Overview ¶
Package oauth provides the base auth interfaces
Index ¶
- Constants
- Variables
- func ApiSwaggerV1OauthSwaggerYaml() (*asset, error)
- func ApiSwaggerV1OauthSwaggerYamlBytes() ([]byte, error)
- func Asset(name string) ([]byte, error)
- func AssetDir(name string) ([]string, error)
- func AssetInfo(name string) (os.FileInfo, error)
- func AssetNames() []string
- func Authorizer(opts ...AuthorizerOption) api.Authorizer
- func ClientCredentials(config clientcredentials.Config, secure bool) (credentials.PerRPCCredentials, error)
- func MustAsset(name string) []byte
- func RestoreAsset(dir, name string) error
- func RestoreAssets(dir, name string) error
- func Routes() []api.Route
- type Audience
- type AuthorizeParams
- type AuthorizeRoute
- type AuthorizerOption
- type BearerToken
- type Claims
- func (c Claims) All() map[string]interface{}
- func (c Claims) Audience() string
- func (c Claims) ClientID() string
- func (c Claims) Delete(keys ...string) Claims
- func (c *Claims) Encode(v interface{}) Claims
- func (c Claims) ExpiresAt() time.Time
- func (c Claims) Get(key string) interface{}
- func (c Claims) ID() string
- func (c Claims) IssuedAt() time.Time
- func (c Claims) Merge(claims Claims) Claims
- func (c Claims) Scan(value interface{}) error
- func (c Claims) Scope() Scope
- func (c Claims) Set(key string, value interface{})
- func (c Claims) Sign(s TokenSecret) (string, error)
- func (c Claims) Subject() string
- func (c Claims) Use() string
- func (c Claims) Valid() error
- func (c Claims) Value() (driver.Value, error)
- type Client
- type ClientType
- type Controller
- type ControllerProxy
- type ErrTooManyLoginAttempts
- type GrantList
- type GrantType
- type Grants
- type ID
- type JWKSInput
- type JWKSRoute
- type LoginParams
- type LoginRoute
- type LogoutParams
- type LogoutRoute
- type Notification
- type NotificationChannel
- type NotificationType
- type OIDConfigInput
- type OpenIDConfigRoute
- type PKCEChallenge
- type PKCEChallengeMethod
- type PasswordCreateParams
- type PasswordCreateRoute
- type PasswordNotification
- type PasswordType
- type PasswordUpdateParams
- type PasswordUpdateRoute
- type RequestToken
- type RequestTokenType
- type Route
- type Scope
- func (s Scope) Append(e ...string) Scope
- func (s Scope) Contains(value string) bool
- func (s Scope) Every(elements ...string) bool
- func (s Scope) MarshalJSON() ([]byte, error)
- func (s *Scope) Scan(value interface{}) error
- func (s Scope) Some(elements ...string) bool
- func (s *Scope) String() string
- func (s Scope) Unique() Scope
- func (s *Scope) UnmarshalText(v []byte) error
- func (s Scope) Value() (driver.Value, error)
- func (s Scope) Without(elements ...string) Scope
- type ScopeList
- type ScopeSet
- type SessionParams
- type SessionRoute
- type SignupParams
- type SignupRoute
- type SpecGetInput
- type SpecRoute
- type Time
- type Token
- type TokenAlgorithm
- type TokenIntrospectParams
- type TokenIntrospectRoute
- type TokenParams
- type TokenRevokeParams
- type TokenRevokeRoute
- type TokenRoute
- type TokenSecret
- type TokenUse
- type URI
- type URIList
- type User
- type UserInfoParams
- type UserInfoRoute
- type UserInfoUpdateParams
- type UserInfoUpdateRoute
- type VerificationNotification
- type VerifyParams
- type VerifyRoute
- type VerifySendParams
- type VerifySendRoute
Constants ¶
const (
	// NotificationTypeVerify are verification notifications
	NotificationTypeVerify NotificationType = "verify"
	// NotificationTypePassword are password notifications
	NotificationTypePassword NotificationType = "password"
	// NotificationTypeInvite are invitation notifications
	NotificationTypeInvite NotificationType = "invite"
	// NotificationChannelEmail is an email notification channel
	NotificationChannelEmail NotificationChannel = "email"
	// NotificationChannelPhone is an sms notification channel
	NotificationChannelPhone NotificationChannel = "phone"
)
const (
	// ScopeOpenID is the openid scope
	ScopeOpenID = "openid"
	// ScopeProfile is the scope required to query for a user's profile
	ScopeProfile = "profile"
	// ScopeProfileWrite is the scope required to write to a user's profile
	ScopeProfileWrite = "profile:write"
	// ScopeOfflineAccess is the scope necessary to request a refresh_token
	ScopeOfflineAccess = "offline_access"
	// ScopeAddress is required to read a user's physical address
	ScopeAddress = "address"
	// ScopeEmail is the scope required to get a user's email address
	ScopeEmail = "email"
	// ScopeEmailVerify is the scope required to verify a user's email address
	// NOTE(review): the value "emai:verify" reads like a typo for "email:verify".
