKeyJSON(filename string, audience []string, opts ...AssertionOption) (*JWTProfileAssertionClaims, error)
- type JWTProfileGrantRequest
- type JWTTokenRequest
- func (j *JWTTokenRequest) GetAudience() []string
- func (j *JWTTokenRequest) GetAuthTime() time.Time
- func (j *JWTTokenRequest) GetAuthenticationContextClassReference() string
- func (j *JWTTokenRequest) GetAuthorizedParty() string
- func (j *JWTTokenRequest) GetCustomClaim(key string) any
- func (j *JWTTokenRequest) GetExpiration() time.Time
- func (j *JWTTokenRequest) GetIssuedAt() time.Time
- func (j *JWTTokenRequest) GetIssuer() string
- func (j *JWTTokenRequest) GetNonce() string
- func (j *JWTTokenRequest) GetScopes() []string
- func (j *JWTTokenRequest) GetSubject() string
- func (j *JWTTokenRequest) MarshalJSON() ([]byte, error)
- func (j *JWTTokenRequest) SetSignatureAlgorithm(_ jose.SignatureAlgorithm)
- func (j *JWTTokenRequest) UnmarshalJSON(data []byte) error
- type KeySet
- type Locale
- type Locales
- type MaxAge
- type Prompt
- type RefreshTokenRequest
- type RequestObject
- type ResponseMode
- type ResponseType
- type RevocationRequest
- type SpaceDelimitedArray
- func (s SpaceDelimitedArray) MarshalJSON() ([]byte, error)
- func (s SpaceDelimitedArray) MarshalText() ([]byte, error)
- func (s *SpaceDelimitedArray) Scan(src any) error
- func (s SpaceDelimitedArray) String() string
- func (s *SpaceDelimitedArray) UnmarshalJSON(data []byte) error
- func (s *SpaceDelimitedArray) UnmarshalText(text []byte) error
- func (s SpaceDelimitedArray) Value() (driver.Value, error)
- type Time
- type TokenClaims
- func (c *TokenClaims) GetAudience() []string
- func (c *TokenClaims) GetAuthTime() time.Time
- func (c *TokenClaims) GetAuthenticationContextClassReference() string
- func (c *TokenClaims) GetAuthorizedParty() string
- func (c *TokenClaims) GetExpiration() time.Time
- func (c *TokenClaims) GetIssuedAt() time.Time
- func (c *TokenClaims) GetIssuer() string
- func (c *TokenClaims) GetNonce() string
- func (c *TokenClaims) GetSignatureAlgorithm() jose.SignatureAlgorithm
- func (c *TokenClaims) GetSubject() string
- func (c *TokenClaims) SetSignatureAlgorithm(algorithm jose.SignatureAlgorithm)
- type TokenExchangeRequest
- type TokenExchangeResponse
- type TokenRequest
- type TokenRequestType
- type TokenType
- type Tokens
- type UserInfo
- type UserInfoAddress
- type UserInfoEmail
- type UserInfoPhone
- type UserInfoProfile
- type UserInfoRequest
- type Verifier
Constants ¶
// Scope, response_type, display, response_mode and prompt values used in
// authorization requests. Only the ResponseType*, Display* and ResponseMode*
// constants are typed; the Scope* and Prompt* constants are untyped string
// constants and can be assigned to any string-based type.
const (
	// ScopeOpenID defines the scope `openid`
	// OpenID Connect requests MUST contain the `openid` scope value
	ScopeOpenID = "openid"
	// ScopeProfile defines the scope `profile`
	// This (optional) scope value requests access to the End-User's default profile Claims,
	// which are: name, family_name, given_name, middle_name, nickname, preferred_username,
	// profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at.
	ScopeProfile = "profile"
	// ScopeEmail defines the scope `email`
	// This (optional) scope value requests access to the email and email_verified Claims.
	ScopeEmail = "email"
	// ScopeAddress defines the scope `address`
	// This (optional) scope value requests access to the address Claim.
	ScopeAddress = "address"
	// ScopePhone defines the scope `phone`
	// This (optional) scope value requests access to the phone_number and phone_number_verified Claims.
	ScopePhone = "phone"
	// ScopeOfflineAccess defines the scope `offline_access`
	// This (optional) scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token
	// that grants access to the End-User's UserInfo Endpoint even when the End-User is not present (not logged in).
	ScopeOfflineAccess = "offline_access"

	// ResponseTypeCode for the Authorization Code Flow returning a code from the Authorization Server
	ResponseTypeCode ResponseType = "code"
	// ResponseTypeIDToken for the Implicit Flow returning id and access tokens directly from the Authorization Server
	ResponseTypeIDToken ResponseType = "id_token token"
	// ResponseTypeIDTokenOnly for the Implicit Flow returning only id token directly from the Authorization Server
	ResponseTypeIDTokenOnly ResponseType = "id_token"

	// Display values for the `display` request parameter.
	DisplayPage  Display = "page"
	DisplayPopup Display = "popup"
	DisplayTouch Display = "touch"
	DisplayWAP   Display = "wap"

	// ResponseMode values for the `response_mode` request parameter.
	ResponseModeQuery    ResponseMode = "query"
	ResponseModeFragment ResponseMode = "fragment"

	// PromptNone (`none`) disallows the Authorization Server to display any authentication or consent user interface pages.
	// An error (login_required, interaction_required, ...) will be returned if the user is not already authenticated or consent is needed
	PromptNone = "none"
	// PromptLogin (`login`) directs the Authorization Server to prompt the End-User for reauthentication.
	PromptLogin = "login"
	// PromptConsent (`consent`) directs the Authorization Server to prompt the End-User for consent (of sharing information).
	PromptConsent = "consent"
	// PromptSelectAccount (`select_account `) directs the Authorization Server to prompt the End-User to select a user account (to enable multi user / session switching)
	PromptSelectAccount = "select_account"
)
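// Error codes (the `error` member of an OAuth 2.0 / OpenID Connect error
// response) used by the Err* constructors. The first group are the codes from
// RFC 6749 and OpenID Connect Core; the second group is specific to the
// Device Authorization Grant.
const (
	InvalidRequest errorType = "invalid_request"
	InvalidScope   errorType = "invalid_scope"
	InvalidClient  errorType = "invalid_client"
	InvalidGrant   errorType = "invalid_grant"
	// UnauthorizedClient is the RFC 6749 code for a client that is not
	// authorized to use the requested grant type. It is referenced by the
	// Err* constructors and therefore has to be declared here.
	UnauthorizedClient   errorType = "unauthorized_client"
	UnsupportedGrantType errorType = "unsupported_grant_type"
	ServerError          errorType = "server_error"
	InteractionRequired  errorType = "interaction_required"
	LoginRequired        errorType = "login_required"
	RequestNotSupported  errorType = "request_not_supported"

	// Additional error codes as defined in
	// https://www.rfc-editor.org/rfc/rfc8628#section-3.5
	// Device Access Token Response
	AuthorizationPending errorType = "authorization_pending"
	SlowDown             errorType = "slow_down"
	AccessDenied         errorType = "access_denied"
	ExpiredToken         errorType = "expired_token"
)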
const (
	// BearerToken defines the token_type `Bearer`, which is returned in a successful token response
	BearerToken = "Bearer"
	// PrefixBearer is the Authorization header prefix ("Bearer " including the
	// trailing space) that precedes a bearer token.
	PrefixBearer = BearerToken + " "
)
const (
	// DiscoveryEndpoint is the well-known path at which the OpenID Provider
	// publishes its DiscoveryConfiguration.
	DiscoveryEndpoint = "/.well-known/openid-configuration"
)
const (
	// KeyUseSignature is the JWK `use` value for keys intended for signing
	// (as opposed to encryption); it is the usage FindMatchingKey is given
	// when looking up signature verification keys.
	KeyUseSignature = "sig"
)
Variables ¶
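// Constructors for the standard *Error values. Each entry is a func that
// builds a fresh *Error on every call rather than a shared package-level
// value, presumably so callers can customize the result (WithDescription,
// WithParent, State) without affecting other callers — verify against the
// Error methods.
var (
	ErrInvalidRequest = func() *Error {
		return &Error{
			ErrorType: InvalidRequest,
		}
	}
	// ErrInvalidRequestRedirectURI is an invalid_request error with
	// redirectDisabled set (exposed via IsRedirectDisabled). The name suggests
	// it is meant for requests whose redirect_uri itself failed validation,
	// where the error must be rendered to the user instead of being sent to an
	// unverified redirect target.
	ErrInvalidRequestRedirectURI = func() *Error {
		return &Error{
			ErrorType:        InvalidRequest,
			redirectDisabled: true,
		}
	}
	ErrInvalidScope = func() *Error {
		return &Error{
			ErrorType: InvalidScope,
		}
	}
	ErrInvalidClient = func() *Error {
		return &Error{
			ErrorType: InvalidClient,
		}
	}
	ErrInvalidGrant = func() *Error {
		return &Error{
			ErrorType: InvalidGrant,
		}
	}
	ErrUnauthorizedClient = func() *Error {
		return &Error{
			ErrorType: UnauthorizedClient,
		}
	}
	ErrUnsupportedGrantType = func() *Error {
		return &Error{
			ErrorType: UnsupportedGrantType,
		}
	}
	ErrServerError = func() *Error {
		return &Error{
			ErrorType: ServerError,
		}
	}
	ErrInteractionRequired = func() *Error {
		return &Error{
			ErrorType: InteractionRequired,
		}
	}
	ErrLoginRequired = func() *Error {
		return &Error{
			ErrorType: LoginRequired,
		}
	}
	ErrRequestNotSupported = func() *Error {
		return &Error{
			ErrorType: RequestNotSupported,
		}
	}

	// Device Access Token errors (RFC 8628 section 3.5). Unlike the errors
	// above, these carry a default human-readable Description.
	ErrAuthorizationPending = func() *Error {
		return &Error{
			ErrorType:   AuthorizationPending,
			Description: "The client SHOULD repeat the access token request to the token endpoint, after interval from device authorization response.",
		}
	}
	ErrSlowDown = func() *Error {
		return &Error{
			ErrorType:   SlowDown,
			Description: "Polling should continue, but the interval MUST be increased by 5 seconds for this and all subsequent requests.",
		}
	}
	ErrAccessDenied = func() *Error {
		return &Error{
			ErrorType:   AccessDenied,
			Description: "The authorization request was denied.",
		}
	}
	ErrExpiredDeviceCode = func() *Error {
		return &Error{
			ErrorType:   ExpiredToken,
			Description: "The \"device_code\" has expired.",
		}
	}
)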
// Errors returned by FindMatchingKey when the key lookup is ambiguous or
// yields nothing. Test for them with errors.Is.
var (
	// ErrKeyMultiple is returned when more than one key matches; refusing to
	// pick one avoids verifying a signature against the wrong key.
	ErrKeyMultiple = errors.New("multiple possible keys match")
	// ErrKeyNone is returned when no key matches the requested id, usage and alg.
	ErrKeyNone = errors.New("no possible keys matches")
)
// Sentinel errors for token parsing and claim verification, presumably
// returned by the Check* functions of the same name (CheckIssuer,
// CheckAudience, CheckNonce, ...). They are plain errors.New values, so
// callers should test them with errors.Is and never by comparing message
// text (the spelling of some messages is preserved as-is).
var (
	ErrParse = errors.New("parsing of request failed")

	// issuer / subject / audience / authorized party checks
	ErrIssuerInvalid  = errors.New("issuer does not match")
	ErrSubjectMissing = errors.New("subject missing")
	ErrAudience       = errors.New("audience is not valid")
	ErrAzpMissing     = errors.New("authorized party is not set. If Token is valid for multiple audiences, azp must not be empty")
	ErrAzpInvalid     = errors.New("authorized party is not valid")

	// signature checks
	ErrSignatureMissing        = errors.New("id_token does not contain a signature")
	ErrSignatureMultiple       = errors.New("id_token contains multiple signatures")
	ErrSignatureUnsupportedAlg = errors.New("signature algorithm not supported")
	ErrSignatureInvalidPayload = errors.New("signature does not match Payload")
	ErrSignatureInvalid        = errors.New("invalid signature")

	// time-based checks (exp, iat)
	ErrExpired     = errors.New("token has expired")
	ErrIatMissing  = errors.New("issuedAt of token is missing")
	ErrIatInFuture = errors.New("issuedAt of token is in the future")
	ErrIatToOld    = errors.New("issuedAt of token is to old")

	// nonce / acr / auth_time / at_hash checks
	ErrNonceInvalid       = errors.New("nonce does not match")
	ErrAcrInvalid         = errors.New("acr is invalid")
	ErrAuthTimeNotPresent = errors.New("claim `auth_time` of token is missing")
	ErrAuthTimeToOld      = errors.New("auth time of token is too old")
	ErrAtHash             = errors.New("at_hash does not correspond to access token")
)
// AllAuthMethods lists every client authentication method this package knows
// about, including AuthMethodNone (no client authentication). An OP that
// advertises this list unchanged in TokenEndpointAuthMethodsSupported thereby
// permits public clients.
var AllAuthMethods = []AuthMethod{
	AuthMethodBasic,
	AuthMethodPost,
	AuthMethodNone,
	AuthMethodPrivateKeyJWT,
}
// AllGrantTypes lists every grant type this package knows about.
//
// Note that ClientAssertionTypeJWTAssertion is an untyped string constant
// describing a client_assertion_type, not a grant_type; it only compiles into
// this []GrantType because the constant is untyped. Code that validates an
// incoming grant_type against this list will therefore also accept that value
// — callers may want to filter it out.
var AllGrantTypes = []GrantType{
	GrantTypeCode,
	GrantTypeRefreshToken,
	GrantTypeClientCredentials,
	GrantTypeBearer,
	GrantTypeTokenExchange,
	GrantTypeImplicit,
	GrantTypeDeviceCode,
	ClientAssertionTypeJWTAssertion,
}
// AllTokenTypes lists every token type identifier this package knows about
// (used e.g. for token exchange and introspection/revocation hints).
var AllTokenTypes = []TokenType{
	AccessTokenType,
	RefreshTokenType,
	IDTokenType,
	JWTTokenType,
}
Functions ¶
func CheckAudience ¶
func CheckAuthorizationContextClassReference ¶
func CheckAuthorizationContextClassReference(claims Claims, acr ACRVerifier) error
func CheckAuthorizedParty ¶
CheckAuthorizedParty checks azp (authorized party) claim requirements.
If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present. If an azp Claim is present, the Client SHOULD verify that its client_id is the Claim Value. https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
func CheckIssuer ¶
func CheckNonce ¶
func CheckSignature ¶
func CheckSubject ¶
func DecryptToken ¶
func FindKey ¶
func FindKey(keyID, use, expectedAlg string, keys ...jose.JSONWebKey) (jose.JSONWebKey, bool)
FindKey searches the given JSON Web Keys for the requested key ID, usage and key type
it will return the key immediately if it matches exactly (id, usage, type)
it will return false if none or multiple match
Deprecated: use FindMatchingKey, which returns a (more specific) error instead of just a bool; the implementation has already been moved to FindMatchingKey.
func FindMatchingKey ¶
func FindMatchingKey(keyID, use, expectedAlg string, keys ...jose.JSONWebKey) (key jose.JSONWebKey, err error)
FindMatchingKey searches the given JSON Web Keys for the requested key ID, usage and alg type
it will return the key immediately if it matches exactly (id, usage, type)
it will return a specific error if none (ErrKeyNone) or multiple (ErrKeyMultiple) match
func GenerateJWTProfileToken ¶
func GenerateJWTProfileToken(assertion *JWTProfileAssertionClaims) (string, error)
func GetKeyIDAndAlg ¶
func GetKeyIDAndAlg(jws *jose.JSONWebSignature) (string, string)
GetKeyIDAndAlg returns the `kid` and `alg` claim from the JWS header
func JWTProfileCustomClaim ¶
func JWTProfileCustomClaim(key string, value any) func(*JWTProfileAssertionClaims)
func JWTProfileDelegatedSubject ¶
func JWTProfileDelegatedSubject(sub string) func(*JWTProfileAssertionClaims)
func NewEncoder ¶
NewEncoder returns a schema Encoder with a registered encoder for SpaceDelimitedArray.
func NewJWTProfileAssertionStringFromFileData ¶
func NewJWTProfileAssertionStringFromFileData(data []byte, audience []string, opts ...AssertionOption) (string, error)
func NewSHACodeChallenge ¶
func VerifyCodeChallenge ¶
func VerifyCodeChallenge(c *CodeChallenge, codeVerifier string) bool
Types ¶
type ACRVerifier ¶
ACRVerifier specifies the function to be used by the `DefaultVerifier` for validating the acr claim
func DefaultACRVerifier ¶
func DefaultACRVerifier(possibleValues []string) ACRVerifier
DefaultACRVerifier implements `ACRVerifier` returning an error if none of the provided values matches the acr claim
type AccessTokenClaims ¶
// AccessTokenClaims are the claims of an access token issued as a JWT. It
// embeds the standard TokenClaims and adds the granted scopes.
type AccessTokenClaims struct {
	TokenClaims
	// Scopes is serialized as the space-delimited `scope` claim.
	Scopes SpaceDelimitedArray `json:"scope,omitempty"`
	// Claims holds additional, non-standard claims. It is tagged `json:"-"`,
	// so the default encoder ignores it; presumably the type's own
	// MarshalJSON / UnmarshalJSON merge it into the token payload — verify
	// against those methods.
	Claims map[string]any `json:"-"`
}
func NewAccessTokenClaims ¶
func (*AccessTokenClaims) MarshalJSON ¶
func (a *AccessTokenClaims) MarshalJSON() ([]byte, error)
func (*AccessTokenClaims) UnmarshalJSON ¶
func (a *AccessTokenClaims) UnmarshalJSON(data []byte) error
type AccessTokenRequest ¶
// AccessTokenRequest is the token request of the Authorization Code Flow.
// It carries only `schema` tags, i.e. it is decoded from URL-encoded form
// parameters, not from JSON. ClientSecret, ClientAssertion and CodeVerifier
// are credentials and should not be logged.
type AccessTokenRequest struct {
	Code                string `schema:"code"`
	RedirectURI         string `schema:"redirect_uri"`
	ClientID            string `schema:"client_id"`
	ClientSecret        string `schema:"client_secret"`
	// CodeVerifier is the PKCE verifier matched against the code_challenge
	// of the authorization request (see VerifyCodeChallenge).
	CodeVerifier        string `schema:"code_verifier"`
	// ClientAssertion / ClientAssertionType carry a JWT used for
	// private_key_jwt client authentication instead of a client secret.
	ClientAssertion     string `schema:"client_assertion"`
	ClientAssertionType string `schema:"client_assertion_type"`
}
func (*AccessTokenRequest) GrantType ¶
func (a *AccessTokenRequest) GrantType() GrantType
func (*AccessTokenRequest) SetClientID ¶
func (a *AccessTokenRequest) SetClientID(clientID string)
SetClientID implements op.AuthenticatedTokenRequest
func (*AccessTokenRequest) SetClientSecret ¶
func (a *AccessTokenRequest) SetClientSecret(clientSecret string)
SetClientSecret implements op.AuthenticatedTokenRequest
type AccessTokenResponse ¶
// AccessTokenResponse is the successful response of the token endpoint.
// Every field is omitempty for both json and schema, so fields that do not
// apply to a given grant (e.g. IDToken, RefreshToken) are simply left out.
type AccessTokenResponse struct {
	AccessToken  string `json:"access_token,omitempty" schema:"access_token,omitempty"`
	// TokenType is normally BearerToken.
	TokenType    string `json:"token_type,omitempty" schema:"token_type,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty" schema:"refresh_token,omitempty"`
	// ExpiresIn is the access token lifetime in seconds.
	ExpiresIn    uint64 `json:"expires_in,omitempty" schema:"expires_in,omitempty"`
	IDToken      string `json:"id_token,omitempty" schema:"id_token,omitempty"`
	State        string `json:"state,omitempty" schema:"state,omitempty"`
}
type AssertionOption ¶
// AssertionOption is a functional option applied to a JWTProfileAssertionClaims
// by the NewJWTProfileAssertion* constructors (see JWTProfileCustomClaim and
// JWTProfileDelegatedSubject for the provided options).
type AssertionOption func(*JWTProfileAssertionClaims)
type AuthMethod ¶
// AuthMethod is a client authentication method identifier as used in the
// token_endpoint_auth_method client metadata and the *_auth_methods_supported
// discovery fields.
type AuthMethod string

const (
	// AuthMethodBasic: client_id and client_secret in an HTTP Basic Authorization header.
	AuthMethodBasic AuthMethod = "client_secret_basic"
	// AuthMethodPost: client_id and client_secret in the request body.
	AuthMethodPost AuthMethod = "client_secret_post"
	// AuthMethodNone: the client does not authenticate (public client).
	AuthMethodNone AuthMethod = "none"
	// AuthMethodPrivateKeyJWT: the client authenticates with a JWT it signed
	// with its private key (client_assertion).
	AuthMethodPrivateKeyJWT AuthMethod = "private_key_jwt"
)
type AuthRequest ¶
// AuthRequest according to: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
//
// Fields carry both json and schema tags, so the request can be decoded from
// JSON as well as from URL-encoded query/form parameters; RequestParam has a
// schema tag only.
type AuthRequest struct {
	Scopes       SpaceDelimitedArray `json:"scope" schema:"scope"`
	ResponseType ResponseType        `json:"response_type" schema:"response_type"`
	ClientID     string              `json:"client_id" schema:"client_id"`
	RedirectURI  string              `json:"redirect_uri" schema:"redirect_uri"`
	// State is opaque client data echoed back in the response (see GetState).
	State        string              `json:"state" schema:"state"`
	// Nonce is bound into the ID Token and later checked by CheckNonce.
	Nonce        string              `json:"nonce" schema:"nonce"`
	ResponseMode ResponseMode        `json:"response_mode" schema:"response_mode"`
	Display      Display             `json:"display" schema:"display"`
	Prompt       SpaceDelimitedArray `json:"prompt" schema:"prompt"`
	// MaxAge is a pointer so that an absent parameter (nil) can be told apart
	// from an explicit max_age=0.
	MaxAge       *uint               `json:"max_age" schema:"max_age"`
	UILocales    Locales             `json:"ui_locales" schema:"ui_locales"`
	IDTokenHint  string              `json:"id_token_hint" schema:"id_token_hint"`
	LoginHint    string              `json:"login_hint" schema:"login_hint"`
	ACRValues    SpaceDelimitedArray `json:"acr_values" schema:"acr_values"`
	// CodeChallenge / CodeChallengeMethod are the PKCE parameters matched
	// against the code_verifier of the later token request.
	CodeChallenge       string              `json:"code_challenge" schema:"code_challenge"`
	CodeChallengeMethod CodeChallengeMethod `json:"code_challenge_method" schema:"code_challenge_method"`

	// RequestParam enables OIDC requests to be passed in a single, self-contained parameter (as JWT, called Request Object)
	RequestParam string `schema:"request"`
}
AuthRequest according to: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
func (*AuthRequest) GetRedirectURI ¶
func (a *AuthRequest) GetRedirectURI() string
GetRedirectURI returns the redirect_uri value for the ErrAuthRequest interface
func (*AuthRequest) GetResponseMode ¶
func (a *AuthRequest) GetResponseMode() ResponseMode
GetResponseMode returns the optional ResponseMode
func (*AuthRequest) GetResponseType ¶
func (a *AuthRequest) GetResponseType() ResponseType
GetResponseType returns the response_type value for the ErrAuthRequest interface
func (*AuthRequest) GetState ¶
func (a *AuthRequest) GetState() string
GetState returns the optional state value for the ErrAuthRequest interface
func (*AuthRequest) LogValue ¶
func (a *AuthRequest) LogValue() slog.Value
type ClaimsSignature ¶
// ClaimsSignature is implemented by claim types that can record the
// signature algorithm a token was verified with; CheckSignature takes it
// as an argument, presumably to store the algorithm of the validated JWS.
type ClaimsSignature interface {
	SetSignatureAlgorithm(algorithm jose.SignatureAlgorithm)
}
type ClientAssertionParams ¶
type ClientCredentialsRequest ¶
// ClientCredentialsRequest is the token request of the Client Credentials
// grant. It is decoded from form parameters (schema tags only). The client
// authenticates either with ClientSecret or with a ClientAssertion JWT;
// both are credentials and should not be logged.
type ClientCredentialsRequest struct {
	GrantType           GrantType           `schema:"grant_type,omitempty"`
	Scope               SpaceDelimitedArray `schema:"scope"`
	ClientID            string              `schema:"client_id"`
	ClientSecret        string              `schema:"client_secret"`
	ClientAssertion     string              `schema:"client_assertion"`
	ClientAssertionType string              `schema:"client_assertion_type"`
}
type CodeChallenge ¶
// CodeChallenge is the PKCE challenge stored with an authorization request
// and later verified against the token request's code_verifier by
// VerifyCodeChallenge.
type CodeChallenge struct {
	Challenge string
	Method    CodeChallengeMethod
}
type CodeChallengeMethod ¶
// CodeChallengeMethod identifies how a PKCE code_challenge was derived from
// the code_verifier (RFC 7636).
type CodeChallengeMethod string

const (
	// CodeChallengeMethodPlain uses the verifier itself as the challenge; it
	// offers no protection against an attacker who can observe the
	// authorization request, so S256 should be preferred.
	CodeChallengeMethodPlain CodeChallengeMethod = "plain"
	// CodeChallengeMethodS256 uses the base64url-encoded SHA-256 of the
	// verifier (see NewSHACodeChallenge).
	CodeChallengeMethodS256 CodeChallengeMethod = "S256"
)
type DeviceAccessTokenRequest ¶
// DeviceAccessTokenRequest implements https://www.rfc-editor.org/rfc/rfc8628#section-3.4, Device Access Token Request.
// It is the polling request the device sends to the token endpoint with the
// device_code obtained from the DeviceAuthorizationResponse.
type DeviceAccessTokenRequest struct {
	GrantType  GrantType `json:"grant_type" schema:"grant_type"`
	DeviceCode string    `json:"device_code" schema:"device_code"`
}
DeviceAccessTokenRequest implements https://www.rfc-editor.org/rfc/rfc8628#section-3.4, Device Access Token Request.
type DeviceAuthorizationRequest ¶
// DeviceAuthorizationRequest implements https://www.rfc-editor.org/rfc/rfc8628#section-3.1, 3.1 Device Authorization Request.
// Decoded from form parameters (schema tags only).
type DeviceAuthorizationRequest struct {
	Scopes   SpaceDelimitedArray `schema:"scope"`
	ClientID string              `schema:"client_id"`
}
DeviceAuthorizationRequest implements https://www.rfc-editor.org/rfc/rfc8628#section-3.1, 3.1 Device Authorization Request.
type DeviceAuthorizationResponse ¶
// DeviceAuthorizationResponse implements https://www.rfc-editor.org/rfc/rfc8628#section-3.2 3.2. Device Authorization Response.
type DeviceAuthorizationResponse struct {
	// DeviceCode is the secret the device polls the token endpoint with; it
	// must never be shown to the user.
	DeviceCode string `json:"device_code"`
	// UserCode is the short code the end-user enters at VerificationURI.
	UserCode string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	// VerificationURIComplete optionally embeds the user code in the URI.
	VerificationURIComplete string `json:"verification_uri_complete,omitempty"`
	// ExpiresIn is the lifetime of device_code and user_code in seconds.
	ExpiresIn int `json:"expires_in"`
	// Interval is the minimum polling interval in seconds; omitted when zero.
	Interval int `json:"interval,omitempty"`
}
DeviceAuthorizationResponse implements https://www.rfc-editor.org/rfc/rfc8628#section-3.2 3.2. Device Authorization Response.
type DiscoveryConfiguration ¶
// DiscoveryConfiguration is the OpenID Provider metadata document served at
// DiscoveryEndpoint. Relying parties derive endpoint URLs, the JWKS location
// and supported algorithms from it, so it must only ever be fetched over a
// trusted (TLS) channel.
type DiscoveryConfiguration struct {
	// Issuer is the identifier of the OP and is used in the tokens as `iss` claim.
	Issuer string `json:"issuer,omitempty"`

	// AuthorizationEndpoint is the URL of the OAuth 2.0 Authorization Endpoint where all user interactive login start
	AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`

	// TokenEndpoint is the URL of the OAuth 2.0 Token Endpoint where all tokens are issued, except when using Implicit Flow
	TokenEndpoint string `json:"token_endpoint,omitempty"`

	// IntrospectionEndpoint is the URL of the OAuth 2.0 Introspection Endpoint.
	IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`

	// UserinfoEndpoint is the URL where an access_token can be used to retrieve the Userinfo.
	UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"`

	// RevocationEndpoint is the URL of the OAuth 2.0 Revocation Endpoint.
	RevocationEndpoint string `json:"revocation_endpoint,omitempty"`

	// EndSessionEndpoint is a URL where the RP can perform a redirect to request that the End-User be logged out at the OP.
	EndSessionEndpoint string `json:"end_session_endpoint,omitempty"`

	// DeviceAuthorizationEndpoint is the URL of the Device Authorization Endpoint (RFC 8628).
	DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint,omitempty"`

	// CheckSessionIframe is a URL where the OP provides an iframe that support cross-origin communications for session state information with the RP Client.
	CheckSessionIframe string `json:"check_session_iframe,omitempty"`

	// JwksURI is the URL of the JSON Web Key Set. This site contains the signing keys that RPs can use to validate the signature.
	// It may also contain the OP's encryption keys that RPs can use to encrypt request to the OP.
	JwksURI string `json:"jwks_uri,omitempty"`

	// RegistrationEndpoint is the URL for the Dynamic Client Registration.
	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`

	// ScopesSupported lists an array of supported scopes. This list must not include every supported scope by the OP.
	ScopesSupported []string `json:"scopes_supported,omitempty"`

	// ResponseTypesSupported contains a list of the OAuth 2.0 response_type values that the OP supports (code, id_token, token id_token, ...).
	ResponseTypesSupported []string `json:"response_types_supported,omitempty"`

	// ResponseModesSupported contains a list of the OAuth 2.0 response_mode values that the OP supports. If omitted, the default value is ["query", "fragment"].
	ResponseModesSupported []string `json:"response_modes_supported,omitempty"`

	// GrantTypesSupported contains a list of the OAuth 2.0 grant_type values that the OP supports. If omitted, the default value is ["authorization_code", "implicit"].
	GrantTypesSupported []GrantType `json:"grant_types_supported,omitempty"`

	// ACRValuesSupported contains a list of Authentication Context Class References that the OP supports.
	ACRValuesSupported []string `json:"acr_values_supported,omitempty"`

	// SubjectTypesSupported contains a list of Subject Identifier types that the OP supports (pairwise, public).
	SubjectTypesSupported []string `json:"subject_types_supported,omitempty"`

	// IDTokenSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for the ID Token.
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`

	// IDTokenEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for the ID Token.
	IDTokenEncryptionAlgValuesSupported []string `json:"id_token_encryption_alg_values_supported,omitempty"`

	// IDTokenEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for the ID Token.
	IDTokenEncryptionEncValuesSupported []string `json:"id_token_encryption_enc_values_supported,omitempty"`

	// UserinfoSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for UserInfo Endpoint.
	UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported,omitempty"`

	// UserinfoEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for the UserInfo Endpoint.
	UserinfoEncryptionAlgValuesSupported []string `json:"userinfo_encryption_alg_values_supported,omitempty"`

	// UserinfoEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for the UserInfo Endpoint.
	UserinfoEncryptionEncValuesSupported []string `json:"userinfo_encryption_enc_values_supported,omitempty"`

	// RequestObjectSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for Request Objects.
	// These algorithms are used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter).
	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`

	// RequestObjectEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for Request Objects.
	// These algorithms are used both when the Request Object is passed by value and by reference.
	RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported,omitempty"`

	// RequestObjectEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for Request Objects.
	// These algorithms are used both when the Request Object is passed by value and by reference.
	RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported,omitempty"`

	// TokenEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Token Endpoint. If omitted, the default is client_secret_basic.
	TokenEndpointAuthMethodsSupported []AuthMethod `json:"token_endpoint_auth_methods_supported,omitempty"`

	// TokenEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Token Endpoint
	// for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt.
	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`

	// RevocationEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Revocation Endpoint. If omitted, the default is client_secret_basic.
	RevocationEndpointAuthMethodsSupported []AuthMethod `json:"revocation_endpoint_auth_methods_supported,omitempty"`

	// RevocationEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Revocation Endpoint
	// for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt.
	RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`

	// IntrospectionEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Introspection Endpoint.
	IntrospectionEndpointAuthMethodsSupported []AuthMethod `json:"introspection_endpoint_auth_methods_supported,omitempty"`

	// IntrospectionEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Introspection Endpoint
	// for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt.
	IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`

	// DisplayValuesSupported contains a list of display parameter values that the OP supports (page, popup, touch, wap).
	DisplayValuesSupported []Display `json:"display_values_supported,omitempty"`

	// ClaimTypesSupported contains a list of Claim Types that the OP supports (normal, aggregated, distributed). If omitted, the default is normal Claims.
	ClaimTypesSupported []string `json:"claim_types_supported,omitempty"`

	// ClaimsSupported contains a list of Claim Names the OP may be able to supply values for. This list might not be exhaustive.
	ClaimsSupported []string `json:"claims_supported,omitempty"`

	// ClaimsParameterSupported specifies whether the OP supports use of the `claims` parameter. If omitted, the default is false.
	ClaimsParameterSupported bool `json:"claims_parameter_supported,omitempty"`

	// CodeChallengeMethodsSupported contains a list of Proof Key for Code Exchange (PKCE) code challenge methods supported by the OP.
	CodeChallengeMethodsSupported []CodeChallengeMethod `json:"code_challenge_methods_supported,omitempty"`

	// ServiceDocumentation is a URL where developers can get information about the OP and its usage.
	ServiceDocumentation string `json:"service_documentation,omitempty"`

	// ClaimsLocalesSupported contains a list of BCP47 language tag values that the OP supports for values of Claims returned.
	ClaimsLocalesSupported Locales `json:"claims_locales_supported,omitempty"`

	// UILocalesSupported contains a list of BCP47 language tag values that the OP supports for the user interface.
	UILocalesSupported Locales `json:"ui_locales_supported,omitempty"`

	// RequestParameterSupported specifies whether the OP supports use of the `request` parameter. If omitted, the default value is false.
	RequestParameterSupported bool `json:"request_parameter_supported,omitempty"`

	// RequestURIParameterSupported specifies whether the OP supports use of the `request_uri` parameter. If omitted, the default value is true.
	// (therefore no omitempty — a false value must be serialized explicitly, otherwise RPs would assume support)
	RequestURIParameterSupported bool `json:"request_uri_parameter_supported"`

	// RequireRequestURIRegistration specifies whether the OP requires any `request_uri` to be pre-registered using the request_uris registration parameter. If omitted, the default value is false.
	RequireRequestURIRegistration bool `json:"require_request_uri_registration,omitempty"`

	// OPPolicyURI is a URL the OP provides to the person registering the Client to read about the OP's requirements on how the RP can use the data provided by the OP.
	OPPolicyURI string `json:"op_policy_uri,omitempty"`

	// OPTermsOfServiceURI is a URL the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service.
	OPTermsOfServiceURI string `json:"op_tos_uri,omitempty"`
}
type EndSessionRequest ¶
// EndSessionRequest for the RP-Initiated Logout according to: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
// Decoded from form/query parameters (schema tags only).
type EndSessionRequest struct {
	// IdTokenHint is the previously issued ID Token identifying the session to end.
	IdTokenHint string `schema:"id_token_hint"`
	ClientID    string `schema:"client_id"`
	// PostLogoutRedirectURI is where the OP redirects after logout; the OP
	// is expected to validate it against the client's registered URIs before
	// redirecting.
	PostLogoutRedirectURI string `schema:"post_logout_redirect_uri"`
	State                 string `schema:"state"`
}
EndSessionRequest for the RP-Initiated Logout according to: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
type Error ¶
// Error is the OAuth 2.0 / OpenID Connect error representation. It carries
// both `json` tags (error response body) and `schema` tags (form / query
// encoding).
type Error struct {
	// Parent is the wrapped underlying error. It is tagged `json:"-" schema:"-"`,
	// so it is never serialized to the client; only ErrorType, Description and
	// State leave the server.
	Parent error `json:"-" schema:"-"`
	// ErrorType is the `error` code.
	ErrorType errorType `json:"error" schema:"error"`
	// Description is the optional `error_description`.
	Description string `json:"error_description,omitempty" schema:"error_description,omitempty"`
	// State is the optional `state` value.
	State string `json:"state,omitempty" schema:"state,omitempty"`
	// contains filtered or unexported fields
}
func DefaultToServerError ¶
DefaultToServerError checks whether the error is an Error; if not, the provided error is wrapped into a ServerError.
func (*Error) IsRedirectDisabled ¶
func (*Error) WithParent ¶
type GrantType ¶
// GrantType is the OAuth 2.0 `grant_type` value of a token request.
// The known values are defined as constants below.
type GrantType string
const (
	// GrantTypeCode defines the grant_type `authorization_code` used for the Token Request in the Authorization Code Flow
	GrantTypeCode GrantType = "authorization_code"

	// GrantTypeRefreshToken defines the grant_type `refresh_token` used for the Token Request in the Refresh Token Flow
	GrantTypeRefreshToken GrantType = "refresh_token"

	// GrantTypeClientCredentials defines the grant_type `client_credentials` used for the Token Request in the Client Credentials Token Flow
	GrantTypeClientCredentials GrantType = "client_credentials"

	// GrantTypeBearer defines the grant_type `urn:ietf:params:oauth:grant-type:jwt-bearer` used for the JWT Authorization Grant
	GrantTypeBearer GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"

	// GrantTypeTokenExchange defines the grant_type `urn:ietf:params:oauth:grant-type:token-exchange` used for the OAuth Token Exchange Grant
	GrantTypeTokenExchange GrantType = "urn:ietf:params:oauth:grant-type:token-exchange"

	// GrantTypeImplicit defines the grant type `implicit` used for implicit flows that skip the generation and exchange of an Authorization Code
	GrantTypeImplicit GrantType = "implicit"

	// GrantTypeDeviceCode defines the grant_type `urn:ietf:params:oauth:grant-type:device_code` used for the Token Request in the Device Authorization Grant
	GrantTypeDeviceCode GrantType = "urn:ietf:params:oauth:grant-type:device_code"

	// ClientAssertionTypeJWTAssertion defines the client_assertion_type `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`
	// used for the OAuth JWT Profile Client Authentication.
	// It is an untyped string constant rather than a GrantType: it is a value of the
	// `client_assertion_type` request parameter, not of `grant_type`.
	ClientAssertionTypeJWTAssertion = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
)
type IDClaims ¶
// IDClaims are the claims of an ID token. It extends Claims with the
// signature algorithm recorded for the token and the `at_hash` claim.
type IDClaims interface {
	Claims
	// GetSignatureAlgorithm returns the signature algorithm recorded for the
	// token (see TokenClaims.SignatureAlg).
	GetSignatureAlgorithm() jose.SignatureAlgorithm
	// GetAccessTokenHash returns the `at_hash` claim.
	GetAccessTokenHash() string
}
type IDTokenClaims ¶
// IDTokenClaims extends TokenClaims by further implementing OpenID Connect Core 1.0,
// sections 3.1.3.6 (Code flow), 3.2.2.10 (implicit), 3.3.2.11 (Hybrid) and 5.1 (UserInfo).
// https://openid.net/specs/openid-connect-core-1_0.html#toc
type IDTokenClaims struct {
	TokenClaims
	// NotBefore is the `nbf` claim.
	NotBefore Time `json:"nbf,omitempty"`
	// AccessTokenHash is the `at_hash` claim.
	AccessTokenHash string `json:"at_hash,omitempty"`
	// CodeHash is the `c_hash` claim.
	CodeHash string `json:"c_hash,omitempty"`
	// SessionID is the `sid` claim.
	SessionID string `json:"sid,omitempty"`
	UserInfoProfile
	UserInfoEmail
	UserInfoPhone
	// Address is the `address` claim; nil when absent.
	Address *UserInfoAddress `json:"address,omitempty"`
	// Claims holds additional claims. It is tagged `json:"-"`, so it is not
	// handled by the default encoder; see MarshalJSON / UnmarshalJSON.
	Claims map[string]any `json:"-"`
}
IDTokenClaims extends TokenClaims by further implementing OpenID Connect Core 1.0, sections 3.1.3.6 (Code flow), 3.2.2.10 (implicit), 3.3.2.11 (Hybrid) and 5.1 (UserInfo). https://openid.net/specs/openid-connect-core-1_0.html#toc
func NewIDTokenClaims ¶
func (*IDTokenClaims) GetAccessTokenHash ¶
func (t *IDTokenClaims) GetAccessTokenHash() string
GetAccessTokenHash implements the IDTokenClaims interface
func (*IDTokenClaims) GetUserInfo ¶
func (t *IDTokenClaims) GetUserInfo() *UserInfo
func (*IDTokenClaims) MarshalJSON ¶
func (i *IDTokenClaims) MarshalJSON() ([]byte, error)
func (*IDTokenClaims) SetUserInfo ¶
func (t *IDTokenClaims) SetUserInfo(i *UserInfo)
func (*IDTokenClaims) UnmarshalJSON ¶
func (i *IDTokenClaims) UnmarshalJSON(data []byte) error
type IntrospectionRequest ¶
// IntrospectionRequest is the request to the token introspection endpoint.
type IntrospectionRequest struct {
	// Token is the `token` form parameter to be introspected.
	Token string `schema:"token"`
}
type IntrospectionResponse ¶
// IntrospectionResponse implements RFC 7662, section 2.2 and OpenID Connect Core 1.0,
// section 5.1 (UserInfo).
// https://www.rfc-editor.org/rfc/rfc7662.html#section-2.2.
// https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims.
type IntrospectionResponse struct {
	// Active is always emitted (no omitempty), so an inactive token yields
	// an explicit `"active": false`.
	Active bool `json:"active"`
	// Scope is the `scope` of the token.
	Scope SpaceDelimitedArray `json:"scope,omitempty"`
	// ClientID is the `client_id` the token was issued to.
	ClientID string `json:"client_id,omitempty"`
	// TokenType is the `token_type`.
	TokenType string `json:"token_type,omitempty"`
	// Expiration is the `exp` claim.
	Expiration Time `json:"exp,omitempty"`
	// IssuedAt is the `iat` claim.
	IssuedAt Time `json:"iat,omitempty"`
	// NotBefore is the `nbf` claim.
	NotBefore Time `json:"nbf,omitempty"`
	// Subject is the `sub` claim.
	Subject string `json:"sub,omitempty"`
	// Audience is the `aud` claim.
	Audience Audience `json:"aud,omitempty"`
	// Issuer is the `iss` claim.
	Issuer string `json:"iss,omitempty"`
	// JWTID is the `jti` claim.
	JWTID string `json:"jti,omitempty"`
	// Username is the `username` of the resource owner.
	Username string `json:"username,omitempty"`
	UserInfoProfile
	UserInfoEmail
	UserInfoPhone
	// Address is the `address` claim; nil when absent (use GetAddress).
	Address *UserInfoAddress `json:"address,omitempty"`
	// Claims holds additional claims. It is tagged `json:"-"`, so it is not
	// handled by the default encoder; see MarshalJSON / UnmarshalJSON.
	Claims map[string]any `json:"-"`
}
IntrospectionResponse implements RFC 7662, section 2.2 and OpenID Connect Core 1.0, section 5.1 (UserInfo). https://www.rfc-editor.org/rfc/rfc7662.html#section-2.2. https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims.
func (*IntrospectionResponse) GetAddress ¶
func (i *IntrospectionResponse) GetAddress() *UserInfoAddress
GetAddress is a safe getter that takes care of a possible nil value.
func (*IntrospectionResponse) MarshalJSON ¶
func (i *IntrospectionResponse) MarshalJSON() ([]byte, error)
func (*IntrospectionResponse) SetUserInfo ¶
func (i *IntrospectionResponse) SetUserInfo(u *UserInfo)
SetUserInfo copies all relevant fields from UserInfo into the IntrospectionResponse.
func (*IntrospectionResponse) UnmarshalJSON ¶
func (i *IntrospectionResponse) UnmarshalJSON(data []byte) error
type JWTProfileAssertionClaims ¶
// JWTProfileAssertionClaims are the claims of a JWT Profile assertion together
// with the key material used to sign it.
type JWTProfileAssertionClaims struct {
	// PrivateKeyID identifies the signing key. It is tagged `json:"-"` and is
	// therefore not part of the serialized assertion.
	PrivateKeyID string `json:"-"`
	// PrivateKey is the raw signing key. It is tagged `json:"-"` and so never
	// leaves the process through the JSON encoder; callers should take care
	// not to expose it through logging or other serialization paths either.
	PrivateKey []byte `json:"-"`
	// Issuer is the `iss` claim.
	Issuer string `json:"iss"`
	// Subject is the `sub` claim.
	Subject string `json:"sub"`
	// Audience is the `aud` claim.
	Audience Audience `json:"aud"`
	// Expiration is the `exp` claim.
	Expiration Time `json:"exp"`
	// IssuedAt is the `iat` claim.
	IssuedAt Time `json:"iat"`
	// Claims holds additional claims. It is tagged `json:"-"`; see
	// MarshalJSON / UnmarshalJSON for how it is handled.
	Claims map[string]any `json:"-"`
}
func NewJWTProfileAssertion ¶
func NewJWTProfileAssertion(userID, keyID string, audience []string, key []byte, opts ...AssertionOption) *JWTProfileAssertionClaims
func NewJWTProfileAssertionFromFileData ¶
func NewJWTProfileAssertionFromFileData(data []byte, audience []string, opts ...AssertionOption) (*JWTProfileAssertionClaims, error)
func NewJWTProfileAssertionFromKeyJSON ¶
func NewJWTProfileAssertionFromKeyJSON(filename string, audience []string, opts ...AssertionOption) (*JWTProfileAssertionClaims, error)
func (*JWTProfileAssertionClaims) MarshalJSON ¶
func (j *JWTProfileAssertionClaims) MarshalJSON() ([]byte, error)
func (*JWTProfileAssertionClaims) UnmarshalJSON ¶
func (j *JWTProfileAssertionClaims) UnmarshalJSON(data []byte) error
type JWTProfileGrantRequest ¶
// JWTProfileGrantRequest is the token request for the JWT Profile grant
// (GrantTypeBearer). Fields are encoded as form values via `schema` tags.
type JWTProfileGrantRequest struct {
	// Assertion is the signed JWT sent as the `assertion` parameter.
	Assertion string `schema:"assertion"`
	// Scope is the requested `scope`.
	Scope SpaceDelimitedArray `schema:"scope"`
	// GrantType is the `grant_type` parameter.
	GrantType GrantType `schema:"grant_type"`
}
func NewJWTProfileGrantRequest ¶
func NewJWTProfileGrantRequest(assertion string, scopes ...string) *JWTProfileGrantRequest
NewJWTProfileGrantRequest creates an OAuth 2.0 JSON Web Token (JWT) Profile grant (`urn:ietf:params:oauth:grant-type:jwt-bearer`), sending a self-signed JWT as the assertion.
type JWTTokenRequest ¶
// JWTTokenRequest holds the claims of a JWT used as a token request.
// It implements the Claims and TokenRequest interfaces (see its methods).
type JWTTokenRequest struct {
	// Issuer is the `iss` claim.
	Issuer string `json:"iss"`
	// Subject is the `sub` claim.
	Subject string `json:"sub"`
	// Scopes is tagged `json:"-"` and is therefore not part of the default
	// JSON encoding; see MarshalJSON / UnmarshalJSON.
	Scopes SpaceDelimitedArray `json:"-"`
	// Audience is the `aud` claim.
	Audience Audience `json:"aud"`
	// IssuedAt is the `iat` claim.
	IssuedAt Time `json:"iat"`
	// ExpiresAt is the `exp` claim.
	ExpiresAt Time `json:"exp"`
	// contains filtered or unexported fields
}
func (*JWTTokenRequest) GetAudience ¶
func (j *JWTTokenRequest) GetAudience() []string
GetAudience implements the Claims and TokenRequest interfaces
func (*JWTTokenRequest) GetAuthTime ¶
func (j *JWTTokenRequest) GetAuthTime() time.Time
GetAuthTime implements the Claims interface
func (*JWTTokenRequest) GetAuthenticationContextClassReference ¶
func (j *JWTTokenRequest) GetAuthenticationContextClassReference() string
GetAuthenticationContextClassReference implements the Claims interface
func (*JWTTokenRequest) GetAuthorizedParty ¶
func (j *JWTTokenRequest) GetAuthorizedParty() string
GetAuthorizedParty implements the Claims interface
func (*JWTTokenRequest) GetCustomClaim ¶
func (j *JWTTokenRequest) GetCustomClaim(key string) any
func (*JWTTokenRequest) GetExpiration ¶
func (j *JWTTokenRequest) GetExpiration() time.Time
GetExpiration implements the Claims interface
func (*JWTTokenRequest) GetIssuedAt ¶
func (j *JWTTokenRequest) GetIssuedAt() time.Time
GetIssuedAt implements the Claims interface
func (*JWTTokenRequest) GetIssuer ¶
func (j *JWTTokenRequest) GetIssuer() string
GetIssuer implements the Claims interface
func (*JWTTokenRequest) GetNonce ¶
func (j *JWTTokenRequest) GetNonce() string
GetNonce implements the Claims interface
func (*JWTTokenRequest) GetScopes ¶
func (j *JWTTokenRequest) GetScopes() []string
GetScopes implements the TokenRequest interface
func (*JWTTokenRequest) GetSubject ¶
func (j *JWTTokenRequest) GetSubject() string
GetSubject implements the TokenRequest interface
func (*JWTTokenRequest) MarshalJSON ¶
func (j *JWTTokenRequest) MarshalJSON() ([]byte, error)
func (*JWTTokenRequest) SetSignatureAlgorithm ¶
func (j *JWTTokenRequest) SetSignatureAlgorithm(_ jose.SignatureAlgorithm)
SetSignatureAlgorithm implements the Claims interface
func (*JWTTokenRequest) UnmarshalJSON ¶
func (j *JWTTokenRequest) UnmarshalJSON(data []byte) error
type KeySet ¶
// KeySet represents a set of JSON Web Keys:
//   - remotely fetched via discovery and jwks_uri -> `remoteKeySet`
//   - held by the OP itself in storage -> `openIDKeySet`
//   - dynamically aggregated per request for OAuth JWT Profile Assertions -> `jwtProfileKeySet`
type KeySet interface {
	// VerifySignature verifies the signature with the given keyset and returns the raw payload.
	// The payload must only be trusted when err is nil.
	VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error)
}
KeySet represents a set of JSON Web Keys: remotely fetched via discovery and jwks_uri (`remoteKeySet`); held by the OP itself in storage (`openIDKeySet`); dynamically aggregated per request for OAuth JWT Profile Assertions (`jwtProfileKeySet`).
type Locale ¶
// Locale wraps a single language tag. Its JSON form is handled by
// MarshalJSON / UnmarshalJSON; the wrapped tag itself is unexported.
type Locale struct {
	// contains filtered or unexported fields
}
func (*Locale) MarshalJSON ¶
func (*Locale) UnmarshalJSON ¶
UnmarshalJSON implements json.Unmarshaler. When language.ValueError is encountered, the containing tag will be set to an empty value (language "und") and no error will be returned. This state can be checked with the `l.Tag().IsRoot()` method.
type Locales ¶
func ParseLocales ¶
ParseLocales parses a slice of strings into Locales. If an entry causes a parse error or is undefined, it is ignored and not added to the Locales.
func (*Locales) UnmarshalJSON ¶
UnmarshalJSON implements the json.Unmarshaler interface. It decodes a JSON array or a space-separated string into Locales. Undefined language tags in the input are ignored and omitted from the resulting Locales.
func (*Locales) UnmarshalText ¶
UnmarshalText implements the encoding.TextUnmarshaler interface. It decodes an unquoted space-separated string into Locales. Undefined language tags in the input are ignored and omitted from the resulting Locales.
type Prompt ¶
// Prompt is the `prompt` request parameter, a space-delimited list of values.
type Prompt SpaceDelimitedArray
type RefreshTokenRequest ¶
// RefreshTokenRequest is not useful for making refresh requests because the
// grant_type is not included explicitly but rather implied (see GrantType()).
// Fields are decoded from the request form via `schema` tags.
type RefreshTokenRequest struct {
	// RefreshToken is the `refresh_token` parameter.
	RefreshToken string `schema:"refresh_token"`
	// Scopes is the requested `scope`.
	Scopes SpaceDelimitedArray `schema:"scope"`
	// ClientID is the `client_id` parameter.
	ClientID string `schema:"client_id"`
	// ClientSecret is the `client_secret` parameter. Like RefreshToken it is a
	// credential; avoid writing the whole struct to logs.
	ClientSecret string `schema:"client_secret"`
	// ClientAssertion is the `client_assertion` parameter.
	ClientAssertion string `schema:"client_assertion"`
	// ClientAssertionType is the `client_assertion_type` parameter
	// (see ClientAssertionTypeJWTAssertion).
	ClientAssertionType string `schema:"client_assertion_type"`
}
RefreshTokenRequest is not useful for making refresh requests because the grant_type is not included explicitly but rather implied.
func (*RefreshTokenRequest) GrantType ¶
func (a *RefreshTokenRequest) GrantType() GrantType
func (*RefreshTokenRequest) SetClientID ¶
func (a *RefreshTokenRequest) SetClientID(clientID string)
SetClientID implements op.AuthenticatedTokenRequest
func (*RefreshTokenRequest) SetClientSecret ¶
func (a *RefreshTokenRequest) SetClientSecret(clientSecret string)
SetClientSecret implements op.AuthenticatedTokenRequest
type RequestObject ¶
// RequestObject is the signed request object carrying an AuthRequest as JWT claims.
type RequestObject struct {
	// Issuer is the `iss` claim.
	Issuer string `json:"iss"`
	// Audience is the `aud` claim.
	Audience Audience `json:"aud"`
	AuthRequest
}
func (*RequestObject) GetIssuer ¶
func (r *RequestObject) GetIssuer() string
func (*RequestObject) SetSignatureAlgorithm ¶
func (*RequestObject) SetSignatureAlgorithm(algorithm jose.SignatureAlgorithm)
type ResponseMode ¶
// ResponseMode is the `response_mode` request parameter.
type ResponseMode string
type ResponseType ¶
// ResponseType is the `response_type` request parameter.
type ResponseType string
type RevocationRequest ¶
type SpaceDelimitedArray ¶
// SpaceDelimitedArray is a slice of strings whose textual form is a single
// space-delimited string (see MarshalText / UnmarshalText); the JSON form is
// handled by MarshalJSON / UnmarshalJSON.
type SpaceDelimitedArray []string
func (SpaceDelimitedArray) MarshalJSON ¶
func (s SpaceDelimitedArray) MarshalJSON() ([]byte, error)
func (SpaceDelimitedArray) MarshalText ¶
func (s SpaceDelimitedArray) MarshalText() ([]byte, error)
func (*SpaceDelimitedArray) Scan ¶
func (s *SpaceDelimitedArray) Scan(src any) error
func (SpaceDelimitedArray) String ¶
func (s SpaceDelimitedArray) String() string
func (*SpaceDelimitedArray) UnmarshalJSON ¶
func (s *SpaceDelimitedArray) UnmarshalJSON(data []byte) error
func (*SpaceDelimitedArray) UnmarshalText ¶
func (s *SpaceDelimitedArray) UnmarshalText(text []byte) error
type TokenClaims ¶
// TokenClaims contains the base Claims used by all tokens.
// It implements OpenID Connect Core 1.0, section 2.
// https://openid.net/specs/openid-connect-core-1_0.html#IDToken
// and RFC 9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens, section 2.2.
// https://datatracker.ietf.org/doc/html/rfc9068#name-data-structure
//
// TokenClaims implements the Claims interface, and can be used to extend larger
// claim types by embedding.
type TokenClaims struct {
	// Issuer is the `iss` claim.
	Issuer string `json:"iss,omitempty"`
	// Subject is the `sub` claim.
	Subject string `json:"sub,omitempty"`
	// Audience is the `aud` claim.
	Audience Audience `json:"aud,omitempty"`
	// Expiration is the `exp` claim.
	Expiration Time `json:"exp,omitempty"`
	// IssuedAt is the `iat` claim.
	IssuedAt Time `json:"iat,omitempty"`
	// AuthTime is the `auth_time` claim.
	AuthTime Time `json:"auth_time,omitempty"`
	// NotBefore is the `nbf` claim.
	NotBefore Time `json:"nbf,omitempty"`
	// Nonce is the `nonce` claim.
	Nonce string `json:"nonce,omitempty"`
	// AuthenticationContextClassReference is the `acr` claim.
	AuthenticationContextClassReference string `json:"acr,omitempty"`
	// AuthenticationMethodsReferences is the `amr` claim.
	AuthenticationMethodsReferences []string `json:"amr,omitempty"`
	// AuthorizedParty is the `azp` claim.
	AuthorizedParty string `json:"azp,omitempty"`
	// ClientID is the `client_id` claim.
	ClientID string `json:"client_id,omitempty"`
	// JWTID is the `jti` claim.
	JWTID string `json:"jti,omitempty"`

	// Additional information set by this framework

	// SignatureAlg is the signature algorithm recorded for the token. It is
	// tagged `json:"-"`, so it is never taken from the token payload itself
	// (see SetSignatureAlgorithm / GetSignatureAlgorithm).
	SignatureAlg jose.SignatureAlgorithm `json:"-"`
}
TokenClaims contains the base Claims used by all tokens. It implements OpenID Connect Core 1.0, section 2. https://openid.net/specs/openid-connect-core-1_0.html#IDToken and RFC 9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens, section 2.2. https://datatracker.ietf.org/doc/html/rfc9068#name-data-structure
TokenClaims implements the Claims interface, and can be used to extend larger claim types by embedding.
func (*TokenClaims) GetAudience ¶
func (c *TokenClaims) GetAudience() []string
func (*TokenClaims) GetAuthTime ¶
func (c *TokenClaims) GetAuthTime() time.Time
func (*TokenClaims) GetAuthenticationContextClassReference ¶
func (c *TokenClaims) GetAuthenticationContextClassReference() string
func (*TokenClaims) GetAuthorizedParty ¶
func (c *TokenClaims) GetAuthorizedParty() string
func (*TokenClaims) GetExpiration ¶
func (c *TokenClaims) GetExpiration() time.Time
func (*TokenClaims) GetIssuedAt ¶
func (c *TokenClaims) GetIssuedAt() time.Time
func (*TokenClaims) GetIssuer ¶
func (c *TokenClaims) GetIssuer() string
func (*TokenClaims) GetNonce ¶
func (c *TokenClaims) GetNonce() string
func (*TokenClaims) GetSignatureAlgorithm ¶
func (c *TokenClaims) GetSignatureAlgorithm() jose.SignatureAlgorithm
func (*TokenClaims) GetSubject ¶
func (c *TokenClaims) GetSubject() string
func (*TokenClaims) SetSignatureAlgorithm ¶
func (c *TokenClaims) SetSignatureAlgorithm(algorithm jose.SignatureAlgorithm)
type TokenExchangeRequest ¶
// TokenExchangeRequest is the token request of the Token Exchange grant
// (GrantTypeTokenExchange). Fields are decoded from the request form via `schema` tags.
type TokenExchangeRequest struct {
	// GrantType is the `grant_type` parameter.
	GrantType GrantType `schema:"grant_type"`
	// SubjectToken is the `subject_token` parameter.
	SubjectToken string `schema:"subject_token"`
	// SubjectTokenType is the `subject_token_type` parameter.
	SubjectTokenType TokenType `schema:"subject_token_type"`
	// ActorToken is the optional `actor_token` parameter.
	ActorToken string `schema:"actor_token"`
	// ActorTokenType is the `actor_token_type` parameter.
	ActorTokenType TokenType `schema:"actor_token_type"`
	// Resource is the `resource` parameter (may repeat).
	Resource []string `schema:"resource"`
	// Audience is the `audience` parameter.
	Audience Audience `schema:"audience"`
	// Scopes is the requested `scope`.
	Scopes SpaceDelimitedArray `schema:"scope"`
	// RequestedTokenType is the `requested_token_type` parameter.
	RequestedTokenType TokenType `schema:"requested_token_type"`
}
type TokenExchangeResponse ¶
// TokenExchangeResponse is the token response of the Token Exchange grant.
type TokenExchangeResponse struct {
	// AccessToken is the issued token. Can be access token or ID token;
	// IssuedTokenType tells which.
	AccessToken string `json:"access_token"`
	// IssuedTokenType is the `issued_token_type` of AccessToken.
	IssuedTokenType TokenType `json:"issued_token_type"`
	// TokenType is the `token_type`.
	TokenType string `json:"token_type"`
	// ExpiresIn is the `expires_in` lifetime; omitted when zero.
	ExpiresIn uint64 `json:"expires_in,omitempty"`
	// Scopes is the granted `scope`.
	Scopes SpaceDelimitedArray `json:"scope,omitempty"`
	// RefreshToken is the optional `refresh_token`.
	RefreshToken string `json:"refresh_token,omitempty"`
}
type TokenRequest ¶
// TokenRequest is implemented by every token request type; it exposes the
// grant type the request is made for.
type TokenRequest interface {
	// GrantType GrantType `schema:"grant_type"`

	// GrantType returns the `grant_type` of the request.
	GrantType() GrantType
}
type TokenRequestType ¶
// TokenRequestType is a GrantType used to distinguish token request kinds.
type TokenRequestType GrantType
type UserInfo ¶
// UserInfo implements OpenID Connect Core 1.0, section 5.1.
// https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims.
type UserInfo struct {
	// Subject is the `sub` claim.
	Subject string `json:"sub,omitempty"`
	UserInfoProfile
	UserInfoEmail
	UserInfoPhone
	// Address is the `address` claim; nil when absent (use GetAddress).
	Address *UserInfoAddress `json:"address,omitempty"`
	// Claims holds additional claims. It is tagged `json:"-"`, so it is not
	// handled by the default encoder; see MarshalJSON / UnmarshalJSON.
	Claims map[string]any `json:"-"`
}
UserInfo implements OpenID Connect Core 1.0, section 5.1. https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims.
func (*UserInfo) AppendClaims ¶
func (*UserInfo) GetAddress ¶
func (u *UserInfo) GetAddress() *UserInfoAddress
GetAddress is a safe getter that takes care of a possible nil value.
func (*UserInfo) GetSubject ¶
GetSubject implements [rp.SubjectGetter]
func (*UserInfo) MarshalJSON ¶
func (*UserInfo) UnmarshalJSON ¶
type UserInfoAddress ¶
// UserInfoAddress is the `address` claim (OpenID Connect Core 1.0, section 5.1.1).
type UserInfoAddress struct {
	// Formatted is the full mailing address, formatted for display.
	Formatted string `json:"formatted,omitempty"`
	// StreetAddress is the `street_address` component.
	StreetAddress string `json:"street_address,omitempty"`
	// Locality is the city or locality.
	Locality string `json:"locality,omitempty"`
	// Region is the state, province or region.
	Region string `json:"region,omitempty"`
	// PostalCode is the `postal_code` component.
	PostalCode string `json:"postal_code,omitempty"`
	// Country is the country name.
	Country string `json:"country,omitempty"`
}
type UserInfoEmail ¶
// UserInfoEmail holds the `email` and `email_verified` claims.
type UserInfoEmail struct {
	// Email is the `email` claim.
	Email string `json:"email,omitempty"`

	// EmailVerified uses the Bool type to handle providers that return
	// email_verified as a string instead of a JSON boolean:
	// https://forums.aws.amazon.com/thread.jspa?messageID=949441
	// https://discuss.elastic.co/t/openid-error-after-authenticating-against-aws-cognito/206018/11
	EmailVerified Bool `json:"email_verified,omitempty"`
}
type UserInfoPhone ¶
type UserInfoProfile ¶
// UserInfoProfile holds the `profile` scope claims of OpenID Connect Core 1.0, section 5.1.
type UserInfoProfile struct {
	// Name is the `name` claim.
	Name string `json:"name,omitempty"`
	// GivenName is the `given_name` claim.
	GivenName string `json:"given_name,omitempty"`
	// FamilyName is the `family_name` claim.
	FamilyName string `json:"family_name,omitempty"`
	// MiddleName is the `middle_name` claim.
	MiddleName string `json:"middle_name,omitempty"`
	// Nickname is the `nickname` claim.
	Nickname string `json:"nickname,omitempty"`
	// Profile is the `profile` page URL claim.
	Profile string `json:"profile,omitempty"`
	// Picture is the `picture` URL claim.
	Picture string `json:"picture,omitempty"`
	// Website is the `website` URL claim.
	Website string `json:"website,omitempty"`
	// Gender is the `gender` claim.
	Gender Gender `json:"gender,omitempty"`
	// Birthdate is the `birthdate` claim, kept as a string.
	Birthdate string `json:"birthdate,omitempty"`
	// Zoneinfo is the `zoneinfo` claim.
	Zoneinfo string `json:"zoneinfo,omitempty"`
	// Locale is the `locale` claim; nil when absent.
	Locale *Locale `json:"locale,omitempty"`
	// UpdatedAt is the `updated_at` claim.
	UpdatedAt Time `json:"updated_at,omitempty"`
	// PreferredUsername is the `preferred_username` claim.
	PreferredUsername string `json:"preferred_username,omitempty"`
}
type UserInfoRequest ¶
// UserInfoRequest is the request to the UserInfo endpoint.
type UserInfoRequest struct {
	// AccessToken is the `access_token` form parameter. It is a bearer
	// credential; avoid writing it to logs.
	AccessToken string `schema:"access_token"`
}
type Verifier ¶
// Verifier carries configuration for the various token verification functions.
// Use package specific constructor functions to know which values need to be set.
//
// The field names mirror the parameters of the Check* functions in this
// package (CheckIssuer, CheckIssuedAt, CheckExpiration, CheckAudience,
// CheckAuthTime, CheckAuthorizationContextClassReference, CheckNonce,
// CheckSignature).
type Verifier struct {
	// Issuer is the expected `iss` value.
	Issuer string
	// MaxAgeIAT is the maximum accepted age of the `iat` claim.
	MaxAgeIAT time.Duration
	// Offset is the clock-skew tolerance applied to time-based checks.
	Offset time.Duration
	// ClientID is the expected audience / authorized party.
	ClientID string
	// SupportedSignAlgs lists the accepted signature algorithms.
	// NOTE(review): presumably an empty list falls back to a package default —
	// confirm in the constructor before relying on it to restrict algorithms.
	SupportedSignAlgs []string
	// MaxAge is the maximum accepted time since `auth_time`.
	MaxAge time.Duration
	// ACR verifies the `acr` claim.
	ACR ACRVerifier
	// KeySet provides the keys used for signature verification.
	KeySet KeySet
	// Nonce returns the expected `nonce` for the given context.
	Nonce func(ctx context.Context) string
}
Verifier carries configuration for the various token verification functions. Use package specific constructor functions to know which values need to be set.