Documentation
Constants
This section is empty.
Variables
var AllProviderTypes = []ProviderType{
	ProviderTypeCustom,
	ProviderTypeFacebook,
	ProviderTypeGoogle,
	ProviderTypeLinkedIn,
	ProviderTypeMicrosoft,
	ProviderTypeNone,
	ProviderTypeUnsupported,
}
AllProviderTypes is a slice of all ProviderType values.
Functions
This section is empty.
Types
type ClientCredentialsTokenSource
type ClientCredentialsTokenSource struct {
	TokenURL        string   `json:"token_url" validate:"notempty"`
	ClientID        string   `json:"client_id" validate:"notempty"`
	ClientSecret    string   `json:"client_secret" validate:"notempty"` // TODO (sgarrity 6/24): should this be secret.String?
	CustomAudiences []string `json:"custom_audiences"`
	SubjectJWT      string   `json:"subject_jwt"` // optional, ID Token for a UC user if this access token is being created on their behalf
}
ClientCredentialsTokenSource encapsulates the parameters required to issue a Client Credentials OIDC request and return a token.
func (ClientCredentialsTokenSource) GetToken
func (ccts ClientCredentialsTokenSource) GetToken() (string, error)
GetToken issues a request to an OIDC-compliant token endpoint to perform the Client Credentials flow in exchange for an access token.
func (ClientCredentialsTokenSource) Validate (added in v1.1.0)
func (o ClientCredentialsTokenSource) Validate() error
Validate implements Validateable.
type MFAChannelType (added in v0.6.4)
type MFAChannelType string
MFAChannelType defines the types of channels supported for MFA.
const (
	MFAInvalidChannel            MFAChannelType = "invalid"
	MFAEmailChannel              MFAChannelType = "email"
	MFASMSChannel                MFAChannelType = "sms"
	MFAAuthenticatorChannel      MFAChannelType = "authenticator"
	MFAAuth0AuthenticatorChannel MFAChannelType = "auth0_authenticator"
	MFAAuth0EmailChannel         MFAChannelType = "auth0_email"
	MFAAuth0SMSChannel           MFAChannelType = "auth0_sms"
	MFARecoveryCodeChannel       MFAChannelType = "recovery_code"
)
MFAChannelType constants.
type ProviderType (added in v0.6.4)
type ProviderType int
ProviderType is an OIDC provider type.
const (
	// when synching data from other IDPs, we may encounter OIDC providers that
	// are not supported, in which case we will store ProviderTypeUnsupported
	// in the DB
	ProviderTypeUnsupported ProviderType = -1
	// not having an OIDC provider is the default
	ProviderTypeNone ProviderType = 0
	// valid OIDC providers are numbered starting with 1
	ProviderTypeGoogle    ProviderType = 1
	ProviderTypeFacebook  ProviderType = 2
	ProviderTypeLinkedIn  ProviderType = 3
	ProviderTypeCustom    ProviderType = 4
	ProviderTypeMicrosoft ProviderType = 5
)
Supported OIDC provider types.
func (ProviderType) Enum (added in v0.6.6)
func (t ProviderType) Enum() []interface{}
Enum implements Enum.
func (ProviderType) MarshalText (added in v0.6.4)
func (t ProviderType) MarshalText() ([]byte, error)
MarshalText implements encoding.TextMarshaler (for JSON).
func (ProviderType) String (added in v0.6.4)
func (t ProviderType) String() string
String implements fmt.Stringer; it is just here for easier debugging.
func (*ProviderType) UnmarshalText (added in v0.6.4)
func (t *ProviderType) UnmarshalText(b []byte) error
UnmarshalText implements encoding.TextUnmarshaler (for JSON).
func (*ProviderType) Validate (added in v0.6.4)
func (t *ProviderType) Validate() error
Validate implements Validateable.
type StandardClaims
type StandardClaims struct {
	Audience        []string `json:"aud,omitempty"`
	AuthorizedParty string   `json:"azp,omitempty"`
	ExpiresAt       int64    `json:"exp,omitempty"`
	ID              string   `json:"jti,omitempty"`
	IssuedAt        int64    `json:"iat,omitempty"`
	Issuer          string   `json:"iss,omitempty"`
	NotBefore       int64    `json:"nbf,omitempty"`
	Subject         string   `json:"sub,omitempty"`
}
StandardClaims is forked from golang-jwt/jwt.StandardClaims, except that Audience is an array here, per the actual spec:
In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL.
https://tools.ietf.org/html/rfc7519#section-4.1
AZP is also added here, per the OIDC spec, which is slightly ambiguous:
From section 2, https://openid.net/specs/openid-connect-core-1_0.html#IDToken: OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value.
From section 3.1.3.7, https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation:
4. If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
5. If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
func (*StandardClaims) Valid
func (c *StandardClaims) Valid() error
Valid implements the jwt.Claims interface.
type TokenResponse
type TokenResponse struct {
	AccessToken  string `json:"access_token,omitempty"`
	TokenType    string `json:"token_type,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty"`
	ExpiresIn    int    `json:"expires_in,omitempty"`
	IDToken      string `json:"id_token,omitempty"`
	ErrorType    string `json:"error,omitempty"`
	ErrorDesc    string `json:"error_description,omitempty"`
}
TokenResponse is an OIDC-compliant response from a token endpoint (either token exchange or the resource owner password credentials flow). See https://datatracker.ietf.org/doc/html/rfc6749#section-5.1. ErrorType is non-empty when the endpoint returned an error.
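The Client Credentials request that ClientCredentialsTokenSource.GetToken performs, and the TokenResponse error handling described above, as an added example that is not the package's own code: ClientCredentialsToken is a hypothetical function, and the custom-audience and subject-JWT inputs are left out because the page does not say how they are transmitted.

```go
package main
import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// TokenResponse mirrors the page's TokenResponse; ErrorType is set on an RFC 6749 §5.2 error reply.
type TokenResponse struct {
	AccessToken string `json:"access_token,omitempty"`
	TokenType   string `json:"token_type,omitempty"`
	ExpiresIn   int    `json:"expires_in,omitempty"`
	ErrorType   string `json:"error,omitempty"`
	ErrorDesc   string `json:"error_description,omitempty"`
}

// ClientCredentialsToken runs the RFC 6749 §4.4 client credentials grant against tokenURL.
// The client secret travels only in the HTTP Basic header (§2.3.1), never in the body or URL,
// and the response body is size-capped before it is decoded.
func ClientCredentialsToken(ctx context.Context, hc *http.Client, tokenURL, clientID, clientSecret string) (*TokenResponse, error) {
	form := url.Values{"grant_type": {"client_credentials"}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := hc.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var tr TokenResponse
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&tr); err != nil {
		return nil, fmt.Errorf("token endpoint returned a non-JSON body (status %d): %w", resp.StatusCode, err)
	}
	// An error reply (§5.2) carries "error"; treat any non-200 status the same way.
	if tr.ErrorType != "" || resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint error %q (status %d): %s", tr.ErrorType, resp.StatusCode, tr.ErrorDesc)
	}
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "Bearer") {
		return nil, fmt.Errorf("token endpoint returned no bearer access token")
	}
	return &tr, nil
}
```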
type TokenSource
TokenSource describes a source of JWTs for jsonclient etc.
type UCTokenClaims (added in v1.1.0)
type UCTokenClaims struct {
	StandardClaims
	Name            string   `json:"name,omitempty"`
	Nickname        string   `json:"nickname,omitempty"`
	Email           string   `json:"email,omitempty"`
	EmailVerified   bool     `json:"email_verified,omitempty"`
	Picture         string   `json:"picture,omitempty"`
	Nonce           string   `json:"nonce,omitempty"`
	UpdatedAt       int64    `json:"updated_at,omitempty"` // NOTE: Auth0 treats this as a string, but OIDC says this is seconds since the Unix Epoch
	RefreshAudience []string `json:"refresh_aud,omitempty"`
	SubjectType     string   `json:"subject_type,omitempty"`
	OrganizationID  string   `json:"organization_id,omitempty"`
	ImpersonatedBy  string   `json:"impersonated_by,omitempty"`
}
UCTokenClaims represents the UserClouds claims made by a token, and is also used by the UserInfo endpoint to return standard OIDC user claims.
func (*UCTokenClaims) UnmarshalJSON (added in v1.1.0)
func (t *UCTokenClaims) UnmarshalJSON(b []byte) error
UnmarshalJSON implements json.Unmarshaler; it is needed because the audience field may be either an array or a string.
func (*UCTokenClaims) Valid (added in v1.1.0)
func (t *UCTokenClaims) Valid() error
Valid implements the jwt.Claims interface.
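The aud-as-string-or-array decoding that UCTokenClaims.UnmarshalJSON exists for, together with the azp checks quoted from OIDC Core 3.1.3.7 under StandardClaims, as an added example that is not the package's own code: Claims, UnmarshalJSON and ValidateAudience are hypothetical names for this illustration.

```go
package main
import (
	"encoding/json"
	"fmt"
)

// Claims mirrors the subset of the page's StandardClaims needed for audience checks.
type Claims struct {
	Audience        []string // "aud": decoded by hand because it may be a string or an array (RFC 7519 §4.1.3)
	AuthorizedParty string   // "azp"
}
// UnmarshalJSON accepts "aud": "client-a" as well as "aud": ["client-a", "client-b"].
func (c *Claims) UnmarshalJSON(b []byte) error {
	var raw struct {
		Aud json.RawMessage `json:"aud"`
		Azp string          `json:"azp"`
	}
	if err := json.Unmarshal(b, &raw); err != nil {
		return err
	}
	c.AuthorizedParty = raw.Azp
	if len(raw.Aud) == 0 {
		return nil // "aud" is OPTIONAL: Audience stays nil and ValidateAudience rejects the token
	}
	if json.Unmarshal(raw.Aud, &c.Audience) == nil { // array form (JSON null also lands here, leaving nil)
		return nil
	}
	var one string
	if err := json.Unmarshal(raw.Aud, &one); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings: %w", err)
	}
	c.Audience = []string{one}
	return nil
}

// ValidateAudience applies OIDC Core §3.1.3.7 steps 3-5 for the relying party clientID.
func (c *Claims) ValidateAudience(clientID string) error {
	if len(c.Audience) > 1 && c.AuthorizedParty == "" {
		return fmt.Errorf("multiple audiences but no azp claim")
	}
	if c.AuthorizedParty != "" && c.AuthorizedParty != clientID {
		return fmt.Errorf("azp %q does not match client_id %q", c.AuthorizedParty, clientID)
	}
	for _, a := range c.Audience {
		if a == clientID {
			return nil
		}
	}
	return fmt.Errorf("aud %v does not contain client_id %q", c.Audience, clientID)
}
```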