oidc

Published: Jan 26, 2024 License: Apache-2.0 Imports: 23 Imported by: 69


Constants

const (
	// ScopeOpenID defines the scope `openid`
	// OpenID Connect requests MUST contain the `openid` scope value
	ScopeOpenID = "openid"

	// ScopeProfile defines the scope `profile`
	// This (optional) scope value requests access to the End-User's default profile Claims,
	// which are: name, family_name, given_name, middle_name, nickname, preferred_username,
	// profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at.
	ScopeProfile = "profile"

	// ScopeEmail defines the scope `email`
	// This (optional) scope value requests access to the email and email_verified Claims.
	ScopeEmail = "email"

	// ScopeAddress defines the scope `address`
	// This (optional) scope value requests access to the address Claim.
	ScopeAddress = "address"

	// ScopePhone defines the scope `phone`
	// This (optional) scope value requests access to the phone_number and phone_number_verified Claims.
	ScopePhone = "phone"

	// ScopeOfflineAccess defines the scope `offline_access`
	// This (optional) scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token
	// that grants access to the End-User's UserInfo Endpoint even when the End-User is not present (not logged in).
	ScopeOfflineAccess = "offline_access"

	// ResponseTypeCode for the Authorization Code Flow returning a code from the Authorization Server
	ResponseTypeCode ResponseType = "code"

	// ResponseTypeIDToken for the Implicit Flow returning id and access tokens directly from the Authorization Server
	ResponseTypeIDToken ResponseType = "id_token token"

	// ResponseTypeIDTokenOnly for the Implicit Flow returning only id token directly from the Authorization Server
	ResponseTypeIDTokenOnly ResponseType = "id_token"

	// Display values for the `display` parameter of an AuthRequest. They tell the Authorization Server
	// how to present the authentication and consent user interface: a full User Agent page view,
	// a popup window, a touch-screen device or a feature phone (WAP) interface.
	DisplayPage  Display = "page"
	DisplayPopup Display = "popup"
	DisplayTouch Display = "touch"
	DisplayWAP   Display = "wap"

	// ResponseMode values for the `response_mode` parameter of an AuthRequest. They select whether the
	// authorization response parameters are returned in the query string or in the fragment of the redirect URI.
	ResponseModeQuery    ResponseMode = "query"
	ResponseModeFragment ResponseMode = "fragment"

	// PromptNone (`none`) disallows the Authorization Server to display any authentication or consent user interface pages.
	// An error (login_required, interaction_required, ...) will be returned if the user is not already authenticated or consent is needed
	PromptNone = "none"

	// PromptLogin (`login`) directs the Authorization Server to prompt the End-User for reauthentication.
	PromptLogin = "login"

	// PromptConsent (`consent`) directs the Authorization Server to prompt the End-User for consent (of sharing information).
	PromptConsent = "consent"

	// PromptSelectAccount (`select_account`) directs the Authorization Server to prompt the End-User to select a user account (to enable multi user / session switching)
	PromptSelectAccount = "select_account"
)
// Error codes carried in the `error` field of an OAuth 2.0 / OpenID Connect error response
// (see Error.ErrorType). The first group are the codes of the authorization and token
// endpoints (RFC 6749 section 5.2, OpenID Connect Core section 3.1.2.6); the second group
// is specific to the device authorization grant.
const (
	InvalidRequest       errorType = "invalid_request"
	InvalidScope         errorType = "invalid_scope"
	InvalidClient        errorType = "invalid_client"
	InvalidGrant         errorType = "invalid_grant"
	UnauthorizedClient   errorType = "unauthorized_client"
	UnsupportedGrantType errorType = "unsupported_grant_type"
	ServerError          errorType = "server_error"
	InteractionRequired  errorType = "interaction_required"
	LoginRequired        errorType = "login_required"
	RequestNotSupported  errorType = "request_not_supported"

	// Additional error codes as defined in
	// https://www.rfc-editor.org/rfc/rfc8628#section-3.5
	// Device Access Token Response
	AuthorizationPending errorType = "authorization_pending"
	SlowDown             errorType = "slow_down"
	AccessDenied         errorType = "access_denied"
	ExpiredToken         errorType = "expired_token"
)
const (
	// BearerToken defines the token_type `Bearer`, which is returned in a successful token response
	BearerToken = "Bearer"

	// PrefixBearer is BearerToken followed by a single space, i.e. the prefix that precedes the
	// token value in an `Authorization: Bearer <token>` header. Callers matching the header
	// should note that the scheme name is case-insensitive per RFC 6750, while this constant is not.
	PrefixBearer = BearerToken + " "
)
const (
	// DiscoveryEndpoint is the well-known path, relative to the issuer, at which the OpenID Provider
	// Configuration document (see DiscoveryConfiguration) is published.
	DiscoveryEndpoint = "/.well-known/openid-configuration"
)
const (
	// KeyUseSignature is the JSON Web Key `use` value `sig`, marking a key as intended for signing
	// (as opposed to encryption). It is the value to pass as `use` to FindMatchingKey when verifying signatures.
	KeyUseSignature = "sig"
)

Variables

// Constructors for the standard OAuth 2.0 / OpenID Connect error responses. Each call allocates a
// fresh *Error so callers can chain WithDescription or WithParent without sharing state between
// requests. Description and State are the only fields that reach the client (see Error).
var (
	ErrInvalidRequest = func() *Error {
		return &Error{
			ErrorType: InvalidRequest,
		}
	}
	// ErrInvalidRequestRedirectURI is an invalid_request error that additionally sets the unexported
	// redirectDisabled flag (exposed via IsRedirectDisabled); presumably used when the redirect_uri
	// itself is invalid, so the error is rendered instead of being redirected to an unvalidated URI — confirm in op.
	ErrInvalidRequestRedirectURI = func() *Error {
		return &Error{
			ErrorType:        InvalidRequest,
			redirectDisabled: true,
		}
	}
	ErrInvalidScope = func() *Error {
		return &Error{
			ErrorType: InvalidScope,
		}
	}
	ErrInvalidClient = func() *Error {
		return &Error{
			ErrorType: InvalidClient,
		}
	}
	ErrInvalidGrant = func() *Error {
		return &Error{
			ErrorType: InvalidGrant,
		}
	}
	ErrUnauthorizedClient = func() *Error {
		return &Error{
			ErrorType: UnauthorizedClient,
		}
	}
	ErrUnsupportedGrantType = func() *Error {
		return &Error{
			ErrorType: UnsupportedGrantType,
		}
	}
	ErrServerError = func() *Error {
		return &Error{
			ErrorType: ServerError,
		}
	}
	ErrInteractionRequired = func() *Error {
		return &Error{
			ErrorType: InteractionRequired,
		}
	}
	ErrLoginRequired = func() *Error {
		return &Error{
			ErrorType: LoginRequired,
		}
	}
	ErrRequestNotSupported = func() *Error {
		return &Error{
			ErrorType: RequestNotSupported,
		}
	}

	// Device Access Token errors:
	// These carry a fixed, client-facing Description taken from RFC 8628 section 3.5.
	ErrAuthorizationPending = func() *Error {
		return &Error{
			ErrorType:   AuthorizationPending,
			Description: "The client SHOULD repeat the access token request to the token endpoint, after interval from device authorization response.",
		}
	}
	ErrSlowDown = func() *Error {
		return &Error{
			ErrorType:   SlowDown,
			Description: "Polling should continue, but the interval MUST be increased by 5 seconds for this and all subsequent requests.",
		}
	}
	ErrAccessDenied = func() *Error {
		return &Error{
			ErrorType:   AccessDenied,
			Description: "The authorization request was denied.",
		}
	}
	// ErrExpiredDeviceCode uses the `expired_token` error code (ExpiredToken), as RFC 8628 prescribes
	// for an expired device_code.
	ErrExpiredDeviceCode = func() *Error {
		return &Error{
			ErrorType:   ExpiredToken,
			Description: "The \"device_code\" has expired.",
		}
	}
)
// Sentinel errors returned by FindMatchingKey when the key selection is ambiguous or empty.
// Compare with errors.Is.
var (
	ErrKeyMultiple = errors.New("multiple possible keys match")
	ErrKeyNone     = errors.New("no possible keys matches")
)
// Sentinel errors for token parsing and claim verification failures. Compare with errors.Is;
// the Check* functions are the expected sources (presumably e.g. CheckIssuer -> ErrIssuerInvalid,
// CheckSignature -> the ErrSignature* values — confirm against the implementation).
var (
	ErrParse                   = errors.New("parsing of request failed")
	ErrIssuerInvalid           = errors.New("issuer does not match")
	ErrSubjectMissing          = errors.New("subject missing")
	ErrAudience                = errors.New("audience is not valid")
	ErrAzpMissing              = errors.New("authorized party is not set. If Token is valid for multiple audiences, azp must not be empty")
	ErrAzpInvalid              = errors.New("authorized party is not valid")
	ErrSignatureMissing        = errors.New("id_token does not contain a signature")
	ErrSignatureMultiple       = errors.New("id_token contains multiple signatures")
	ErrSignatureUnsupportedAlg = errors.New("signature algorithm not supported")
	ErrSignatureInvalidPayload = errors.New("signature does not match Payload")
	ErrSignatureInvalid        = errors.New("invalid signature")
	ErrExpired                 = errors.New("token has expired")
	ErrIatMissing              = errors.New("issuedAt of token is missing")
	ErrIatInFuture             = errors.New("issuedAt of token is in the future")
	ErrIatToOld                = errors.New("issuedAt of token is to old")
	ErrNonceInvalid            = errors.New("nonce does not match")
	ErrAcrInvalid              = errors.New("acr is invalid")
	ErrAuthTimeNotPresent      = errors.New("claim `auth_time` of token is missing")
	ErrAuthTimeToOld           = errors.New("auth time of token is too old")
	ErrAtHash                  = errors.New("at_hash does not correspond to access token")
)

Functions

func AppendClientIDToAudience

func AppendClientIDToAudience(clientID string, audience []string) []string

func CheckAudience

func CheckAudience(claims Claims, clientID string) error

func CheckAuthTime

func CheckAuthTime(claims Claims, maxAge time.Duration) error

func CheckAuthorizationContextClassReference

func CheckAuthorizationContextClassReference(claims Claims, acr ACRVerifier) error

func CheckAuthorizedParty

func CheckAuthorizedParty(claims Claims, clientID string) error

CheckAuthorizedParty checks azp (authorized party) claim requirements.

