Documentation ¶
Index ¶
- Constants
- type ConsentStrategy
- type DefaultConsentStrategy
- type FositeMemoryStore
- func (s *FositeMemoryStore) CreateAccessTokenSession(_ context.Context, signature string, req fosite.Requester) error
- func (s *FositeMemoryStore) CreateAuthorizeCodeSession(_ context.Context, code string, req fosite.Requester) error
- func (s *FositeMemoryStore) CreateImplicitAccessTokenSession(ctx context.Context, code string, req fosite.Requester) error
- func (s *FositeMemoryStore) CreateOpenIDConnectSession(_ context.Context, authorizeCode string, requester fosite.Requester) error
- func (s *FositeMemoryStore) CreateRefreshTokenSession(_ context.Context, signature string, req fosite.Requester) error
- func (s *FositeMemoryStore) DeleteAccessTokenSession(_ context.Context, signature string) error
- func (s *FositeMemoryStore) DeleteAuthorizeCodeSession(_ context.Context, code string) error
- func (s *FositeMemoryStore) DeleteOpenIDConnectSession(_ context.Context, authorizeCode string) error
- func (s *FositeMemoryStore) DeleteRefreshTokenSession(_ context.Context, signature string) error
- func (s *FositeMemoryStore) GetAccessTokenSession(_ context.Context, signature string, _ fosite.Session) (fosite.Requester, error)
- func (s *FositeMemoryStore) GetAuthorizeCodeSession(_ context.Context, code string, _ fosite.Session) (fosite.Requester, error)
- func (s *FositeMemoryStore) GetOpenIDConnectSession(_ context.Context, authorizeCode string, requester fosite.Requester) (fosite.Requester, error)
- func (s *FositeMemoryStore) GetRefreshTokenSession(_ context.Context, signature string, _ fosite.Session) (fosite.Requester, error)
- func (s *FositeMemoryStore) PersistAuthorizeCodeGrantSession(ctx context.Context, authorizeCode, accessSignature, refreshSignature string, ...) error
- func (s *FositeMemoryStore) PersistRefreshTokenGrantSession(ctx context.Context, ...) error
- func (s *FositeMemoryStore) RevokeAccessToken(ctx context.Context, id string) error
- func (s *FositeMemoryStore) RevokeRefreshToken(ctx context.Context, id string) error
- type FositeSQLStore
- func (s *FositeSQLStore) CreateAccessTokenSession(_ context.Context, signature string, requester fosite.Requester) error
- func (s *FositeSQLStore) CreateAuthorizeCodeSession(_ context.Context, signature string, requester fosite.Requester) error
- func (s *FositeSQLStore) CreateImplicitAccessTokenSession(ctx context.Context, signature string, requester fosite.Requester) error
- func (s *FositeSQLStore) CreateOpenIDConnectSession(_ context.Context, signature string, requester fosite.Requester) error
- func (s *FositeSQLStore) CreateRefreshTokenSession(_ context.Context, signature string, requester fosite.Requester) error
- func (s *FositeSQLStore) CreateSchemas() (int, error)
- func (s *FositeSQLStore) DeleteAccessTokenSession(_ context.Context, signature string) error
- func (s *FositeSQLStore) DeleteAuthorizeCodeSession(_ context.Context, signature string) error
- func (s *FositeSQLStore) DeleteOpenIDConnectSession(_ context.Context, signature string) error
- func (s *FositeSQLStore) DeleteRefreshTokenSession(_ context.Context, signature string) error
- func (s *FositeSQLStore) GetAccessTokenSession(_ context.Context, signature string, session fosite.Session) (fosite.Requester, error)
- func (s *FositeSQLStore) GetAuthorizeCodeSession(_ context.Context, signature string, session fosite.Session) (fosite.Requester, error)
- func (s *FositeSQLStore) GetOpenIDConnectSession(_ context.Context, signature string, requester fosite.Requester) (fosite.Requester, error)
- func (s *FositeSQLStore) GetRefreshTokenSession(_ context.Context, signature string, session fosite.Session) (fosite.Requester, error)
- func (s *FositeSQLStore) PersistAuthorizeCodeGrantSession(ctx context.Context, authorizeCode, accessSignature, refreshSignature string, ...) error
- func (s *FositeSQLStore) PersistRefreshTokenGrantSession(ctx context.Context, ...) error
- func (s *FositeSQLStore) RevokeAccessToken(ctx context.Context, id string) error
- func (s *FositeSQLStore) RevokeRefreshToken(ctx context.Context, id string) error
- type HTTPIntrospector
- type HTTPRecovator
- type Handler
- func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (o *Handler) DefaultConsentHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) IntrospectHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) RevocationHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) SetRoutes(r *httprouter.Router)