	// It is a wire value, so any correction has to be coordinated with clients
	// that already request it rather than fixed in place.
	ScopeEmailVerify = "emai:verify"
	// ScopePhone is the scope required to verify the user's phone number
	// NOTE(review): this description is identical to ScopePhoneVerify; by analogy
	// with ScopeEmail this one presumably grants read access — confirm
	ScopePhone = "phone"
	// ScopePhoneVerify is the scope required to verify a user's phone number
	ScopePhoneVerify = "phone:verify"
	// ScopeTokenRead is provided for token introspection
	ScopeTokenRead = "token:read"
	// ScopeTokenRevoke is required for token revocation
	ScopeTokenRevoke = "token:revoke"
	// ScopeSession creates a login session
	ScopeSession = "session"
	// ScopePassword allows a user to set their password
	ScopePassword = "password"
)
const (
// RequestTokenParam is the name of the request token parameter passed on redirect from /authorize
RequestTokenParam = "request_token"
)
Variables ¶
var (
	// ErrAccessDenied is returned when authentication has failed
	ErrAccessDenied = api.ErrUnauthorized
	// ErrClientNotFound is returned when the controller could not find the client
	ErrClientNotFound = api.ErrNotFound.WithMessage("client not found")
	// ErrAudienceNotFound is returned when the store could not find the audience
	ErrAudienceNotFound = api.ErrNotFound.WithMessage("audience not found")
	// ErrUserNotFound is returned when the store could not find the user
	// NOTE(review): the message is distinct from the client/audience variants, so any
	// route that surfaces it to unauthenticated callers reveals whether a login exists;
	// confirm that is acceptable for those routes.
	ErrUserNotFound = api.ErrNotFound.WithMessage("user not found")
	// ErrSessionNotFound is returned when the session was not found by the controller
	ErrSessionNotFound = api.ErrNotFound.WithMessage("session not found")
	// ErrUnsupportedAlogrithm is returned when the Authorizer gets a bad token
	// (the identifier's spelling is part of the exported API)
	ErrUnsupportedAlogrithm = api.ErrBadRequest.WithDetail("unsupported signing algorithm")
	// ErrInvalidToken is returned when the token is not valid
	ErrInvalidToken = ErrAccessDenied.WithDetail("invalid token")
	// ErrKeyNotFound is returned when the authorizer can not find a good key
	ErrKeyNotFound = ErrAccessDenied.WithDetail("suitable verification key not found")
	// ErrRevokedToken is returned when the token is revoked
	ErrRevokedToken = ErrAccessDenied.WithDetail("revoked token")
	// ErrExpiredToken is returned when the token is expired
	ErrExpiredToken = ErrAccessDenied.WithDetail("expired token")
	// ErrPasswordLen is returned when a password does not meet length requirements
	ErrPasswordLen = api.ErrBadRequest.WithDetail("invalid password length")
	// ErrPasswordComplexity is returned if the password does not meet complexity requirements
	ErrPasswordComplexity = api.ErrBadRequest.WithDetail("password does not meet complexity requirements")
	// ErrPasswordResuse is returned if the password does not meet the reuse constraints
	ErrPasswordResuse = api.ErrBadRequest.WithDetail("password has been used before")
	// ErrPasswordExpired is returned when the password has expired
	ErrPasswordExpired = api.ErrBadRequest.WithDetail("password has expired")
	// ErrInvalidInviteCode is returned when an invitation code is bad
	ErrInvalidInviteCode = api.ErrBadRequest.WithDetail("invite code is invalid")
)
var (
	// DefaultCodeChallengeMethod is the only challenge method
	// NOTE(review): PKCEChallengeMethodNone is also declared, so "only" presumably
	// means the method used when none is supplied — confirm. This is a plain
	// string, not a PKCEChallengeMethod, though its value matches PKCEChallengeMethodS256.
