Documentation
Index
- Constants
- Variables
- func AccessTokenTypeStrings() []string
- func ApplicationTypeStrings() []string
- func AuthCallbackURL(o OpenIDProvider) func(context.Context, string) string
- func AuthMethodsIntrospectionEndpoint(c Configuration) []oidc.AuthMethod
- func AuthMethodsRevocationEndpoint(c Configuration) []oidc.AuthMethod
- func AuthMethodsTokenEndpoint(c Configuration) []oidc.AuthMethod
- func AuthRequestError(w http.ResponseWriter, r *http.Request, authReq ErrAuthRequest, err error, ...)
- func AuthResponse(authReq AuthRequest, authorizer Authorizer, w http.ResponseWriter, ...)
- func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthRequest, ...)
- func AuthResponseFormPost(res http.ResponseWriter, redirectURI string, response any, ...) error
- func AuthResponseToken(w http.ResponseWriter, r *http.Request, authReq AuthRequest, ...)
- func AuthResponseURL(redirectURI string, responseType oidc.ResponseType, ...) (string, error)
- func Authorize(w http.ResponseWriter, r *http.Request, authorizer Authorizer)
- func AuthorizeCallback(w http.ResponseWriter, r *http.Request, authorizer Authorizer)
- func AuthorizeCallbackHandler(authorizer Authorizer) func(http.ResponseWriter, *http.Request)
- func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string, storage Storage) error
- func AuthorizeCodeChallenge(codeVerifier string, challenge *oidc.CodeChallenge) error
- func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (request AuthRequest, client Client, err error)
- func AuthorizeRefreshClient(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (request RefreshTokenRequest, client Client, err error)
- func BuildAuthRequestCode(authReq AuthRequest, crypto Crypto) (string, error)
- func ClientBasicAuth(r *http.Request, storage Storage) (clientID string, err error)
- func ClientCredentialsExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
- func ClientIDFromRequest(r *http.Request, p ClientProvider) (clientID string, authenticated bool, err error)
- func ClientJWTAuth(ctx context.Context, ca oidc.ClientAssertionParams, verifier ClientJWTProfile) (clientID string, err error)
- func CodeChallengeMethods(c Configuration) []oidc.CodeChallengeMethod
- func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
- func ContainsResponseType(types []oidc.ResponseType, responseType oidc.ResponseType) bool
- func ContextWithIssuer(ctx context.Context, issuer string) context.Context
- func CopyRequestObjectToAuthRequest(authReq *oidc.AuthRequest, requestObject *oidc.RequestObject)
- func CreateAccessToken(ctx context.Context, tokenRequest TokenRequest, ...) (accessToken, newRefreshToken string, validity time.Duration, err error)
- func CreateAuthRequestCode(ctx context.Context, authReq AuthRequest, storage Storage, crypto Crypto) (string, error)
- func CreateBearerToken(tokenID, subject string, crypto Crypto) (string, error)
- func CreateClientCredentialsTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator, ...) (*oidc.AccessTokenResponse, error)
- func CreateDeviceTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator, ...) (*oidc.AccessTokenResponse, error)
- func CreateDiscoveryConfig(ctx context.Context, config Configuration, storage DiscoverStorage) *oidc.DiscoveryConfiguration
- func CreateIDToken(ctx context.Context, issuer string, request IDTokenRequest, ...) (string, error)
- func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, exp time.Time, ...) (string, error)
- func CreateJWTTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator) (*oidc.AccessTokenResponse, error)
- func CreateRouter(o OpenIDProvider, interceptors ...HttpInterceptor) chi.Router
- func CreateTokenExchangeResponse(ctx context.Context, tokenExchangeRequest TokenExchangeRequest, client Client, ...) (_ *oidc.TokenExchangeResponse, err error)
- func CreateTokenResponse(ctx context.Context, request IDTokenRequest, client Client, ...) (*oidc.AccessTokenResponse, error)
- func DeviceAccessToken(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
- func DeviceAuthorization(w http.ResponseWriter, r *http.Request, o OpenIDProvider) error
- func DeviceAuthorizationHandler(o OpenIDProvider) func(http.ResponseWriter, *http.Request)
- func Discover(w http.ResponseWriter, config *oidc.DiscoveryConfiguration)
- func EndSession(w http.ResponseWriter, r *http.Request, ender SessionEnder)
- func Exchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
- func GetTokenIDAndSubjectFromToken(ctx context.Context, exchanger Exchanger, token string, ...) (tokenIDOrToken, subject string, claims map[string]any, ok bool)
- func GrantTypes(c Configuration) []oidc.GrantType
- func HTTPLoopbackOrLocalhost(rawURL string) (*url.URL, bool)
- func Introspect(w http.ResponseWriter, r *http.Request, introspector Introspector)
- func IntrospectionSigAlgorithms(c Configuration) []string
- func IsConfidentialType(c Client) bool
- func IssuerFromContext(ctx context.Context) string
- func IssuerFromForwardedOrHost(path string, opts ...IssuerFromOption) func(bool) (IssuerFromRequest, error)
- func IssuerFromHost(path string) func(bool) (IssuerFromRequest, error)
- func JWTProfile(w http.ResponseWriter, r *http.Request, ...)
- func Keys(w http.ResponseWriter, r *http.Request, k KeyProvider)
- func NewDeviceCode(nBytes int) (string, error)
- func NewUserCode(charSet []rune, charAmount, dashInterval int) (string, error)
- func ParseAccessTokenRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.AccessTokenRequest, error)
- func ParseAuthenticatedTokenRequest(r *http.Request, decoder httphelper.Decoder, request AuthenticatedTokenRequest) error
- func ParseAuthorizeCallbackRequest(r *http.Request) (id string, err error)
- func ParseAuthorizeRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.AuthRequest, error)
- func ParseClientCredentialsRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.ClientCredentialsRequest, error)
- func ParseDeviceAccessTokenRequest(r *http.Request, exchanger Exchanger) (*oidc.DeviceAccessTokenRequest, error)
- func ParseDeviceCodeRequest(r *http.Request, o OpenIDProvider) (*oidc.DeviceAuthorizationRequest, error)
- func ParseEndSessionRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.EndSessionRequest, error)
- func ParseJWTProfileGrantRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.JWTProfileGrantRequest, error)
- func ParseJWTProfileRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.JWTProfileGrantRequest, error)
- func ParseRefreshTokenRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.RefreshTokenRequest, error)
- func ParseRequestObject(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, issuer string) error
- func ParseTokenExchangeRequest(r *http.Request, decoder httphelper.Decoder) (_ *oidc.TokenExchangeRequest, clientID, clientSecret string, err error)
- func ParseTokenIntrospectionRequest(r *http.Request, introspector Introspector) (token, clientID string, err error)
- func ParseTokenRevocationRequest(r *http.Request, revoker Revoker) (token, tokenTypeHint, clientID string, err error)
- func ParseUserinfoRequest(r *http.Request, decoder httphelper.Decoder) (string, error)
- func Readiness(w http.ResponseWriter, r *http.Request, probes ...ProbesFn)
- func RedirectToLogin(authReqID string, client Client, w http.ResponseWriter, r *http.Request)
- func RefreshTokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
- func RegisterLegacyServer(s ExtendedLegacyServer, authorizeCallbackHandler http.HandlerFunc, ...) http.Handler
- func RegisterServer(server Server, endpoints Endpoints, options ...ServerOption) http.Handler
- func RequestError(w http.ResponseWriter, r *http.Request, err error, logger *slog.Logger)
- func RequestObjectSigAlgorithms(c Configuration) []string
- func ResponseTypes(c Configuration) []string
- func RevocationRequestError(w http.ResponseWriter, r *http.Request, err error)
- func RevocationSigAlgorithms(c Configuration) []string
- func Revoke(w http.ResponseWriter, r *http.Request, revoker Revoker)
- func Scopes(c Configuration) []string
- func SigAlgorithms(ctx context.Context, storage DiscoverStorage) []string
- func SignerFromKey(key SigningKey) (jose.Signer, error)
- func StaticIssuer(issuer string) func(bool) (IssuerFromRequest, error)
- func SubjectIsIssuer(request *oidc.JWTTokenRequest) error
- func SubjectTypes(c Configuration) []string
- func SupportedClaims(c Configuration) []string
- func TokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
- func TokenSigAlgorithms(c Configuration) []string
- func Userinfo(w http.ResponseWriter, r *http.Request, userinfoProvider UserinfoProvider)
- func ValidateAccessTokenRequest(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, Client, error)
- func ValidateAuthReqIDTokenHint(ctx context.Context, idTokenHint string, verifier *IDTokenHintVerifier) (string, error)
- func ValidateAuthReqPrompt(prompts []string, maxAge *uint) (_ *uint, err error)
- func ValidateAuthReqRedirectURI(client Client, uri string, responseType oidc.ResponseType) error
- func ValidateAuthReqResponseType(client Client, responseType oidc.ResponseType) error
- func ValidateAuthReqScopes(client Client, scopes []string) ([]string, error)
- func ValidateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, ...) (sub string, err error)
- func ValidateClientCredentialsRequest(ctx context.Context, request *oidc.ClientCredentialsRequest, ...) (TokenRequest, Client, error)
- func ValidateEndSessionPostLogoutRedirectURI(postLogoutRedirectURI string, client Client) error
- func ValidateGrantType(client interface{ ... }, grantType oidc.GrantType) bool
- func ValidateIssuer(issuer string, allowInsecure bool) error
- func ValidateIssuerPath(issuer *url.URL) error
- func ValidateRefreshTokenRequest(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (RefreshTokenRequest, Client, error)
- func ValidateRefreshTokenScopes(requestedScopes []string, authRequest RefreshTokenRequest) error
- func ValidateTokenExchangeRequest(ctx context.Context, oidcTokenExchangeRequest *oidc.TokenExchangeRequest, ...) (TokenExchangeRequest, Client, error)
- func VerifyAccessToken[C oidc.Claims](ctx context.Context, token string, v *AccessTokenVerifier) (claims C, err error)
- func VerifyIDTokenHint[C oidc.Claims](ctx context.Context, token string, v *IDTokenHintVerifier) (claims C, err error)
- func VerifyJWTAssertion(ctx context.Context, assertion string, v *JWTProfileVerifier) (*oidc.JWTTokenRequest, error)
- func WriteError(w http.ResponseWriter, r *http.Request, err error, logger *slog.Logger)
- type AccessTokenClient
- type AccessTokenType
- func (i AccessTokenType) IsAAccessTokenType() bool
- func (i AccessTokenType) MarshalGQL(w io.Writer)
- func (i AccessTokenType) MarshalJSON() ([]byte, error)
- func (i AccessTokenType) MarshalText() ([]byte, error)
- func (i AccessTokenType) MarshalYAML() (interface{}, error)
- func (i *AccessTokenType) Scan(value interface{}) error
- func (i AccessTokenType) String() string
- func (i *AccessTokenType) UnmarshalGQL(value interface{}) error
- func (i *AccessTokenType) UnmarshalJSON(data []byte) error
- func (i *AccessTokenType) UnmarshalText(text []byte) error
- func (i *AccessTokenType) UnmarshalYAML(unmarshal func(interface{}) error) error
- func (i AccessTokenType) Value() (driver.Value, error)
- type AccessTokenVerifier
- type AccessTokenVerifierOpt
- type ApplicationType
- func (i ApplicationType) IsAApplicationType() bool
- func (i ApplicationType) MarshalGQL(w io.Writer)
- func (i ApplicationType) MarshalJSON() ([]byte, error)
- func (i ApplicationType) MarshalText() ([]byte, error)
- func (i ApplicationType) MarshalYAML() (interface{}, error)
- func (i *ApplicationType) Scan(value interface{}) error
- func (i ApplicationType) String() string
- func (i *ApplicationType) UnmarshalGQL(value interface{}) error
- func (i *ApplicationType) UnmarshalJSON(data []byte) error
- func (i *ApplicationType) UnmarshalText(text []byte) error
- func (i *ApplicationType) UnmarshalYAML(unmarshal func(interface{}) error) error
- func (i ApplicationType) Value() (driver.Value, error)
- type AuthMethod
- type AuthRequest
- type AuthStorage
- type AuthenticatedTokenRequest
- type AuthorizeValidator
- type Authorizer
- type CanSetUserinfoFromRequest
- type CanTerminateSessionFromRequest
- type Client
- func AuthorizeClientCredentialsClient(ctx context.Context, request *oidc.ClientCredentialsRequest, ...) (Client, error)
- func AuthorizePrivateJWTKey(ctx context.Context, clientAssertion string, ...) (Client, error)
- func AuthorizeTokenExchangeClient(ctx context.Context, clientID, clientSecret string, exchanger Exchanger) (client Client, err error)
- type ClientCredentials
- type ClientCredentialsStorage
- type ClientJWTProfile
- type ClientProvider
- type ClientRequest
- type Config
- type Configuration
- type Crypto
- type DeviceAuthorizationConfig
- type DeviceAuthorizationState
- func (r *DeviceAuthorizationState) GetAMR() []string
- func (r *DeviceAuthorizationState) GetAudience() []string
- func (r *DeviceAuthorizationState) GetAuthTime() time.Time
- func (r *DeviceAuthorizationState) GetClientID() string
- func (r *DeviceAuthorizationState) GetScopes() []string
- func (r *DeviceAuthorizationState) GetSubject() string
- type DeviceAuthorizationStorage
- type DiscoverStorage
- type EndSessionRequest
- type Endpoint
- type Endpoints
- type ErrAuthRequest
- type Exchanger
- type ExtendedLegacyServer
- type HasRedirectGlobs
- type HttpInterceptor
- type IDTokenHintExpiredError
- type IDTokenHintVerifier
- type IDTokenHintVerifierOpt
- type IDTokenRequest
- type IntrospectionRequest
- type Introspector
- type IntrospectorJWTProfile
- type IssuerFromOption
- type IssuerFromRequest
- type IssuerInterceptor
- type JWTAuthorizationGrantExchanger
- type JWTProfileKeyStorage
- type JWTProfileTokenStorage
- type JWTProfileVerifier
- type JWTProfileVerifierOption
- type Key
- type KeyProvider
- type LegacyServer
- func (s *LegacyServer) AuthCallbackURL() func(context.Context, string) string
- func (s *LegacyServer) Authorize(ctx context.Context, r *ClientRequest[oidc.AuthRequest]) (_ *Redirect, err error)
- func (s *LegacyServer) ClientCredentialsExchange(ctx context.Context, r *ClientRequest[oidc.ClientCredentialsRequest]) (*Response, error)
- func (s *LegacyServer) CodeExchange(ctx context.Context, r *ClientRequest[oidc.AccessTokenRequest]) (*Response, error)
- func (s *LegacyServer) DeviceAuthorization(ctx context.Context, r *ClientRequest[oidc.DeviceAuthorizationRequest]) (*Response, error)
- func (s *LegacyServer) DeviceToken(ctx context.Context, r *ClientRequest[oidc.DeviceAccessTokenRequest]) (*Response, error)
- func (s *LegacyServer) Discovery(ctx context.Context, r *Request[struct{}]) (*Response, error)
- func (s *LegacyServer) EndSession(ctx context.Context, r *Request[oidc.EndSessionRequest]) (*Redirect, error)
