Documentation ¶
Index ¶
- Constants
- Variables
- func AccessTokenTypeStrings() []string
- func ApplicationTypeStrings() []string
- func AuthCallbackURL(o OpenIDProvider) func(string) string
- func AuthMethodsIntrospectionEndpoint(c Configuration) []oidc.AuthMethod
- func AuthMethodsRevocationEndpoint(c Configuration) []oidc.AuthMethod
- func AuthMethodsTokenEndpoint(c Configuration) []oidc.AuthMethod
- func AuthRequestError(w http.ResponseWriter, r *http.Request, authReq ErrAuthRequest, err error, ...)
- func AuthResponse(authReq AuthRequest, authorizer Authorizer, w http.ResponseWriter, ...)
- func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthRequest, ...)
- func AuthResponseToken(w http.ResponseWriter, r *http.Request, authReq AuthRequest, ...)
- func AuthResponseURL(redirectURI string, responseType oidc.ResponseType, ...) (string, error)
- func Authorize(w http.ResponseWriter, r *http.Request, authorizer Authorizer)
- func AuthorizeCallback(w http.ResponseWriter, r *http.Request, authorizer Authorizer)
- func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string, storage Storage) error
- func AuthorizeCodeChallenge(tokenReq *oidc.AccessTokenRequest, challenge *oidc.CodeChallenge) error
- func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (request AuthRequest, client Client, err error)
- func AuthorizeRefreshClient(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (request RefreshTokenRequest, client Client, err error)
- func BuildAuthRequestCode(authReq AuthRequest, crypto Crypto) (string, error)
- func ClientCredentialsExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
- func CodeChallengeMethods(c Configuration) []oidc.CodeChallengeMethod
- func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
- func ContainsResponseType(types []oidc.ResponseType, responseType oidc.ResponseType) bool
- func CopyRequestObjectToAuthRequest(authReq *oidc.AuthRequest, requestObject *oidc.RequestObject)
- func CreateAccessToken(ctx context.Context, tokenRequest TokenRequest, ...) (accessToken, newRefreshToken string, validity time.Duration, err error)
- func CreateAuthRequestCode(ctx context.Context, authReq AuthRequest, storage Storage, crypto Crypto) (string, error)
- func CreateBearerToken(tokenID, subject string, crypto Crypto) (string, error)
- func CreateClientCredentialsTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator, ...) (*oidc.AccessTokenResponse, error)
- func CreateDiscoveryConfig(c Configuration, s Signer) *oidc.DiscoveryConfiguration
- func CreateIDToken(ctx context.Context, issuer string, request IDTokenRequest, ...) (string, error)
- func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, exp time.Time, ...) (string, error)
- func CreateJWTTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator) (*oidc.AccessTokenResponse, error)
- func CreateRouter(o OpenIDProvider, interceptors ...HttpInterceptor) *mux.Router
- func CreateTokenResponse(ctx context.Context, request IDTokenRequest, client Client, ...) (*oidc.AccessTokenResponse, error)
- func Discover(w http.ResponseWriter, config *oidc.DiscoveryConfiguration)
- func EndSession(w http.ResponseWriter, r *http.Request, ender SessionEnder)
- func Exchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
- func GrantTypes(c Configuration) []oidc.GrantType
- func HTTPLoopbackOrLocalhost(rawurl string) (*url.URL, bool)
- func Introspect(w http.ResponseWriter, r *http.Request, introspector Introspector)
- func IntrospectionSigAlgorithms(c Configuration) []string
- func IsConfidentialType(c Client) bool
- func JWTProfile(w http.ResponseWriter, r *http.Request, ...)
- func Keys(w http.ResponseWriter, r *http.Request, k KeyProvider)
- func ParseAccessTokenRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.AccessTokenRequest, error)
- func ParseAuthenticatedTokenRequest(r *http.Request, decoder httphelper.Decoder, request AuthenticatedTokenRequest) error
- func ParseAuthorizeRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.AuthRequest, error)
- func ParseClientCredentialsRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.ClientCredentialsRequest, error)
- func ParseEndSessionRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.EndSessionRequest, error)
- func ParseJWTProfileGrantRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.JWTProfileGrantRequest, error)
- func ParseJWTProfileRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.JWTProfileGrantRequest, error)
- func ParseRefreshTokenRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.RefreshTokenRequest, error)
- func ParseRequestObject(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, issuer string) (*oidc.AuthRequest, error)
- func ParseTokenIntrospectionRequest(r *http.Request, introspector Introspector) (token, clientID string, err error)
- func ParseTokenRevocationRequest(r *http.Request, revoker Revoker) (token, tokenTypeHint, clientID string, err error)
- func ParseUserinfoRequest(r *http.Request, decoder httphelper.Decoder) (string, error)
- func Readiness(w http.ResponseWriter, r *http.Request, probes ...ProbesFn)
- func RedirectToLogin(authReqID string, client Client, w http.ResponseWriter, r *http.Request)
- func RefreshTokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
- func RequestError(w http.ResponseWriter, r *http.Request, err error)
- func RequestObjectSigAlgorithms(c Configuration) []string
- func ResponseTypes(c Configuration) []string
- func RevocationRequestError(w http.ResponseWriter, r *http.Request, err error)
- func RevocationSigAlgorithms(c Configuration) []string
- func Revoke(w http.ResponseWriter, r *http.Request, revoker Revoker)
- func Scopes(c Configuration) []string
- func SigAlgorithms(s Signer) []string
- func SubjectIsIssuer(request *oidc.JWTTokenRequest) error
- func SubjectTypes(c Configuration) []string
- func SupportedClaims(c Configuration) []string
- func TokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
- func TokenSigAlgorithms(c Configuration) []string
- func Userinfo(w http.ResponseWriter, r *http.Request, userinfoProvider UserinfoProvider)
- func ValidateAccessTokenRequest(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, Client, error)
- func ValidateAuthReqIDTokenHint(ctx context.Context, idTokenHint string, verifier IDTokenHintVerifier) (string, error)
- func ValidateAuthReqPrompt(prompts []string, maxAge *uint) (_ *uint, err error)
- func ValidateAuthReqRedirectURI(client Client, uri string, responseType oidc.ResponseType) error
- func ValidateAuthReqResponseType(client Client, responseType oidc.ResponseType) error
- func ValidateAuthReqScopes(client Client, scopes []string) ([]string, error)
