oidc

package
v0.8.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 1, 2024 License: MIT Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

AllProviderTypes is a slice of all ProviderType values

Functions

This section is empty.

Types

type ClientCredentialsTokenSource

type ClientCredentialsTokenSource struct {
	TokenURL        string   `json:"token_url"`
	ClientID        string   `json:"client_id"`
	ClientSecret    string   `json:"client_secret"`
	CustomAudiences []string `json:"custom_audiences"`
	SubjectJWT      string   `json:"subject_jwt"` // optional, ID Token for a UC user if this access token is being created on their behalf
}

ClientCredentialsTokenSource encapsulates parameters required to issue a Client Credentials OIDC request and return a token

func (ClientCredentialsTokenSource) GetToken

func (ccts ClientCredentialsTokenSource) GetToken() (string, error)

GetToken issues a request to an OIDC-compliant token endpoint to perform the Client Credentials flow in exchange for an access token.

type MFAChannelType added in v0.6.4

type MFAChannelType string

MFAChannelType defines the types of channels supported for MFA

const (
	MFAInvalidChannel            MFAChannelType = "invalid"
	MFAEmailChannel              MFAChannelType = "email"
	MFASMSChannel                MFAChannelType = "sms"
	MFAAuthenticatorChannel      MFAChannelType = "authenticator"
	MFAAuth0AuthenticatorChannel MFAChannelType = "auth0_authenticator"
	MFAAuth0EmailChannel         MFAChannelType = "auth0_email"
	MFAAuth0SMSChannel           MFAChannelType = "auth0_sms"
	MFARecoveryCodeChannel       MFAChannelType = "recovery_code"
)

MFAChannelType constants

type ProviderType added in v0.6.4

type ProviderType int

ProviderType is an OIDC provider type

const (
	// when synching data from other IDPs, we may encounter OIDC providers that
	// are not supported, in which case we will store ProviderTypeUnsupported
	// in the DB
	ProviderTypeUnsupported ProviderType = -1

	// not having an OIDC provider is the default
	ProviderTypeNone ProviderType = 0

	// valid OIDC providers are numbered starting with 1
	ProviderTypeGoogle    ProviderType = 1
	ProviderTypeFacebook  ProviderType = 2
	ProviderTypeLinkedIn  ProviderType = 3
	ProviderTypeCustom    ProviderType = 4
	ProviderTypeMicrosoft ProviderType = 5
)

Supported OIDC provider types

func (ProviderType) Enum added in v0.6.6

func (t ProviderType) Enum() []interface{}

Enum implements Enum

func (ProviderType) MarshalText added in v0.6.4

func (t ProviderType) MarshalText() ([]byte, error)

MarshalText implements encoding.TextMarshaler (for JSON)

func (ProviderType) String added in v0.6.4

func (t ProviderType) String() string

just here for easier debugging

func (*ProviderType) UnmarshalText added in v0.6.4

func (t *ProviderType) UnmarshalText(b []byte) error

UnmarshalText implements encoding.TextMarshaler (for JSON)

func (*ProviderType) Validate added in v0.6.4

func (t *ProviderType) Validate() error

Validate implements Validateable

type StandardClaims

type StandardClaims struct {
	Audience        []string `json:"aud,omitempty"`
	AuthorizedParty string   `json:"azp,omitempty"`
	ExpiresAt       int64    `json:"exp,omitempty"`
	ID              string   `json:"jti,omitempty"`
	IssuedAt        int64    `json:"iat,omitempty"`
	Issuer          string   `json:"iss,omitempty"`
	NotBefore       int64    `json:"nbf,omitempty"`
	Subject         string   `json:"sub,omitempty"`
}

StandardClaims is forked from golang-jwt/jwt.StandardClaims, except Audience is an array here per the actual spec:

In the general case, the "aud" value is an array of case-sensitive strings, each containing
a StringOrURI value.  In the special case when the JWT has one audience, the "aud" value MAY
be a single case-sensitive string containing a StringOrURI value.  The interpretation of
audience values is generally application specific. Use of this claim is OPTIONAL.

https://tools.ietf.org/html/rfc7519#section-4.1

AZP is also added here, per the OIDC spec, which is slightly ambiguous:

From 2 https://openid.net/specs/openid-connect-core-1_0.html#IDToken: OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value.

From 3.1.3.7 https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation 4. If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present. 5. If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.

func (StandardClaims) Valid

func (c StandardClaims) Valid() error

Valid implements jwt.Claims interface

type TokenClaims

type TokenClaims struct {
	StandardClaims

	Name            string   `json:"name,omitempty"`
	Nickname        string   `json:"nickname,omitempty"`
	Email           string   `json:"email,omitempty"`
	EmailVerified   bool     `json:"email_verified,omitempty"`
	Picture         string   `json:"picture,omitempty"`
	Nonce           string   `json:"nonce,omitempty"`
	UpdatedAt       int64    `json:"updated_at,omitempty"` // NOTE: Auth0 treats this as a string, but OIDC says this is seconds since the Unix Epoch
	RefreshAudience []string `json:"refresh_aud,omitempty"`
	SubjectType     string   `json:"subject_type,omitempty"`
	OrganizationID  string   `json:"organization_id,omitempty"`
	ImpersonatedBy  string   `json:"impersonated_by,omitempty"`
}

TokenClaims represents the claims made by a token, and is also used by the UserInfo endpoint to return standard OIDC user claims.

func (TokenClaims) Valid

func (t TokenClaims) Valid() error

Valid implements jwt.Claims interface

type TokenResponse

type TokenResponse struct {
	AccessToken  string `json:"access_token,omitempty"`
	TokenType    string `json:"token_type,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty"`
	ExpiresIn    int    `json:"expires_in,omitempty"`
	IDToken      string `json:"id_token,omitempty"`

	ErrorType string `json:"error,omitempty"`
	ErrorDesc string `json:"error_description,omitempty"`
}

TokenResponse is an OIDC-compliant response from a token endpoint. (either token exchange or resource owner password credential flow). See https://datatracker.ietf.org/doc/html/rfc6749#section-5.1. ErrorType will be non-empty if error.

type TokenSource

type TokenSource interface {
	GetToken() (string, error)
}

TokenSource describes a source of JWTs for jsonclient etc

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL