    Overview ¶
Package accesstokens exposes a REST client for querying backend systems to get various types of access tokens (OAuth) for use in authentication.
These calls are of type "application/x-www-form-urlencoded". This means we use url.Values to represent arguments and then encode them into the POST body message. We receive JSON in return for the requests. The request definition is defined in https://tools.ietf.org/html/rfc7521#section-4.2 .
Index ¶
- func AppendDefaultScopes(authParameters authority.AuthParams) []string
 - type AppType
 - type AuthCodeRequest
 - type Client
 - func (c Client) DeviceCodeResult(ctx context.Context, authParameters authority.AuthParams) (DeviceCodeResult, error)
 - func (c Client) FromAssertion(ctx context.Context, authParameters authority.AuthParams, assertion string) (TokenResponse, error)
 - func (c Client) FromAuthCode(ctx context.Context, req AuthCodeRequest) (TokenResponse, error)
 - func (c Client) FromClientSecret(ctx context.Context, authParameters authority.AuthParams, clientSecret string) (TokenResponse, error)
 - func (c Client) FromDeviceCodeResult(ctx context.Context, authParameters authority.AuthParams, ...) (TokenResponse, error)
 - func (c Client) FromRefreshToken(ctx context.Context, appType AppType, authParams authority.AuthParams, ...) (TokenResponse, error)
 - func (c Client) FromSamlGrant(ctx context.Context, authParameters authority.AuthParams, ...) (TokenResponse, error)
 - func (c Client) FromUserAssertionClientCertificate(ctx context.Context, authParameters authority.AuthParams, userAssertion string, ...) (TokenResponse, error)
 - func (c Client) FromUserAssertionClientSecret(ctx context.Context, authParameters authority.AuthParams, userAssertion string, ...) (TokenResponse, error)
 - func (c Client) FromUsernamePassword(ctx context.Context, authParameters authority.AuthParams) (TokenResponse, error)
 
- type ClientInfo
 - type Credential
 - type DeviceCodeResponse
 - type DeviceCodeResult
 - type IDToken
 - type RefreshToken
 - type Scopes
 - type TokenResponse
 
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AppendDefaultScopes ¶ added in v0.5.0
func AppendDefaultScopes(authParameters authority.AuthParams) []string
Types ¶
type AppType ¶
// AppType is whether the authorization code flow is for a public or confidential client.
type AppType int8
AppType is whether the authorization code flow is for a public or confidential client.
type AuthCodeRequest ¶
// AuthCodeRequest stores the values required to request a token from the authority
// using an authorization code. Build it with NewCodeChallengeRequest.
type AuthCodeRequest struct {
	// AuthParams carries the authority, client and scope settings for the request.
	AuthParams    authority.AuthParams
	// Code is the authorization code returned by the authorization endpoint.
	Code          string
	// CodeChallenge is the PKCE challenge that accompanied the authorization request.
	CodeChallenge string
	// Credential is the confidential client credential; presumably nil for public clients — confirm in FromAuthCode.
	Credential    *Credential
	// AppType says whether the flow is for a public or confidential client.
	AppType       AppType
}
    AuthCodeRequest stores the values required to request a token from the authority using an authorization code.
func NewCodeChallengeRequest ¶
func NewCodeChallengeRequest(params authority.AuthParams, appType AppType, cc *Credential, code, challenge string) (AuthCodeRequest, error)
NewCodeChallengeRequest returns an AuthCodeRequest that uses a code challenge.
type Client ¶
// Client represents the REST calls to get tokens from token generator backends.
// The From* methods all post "application/x-www-form-urlencoded" bodies through Comm.
type Client struct {
	// Comm provides the HTTP transport client.
	Comm urlFormCaller
	// contains filtered or unexported fields
}
    Client represents the REST calls to get tokens from token generator backends.
func (Client) DeviceCodeResult ¶
func (c Client) DeviceCodeResult(ctx context.Context, authParameters authority.AuthParams) (DeviceCodeResult, error)
func (Client) FromAssertion ¶
func (c Client) FromAssertion(ctx context.Context, authParameters authority.AuthParams, assertion string) (TokenResponse, error)
func (Client) FromAuthCode ¶
func (c Client) FromAuthCode(ctx context.Context, req AuthCodeRequest) (TokenResponse, error)
FromAuthCode uses an authorization code to retrieve an access token.