If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present. If an azp Claim is present, the Client SHOULD verify that its client_id is the Claim Value. https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

func CheckExpiration

func CheckExpiration(claims Claims, offset time.Duration) error

func CheckIssuedAt

func CheckIssuedAt(claims Claims, maxAgeIAT, offset time.Duration) error

func CheckIssuer

func CheckIssuer(claims Claims, issuer string) error

func CheckNonce

func CheckNonce(claims Claims, nonce string) error

func CheckSignature

func CheckSignature(ctx context.Context, token string, payload []byte, claims ClaimsSignature, supportedSigAlgs []string, set KeySet) error

func CheckSubject

func CheckSubject(claims Claims) error

func ClaimHash

func ClaimHash(claim string, sigAlgorithm jose.SignatureAlgorithm) (string, error)

func DecryptToken

func DecryptToken(tokenString string) (string, error)

func FindKey

func FindKey(keyID, use, expectedAlg string, keys ...jose.JSONWebKey) (jose.JSONWebKey, bool)

FindKey searches the given JSON Web Keys for the requested key ID, usage and key type

It returns the key immediately if one matches exactly (id, usage, type).

It returns false if none or multiple keys match.

Deprecated: use FindMatchingKey, which returns a (more specific) error instead of just a bool; the implementation has already been moved to FindMatchingKey.

func FindMatchingKey

func FindMatchingKey(keyID, use, expectedAlg string, keys ...jose.JSONWebKey) (key jose.JSONWebKey, err error)

FindMatchingKey searches the given JSON Web Keys for the requested key ID, usage and alg type

It returns the key immediately if one matches exactly (id, usage, type).

It returns a specific error if none (ErrKeyNone) or multiple (ErrKeyMultiple) keys match.

func GenerateJWTProfileToken

func GenerateJWTProfileToken(assertion *JWTProfileAssertionClaims) (string, error)

func GetKeyIDAndAlg

func GetKeyIDAndAlg(jws *jose.JSONWebSignature) (string, string)

GetKeyIDAndAlg returns the `kid` and `alg` claim from the JWS header

func JWTProfileCustomClaim

func JWTProfileCustomClaim(key string, value any) func(*JWTProfileAssertionClaims)

func JWTProfileDelegatedSubject

func JWTProfileDelegatedSubject(sub string) func(*JWTProfileAssertionClaims)

func NewEncoder

func NewEncoder() *schema.Encoder

NewEncoder returns a schema Encoder with a registered encoder for SpaceDelimitedArray.

func NewJWTProfileAssertionStringFromFileData

func NewJWTProfileAssertionStringFromFileData(data []byte, audience []string, opts ...AssertionOption) (string, error)

func NewSHACodeChallenge

func NewSHACodeChallenge(code string) string

func ParseToken

func ParseToken(tokenString string, claims any) ([]byte, error)

func VerifyCodeChallenge

func VerifyCodeChallenge(c *CodeChallenge, codeVerifier string) bool

Types

type ACRVerifier

// ACRVerifier validates the `acr` claim value it is given and returns an error when the value is not acceptable.
// It is the type consumed by CheckAuthorizationContextClassReference; DefaultACRVerifier builds one from a list of allowed values.
type ACRVerifier func(string) error

ACRVerifier specifies the function to be used by the `DefaultVerifier` for validating the acr claim

func DefaultACRVerifier

func DefaultACRVerifier(possibleValues []string) ACRVerifier

DefaultACRVerifier implements `ACRVerifier`, returning an error if none of the provided values matches the acr claim.

type AccessTokenClaims

// AccessTokenClaims are the claims of a JWT access token: the standard TokenClaims plus the
// space-delimited `scope` claim. Claims is excluded from default JSON handling (`json:"-"`);
// the type's own MarshalJSON/UnmarshalJSON presumably merge it with the typed fields — confirm there.
type AccessTokenClaims struct {
	TokenClaims
	Scopes SpaceDelimitedArray `json:"scope,omitempty"`
	Claims map[string]any      `json:"-"`
}

func NewAccessTokenClaims

func NewAccessTokenClaims(issuer, subject string, audience []string, expiration time.Time, jwtid, clientID string, skew time.Duration) *AccessTokenClaims

func (*AccessTokenClaims) MarshalJSON

func (a *AccessTokenClaims) MarshalJSON() ([]byte, error)

func (*AccessTokenClaims) UnmarshalJSON

func (a *AccessTokenClaims) UnmarshalJSON(data []byte) error

type AccessTokenRequest

// AccessTokenRequest is the form-encoded token endpoint request that exchanges an authorization code
// (plus the PKCE code_verifier when one was used) for tokens. The client authenticates either with
// client_id/client_secret or with a client_assertion (see ClientAssertionParams); GrantType reports the grant.
// NOTE(review): ClientSecret, ClientAssertion and Code are credentials — confirm they are redacted from logs and error descriptions.
type AccessTokenRequest struct {
	Code                string `schema:"code"`
	RedirectURI         string `schema:"redirect_uri"`
	ClientID            string `schema:"client_id"`
	ClientSecret        string `schema:"client_secret"`
	CodeVerifier        string `schema:"code_verifier"`
	ClientAssertion     string `schema:"client_assertion"`
	ClientAssertionType string `schema:"client_assertion_type"`
}

func (*AccessTokenRequest) GrantType

func (a *AccessTokenRequest) GrantType() GrantType

func (*AccessTokenRequest) SetClientID

func (a *AccessTokenRequest) SetClientID(clientID string)

SetClientID implements op.AuthenticatedTokenRequest

func (*AccessTokenRequest) SetClientSecret

func (a *AccessTokenRequest) SetClientSecret(clientSecret string)

SetClientSecret implements op.AuthenticatedTokenRequest

type AccessTokenResponse

// AccessTokenResponse is the successful token endpoint response (RFC 6749 section 5.1). It carries both
// `json` and `schema` tags so it can be emitted as JSON or as a form-encoded parameter set. ExpiresIn is
// the access token lifetime in seconds; TokenType is normally BearerToken. State is only expected when the
// tokens are returned in an authorization response (implicit/hybrid) — confirm against the encoder used.
type AccessTokenResponse struct {
	AccessToken  string `json:"access_token,omitempty" schema:"access_token,omitempty"`
	TokenType    string `json:"token_type,omitempty" schema:"token_type,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty" schema:"refresh_token,omitempty"`
	ExpiresIn    uint64 `json:"expires_in,omitempty" schema:"expires_in,omitempty"`
	IDToken      string `json:"id_token,omitempty" schema:"id_token,omitempty"`
	State        string `json:"state,omitempty" schema:"state,omitempty"`
}

type AssertionOption

// AssertionOption mutates a JWTProfileAssertionClaims before it is signed. JWTProfileCustomClaim and
// JWTProfileDelegatedSubject produce such options; NewJWTProfileAssertionStringFromFileData applies them.
type AssertionOption func(*JWTProfileAssertionClaims)

type Audience

// Audience is the `aud` claim. Its custom UnmarshalJSON presumably accepts both the single-string and
// the array form the claim allows — confirm in the implementation.
type Audience []string

func (*Audience) UnmarshalJSON

func (a *Audience) UnmarshalJSON(text []byte) error

type AuthMethod

// AuthMethod identifies how a client authenticates to the token endpoint. The values are the
// `token_endpoint_auth_method` identifiers advertised in DiscoveryConfiguration.TokenEndpointAuthMethodsSupported.
type AuthMethod string
const (
	// AuthMethodBasic sends client_id and client_secret via HTTP Basic authentication.
	AuthMethodBasic         AuthMethod = "client_secret_basic"
	// AuthMethodPost sends client_id and client_secret in the request body.
	AuthMethodPost          AuthMethod = "client_secret_post"
	// AuthMethodNone is for public clients that do not authenticate at the token endpoint.
	AuthMethodNone          AuthMethod = "none"
	// AuthMethodPrivateKeyJWT authenticates with a JWT signed by the client's private key (see ClientAssertionParams).
	AuthMethodPrivateKeyJWT AuthMethod = "private_key_jwt"
)

type AuthRequest

// AuthRequest is the authorization endpoint request. It is decoded from the query/form parameters via the
// `schema` tags; the `json` tags allow the same structure to be carried as a JSON document.
// The Get* accessors implement the ErrAuthRequest interface and LogValue controls how it is logged.
// NOTE(review): IDTokenHint and LoginHint can carry personal data — confirm LogValue redacts them.
type AuthRequest struct {
	Scopes       SpaceDelimitedArray `json:"scope" schema:"scope"`
	ResponseType ResponseType        `json:"response_type" schema:"response_type"`
	ClientID     string              `json:"client_id" schema:"client_id"`
	RedirectURI  string              `json:"redirect_uri" schema:"redirect_uri"`

	// State is opaque to the server and echoed back in the response; Nonce is bound into the ID Token (see CheckNonce).
	State string `json:"state" schema:"state"`
	Nonce string `json:"nonce" schema:"nonce"`

	ResponseMode ResponseMode        `json:"response_mode" schema:"response_mode"`
	Display      Display             `json:"display" schema:"display"`
	Prompt       SpaceDelimitedArray `json:"prompt" schema:"prompt"`
	MaxAge       *uint               `json:"max_age" schema:"max_age"`
	UILocales    Locales             `json:"ui_locales" schema:"ui_locales"`
	IDTokenHint  string              `json:"id_token_hint" schema:"id_token_hint"`
	LoginHint    string              `json:"login_hint" schema:"login_hint"`
	ACRValues    SpaceDelimitedArray `json:"acr_values" schema:"acr_values"`

	// PKCE parameters (RFC 7636); see CodeChallenge and VerifyCodeChallenge.
	CodeChallenge       string              `json:"code_challenge" schema:"code_challenge"`
	CodeChallengeMethod CodeChallengeMethod `json:"code_challenge_method" schema:"code_challenge_method"`

	// RequestParam enables OIDC requests to be passed in a single, self-contained parameter (as JWT, called Request Object)
	RequestParam string `schema:"request"`
}

AuthRequest according to: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

func (*AuthRequest) GetRedirectURI

func (a *AuthRequest) GetRedirectURI() string

GetRedirectURI returns the redirect_uri value for the ErrAuthRequest interface

func (*AuthRequest) GetResponseMode

func (a *AuthRequest) GetResponseMode() ResponseMode

GetResponseMode returns the optional ResponseMode

func (*AuthRequest) GetResponseType

func (a *AuthRequest) GetResponseType() ResponseType

GetResponseType returns the response_type value for the ErrAuthRequest interface

func (*AuthRequest) GetState

func (a *AuthRequest) GetState() string

GetState returns the optional state value for the ErrAuthRequest interface

func (*AuthRequest) LogValue

func (a *AuthRequest) LogValue() slog.Value

type Bool

// Bool is a bool with a lenient UnmarshalJSON; presumably it also accepts the JSON strings "true"/"false"
// that some providers emit for boolean claims — confirm in the implementation.
type Bool bool

func (*Bool) UnmarshalJSON

func (bs *Bool) UnmarshalJSON(data []byte) error

type Claims

// Claims is the read-only view of a token's claims consumed by the Check* verification functions
// (CheckIssuer, CheckAudience, CheckExpiration, CheckIssuedAt, CheckNonce, ...). It embeds
// ClaimsSignature so CheckSignature can record the algorithm that verified the token.
type Claims interface {
	GetIssuer() string
	GetSubject() string
	GetAudience() []string
	GetExpiration() time.Time
	GetIssuedAt() time.Time
	GetNonce() string
	GetAuthenticationContextClassReference() string
	GetAuthTime() time.Time
	GetAuthorizedParty() string
	ClaimsSignature
}

type ClaimsSignature

// ClaimsSignature lets CheckSignature store the JWS algorithm that verified the token on the claims,
// so later checks (e.g. ClaimHash for at_hash) can use the same algorithm.
type ClaimsSignature interface {
	SetSignatureAlgorithm(algorithm jose.SignatureAlgorithm)
}

type ClientAssertionParams

// ClientAssertionParams are the form parameters for JWT-based client authentication
// (AuthMethodPrivateKeyJWT); ClientAssertionType is expected to be ClientAssertionTypeJWTAssertion.
type ClientAssertionParams struct {
	ClientAssertion     string `schema:"client_assertion"`
	ClientAssertionType string `schema:"client_assertion_type"`
}

type ClientCredentialsRequest

// ClientCredentialsRequest is the form-encoded token endpoint request for the client credentials grant
// (GrantTypeClientCredentials). The client authenticates with client_id/client_secret or a client_assertion.
// NOTE(review): ClientSecret and ClientAssertion are credentials — confirm they are redacted from logs.
type ClientCredentialsRequest struct {
	GrantType           GrantType           `schema:"grant_type,omitempty"`
	Scope               SpaceDelimitedArray `schema:"scope"`
	ClientID            string              `schema:"client_id"`
	ClientSecret        string              `schema:"client_secret"`
	ClientAssertion     string              `schema:"client_assertion"`
	ClientAssertionType string              `schema:"client_assertion_type"`
}

type CodeChallenge

// CodeChallenge is the PKCE challenge (RFC 7636) stored with an authorization request and later checked
// against the token request's code_verifier by VerifyCodeChallenge. A false result from that check
// must abort the code exchange. NewSHACodeChallenge derives the S256 form of a verifier.
type CodeChallenge struct {
	Challenge string
	Method    CodeChallengeMethod
}

type CodeChallengeMethod

// CodeChallengeMethod is the PKCE `code_challenge_method` (RFC 7636 section 4.3).
type CodeChallengeMethod string
const (
	// CodeChallengeMethodPlain compares the challenge and verifier directly. RFC 7636 only permits it for
	// clients that cannot use S256; advertise it in CodeChallengeMethodsSupported deliberately.
	CodeChallengeMethodPlain CodeChallengeMethod = "plain"
	// CodeChallengeMethodS256 compares the challenge with the base64url-encoded SHA-256 of the verifier (see NewSHACodeChallenge).
	CodeChallengeMethodS256  CodeChallengeMethod = "S256"
)

type DeviceAccessTokenRequest

// DeviceAccessTokenRequest is the polling request of the device authorization grant; GrantType is expected
// to be GrantTypeDeviceCode and DeviceCode the value from a DeviceAuthorizationResponse.
type DeviceAccessTokenRequest struct {
	GrantType  GrantType `json:"grant_type" schema:"grant_type"`
	DeviceCode string    `json:"device_code" schema:"device_code"`
}

DeviceAccessTokenRequest implements https://www.rfc-editor.org/rfc/rfc8628#section-3.4, Device Access Token Request.

type DeviceAuthorizationRequest

// DeviceAuthorizationRequest is the form-encoded request that starts the device authorization grant.
type DeviceAuthorizationRequest struct {
	Scopes   SpaceDelimitedArray `schema:"scope"`
	ClientID string              `schema:"client_id"`
}

DeviceAuthorizationRequest implements https://www.rfc-editor.org/rfc/rfc8628#section-3.1, 3.1 Device Authorization Request.

type DeviceAuthorizationResponse

// DeviceAuthorizationResponse is the JSON response to a DeviceAuthorizationRequest. DeviceCode is the
// secret the device polls with; UserCode is what the End-User enters at VerificationURI. ExpiresIn and
// Interval are in seconds (RFC 8628 section 3.2); a zero Interval is omitted and the client falls back to the default.
type DeviceAuthorizationResponse struct {
	DeviceCode              string `json:"device_code"`
	UserCode                string `json:"user_code"`
	VerificationURI         string `json:"verification_uri"`
	VerificationURIComplete string `json:"verification_uri_complete,omitempty"`
	ExpiresIn               int    `json:"expires_in"`
	Interval                int    `json:"interval,omitempty"`
}

DeviceAuthorizationResponse implements https://www.rfc-editor.org/rfc/rfc8628#section-3.2 3.2. Device Authorization Response.

type DiscoveryConfiguration

// DiscoveryConfiguration is the OpenID Provider Metadata document (OpenID Connect Discovery 1.0 section 3)
// published at DiscoveryEndpoint. Relying parties use it to locate endpoints and keys and to learn
// which algorithms, scopes and authentication methods the OP supports.
type DiscoveryConfiguration struct {
	// Issuer is the identifier of the OP and is used in the tokens as `iss` claim.
	Issuer string `json:"issuer,omitempty"`

	// AuthorizationEndpoint is the URL of the OAuth 2.0 Authorization Endpoint where all user interactive login start
	AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`

	// TokenEndpoint is the URL of the OAuth 2.0 Token Endpoint where all tokens are issued, except when using Implicit Flow
	TokenEndpoint string `json:"token_endpoint,omitempty"`

	// IntrospectionEndpoint is the URL of the OAuth 2.0 Introspection Endpoint.
	IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`

	// UserinfoEndpoint is the URL where an access_token can be used to retrieve the Userinfo.
	UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"`