- func ValidateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, ...) (sub string, err error)
- func ValidateClientCredentialsRequest(ctx context.Context, request *oidc.ClientCredentialsRequest, ...) (TokenRequest, Client, error)
- func ValidateEndSessionPostLogoutRedirectURI(postLogoutRedirectURI string, client Client) error
- func ValidateGrantType(client Client, grantType oidc.GrantType) bool
- func ValidateIssuer(issuer string) error
- func ValidateRefreshTokenRequest(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (RefreshTokenRequest, Client, error)
- func ValidateRefreshTokenScopes(requestedScopes []string, authRequest RefreshTokenRequest) error
- func VerifyAccessToken(ctx context.Context, token string, v AccessTokenVerifier) (oidc.AccessTokenClaims, error)
- func VerifyIDTokenHint(ctx context.Context, token string, v IDTokenHintVerifier) (oidc.IDTokenClaims, error)
- func VerifyJWTAssertion(ctx context.Context, assertion string, v JWTProfileVerifier) (*oidc.JWTTokenRequest, error)
- type AccessTokenType
- func (i AccessTokenType) IsAAccessTokenType() bool
- func (i AccessTokenType) MarshalGQL(w io.Writer)
- func (i AccessTokenType) MarshalJSON() ([]byte, error)
- func (i AccessTokenType) MarshalText() ([]byte, error)
- func (i AccessTokenType) MarshalYAML() (interface{}, error)
- func (i *AccessTokenType) Scan(value interface{}) error
- func (i AccessTokenType) String() string
- func (i *AccessTokenType) UnmarshalGQL(value interface{}) error
- func (i *AccessTokenType) UnmarshalJSON(data []byte) error
- func (i *AccessTokenType) UnmarshalText(text []byte) error
- func (i *AccessTokenType) UnmarshalYAML(unmarshal func(interface{}) error) error
- func (i AccessTokenType) Value() (driver.Value, error)
- type AccessTokenVerifier
- type AccessTokenVerifierOpt
- type ApplicationType
- func (i ApplicationType) IsAApplicationType() bool
- func (i ApplicationType) MarshalGQL(w io.Writer)
- func (i ApplicationType) MarshalJSON() ([]byte, error)
- func (i ApplicationType) MarshalText() ([]byte, error)
- func (i ApplicationType) MarshalYAML() (interface{}, error)
- func (i *ApplicationType) Scan(value interface{}) error
- func (i ApplicationType) String() string
- func (i *ApplicationType) UnmarshalGQL(value interface{}) error
- func (i *ApplicationType) UnmarshalJSON(data []byte) error
- func (i *ApplicationType) UnmarshalText(text []byte) error
- func (i *ApplicationType) UnmarshalYAML(unmarshal func(interface{}) error) error
- func (i ApplicationType) Value() (driver.Value, error)
- type AuthMethod
- type AuthRequest
- type AuthStorage
- type AuthenticatedTokenRequest
- type AuthorizeValidator
- type Authorizer
- type Client
- type ClientCredentialsStorage
- type Config
- type Configuration
- type Crypto
- type EndSessionRequest
- type Endpoint
- type ErrAuthRequest
- type Exchanger
- type HttpInterceptor
- type IDTokenHintVerifier
- type IDTokenHintVerifierOpt
- type IDTokenRequest
- type Introspector
- type IntrospectorJWTProfile
- type JWTAuthorizationGrantExchanger
- type JWTProfileVerifier
- type JWTProfileVerifierOption
- type KeyProvider
- type OPStorage
- type OpenIDProvider
- type Option
- func WithAccessTokenVerifierOpts(opts ...AccessTokenVerifierOpt) Option
- func WithCustomAuthEndpoint(endpoint Endpoint) Option
- func WithCustomEndSessionEndpoint(endpoint Endpoint) Option
- func WithCustomEndpoints(auth, token, userInfo, revocation, endSession, keys Endpoint) Option
- func WithCustomIntrospectionEndpoint(endpoint Endpoint) Option
- func WithCustomKeysEndpoint(endpoint Endpoint) Option
- func WithCustomRevocationEndpoint(endpoint Endpoint) Option
- func WithCustomTokenEndpoint(endpoint Endpoint) Option
- func WithCustomUserinfoEndpoint(endpoint Endpoint) Option
- func WithHttpInterceptors(interceptors ...HttpInterceptor) Option
- func WithIDTokenHintVerifierOpts(opts ...IDTokenHintVerifierOpt) Option
- type ProbesFn
- type RefreshTokenRequest
- type Revoker
- type RevokerJWTProfile
- type SessionEnder
- type Signer
- type Storage
- type StorageNotFoundError
- type TokenCreator
- type TokenRequest
- type UserinfoProvider
Constants ¶
const (
OidcDevMode = "ZITADEL_OIDC_DEV"
)
Variables ¶
var DefaultEndpoints = &endpoints{ Authorization: NewEndpoint(defaultAuthorizationEndpoint), Token: NewEndpoint(defaultTokenEndpoint), Introspection: NewEndpoint(defaultIntrospectEndpoint), Userinfo: NewEndpoint(defaultUserinfoEndpoint), Revocation: NewEndpoint(defaultRevocationEndpoint), EndSession: NewEndpoint(defaultEndSessionEndpoint), JwksURI: NewEndpoint(defaultKeysEndpoint), }
var DefaultSupportedScopes = []string{ oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopePhone, oidc.ScopeAddress, oidc.ScopeOfflineAccess, }
Functions ¶
func AccessTokenTypeStrings ¶ added in v1.6.1
func AccessTokenTypeStrings() []string
AccessTokenTypeStrings returns a slice of all String values of the enum
func ApplicationTypeStrings ¶ added in v1.6.1
func ApplicationTypeStrings() []string
ApplicationTypeStrings returns a slice of all String values of the enum
func AuthCallbackURL ¶
func AuthCallbackURL(o OpenIDProvider) func(string) string
AuthCallbackURL builds the url for the redirect (with the requestID) after a successful login
func AuthMethodsIntrospectionEndpoint ¶
func AuthMethodsIntrospectionEndpoint(c Configuration) []oidc.AuthMethod
func AuthMethodsRevocationEndpoint ¶
func AuthMethodsRevocationEndpoint(c Configuration) []oidc.AuthMethod
func AuthMethodsTokenEndpoint ¶
func AuthMethodsTokenEndpoint(c Configuration) []oidc.AuthMethod
func AuthRequestError ¶
func AuthRequestError(w http.ResponseWriter, r *http.Request, authReq ErrAuthRequest, err error, encoder httphelper.Encoder)
func AuthResponse ¶
func AuthResponse(authReq AuthRequest, authorizer Authorizer, w http.ResponseWriter, r *http.Request)
AuthResponse creates the successful authentication response (either code or tokens)
func AuthResponseCode ¶
func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer)
AuthResponseCode creates the successful code authentication response
func AuthResponseToken ¶
func AuthResponseToken(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer, client Client)
AuthResponseToken creates the successful token(s) authentication response
func AuthResponseURL ¶
func AuthResponseURL(redirectURI string, responseType oidc.ResponseType, responseMode oidc.ResponseMode, response interface{}, encoder httphelper.Encoder) (string, error)
AuthResponseURL encodes the authorization response (successful and error) and sets it as query or fragment values depending on the response_mode and response_type
func Authorize ¶
func Authorize(w http.ResponseWriter, r *http.Request, authorizer Authorizer)