func (Client) FromClientSecret ¶
func (c Client) FromClientSecret(ctx context.Context, authParameters authority.AuthParams, clientSecret string) (TokenResponse, error)
FromClientSecret uses a client's secret (aka password) to get a new token.
func (Client) FromDeviceCodeResult ¶
func (c Client) FromDeviceCodeResult(ctx context.Context, authParameters authority.AuthParams, deviceCodeResult DeviceCodeResult) (TokenResponse, error)
func (Client) FromRefreshToken ¶
func (c Client) FromRefreshToken(ctx context.Context, appType AppType, authParams authority.AuthParams, cc *Credential, refreshToken string) (TokenResponse, error)
FromRefreshToken uses a refresh token (for refreshing credentials) to get a new access token.
func (Client) FromSamlGrant ¶
func (c Client) FromSamlGrant(ctx context.Context, authParameters authority.AuthParams, samlGrant wstrust.SamlTokenInfo) (TokenResponse, error)
func (Client) FromUserAssertionClientCertificate ¶ added in v0.4.0
func (c Client) FromUserAssertionClientCertificate(ctx context.Context, authParameters authority.AuthParams, userAssertion string, assertion string) (TokenResponse, error)
func (Client) FromUserAssertionClientSecret ¶ added in v0.4.0
func (c Client) FromUserAssertionClientSecret(ctx context.Context, authParameters authority.AuthParams, userAssertion string, clientSecret string) (TokenResponse, error)
func (Client) FromUsernamePassword ¶
func (c Client) FromUsernamePassword(ctx context.Context, authParameters authority.AuthParams) (TokenResponse, error)
FromUsernamePassword uses a username and password to get an access token.
type ClientInfo ¶
// ClientInfo is the decoded client_info value of a token response; it is used to
// create a Home Account ID for an account. Decoding goes through UnmarshalJSON.
type ClientInfo struct {
	// UID is the "uid" value of the client_info payload.
	UID  string `json:"uid"`
	// UTID is the "utid" value of the client_info payload.
	UTID string `json:"utid"`
	// AdditionalFields presumably collects client_info members not mapped above — confirm in UnmarshalJSON.
	AdditionalFields map[string]interface{}
}
    ClientInfo is used to create a Home Account ID for an account.
func (*ClientInfo) UnmarshalJSON ¶
func (c *ClientInfo) UnmarshalJSON(b []byte) error
UnmarshalJSON implements json.Unmarshaler.
type Credential ¶
// Credential represents the credential used in confidential client flows. This can be
// either a Secret or Cert/Key; the callback fields cover assertion-based authentication.
// Secret and Key are sensitive material: keep them out of logs, error messages and
// String() output. Presumably only one authentication mode is populated at a time — confirm.
type Credential struct {
	// Secret contains the credential secret if we are doing auth by secret.
	Secret string
	// Cert is the public certificate, if we're authenticating by certificate.
	Cert *x509.Certificate
	// Key is the private key for signing, if we're authenticating by certificate.
	Key crypto.PrivateKey
	// X5c is the JWT assertion's x5c header value, required for SN/I authentication.
	X5c []string
	// AssertionCallback is a function provided by the application, if we're authenticating by assertion.
	AssertionCallback func(context.Context, exported.AssertionRequestOptions) (string, error)
	// TokenProvider is a function provided by the application that implements custom authentication
	// logic for a confidential client
	TokenProvider func(context.Context, exported.TokenProviderParameters) (exported.TokenProviderResult, error)
}
    Credential represents the credential used in confidential client flows. This can be either a Secret or Cert/Key.
func (*Credential) JWT ¶
func (c *Credential) JWT(ctx context.Context, authParams authority.AuthParams) (string, error)
JWT gets the jwt assertion when the credential is not using a secret.
type DeviceCodeResponse ¶
// DeviceCodeResponse represents the HTTP response received from the device code endpoint.
// Convert turns it into a DeviceCodeResult.
type DeviceCodeResponse struct {
	authority.OAuthResponseBase
	// UserCode is the short code the user enters at VerificationURL.
	UserCode        string `json:"user_code"`
	// DeviceCode is the code the client presents in the access token request; unlike UserCode it is not meant for display.
	DeviceCode      string `json:"device_code"`
	// VerificationURL is the URL where the user authenticates.
	VerificationURL string `json:"verification_uri"`
	// ExpiresIn is the device code lifetime (presumably seconds — confirm against Convert).