	// RevocationEndpoint is the URL of the OAuth 2.0 Revocation Endpoint.
	RevocationEndpoint string `json:"revocation_endpoint,omitempty"`

	// EndSessionEndpoint is a URL where the RP can perform a redirect to request that the End-User be logged out at the OP.
	EndSessionEndpoint string `json:"end_session_endpoint,omitempty"`

	// DeviceAuthorizationEndpoint is the URL of the Device Authorization Endpoint (RFC 8628) that accepts a DeviceAuthorizationRequest.
	DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint,omitempty"`

	// CheckSessionIframe is a URL where the OP provides an iframe that support cross-origin communications for session state information with the RP Client.
	CheckSessionIframe string `json:"check_session_iframe,omitempty"`

	// JwksURI is the URL of the JSON Web Key Set. This site contains the signing keys that RPs can use to validate the signature.
	// It may also contain the OP's encryption keys that RPs can use to encrypt request to the OP.
	JwksURI string `json:"jwks_uri,omitempty"`

	// RegistrationEndpoint is the URL for the Dynamic Client Registration.
	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`

	// ScopesSupported lists an array of supported scopes. This list need not include every scope supported by the OP.
	ScopesSupported []string `json:"scopes_supported,omitempty"`

	// ResponseTypesSupported contains a list of the OAuth 2.0 response_type values that the OP supports (code, id_token, token id_token, ...).
	ResponseTypesSupported []string `json:"response_types_supported,omitempty"`

	// ResponseModesSupported contains a list of the OAuth 2.0 response_mode values that the OP supports. If omitted, the default value is ["query", "fragment"].
	ResponseModesSupported []string `json:"response_modes_supported,omitempty"`

	// GrantTypesSupported contains a list of the OAuth 2.0 grant_type values that the OP supports. If omitted, the default value is ["authorization_code", "implicit"].
	GrantTypesSupported []GrantType `json:"grant_types_supported,omitempty"`

	// ACRValuesSupported contains a list of Authentication Context Class References that the OP supports.
	ACRValuesSupported []string `json:"acr_values_supported,omitempty"`

	// SubjectTypesSupported contains a list of Subject Identifier types that the OP supports (pairwise, public).
	SubjectTypesSupported []string `json:"subject_types_supported,omitempty"`

	// IDTokenSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for the ID Token.
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`

	// IDTokenEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for the ID Token.
	IDTokenEncryptionAlgValuesSupported []string `json:"id_token_encryption_alg_values_supported,omitempty"`

	// IDTokenEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for the ID Token.
	IDTokenEncryptionEncValuesSupported []string `json:"id_token_encryption_enc_values_supported,omitempty"`

	// UserinfoSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for UserInfo Endpoint.
	UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported,omitempty"`

	// UserinfoEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for the UserInfo Endpoint.
	UserinfoEncryptionAlgValuesSupported []string `json:"userinfo_encryption_alg_values_supported,omitempty"`

	// UserinfoEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for the UserInfo Endpoint.
	UserinfoEncryptionEncValuesSupported []string `json:"userinfo_encryption_enc_values_supported,omitempty"`

	// RequestObjectSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for Request Objects.
	// These algorithms are used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter).
	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`

	// RequestObjectEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for Request Objects.
	// These algorithms are used both when the Request Object is passed by value and by reference.
	RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported,omitempty"`

	// RequestObjectEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for Request Objects.
	// These algorithms are used both when the Request Object is passed by value and by reference.
	RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported,omitempty"`

	// TokenEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Token Endpoint. If omitted, the default is client_secret_basic.
	TokenEndpointAuthMethodsSupported []AuthMethod `json:"token_endpoint_auth_methods_supported,omitempty"`

	// TokenEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Token Endpoint
	// for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt.
	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`

	// RevocationEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Revocation Endpoint. If omitted, the default is client_secret_basic.
	RevocationEndpointAuthMethodsSupported []AuthMethod `json:"revocation_endpoint_auth_methods_supported,omitempty"`

	// RevocationEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Revocation Endpoint
	// for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt.
	RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`

	// IntrospectionEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Introspection Endpoint.
	IntrospectionEndpointAuthMethodsSupported []AuthMethod `json:"introspection_endpoint_auth_methods_supported,omitempty"`

	// IntrospectionEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Introspection Endpoint
	// for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt.
	IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`

	// DisplayValuesSupported contains a list of display parameter values that the OP supports (page, popup, touch, wap).
	DisplayValuesSupported []Display `json:"display_values_supported,omitempty"`

	// ClaimTypesSupported contains a list of Claim Types that the OP supports (normal, aggregated, distributed). If omitted, the default is normal Claims.
	ClaimTypesSupported []string `json:"claim_types_supported,omitempty"`

	// ClaimsSupported contains a list of Claim Names the OP may be able to supply values for. This list might not be exhaustive.
	ClaimsSupported []string `json:"claims_supported,omitempty"`

	// ClaimsParameterSupported specifies whether the OP supports use of the `claims` parameter. If omitted, the default is false.
	ClaimsParameterSupported bool `json:"claims_parameter_supported,omitempty"`

	// CodeChallengeMethodsSupported contains a list of Proof Key for Code Exchange (PKCE) code challenge methods supported by the OP.
	CodeChallengeMethodsSupported []CodeChallengeMethod `json:"code_challenge_methods_supported,omitempty"`

	// ServiceDocumentation is a URL where developers can get information about the OP and its usage.
	ServiceDocumentation string `json:"service_documentation,omitempty"`

	// ClaimsLocalesSupported contains a list of BCP47 language tag values that the OP supports for values of Claims returned.
	ClaimsLocalesSupported Locales `json:"claims_locales_supported,omitempty"`

	// UILocalesSupported contains a list of BCP47 language tag values that the OP supports for the user interface.
	UILocalesSupported Locales `json:"ui_locales_supported,omitempty"`

	// RequestParameterSupported specifies whether the OP supports use of the `request` parameter. If omitted, the default value is false.
	RequestParameterSupported bool `json:"request_parameter_supported,omitempty"`

	// RequestURIParameterSupported specifies whether the OP supports use of the `request_uri` parameter. If omitted, the default value is true. (therefore no omitempty)
	RequestURIParameterSupported bool `json:"request_uri_parameter_supported"`

	// RequireRequestURIRegistration specifies whether the OP requires any `request_uri` to be pre-registered using the request_uris registration parameter. If omitted, the default value is false.
	RequireRequestURIRegistration bool `json:"require_request_uri_registration,omitempty"`

	// OPPolicyURI is a URL the OP provides to the person registering the Client to read about the OP's requirements on how the RP can use the data provided by the OP.
	OPPolicyURI string `json:"op_policy_uri,omitempty"`

	// OPTermsOfServiceURI is a URL the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service.
	OPTermsOfServiceURI string `json:"op_tos_uri,omitempty"`
}

type Display

// Display is the `display` parameter of an AuthRequest; see DisplayPage, DisplayPopup, DisplayTouch and DisplayWAP.
// Its UnmarshalText presumably validates against those values — confirm in the implementation.
type Display string

func (*Display) UnmarshalText

func (d *Display) UnmarshalText(text []byte) error

type EndSessionRequest

// EndSessionRequest is the form-encoded RP-Initiated Logout request. PostLogoutRedirectURI must only be
// followed after it has been validated against the client's registered URIs, as with any redirect target.
type EndSessionRequest struct {
	IdTokenHint           string `schema:"id_token_hint"`
	ClientID              string `schema:"client_id"`
	PostLogoutRedirectURI string `schema:"post_logout_redirect_uri"`
	State                 string `schema:"state"`
}

EndSessionRequest for the RP-Initiated Logout according to: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout

type Error

// Error is the OAuth 2.0 / OpenID Connect error response. ErrorType, Description and State are
// serialized as `error`, `error_description` and `state`, i.e. they are client-visible; Parent is
// excluded from both JSON and form encoding (`json:"-" schema:"-"`) and is presumably exposed only
// through Unwrap and LogValue — confirm. Keep internal details out of Description for that reason.
// An unexported redirectDisabled flag (see ErrInvalidRequestRedirectURI, IsRedirectDisabled) is also present.
type Error struct {
	Parent      error     `json:"-" schema:"-"`
	ErrorType   errorType `json:"error" schema:"error"`
	Description string    `json:"error_description,omitempty" schema:"error_description,omitempty"`
	State       string    `json:"state,omitempty" schema:"state,omitempty"`
	// contains filtered or unexported fields
}

func DefaultToServerError

func DefaultToServerError(err error, description string) *Error

DefaultToServerError checks whether the error is an *Error; if not, the provided error is wrapped into a ServerError.

func (*Error) Error

func (e *Error) Error() string

func (*Error) Is

func (e *Error) Is(target error) bool

func (*Error) IsRedirectDisabled

func (e *Error) IsRedirectDisabled() bool

func (*Error) LogLevel

func (e *Error) LogLevel() slog.Level

func (*Error) LogValue

func (e *Error) LogValue() slog.Value

func (*Error) Unwrap

func (e *Error) Unwrap() error

func (*Error) WithDescription

func (e *Error) WithDescription(desc string, args ...any) *Error

func (*Error) WithParent

func (e *Error) WithParent(err error) *Error

type Gender

// Gender is the value of the `gender` profile claim (see ScopeProfile).
type Gender string

type GrantType

// GrantType is the `grant_type` parameter of a token endpoint request and the element type of
// DiscoveryConfiguration.GrantTypesSupported.
type GrantType string
const (
	// GrantTypeCode defines the grant_type `authorization_code` used for the Token Request in the Authorization Code Flow
	GrantTypeCode GrantType = "authorization_code"