- func (s *LegacyServer) Endpoints() Endpoints
- func (s *LegacyServer) Health(_ context.Context, r *Request[struct{}]) (*Response, error)
- func (s *LegacyServer) Introspect(ctx context.Context, r *Request[IntrospectionRequest]) (*Response, error)
- func (s *LegacyServer) JWTProfile(ctx context.Context, r *Request[oidc.JWTProfileGrantRequest]) (*Response, error)
- func (s *LegacyServer) Keys(ctx context.Context, r *Request[struct{}]) (*Response, error)
- func (s *LegacyServer) Provider() OpenIDProvider
- func (s *LegacyServer) Ready(ctx context.Context, r *Request[struct{}]) (*Response, error)
- func (s *LegacyServer) RefreshToken(ctx context.Context, r *ClientRequest[oidc.RefreshTokenRequest]) (*Response, error)
- func (s *LegacyServer) Revocation(ctx context.Context, r *ClientRequest[oidc.RevocationRequest]) (*Response, error)
- func (s *LegacyServer) TokenExchange(ctx context.Context, r *ClientRequest[oidc.TokenExchangeRequest]) (*Response, error)
- func (s *LegacyServer) UserInfo(ctx context.Context, r *Request[oidc.UserInfoRequest]) (*Response, error)
- func (s *LegacyServer) VerifyAuthRequest(ctx context.Context, r *Request[oidc.AuthRequest]) (*ClientRequest[oidc.AuthRequest], error)
- func (s *LegacyServer) VerifyClient(ctx context.Context, r *Request[ClientCredentials]) (Client, error)
- type LogAuthRequest
- type OPStorage
- type OpenIDKeySet
- type OpenIDProvider
- type Option
- func WithAccessTokenKeySet(keySet oidc.KeySet) Option
- func WithAccessTokenVerifierOpts(opts ...AccessTokenVerifierOpt) Option
- func WithAllowInsecure() Option
- func WithCORSOptions(opts *cors.Options) Option
- func WithCustomAuthEndpoint(endpoint *Endpoint) Option
- func WithCustomDeviceAuthorizationEndpoint(endpoint *Endpoint) Option
- func WithCustomEndSessionEndpoint(endpoint *Endpoint) Option
- func WithCustomEndpoints(auth, token, userInfo, revocation, endSession, keys *Endpoint) Option
- func WithCustomIntrospectionEndpoint(endpoint *Endpoint) Option
- func WithCustomKeysEndpoint(endpoint *Endpoint) Option
- func WithCustomRevocationEndpoint(endpoint *Endpoint) Option
- func WithCustomTokenEndpoint(endpoint *Endpoint) Option
- func WithCustomUserinfoEndpoint(endpoint *Endpoint) Option
- func WithHttpInterceptors(interceptors ...HttpInterceptor) Option
- func WithIDTokenHintKeySet(keySet oidc.KeySet) Option
- func WithIDTokenHintVerifierOpts(opts ...IDTokenHintVerifierOpt) Option
- func WithLogger(logger *slog.Logger) Option
- type ProbesFn
- type Provider
- func NewDynamicOpenIDProvider(path string, config *Config, storage Storage, opOpts ...Option) (*Provider, error) (deprecated)
- func NewForwardedOpenIDProvider(path string, config *Config, storage Storage, opOpts ...Option) (*Provider, error) (deprecated)
- func NewOpenIDProvider(issuer string, config *Config, storage Storage, opOpts ...Option) (*Provider, error) (deprecated)
- func NewProvider(config *Config, storage Storage, ...) (_ *Provider, err error)
- func (o *Provider) AccessTokenVerifier(ctx context.Context) *AccessTokenVerifier
- func (o *Provider) AuthMethodPostSupported() bool
- func (o *Provider) AuthMethodPrivateKeyJWTSupported() bool
- func (o *Provider) AuthorizationEndpoint() *Endpoint
- func (o *Provider) CORSOptions() *cors.Options
- func (o *Provider) CodeMethodS256Supported() bool
- func (o *Provider) Crypto() Crypto
- func (o *Provider) Decoder() httphelper.Decoder
- func (o *Provider) DefaultLogoutRedirectURI() string
- func (o *Provider) DeviceAuthorization() DeviceAuthorizationConfig
- func (o *Provider) DeviceAuthorizationEndpoint() *Endpoint
- func (o *Provider) Encoder() httphelper.Encoder
- func (o *Provider) EndSessionEndpoint() *Endpoint
- func (o *Provider) GrantTypeClientCredentialsSupported() bool
- func (o *Provider) GrantTypeDeviceCodeSupported() bool
- func (o *Provider) GrantTypeJWTAuthorizationSupported() bool
- func (o *Provider) GrantTypeRefreshTokenSupported() bool
- func (o *Provider) GrantTypeTokenExchangeSupported() bool
- func (o *Provider) HttpHandler() http.Handler (deprecated)
- func (o *Provider) IDTokenHintVerifier(ctx context.Context) *IDTokenHintVerifier
- func (o *Provider) Insecure() bool
- func (o *Provider) IntrospectionAuthMethodPrivateKeyJWTSupported() bool
- func (o *Provider) IntrospectionEndpoint() *Endpoint
- func (o *Provider) IntrospectionEndpointSigningAlgorithmsSupported() []string
- func (o *Provider) IssuerFromRequest(r *http.Request) string
- func (o *Provider) JWTProfileVerifier(ctx context.Context) *JWTProfileVerifier
- func (o *Provider) KeysEndpoint() *Endpoint
- func (o *Provider) Logger() *slog.Logger
- func (o *Provider) Probes() []ProbesFn
- func (o *Provider) RequestObjectSigningAlgorithmsSupported() []string
- func (o *Provider) RequestObjectSupported() bool
- func (o *Provider) RevocationAuthMethodPrivateKeyJWTSupported() bool
- func (o *Provider) RevocationEndpoint() *Endpoint
- func (o *Provider) RevocationEndpointSigningAlgorithmsSupported() []string
- func (o *Provider) Storage() Storage
- func (o *Provider) SupportedUILocales() []language.Tag
- func (o *Provider) TokenEndpoint() *Endpoint
- func (o *Provider) TokenEndpointSigningAlgorithmsSupported() []string
- func (o *Provider) UserinfoEndpoint() *Endpoint
- type Redirect
- type RefreshTokenRequest
- type Request
- type Response
- type Revoker
- type RevokerJWTProfile
- type Server
- type ServerOption
- func WithDecoder(decoder httphelper.Decoder) ServerOption
- func WithFallbackLogger(logger *slog.Logger) ServerOption
- func WithHTTPMiddleware(m ...func(http.Handler) http.Handler) ServerOption
- func WithServerCORSOptions(opts *cors.Options) ServerOption
- func WithSetRouter(set func(chi.Router)) ServerOption
- type SessionEnder
- type SigningKey
- type Status
- type StatusError
- type Storage
- type StorageNotFoundError
- type TokenActorRequest
- type TokenCreator
- type TokenExchangeRequest
- type TokenExchangeStorage
- type TokenExchangeTokensVerifierStorage
- type TokenRequest
- type UnimplementedServer
- func (UnimplementedServer) Authorize(ctx context.Context, r *ClientRequest[oidc.AuthRequest]) (*Redirect, error)
- func (UnimplementedServer) ClientCredentialsExchange(ctx context.Context, r *ClientRequest[oidc.ClientCredentialsRequest]) (*Response, error)
- func (UnimplementedServer) CodeExchange(ctx context.Context, r *ClientRequest[oidc.AccessTokenRequest]) (*Response, error)
- func (UnimplementedServer) DeviceAuthorization(ctx context.Context, r *ClientRequest[oidc.DeviceAuthorizationRequest]) (*Response, error)
- func (UnimplementedServer) DeviceToken(ctx context.Context, r *ClientRequest[oidc.DeviceAccessTokenRequest]) (*Response, error)
- func (UnimplementedServer) Discovery(ctx context.Context, r *Request[struct{}]) (*Response, error)
- func (UnimplementedServer) EndSession(ctx context.Context, r *Request[oidc.EndSessionRequest]) (*Redirect, error)
- func (UnimplementedServer) Health(ctx context.Context, r *Request[struct{}]) (*Response, error)
- func (UnimplementedServer) Introspect(ctx context.Context, r *Request[IntrospectionRequest]) (*Response, error)
- func (UnimplementedServer) JWTProfile(ctx context.Context, r *Request[oidc.JWTProfileGrantRequest]) (*Response, error)
- func (UnimplementedServer) Keys(ctx context.Context, r *Request[struct{}]) (*Response, error)
- func (UnimplementedServer) Ready(ctx context.Context, r *Request[struct{}]) (*Response, error)
- func (UnimplementedServer) RefreshToken(ctx context.Context, r *ClientRequest[oidc.RefreshTokenRequest]) (*Response, error)
- func (UnimplementedServer) Revocation(ctx context.Context, r *ClientRequest[oidc.RevocationRequest]) (*Response, error)
- func (UnimplementedServer) TokenExchange(ctx context.Context, r *ClientRequest[oidc.TokenExchangeRequest]) (*Response, error)
- func (UnimplementedServer) UserInfo(ctx context.Context, r *Request[oidc.UserInfoRequest]) (*Response, error)
- func (UnimplementedServer) VerifyAuthRequest(ctx context.Context, r *Request[oidc.AuthRequest]) (*ClientRequest[oidc.AuthRequest], error)
- func (UnimplementedServer) VerifyClient(ctx context.Context, r *Request[ClientCredentials]) (Client, error)
- type UserCodeConfig
- type UserinfoProvider
Constants
const ( CharSetBase20 = "BCDFGHJKLMNPQRSTVWXZ" CharSetDigits = "0123456789" )
const RecommendedDeviceCodeBytes = 16
16 bytes gives 128 bits of entropy, which results in a 22-character base64-encoded string.
Variables
var ( ErrInvalidAuthHeader = errors.New("invalid basic auth header") ErrNoClientCredentials = errors.New("no client credentials provided") ErrMissingClientID = errors.New("client_id missing from request") )
var ( ErrInvalidIssuerPath = errors.New("no fragments or query allowed for issuer") ErrInvalidIssuerNoIssuer = errors.New("missing issuer") ErrInvalidIssuerURL = errors.New("invalid url for issuer") ErrInvalidIssuerMissingHost = errors.New("host for issuer missing") ErrInvalidIssuerHTTPS = errors.New("scheme for issuer must be `https`") )
var ( UserCodeBase20 = UserCodeConfig{ CharSet: CharSetBase20, CharAmount: 8, DashInterval: 4, } UserCodeDigits = UserCodeConfig{ CharSet: CharSetDigits, CharAmount: 9, DashInterval: 3, } )
var ( DefaultEndpoints = &Endpoints{ Authorization: NewEndpoint(defaultAuthorizationEndpoint), Token: NewEndpoint(defaultTokenEndpoint), Introspection: NewEndpoint(defaultIntrospectEndpoint), Userinfo: NewEndpoint(defaultUserinfoEndpoint), Revocation: NewEndpoint(defaultRevocationEndpoint), EndSession: NewEndpoint(defaultEndSessionEndpoint), JwksURI: NewEndpoint(defaultKeysEndpoint), DeviceAuthorization: NewEndpoint(defaultDeviceAuthzEndpoint), } DefaultSupportedClaims = []string{ "sub", "aud", "exp", "iat", "iss", "auth_time", "nonce", "acr", "amr", "c_hash", "at_hash", "act", "scopes", "client_id", "azp", "preferred_username", "name", "family_name", "given_name", "locale", "email", "email_verified", "phone_number", "phone_number_verified", } )
var ( ErrAuthReqMissingClientID = errors.New("auth request is missing client_id") ErrAuthReqMissingRedirectURI = errors.New("auth request is missing redirect_uri") )
var DefaultSupportedScopes = []string{ oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopePhone, oidc.ScopeAddress, oidc.ScopeOfflineAccess, }
var ErrDuplicateUserCode = errors.New("user code already exists")
var ErrInvalidRefreshToken = errors.New("invalid_refresh_token")
var ErrNilEndpoint = errors.New("nil endpoint")
var ErrSignerCreationFailed = errors.New("signer creation failed")
var UnimplementedStatusCode = http.StatusNotFound
UnimplementedStatusCode is the status code returned for methods that are not yet implemented. Note that this means methods in the sense of the Go interface, not HTTP methods, which are covered by "501 Not Implemented".
Functions
func AccessTokenTypeStrings
func AccessTokenTypeStrings() []string
AccessTokenTypeStrings returns a slice of all String values of the enum.
func ApplicationTypeStrings
func ApplicationTypeStrings() []string
ApplicationTypeStrings returns a slice of all String values of the enum.
func AuthCallbackURL
func AuthCallbackURL(o OpenIDProvider) func(context.Context, string) string
AuthCallbackURL builds the URL for the redirect (with the requestID) after a successful login.
func AuthMethodsIntrospectionEndpoint
func AuthMethodsIntrospectionEndpoint(c Configuration) []oidc.AuthMethod
func AuthMethodsRevocationEndpoint
func AuthMethodsRevocationEndpoint(c Configuration) []oidc.AuthMethod
func AuthMethodsTokenEndpoint
func AuthMethodsTokenEndpoint(c Configuration) []oidc.AuthMethod
func AuthRequestError
func AuthRequestError(w http.ResponseWriter, r *http.Request, authReq ErrAuthRequest, err error, authorizer Authorizer)
func AuthResponse
func AuthResponse(authReq AuthRequest, authorizer Authorizer, w http.ResponseWriter, r *http.Request)
AuthResponse creates the successful authentication response (either code or tokens).
func AuthResponseCode
func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer)
AuthResponseCode creates the successful code authentication response.
func AuthResponseFormPost (added in v3.14.0)
func AuthResponseFormPost(res http.ResponseWriter, redirectURI string, response any, encoder httphelper.Encoder) error
AuthResponseFormPost responds with an HTML page that automatically submits a form containing the auth response parameters.
func AuthResponseToken
func AuthResponseToken(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer, client Client)
AuthResponseToken creates the successful token(s) authentication response.
func AuthResponseURL
func AuthResponseURL(redirectURI string, responseType oidc.ResponseType, responseMode oidc.ResponseMode, response any, encoder httphelper.Encoder) (string, error)
AuthResponseURL encodes the authorization response (successful or error) and sets it as query or fragment values depending on the response_mode and response_type.
func Authorize
func Authorize(w http.ResponseWriter, r *http.Request, authorizer Authorizer)
Authorize handles the authorization request, including parsing, validating, storing and finally redirecting to the login handler.
func AuthorizeCallback
func AuthorizeCallback(w http.ResponseWriter, r *http.Request, authorizer Authorizer)
AuthorizeCallback handles the callback after authentication in the Login UI.
func AuthorizeCallbackHandler (added in v3.23.0)
func AuthorizeCallbackHandler(authorizer Authorizer) func(http.ResponseWriter, *http.Request)
func AuthorizeClientIDSecret
func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string, storage Storage) error
AuthorizeClientIDSecret authorizes a client by validating the client_id and client_secret (sent via Basic Auth or POST).
func AuthorizeCodeChallenge
func AuthorizeCodeChallenge(codeVerifier string, challenge *oidc.CodeChallenge) error
AuthorizeCodeChallenge authorizes a client by validating the code_verifier against the code_challenge previously sent with the auth request (PKCE).
func AuthorizeCodeClient
func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (request AuthRequest, client Client, err error)
AuthorizeCodeClient checks the authorization of the client and that the authentication method used is the one previously registered. It then returns the auth request corresponding to the auth code.
func AuthorizeRefreshClient
func AuthorizeRefreshClient(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (request RefreshTokenRequest, client Client, err error)
AuthorizeRefreshClient checks the authorization of the client and that the authentication method used is the one previously registered. It then returns the data representing the original auth request corresponding to the refresh_token.
func BuildAuthRequestCode
func BuildAuthRequestCode(authReq AuthRequest, crypto Crypto) (string, error)
BuildAuthRequestCode builds the string representation of the auth code.