	ExpiresIn       int    `json:"expires_in"`
	// Interval is the polling interval for the token endpoint (presumably seconds — confirm).
	Interval        int    `json:"interval"`
	// Message is the text intended to be shown to the user.
	Message         string `json:"message"`
	// AdditionalFields presumably collects JSON members not mapped above — confirm against the decoder.
	AdditionalFields map[string]interface{}
}
    DeviceCodeResponse represents the HTTP response received from the device code endpoint.
func (DeviceCodeResponse) Convert ¶
func (dcr DeviceCodeResponse) Convert(clientID string, scopes []string) DeviceCodeResult
Convert converts the DeviceCodeResponse to a DeviceCodeResult.
type DeviceCodeResult ¶
// DeviceCodeResult stores the response from the STS device code endpoint.
// NOTE(review): String() is defined on this type; check that it does not print DeviceCode,
// which is the value later exchanged for tokens.
type DeviceCodeResult struct {
	// UserCode is the code the user needs to provide when authentication at the verification URI.
	UserCode string
	// DeviceCode is the code used in the access token request; unlike UserCode it is not meant to be shown to the user.
	DeviceCode string
	// VerificationURL is the URL where user can authenticate.
	VerificationURL string
	// ExpiresOn is the time at which the device code expires.
	ExpiresOn time.Time
	// Interval is the interval at which the STS should be polled at.
	Interval int
	// Message is the message which should be displayed to the user.
	Message string
	// ClientID is the UUID issued by the authorization server for your application.
	ClientID string
	// Scopes is the OpenID scopes used to request access a protected API.
	Scopes []string
}
    DeviceCodeResult stores the response from the STS device code endpoint.
func NewDeviceCodeResult ¶
func NewDeviceCodeResult(userCode, deviceCode, verificationURL string, expiresOn time.Time, interval int, message, clientID string, scopes []string) DeviceCodeResult
NewDeviceCodeResult creates a DeviceCodeResult instance.
func (DeviceCodeResult) String ¶
func (dcr DeviceCodeResult) String() string
type IDToken ¶
// IDToken consists of all the information used to validate a user; the fields are the
// claims of the ID token (https://docs.microsoft.com/azure/active-directory/develop/id-tokens).
// It is decoded by UnmarshalJSON and LocalAccountID derives the local account ID from it.
// NOTE(review): nothing on this page shows the token signature being verified before the
// claims are read; confirm that happens upstream before these values drive authorization.
type IDToken struct {
	PreferredUsername string `json:"preferred_username,omitempty"`
	GivenName         string `json:"given_name,omitempty"`
	FamilyName        string `json:"family_name,omitempty"`
	MiddleName        string `json:"middle_name,omitempty"`
	Name              string `json:"name,omitempty"`
	Oid               string `json:"oid,omitempty"`
	TenantID          string `json:"tid,omitempty"`
	Subject           string `json:"sub,omitempty"`
	UPN               string `json:"upn,omitempty"`
	Email             string `json:"email,omitempty"`
	AlternativeID     string `json:"alternative_id,omitempty"`
	Issuer            string `json:"iss,omitempty"`
	Audience          string `json:"aud,omitempty"`
	// ExpirationTime, IssuedAt and NotBefore are the exp/iat/nbf claims (presumably Unix seconds — confirm).
	ExpirationTime    int64  `json:"exp,omitempty"`
	IssuedAt          int64  `json:"iat,omitempty"`
	NotBefore         int64  `json:"nbf,omitempty"`
	// RawToken has no json tag; presumably the undecoded token string kept by UnmarshalJSON — confirm.
	RawToken          string
	// AdditionalFields presumably collects claims not mapped above — confirm in UnmarshalJSON.
	AdditionalFields map[string]interface{}
}
    IDToken consists of all the information used to validate a user. https://docs.microsoft.com/azure/active-directory/develop/id-tokens .
func (IDToken) LocalAccountID ¶
LocalAccountID extracts an account's local account ID from an ID token.
func (*IDToken) UnmarshalJSON ¶
UnmarshalJSON implements json.Unmarshaler.
type RefreshToken ¶
// RefreshToken is the JSON representation of a MSAL refresh token for encoding to storage.
// Secret is the refresh token itself and must be protected wherever this struct is persisted or logged.
type RefreshToken struct {
	// HomeAccountID identifies the account the token belongs to (homeID in NewRefreshToken).