Authorize handles the authorization request, including parsing, validating, storing and finally redirecting to the login handler
func AuthorizeCallback ¶
func AuthorizeCallback(w http.ResponseWriter, r *http.Request, authorizer Authorizer)
AuthorizeCallback handles the callback after authentication in the Login UI
func AuthorizeClientIDSecret ¶
func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string, storage Storage) error
AuthorizeClientIDSecret authorizes a client by validating the client_id and client_secret (sent either via HTTP Basic Auth or in the POST form body) against the Storage
func AuthorizeCodeChallenge ¶
func AuthorizeCodeChallenge(tokenReq *oidc.AccessTokenRequest, challenge *oidc.CodeChallenge) error
AuthorizeCodeChallenge authorizes a client by validating the code_verifier of the token request against the code_challenge previously sent with the auth request (PKCE, RFC 7636)
func AuthorizeCodeClient ¶
func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (request AuthRequest, client Client, err error)
AuthorizeCodeClient checks the authorization of the client and that the authentication method used was the one registered for the client. It then returns the auth request corresponding to the auth code
func AuthorizeRefreshClient ¶
func AuthorizeRefreshClient(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (request RefreshTokenRequest, client Client, err error)
AuthorizeRefreshClient checks the authorization of the client and that the authentication method used was the one registered for the client. It then returns the data representing the original auth request corresponding to the refresh_token
func BuildAuthRequestCode ¶
func BuildAuthRequestCode(authReq AuthRequest, crypto Crypto) (string, error)
BuildAuthRequestCode builds the string representation of the auth code
func ClientCredentialsExchange ¶ added in v1.4.0
func ClientCredentialsExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
ClientCredentialsExchange handles the OAuth 2.0 client_credentials grant, including parsing, validating, authorizing the client and finally returning a token
func CodeChallengeMethods ¶
func CodeChallengeMethods(c Configuration) []oidc.CodeChallengeMethod
func CodeExchange ¶
func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
CodeExchange handles the OAuth 2.0 authorization_code grant, including parsing, validating, authorizing the client and finally exchanging the code for tokens
func ContainsResponseType ¶
func ContainsResponseType(types []oidc.ResponseType, responseType oidc.ResponseType) bool
func CopyRequestObjectToAuthRequest ¶
func CopyRequestObjectToAuthRequest(authReq *oidc.AuthRequest, requestObject *oidc.RequestObject)
CopyRequestObjectToAuthRequest overwrites present values from the Request Object into the auth request and clears the `RequestParam` of the auth request
func CreateAccessToken ¶
func CreateAccessToken(ctx context.Context, tokenRequest TokenRequest, accessTokenType AccessTokenType, creator TokenCreator, client Client, refreshToken string) (accessToken, newRefreshToken string, validity time.Duration, err error)
func CreateAuthRequestCode ¶
func CreateAuthRequestCode(ctx context.Context, authReq AuthRequest, storage Storage, crypto Crypto) (string, error)
CreateAuthRequestCode creates and stores a code for the auth code response
func CreateBearerToken ¶
func CreateClientCredentialsTokenResponse ¶ added in v1.4.0
func CreateClientCredentialsTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator, client Client) (*oidc.AccessTokenResponse, error)
func CreateDiscoveryConfig ¶
func CreateDiscoveryConfig(c Configuration, s Signer) *oidc.DiscoveryConfiguration
func CreateIDToken ¶
func CreateJWTTokenResponse ¶
func CreateJWTTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator) (*oidc.AccessTokenResponse, error)
CreateJWTTokenResponse creates an *oidc.AccessTokenResponse for the given TokenRequest using the provided TokenCreator
func CreateRouter ¶
func CreateRouter(o OpenIDProvider, interceptors ...HttpInterceptor) *mux.Router
func CreateTokenResponse ¶
func CreateTokenResponse(ctx context.Context, request IDTokenRequest, client Client, creator TokenCreator, createAccessToken bool, code, refreshToken string) (*oidc.AccessTokenResponse, error)
func Discover ¶
func Discover(w http.ResponseWriter, config *oidc.DiscoveryConfiguration)
func EndSession ¶
func EndSession(w http.ResponseWriter, r *http.Request, ender SessionEnder)
func Exchange ¶ added in v1.9.0
func Exchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
Exchange performs a token exchange appropriate for the grant type
func GrantTypes ¶
func GrantTypes(c Configuration) []oidc.GrantType
func Introspect ¶
func Introspect(w http.ResponseWriter, r *http.Request, introspector Introspector)
func IntrospectionSigAlgorithms ¶
func IntrospectionSigAlgorithms(c Configuration) []string
func IsConfidentialType ¶
func JWTProfile ¶
func JWTProfile(w http.ResponseWriter, r *http.Request, exchanger JWTAuthorizationGrantExchanger)
JWTProfile handles the OAuth 2.0 JWT Profile Authorization Grant https://tools.ietf.org/html/rfc7523#section-2.1
func Keys ¶
func Keys(w http.ResponseWriter, r *http.Request, k KeyProvider)
func ParseAccessTokenRequest ¶
func ParseAccessTokenRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.AccessTokenRequest, error)
ParseAccessTokenRequest parses the HTTP request into an oidc.AccessTokenRequest
func ParseAuthenticatedTokenRequest ¶
func ParseAuthenticatedTokenRequest(r *http.Request, decoder httphelper.Decoder, request AuthenticatedTokenRequest) error
ParseAuthenticatedTokenRequest parses the client_id and client_secret from the HTTP request, taken from either the HTTP Basic Auth header or the form body, and sets them on the provided AuthenticatedTokenRequest
func ParseAuthorizeRequest ¶
func ParseAuthorizeRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.AuthRequest, error)
ParseAuthorizeRequest parses the HTTP request into an oidc.AuthRequest
func ParseClientCredentialsRequest ¶ added in v1.4.0
func ParseClientCredentialsRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.ClientCredentialsRequest, error)
ParseClientCredentialsRequest parses the HTTP request into an oidc.ClientCredentialsRequest
func ParseEndSessionRequest ¶
func ParseEndSessionRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.EndSessionRequest, error)
func ParseJWTProfileGrantRequest ¶
func ParseJWTProfileGrantRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.JWTProfileGrantRequest, error)
func ParseJWTProfileRequest ¶
func ParseJWTProfileRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.JWTProfileGrantRequest, error)
ParseJWTProfileRequest has been renamed to ParseJWTProfileGrantRequest.
