verifier

package
v0.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Mar 27, 2025 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// ExpirationPolicies groups the expiration policies that can be selected when
// verifying a PK Token. Each field is an ExpirationPolicy value; the contents
// of those values are not shown in this listing.
//
// NOTE(review): per the field comments, the MAX_AGE_* and NEVER_EXPIRE
// policies do not rely on the ID Token's own expiration claim, so they can keep
// a token acceptable for longer than that claim would. Confirm the chosen
// policy matches the deployment's tolerance for stale or stolen tokens.
var ExpirationPolicies = struct {
	// Uses the OpenID Connect expiration claim.
	OIDC            ExpirationPolicy
	// Uses the OpenID Connect expiration claim on the ID Token; if that has
	// expired, checks the expiration on the refreshed (fresh) ID Token.
	OIDC_REFRESHED  ExpirationPolicy
	// Replaces the OpenID Connect expiration claim with an OpenPubkey 24-hour
	// expiration.
	MAX_AGE_24HOURS ExpirationPolicy
	// NOTE(review): uncommented in the original; by name, presumably the same
	// replacement with a 48-hour limit — confirm.
	MAX_AGE_48HOURS ExpirationPolicy
	// NOTE(review): uncommented in the original; by name, presumably the same
	// replacement with a one-week limit — confirm.
	MAX_AGE_1WEEK   ExpirationPolicy
	// The ID Token never expires until the OpenID Provider rotates the ID
	// Token (wording kept from the original).
	// NOTE(review): this likely refers to rotation of the provider's signing
	// keys — confirm. No time-based bound is described for this policy.
	NEVER_EXPIRE    ExpirationPolicy
}{
	OIDC:            ExpirationPolicy{/* contains filtered or unexported fields */},
	OIDC_REFRESHED:  ExpirationPolicy{/* contains filtered or unexported fields */},
	MAX_AGE_24HOURS: ExpirationPolicy{/* contains filtered or unexported fields */},
	MAX_AGE_48HOURS: ExpirationPolicy{/* contains filtered or unexported fields */},
	MAX_AGE_1WEEK:   ExpirationPolicy{/* contains filtered or unexported fields */},
	NEVER_EXPIRE:    ExpirationPolicy{/* contains filtered or unexported fields */},
}

Functions

This section is empty.

Types

type Check

// Check is a verification step that receives the Verifier and the PK Token
// under verification and reports its outcome as an error. VerifyPKToken accepts
// values of this type through its variadic extraChecks parameter.
type Check func(*Verifier, *pktoken.PKToken) error

func GQOnly

// GQOnly returns a Check that can be passed to VerifyPKToken as an extra check.
// NOTE(review): the name suggests the returned Check rejects PK Tokens whose
// provider signature is not a GQ signature; the body is not visible here —
// confirm against the source before relying on it as a policy control.
func GQOnly() Check

type CosignerVerifier

// CosignerVerifier is implemented by types that verify a cosigner on a PK Token.
type CosignerVerifier interface {
	// Issuer returns the issuer string for this cosigner.
	// NOTE(review): presumably matched against the cosigner recorded in the
	// PK Token — confirm against the Verifier implementation.
	Issuer() string
	// Strict reports whether this cosigner MUST be present for verification to
	// succeed. By that contract, a verifier returning false does not make the
	// cosigner mandatory, so a token lacking it is not rejected for that alone.
	Strict() bool
	// VerifyCosigner verifies the cosigner on pkt and reports the outcome as
	// an error.
	VerifyCosigner(ctx context.Context, pkt *pktoken.PKToken) error
}

type ExpirationPolicy

// ExpirationPolicy is the policy against which CheckExpiration evaluates the
// expiration of a PK Token. Its fields are unexported; the predefined values
// are exposed through the ExpirationPolicies variable.
type ExpirationPolicy struct {
	// contains filtered or unexported fields
}

func (ExpirationPolicy) CheckExpiration

func (ep ExpirationPolicy) CheckExpiration(pkt *pktoken.PKToken) error

CheckExpiration checks the expiration of the PK Token against the expiration policy.