	HomeAccountID     string `json:"home_account_id,omitempty"`
	// Environment is the env value passed to NewRefreshToken.
	Environment       string `json:"environment,omitempty"`
	// CredentialType is the credential kind stored in the cache entry.
	CredentialType    string `json:"credential_type,omitempty"`
	// ClientID is the application the token was issued to.
	ClientID          string `json:"client_id,omitempty"`
	// FamilyID is the token family (familyID in NewRefreshToken), if any.
	FamilyID          string `json:"family_id,omitempty"`
	// Secret is the refresh token value; GetSecret returns it. Sensitive.
	Secret            string `json:"secret,omitempty"`
	Realm             string `json:"realm,omitempty"`
	Target            string `json:"target,omitempty"`
	// UserAssertionHash presumably ties the entry to an on-behalf-of user assertion — confirm.
	UserAssertionHash string `json:"user_assertion_hash,omitempty"`
	// AdditionalFields presumably collects JSON members not mapped above — confirm.
	AdditionalFields map[string]interface{}
}
    RefreshToken is the JSON representation of a MSAL refresh token for encoding to storage.
func NewRefreshToken ¶
func NewRefreshToken(homeID, env, clientID, refreshToken, familyID string) RefreshToken
NewRefreshToken is the constructor for RefreshToken.
func (RefreshToken) GetSecret ¶
func (rt RefreshToken) GetSecret() string
func (RefreshToken) Key ¶
func (rt RefreshToken) Key() string
Key outputs the key that can be used to uniquely look up this entry in a map.
type Scopes ¶
// Scopes represents scopes in a TokenResponse; UnmarshalJSON fills it from the "scope" value.
type Scopes struct {
	// Slice holds the individual scope strings.
	Slice []string
}
    Scopes represents scopes in a TokenResponse.
func (*Scopes) UnmarshalJSON ¶
UnmarshalJSON implements json.Unmarshaler.
type TokenResponse ¶
// TokenResponse is the information that is returned from a token endpoint during a token
// acquisition flow. AccessToken and RefreshToken are bearer secrets: keep them out of logs.
// Call ComputeScope before Validate.
type TokenResponse struct {
	authority.OAuthResponseBase
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	TokenType    string `json:"token_type"`
	// FamilyID is the "foci" value, used as the refresh token family.
	FamilyID       string                    `json:"foci"`
	IDToken        IDToken                   `json:"id_token"`
	ClientInfo     ClientInfo                `json:"client_info"`
	RefreshOn      internalTime.DurationTime `json:"refresh_in,omitempty"`
	// ExpiresOn is not decoded from JSON directly; presumably set by UnmarshalJSON — confirm.
	ExpiresOn      time.Time                 `json:"-"`
	ExtExpiresOn   internalTime.DurationTime `json:"ext_expires_in"`
	// GrantedScopes is what the server actually granted ("scope").
	GrantedScopes  Scopes                    `json:"scope"`
	// DeclinedScopes is derived by ComputeScope from the requested and granted scopes.
	DeclinedScopes []string                  // This is derived
	AdditionalFields map[string]interface{}
	// contains filtered or unexported fields
}
    TokenResponse is the information that is returned from a token endpoint during a token acquisition flow.
func (*TokenResponse) CacheKey ¶
func (tr *TokenResponse) CacheKey(authParams authority.AuthParams) string
func (*TokenResponse) ComputeScope ¶
func (tr *TokenResponse) ComputeScope(authParams authority.AuthParams)
ComputeScope computes the final scopes based on what was granted by the server and what our AuthParams were from the authority server. Per the OAuth spec, if no scopes are returned, the response should be treated as if all scopes were granted. This behavior can be observed in client assertion flows, but can happen at any time; this check ensures we treat those special responses properly. Link to spec: https://tools.ietf.org/html/rfc6749#section-3.3
func (*TokenResponse) HomeAccountID ¶ added in v1.1.1
func (tr *TokenResponse) HomeAccountID() string
HomeAccountID uniquely identifies the authenticated account, if any. It's "" when the token is an app token.
func (*TokenResponse) UnmarshalJSON ¶ added in v1.4.0
func (tr *TokenResponse) UnmarshalJSON(data []byte) error
func (*TokenResponse) Validate ¶
func (tr *TokenResponse) Validate() error
Validate validates the TokenResponse has basic valid values. It must be called after ComputeScope() is called.