func ClientBasicAuth
func ClientCredentialsExchange
func ClientCredentialsExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
ClientCredentialsExchange handles the OAuth 2.0 client_credentials grant, including parsing, validating, authorizing the client and finally returning a token.
func ClientIDFromRequest
func ClientIDFromRequest(r *http.Request, p ClientProvider) (clientID string, authenticated bool, err error)
ClientIDFromRequest parses the request form, tries to obtain the client ID and reports whether the client is authenticated, using either a JWT assertion or static client secrets over HTTP basic auth.
If the Provider implements IntrospectorJWTProfile and "client_assertion" is present in the form data, the JWT assertion is verified and the client ID is taken from it. If either of these is absent, basic auth is attempted. In the absence of basic auth data, the unauthenticated client ID from the form data is returned and authenticated reports false; callers must not treat such a client ID as proof of identity.
If no client ID can be obtained by any method, oidc.ErrInvalidClient is returned with ErrMissingClientID wrapped in it.
func ClientJWTAuth
func ClientJWTAuth(ctx context.Context, ca oidc.ClientAssertionParams, verifier ClientJWTProfile) (clientID string, err error)
func CodeChallengeMethods
func CodeChallengeMethods(c Configuration) []oidc.CodeChallengeMethod
func CodeExchange
func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
CodeExchange handles the OAuth 2.0 authorization_code grant, including parsing, validating, authorizing the client and finally exchanging the code for tokens.
func ContainsResponseType
func ContainsResponseType(types []oidc.ResponseType, responseType oidc.ResponseType) bool
func ContextWithIssuer
ContextWithIssuer returns a new context with the given issuer set on it.
func CopyRequestObjectToAuthRequest ¶
func CopyRequestObjectToAuthRequest(authReq *oidc.AuthRequest, requestObject *oidc.RequestObject)
CopyRequestObjectToAuthRequest overwrites present values from the Request Object into the auth request and clears the `RequestParam` of the auth request
func CreateAccessToken ¶
func CreateAccessToken(ctx context.Context, tokenRequest TokenRequest, accessTokenType AccessTokenType, creator TokenCreator, client AccessTokenClient, refreshToken string) (accessToken, newRefreshToken string, validity time.Duration, err error)
func CreateAuthRequestCode ¶
func CreateAuthRequestCode(ctx context.Context, authReq AuthRequest, storage Storage, crypto Crypto) (string, error)
CreateAuthRequestCode creates and stores a code for the auth code response
func CreateBearerToken ¶
func CreateClientCredentialsTokenResponse ¶
func CreateClientCredentialsTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator, client Client) (*oidc.AccessTokenResponse, error)
func CreateDeviceTokenResponse ¶
func CreateDeviceTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator, client Client) (*oidc.AccessTokenResponse, error)
func CreateDiscoveryConfig ¶
func CreateDiscoveryConfig(ctx context.Context, config Configuration, storage DiscoverStorage) *oidc.DiscoveryConfiguration
func CreateIDToken ¶
func CreateJWTTokenResponse ¶
func CreateJWTTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator) (*oidc.AccessTokenResponse, error)
CreateJWTTokenResponse creates an access_token response for a JWT Profile Grant request. By default the access_token is an opaque string, but this can be changed by implementing the JWTProfileTokenStorage interface.
func CreateRouter ¶
func CreateRouter(o OpenIDProvider, interceptors ...HttpInterceptor) chi.Router
func CreateTokenExchangeResponse ¶
func CreateTokenExchangeResponse( ctx context.Context, tokenExchangeRequest TokenExchangeRequest, client Client, creator TokenCreator, ) (_ *oidc.TokenExchangeResponse, err error)
func CreateTokenResponse ¶
func CreateTokenResponse(ctx context.Context, request IDTokenRequest, client Client, creator TokenCreator, createAccessToken bool, code, refreshToken string) (*oidc.AccessTokenResponse, error)
func DeviceAccessToken ¶
func DeviceAccessToken(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
func DeviceAuthorization ¶
func DeviceAuthorization(w http.ResponseWriter, r *http.Request, o OpenIDProvider) error
func DeviceAuthorizationHandler ¶
func DeviceAuthorizationHandler(o OpenIDProvider) func(http.ResponseWriter, *http.Request)
func Discover ¶
func Discover(w http.ResponseWriter, config *oidc.DiscoveryConfiguration)
func EndSession ¶
func EndSession(w http.ResponseWriter, r *http.Request, ender SessionEnder)
func Exchange ¶
func Exchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
Exchange performs a token exchange appropriate for the grant type
func GrantTypes ¶
func GrantTypes(c Configuration) []oidc.GrantType
func Introspect ¶
func Introspect(w http.ResponseWriter, r *http.Request, introspector Introspector)
func IntrospectionSigAlgorithms ¶
func IntrospectionSigAlgorithms(c Configuration) []string
func IsConfidentialType ¶
func IssuerFromContext ¶
IssuerFromContext reads the issuer from the context (set by an IssuerInterceptor). It returns an empty string if no issuer is found.
func IssuerFromForwardedOrHost ¶
func IssuerFromForwardedOrHost(path string, opts ...IssuerFromOption) func(bool) (IssuerFromRequest, error)
IssuerFromForwardedOrHost tries to establish the Issuer based on the Forwarded header host field. If multiple Forwarded headers are present, the first mention of the host field will be used. If the Forwarded header is not present, no host field is found, or there is a parser error the Request Host will be used as a fallback. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
func IssuerFromHost ¶
func IssuerFromHost(path string) func(bool) (IssuerFromRequest, error)
func JWTProfile ¶
func JWTProfile(w http.ResponseWriter, r *http.Request, exchanger JWTAuthorizationGrantExchanger)
JWTProfile handles the OAuth 2.0 JWT Profile Authorization Grant https://tools.ietf.org/html/rfc7523#section-2.1
func Keys ¶
func Keys(w http.ResponseWriter, r *http.Request, k KeyProvider)
func NewDeviceCode ¶
func ParseAccessTokenRequest ¶
func ParseAccessTokenRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.AccessTokenRequest, error)
ParseAccessTokenRequest parses the http request into an oidc.AccessTokenRequest
func ParseAuthenticatedTokenRequest ¶
func ParseAuthenticatedTokenRequest(r *http.Request, decoder httphelper.Decoder, request AuthenticatedTokenRequest) error
ParseAuthenticatedTokenRequest parses the client_id and client_secret from the HTTP request from either HTTP Basic Auth header or form body and sets them into the provided authenticatedTokenRequest interface
func ParseAuthorizeRequest ¶
func ParseAuthorizeRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.AuthRequest, error)
ParseAuthorizeRequest parses the http request into an oidc.AuthRequest
func ParseClientCredentialsRequest ¶
func ParseClientCredentialsRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.ClientCredentialsRequest, error)
ParseClientCredentialsRequest parses the http request into an oidc.ClientCredentialsRequest
func ParseDeviceCodeRequest ¶
func ParseDeviceCodeRequest(r *http.Request, o OpenIDProvider) (*oidc.DeviceAuthorizationRequest, error)
func ParseEndSessionRequest ¶
func ParseEndSessionRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.EndSessionRequest, error)
func ParseJWTProfileGrantRequest ¶
func ParseJWTProfileGrantRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.JWTProfileGrantRequest, error)
func ParseJWTProfileRequest ¶
func ParseJWTProfileRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.JWTProfileGrantRequest, error)
ParseJWTProfileRequest has been renamed to ParseJWTProfileGrantRequest
deprecated: use ParseJWTProfileGrantRequest
func ParseRefreshTokenRequest ¶
func ParseRefreshTokenRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.RefreshTokenRequest, error)
ParseRefreshTokenRequest parses the http request into an oidc.RefreshTokenRequest
func ParseRequestObject ¶
func ParseRequestObject(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, issuer string) error
ParseRequestObject parses the `request` parameter, validates the token including its signature, and copies the token claims into the auth request
func ParseTokenExchangeRequest ¶
func ParseTokenExchangeRequest(r *http.Request, decoder httphelper.Decoder) (_ *oidc.TokenExchangeRequest, clientID, clientSecret string, err error)
ParseTokenExchangeRequest parses the http request into oidc.TokenExchangeRequest
func ParseTokenIntrospectionRequest ¶
func ParseTokenIntrospectionRequest(r *http.Request, introspector Introspector) (token, clientID string, err error)
func ParseUserinfoRequest ¶
func RedirectToLogin ¶
RedirectToLogin redirects the end user to the Login UI for authentication
func RefreshTokenExchange ¶
func RefreshTokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
RefreshTokenExchange handles the OAuth 2.0 refresh_token grant, including parsing, validating, authorizing the client and finally exchanging the refresh_token for new tokens
func RegisterLegacyServer ¶ added in v3.1.0
func RegisterLegacyServer(s ExtendedLegacyServer, authorizeCallbackHandler http.HandlerFunc, options ...ServerOption) http.Handler
RegisterLegacyServer registers a LegacyServer or an extension thereof. It takes care of registering the IssuerFromRequest middleware. The authorizeCallbackHandler is registered on `/callback` under the authorization endpoint. Neither are part of the bare Server interface.
EXPERIMENTAL: may change until v4
func RegisterServer ¶
func RegisterServer(server Server, endpoints Endpoints, options ...ServerOption) http.Handler
RegisterServer registers an implementation of Server. The resulting handler takes care of routing and request parsing, with some basic validation of required fields. The routes can be customized with [WithEndpoints].
EXPERIMENTAL: may change until v4
func RequestError ¶
func RequestObjectSigAlgorithms ¶
func RequestObjectSigAlgorithms(c Configuration) []string
func ResponseTypes ¶
func ResponseTypes(c Configuration) []string
func RevocationRequestError ¶
func RevocationRequestError(w http.ResponseWriter, r *http.Request, err error)
func RevocationSigAlgorithms ¶
func RevocationSigAlgorithms(c Configuration) []string
func Scopes ¶
func Scopes(c Configuration) []string
func SigAlgorithms ¶
func SigAlgorithms(ctx context.Context, storage DiscoverStorage) []string
func SignerFromKey ¶
func SignerFromKey(key SigningKey) (jose.Signer, error)
func StaticIssuer ¶
func StaticIssuer(issuer string) func(bool) (IssuerFromRequest, error)
func SubjectTypes ¶
func SubjectTypes(c Configuration) []string
func SupportedClaims ¶
func SupportedClaims(c Configuration) []string
func TokenExchange ¶
func TokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
TokenExchange handles the OAuth 2.0 token exchange grant ("urn:ietf:params:oauth:grant-type:token-exchange")
func TokenSigAlgorithms ¶
func TokenSigAlgorithms(c Configuration) []string
func Userinfo ¶
func Userinfo(w http.ResponseWriter, r *http.Request, userinfoProvider UserinfoProvider)
func ValidateAccessTokenRequest ¶
func ValidateAccessTokenRequest(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, Client, error)
ValidateAccessTokenRequest validates the token request parameters, including the authorization check of the client, and returns the previously created auth request corresponding to the auth code
func ValidateAuthReqIDTokenHint ¶
func ValidateAuthReqIDTokenHint(ctx context.Context, idTokenHint string, verifier *IDTokenHintVerifier) (string, error)
ValidateAuthReqIDTokenHint validates the id_token_hint (if passed as parameter in the request) and returns the `sub` claim
func ValidateAuthReqPrompt ¶
ValidateAuthReqPrompt validates the passed prompt values and sets max_age to 0 if prompt login is present
func ValidateAuthReqRedirectURI ¶
func ValidateAuthReqRedirectURI(client Client, uri string, responseType oidc.ResponseType) error
ValidateAuthReqRedirectURI validates the passed redirect_uri and response_type to the registered uris and client type
func ValidateAuthReqResponseType ¶
func ValidateAuthReqResponseType(client Client, responseType oidc.ResponseType) error
ValidateAuthReqResponseType validates the passed response_type to the registered response types
func ValidateAuthReqScopes ¶
ValidateAuthReqScopes validates the passed scopes
func ValidateAuthRequest ¶
func ValidateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, verifier *IDTokenHintVerifier) (sub string, err error)
ValidateAuthRequest validates the authorize parameters and returns the userID of the id_token_hint if passed
func ValidateClientCredentialsRequest ¶
func ValidateClientCredentialsRequest(ctx context.Context, request *oidc.ClientCredentialsRequest, exchanger Exchanger) (TokenRequest, Client, error)
ValidateClientCredentialsRequest validates the client_credentials request parameters including authorization check of the client and returns a TokenRequest and Client implementation to be used in the client_credentials response, resp. creation of the corresponding access_token.
func ValidateGrantType ¶
func ValidateGrantType(client interface{ GrantTypes() []oidc.GrantType }, grantType oidc.GrantType) bool
ValidateGrantType ensures that the requested grant_type is allowed by the client
func ValidateIssuer ¶
func ValidateIssuerPath ¶
func ValidateRefreshTokenRequest ¶
func ValidateRefreshTokenRequest(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (RefreshTokenRequest, Client, error)
ValidateRefreshTokenRequest validates the refresh_token request parameters including authorization check of the client and returns the data representing the original auth request corresponding to the refresh_token
func ValidateRefreshTokenScopes ¶
func ValidateRefreshTokenScopes(requestedScopes []string, authRequest RefreshTokenRequest) error
ValidateRefreshTokenScopes validates that the requested scopes are a subset of the original auth request scopes. It sets the requested scopes as the current scopes on the RefreshTokenRequest; if the requested scopes are empty, the original scopes are used.
func ValidateTokenExchangeRequest ¶
func ValidateTokenExchangeRequest( ctx context.Context, oidcTokenExchangeRequest *oidc.TokenExchangeRequest, clientID, clientSecret string, exchanger Exchanger, ) (TokenExchangeRequest, Client, error)
ValidateTokenExchangeRequest validates the token exchange request parameters including authorization check of the client, subject_token and actor_token
func VerifyAccessToken ¶
func VerifyAccessToken[C oidc.Claims](ctx context.Context, token string, v *AccessTokenVerifier) (claims C, err error)
VerifyAccessToken validates the access token (issuer, signature and expiration).
Example (CustomClaims) ¶
package main