Deprecated: use ParseJWTProfileGrantRequest instead.
func ParseRefreshTokenRequest ¶
func ParseRefreshTokenRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.RefreshTokenRequest, error)
ParseRefreshTokenRequest parses the HTTP request into an oidc.RefreshTokenRequest
func ParseRequestObject ¶
func ParseRequestObject(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, issuer string) (*oidc.AuthRequest, error)
ParseRequestObject parses the `request` parameter, validates the Request Object token including its signature, and copies the token claims into the auth request
func ParseTokenIntrospectionRequest ¶
func ParseTokenIntrospectionRequest(r *http.Request, introspector Introspector) (token, clientID string, err error)
func ParseUserinfoRequest ¶
func RedirectToLogin ¶
RedirectToLogin redirects the end user to the Login UI for authentication
func RefreshTokenExchange ¶
func RefreshTokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
RefreshTokenExchange handles the OAuth 2.0 refresh_token grant, including parsing, validating, authorizing the client and finally exchanging the refresh_token for new tokens
func RequestError ¶
func RequestError(w http.ResponseWriter, r *http.Request, err error)
func RequestObjectSigAlgorithms ¶
func RequestObjectSigAlgorithms(c Configuration) []string
func ResponseTypes ¶
func ResponseTypes(c Configuration) []string
func RevocationRequestError ¶
func RevocationRequestError(w http.ResponseWriter, r *http.Request, err error)
func RevocationSigAlgorithms ¶
func RevocationSigAlgorithms(c Configuration) []string
func Scopes ¶
func Scopes(c Configuration) []string
func SigAlgorithms ¶
func SubjectIsIssuer ¶
func SubjectIsIssuer(request *oidc.JWTTokenRequest) error
func SubjectTypes ¶
func SubjectTypes(c Configuration) []string
func SupportedClaims ¶
func SupportedClaims(c Configuration) []string
func TokenExchange ¶
func TokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)
TokenExchange will handle the OAuth 2.0 token exchange grant ("urn:ietf:params:oauth:grant-type:token-exchange")
func TokenSigAlgorithms ¶
func TokenSigAlgorithms(c Configuration) []string
func Userinfo ¶
func Userinfo(w http.ResponseWriter, r *http.Request, userinfoProvider UserinfoProvider)
func ValidateAccessTokenRequest ¶
func ValidateAccessTokenRequest(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, Client, error)
ValidateAccessTokenRequest validates the token request parameters, including the authorization check of the client, and returns the previously created auth request corresponding to the auth code
func ValidateAuthReqIDTokenHint ¶
func ValidateAuthReqIDTokenHint(ctx context.Context, idTokenHint string, verifier IDTokenHintVerifier) (string, error)
ValidateAuthReqIDTokenHint validates the id_token_hint (if passed as parameter in the request) and returns the `sub` claim
func ValidateAuthReqPrompt ¶
ValidateAuthReqPrompt validates the passed prompt values and sets max_age to 0 if prompt=login is present
func ValidateAuthReqRedirectURI ¶
func ValidateAuthReqRedirectURI(client Client, uri string, responseType oidc.ResponseType) error
ValidateAuthReqRedirectURI validates the passed redirect_uri and response_type against the client's registered redirect URIs and its application type
func ValidateAuthReqResponseType ¶
func ValidateAuthReqResponseType(client Client, responseType oidc.ResponseType) error
ValidateAuthReqResponseType validates the passed response_type to the registered response types
func ValidateAuthReqScopes ¶
ValidateAuthReqScopes validates the passed scopes
func ValidateAuthRequest ¶
func ValidateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, verifier IDTokenHintVerifier) (sub string, err error)
ValidateAuthRequest validates the authorize parameters and returns the subject (`sub`) of the id_token_hint if one was passed
func ValidateClientCredentialsRequest ¶ added in v1.4.0
func ValidateClientCredentialsRequest(ctx context.Context, request *oidc.ClientCredentialsRequest, exchanger Exchanger) (TokenRequest, Client, error)
ValidateClientCredentialsRequest validates the client_credentials request parameters, including the authorization check of the client, and returns the TokenRequest and Client the token is to be issued for
func ValidateEndSessionPostLogoutRedirectURI ¶ added in v1.6.1
func ValidateGrantType ¶
ValidateGrantType ensures that the requested grant_type is allowed by the Client
func ValidateIssuer ¶
func ValidateRefreshTokenRequest ¶
func ValidateRefreshTokenRequest(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (RefreshTokenRequest, Client, error)
ValidateRefreshTokenRequest validates the refresh_token request parameters including authorization check of the client and returns the data representing the original auth request corresponding to the refresh_token
func ValidateRefreshTokenScopes ¶
func ValidateRefreshTokenScopes(requestedScopes []string, authRequest RefreshTokenRequest) error
ValidateRefreshTokenScopes validates that the requested scopes are a subset of the scopes of the original auth request. It sets the requested scopes as the current scopes on the RefreshTokenRequest; if no scopes were requested, the original scopes are used
func VerifyAccessToken ¶
func VerifyAccessToken(ctx context.Context, token string, v AccessTokenVerifier) (oidc.AccessTokenClaims, error)
VerifyAccessToken validates the access token: issuer, signature and expiration. Audience is not among the checks listed here, so a resource server that must restrict tokens to itself should confirm whether the verifier checks `aud` and, if not, check it on the returned claims
func VerifyIDTokenHint ¶
func VerifyIDTokenHint(ctx context.Context, token string, v IDTokenHintVerifier) (oidc.IDTokenClaims, error)
VerifyIDTokenHint validates the id token according to https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
func VerifyJWTAssertion ¶
func VerifyJWTAssertion(ctx context.Context, assertion string, v JWTProfileVerifier) (*oidc.JWTTokenRequest, error)
VerifyJWTAssertion verifies the assertion string from JWT Profile (authorization grant and client authentication)
It checks the audience, exp, iat and the signature, and requires issuer and sub to be identical (see SubjectIsIssuer)
Types ¶
type AccessTokenType ¶
type AccessTokenType int
const ( AccessTokenTypeBearer AccessTokenType = iota // bearer AccessTokenTypeJWT // JWT )
func AccessTokenTypeString ¶ added in v1.6.1
func AccessTokenTypeString(s string) (AccessTokenType, error)
AccessTokenTypeString retrieves an enum value from the enum constant's string name. It returns an error if the parameter is not part of the enum.