	// GrantTypeRefreshToken defines the grant_type `refresh_token` used for the Token Request in the Refresh Token Flow
	GrantTypeRefreshToken GrantType = "refresh_token"

	// GrantTypeClientCredentials defines the grant_type `client_credentials` used for the Token Request in the Client Credentials Token Flow
	GrantTypeClientCredentials GrantType = "client_credentials"

	// GrantTypeBearer defines the grant_type `urn:ietf:params:oauth:grant-type:jwt-bearer` used for the JWT Authorization Grant
	GrantTypeBearer GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"

	// GrantTypeTokenExchange defines the grant_type `urn:ietf:params:oauth:grant-type:token-exchange` used for the OAuth Token Exchange Grant
	GrantTypeTokenExchange GrantType = "urn:ietf:params:oauth:grant-type:token-exchange"

	// GrantTypeImplicit defines the grant type `implicit` used for implicit flows that skip the generation and exchange of an Authorization Code
	GrantTypeImplicit GrantType = "implicit"

	// GrantTypeDeviceCode defines the grant_type `urn:ietf:params:oauth:grant-type:device_code` used for the Device Access Token Request (RFC 8628)
	GrantTypeDeviceCode GrantType = "urn:ietf:params:oauth:grant-type:device_code"

	// ClientAssertionTypeJWTAssertion defines the client_assertion_type `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`
	// used for the OAuth JWT Profile Client Authentication.
	// Note that it is an untyped string constant, not a GrantType, despite being declared in this block.
	ClientAssertionTypeJWTAssertion = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
)

type IDClaims

// IDClaims is the claim set an ID Token must expose to the verification functions: the base Claims plus the
// JWS algorithm the token was signed with and the `at_hash` claim that binds an Access Token to the ID Token.
type IDClaims interface {
	Claims
	// GetSignatureAlgorithm returns the JWS `alg` the claims were parsed from.
	GetSignatureAlgorithm() jose.SignatureAlgorithm
	// GetAccessTokenHash returns the `at_hash` claim; empty when the token carries none.
	GetAccessTokenHash() string
}

type IDTokenClaims

type IDTokenClaims struct {
	TokenClaims
	// NotBefore is the optional `nbf` claim; the token must not be accepted before this time.
	NotBefore       Time   `json:"nbf,omitempty"`
	// AccessTokenHash is the `at_hash` claim: the base64url-encoded left-most half of the hash of the Access Token,
	// using the hash of the ID Token's `alg`. When an Access Token is returned from the Authorization Endpoint together
	// with the ID Token (implicit/hybrid), the RP MUST validate it against the received Access Token (Core 3.2.2.9, 3.3.2.9).
	AccessTokenHash string `json:"at_hash,omitempty"`
	// CodeHash is the `c_hash` claim, binding the Authorization Code to this ID Token in the Hybrid Flow;
	// it must be validated the same way as `at_hash` (Core 3.3.2.10).
	CodeHash        string `json:"c_hash,omitempty"`
	// SessionID is the `sid` claim identifying the End-User's session at the OP (used by front-/back-channel logout).
	SessionID       string `json:"sid,omitempty"`
	UserInfoProfile
	UserInfoEmail
	UserInfoPhone
	Address *UserInfoAddress `json:"address,omitempty"`
	// Claims holds any additional, non-standard claims. It is excluded from the struct-tag JSON mapping (`json:"-"`);
	// presumably the custom MarshalJSON/UnmarshalJSON of this type merge it into / split it out of the token body — confirm.
	Claims  map[string]any   `json:"-"`
}

IDTokenClaims extends TokenClaims by further implementing OpenID Connect Core 1.0, sections 3.1.3.6 (Code flow), 3.2.2.10 (implicit), 3.3.2.11 (Hybrid) and 5.1 (UserInfo). https://openid.net/specs/openid-connect-core-1_0.html#toc

func NewIDTokenClaims

func NewIDTokenClaims(issuer, subject string, audience []string, expiration, authTime time.Time, nonce string, acr string, amr []string, clientID string, skew time.Duration) *IDTokenClaims

func (*IDTokenClaims) GetAccessTokenHash

func (t *IDTokenClaims) GetAccessTokenHash() string

GetAccessTokenHash implements the IDClaims interface (IDTokenClaims is the struct, IDClaims the interface it satisfies).

func (*IDTokenClaims) GetUserInfo

func (t *IDTokenClaims) GetUserInfo() *UserInfo

func (*IDTokenClaims) MarshalJSON

func (i *IDTokenClaims) MarshalJSON() ([]byte, error)

func (*IDTokenClaims) SetUserInfo

func (t *IDTokenClaims) SetUserInfo(i *UserInfo)

func (*IDTokenClaims) UnmarshalJSON

func (i *IDTokenClaims) UnmarshalJSON(data []byte) error

type IntrospectionRequest

// IntrospectionRequest is the form body of an RFC 7662 introspection request.
// RFC 7662, section 2.1 requires the introspection endpoint to be protected by client authentication
// to prevent token-scanning attacks; the credentials are not part of this struct.
// NOTE(review): the optional `token_type_hint` parameter of RFC 7662 is not modelled here.
type IntrospectionRequest struct {
	// Token is the token (access or refresh token) to introspect.
	Token string `schema:"token"`
}

type IntrospectionResponse

type IntrospectionResponse struct {
	// Active reports whether the token is currently valid at the introspecting server (RFC 7662, section 2.2).
	// It is always serialized (no omitempty). When it is false the remaining fields carry no meaning and must be
	// ignored; a resource server must treat anything but an explicit `true` as an invalid token.
	Active     bool                `json:"active"`
	// Scope is the space-delimited scope the token was granted; the RS must check it covers the requested operation.
	Scope      SpaceDelimitedArray `json:"scope,omitempty"`
	// ClientID is the client the token was issued to.
	ClientID   string              `json:"client_id,omitempty"`
	// TokenType is the token type (e.g. "Bearer").
	TokenType  string              `json:"token_type,omitempty"`
	// Expiration, IssuedAt and NotBefore mirror the `exp`, `iat` and `nbf` claims. An absent claim unmarshals to 0,
	// so consumers must not interpret 0 as "never expires".
	Expiration Time                `json:"exp,omitempty"`
	IssuedAt   Time                `json:"iat,omitempty"`
	NotBefore  Time                `json:"nbf,omitempty"`
	// Subject is the `sub` of the End-User (or client) the token was issued for.
	Subject    string              `json:"sub,omitempty"`
	// Audience lists the intended recipients; an RS should verify it is among them before honoring the token.
	Audience   Audience            `json:"aud,omitempty"`
	Issuer     string              `json:"iss,omitempty"`
	JWTID      string              `json:"jti,omitempty"`
	// Username is a human-readable identifier; it is not stable and must not be used as the principal key (use Subject).
	Username   string              `json:"username,omitempty"`
	UserInfoProfile
	UserInfoEmail
	UserInfoPhone

	Address *UserInfoAddress `json:"address,omitempty"`
	// Claims holds additional claims; excluded from the struct-tag mapping, presumably handled by MarshalJSON/UnmarshalJSON — confirm.
	Claims  map[string]any   `json:"-"`
}

IntrospectionResponse implements RFC 7662, section 2.2 and OpenID Connect Core 1.0, section 5.1 (UserInfo). https://www.rfc-editor.org/rfc/rfc7662.html#section-2.2. https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims.

func (*IntrospectionResponse) GetAddress

func (i *IntrospectionResponse) GetAddress() *UserInfoAddress

GetAddress is a safe getter that takes care of a possible nil value.

func (*IntrospectionResponse) MarshalJSON

func (i *IntrospectionResponse) MarshalJSON() ([]byte, error)

func (*IntrospectionResponse) SetUserInfo

func (i *IntrospectionResponse) SetUserInfo(u *UserInfo)

SetUserInfo copies all relevant fields from UserInfo into the IntrospectionResponse.

func (*IntrospectionResponse) UnmarshalJSON

func (i *IntrospectionResponse) UnmarshalJSON(data []byte) error

type JWTProfileAssertionClaims

// JWTProfileAssertionClaims are the claims of a client-signed JWT used as assertion in the
// `urn:ietf:params:oauth:grant-type:jwt-bearer` grant (RFC 7523, section 3).
type JWTProfileAssertionClaims struct {
	// PrivateKeyID and PrivateKey hold the client's signing key. Both are excluded from JSON (`json:"-"`);
	// PrivateKey is secret key material and must never be logged or persisted by callers.
	PrivateKeyID string   `json:"-"`
	PrivateKey   []byte   `json:"-"`
	// Issuer is the `iss` claim; for a self-signed assertion this identifies the client.
	Issuer       string   `json:"iss"`
	// Subject is the `sub` claim, the principal the token is requested for.
	Subject      string   `json:"sub"`
	// Audience is the `aud` claim; RFC 7523 requires it to identify the authorization server (e.g. its issuer or token endpoint).
	Audience     Audience `json:"aud"`
	// Expiration is the mandatory `exp` claim. Keep assertions short-lived: an assertion is a bearer credential until it expires.
	Expiration   Time     `json:"exp"`
	IssuedAt     Time     `json:"iat"`

