oauth

package


Constants

const (
	// GoogleKeysURL is the url we fetch google's public verification keys in JWK form.
	// NOTE(review): how the fetched key set is cached and refreshed on rotation is not visible here — check the Manager implementation.
	GoogleKeysURL = "https://www.googleapis.com/oauth2/v3/certs"
	// GoogleIssuer is the expected `iss` field on JWTs from google.
	GoogleIssuer = "https://accounts.google.com"
	// GoogleIssuerAlternate is the alternate expected `iss` field on JWTs from google.
	// Presumably either issuer value satisfies the check behind ErrInvalidJWTIssuer — confirm in the token verifier.
	GoogleIssuerAlternate = "accounts.google.com"
)

Variables

var (
	// DefaultScopes is the default oauth scopes.
	// Presumably what Config.ScopesOrDefault falls back to when no scopes are configured;
	// requesting only openid, email and profile keeps the granted access minimal.
	DefaultScopes = []string{
		oidc.ScopeOpenID,
		"email",
		"profile",
	}
)

Functions

func MustSerializeState

func MustSerializeState(state State) string

MustSerializeState serializes a state value but panics if there is an error.

func SerializeState

func SerializeState(state State) (output string, err error)

SerializeState serializes the oauth state.

Types

type Config

type Config struct {
	// ClientID is part of the oauth credential pair.
	ClientID string `json:"clientID,omitempty" yaml:"clientID,omitempty"`
	// ClientSecret is part of the oauth credential pair.
	// It is a credential: keep it out of logs and of any serialized copy of the config.
	ClientSecret string `json:"clientSecret,omitempty" yaml:"clientSecret,omitempty"`
	// Secret is an encryption key used to verify oauth state.
	// It is held hex-encoded; DecodeSecret returns the raw bytes and GenerateSecret produces a fresh value.
	Secret string `json:"secret,omitempty" yaml:"secret,omitempty"`
	// RedirectURL is the oauth return url.
	// NOTE(review): ErrInvalidRedirectURI suggests it is validated somewhere (Resolve?) — confirm, since it must match the
	// redirect registered with the provider exactly.
	RedirectURL string `json:"redirectURL,omitempty" yaml:"redirectURL,omitempty"`
	// HostedDomain is a specific domain we want to filter identities to.
	// NOTE(review): on its own this presumably only narrows the sign-in prompt; AllowedDomains is the strict check
	// applied to the returned token — confirm in Finish.
	HostedDomain string `json:"hostedDomain,omitempty" yaml:"hostedDomain,omitempty"`
	// AllowedDomains is a strict list of hosted domains to allow authenticated users from.
	// If it is unset or empty, it will allow users from *any* hosted domain.
	// Empty is therefore the permissive default; single-tenant deployments should set it explicitly.
	AllowedDomains []string `json:"allowedDomains,omitempty" yaml:"allowedDomains,omitempty"`
	// Scopes are oauth scopes to request.
	// Empty presumably falls back to DefaultScopes (see ScopesOrDefault).
	Scopes []string `json:"scopes,omitempty" yaml:"scopes,omitempty"`
}

Config is the config options.

func (Config) DecodeSecret

func (c Config) DecodeSecret() ([]byte, error)

DecodeSecret decodes the secret, if set, from its hex encoding.

func (Config) GenerateSecret

func (c Config) GenerateSecret(_ context.Context) (*string, error)

GenerateSecret generates a secret.

func (Config) IsZero

func (c Config) IsZero() bool

IsZero reports whether the config is set or not.

func (*Config) Resolve

func (c *Config) Resolve(ctx context.Context) error

Resolve adds extra steps to perform during `configutil.Read(...)`.

func (Config) ScopesOrDefault

func (c Config) ScopesOrDefault() []string

ScopesOrDefault returns the scopes or a default set.

type Error

// String-backed so the package's error values can be declared as typed constants (see the const block below).
type Error string

Error is an error string.

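const (
	// ErrCodeMissing is returned if the code was missing from an oauth return request.
	// The message is distinct from ErrStateMissing so the two values no longer compare equal
	// (they previously shared the same string, making errors.Is unable to tell them apart).
	ErrCodeMissing Error = "code missing from request"
	// ErrStateMissing is returned if the state was missing from an oauth return request.
	ErrStateMissing Error = "state missing from request"
	// ErrInvalidHostedDomain is an error returned if the JWT hosted zone doesn't match any of the whitelisted domains.
	ErrInvalidHostedDomain Error = "hosted domain validation failed"
	// ErrInvalidAntiforgeryToken is an error returned on oauth finish that indicates we didn't originate the auth request.
	ErrInvalidAntiforgeryToken Error = "invalid anti-forgery token"

	// ErrInvalidJWTAudience is an error in validating the token jwt.
	ErrInvalidJWTAudience Error = "invalid jwt audience; should match clientID"
	// ErrInvalidJWTIssuer is an error in validating the token jwt.
	ErrInvalidJWTIssuer Error = "invalid jwt issuer; should be a valid google issuer"
	// ErrInvalidJWTHostedDomain is an error in validating the token jwt.
	ErrInvalidJWTHostedDomain Error = "invalid jwt hosted domain; must be in the allowed domain list"
	// ErrInvalidJWT is returned when we fail to decode or verify the token jwt.
	ErrInvalidJWT Error = "invalid jwt; failed to decode or verify"

	// ErrProfileJSONUnmarshal is an error returned if the json unmarshal failed.
	ErrProfileJSONUnmarshal Error = "profile json unmarshal failed"

	// ErrFailedCodeExchange happens if the code exchange for an access token fails.
	ErrFailedCodeExchange Error = "oauth code exchange failed"
	// ErrGoogleResponseStatus is an error that can occur when querying the google apis.
	ErrGoogleResponseStatus Error = "google returned a non 2xx response"

	// ErrSecretRequired is a configuration error indicating we did not provide a secret.
	ErrSecretRequired Error = "manager secret required"
	// ErrClientIDRequired is a self validation error.
	ErrClientIDRequired Error = "clientID is required"
	// ErrClientSecretRequired is a self validation error.
	ErrClientSecretRequired Error = "clientSecret is required"
	// ErrRedirectURIRequired is a self validation error.
	ErrRedirectURIRequired Error = "redirectURI is required"
	// ErrInvalidRedirectURI is an error in validating the redirect uri.
	ErrInvalidRedirectURI Error = "invalid redirectURI"
)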

func (Error) Error

func (e Error) Error() string

Error returns the error as a string.

type GoogleClaims

type GoogleClaims struct {
	// Email is the account email (`email` claim).
	Email         string `json:"email"`
	// EmailVerified is the `email_verified` claim.
	// NOTE(review): Email should only be relied on for identity or account linking when this is true — confirm the check in Finish.
	EmailVerified bool   `json:"email_verified"`
	// HD is the hosted domain claim; presumably the value compared against AllowedDomains (see ErrInvalidJWTHostedDomain).
	HD            string `json:"hd"`
	// Nonce is the `nonce` claim. NOTE(review): binding the token to this login requires comparing it with the nonce sent in the
	// auth request; whether that comparison happens is not visible here.
	Nonce         string `json:"nonce"`
	// The remaining fields are display attributes of the account.
	FamilyName    string `json:"family_name"`
	GivenName     string `json:"given_name"`
	Locale        string `json:"locale"`
	Picture       string `json:"picture"`
	Profile       string `json:"profile"`
}

GoogleClaims are extensions to the jwt standard claims for google oauth.

See additional documentation here: https://developers.google.com/identity/sign-in/web/backend-auth

type Manager

type Manager struct {
	// Secret is the raw key used to verify oauth state (see ValidateState); set via OptSecret or OptConfig.
	Secret         []byte
	// HostedDomain is the domain hint for sign-in; see Config.HostedDomain.
	HostedDomain   string
	// AllowedDomains restricts which hosted domains may complete authentication; empty allows any (see Config.AllowedDomains).
	AllowedDomains []string
	// contains filtered or unexported fields
}

Manager is the oauth manager.

func MustNew

func MustNew(ctx context.Context, options ...Option) *Manager

MustNew returns a new manager mutated by a given set of options and will panic on error.

func New

func New(ctx context.Context, options ...Option) (*Manager, error)

New returns a new manager mutated by a given set of options.

func (*Manager) CreateState

func (m *Manager) CreateState(options ...StateOption) (state State)

CreateState creates auth state.

func (*Manager) FetchProfile

func (m *Manager) FetchProfile(ctx context.Context, accessToken string) (profile Profile, err error)

FetchProfile gets a google profile for an access token.

func (*Manager) Finish

func (m *Manager) Finish(r *http.Request) (result *Result, err error)

Finish processes the returned code, exchanging for an access token, and fetches the user profile.

func (*Manager) OAuthURL

func (m *Manager) OAuthURL(r *http.Request, stateOptions ...StateOption) (oauthURL string, err error)

OAuthURL is the auth url for google with a given clientID. This is typically the link that a user will click on to start the auth process.

func (*Manager) ValidateState

func (m *Manager) ValidateState(state State) error

ValidateState validates oauth state.

type Option

// Applied by New/MustNew; an Option's error is presumably returned by New, while MustNew panics on it.
type Option func(*Manager) error

Option is an option for oauth managers.

func OptAllowedDomains

func OptAllowedDomains(allowedDomains ...string) Option

OptAllowedDomains sets the manager allowedDomains.

func OptClientID

func OptClientID(cliendID string) Option

OptClientID sets the manager clientID.

func OptClientSecret

func OptClientSecret(clientSecret string) Option

OptClientSecret sets the manager clientSecret.

func OptConfig

func OptConfig(cfg Config) Option

OptConfig sets a manager based on a config.

func OptHostedDomain

func OptHostedDomain(hostedDomain string) Option

OptHostedDomain sets the manager hostedDomain.

func OptRedirectURL

func OptRedirectURL(redirectURL string) Option

OptRedirectURL sets the manager redirectURI.

func OptScopes

func OptScopes(scopes ...string) Option

OptScopes sets the manager scopes.

func OptSecret

func OptSecret(secret []byte) Option

OptSecret sets the manager secret.

type Profile

type Profile struct {
	// ID is the provider's identifier for the account (`id`).
	ID            string `json:"id"`
	// Email is the account email (`email`).
	Email         string `json:"email"`
	// VerifiedEmail is the `verified_email` field; treat Email as unverified when it is false.
	VerifiedEmail bool   `json:"verified_email"`
	// The remaining fields are display attributes returned by the profile endpoint.
	Name          string `json:"name"`
	GivenName     string `json:"given_name"`
	FamilyName    string `json:"family_name"`
	Link          string `json:"link"`
	Gender        string `json:"gender"`
	Locale        string `json:"locale"`
	PictureURL    string `json:"picture"`
}

Profile is a profile with google.

type Response

type Response struct {
	// AccessToken is the bearer token obtained from the code exchange; it is a credential and should not be logged.
	AccessToken  string
	// TokenType is the token type reported by the provider.
	TokenType    string
	// RefreshToken, if present, is likewise a credential.
	RefreshToken string
	// Expiry is when AccessToken expires.
	Expiry       time.Time
	// HostedDomain is the hosted domain reported for the authenticated account.
	HostedDomain string
}

Response is the response details from the oauth exchange.

type Result

type Result struct {
	// Response holds the token details from the exchange.
	Response Response
	// Profile is the fetched user profile.
	Profile  Profile
	// State is the deserialized oauth state that was round-tripped through the provider.
	State    State
}

Result is the final result of the oauth exchange. It holds the user's profile and the state information.

type State

type State struct {
	// Token is a plaintext random token.
	Token string
	// SecureToken is the hashed version of the token.
	// If a key is set, it validates that our app created the oauth state.
	// Presumably a keyed hash of Token under Manager.Secret, checked by ValidateState — confirm in CreateState.
	SecureToken string
	// RedirectURI is the redirect uri.
	// NOTE(review): this value round-trips through the provider inside the serialized state, so it is attacker-influenced
	// on return; confirm that Finish/ValidateState restrict it before redirecting.
	RedirectURI string
	// Extra includes other state you might need to encode.
	// It is serialized together with the rest of the state (SerializeState) and presumably travels in the request, so keep it
	// small and free of secrets.
	Extra map[string]interface{}
}

State is the oauth state.

func DeserializeState

func DeserializeState(raw string) (state State, err error)

DeserializeState deserializes the oauth state.

type StateOption

// Applied by CreateState and OAuthURL to mutate the state being created.
type StateOption func(*State)

StateOption is an option for state objects.

func OptStateExtra

func OptStateExtra(key string, value interface{}) StateOption

OptStateExtra sets an extra key/value pair on the state.

func OptStateRedirectURI

func OptStateRedirectURI(redirectURI string) StateOption

OptStateRedirectURI sets the redirect uri on the state.

func OptStateSecureToken

func OptStateSecureToken(secureToken string) StateOption

OptStateSecureToken sets the secure token on the state.