func AccessTokenTypeValues ¶ added in v1.6.1
func AccessTokenTypeValues() []AccessTokenType
AccessTokenTypeValues returns all values of the enum
func (AccessTokenType) IsAAccessTokenType ¶ added in v1.6.1
func (i AccessTokenType) IsAAccessTokenType() bool
IsAAccessTokenType returns "true" if the value is listed in the enum definition. "false" otherwise
func (AccessTokenType) MarshalGQL ¶ added in v1.6.1
func (i AccessTokenType) MarshalGQL(w io.Writer)
MarshalGQL implements the graphql.Marshaler interface for AccessTokenType
func (AccessTokenType) MarshalJSON ¶ added in v1.6.1
func (i AccessTokenType) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface for AccessTokenType
func (AccessTokenType) MarshalText ¶ added in v1.6.1
func (i AccessTokenType) MarshalText() ([]byte, error)
MarshalText implements the encoding.TextMarshaler interface for AccessTokenType
func (AccessTokenType) MarshalYAML ¶ added in v1.6.1
func (i AccessTokenType) MarshalYAML() (interface{}, error)
MarshalYAML implements a YAML Marshaler for AccessTokenType
func (*AccessTokenType) Scan ¶ added in v1.6.1
func (i *AccessTokenType) Scan(value interface{}) error
func (AccessTokenType) String ¶ added in v1.6.1
func (i AccessTokenType) String() string
func (*AccessTokenType) UnmarshalGQL ¶ added in v1.6.1
func (i *AccessTokenType) UnmarshalGQL(value interface{}) error
UnmarshalGQL implements the graphql.Unmarshaler interface for AccessTokenType
func (*AccessTokenType) UnmarshalJSON ¶ added in v1.6.1
func (i *AccessTokenType) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface for AccessTokenType
func (*AccessTokenType) UnmarshalText ¶ added in v1.6.1
func (i *AccessTokenType) UnmarshalText(text []byte) error
UnmarshalText implements the encoding.TextUnmarshaler interface for AccessTokenType
func (*AccessTokenType) UnmarshalYAML ¶ added in v1.6.1
func (i *AccessTokenType) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML implements a YAML Unmarshaler for AccessTokenType
type AccessTokenVerifier ¶
// AccessTokenVerifier verifies access tokens issued by this provider (see VerifyAccessToken).
// It embeds oidc.Verifier and adds the two inputs a signature check needs: the accepted
// algorithms and the key set.
type AccessTokenVerifier interface {
	oidc.Verifier
	// SupportedSignAlgs returns the JWS signing algorithms the verifier accepts.
	// NOTE(review): presumably a token signed with an algorithm outside this list is
	// rejected — confirm in VerifyAccessToken; configure via WithSupportedAccessTokenSigningAlgorithms.
	SupportedSignAlgs() []string
	// KeySet returns the key set used to verify token signatures.
	KeySet() oidc.KeySet
}
func NewAccessTokenVerifier ¶
func NewAccessTokenVerifier(issuer string, keySet oidc.KeySet, opts ...AccessTokenVerifierOpt) AccessTokenVerifier
type AccessTokenVerifierOpt ¶ added in v1.9.0
type AccessTokenVerifierOpt func(*accessTokenVerifier)
func WithSupportedAccessTokenSigningAlgorithms ¶ added in v1.9.0
func WithSupportedAccessTokenSigningAlgorithms(algs ...string) AccessTokenVerifierOpt
type ApplicationType ¶
type ApplicationType int
const ( ApplicationTypeWeb ApplicationType = iota // web ApplicationTypeUserAgent // user_agent ApplicationTypeNative // native )
func ApplicationTypeString ¶ added in v1.6.1
func ApplicationTypeString(s string) (ApplicationType, error)
ApplicationTypeString retrieves an enum value from the enum constant's string name. It returns an error if the parameter is not part of the enum.
func ApplicationTypeValues ¶ added in v1.6.1
func ApplicationTypeValues() []ApplicationType
ApplicationTypeValues returns all values of the enum
func (ApplicationType) IsAApplicationType ¶ added in v1.6.1
func (i ApplicationType) IsAApplicationType() bool
IsAApplicationType returns "true" if the value is listed in the enum definition. "false" otherwise
func (ApplicationType) MarshalGQL ¶ added in v1.6.1
func (i ApplicationType) MarshalGQL(w io.Writer)
MarshalGQL implements the graphql.Marshaler interface for ApplicationType
func (ApplicationType) MarshalJSON ¶ added in v1.6.1
func (i ApplicationType) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface for ApplicationType
func (ApplicationType) MarshalText ¶ added in v1.6.1
func (i ApplicationType) MarshalText() ([]byte, error)
MarshalText implements the encoding.TextMarshaler interface for ApplicationType
func (ApplicationType) MarshalYAML ¶ added in v1.6.1
func (i ApplicationType) MarshalYAML() (interface{}, error)
MarshalYAML implements a YAML Marshaler for ApplicationType
func (*ApplicationType) Scan ¶ added in v1.6.1
func (i *ApplicationType) Scan(value interface{}) error
func (ApplicationType) String ¶ added in v1.6.1
func (i ApplicationType) String() string
func (*ApplicationType) UnmarshalGQL ¶ added in v1.6.1
func (i *ApplicationType) UnmarshalGQL(value interface{}) error
UnmarshalGQL implements the graphql.Unmarshaler interface for ApplicationType
func (*ApplicationType) UnmarshalJSON ¶ added in v1.6.1
func (i *ApplicationType) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface for ApplicationType
func (*ApplicationType) UnmarshalText ¶ added in v1.6.1
func (i *ApplicationType) UnmarshalText(text []byte) error
UnmarshalText implements the encoding.TextUnmarshaler interface for ApplicationType
func (*ApplicationType) UnmarshalYAML ¶ added in v1.6.1
func (i *ApplicationType) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML implements a YAML Unmarshaler for ApplicationType
type AuthMethod ¶
// AuthMethod is a string-typed client authentication method.
// NOTE(review): Client.AuthMethod() returns oidc.AuthMethod rather than this
// type; confirm which of the two new code is expected to use.
type AuthMethod string
type AuthRequest ¶
// AuthRequest is the stored representation of an authorization request: it is
// created by AuthStorage.CreateAuthRequest and looked up again by
// AuthStorage.AuthRequestByID and AuthStorage.AuthRequestByCode.
type AuthRequest interface {
	GetID() string
	GetACR() string
	GetAMR() []string
	GetAudience() []string
	GetAuthTime() time.Time
	GetClientID() string
	// GetCodeChallenge returns the PKCE code challenge bound to this request.
	// NOTE(review): presumably nil when the client sent no PKCE parameters —
	// verify against the storage implementation.
	GetCodeChallenge() *oidc.CodeChallenge
	GetNonce() string
	GetRedirectURI() string
	GetResponseType() oidc.ResponseType
	GetResponseMode() oidc.ResponseMode
	GetScopes() []string
	GetState() string
	GetSubject() string
	// Done reports whether the request has been completed.
	// NOTE(review): this appears to correspond to the "mark the request as
	// authorized" step a login must perform before redirecting to the
	// callback — confirm against the implementation.