- func (h *Handler) TokenHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- type Introspection
- type Introspector
- type Revocator
- type Session
- type WellKnown
Constants ¶
const ( ConsentChallengeKey = "hydra.consent.challenge" ConsentEndpointKey = "hydra.consent.response" )
const ( OpenIDConnectKeyName = "hydra.openid.id-token" ConsentPath = "/oauth2/consent" TokenPath = "/oauth2/token" AuthPath = "/oauth2/auth" WellKnownPath = "/.well-known/openid-configuration" JWKPath = "/.well-known/jwks.json" // IntrospectPath points to the OAuth2 introspection endpoint. IntrospectPath = "/oauth2/introspect" RevocationPath = "/oauth2/revoke" )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ConsentStrategy ¶
type DefaultConsentStrategy ¶
type DefaultConsentStrategy struct { Issuer string DefaultIDTokenLifespan time.Duration DefaultChallengeLifespan time.Duration KeyManager jwk.Manager }
func (*DefaultConsentStrategy) IssueChallenge ¶
func (s *DefaultConsentStrategy) IssueChallenge(authorizeRequest fosite.AuthorizeRequester, redirectURL string, session *sessions.Session) (string, error)
func (*DefaultConsentStrategy) ValidateResponse ¶
func (s *DefaultConsentStrategy) ValidateResponse(a fosite.AuthorizeRequester, token string, session *sessions.Session) (claims *Session, err error)
type FositeMemoryStore ¶ added in v0.6.0
type FositeMemoryStore struct { client.Manager AuthorizeCodes map[string]fosite.Requester IDSessions map[string]fosite.Requester AccessTokens map[string]fosite.Requester RefreshTokens map[string]fosite.Requester sync.RWMutex }
func (*FositeMemoryStore) CreateAccessTokenSession ¶ added in v0.6.0
func (*FositeMemoryStore) CreateAuthorizeCodeSession ¶ added in v0.6.0
func (*FositeMemoryStore) CreateImplicitAccessTokenSession ¶ added in v0.6.0
func (*FositeMemoryStore) CreateOpenIDConnectSession ¶ added in v0.6.0
func (*FositeMemoryStore) CreateRefreshTokenSession ¶ added in v0.6.0
func (*FositeMemoryStore) DeleteAccessTokenSession ¶ added in v0.6.0
func (s *FositeMemoryStore) DeleteAccessTokenSession(_ context.Context, signature string) error
func (*FositeMemoryStore) DeleteAuthorizeCodeSession ¶ added in v0.6.0
func (s *FositeMemoryStore) DeleteAuthorizeCodeSession(_ context.Context, code string) error
func (*FositeMemoryStore) DeleteOpenIDConnectSession ¶ added in v0.6.0
func (s *FositeMemoryStore) DeleteOpenIDConnectSession(_ context.Context, authorizeCode string) error
func (*FositeMemoryStore) DeleteRefreshTokenSession ¶ added in v0.6.0
func (s *FositeMemoryStore) DeleteRefreshTokenSession(_ context.Context, signature string) error
func (*FositeMemoryStore) GetAccessTokenSession ¶ added in v0.6.0
func (*FositeMemoryStore) GetAuthorizeCodeSession ¶ added in v0.6.0
func (*FositeMemoryStore) GetOpenIDConnectSession ¶ added in v0.6.0
func (*FositeMemoryStore) GetRefreshTokenSession ¶ added in v0.6.0
func (*FositeMemoryStore) PersistAuthorizeCodeGrantSession ¶ added in v0.6.0
func (*FositeMemoryStore) PersistRefreshTokenGrantSession ¶ added in v0.6.0
func (*FositeMemoryStore) RevokeAccessToken ¶ added in v0.6.0
func (s *FositeMemoryStore) RevokeAccessToken(ctx context.Context, id string) error
func (*FositeMemoryStore) RevokeRefreshToken ¶ added in v0.6.0
func (s *FositeMemoryStore) RevokeRefreshToken(ctx context.Context, id string) error
type FositeSQLStore ¶ added in v0.6.0
func (*FositeSQLStore) CreateAccessTokenSession ¶ added in v0.6.0
func (*FositeSQLStore) CreateAuthorizeCodeSession ¶ added in v0.6.0
func (*FositeSQLStore) CreateImplicitAccessTokenSession ¶ added in v0.6.0
func (*FositeSQLStore) CreateOpenIDConnectSession ¶ added in v0.6.0
func (*FositeSQLStore) CreateRefreshTokenSession ¶ added in v0.6.0
func (*FositeSQLStore) CreateSchemas ¶ added in v0.6.0
func (s *FositeSQLStore) CreateSchemas() (int, error)
func (*FositeSQLStore) DeleteAccessTokenSession ¶ added in v0.6.0
func (s *FositeSQLStore) DeleteAccessTokenSession(_ context.Context, signature string) error
func (*FositeSQLStore) DeleteAuthorizeCodeSession ¶ added in v0.6.0
func (s *FositeSQLStore) DeleteAuthorizeCodeSession(_ context.Context, signature string) error
func (*FositeSQLStore) DeleteOpenIDConnectSession ¶ added in v0.6.0
func (s *FositeSQLStore) DeleteOpenIDConnectSession(_ context.Context, signature string) error
func (*FositeSQLStore) DeleteRefreshTokenSession ¶ added in v0.6.0
func (s *FositeSQLStore) DeleteRefreshTokenSession(_ context.Context, signature string) error
func (*FositeSQLStore) GetAccessTokenSession ¶ added in v0.6.0
func (*FositeSQLStore) GetAuthorizeCodeSession ¶ added in v0.6.0