	// Claims holds additional claims; excluded from the struct-tag mapping, presumably merged by MarshalJSON/UnmarshalJSON — confirm.
	Claims map[string]any `json:"-"`
}

func NewJWTProfileAssertion

func NewJWTProfileAssertion(userID, keyID string, audience []string, key []byte, opts ...AssertionOption) *JWTProfileAssertionClaims

func NewJWTProfileAssertionFromFileData

func NewJWTProfileAssertionFromFileData(data []byte, audience []string, opts ...AssertionOption) (*JWTProfileAssertionClaims, error)

func NewJWTProfileAssertionFromKeyJSON

func NewJWTProfileAssertionFromKeyJSON(filename string, audience []string, opts ...AssertionOption) (*JWTProfileAssertionClaims, error)

func (*JWTProfileAssertionClaims) MarshalJSON

func (j *JWTProfileAssertionClaims) MarshalJSON() ([]byte, error)

func (*JWTProfileAssertionClaims) UnmarshalJSON

func (j *JWTProfileAssertionClaims) UnmarshalJSON(data []byte) error

type JWTProfileGrantRequest

// JWTProfileGrantRequest is the form body of a JWT Bearer grant Token Request (RFC 7523, section 2.1).
type JWTProfileGrantRequest struct {
	// Assertion is the signed JWT (compact serialization). The server must verify its signature against the key
	// registered for the issuer, plus `aud` and `exp`, before issuing any token.
	Assertion string              `schema:"assertion"`
	// Scope is the optionally requested scope; the server must narrow it to what the assertion's subject is allowed.
	Scope     SpaceDelimitedArray `schema:"scope"`
	// GrantType must be GrantTypeBearer.
	GrantType GrantType           `schema:"grant_type"`
}

func NewJWTProfileGrantRequest

func NewJWTProfileGrantRequest(assertion string, scopes ...string) *JWTProfileGrantRequest

NewJWTProfileGrantRequest creates an OAuth 2.0 JSON Web Token (JWT) Profile grant request (grant_type `urn:ietf:params:oauth:grant-type:jwt-bearer`, RFC 7523) that carries a JWT signed by the client as the assertion.

type JWTTokenRequest

// JWTTokenRequest is the server-side view of a parsed JWT Bearer assertion (RFC 7523) and implements the
// Claims and TokenRequest interfaces, so the assertion can be verified like any other token.
type JWTTokenRequest struct {
	// Issuer is the `iss` claim; it selects the key the signature must verify against.
	Issuer    string              `json:"iss"`
	Subject   string              `json:"sub"`
	// Scopes is not a JWT claim (`json:"-"`); presumably it is filled from the request's scope parameter — confirm.
	Scopes    SpaceDelimitedArray `json:"-"`
	// Audience must identify this authorization server; an assertion for another audience must be rejected.
	Audience  Audience            `json:"aud"`
	IssuedAt  Time                `json:"iat"`
	// ExpiresAt is the mandatory `exp` claim; an absent claim unmarshals to 0 and must not be read as "no expiry".
	ExpiresAt Time                `json:"exp"`
	// contains filtered or unexported fields
}

func (*JWTTokenRequest) GetAudience

func (j *JWTTokenRequest) GetAudience() []string

GetAudience implements the Claims and TokenRequest interfaces

func (*JWTTokenRequest) GetAuthTime

func (j *JWTTokenRequest) GetAuthTime() time.Time

GetAuthTime implements the Claims interface

func (*JWTTokenRequest) GetAuthenticationContextClassReference

func (j *JWTTokenRequest) GetAuthenticationContextClassReference() string

GetAuthenticationContextClassReference implements the Claims interface

func (*JWTTokenRequest) GetAuthorizedParty

func (j *JWTTokenRequest) GetAuthorizedParty() string

GetAuthorizedParty implements the Claims interface

func (*JWTTokenRequest) GetCustomClaim

func (j *JWTTokenRequest) GetCustomClaim(key string) any

func (*JWTTokenRequest) GetExpiration

func (j *JWTTokenRequest) GetExpiration() time.Time

GetExpiration implements the Claims interface

func (*JWTTokenRequest) GetIssuedAt

func (j *JWTTokenRequest) GetIssuedAt() time.Time

GetIssuedAt implements the Claims interface

func (*JWTTokenRequest) GetIssuer

func (j *JWTTokenRequest) GetIssuer() string

GetIssuer implements the Claims interface

func (*JWTTokenRequest) GetNonce

func (j *JWTTokenRequest) GetNonce() string

GetNonce implements the Claims interface

func (*JWTTokenRequest) GetScopes

func (j *JWTTokenRequest) GetScopes() []string

GetScopes implements the TokenRequest interface

func (*JWTTokenRequest) GetSubject

func (j *JWTTokenRequest) GetSubject() string

GetSubject implements the TokenRequest interface

func (*JWTTokenRequest) MarshalJSON

func (j *JWTTokenRequest) MarshalJSON() ([]byte, error)

func (*JWTTokenRequest) SetSignatureAlgorithm

func (j *JWTTokenRequest) SetSignatureAlgorithm(_ jose.SignatureAlgorithm)

SetSignatureAlgorithm implements the Claims interface

func (*JWTTokenRequest) UnmarshalJSON

func (j *JWTTokenRequest) UnmarshalJSON(data []byte) error

type KeySet

type KeySet interface {
	// VerifySignature verifies the signature with the given keyset and returns the raw payload
	// Implementations select the key from the JWS header (`kid`/`alg`) and must reject unknown keys and
	// algorithms they do not support. Callers must only act on the returned payload: the payload obtained
	// from the jws without verification is attacker-controlled until this call has succeeded.
	VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error)
}

KeySet represents a set of JSON Web Keys. Implementations differ in where the keys come from: fetched remotely via discovery and `jwks_uri` (`remoteKeySet`); held by the OP itself in storage (`openIDKeySet`); or aggregated per request for an OAuth JWT Profile assertion (`jwtProfileKeySet`).

type Locale

// Locale wraps a single BCP 47 language tag (see NewLocale / Tag) with JSON (un)marshalling that tolerates
// malformed input; see UnmarshalJSON for the lenient behaviour.
type Locale struct {
	// contains filtered or unexported fields
}

func NewLocale

func NewLocale(tag language.Tag) *Locale

func (*Locale) MarshalJSON

func (l *Locale) MarshalJSON() ([]byte, error)

func (*Locale) String

func (l *Locale) String() string

func (*Locale) Tag

func (l *Locale) Tag() language.Tag

func (*Locale) UnmarshalJSON

func (l *Locale) UnmarshalJSON(data []byte) error

UnmarshalJSON implements json.Unmarshaler. When a language.ValueError is encountered, the contained tag is set to the empty value (language "und") and no error is returned. This state can be checked with the `l.Tag().IsRoot()` method.

type Locales

// Locales is an ordered list of BCP 47 language tags, decoded leniently from a JSON array or a space-separated
// string (see UnmarshalJSON / UnmarshalText); presumably used for the `ui_locales`/`claims_locales` parameters — confirm.
type Locales []language.Tag

func ParseLocales

func ParseLocales(locales []string) Locales

ParseLocales parses a slice of strings into Locales. If an entry causes a parse error or is undefined, it is ignored and not set to Locales.

func (*Locales) UnmarshalJSON

func (l *Locales) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It decodes a JSON array or a space-separated string into Locales. Undefined language tags in the input are ignored and omitted from the resulting Locales.

func (*Locales) UnmarshalText

func (l *Locales) UnmarshalText(text []byte) error

UnmarshalText implements the encoding.TextUnmarshaler interface. It decodes an unquoted space-separated string into Locales. Undefined language tags in the input are ignored and omitted from the resulting Locales.

type MaxAge

// MaxAge is the optional `max_age` Authentication Request parameter: the maximum allowed seconds since the End-User
// last actively authenticated. A pointer is used so that an absent parameter (nil) can be told apart from
// `max_age=0`, which the spec treats like `prompt=login` (force re-authentication).
type MaxAge *uint

func NewMaxAge

func NewMaxAge(i uint) MaxAge

type Prompt

// Prompt is the space-delimited `prompt` Authentication Request parameter
// (values such as "none", "login", "consent", "select_account").
type Prompt SpaceDelimitedArray

type RefreshTokenRequest

type RefreshTokenRequest struct {
	// RefreshToken is a bearer credential; never log it.
	RefreshToken        string              `schema:"refresh_token"`
	// Scopes may only narrow, never widen, the scope originally granted (RFC 6749, section 6).
	Scopes              SpaceDelimitedArray `schema:"scope"`
	// ClientID identifies the client. The server must check the refresh token was issued to this client;
	// this struct does not enforce that.
	ClientID            string              `schema:"client_id"`
	// ClientSecret, ClientAssertion and ClientAssertionType are client credentials (absent for public clients);
	// they must not be logged. See ClientAssertionTypeJWTAssertion for the assertion type.
	ClientSecret        string              `schema:"client_secret"`
	ClientAssertion     string              `schema:"client_assertion"`
	ClientAssertionType string              `schema:"client_assertion_type"`
}