	Done() bool
}
func AuthRequestByCode ¶
AuthRequestByCode returns the AuthRequest previously created and stored in Storage that corresponds to the auth code, or an error.
type AuthStorage ¶
// AuthStorage is the auth-request and token persistence part of Storage
// (Storage embeds AuthStorage and OPStorage).
type AuthStorage interface {
	// CreateAuthRequest persists a new request built from the parsed
	// *oidc.AuthRequest. NOTE(review): the meaning of the trailing string
	// parameter is not documented here — confirm against the caller.
	CreateAuthRequest(context.Context, *oidc.AuthRequest, string) (AuthRequest, error)
	AuthRequestByID(context.Context, string) (AuthRequest, error)
	// AuthRequestByCode looks a request up by its auth code.
	// NOTE(review): whether a code is invalidated after one exchange is not
	// specified on this page — confirm the implementation enforces single use.
	AuthRequestByCode(context.Context, string) (AuthRequest, error)
	// SaveAuthCode — presumably (request ID, code); the two string parameters
	// are unnamed here, verify against the caller.
	SaveAuthCode(context.Context, string, string) error
	DeleteAuthRequest(context.Context, string) error
	// The TokenRequest parameter of CreateAccessToken can be any of:
	//
	// * TokenRequest as returned by ClientCredentialsStorage.ClientCredentialsTokenRequest,
	//
	// * AuthRequest as returned by AuthRequestByID or AuthRequestByCode (above)
	//
	// * *oidc.JWTTokenRequest from a JWT that is the assertion value of a JWT Profile
	// Grant: https://datatracker.ietf.org/doc/html/rfc7523#section-2.1
	CreateAccessToken(context.Context, TokenRequest) (accessTokenID string, expiration time.Time, err error)
	// The TokenRequest parameter of CreateAccessAndRefreshTokens can be any of:
	//
	// * TokenRequest as returned by ClientCredentialsStorage.ClientCredentialsTokenRequest
	//
	// * RefreshTokenRequest as returned by AuthStorage.TokenRequestByRefreshToken
	//
	// * AuthRequest as returned by AuthRequestByID or AuthRequestByCode (above).
	// Used for the authorization code flow which requested offline_access scope and
	// registered the refresh_token grant type in advance
	//
	// currentRefreshToken is the refresh token being rotated; a new refresh
	// token ID is returned alongside the new access token ID.
	CreateAccessAndRefreshTokens(ctx context.Context, request TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshTokenID string, expiration time.Time, err error)
	TokenRequestByRefreshToken(ctx context.Context, refreshTokenID string) (RefreshTokenRequest, error)
	TerminateSession(ctx context.Context, userID string, clientID string) error
	// RevokeToken returns *oidc.Error, not error. Callers must compare the
	// result against nil before assigning it to an error interface, since a
	// nil *oidc.Error stored in an error value is non-nil.
	RevokeToken(ctx context.Context, tokenID string, userID string, clientID string) *oidc.Error
	// GetSigningKey delivers the signing key on the send-only channel.
	// NOTE(review): how many values are sent and whether the channel is
	// closed afterwards is not specified here — confirm before implementing.
	GetSigningKey(context.Context, chan<- jose.SigningKey)
	GetKeySet(context.Context) (*jose.JSONWebKeySet, error)
}
type AuthenticatedTokenRequest ¶
AuthenticatedTokenRequest is a helper interface for ParseAuthenticatedTokenRequest; it is implemented by oidc.AuthRequest and oidc.RefreshTokenRequest.
type AuthorizeValidator ¶
// AuthorizeValidator is an extension of Authorizer that implements its own
// validation mechanism for the auth request.
// NOTE(review): the string result is not documented here — confirm what it
// carries against the caller before relying on it.
type AuthorizeValidator interface {
	Authorizer
	ValidateAuthRequest(context.Context, *oidc.AuthRequest, Storage, IDTokenHintVerifier) (string, error)
}
AuthorizeValidator is an extension of Authorizer interface implementing its own validation mechanism for the auth request
type Authorizer ¶
// Authorizer bundles the storage, codec, signer, verifier and crypto
// dependencies needed to process authorization requests; AuthorizeValidator
// extends it.
type Authorizer interface {
	Storage() Storage
	Decoder() httphelper.Decoder
	Encoder() httphelper.Encoder
	Signer() Signer
	IDTokenHintVerifier() IDTokenHintVerifier
	Crypto() Crypto
	Issuer() string
	RequestObjectSupported() bool
}
type Client ¶
// Client is a registered relying party as returned by
// OPStorage.GetClientByClientID.
type Client interface {
	GetID() string
	RedirectURIs() []string
	PostLogoutRedirectURIs() []string
	ApplicationType() ApplicationType
	// AuthMethod returns the client's token-endpoint authentication method.
	// Note the type is oidc.AuthMethod, not this package's AuthMethod.
	AuthMethod() oidc.AuthMethod
	ResponseTypes() []oidc.ResponseType
	GrantTypes() []oidc.GrantType
	// LoginURL returns the per-client URL the user is redirected to for
	// login; the argument is the auth request ID (see NewOpenIDProvider).
	LoginURL(string) string
	AccessTokenType() AccessTokenType
	IDTokenLifetime() time.Duration
	// DevMode — NOTE(review): which checks DevMode relaxes is not documented
	// on this page; confirm before enabling it for any production client.
	DevMode() bool
	RestrictAdditionalIdTokenScopes() func(scopes []string) []string
	RestrictAdditionalAccessTokenScopes() func(scopes []string) []string
	IsScopeAllowed(scope string) bool
	IDTokenUserinfoClaimsAssertion() bool
	// ClockSkew — presumably the tolerance applied to time-based claims for
	// this client; the exact checks it affects are not shown here.
	ClockSkew() time.Duration
}
func AuthorizeClientCredentialsClient ¶ added in v1.4.0
func AuthorizePrivateJWTKey ¶
func AuthorizePrivateJWTKey(ctx context.Context, clientAssertion string, exchanger JWTAuthorizationGrantExchanger) (Client, error)
AuthorizePrivateJWTKey authorizes a client by validating the client_assertion's signature with a previously registered public key (JWT Profile)
type ClientCredentialsStorage ¶ added in v1.4.0
type Configuration ¶
// Configuration exposes the provider's endpoints and feature flags;
// OpenIDProvider embeds it.
type Configuration interface {
	Issuer() string
	AuthorizationEndpoint() Endpoint
	TokenEndpoint() Endpoint
	IntrospectionEndpoint() Endpoint
	UserinfoEndpoint() Endpoint
	RevocationEndpoint() Endpoint
	EndSessionEndpoint() Endpoint
	KeysEndpoint() Endpoint
	// Token-endpoint client authentication.