import (
	"context"
	"fmt"

	tu "github.com/zitadel/oidc/v3/internal/testutil"
	"github.com/zitadel/oidc/v3/pkg/oidc"
	"github.com/zitadel/oidc/v3/pkg/op"
)

// MyCustomClaims embeds oidc.TokenClaims and therefore satisfies the
// oidc.Claims interface. Custom claims are declared as typed struct
// fields rather than being read out of a generic map.
type MyCustomClaims struct {
	oidc.TokenClaims
	NotBefore            oidc.Time `json:"nbf,omitempty"`
	CodeHash             string    `json:"c_hash,omitempty"`
	SessionID            string    `json:"sid,omitempty"`
	Scopes               []string  `json:"scope,omitempty"`
	AccessTokenUseNumber int       `json:"at_use_nbr,omitempty"`
	Foo                  string    `json:"foo,omitempty"`
	Bar                  *Nested   `json:"bar,omitempty"`
}

// Nested shows that a custom claim may itself be a struct.
type Nested struct {
	Count int      `json:"count,omitempty"`
	Tags  []string `json:"tags,omitempty"`
}

// accessToken is a signed JWT whose payload holds the claims below;
// "foo" and "bar" are the custom ones.
//
//	{
//	  "aud": ["unit", "test"],
//	  "bar": {"count": 22, "tags": ["some", "tags"]},
//	  "exp": 4802234675,
//	  "foo": "Hello, World!",
//	  "iat": 1678097014,
//	  "iss": "local.com",
//	  "jti": "9876",
//	  "nbf": 1678097014,
//	  "sub": "tim@local.com"
//	}
const accessToken = `eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJhdWQiOlsidW5pdCIsInRlc3QiXSwiYmFyIjp7ImNvdW50IjoyMiwidGFncyI6WyJzb21lIiwidGFncyJdfSwiZXhwIjo0ODAyMjM0Njc1LCJmb28iOiJIZWxsbywgV29ybGQhIiwiaWF0IjoxNjc4MDk3MDE0LCJpc3MiOiJsb2NhbC5jb20iLCJqdGkiOiI5ODc2IiwibmJmIjoxNjc4MDk3MDE0LCJzdWIiOiJ0aW1AbG9jYWwuY29tIn0.OUgk-B7OXjYlYFj-nogqSDJiQE19tPrbzqUHEAjcEiJkaWo6-IpGVfDiGKm-TxjXQsNScxpaY0Pg3XIh1xK6TgtfYtoLQm-5RYw_mXgb9xqZB2VgPs6nNEYFUDM513MOU0EBc0QMyqAEGzW-HiSPAb4ugCvkLtM1yo11Xyy6vksAdZNs_mJDT4X3vFXnr0jk0ugnAW6fTN3_voC0F_9HQUAkmd750OIxkAHxAMvEPQcpbLHenVvX_Q0QMrzClVrxehn5TVMfmkYYg7ocr876Bq9xQGPNHAcrwvVIJqdg5uMUA38L3HC2BEueG6furZGvc7-qDWAT1VR9liM5ieKpPg`

// main verifies accessToken (issuer, signature and expiration) against the
// test key set and prints the custom claims in a type-safe way.
func main() {
	ctx := context.TODO()
	verifier := op.NewAccessTokenVerifier("local.com", tu.KeySet{})

	// The type parameter selects the struct the claims are decoded into.
	claims, err := op.VerifyAccessToken[*MyCustomClaims](ctx, accessToken, verifier)
	if err != nil {
		panic(err)
	}

	// Custom claims are ordinary struct fields: no map lookups, no type assertions.
	fmt.Println(claims.Foo, claims.Bar.Count, claims.Bar.Tags)
}
Output: Hello, World! 22 [some tags]
func VerifyIDTokenHint ¶
func VerifyIDTokenHint[C oidc.Claims](ctx context.Context, token string, v *IDTokenHintVerifier) (claims C, err error)
VerifyIDTokenHint validates the id token according to https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation. In case of an expired token, both the Claims and the first encountered expiry-related error (of type IDTokenHintExpiredError) are returned. In that case the caller can choose to still trust the token for cases like logout, as the signature and all other verifications succeeded.
func VerifyJWTAssertion ¶
func VerifyJWTAssertion(ctx context.Context, assertion string, v *JWTProfileVerifier) (*oidc.JWTTokenRequest, error)
VerifyJWTAssertion verifies the assertion string from JWT Profile (authorization grant and client authentication)
It checks the audience, exp, iat and signature, and that issuer and sub are the same.
func WriteError ¶
WriteError asserts for a StatusError containing an oidc.Error. If no `StatusError` is found, the status code will default to http.StatusBadRequest. If no `oidc.Error` was found in the parent, the error type defaults to oidc.ServerError. When there was no `StatusError` and the `oidc.Error` is of type `oidc.ServerError`, the status code will be set to http.StatusInternalServerError
Types ¶
type AccessTokenClient ¶
type AccessTokenType ¶
// AccessTokenType selects the representation of an issued access token;
// the valid values are the constants below (see also Client.AccessTokenType).
type AccessTokenType int

const (
	AccessTokenTypeBearer AccessTokenType = iota // bearer
	AccessTokenTypeJWT                           // JWT
)
func AccessTokenTypeString ¶
func AccessTokenTypeString(s string) (AccessTokenType, error)
AccessTokenTypeString retrieves an enum value from the enum constants' string name. It returns an error if the param is not part of the enum.
func AccessTokenTypeValues ¶
func AccessTokenTypeValues() []AccessTokenType
AccessTokenTypeValues returns all values of the enum
func (AccessTokenType) IsAAccessTokenType ¶
func (i AccessTokenType) IsAAccessTokenType() bool
IsAAccessTokenType returns "true" if the value is listed in the enum definition. "false" otherwise
func (AccessTokenType) MarshalGQL ¶
func (i AccessTokenType) MarshalGQL(w io.Writer)
MarshalGQL implements the graphql.Marshaler interface for AccessTokenType
func (AccessTokenType) MarshalJSON ¶
func (i AccessTokenType) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface for AccessTokenType
func (AccessTokenType) MarshalText ¶
func (i AccessTokenType) MarshalText() ([]byte, error)
MarshalText implements the encoding.TextMarshaler interface for AccessTokenType
func (AccessTokenType) MarshalYAML ¶
func (i AccessTokenType) MarshalYAML() (interface{}, error)
MarshalYAML implements a YAML Marshaler for AccessTokenType
func (*AccessTokenType) Scan ¶
func (i *AccessTokenType) Scan(value interface{}) error
func (AccessTokenType) String ¶
func (i AccessTokenType) String() string
func (*AccessTokenType) UnmarshalGQL ¶
func (i *AccessTokenType) UnmarshalGQL(value interface{}) error
UnmarshalGQL implements the graphql.Unmarshaler interface for AccessTokenType
func (*AccessTokenType) UnmarshalJSON ¶
func (i *AccessTokenType) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface for AccessTokenType
func (*AccessTokenType) UnmarshalText ¶
func (i *AccessTokenType) UnmarshalText(text []byte) error
UnmarshalText implements the encoding.TextUnmarshaler interface for AccessTokenType
func (*AccessTokenType) UnmarshalYAML ¶
func (i *AccessTokenType) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML implements a YAML Unmarshaler for AccessTokenType
type AccessTokenVerifier ¶
func NewAccessTokenVerifier ¶
func NewAccessTokenVerifier(issuer string, keySet oidc.KeySet, opts ...AccessTokenVerifierOpt) *AccessTokenVerifier
NewAccessTokenVerifier returns a AccessTokenVerifier suitable for access token verification.
type AccessTokenVerifierOpt ¶
// AccessTokenVerifierOpt is a functional option passed to NewAccessTokenVerifier;
// WithSupportedAccessTokenSigningAlgorithms is one such option.
type AccessTokenVerifierOpt func(*AccessTokenVerifier)
func WithSupportedAccessTokenSigningAlgorithms ¶
func WithSupportedAccessTokenSigningAlgorithms(algs ...string) AccessTokenVerifierOpt
type ApplicationType ¶
// ApplicationType classifies a registered client (see Client.ApplicationType).
// NOTE(review): the redirect_uri rules appear to depend on this value
// (ValidateAuthReqRedirectURI validates against "client type") — confirm.
type ApplicationType int

const (
	ApplicationTypeWeb       ApplicationType = iota // web
	ApplicationTypeUserAgent                        // user_agent
	ApplicationTypeNative                           // native
)
func ApplicationTypeString ¶
func ApplicationTypeString(s string) (ApplicationType, error)
ApplicationTypeString retrieves an enum value from the enum constants' string name. It returns an error if the param is not part of the enum.
func ApplicationTypeValues ¶
func ApplicationTypeValues() []ApplicationType
ApplicationTypeValues returns all values of the enum
func (ApplicationType) IsAApplicationType ¶
func (i ApplicationType) IsAApplicationType() bool
IsAApplicationType returns "true" if the value is listed in the enum definition. "false" otherwise
func (ApplicationType) MarshalGQL ¶
func (i ApplicationType) MarshalGQL(w io.Writer)
MarshalGQL implements the graphql.Marshaler interface for ApplicationType
func (ApplicationType) MarshalJSON ¶
func (i ApplicationType) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface for ApplicationType
func (ApplicationType) MarshalText ¶
func (i ApplicationType) MarshalText() ([]byte, error)
MarshalText implements the encoding.TextMarshaler interface for ApplicationType
func (ApplicationType) MarshalYAML ¶
func (i ApplicationType) MarshalYAML() (interface{}, error)
MarshalYAML implements a YAML Marshaler for ApplicationType
func (*ApplicationType) Scan ¶
func (i *ApplicationType) Scan(value interface{}) error
func (ApplicationType) String ¶
func (i ApplicationType) String() string
func (*ApplicationType) UnmarshalGQL ¶
func (i *ApplicationType) UnmarshalGQL(value interface{}) error
UnmarshalGQL implements the graphql.Unmarshaler interface for ApplicationType
func (*ApplicationType) UnmarshalJSON ¶
func (i *ApplicationType) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface for ApplicationType
func (*ApplicationType) UnmarshalText ¶
func (i *ApplicationType) UnmarshalText(text []byte) error
UnmarshalText implements the encoding.TextUnmarshaler interface for ApplicationType
func (*ApplicationType) UnmarshalYAML ¶
func (i *ApplicationType) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML implements a YAML Unmarshaler for ApplicationType
type AuthMethod ¶
// AuthMethod is a string-typed client authentication method.
// Note that Client.AuthMethod returns oidc.AuthMethod, not this type.
type AuthMethod string
type AuthRequest ¶
// AuthRequest is the stored representation of an authorization request as
// returned by AuthStorage (AuthRequestByID / AuthRequestByCode).
type AuthRequest interface {
	GetID() string
	GetACR() string
	GetAMR() []string
	GetAudience() []string
	GetAuthTime() time.Time
	GetClientID() string
	// GetCodeChallenge returns the PKCE challenge supplied at /authorize,
	// checked against the code_verifier at token exchange (AuthorizeCodeChallenge).
	GetCodeChallenge() *oidc.CodeChallenge
	GetNonce() string
	GetRedirectURI() string
	GetResponseType() oidc.ResponseType
	GetResponseMode() oidc.ResponseMode
	GetScopes() []string
	GetState() string
	GetSubject() string
	// Done presumably reports whether the end user has finished
	// authenticating — TODO confirm against the callback handling.
	Done() bool
}
func AuthRequestByCode ¶
AuthRequestByCode returns the AuthRequest previously created from Storage corresponding to the auth code or an error
type AuthStorage ¶
// AuthStorage is the persistence contract for authorization requests, codes,
// tokens and signing material.
type AuthStorage interface {
	CreateAuthRequest(context.Context, *oidc.AuthRequest, string) (AuthRequest, error)
	AuthRequestByID(context.Context, string) (AuthRequest, error)
	// AuthRequestByCode returns the AuthRequest previously created that
	// corresponds to the given auth code, or an error.
	AuthRequestByCode(context.Context, string) (AuthRequest, error)
	SaveAuthCode(context.Context, string, string) error
	DeleteAuthRequest(context.Context, string) error

	// The TokenRequest parameter of CreateAccessToken can be any of:
	//
	// * TokenRequest as returned by ClientCredentialsStorage.ClientCredentialsTokenRequest,
	//
	// * AuthRequest as returned by AuthRequestByID or AuthRequestByCode (above)
	//
	// * *oidc.JWTTokenRequest from a JWT that is the assertion value of a JWT Profile
	//   Grant: https://datatracker.ietf.org/doc/html/rfc7523#section-2.1
	//
	// * TokenExchangeRequest as returned by ValidateTokenExchangeRequest
	CreateAccessToken(context.Context, TokenRequest) (accessTokenID string, expiration time.Time, err error)

	// The TokenRequest parameter of CreateAccessAndRefreshTokens can be any of:
	//
	// * TokenRequest as returned by ClientCredentialsStorage.ClientCredentialsTokenRequest
	//
	// * RefreshTokenRequest as returned by AuthStorage.TokenRequestByRefreshToken
	//
	// * AuthRequest as returned by AuthRequestByID or AuthRequestByCode (above).
	//   Used for the authorization code flow which requested offline_access scope and
	//   registered the refresh_token grant type in advance
	//
	// * TokenExchangeRequest as returned by ValidateTokenExchangeRequest
	CreateAccessAndRefreshTokens(ctx context.Context, request TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshTokenID string, expiration time.Time, err error)
	TokenRequestByRefreshToken(ctx context.Context, refreshTokenID string) (RefreshTokenRequest, error)
	TerminateSession(ctx context.Context, userID string, clientID string) error

	// RevokeToken should revoke a token. In the situation that the original request was to
	// revoke an access token, then tokenOrTokenID will be a tokenID and userID will be set,
	// but if the original request was for a refresh token, then userID will be empty and
	// tokenOrTokenID will be the refresh token, not its ID. RevokeToken depends upon GetRefreshTokenInfo
	// to get information from refresh tokens that are not either "<tokenID>:<userID>" strings
	// nor JWTs.
	RevokeToken(ctx context.Context, tokenOrTokenID string, userID string, clientID string) *oidc.Error