RefreshTokenRequest cannot be encoded into a complete refresh request on its own: the grant_type is not an explicit field of the struct but is implied by the type (see the GrantType method), so the caller is responsible for adding it.

func (*RefreshTokenRequest) GrantType

func (a *RefreshTokenRequest) GrantType() GrantType

func (*RefreshTokenRequest) SetClientID

func (a *RefreshTokenRequest) SetClientID(clientID string)

SetClientID implements op.AuthenticatedTokenRequest

func (*RefreshTokenRequest) SetClientSecret

func (a *RefreshTokenRequest) SetClientSecret(clientSecret string)

SetClientSecret implements op.AuthenticatedTokenRequest

type RequestObject

// RequestObject is the claim set of a signed Request Object passed via the `request` or `request_uri`
// parameter (OpenID Connect Core 1.0, section 6.1), embedding the Authentication Request parameters.
type RequestObject struct {
	// Issuer is the `iss` claim; per Core 6.1 it should be the client_id of the requesting client,
	// and the verifier is expected to check this against the `client_id` of the request.
	Issuer   string   `json:"iss"`
	// Audience is the `aud` claim; per Core 6.1 it should be the OP's issuer identifier.
	Audience Audience `json:"aud"`
	AuthRequest
}

func (*RequestObject) GetIssuer

func (r *RequestObject) GetIssuer() string

func (*RequestObject) SetSignatureAlgorithm

func (*RequestObject) SetSignatureAlgorithm(algorithm jose.SignatureAlgorithm)

type ResponseMode

// ResponseMode is the `response_mode` Authentication Request parameter (e.g. "query", "fragment", "form_post").
// Response types that return tokens directly must not be delivered via "query", because tokens would end up
// in URLs, logs and Referer headers.
type ResponseMode string

type ResponseType

// ResponseType is the `response_type` Authentication Request parameter; see the ResponseType* constants.
type ResponseType string

type RevocationRequest

// RevocationRequest is the form body of an RFC 7009 token revocation request. RFC 7009 requires the client to
// authenticate (confidential clients) and the server to only revoke tokens issued to that client; the credentials
// are not part of this struct.
type RevocationRequest struct {
	// Token is the access or refresh token to revoke.
	Token         string `schema:"token"`
	// TokenTypeHint is only a hint ("access_token" / "refresh_token"); the server must still determine the
	// token type itself and must not fail solely because the hint is wrong (RFC 7009, section 2.1).
	TokenTypeHint string `schema:"token_type_hint"`
}

type SpaceDelimitedArray

// SpaceDelimitedArray is a string slice that is represented as a single space-separated string in JSON, text and
// database form (see MarshalJSON, MarshalText, Scan and Value), as OAuth uses for the `scope` parameter.
type SpaceDelimitedArray []string

func (SpaceDelimitedArray) MarshalJSON

func (s SpaceDelimitedArray) MarshalJSON() ([]byte, error)

func (SpaceDelimitedArray) MarshalText

func (s SpaceDelimitedArray) MarshalText() ([]byte, error)

func (*SpaceDelimitedArray) Scan

func (s *SpaceDelimitedArray) Scan(src any) error

func (SpaceDelimitedArray) String

func (s SpaceDelimitedArray) String() string

func (*SpaceDelimitedArray) UnmarshalJSON

func (s *SpaceDelimitedArray) UnmarshalJSON(data []byte) error

func (*SpaceDelimitedArray) UnmarshalText

func (s *SpaceDelimitedArray) UnmarshalText(text []byte) error

func (SpaceDelimitedArray) Value

func (s SpaceDelimitedArray) Value() (driver.Value, error)

type Time

// Time is a JWT NumericDate claim value stored as int64 (presumably seconds since the Unix epoch; see FromTime / AsTime).
// The zero value means "claim absent": verification code must not treat 0 as a valid timestamp or as "no expiry".
type Time int64

func FromTime

func FromTime(tt time.Time) Time

func NowTime

func NowTime() Time

func (Time) AsTime

func (ts Time) AsTime() time.Time

func (*Time) UnmarshalJSON

func (ts *Time) UnmarshalJSON(data []byte) error

type TokenClaims

type TokenClaims struct {
	// Issuer is the `iss` claim; verifiers must compare it against the expected issuer (see Verifier.Issuer).
	Issuer                              string   `json:"iss,omitempty"`
	// Subject is the `sub` claim, the stable identifier of the End-User (or client) at the issuer.
	Subject                             string   `json:"sub,omitempty"`
	// Audience is the `aud` claim. An RP must reject a token whose audience does not contain its own client_id.
	Audience                            Audience `json:"aud,omitempty"`
	// Expiration, IssuedAt, AuthTime and NotBefore mirror `exp`, `iat`, `auth_time` and `nbf`. An absent claim
	// unmarshals to 0, so verification code must not read 0 as "never expires".
	Expiration                          Time     `json:"exp,omitempty"`
	IssuedAt                            Time     `json:"iat,omitempty"`
	// AuthTime is required in an ID Token when the RP requested `max_age`.
	AuthTime                            Time     `json:"auth_time,omitempty"`
	NotBefore                           Time     `json:"nbf,omitempty"`
	// Nonce echoes the `nonce` sent in the Authentication Request; RPs must compare it with the value stored for the
	// session to prevent replay (see Verifier.Nonce).
	Nonce                               string   `json:"nonce,omitempty"`
	// AuthenticationContextClassReference is the `acr` claim (see Verifier.ACR).
	AuthenticationContextClassReference string   `json:"acr,omitempty"`
	// AuthenticationMethodsReferences is the `amr` claim.
	AuthenticationMethodsReferences     []string `json:"amr,omitempty"`
	// AuthorizedParty is the `azp` claim; when `aud` contains several values it must equal the RP's client_id.
	AuthorizedParty                     string   `json:"azp,omitempty"`
	// ClientID is the `client_id` claim of JWT access tokens (RFC 9068, section 2.2).
	ClientID                            string   `json:"client_id,omitempty"`
	// JWTID is the `jti` claim, a unique token identifier usable for replay detection and revocation lists.
	JWTID                               string   `json:"jti,omitempty"`

	// Additional information set by this framework
	// SignatureAlg is not a claim: it records the JWS `alg` the token carried (see SetSignatureAlgorithm; presumably
	// set by the verifier once the signature has been checked — confirm) and is never serialized.
	SignatureAlg jose.SignatureAlgorithm `json:"-"`
}

TokenClaims contains the base Claims used by all tokens. It implements OpenID Connect Core 1.0, section 2. https://openid.net/specs/openid-connect-core-1_0.html#IDToken And RFC 9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens, section 2.2. https://datatracker.ietf.org/doc/html/rfc9068#name-data-structure

TokenClaims implements the Claims interface, and can be used to extend larger claim types by embedding.

func (*TokenClaims) GetAudience

func (c *TokenClaims) GetAudience() []string

func (*TokenClaims) GetAuthTime

func (c *TokenClaims) GetAuthTime() time.Time

func (*TokenClaims) GetAuthenticationContextClassReference

func (c *TokenClaims) GetAuthenticationContextClassReference() string

func (*TokenClaims) GetAuthorizedParty

func (c *TokenClaims) GetAuthorizedParty() string

func (*TokenClaims) GetExpiration

func (c *TokenClaims) GetExpiration() time.Time

func (*TokenClaims) GetIssuedAt

func (c *TokenClaims) GetIssuedAt() time.Time

func (*TokenClaims) GetIssuer

func (c *TokenClaims) GetIssuer() string

func (*TokenClaims) GetNonce

func (c *TokenClaims) GetNonce() string

func (*TokenClaims) GetSignatureAlgorithm

func (c *TokenClaims) GetSignatureAlgorithm() jose.SignatureAlgorithm

func (*TokenClaims) GetSubject

func (c *TokenClaims) GetSubject() string

func (*TokenClaims) SetSignatureAlgorithm

func (c *TokenClaims) SetSignatureAlgorithm(algorithm jose.SignatureAlgorithm)

type TokenExchangeRequest

// TokenExchangeRequest is the form body of an OAuth 2.0 Token Exchange request (RFC 8693, section 2.1).
// The server must validate both SubjectToken and ActorToken (signature/introspection, expiry, audience) and
// check that the requesting client is allowed to perform the exchange; this struct only carries the parameters.
type TokenExchangeRequest struct {
	// GrantType must be GrantTypeTokenExchange.
	GrantType          GrantType           `schema:"grant_type"`
	// SubjectToken represents the identity on whose behalf the new token is requested; SubjectTokenType says what kind of token it is.
	SubjectToken       string              `schema:"subject_token"`
	SubjectTokenType   TokenType           `schema:"subject_token_type"`
	// ActorToken (optional) identifies the acting party in a delegation scenario; ActorTokenType is required when it is present.
	ActorToken         string              `schema:"actor_token"`
	ActorTokenType     TokenType           `schema:"actor_token_type"`
	// Resource and Audience (both optional, may repeat) constrain where the issued token may be used.
	Resource           []string            `schema:"resource"`
	Audience           Audience            `schema:"audience"`
	// Scopes is the requested scope; it must not exceed what the subject token conveys.
	Scopes             SpaceDelimitedArray `schema:"scope"`
	// RequestedTokenType (optional) names the desired type of the issued token; see the TokenType constants.
	RequestedTokenType TokenType           `schema:"requested_token_type"`
}