	AuthMethodPostSupported() bool
	// CodeMethodS256Supported reports whether the S256 PKCE code challenge
	// method is supported.
	CodeMethodS256Supported() bool
	AuthMethodPrivateKeyJWTSupported() bool
	TokenEndpointSigningAlgorithmsSupported() []string
	// Grant types.
	GrantTypeRefreshTokenSupported() bool
	GrantTypeTokenExchangeSupported() bool
	GrantTypeJWTAuthorizationSupported() bool
	GrantTypeClientCredentialsSupported() bool
	// Introspection and revocation endpoint client authentication.
	IntrospectionAuthMethodPrivateKeyJWTSupported() bool
	IntrospectionEndpointSigningAlgorithmsSupported() []string
	RevocationAuthMethodPrivateKeyJWTSupported() bool
	RevocationEndpointSigningAlgorithmsSupported() []string
	// Request objects (JWT-encoded authorization requests).
	RequestObjectSupported() bool
	RequestObjectSigningAlgorithmsSupported() []string
	SupportedUILocales() []language.Tag
}
type Crypto ¶
func NewAESCrypto ¶
type EndSessionRequest ¶
func ValidateEndSessionRequest ¶
func ValidateEndSessionRequest(ctx context.Context, req *oidc.EndSessionRequest, ender SessionEnder) (*EndSessionRequest, error)
type Endpoint ¶
type Endpoint struct {
// contains filtered or unexported fields
}
func NewEndpoint ¶
func NewEndpointWithURL ¶
type ErrAuthRequest ¶
// ErrAuthRequest is the subset of AuthRequest (redirect URI, response type
// and state) needed when reporting an error for an auth request.
type ErrAuthRequest interface {
	GetRedirectURI() string
	GetResponseType() oidc.ResponseType
	GetState() string
}
type Exchanger ¶
// Exchanger bundles the dependencies and feature flags used by token-endpoint
// exchanges; JWTAuthorizationGrantExchanger embeds it.
type Exchanger interface {
	Issuer() string
	Storage() Storage
	Decoder() httphelper.Decoder
	Signer() Signer
	Crypto() Crypto
	AuthMethodPostSupported() bool
	AuthMethodPrivateKeyJWTSupported() bool
	GrantTypeRefreshTokenSupported() bool
	GrantTypeTokenExchangeSupported() bool
	GrantTypeJWTAuthorizationSupported() bool
	GrantTypeClientCredentialsSupported() bool
}
type IDTokenHintVerifier ¶
// IDTokenHintVerifier verifies id_token_hint values; it is constructed by
// NewIDTokenHintVerifier.
type IDTokenHintVerifier interface {
	oidc.Verifier
	// SupportedSignAlgs lists the signing algorithms accepted for the hint
	// (configurable via WithSupportedIDTokenHintSigningAlgorithms).
	SupportedSignAlgs() []string
	KeySet() oidc.KeySet
	ACR() oidc.ACRVerifier
	MaxAge() time.Duration
}
func NewIDTokenHintVerifier ¶
func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet, opts ...IDTokenHintVerifierOpt) IDTokenHintVerifier
type IDTokenHintVerifierOpt ¶ added in v1.10.0
// IDTokenHintVerifierOpt configures the verifier built by NewIDTokenHintVerifier.
type IDTokenHintVerifierOpt func(*idTokenHintVerifier)
func WithSupportedIDTokenHintSigningAlgorithms ¶ added in v1.10.0
func WithSupportedIDTokenHintSigningAlgorithms(algs ...string) IDTokenHintVerifierOpt
type IDTokenRequest ¶
type Introspector ¶
// Introspector bundles the dependencies of the introspection endpoint.
// Its method set is identical to UserinfoProvider's; IntrospectorJWTProfile
// extends it with a JWTProfileVerifier.
type Introspector interface {
	Decoder() httphelper.Decoder
	Crypto() Crypto
	Storage() Storage
	AccessTokenVerifier() AccessTokenVerifier
}
type IntrospectorJWTProfile ¶
// IntrospectorJWTProfile is an Introspector that can additionally verify
// JWT Profile client assertions.
type IntrospectorJWTProfile interface {
	Introspector
	JWTProfileVerifier() JWTProfileVerifier
}
type JWTAuthorizationGrantExchanger ¶
// JWTAuthorizationGrantExchanger is an Exchanger that can additionally verify
// JWT Profile assertions (used by AuthorizePrivateJWTKey).
type JWTAuthorizationGrantExchanger interface {
	Exchanger
	JWTProfileVerifier() JWTProfileVerifier
}
type JWTProfileVerifier ¶
// JWTProfileVerifier verifies JWT Profile assertions (authorization grant and
// client authentication); it is constructed by NewJWTProfileVerifier.
type JWTProfileVerifier interface {
	oidc.Verifier
	Storage() jwtProfileKeyStorage
	// CheckSubject is the subject check installed by the SubjectCheck option.
	CheckSubject(request *oidc.JWTTokenRequest) error
}
func NewJWTProfileVerifier ¶
func NewJWTProfileVerifier(storage jwtProfileKeyStorage, issuer string, maxAgeIAT, offset time.Duration, opts ...JWTProfileVerifierOption) JWTProfileVerifier
NewJWTProfileVerifier creates an oidc.Verifier for JWT Profile assertions (authorization grant and client authentication).
type JWTProfileVerifierOption ¶
// JWTProfileVerifierOption configures the verifier built by NewJWTProfileVerifier
// (for example SubjectCheck).
type JWTProfileVerifierOption func(*jwtProfileVerifier)
func SubjectCheck ¶
func SubjectCheck(check func(request *oidc.JWTTokenRequest) error) JWTProfileVerifierOption
type KeyProvider ¶
type OPStorage ¶
// OPStorage is the client, user-info and key lookup part of Storage
// (Storage embeds AuthStorage and OPStorage).
type OPStorage interface {
	GetClientByClientID(ctx context.Context, clientID string) (Client, error)
	// AuthorizeClientIDSecret verifies a client_secret for the given client.
	// NOTE(review): the comparison itself lives in the implementation;
	// confirm it is constant-time and does not distinguish unknown clients
	// from bad secrets in its error.
	AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string) error
	SetUserinfoFromScopes(ctx context.Context, userinfo oidc.UserInfoSetter, userID, clientID string, scopes []string) error
	SetUserinfoFromToken(ctx context.Context, userinfo oidc.UserInfoSetter, tokenID, subject, origin string) error
	SetIntrospectionFromToken(ctx context.Context, userinfo oidc.IntrospectionResponse, tokenID, subject, clientID string) error
	GetPrivateClaimsFromScopes(ctx context.Context, userID, clientID string, scopes []string) (map[string]interface{}, error)
	// GetKeyByIDAndUserID is mis-named: it does not receive a userID. The
	// second string parameter is the clientID.