	// GetRefreshTokenInfo must return ErrInvalidRefreshToken when presented
	// with a token that is not a refresh token.
	GetRefreshTokenInfo(ctx context.Context, clientID string, token string) (userID string, tokenID string, err error)

	// Signing material: the active key, the algorithms to advertise and the
	// public key set served by the keys endpoint (Keys handler).
	SigningKey(context.Context) (SigningKey, error)
	SignatureAlgorithms(context.Context) ([]jose.SignatureAlgorithm, error)
	KeySet(context.Context) ([]Key, error)
}
type AuthenticatedTokenRequest ¶
AuthenticatedTokenRequest is a helper interface for ParseAuthenticatedTokenRequest it is implemented by oidc.AuthRequest and oidc.RefreshTokenRequest
type AuthorizeValidator ¶
// AuthorizeValidator extends Authorizer with a custom validation step for
// the auth request; it mirrors the signature of the package-level ValidateAuthRequest.
type AuthorizeValidator interface {
	Authorizer
	ValidateAuthRequest(context.Context, *oidc.AuthRequest, Storage, *IDTokenHintVerifier) (string, error)
}
AuthorizeValidator is an extension of Authorizer interface implementing its own validation mechanism for the auth request
type Authorizer ¶
// Authorizer provides the dependencies the authorization endpoint handlers
// (Authorize, AuthorizeCallback, AuthResponse) need.
type Authorizer interface {
	Storage() Storage
	Decoder() httphelper.Decoder
	Encoder() httphelper.Encoder
	IDTokenHintVerifier(context.Context) *IDTokenHintVerifier
	Crypto() Crypto
	// RequestObjectSupported reports whether the `request` parameter
	// (see ParseRequestObject) is accepted.
	RequestObjectSupported() bool
	Logger() *slog.Logger
}
type CanSetUserinfoFromRequest ¶
// CanSetUserinfoFromRequest is an optional interface a Storage may implement
// to add data to id_tokens based on the request.
type CanSetUserinfoFromRequest interface {
	SetUserinfoFromRequest(ctx context.Context, userinfo *oidc.UserInfo, request IDTokenRequest, scopes []string) error
}
CanSetUserinfoFromRequest is an optional additional interface that may be implemented by implementors of Storage. It allows additional data to be set in id_tokens based on the request.
type CanTerminateSessionFromRequest ¶
// CanTerminateSessionFromRequest is an optional Storage interface used instead of
// AuthStorage.TerminateSession; the returned string is the redirect URI to use.
type CanTerminateSessionFromRequest interface {
	TerminateSessionFromRequest(ctx context.Context, endSessionRequest *EndSessionRequest) (string, error)
}
CanTerminateSessionFromRequest is an optional additional interface that may be implemented by implementors of Storage as an alternative to TerminateSession of the AuthStorage. It passes the complete parsed EndSessionRequest to the implementation, which allows access to additional data. It also allows the implementation to modify the URI that will be used for redirection (e.g. a UI where the user can consent to the logout).
type Client ¶
// Client describes a registered OAuth 2.0 / OIDC client and the policy
// the provider enforces for it.
type Client interface {
	GetID() string
	// RedirectURIs and PostLogoutRedirectURIs are the registered allow-lists;
	// see ValidateAuthReqRedirectURI and HasRedirectGlobs for how they are matched.
	RedirectURIs() []string
	PostLogoutRedirectURIs() []string
	ApplicationType() ApplicationType
	AuthMethod() oidc.AuthMethod
	ResponseTypes() []oidc.ResponseType
	// GrantTypes is checked by ValidateGrantType before a grant is processed.
	GrantTypes() []oidc.GrantType
	LoginURL(string) string
	AccessTokenType() AccessTokenType
	IDTokenLifetime() time.Duration
	// DevMode relaxes checks intended for development only; HasRedirectGlobs
	// documents that "http://" redirect globs are accepted in dev mode.
	DevMode() bool
	RestrictAdditionalIdTokenScopes() func(scopes []string) []string
	RestrictAdditionalAccessTokenScopes() func(scopes []string) []string
	IsScopeAllowed(scope string) bool
	IDTokenUserinfoClaimsAssertion() bool
	// ClockSkew is presumably the tolerance applied to time-based claim checks
	// for this client — TODO confirm where it is consumed.
	ClockSkew() time.Duration
}
func AuthorizeClientCredentialsClient ¶
func AuthorizeClientCredentialsClient(ctx context.Context, request *oidc.ClientCredentialsRequest, storage ClientCredentialsStorage) (Client, error)
func AuthorizePrivateJWTKey ¶
func AuthorizePrivateJWTKey(ctx context.Context, clientAssertion string, exchanger JWTAuthorizationGrantExchanger) (Client, error)
AuthorizePrivateJWTKey authorizes a client by validating the client_assertion's signature with a previously registered public key (JWT Profile)
type ClientCredentials ¶
type ClientJWTProfile ¶
// ClientJWTProfile supplies the verifier used by ClientJWTAuth to validate
// a client_assertion JWT.
type ClientJWTProfile interface {
	JWTProfileVerifier(context.Context) *JWTProfileVerifier
}
type ClientProvider ¶
// ClientProvider is the minimal dependency set of ClientIDFromRequest.
type ClientProvider interface {
	Decoder() httphelper.Decoder
	Storage() Storage
}
type ClientRequest ¶
ClientRequest is a Request with a verified client attached to it. Methods that receive this argument may assume the client was authenticated, or verified to be a public client.
EXPERIMENTAL: may change until v4
type Config ¶
// Config holds the static provider settings.
type Config struct {
	// CryptoKey is presumably the key handed to NewAESCrypto — TODO confirm.
	CryptoKey                [32]byte
	DefaultLogoutRedirectURI string
	CodeMethodS256           bool
	AuthMethodPost           bool
	AuthMethodPrivateKeyJWT  bool
	GrantTypeRefreshToken    bool
	RequestObjectSupported   bool
	SupportedUILocales       []language.Tag
	SupportedClaims          []string
	DeviceAuthorization      DeviceAuthorizationConfig
}
type Configuration ¶
// Configuration exposes the provider's endpoints and capability flags; the
// discovery document (CreateDiscoveryConfig) and the *Supported helpers read it.
type Configuration interface {
	IssuerFromRequest(r *http.Request) string
	// Insecure: semantics not documented on this page — TODO confirm what it relaxes.
	Insecure() bool

	// Endpoints.
	AuthorizationEndpoint() *Endpoint
	TokenEndpoint() *Endpoint
	IntrospectionEndpoint() *Endpoint
	UserinfoEndpoint() *Endpoint
	RevocationEndpoint() *Endpoint
	EndSessionEndpoint() *Endpoint
	KeysEndpoint() *Endpoint
	DeviceAuthorizationEndpoint() *Endpoint

	// Client authentication and PKCE support at the token endpoint.
	AuthMethodPostSupported() bool
	CodeMethodS256Supported() bool
	AuthMethodPrivateKeyJWTSupported() bool
	TokenEndpointSigningAlgorithmsSupported() []string

	// Grant types the provider accepts.
	GrantTypeRefreshTokenSupported() bool
	GrantTypeTokenExchangeSupported() bool
	GrantTypeJWTAuthorizationSupported() bool
	GrantTypeClientCredentialsSupported() bool
	GrantTypeDeviceCodeSupported() bool

	// Introspection and revocation endpoint client authentication.
	IntrospectionAuthMethodPrivateKeyJWTSupported() bool
	IntrospectionEndpointSigningAlgorithmsSupported() []string
	RevocationAuthMethodPrivateKeyJWTSupported() bool
	RevocationEndpointSigningAlgorithmsSupported() []string

	// Request objects (the `request` parameter).
	RequestObjectSupported() bool
	RequestObjectSigningAlgorithmsSupported() []string

	SupportedUILocales() []language.Tag
	DeviceAuthorization() DeviceAuthorizationConfig
}
type Crypto ¶
func NewAESCrypto ¶
type DeviceAuthorizationConfig ¶
// DeviceAuthorizationConfig tunes the device authorization grant.
type DeviceAuthorizationConfig struct {
	Lifetime     time.Duration
	PollInterval time.Duration
	// UserFormURL is the complete URL where the user must go to authorize the device.
	// Deprecated: use UserFormPath instead.
	UserFormURL string
	// UserFormPath is the path where the user must go to authorize the device.
	// The hostname for the URL is taken from the request by IssuerFromContext.
	UserFormPath string
	UserCode     UserCodeConfig
}
type DeviceAuthorizationState ¶
// DeviceAuthorizationState describes the current state of the device
// authorization flow. It implements the IDTokenRequest interface.
type DeviceAuthorizationState struct {
	ClientID string
	Audience []string
	Scopes   []string
	Expires  time.Time // The time after we consider the authorization request timed-out
	Done     bool      // The user authenticated and approved the authorization request
	Denied   bool      // The user authenticated and denied the authorization request

	// The following fields are populated after Done == true
	Subject  string
	AMR      []string
	AuthTime time.Time
}
DeviceAuthorizationState describes the current state of the device authorization flow. It implements the IDTokenRequest interface.
func (*DeviceAuthorizationState) GetAMR ¶ added in v3.8.0
func (r *DeviceAuthorizationState) GetAMR() []string
func (*DeviceAuthorizationState) GetAudience ¶ added in v3.8.0
func (r *DeviceAuthorizationState) GetAudience() []string
func (*DeviceAuthorizationState) GetAuthTime ¶ added in v3.8.0
func (r *DeviceAuthorizationState) GetAuthTime() time.Time
func (*DeviceAuthorizationState) GetClientID ¶ added in v3.8.0
func (r *DeviceAuthorizationState) GetClientID() string
func (*DeviceAuthorizationState) GetScopes ¶ added in v3.8.0
func (r *DeviceAuthorizationState) GetScopes() []string
func (*DeviceAuthorizationState) GetSubject ¶ added in v3.8.0
func (r *DeviceAuthorizationState) GetSubject() string
type DeviceAuthorizationStorage ¶
// DeviceAuthorizationStorage persists device authorization requests.
type DeviceAuthorizationStorage interface {
	// StoreDeviceAuthorizationRequest stores a new device authorization request in the database.
	// User code will be used by the user to complete the login flow and must be unique.
	// ErrDuplicateUserCode signals the caller should try again with a new code.
	//
	// Note that user codes are low entropy keys and when many exist in the
	// database, the chance of collisions increases. Therefore implementers
	// of this interface must make sure that user codes of expired authentication flows are purged,
	// after some time.
	StoreDeviceAuthorization(ctx context.Context, clientID, deviceCode, userCode string, expires time.Time, scopes []string) error