type TokenExchangeResponse

// TokenExchangeResponse is the successful response of a Token Exchange (RFC 8693, section 2.2.1).
type TokenExchangeResponse struct {
	// AccessToken is the issued security token; despite the field name its kind is given by IssuedTokenType.
	AccessToken     string              `json:"access_token"` // Can be access token or ID token
	// IssuedTokenType identifies the type of the issued token (one of the TokenType constants).
	IssuedTokenType TokenType           `json:"issued_token_type"`
	// TokenType is the OAuth token_type (e.g. "Bearer"; "N_A" when the issued token is not an access token).
	TokenType       string              `json:"token_type"`
	ExpiresIn       uint64              `json:"expires_in,omitempty"`
	Scopes          SpaceDelimitedArray `json:"scope,omitempty"`
	RefreshToken    string              `json:"refresh_token,omitempty"`
}

type TokenRequest

// TokenRequest is implemented by every request type that can be sent to the Token Endpoint;
// the grant type is reported by a method rather than a field (see RefreshTokenRequest).
type TokenRequest interface {
	// GrantType GrantType `schema:"grant_type"`
	GrantType() GrantType
}

type TokenRequestType

// TokenRequestType is a distinct type with the same underlying representation as GrantType.
type TokenRequestType GrantType

type TokenType

// TokenType is a token type identifier as used by Token Exchange (RFC 8693, section 3) to say what kind of token
// is presented or requested. Use IsSupported to check a value before acting on it.
type TokenType string
const (
	AccessTokenType  TokenType = "urn:ietf:params:oauth:token-type:access_token"
	RefreshTokenType TokenType = "urn:ietf:params:oauth:token-type:refresh_token"
	IDTokenType      TokenType = "urn:ietf:params:oauth:token-type:id_token"
	JWTTokenType     TokenType = "urn:ietf:params:oauth:token-type:jwt"
)

func (TokenType) IsSupported

func (t TokenType) IsSupported() bool

type Tokens

// Tokens bundles the OAuth 2.0 token response with the raw ID Token and its parsed claims.
// C is the claim type the ID Token is decoded into (IDTokenClaims or an extension of it).
type Tokens[C IDClaims] struct {
	*oauth2.Token
	// IDTokenClaims are the claims of IDToken; presumably populated only after the token has been verified — confirm with the caller.
	IDTokenClaims C
	// IDToken is the raw ID Token (compact JWS).
	IDToken       string
}

type UserInfo

type UserInfo struct {
	// Subject is the `sub` claim. Core 5.3.2 requires clients to verify it equals the `sub` of the ID Token;
	// (issuer, sub) is the only stable key for the user — never email or username.
	Subject string `json:"sub,omitempty"`
	UserInfoProfile
	UserInfoEmail
	UserInfoPhone
	Address *UserInfoAddress `json:"address,omitempty"`

	// Claims holds additional claims; excluded from the struct-tag mapping, presumably merged by MarshalJSON/UnmarshalJSON — confirm.
	Claims map[string]any `json:"-"`
}

UserInfo implements OpenID Connect Core 1.0, section 5.1. https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims.

func (*UserInfo) AppendClaims

func (u *UserInfo) AppendClaims(k string, v any)

func (*UserInfo) GetAddress

func (u *UserInfo) GetAddress() *UserInfoAddress

GetAddress is a safe getter that takes care of a possible nil value.

func (*UserInfo) GetSubject

func (u *UserInfo) GetSubject() string

GetSubject implements [rp.SubjectGetter]

func (*UserInfo) MarshalJSON

func (u *UserInfo) MarshalJSON() ([]byte, error)

func (*UserInfo) UnmarshalJSON

func (u *UserInfo) UnmarshalJSON(data []byte) error

type UserInfoAddress

// UserInfoAddress is the `address` claim (OpenID Connect Core 1.0, section 5.1.1).
// All fields are free-form OP-provided strings; escape them before rendering.
type UserInfoAddress struct {
	// Formatted is the full mailing address, possibly containing newlines.
	Formatted     string `json:"formatted,omitempty"`
	StreetAddress string `json:"street_address,omitempty"`
	Locality      string `json:"locality,omitempty"`
	Region        string `json:"region,omitempty"`
	PostalCode    string `json:"postal_code,omitempty"`
	Country       string `json:"country,omitempty"`
}

type UserInfoEmail

// UserInfoEmail holds the claims of the `email` scope.
type UserInfoEmail struct {
	// Email is the End-User's preferred address. Use it for identity or account linking only when EmailVerified is true.
	Email string `json:"email,omitempty"`

	// Handle providers that return email_verified as a string
	// https://forums.aws.amazon.com/thread.jspa?messageID=949441&#949441
	// https://discuss.elastic.co/t/openid-error-after-authenticating-against-aws-cognito/206018/11
	// An absent claim leaves the zero value (false), i.e. "not verified".
	EmailVerified Bool `json:"email_verified,omitempty"`
}

type UserInfoPhone

// UserInfoPhone holds the claims of the `phone` scope.
type UserInfoPhone struct {
	PhoneNumber         string `json:"phone_number,omitempty"`
	// PhoneNumberVerified is a plain bool, unlike UserInfoEmail.EmailVerified which uses the lenient Bool type.
	// NOTE(review): a provider that encodes this claim as the string "true" (as some do for email_verified)
	// will cause an unmarshal error here; consider the same tolerant type for consistency.
	PhoneNumberVerified bool   `json:"phone_number_verified,omitempty"`
}

type UserInfoProfile

// UserInfoProfile holds the claims of the `profile` scope (OpenID Connect Core 1.0, section 5.1).
// All values are supplied by the OP and must be treated as untrusted input when rendered.
type UserInfoProfile struct {
	Name              string  `json:"name,omitempty"`
	GivenName         string  `json:"given_name,omitempty"`
	FamilyName        string  `json:"family_name,omitempty"`
	MiddleName        string  `json:"middle_name,omitempty"`
	Nickname          string  `json:"nickname,omitempty"`
	// Profile, Picture and Website are URLs as sent by the OP; validate the scheme (e.g. https only) before embedding them in HTML.
	Profile           string  `json:"profile,omitempty"`
	Picture           string  `json:"picture,omitempty"`
	Website           string  `json:"website,omitempty"`
	Gender            Gender  `json:"gender,omitempty"`
	// Birthdate is an ISO 8601 date string (YYYY-MM-DD; the year may be 0000 when omitted).
	Birthdate         string  `json:"birthdate,omitempty"`
	Zoneinfo          string  `json:"zoneinfo,omitempty"`
	Locale            *Locale `json:"locale,omitempty"`
	UpdatedAt         Time    `json:"updated_at,omitempty"`
	// PreferredUsername is a display name; it is not guaranteed unique or stable and must not be used as a key.
	PreferredUsername string  `json:"preferred_username,omitempty"`
}

type UserInfoRequest

// UserInfoRequest is the form body of a UserInfo request when the access token is sent as a form parameter.
type UserInfoRequest struct {
	// AccessToken is the bearer token as `access_token` form-encoded body parameter (RFC 6750, section 2.2),
	// presumably as an alternative to the Authorization header — confirm. It must not be placed in the URL
	// query string (RFC 6750, section 2.3), where it would leak into logs and Referer headers.
	AccessToken string `schema:"access_token"`
}

type Verifier

type Verifier struct {
	// Issuer is the expected value of the `iss` claim.
	Issuer            string
	// MaxAgeIAT bounds how far in the past the `iat` claim may lie (0 presumably disables the check — confirm).
	MaxAgeIAT         time.Duration
	// Offset is the clock-skew tolerance, presumably applied to the time-based claims. Keep it small
	// (seconds to a few minutes): every second of offset extends the usable lifetime of every token.
	Offset            time.Duration
	// ClientID is the RP's client_id; it must be contained in `aud` (and equal `azp` when several audiences are present).
	ClientID          string
	// SupportedSignAlgs lists the JWS algorithms accepted for the token signature. Never include "none", and keep
	// the list as narrow as the OP's configuration allows; an empty list presumably falls back to a package default — confirm.
	SupportedSignAlgs []string
	// MaxAge is the maximum accepted age of the authentication, presumably checked against `auth_time` — confirm.
	MaxAge            time.Duration
	// ACR verifies the `acr` claim against the RP's requirements.
	ACR               ACRVerifier
	// KeySet provides the keys used to verify the token signature.
	KeySet            KeySet
	// Nonce returns the nonce the RP sent in the Authentication Request so the `nonce` claim can be compared to it
	// (replay protection). It must return the value bound to the current session, never a static string.
	Nonce             func(ctx context.Context) string
}

Verifier carries configuration for the various token verification functions. Use the package-specific constructor functions to know which values need to be set.