	GetKeyByIDAndUserID(ctx context.Context, keyID, clientID string) (*jose.JSONWebKey, error)
	// ValidateJWTProfileScopes returns the subset of the requested scopes
	// that are granted for the user; the exact filtering rules are up to
	// the implementation.
	ValidateJWTProfileScopes(ctx context.Context, userID string, scopes []string) ([]string, error)
}
type OpenIDProvider ¶
// OpenIDProvider is the provider returned by NewOpenIDProvider. HttpHandler
// serves the endpoints listed in NewOpenIDProvider's documentation.
type OpenIDProvider interface {
	Configuration
	Storage() Storage
	Decoder() httphelper.Decoder
	Encoder() httphelper.Encoder
	IDTokenHintVerifier() IDTokenHintVerifier
	AccessTokenVerifier() AccessTokenVerifier
	Crypto() Crypto
	DefaultLogoutRedirectURI() string
	Signer() Signer
	Probes() []ProbesFn
	HttpHandler() http.Handler
}
func NewOpenIDProvider ¶
func NewOpenIDProvider(ctx context.Context, config *Config, storage Storage, opOpts ...Option) (OpenIDProvider, error)
NewOpenIDProvider creates a provider. The provider provides (with HttpHandler()) an http.Router that handles a suite of endpoints (some paths can be overridden):
/healthz /ready /.well-known/openid-configuration /oauth/token /oauth/introspect /callback /authorize /userinfo /revoke /end_session /keys
This does not include login. Login is handled with a redirect that includes the request ID. The redirect for logins is specified per-client by Client.LoginURL(). Successful logins should mark the request as authorized and redirect back to op.AuthCallbackURL(provider), which is probably /callback. On the redirect back to the AuthCallbackURL, the request ID should be passed as the "id" parameter.
type Option ¶
// Option configures the provider built by NewOpenIDProvider.
// NOTE(review): a non-nil error presumably aborts provider construction;
// confirm in NewOpenIDProvider.
type Option func(o *openidProvider) error
func WithAccessTokenVerifierOpts ¶ added in v1.9.0
func WithAccessTokenVerifierOpts(opts ...AccessTokenVerifierOpt) Option
func WithCustomAuthEndpoint ¶
func WithCustomEndpoints ¶
func WithCustomKeysEndpoint ¶
func WithCustomTokenEndpoint ¶
func WithHttpInterceptors ¶
func WithHttpInterceptors(interceptors ...HttpInterceptor) Option
func WithIDTokenHintVerifierOpts ¶ added in v1.10.0
func WithIDTokenHintVerifierOpts(opts ...IDTokenHintVerifierOpt) Option
type RefreshTokenRequest ¶
// RefreshTokenRequest is the data representing the original auth request
// behind a refresh token, as returned by AuthStorage.TokenRequestByRefreshToken
// and RefreshTokenRequestByRefreshToken.
type RefreshTokenRequest interface {
	GetAMR() []string
	GetAudience() []string
	GetAuthTime() time.Time
	GetClientID() string
	GetScopes() []string
	GetSubject() string
	// SetCurrentScopes records the scopes requested for this refresh.
	// NOTE(review): whether they are checked to be a subset of GetScopes()
	// before this is called is not shown here — confirm in the refresh flow.
	SetCurrentScopes(scopes []string)
}
func RefreshTokenRequestByRefreshToken ¶
func RefreshTokenRequestByRefreshToken(ctx context.Context, storage Storage, refreshToken string) (RefreshTokenRequest, error)
RefreshTokenRequestByRefreshToken returns the RefreshTokenRequest (the data representing the original auth request) that corresponds to the refresh_token, looked up in Storage, or an error.
type Revoker ¶
// Revoker bundles the dependencies and client-authentication flags of the
// revocation endpoint; RevokerJWTProfile extends it.
type Revoker interface {
	Decoder() httphelper.Decoder
	Crypto() Crypto
	Storage() Storage
	AccessTokenVerifier() AccessTokenVerifier
	AuthMethodPrivateKeyJWTSupported() bool
	AuthMethodPostSupported() bool
}
type RevokerJWTProfile ¶
// RevokerJWTProfile is a Revoker that can additionally verify JWT Profile
// client assertions.
type RevokerJWTProfile interface {
	Revoker
	JWTProfileVerifier() JWTProfileVerifier
}
type SessionEnder ¶
// SessionEnder bundles the dependencies of the end_session endpoint; it is
// consumed by ValidateEndSessionRequest.
type SessionEnder interface {
	Decoder() httphelper.Decoder
	Storage() Storage
	IDTokenHintVerifier() IDTokenHintVerifier
	// DefaultLogoutRedirectURI is the post-logout destination when the
	// request does not carry one that can be used.
	DefaultLogoutRedirectURI() string
}
type Signer ¶
type Storage ¶
// Storage is a required parameter for NewOpenIDProvider(). In addition to the
// embedded interfaces, if the passed Storage also implements
// ClientCredentialsStorage then the grant type "client_credentials" will be
// supported; in that case the access token returned by CreateAccessToken
// should be a JWT. See https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.4
// for context.
type Storage interface {
	AuthStorage
	OPStorage
	// Health is used by the provider's probe endpoints.
	Health(context.Context) error
}
Storage is a required parameter for NewOpenIDProvider(). In addition to the embedded interfaces, if the passed Storage also implements ClientCredentialsStorage then the grant type "client_credentials" will be supported. In that case, the access token returned by CreateAccessToken should be a JWT. See https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.4 for context.
type StorageNotFoundError ¶
// StorageNotFoundError is a marker interface: a Storage error that implements
// IsNotFound signals that the requested record does not exist.
// NOTE(review): how the library detects it (type assertion vs errors.As, and
// therefore whether wrapped errors are recognised) is not shown here.
type StorageNotFoundError interface {
	IsNotFound()
}
type TokenCreator ¶
type TokenRequest ¶
type UserinfoProvider ¶
// UserinfoProvider bundles the dependencies of the userinfo endpoint.
// Its method set is identical to Introspector's.
type UserinfoProvider interface {
	Decoder() httphelper.Decoder
	Crypto() Crypto
	Storage() Storage
	AccessTokenVerifier() AccessTokenVerifier
}
Source Files ¶
- applicationtype_enumer.go
- auth_request.go
- client.go
- config.go
- crypto.go
- discovery.go
- endpoint.go
- error.go
- keys.go
- op.go
- probes.go
- session.go
- signer.go
- storage.go
- token.go
- token_client_credentials.go
- token_code.go
- token_exchange.go
- token_intospection.go
- token_jwt_profile.go
- token_refresh.go
- token_request.go
- token_revocation.go
- userinfo.go
- verifier_access_token.go
- verifier_id_token_hint.go
- verifier_jwt_profile.go