	// GetDeviceAuthorizatonState returns the current state of the device authorization flow in the database.
	// The method is polled until the authorization is either Completed, Expired or Denied.
	GetDeviceAuthorizatonState(ctx context.Context, clientID, deviceCode string) (*DeviceAuthorizationState, error)
}
type DiscoverStorage ¶
// DiscoverStorage reports the signature algorithms a Storage supports;
// presumably used to populate the discovery configuration — confirm against the caller.
type DiscoverStorage interface {
	SignatureAlgorithms(context.Context) ([]jose.SignatureAlgorithm, error)
}
type EndSessionRequest ¶
// EndSessionRequest is the validated form of an oidc.EndSessionRequest,
// as returned by ValidateEndSessionRequest.
type EndSessionRequest struct {
	UserID            string
	ClientID          string
	IDTokenHintClaims *oidc.IDTokenClaims
	RedirectURI       string
}
func ValidateEndSessionRequest ¶
func ValidateEndSessionRequest(ctx context.Context, req *oidc.EndSessionRequest, ender SessionEnder) (*EndSessionRequest, error)
type Endpoint ¶
// Endpoint describes a single route of the provider; construct it with
// NewEndpoint or NewEndpointWithURL.
type Endpoint struct {
	// contains filtered or unexported fields
}
func NewEndpoint ¶
func NewEndpointWithURL ¶
type Endpoints ¶
// Endpoints defines endpoint routes. When passed to NewLegacyServer, only
// non-nil endpoints are registered; nil endpoints are disabled.
type Endpoints struct {
	Authorization       *Endpoint
	Token               *Endpoint
	Introspection       *Endpoint
	Userinfo            *Endpoint
	Revocation          *Endpoint
	EndSession          *Endpoint
	CheckSessionIframe  *Endpoint
	JwksURI             *Endpoint
	DeviceAuthorization *Endpoint
}
Endpoints defines endpoint routes.
type ErrAuthRequest ¶
// ErrAuthRequest is the minimal view of an authorization request needed to
// report an error back to the client (see AuthRequestError and
// TryErrorRedirect): the redirect target, the response type and the state.
type ErrAuthRequest interface {
	GetRedirectURI() string
	GetResponseType() oidc.ResponseType
	GetState() string
}
type Exchanger ¶
// Exchanger is the set of dependencies the token endpoint handlers need:
// storage, request decoding, crypto, the supported client authentication
// methods and grant types, token verifiers and a logger.
type Exchanger interface {
	Storage() Storage
	Decoder() httphelper.Decoder
	Crypto() Crypto
	AuthMethodPostSupported() bool
	AuthMethodPrivateKeyJWTSupported() bool
	GrantTypeRefreshTokenSupported() bool
	GrantTypeTokenExchangeSupported() bool
	GrantTypeJWTAuthorizationSupported() bool
	GrantTypeClientCredentialsSupported() bool
	GrantTypeDeviceCodeSupported() bool
	AccessTokenVerifier(context.Context) *AccessTokenVerifier
	IDTokenHintVerifier(context.Context) *IDTokenHintVerifier
	Logger() *slog.Logger
}
type ExtendedLegacyServer ¶ added in v3.1.0
// ExtendedLegacyServer allows embedding LegacyServer in a struct, so that its
// methods can be individually overridden.
//
// EXPERIMENTAL: may change until v4
type ExtendedLegacyServer interface {
	Server
	Provider() OpenIDProvider
	Endpoints() Endpoints
	AuthCallbackURL() func(context.Context, string) string
}
ExtendedLegacyServer allows embedding LegacyServer in a struct, so that its methods can be individually overridden.
EXPERIMENTAL: may change until v4
type HasRedirectGlobs ¶
// HasRedirectGlobs is an optional interface that can be implemented by
// implementors of Client. See https://pkg.go.dev/path#Match for glob
// interpretation. Redirect URIs that match either the non-glob version or the
// glob version will be accepted. Glob URIs are only partially supported for
// native clients: "http://" is not allowed except for loopback or in dev mode.
//
// Note that globbing / wildcards are not permitted by the OIDC standard and
// implementing this interface can have security implications (a too-broad
// pattern widens the set of redirect targets the provider will accept). It is
// advised to only return a client of this type in rare cases, such as DevMode
// for the client being enabled.
// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
type HasRedirectGlobs interface {
	Client
	RedirectURIGlobs() []string
	PostLogoutRedirectURIGlobs() []string
}
HasRedirectGlobs is an optional interface that can be implemented by implementors of Client. See https://pkg.go.dev/path#Match for glob interpretation. Redirect URIs that match either the non-glob version or the glob version will be accepted. Glob URIs are only partially supported for native clients: "http://" is not allowed except for loopback or in dev mode.
Note that globbing / wildcards are not permitted by the OIDC standard and implementing this interface can have security implications. It is advised to only return a client of this type in rare cases, such as DevMode for the client being enabled. https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
type IDTokenHintExpiredError ¶ added in v3.10.3
// IDTokenHintExpiredError wraps an underlying error (see Is and Unwrap);
// presumably it is reported when an id_token_hint fails verification because
// it has expired — confirm against the verifier.
type IDTokenHintExpiredError struct {
	// contains filtered or unexported fields
}
func (IDTokenHintExpiredError) Is ¶ added in v3.10.3
func (e IDTokenHintExpiredError) Is(err error) bool
func (IDTokenHintExpiredError) Unwrap ¶ added in v3.10.3
func (e IDTokenHintExpiredError) Unwrap() error
type IDTokenHintVerifier ¶
func NewIDTokenHintVerifier ¶
func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet, opts ...IDTokenHintVerifierOpt) *IDTokenHintVerifier
type IDTokenHintVerifierOpt ¶
// IDTokenHintVerifierOpt configures an IDTokenHintVerifier; see
// WithSupportedIDTokenHintSigningAlgorithms.
type IDTokenHintVerifierOpt func(*IDTokenHintVerifier)
func WithSupportedIDTokenHintSigningAlgorithms ¶
func WithSupportedIDTokenHintSigningAlgorithms(algs ...string) IDTokenHintVerifierOpt
type IDTokenRequest ¶
type IntrospectionRequest ¶ added in v3.1.1
// IntrospectionRequest combines the authenticating client's credentials with
// the parsed oidc.IntrospectionRequest.
type IntrospectionRequest struct {
	*ClientCredentials
	*oidc.IntrospectionRequest
}
type Introspector ¶
// Introspector is the set of dependencies the introspection endpoint needs.
type Introspector interface {
	Decoder() httphelper.Decoder
	Crypto() Crypto
	Storage() Storage
	AccessTokenVerifier(context.Context) *AccessTokenVerifier
}
type IntrospectorJWTProfile ¶
// IntrospectorJWTProfile extends Introspector with a JWT profile verifier,
// for introspection clients that authenticate with a JWT assertion.
type IntrospectorJWTProfile interface {
	Introspector
	JWTProfileVerifier(context.Context) JWTProfileVerifier
}
type IssuerFromOption ¶ added in v3.2.0
// IssuerFromOption configures how the issuer is derived from a request; see
// WithIssuerFromCustomHeaders.
type IssuerFromOption func(c *issuerConfig)
func WithIssuerFromCustomHeaders ¶ added in v3.2.0
func WithIssuerFromCustomHeaders(headers ...string) IssuerFromOption
WithIssuerFromCustomHeaders can be used to customize the header names used. The same rules apply where the first successful host is returned.
type IssuerFromRequest ¶
type IssuerInterceptor ¶
// IssuerInterceptor is HTTP middleware that sets the issuer into the request
// context using the IssuerFromRequest given to NewIssuerInterceptor.
type IssuerInterceptor struct {
	// contains filtered or unexported fields
}
func NewIssuerInterceptor ¶
func NewIssuerInterceptor(issuerFromRequest IssuerFromRequest) *IssuerInterceptor
NewIssuerInterceptor will set the issuer into the context by the provided IssuerFromRequest (e.g. returned from StaticIssuer or IssuerFromHost)
func (*IssuerInterceptor) Handler ¶
func (i *IssuerInterceptor) Handler(next http.Handler) http.Handler
func (*IssuerInterceptor) HandlerFunc ¶
func (i *IssuerInterceptor) HandlerFunc(next http.HandlerFunc) http.HandlerFunc
type JWTAuthorizationGrantExchanger ¶
// JWTAuthorizationGrantExchanger extends Exchanger with the verifier needed
// for the JWT profile authorization grant.
type JWTAuthorizationGrantExchanger interface {
	Exchanger
	JWTProfileVerifier(context.Context) *JWTProfileVerifier
}
type JWTProfileKeyStorage ¶
type JWTProfileTokenStorage ¶
// JWTProfileTokenStorage is an additional, optional storage. Implementing it
// allows specifying the AccessTokenType of the access_token returned from the
// JWT Profile TokenRequest.
type JWTProfileTokenStorage interface {
	JWTProfileTokenType(ctx context.Context, request TokenRequest) (AccessTokenType, error)
}
JWTProfileTokenStorage is an additional, optional storage. Implementing it allows specifying the AccessTokenType of the access_token returned from the JWT Profile TokenRequest.
type JWTProfileVerifier ¶
// JWTProfileVerifier extends oidc.Verifier with a JWTProfileKeyStorage and a
// function to check the subject in a token. CheckSubject defaults to
// SubjectIsIssuer() and can be replaced via the SubjectCheck option.
type JWTProfileVerifier struct {
	oidc.Verifier
	Storage      JWTProfileKeyStorage
	CheckSubject func(request *oidc.JWTTokenRequest) error
	// contains filtered or unexported fields
}
JWTProfileVerifier extends oidc.Verifier with a JWTProfileKeyStorage and a function to check the subject in a token.
func NewJWTProfileVerifier ¶
func NewJWTProfileVerifier(storage JWTProfileKeyStorage, issuer string, maxAgeIAT, offset time.Duration, opts ...JWTProfileVerifierOption) *JWTProfileVerifier
NewJWTProfileVerifier creates an oidc.Verifier for JWT Profile assertions (authorization grant and client authentication).
func NewJWTProfileVerifierKeySet ¶ added in v3.4.0
func NewJWTProfileVerifierKeySet(keySet oidc.KeySet, issuer string, maxAgeIAT, offset time.Duration, opts ...JWTProfileVerifierOption) *JWTProfileVerifier
NewJWTProfileVerifierKeySet creates an oidc.Verifier for JWT Profile assertions (authorization grant and client authentication).
type JWTProfileVerifierOption ¶
// JWTProfileVerifierOption configures a JWTProfileVerifier; see SubjectCheck.
type JWTProfileVerifierOption func(*JWTProfileVerifier)
func SubjectCheck ¶
func SubjectCheck(check func(request *oidc.JWTTokenRequest) error) JWTProfileVerifierOption
SubjectCheck sets a custom function to check the subject. Defaults to SubjectIsIssuer()
type Key ¶
// Key is a public key as exposed by a Storage: its identifier, signature
// algorithm, intended use and the key material itself.
type Key interface {
	ID() string
	Algorithm() jose.SignatureAlgorithm
	Use() string
	Key() any
}
type LegacyServer ¶
// LegacyServer is an implementation of Server that simply wraps an
// OpenIDProvider. It can be used to transition from the former
// Provider/Storage interfaces to the new Server interface.
//
// EXPERIMENTAL: may change until v4
type LegacyServer struct {
	UnimplementedServer
	// contains filtered or unexported fields
}
LegacyServer is an implementation of Server that simply wraps an OpenIDProvider. It can be used to transition from the former Provider/Storage interfaces to the new Server interface.
EXPERIMENTAL: may change until v4
func NewLegacyServer ¶
func NewLegacyServer(provider OpenIDProvider, endpoints Endpoints) *LegacyServer
NewLegacyServer wraps provider in a `Server` implementation
Only non-nil endpoints will be registered on the router. Nil endpoints are disabled.
The passed endpoints is also used for the discovery config, and endpoints already set to the provider are ignored. Any `With*Endpoint()` option used on the provider is therefore ineffective.
EXPERIMENTAL: may change until v4
func (*LegacyServer) AuthCallbackURL ¶ added in v3.1.1
func (s *LegacyServer) AuthCallbackURL() func(context.Context, string) string
AuthCallbackURL builds the url for the redirect (with the requestID) after a successful login
func (*LegacyServer) Authorize ¶
func (s *LegacyServer) Authorize(ctx context.Context, r *ClientRequest[oidc.AuthRequest]) (_ *Redirect, err error)
func (*LegacyServer) ClientCredentialsExchange ¶
func (s *LegacyServer) ClientCredentialsExchange(ctx context.Context, r *ClientRequest[oidc.ClientCredentialsRequest]) (*Response, error)
func (*LegacyServer) CodeExchange ¶
func (s *LegacyServer) CodeExchange(ctx context.Context, r *ClientRequest[oidc.AccessTokenRequest]) (*Response, error)
func (*LegacyServer) DeviceAuthorization ¶
func (s *LegacyServer) DeviceAuthorization(ctx context.Context, r *ClientRequest[oidc.DeviceAuthorizationRequest]) (*Response, error)
func (*LegacyServer) DeviceToken ¶
func (s *LegacyServer) DeviceToken(ctx context.Context, r *ClientRequest[oidc.DeviceAccessTokenRequest]) (*Response, error)
func (*LegacyServer) EndSession ¶
func (s *LegacyServer) EndSession(ctx context.Context, r *Request[oidc.EndSessionRequest]) (*Redirect, error)
func (*LegacyServer) Endpoints ¶ added in v3.1.0
func (s *LegacyServer) Endpoints() Endpoints
func (*LegacyServer) Introspect ¶
func (s *LegacyServer) Introspect(ctx context.Context, r *Request[IntrospectionRequest]) (*Response, error)
func (*LegacyServer) JWTProfile ¶
func (s *LegacyServer) JWTProfile(ctx context.Context, r *Request[oidc.JWTProfileGrantRequest]) (*Response, error)
func (*LegacyServer) Provider ¶ added in v3.1.0
func (s *LegacyServer) Provider() OpenIDProvider
func (*LegacyServer) RefreshToken ¶
func (s *LegacyServer) RefreshToken(ctx context.Context, r *ClientRequest[oidc.RefreshTokenRequest]) (*Response, error)
func (*LegacyServer) Revocation ¶
func (s *LegacyServer) Revocation(ctx context.Context, r *ClientRequest[oidc.RevocationRequest]) (*Response, error)
func (*LegacyServer) TokenExchange ¶
func (s *LegacyServer) TokenExchange(ctx context.Context, r *ClientRequest[oidc.TokenExchangeRequest]) (*Response, error)
func (*LegacyServer) UserInfo ¶
func (s *LegacyServer) UserInfo(ctx context.Context, r *Request[oidc.UserInfoRequest]) (*Response, error)
func (*LegacyServer) VerifyAuthRequest ¶
func (s *LegacyServer) VerifyAuthRequest(ctx context.Context, r *Request[oidc.AuthRequest]) (*ClientRequest[oidc.AuthRequest], error)
func (*LegacyServer) VerifyClient ¶
func (s *LegacyServer) VerifyClient(ctx context.Context, r *Request[ClientCredentials]) (Client, error)
type LogAuthRequest ¶
// LogAuthRequest is an optional interface that allows logging AuthRequest
// fields. If the AuthRequest does not implement this interface, no details
// shall be printed to the logs.
type LogAuthRequest interface {
	ErrAuthRequest
	slog.LogValuer
}
LogAuthRequest is an optional interface, that allows logging AuthRequest fields. If the AuthRequest does not implement this interface, no details shall be printed to the logs.
type OPStorage ¶
// OPStorage is the provider-side storage: client lookup and authentication,
// claim and user-info population, and key lookup for JWT client assertions.
type OPStorage interface {
	// GetClientByClientID loads a Client. The returned Client is never cached and is only used to
	// handle the current request.
	GetClientByClientID(ctx context.Context, clientID string) (Client, error)

	// AuthorizeClientIDSecret authenticates a confidential client. Implementations
	// receive the raw secret; they should compare it against the stored
	// credential in constant time and return a generic error on mismatch.
	AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string) error

	// SetUserinfoFromScopes is deprecated and should have an empty implementation for now.
	// Implement SetUserinfoFromRequest instead.
	SetUserinfoFromScopes(ctx context.Context, userinfo *oidc.UserInfo, userID, clientID string, scopes []string) error
	SetUserinfoFromToken(ctx context.Context, userinfo *oidc.UserInfo, tokenID, subject, origin string) error
	SetIntrospectionFromToken(ctx context.Context, userinfo *oidc.IntrospectionResponse, tokenID, subject, clientID string) error
	GetPrivateClaimsFromScopes(ctx context.Context, userID, clientID string, scopes []string) (map[string]any, error)

	// GetKeyByIDAndClientID is keyed by both keyID and clientID; implementations
	// should not return a key that belongs to a different client.
	GetKeyByIDAndClientID(ctx context.Context, keyID, clientID string) (*jose.JSONWebKey, error)
	ValidateJWTProfileScopes(ctx context.Context, userID string, scopes []string) ([]string, error)
}
type OpenIDKeySet ¶ added in v3.11.0
// OpenIDKeySet adapts a Storage to the oidc.KeySet interface; its
// VerifySignature method checks signatures against the keys stored in the OP
// Storage.
type OpenIDKeySet struct {
	Storage
}
func (*OpenIDKeySet) VerifySignature ¶ added in v3.11.0
func (o *OpenIDKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) ([]byte, error)
VerifySignature implements the oidc.KeySet interface providing an implementation for the keys stored in the OP Storage interface
type OpenIDProvider ¶
// OpenIDProvider is the full provider surface: it serves HTTP itself, exposes
// its Configuration, and gives access to storage, codecs, verifiers, crypto,
// health probes and logging.
type OpenIDProvider interface {
	http.Handler
	Configuration
	Storage() Storage
	Decoder() httphelper.Decoder
	Encoder() httphelper.Encoder
	IDTokenHintVerifier(context.Context) *IDTokenHintVerifier
	AccessTokenVerifier(context.Context) *AccessTokenVerifier
	Crypto() Crypto
	DefaultLogoutRedirectURI() string
	Probes() []ProbesFn
	Logger() *slog.Logger