func (*FositeSQLStore) GetOpenIDConnectSession ¶ added in v0.6.0
func (*FositeSQLStore) GetRefreshTokenSession ¶ added in v0.6.0
func (*FositeSQLStore) PersistAuthorizeCodeGrantSession ¶ added in v0.6.0
func (*FositeSQLStore) PersistRefreshTokenGrantSession ¶ added in v0.6.0
func (*FositeSQLStore) RevokeAccessToken ¶ added in v0.6.0
func (s *FositeSQLStore) RevokeAccessToken(ctx context.Context, id string) error
func (*FositeSQLStore) RevokeRefreshToken ¶ added in v0.6.0
func (s *FositeSQLStore) RevokeRefreshToken(ctx context.Context, id string) error
type HTTPIntrospector ¶ added in v0.4.0
func (*HTTPIntrospector) IntrospectToken ¶ added in v0.4.0
func (i *HTTPIntrospector) IntrospectToken(ctx context.Context, token string, scopes ...string) (*Introspection, error)
IntrospectToken is capable of introspecting tokens according to https://tools.ietf.org/html/rfc7662
The HTTP API is documented at http://docs.hydra13.apiary.io/#reference/oauth2/oauth2-token-introspection
func (*HTTPIntrospector) SetClient ¶ added in v0.4.0
func (i *HTTPIntrospector) SetClient(c *clientcredentials.Config)
func (*HTTPIntrospector) TokenFromRequest ¶ added in v0.4.0
func (i *HTTPIntrospector) TokenFromRequest(r *http.Request) string
type HTTPRecovator ¶ added in v0.6.0
type HTTPRecovator struct { Config *clientcredentials.Config Dry bool Endpoint *url.URL Client *http.Client }
func (*HTTPRecovator) RevokeToken ¶ added in v0.6.0
func (r *HTTPRecovator) RevokeToken(ctx context.Context, token string) error
type Handler ¶
type Handler struct { OAuth2 fosite.OAuth2Provider Consent ConsentStrategy H herodot.Writer ForcedHTTP bool ConsentURL url.URL AccessTokenLifespan time.Duration CookieStore sessions.Store L logrus.FieldLogger Issuer string }
func (*Handler) AuthHandler ¶
func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route GET /oauth2/auth oauth2 oauthAuth
The OAuth 2.0 Auth endpoint ¶
For more information, please refer to https://tools.ietf.org/html/rfc6749#section-4
Consumes: - application/x-www-form-urlencoded Schemes: http, https Responses: 302: 401: genericError 500: genericError
func (*Handler) DefaultConsentHandler ¶
func (o *Handler) DefaultConsentHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
func (*Handler) IntrospectHandler ¶ added in v0.6.0
func (h *Handler) IntrospectHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /oauth2/introspect oauth2 introspectOAuthToken
Introspect an OAuth2 access token ¶
For more information, please refer to https://tools.ietf.org/html/rfc7662
Consumes: - application/x-www-form-urlencoded Produces: - application/json Schemes: http, https Security: oauth2: Responses: 200: introspectOAuthTokenResponse 401: genericError 500: genericError
func (*Handler) RevocationHandler ¶ added in v0.6.0
func (h *Handler) RevocationHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /oauth2/revoke oauth2 revokeOAuthToken
Revoke an OAuth2 access token ¶
For more information, please refer to https://tools.ietf.org/html/rfc7009
Consumes: - application/x-www-form-urlencoded Produces: - application/json Schemes: http, https Security: oauth2: Responses: 200: 401: genericError 500: genericError
func (*Handler) SetRoutes ¶
func (h *Handler) SetRoutes(r *httprouter.Router)
func (*Handler) TokenHandler ¶
func (h *Handler) TokenHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /oauth2/token oauth2 oauthToken
The OAuth 2.0 Token endpoint ¶
For more information, please refer to https://tools.ietf.org/html/rfc6749#section-4
Consumes: - application/x-www-form-urlencoded Produces: - application/json Schemes: http, https Security: basic: Responses: 200: oauthTokenResponse 401: genericError 500: genericError
func (*Handler) WellKnownHandler ¶ added in v0.8.2
func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route GET /.well-known/openid-configuration oauth2 openid-connect WellKnownHandler
Server well known configuration ¶
For more information, please refer to https://openid.net/specs/openid-connect-discovery-1_0.html
Consumes: - application/x-www-form-urlencoded Produces: - application/json Schemes: http, https Security: oauth2: Responses: 200: WellKnown 401: genericError 500: genericError
type Introspection ¶ added in v0.4.0