type ProviderVerifier

// ProviderVerifier is implemented by types that verify ID tokens issued by an
// OpenID Provider. New and NewFromMany take values of this type.
type ProviderVerifier interface {
	// Issuer returns the OpenID Provider issuer as seen in the ID token,
	// e.g. "https://accounts.google.com".
	Issuer() string
	// VerifyIDToken verifies the raw ID token idt together with the client
	// instance claims cic and reports the outcome as an error.
	// NOTE(review): which properties are checked (signature, audience,
	// binding of cic to the token) depends on the implementation and is not
	// visible here — confirm per implementation.
	VerifyIDToken(ctx context.Context, idt []byte, cic *clientinstance.Claims) error
}

type ProviderVerifierExpires

// ProviderVerifierExpires bundles a ProviderVerifier with an ExpirationPolicy.
// NOTE(review): presumably this lets each provider carry its own expiration
// policy instead of a verifier-wide one — confirm against the Verifier source.
type ProviderVerifierExpires struct {
	// Embedded, so Issuer and VerifyIDToken are promoted onto this type.
	ProviderVerifier
	// Expiration is the policy associated with this provider.
	Expiration ExpirationPolicy
}

func (ProviderVerifierExpires) ExpirationPolicy

// ExpirationPolicy returns an ExpirationPolicy for this provider verifier.
// NOTE(review): presumably the value of the Expiration field; the body is not
// visible here — confirm.
func (p ProviderVerifierExpires) ExpirationPolicy() ExpirationPolicy

type RefreshableProviderVerifier

// RefreshableProviderVerifier is implemented by provider verifiers that can
// verify a refreshed ID token.
type RefreshableProviderVerifier interface {
	// VerifyRefreshedIDToken takes the original ID token (origIdt) and the
	// refreshed ID token (reIdt) as raw bytes and reports the outcome as an
	// error.
	// NOTE(review): presumably checks that reIdt is a valid refresh of
	// origIdt (same issuer and subject); the exact checks are
	// implementation-defined — confirm.
	VerifyRefreshedIDToken(ctx context.Context, origIdt []byte, reIdt []byte) error
}

type Verifier

// Verifier verifies PK Tokens through its VerifyPKToken method. Its fields are
// unexported; values are created with New or NewFromMany and configured with
// VerifierOpts.
type Verifier struct {
	// contains filtered or unexported fields
}

func New

// New returns a Verifier for a single ProviderVerifier, configured by the
// supplied options. It returns an error alongside the Verifier.
// NOTE(review): the expiration policy in effect when WithExpirationPolicy is
// not supplied is not visible here — confirm the default before relying on it.
func New(verifier ProviderVerifier, options ...VerifierOpts) (*Verifier, error)

func NewFromMany

// NewFromMany returns a Verifier for several ProviderVerifiers, configured by
// the supplied options. It returns an error alongside the Verifier.
// NOTE(review): how a PK Token is matched to one of the verifiers (presumably
// by issuer) and how duplicate issuers are handled is not visible here —
// confirm.
func NewFromMany(verifiers []ProviderVerifier, options ...VerifierOpts) (*Verifier, error)

func (*Verifier) VerifyPKToken

func (v *Verifier) VerifyPKToken(
	ctx context.Context,
	pkt *pktoken.PKToken,
	extraChecks ...Check,
) error

Verifies whether a PK token is valid and matches all expected claims.

extraChecks: optional additional checks (values of type Check) to apply as part of verification.

type VerifierOpts

// VerifierOpts is a configuration option for a Verifier: a function that
// receives the Verifier and may return an error. New and NewFromMany accept
// any number of them.
type VerifierOpts func(*Verifier) error

func RequireRefreshedIDToken

func RequireRefreshedIDToken() VerifierOpts

RequireRefreshedIDToken instructs the verifier to check that an unexpired, refreshed ID token is set on the PKToken.

func WithCosignerVerifiers

// WithCosignerVerifiers returns a VerifierOpts built from the given cosigner
// verifiers. Note that it takes the concrete *cosigner.DefaultCosignerVerifier
// type rather than the CosignerVerifier interface.
// NOTE(review): presumably registers the verifiers so VerifyPKToken checks
// cosigner signatures; whether a missing cosigner fails verification depends
// on each verifier's Strict setting — confirm.
func WithCosignerVerifiers(verifiers ...*cosigner.DefaultCosignerVerifier) VerifierOpts

func WithExpirationPolicy

// WithExpirationPolicy returns a VerifierOpts built from the given expiration
// policy; the predefined policies are the fields of ExpirationPolicies.
// NOTE(review): presumably sets the policy the Verifier uses when checking PK
// Token expiration; how it interacts with a per-provider policy from
// ProviderVerifierExpires is not visible here — confirm.
func WithExpirationPolicy(expirationPolicy ExpirationPolicy) VerifierOpts