	// Deprecated: Provider now implements http.Handler directly.
	HttpHandler() http.Handler
}
type Option ¶
func WithAccessTokenKeySet ¶ added in v3.11.0
WithAccessTokenKeySet allows passing a KeySet with public keys for Access Token verification. The default KeySet uses the Storage interface
func WithAccessTokenVerifierOpts ¶
func WithAccessTokenVerifierOpts(opts ...AccessTokenVerifierOpt) Option
func WithAllowInsecure ¶
func WithAllowInsecure() Option
WithAllowInsecure allows the use of http (instead of https) for issuers this is not recommended for production use and violates the OIDC specification
func WithCORSOptions ¶ added in v3.3.0
func WithCustomAuthEndpoint ¶
func WithCustomEndpoints ¶
WithCustomEndpoints sets multiple endpoints at once. None of the endpoints may be nil, or an error will be returned when the Option is used by the Provider.
func WithCustomKeysEndpoint ¶
func WithCustomTokenEndpoint ¶
func WithHttpInterceptors ¶
func WithHttpInterceptors(interceptors ...HttpInterceptor) Option
func WithIDTokenHintKeySet ¶ added in v3.11.0
WithIDTokenHintKeySet allows passing a KeySet with public keys for ID Token Hint verification. The default KeySet uses the Storage interface.
func WithIDTokenHintVerifierOpts ¶
func WithIDTokenHintVerifierOpts(opts ...IDTokenHintVerifierOpt) Option
func WithLogger ¶
WithLogger sets a logger other than slog.Default().
type ProbesFn ¶
func ReadyStorage ¶
type Provider ¶
func NewDynamicOpenIDProvider
deprecated
func NewForwardedOpenIDProvider
deprecated
func NewForwardedOpenIDProvider(path string, config *Config, storage Storage, opOpts ...Option) (*Provider, error)
NewForwardedOpenIDProvider tries to establish the Issuer from a Forwarded request header, if it is set. See IssuerFromForwardedOrHost for details.
Deprecated: use NewProvider with an issuer function direct.
func NewOpenIDProvider
deprecated
func NewOpenIDProvider(issuer string, config *Config, storage Storage, opOpts ...Option) (*Provider, error)
NewOpenIDProvider creates a provider. The provider provides (with HttpHandler()) a http.Router that handles a suite of endpoints (some paths can be overridden):
/healthz /ready /.well-known/openid-configuration /oauth/token /oauth/introspect /callback /authorize /userinfo /revoke /end_session /keys /device_authorization
This does not include login. Login is handled with a redirect that includes the request ID. The redirect for logins is specified per-client by Client.LoginURL(). Successful logins should mark the request as authorized and redirect back to op.AuthCallbackURL(provider), which is probably /callback. On the redirect back to the AuthCallbackURL, the request id should be passed as the "id" parameter.
Deprecated: use NewProvider with an issuer function direct.
func NewProvider ¶ added in v3.2.1
func NewProvider(config *Config, storage Storage, issuer func(insecure bool) (IssuerFromRequest, error), opOpts ...Option) (_ *Provider, err error)
NewProvider creates a provider with a router on its embedded http.Handler. Issuer is a function that must return the issuer on every request. Typically StaticIssuer, IssuerFromHost or IssuerFromForwardedOrHost can be used.
The router handles a suite of endpoints (some paths can be overridden):
/healthz /ready /.well-known/openid-configuration /oauth/token /oauth/introspect /callback /authorize /userinfo /revoke /end_session /keys /device_authorization
This does not include login. Login is handled with a redirect that includes the request ID. The redirect for logins is specified per-client by Client.LoginURL(). Successful logins should mark the request as authorized and redirect back to op.AuthCallbackURL(provider), which is probably /callback. On the redirect back to the AuthCallbackURL, the request id should be passed as the "id" parameter.
func (*Provider) AccessTokenVerifier ¶
func (o *Provider) AccessTokenVerifier(ctx context.Context) *AccessTokenVerifier
func (*Provider) AuthMethodPostSupported ¶
func (*Provider) AuthMethodPrivateKeyJWTSupported ¶
func (*Provider) AuthorizationEndpoint ¶
func (*Provider) CORSOptions ¶ added in v3.3.0
func (*Provider) CodeMethodS256Supported ¶
func (*Provider) Decoder ¶
func (o *Provider) Decoder() httphelper.Decoder
func (*Provider) DefaultLogoutRedirectURI ¶
func (*Provider) DeviceAuthorization ¶
func (o *Provider) DeviceAuthorization() DeviceAuthorizationConfig
func (*Provider) DeviceAuthorizationEndpoint ¶
func (*Provider) Encoder ¶
func (o *Provider) Encoder() httphelper.Encoder
func (*Provider) EndSessionEndpoint ¶
func (*Provider) GrantTypeClientCredentialsSupported ¶
func (*Provider) GrantTypeDeviceCodeSupported ¶
func (*Provider) GrantTypeJWTAuthorizationSupported ¶
func (*Provider) GrantTypeRefreshTokenSupported ¶
func (*Provider) GrantTypeTokenExchangeSupported ¶
func (*Provider) HttpHandler
deprecated
func (*Provider) IDTokenHintVerifier ¶
func (o *Provider) IDTokenHintVerifier(ctx context.Context) *IDTokenHintVerifier
func (*Provider) IntrospectionAuthMethodPrivateKeyJWTSupported ¶
func (*Provider) IntrospectionEndpoint ¶
func (*Provider) IntrospectionEndpointSigningAlgorithmsSupported ¶
func (*Provider) JWTProfileVerifier ¶
func (o *Provider) JWTProfileVerifier(ctx context.Context) *JWTProfileVerifier
func (*Provider) KeysEndpoint ¶
func (*Provider) RequestObjectSigningAlgorithmsSupported ¶
func (*Provider) RequestObjectSupported ¶
func (*Provider) RevocationAuthMethodPrivateKeyJWTSupported ¶
func (*Provider) RevocationEndpoint ¶
func (*Provider) RevocationEndpointSigningAlgorithmsSupported ¶
func (*Provider) SupportedUILocales ¶
func (*Provider) TokenEndpoint ¶
func (*Provider) TokenEndpointSigningAlgorithmsSupported ¶
func (*Provider) UserinfoEndpoint ¶
type Redirect ¶
// Redirect is a special response type which will initiate a http.StatusFound
// redirect to URL.
//
// NOTE(review): the package documentation mentions a Params field that is
// encoded into the URL's RawQuery, but this struct does not declare one —
// confirm against the implementation.
//
// EXPERIMENTAL: may change until v4
type Redirect struct {
	// Header map will be merged with the
	// header on the [http.ResponseWriter].
	Header http.Header
	URL    string
}
Redirect is a special response type which will initiate a http.StatusFound redirect. The Params field will be encoded and set to the URL's RawQuery field before building the URL.
EXPERIMENTAL: may change until v4
func NewRedirect ¶
func TryErrorRedirect ¶
func TryErrorRedirect(ctx context.Context, authReq ErrAuthRequest, parent error, encoder httphelper.Encoder, logger *slog.Logger) (*Redirect, error)
TryErrorRedirect tries to handle an error by redirecting a client. If this attempt fails, an error is returned that must be returned to the client instead.
type RefreshTokenRequest ¶
// RefreshTokenRequest is the data representing the original auth request that
// a refresh_token belongs to (see RefreshTokenRequestByRefreshToken).
// SetCurrentScopes allows narrowing the scopes for the refreshed tokens.
type RefreshTokenRequest interface {
	GetAMR() []string
	GetAudience() []string
	GetAuthTime() time.Time
	GetClientID() string
	GetScopes() []string
	GetSubject() string
	SetCurrentScopes(scopes []string)
}
func RefreshTokenRequestByRefreshToken ¶
func RefreshTokenRequestByRefreshToken(ctx context.Context, storage Storage, refreshToken string) (RefreshTokenRequest, error)
RefreshTokenRequestByRefreshToken returns the RefreshTokenRequest (data representing the original auth request) corresponding to the refresh_token from Storage or an error
type Request ¶
// Request contains the http.Request informational fields and parsed Data from
// the request body (POST) or URL parameters (GET). Data can be assumed to be
// validated according to the applicable standard for the specific endpoints.
//
// EXPERIMENTAL: may change until v4
type Request[T any] struct {
	Method   string
	URL      *url.URL
	Header   http.Header
	Form     url.Values
	PostForm url.Values
	Data     *T
}
Request contains the http.Request informational fields and parsed Data from the request body (POST) or URL parameters (GET). Data can be assumed to be validated according to the applicable standard for the specific endpoints.
EXPERIMENTAL: may change until v4
type Response ¶
// Response object for most Server methods.
//
// EXPERIMENTAL: may change until v4
type Response struct {
	// Header map will be merged with the
	// header on the [http.ResponseWriter].
	Header http.Header

	// Data will be JSON marshaled to
	// the response body.
	// We allow any type, so that implementations
	// can extend the standard types as they wish.
	// However, each method will recommend which
	// (base) type to use as model, in order to
	// be compliant with the standards.
	Data any
}
Response object for most Server methods.
EXPERIMENTAL: may change until v4
func NewResponse ¶
NewResponse creates a new response for data, without custom headers.
type Revoker ¶
// Revoker is the set of dependencies the revocation endpoint needs, including
// which client authentication methods it accepts.
type Revoker interface {
	Decoder() httphelper.Decoder
	Crypto() Crypto
	Storage() Storage
	AccessTokenVerifier(context.Context) *AccessTokenVerifier
	AuthMethodPrivateKeyJWTSupported() bool
	AuthMethodPostSupported() bool
}
type RevokerJWTProfile ¶
// RevokerJWTProfile extends Revoker with a JWT profile verifier, for
// revocation clients that authenticate with a JWT assertion.
type RevokerJWTProfile interface {
	Revoker
	JWTProfileVerifier(context.Context) *JWTProfileVerifier
}
type Server ¶
// Server describes the interface that needs to be implemented to serve OpenID
// Connect and OAuth2 standard requests.
//
// Methods are called after the HTTP route is resolved and the request body is
// parsed into the Request's Data field. When a method is called, it can be
// assumed that required fields, as described in their relevant standard, are
// validated already. The Response Data field may be of any type to allow
// flexibility to extend responses with custom fields. Where applicable the
// method documentation gives a recommended type.
//
// The addition of new methods is not considered a breaking change as defined
// by semver rules. Implementations MUST embed UnimplementedServer to maintain
// forward compatibility.
//
// EXPERIMENTAL: may change until v4
type Server interface {
	// Health returns a status of "ok" once the Server is listening.
	// The recommended Response Data type is [Status].
	Health(context.Context, *Request[struct{}]) (*Response, error)

	// Ready returns a status of "ok" once all dependencies,
	// such as database storage, are ready.
	// An error can be returned to explain what is not ready.
	// The recommended Response Data type is [Status].
	Ready(context.Context, *Request[struct{}]) (*Response, error)

	// Discovery returns the OpenID Provider Configuration Information for this server.
	// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
	// The recommended Response Data type is [oidc.DiscoveryConfiguration].
	Discovery(context.Context, *Request[struct{}]) (*Response, error)

	// Keys serves the JWK set which the client can use to verify signatures from the op.
	// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata `jwks_uri` key.
	// The recommended Response Data type is [jose.JSONWebKeySet].
	Keys(context.Context, *Request[struct{}]) (*Response, error)

	// VerifyAuthRequest verifies the Auth Request and
	// adds the Client to the request.
	//
	// When the `request` field is populated with a
	// "Request Object" JWT, it needs to be Validated
	// and its claims overwrite any fields in the AuthRequest.
	// If the implementation does not support "Request Object",
	// it MUST return an [oidc.ErrRequestNotSupported].
	// https://openid.net/specs/openid-connect-core-1_0.html#RequestObject
	VerifyAuthRequest(context.Context, *Request[oidc.AuthRequest]) (*ClientRequest[oidc.AuthRequest], error)

	// Authorize initiates the authorization flow and redirects to a login page.
	// See the various https://openid.net/specs/openid-connect-core-1_0.html
	// authorize endpoint sections (one for each type of flow).
	Authorize(context.Context, *ClientRequest[oidc.AuthRequest]) (*Redirect, error)

	// DeviceAuthorization initiates the device authorization flow.
	// https://datatracker.ietf.org/doc/html/rfc8628#section-3.1
	// The recommended Response Data type is [oidc.DeviceAuthorizationResponse].
	DeviceAuthorization(context.Context, *ClientRequest[oidc.DeviceAuthorizationRequest]) (*Response, error)

	// VerifyClient is called on most oauth/token handlers to authenticate,
	// using either a secret (POST, Basic) or assertion (JWT).
	// If no secrets are provided, the client must be public.
	// This method is called before each method that takes a
	// [ClientRequest] argument.
	VerifyClient(context.Context, *Request[ClientCredentials]) (Client, error)

	// CodeExchange returns Tokens after an authorization code
	// is obtained in a successful Authorize flow.
	// It is called by the Token endpoint handler when
	// grant_type has the value authorization_code
	// https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
	// The recommended Response Data type is [oidc.AccessTokenResponse].
	CodeExchange(context.Context, *ClientRequest[oidc.AccessTokenRequest]) (*Response, error)

	// RefreshToken returns new Tokens after verifying a Refresh token.
	// It is called by the Token endpoint handler when
	// grant_type has the value refresh_token
	// https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens
	// The recommended Response Data type is [oidc.AccessTokenResponse].
	RefreshToken(context.Context, *ClientRequest[oidc.RefreshTokenRequest]) (*Response, error)

	// JWTProfile handles the OAuth 2.0 JWT Profile Authorization Grant
	// It is called by the Token endpoint handler when
	// grant_type has the value urn:ietf:params:oauth:grant-type:jwt-bearer
	// https://datatracker.ietf.org/doc/html/rfc7523#section-2.1
	// The recommended Response Data type is [oidc.AccessTokenResponse].
	JWTProfile(context.Context, *Request[oidc.JWTProfileGrantRequest]) (*Response, error)

	// TokenExchange handles the OAuth 2.0 token exchange grant
	// It is called by the Token endpoint handler when
	// grant_type has the value urn:ietf:params:oauth:grant-type:token-exchange
	// https://datatracker.ietf.org/doc/html/rfc8693
	// The recommended Response Data type is [oidc.AccessTokenResponse].
	TokenExchange(context.Context, *ClientRequest[oidc.TokenExchangeRequest]) (*Response, error)

	// ClientCredentialsExchange handles the OAuth 2.0 client credentials grant
	// It is called by the Token endpoint handler when
	// grant_type has the value client_credentials
	// https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
	// The recommended Response Data type is [oidc.AccessTokenResponse].
	ClientCredentialsExchange(context.Context, *ClientRequest[oidc.ClientCredentialsRequest]) (*Response, error)

	// DeviceToken handles the OAuth 2.0 Device Authorization Grant
	// It is called by the Token endpoint handler when
	// grant_type has the value urn:ietf:params:oauth:grant-type:device_code.
	// It is typically called in a polling fashion and appropriate errors
	// should be returned to signal authorization_pending or access_denied etc.
	// https://datatracker.ietf.org/doc/html/rfc8628#section-3.4,
	// https://datatracker.ietf.org/doc/html/rfc8628#section-3.5.
	// The recommended Response Data type is [oidc.AccessTokenResponse].
	DeviceToken(context.Context, *ClientRequest[oidc.DeviceAccessTokenRequest]) (*Response, error)

	// Introspect handles the OAuth 2.0 Token Introspection endpoint.
	// https://datatracker.ietf.org/doc/html/rfc7662
	// The recommended Response Data type is [oidc.IntrospectionResponse].
	Introspect(context.Context, *Request[IntrospectionRequest]) (*Response, error)

	// UserInfo handles the UserInfo endpoint and returns Claims about the authenticated End-User.
	// https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
	// The recommended Response Data type is [oidc.UserInfo].
	UserInfo(context.Context, *Request[oidc.UserInfoRequest]) (*Response, error)