type Introspection struct { // Active is a boolean indicator of whether or not the presented token // is currently active. The specifics of a token's "active" state // will vary depending on the implementation of the authorization // server and the information it keeps about its tokens, but a "true" // value return for the "active" property will generally indicate // that a given token has been issued by this authorization server, // has not been revoked by the resource owner, and is within its // given time window of validity (e.g., after its issuance time and // before its expiration time). Active bool `json:"active"` // Scope is a JSON string containing a space-separated list of // scopes associated with this token. Scope string `json:"scope,omitempty"` // ClientID is aclient identifier for the OAuth 2.0 client that // requested this token. ClientID string `json:"client_id,omitempty"` // Subject of the token, as defined in JWT [RFC7519]. // Usually a machine-readable identifier of the resource owner who // authorized this token. Subject string `json:"sub,omitempty"` // Expires at is an integer timestamp, measured in the number of seconds // since January 1 1970 UTC, indicating when this token will expire. ExpiresAt int64 `json:"exp,omitempty"` // Issued at is an integer timestamp, measured in the number of seconds // since January 1 1970 UTC, indicating when this token was // originally issued. IssuedAt int64 `json:"iat,omitempty"` // NotBefore is an integer timestamp, measured in the number of seconds // since January 1 1970 UTC, indicating when this token is not to be // used before. NotBefore int64 `json:"nbf,omitempty"` // Username is a human-readable identifier for the resource owner who // authorized this token. Username string `json:"username,omitempty"` // Audience is a service-specific string identifier or list of string // identifiers representing the intended audience for this token. Audience string `json:"aud,omitempty"` // Issuer is a string representing the issuer of this token Issuer string `json:"iss,omitempty"` // Extra is arbitrary data set by the session. Extra map[string]interface{} `json:"ext,omitempty"` }
Introspection contains an access token's session data as specified by IETF RFC 7662, see: https://tools.ietf.org/html/rfc7662
type Introspector ¶ added in v0.4.0
type Introspector interface { // IntrospectToken performs a token introspection according to IETF RFC 7662, see: https://tools.ietf.org/html/rfc7662 // // func anyHttpHandler(w http.ResponseWriter, r *http.Request) { // ctx, err := introspector.IntrospectToken(context.Background(), introspector.TokenFromRequest(r), "photos", "files") // fmt.Sprintf("%s", ctx.Subject) // } IntrospectToken(ctx context.Context, token string, scopes ...string) (*Introspection, error) }
Introspector is capable of introspecting an access token according to IETF RFC 7662, see: https://tools.ietf.org/html/rfc7662
type Session ¶
type Session struct { *openid.DefaultSession `json:"idToken"` Extra map[string]interface{} `json:"extra"` }
func NewSession ¶
type WellKnown ¶ added in v0.8.2
type WellKnown struct { // URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. // If Issuer discovery is supported , this value MUST be identical to the issuer value returned // by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. // // required: true Issuer string `json:"issuer"` // URL of the OP's OAuth 2.0 Authorization Endpoint // // required: true AuthURL string `json:"authorization_endpoint"` // URL of the OP's OAuth 2.0 Token Endpoint // // required: true TokenURL string `json:"token_endpoint"` // URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate // signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs // to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) // parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. // Although some algorithms allow the same key to be used for both signatures and encryption, doing so is // NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of // keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. // // required: true JWKsURI string `json:"jwks_uri"` // JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include // pairwise and public. // // required: true SubjectTypes []string `json:"subject_types_supported"` // JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token // to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported, // but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint // (such as when using the Authorization Code Flow). // // required: true SigningAlgs []string `json:"id_token_signing_alg_values_supported"` // JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID // Providers MUST support the code, id_token, and the token id_token Response Type values. // // required: true ResponseTypes []string `json:"response_types_supported"` }
swagger:model WellKnown