	// Revocation handles token revocation using an access or refresh token.
	// https://datatracker.ietf.org/doc/html/rfc7009
	// There are no response requirements. Data may remain empty.
	Revocation(context.Context, *ClientRequest[oidc.RevocationRequest]) (*Response, error)

	// EndSession handles the OpenID Connect RP-Initiated Logout.
	// https://openid.net/specs/openid-connect-rpinitiated-1_0.html
	// There are no response requirements. Data may remain empty.
	EndSession(context.Context, *Request[oidc.EndSessionRequest]) (*Redirect, error)

	// contains filtered or unexported methods
}
Server describes the interface that needs to be implemented to serve OpenID Connect and Oauth2 standard requests.
Methods are called after the HTTP route is resolved and the request body is parsed into the Request's Data field. When a method is called, it can be assumed that required fields, as described in their relevant standard, are validated already. The Response Data field may be of any type to allow flexibility to extend responses with custom fields. There are however requirements in the standards regarding the response models. Where applicable the method documentation gives a recommended type which can be used directly or extended upon.
The addition of new methods is not considered a breaking change as defined by semver rules. Implementations MUST embed UnimplementedServer to maintain forward compatibility.
EXPERIMENTAL: may change until v4
type ServerOption ¶
// ServerOption configures the Server's web layer; see WithDecoder,
// WithFallbackLogger, WithHTTPMiddleware, WithServerCORSOptions and
// WithSetRouter.
type ServerOption func(s *webServer)
func WithDecoder ¶
func WithDecoder(decoder httphelper.Decoder) ServerOption
WithDecoder overrides the default decoder, which is a schema.Decoder with IgnoreUnknownKeys set to true.
func WithFallbackLogger ¶
func WithFallbackLogger(logger *slog.Logger) ServerOption
WithFallbackLogger overrides the fallback logger, which is used when no logger was found in the context. Defaults to slog.Default.
func WithHTTPMiddleware ¶
func WithHTTPMiddleware(m ...func(http.Handler) http.Handler) ServerOption
WithHTTPMiddleware sets the passed middleware chain to the root of the Server's router.
func WithServerCORSOptions ¶ added in v3.3.0
func WithServerCORSOptions(opts *cors.Options) ServerOption
WithServerCORSOptions sets the CORS policy for the Server's router.
func WithSetRouter ¶ added in v3.1.0
func WithSetRouter(set func(chi.Router)) ServerOption
WithSetRouter allows customization of the Server's router.
type SessionEnder ¶
// SessionEnder is the set of dependencies the end_session endpoint needs
// (see ValidateEndSessionRequest).
type SessionEnder interface {
	Decoder() httphelper.Decoder
	Storage() Storage
	IDTokenHintVerifier(context.Context) *IDTokenHintVerifier
	DefaultLogoutRedirectURI() string
	Logger() *slog.Logger
}
type SigningKey ¶
// SigningKey is a private key used for signing, together with its algorithm
// and identifier.
type SigningKey interface {
	SignatureAlgorithm() jose.SignatureAlgorithm
	Key() any
	ID() string
}
type StatusError ¶
// StatusError wraps an error with a HTTP status code. The status code is
// passed to the handler's writer. Construct it with NewStatusError or
// AsStatusError.
type StatusError struct {
	// contains filtered or unexported fields
}
StatusError wraps an error with a HTTP status code. The status code is passed to the handler's writer.
func AsStatusError ¶
func AsStatusError(err error, statusCode int) (target StatusError)
AsStatusError unwraps a StatusError from err and returns it unmodified if found. If no StatusError was found, a new one is returned with statusCode set as a default.
func NewStatusError ¶
func NewStatusError(parent error, statusCode int) StatusError
NewStatusError sets the parent and statusCode to a new StatusError. It is recommended for parent to be an oidc.Error.
Typically implementations should only use this to signal something very specific, like an internal server error. If a returned error is not a StatusError, the framework will set a statusCode based on what the standard specifies, which is http.StatusBadRequest most of the time. If the error encountered can be described clearly with an oidc.Error, do not use this function, as it might break standard rules!
func RevocationError ¶
func RevocationError(err error) StatusError
func (StatusError) Error ¶
func (e StatusError) Error() string
func (StatusError) Is ¶
func (e StatusError) Is(err error) bool
func (StatusError) Unwrap ¶
func (e StatusError) Unwrap() error
type Storage ¶
// Storage is a required parameter for NewOpenIDProvider(). In addition to the
// embedded interfaces below, if the passed Storage implements
// ClientCredentialsStorage then the grant type "client_credentials" will be
// supported. In that case, the access token returned by CreateAccessToken
// should be a JWT. See https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.4
// for context.
type Storage interface {
	AuthStorage
	OPStorage
	Health(context.Context) error
}
Storage is a required parameter for NewOpenIDProvider(). In addition to the embedded interfaces below, if the passed Storage implements ClientCredentialsStorage then the grant type "client_credentials" will be supported. In that case, the access token returned by CreateAccessToken should be a JWT. See https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.4 for context.
type StorageNotFoundError ¶
// StorageNotFoundError is a marker interface; an error implementing it
// signals that a looked-up record does not exist in the Storage.
type StorageNotFoundError interface {
	IsNotFound()
}
type TokenActorRequest ¶ added in v3.17.0
// TokenActorRequest is an optional interface for token requests that carry
// actor claims (delegation), exposing them via GetActor.
type TokenActorRequest interface {
	GetActor() *oidc.ActorClaims
}
type TokenCreator ¶
type TokenExchangeRequest ¶
// TokenExchangeRequest is the parsed and verified form of an RFC 8693 token
// exchange request (see CreateTokenExchangeRequest). The Get* methods expose
// the request and the verified subject/actor tokens; the Set* methods are
// intended for TokenExchangeStorage.ValidateTokenExchangeRequest to adjust
// scopes, the requested token type and the subject.
//
// NOTE: GetResourses is misspelled but is part of the exported interface and
// cannot be renamed without breaking implementers.
type TokenExchangeRequest interface {
	GetAMR() []string
	GetAudience() []string
	GetResourses() []string
	GetAuthTime() time.Time
	GetClientID() string
	GetScopes() []string
	GetSubject() string
	GetRequestedTokenType() oidc.TokenType
	GetExchangeSubject() string
	GetExchangeSubjectTokenType() oidc.TokenType
	GetExchangeSubjectTokenIDOrToken() string
	GetExchangeSubjectTokenClaims() map[string]any
	GetExchangeActor() string
	GetExchangeActorTokenType() oidc.TokenType
	GetExchangeActorTokenIDOrToken() string
	GetExchangeActorTokenClaims() map[string]any
	SetCurrentScopes(scopes []string)
	SetRequestedTokenType(tt oidc.TokenType)
	SetSubject(subject string)
}
func CreateTokenExchangeRequest ¶
func CreateTokenExchangeRequest( ctx context.Context, oidcTokenExchangeRequest *oidc.TokenExchangeRequest, client Client, exchanger Exchanger, ) (TokenExchangeRequest, error)
type TokenExchangeStorage ¶
// TokenExchangeStorage is the storage side of the token exchange grant:
// validation of the parsed request, optional persistence, and claim
// population for the issued tokens.
type TokenExchangeStorage interface {
	// ValidateTokenExchangeRequest will be called to validate parsed (including tokens) Token Exchange Grant request.
	//
	// Important validations can include:
	// - permissions
	// - set requested token type to some default value if it is empty (rfc 8693 allows it) using SetRequestedTokenType method.
	//   Depending on RequestedTokenType - the following tokens will be issued:
	//   - RefreshTokenType - both access and refresh tokens
	//   - AccessTokenType - only access token
	//   - IDTokenType - only id token
	// - validation of subject's token type on possibility to be exchanged to the requested token type (according to your requirements)
	// - scopes (and update them using SetCurrentScopes method)
	// - set new subject if it differs from exchange subject (impersonation flow)
	//
	// Request will include subject's and/or actor's token claims if corresponding tokens are access/id_token issued by op
	// or third party tokens parsed by TokenExchangeTokensVerifierStorage interface methods.
	//
	// This is the only hook where the implementer decides whether the calling
	// client may act for (or impersonate) the exchange subject; returning an
	// error here rejects the exchange.
	ValidateTokenExchangeRequest(ctx context.Context, request TokenExchangeRequest) error

	// CreateTokenExchangeRequest will be called after parsing and validating token exchange request.
	// Stored request is not accessed later by op - so it is up to implementer to decide
	// should this method actually store the request or not (common use case - store it for audit purposes)
	CreateTokenExchangeRequest(ctx context.Context, request TokenExchangeRequest) error

	// GetPrivateClaimsFromTokenExchangeRequest will be called during access token creation.
	// Claims evaluation can be based on all validated request data available, including: scopes, resource, audience, etc.
	GetPrivateClaimsFromTokenExchangeRequest(ctx context.Context, request TokenExchangeRequest) (claims map[string]any, err error)

	// SetUserinfoFromTokenExchangeRequest will be called during id token creation.
	// Claims evaluation can be based on all validated request data available, including: scopes, resource, audience, etc.
	SetUserinfoFromTokenExchangeRequest(ctx context.Context, userinfo *oidc.UserInfo, request TokenExchangeRequest) error
}
type TokenExchangeTokensVerifierStorage ¶
// TokenExchangeTokensVerifierStorage is an optional interface used in the token
// exchange process to verify tokens issued by third-party applications. If it is
// not implemented, only tokens issued by this op can be exchanged.
type TokenExchangeTokensVerifierStorage interface {
	// VerifyExchangeSubjectToken verifies a third-party subject token of the given
	// tokenType. It returns an identifier for the token (or the token itself), the
	// subject the token represents, and the token's claims, which are then made
	// available on the TokenExchangeRequest passed to TokenExchangeStorage.
	//
	// NOTE(review): the returned subject is what the op acts on when issuing tokens;
	// presumably signature, issuer, audience and expiry checks belong here - confirm
	// against the caller in token_exchange.go.
	VerifyExchangeSubjectToken(ctx context.Context, token string, tokenType oidc.TokenType) (tokenIDOrToken string, subject string, tokenClaims map[string]any, err error)

	// VerifyExchangeActorToken verifies a third-party actor token of the given
	// tokenType. It returns an identifier for the token (or the token itself), the
	// actor the token represents, and the token's claims, which are then made
	// available on the TokenExchangeRequest passed to TokenExchangeStorage.
	// The same verification expectations as for VerifyExchangeSubjectToken apply.
	VerifyExchangeActorToken(ctx context.Context, token string, tokenType oidc.TokenType) (tokenIDOrToken string, actor string, tokenClaims map[string]any, err error)
}
TokenExchangeTokensVerifierStorage is an optional interface used in the token exchange process to verify tokens issued by third-party applications. If the interface is not implemented, only tokens issued by this op can be exchanged.
type TokenRequest ¶
type UnimplementedServer ¶
type UnimplementedServer struct{}
func (UnimplementedServer) Authorize ¶
func (UnimplementedServer) Authorize(ctx context.Context, r *ClientRequest[oidc.AuthRequest]) (*Redirect, error)
func (UnimplementedServer) ClientCredentialsExchange ¶
func (UnimplementedServer) ClientCredentialsExchange(ctx context.Context, r *ClientRequest[oidc.ClientCredentialsRequest]) (*Response, error)
func (UnimplementedServer) CodeExchange ¶
func (UnimplementedServer) CodeExchange(ctx context.Context, r *ClientRequest[oidc.AccessTokenRequest]) (*Response, error)
func (UnimplementedServer) DeviceAuthorization ¶
func (UnimplementedServer) DeviceAuthorization(ctx context.Context, r *ClientRequest[oidc.DeviceAuthorizationRequest]) (*Response, error)
func (UnimplementedServer) DeviceToken ¶
func (UnimplementedServer) DeviceToken(ctx context.Context, r *ClientRequest[oidc.DeviceAccessTokenRequest]) (*Response, error)
func (UnimplementedServer) EndSession ¶
func (UnimplementedServer) EndSession(ctx context.Context, r *Request[oidc.EndSessionRequest]) (*Redirect, error)
func (UnimplementedServer) Introspect ¶
func (UnimplementedServer) Introspect(ctx context.Context, r *Request[IntrospectionRequest]) (*Response, error)
func (UnimplementedServer) JWTProfile ¶
func (UnimplementedServer) JWTProfile(ctx context.Context, r *Request[oidc.JWTProfileGrantRequest]) (*Response, error)
func (UnimplementedServer) RefreshToken ¶
func (UnimplementedServer) RefreshToken(ctx context.Context, r *ClientRequest[oidc.RefreshTokenRequest]) (*Response, error)
func (UnimplementedServer) Revocation ¶
func (UnimplementedServer) Revocation(ctx context.Context, r *ClientRequest[oidc.RevocationRequest]) (*Response, error)
func (UnimplementedServer) TokenExchange ¶
func (UnimplementedServer) TokenExchange(ctx context.Context, r *ClientRequest[oidc.TokenExchangeRequest]) (*Response, error)
func (UnimplementedServer) UserInfo ¶
func (UnimplementedServer) UserInfo(ctx context.Context, r *Request[oidc.UserInfoRequest]) (*Response, error)
func (UnimplementedServer) VerifyAuthRequest ¶
func (UnimplementedServer) VerifyAuthRequest(ctx context.Context, r *Request[oidc.AuthRequest]) (*ClientRequest[oidc.AuthRequest], error)
func (UnimplementedServer) VerifyClient ¶
func (UnimplementedServer) VerifyClient(ctx context.Context, r *Request[ClientCredentials]) (Client, error)
type UserCodeConfig ¶
type UserinfoProvider ¶
// UserinfoProvider bundles the dependencies used to serve userinfo requests: a
// request decoder, the crypto helper, the storage backend and an access token verifier.
// NOTE(review): the name and method set suggest the userinfo endpoint consumes this
// interface - confirm in userinfo.go.
type UserinfoProvider interface {
	Decoder() httphelper.Decoder
	Crypto() Crypto
	Storage() Storage
	// AccessTokenVerifier returns the verifier for the bearer token presented to the
	// endpoint (assumed from the name - TODO confirm).
	AccessTokenVerifier(context.Context) *AccessTokenVerifier
}
Source Files ¶
- applicationtype_enumer.go
- auth_request.go
- client.go
- config.go
- context.go
- crypto.go
- device.go
- discovery.go
- endpoint.go
- error.go
- keys.go
- op.go
- probes.go
- server.go
- server_http.go
- server_legacy.go
- session.go
- signer.go
- storage.go
- token.go
- token_client_credentials.go
- token_code.go
- token_exchange.go
- token_intospection.go
- token_jwt_profile.go
- token_refresh.go
- token_request.go
- token_revocation.go
- userinfo.go
- verifier_access_token.go
- verifier_id_token_hint.go
- verifier_jwt_profile.go