	DefaultCodeChallengeMethod = "S256"
)
var (
	// Scopes is the list of all oauth scopes
	// verify scopes have special use and should not be granted to users implicitly
	// NOTE(review): ScopeSession and ScopePassword are declared but not listed here;
	// confirm that omission is intended before treating this as "all" scopes.
	Scopes = Scope{
		ScopeOpenID,
		ScopeProfile,
		ScopeProfileWrite,
		ScopeOfflineAccess,
		ScopeAddress,
		ScopeEmail,
		ScopeEmailVerify,
		ScopePhone,
		ScopePhoneVerify,
		ScopeTokenRead,
		ScopeTokenRevoke,
	}
)
Functions ¶
func ApiSwaggerV1OauthSwaggerYaml ¶
func ApiSwaggerV1OauthSwaggerYaml() (*asset, error)
func Asset ¶
Asset loads and returns the asset for the given name. It returns an error if the asset could not be found or could not be loaded.
func AssetDir ¶
AssetDir returns the file names below a certain directory embedded in the file by go-bindata. For example if you run go-bindata on data/... and data contains the following hierarchy:
data/
foo.txt
img/
a.png
b.png
then AssetDir("data") would return []string{"foo.txt", "img"} AssetDir("data/img") would return []string{"a.png", "b.png"} AssetDir("foo.txt") and AssetDir("notexist") would return an error AssetDir("") will return []string{"data"}.
func AssetInfo ¶
AssetInfo loads and returns the asset info for the given name. It returns an error if the asset could not be found or could not be loaded.
func Authorizer ¶
func Authorizer(opts ...AuthorizerOption) api.Authorizer
Authorizer returns an oauth api.Authorizer
func ClientCredentials ¶
func ClientCredentials(config clientcredentials.Config, secure bool) (credentials.PerRPCCredentials, error)
ClientCredentials returns the per-RPC client credentials for hiro, built from the given client credentials config.
func MustAsset ¶
MustAsset is like Asset but panics when Asset would return an error. It simplifies safe initialization of global variables.
func RestoreAsset ¶
RestoreAsset restores an asset under the given directory
func RestoreAssets ¶
RestoreAssets restores an asset under the given directory recursively
Types ¶
type Audience ¶
type Audience interface {
	// ID returns the audience id as a string
	ID() string
	// Name returns the audience name
	Name() string
	// Secrets returns the token secrets for the audience; implementations should rotate the secrets
	Secrets() []TokenSecret
	// Permissions returns the full set of audience permissions
	Permissions() Scope
	// RefreshTokenLifetime returns the duration a refresh token should last
	RefreshTokenLifetime() time.Duration
}
Audience is the common oauth audience interface
type AuthorizeParams ¶
type AuthorizeParams struct {
AppURI URI `json:"app_uri"`
Audience string `json:"audience"`
ClientID string `json:"client_id"`
CodeChallenge PKCEChallenge `json:"code_challenge"`
CodeChallengeMethod *PKCEChallengeMethod `json:"code_challenge_method"`
RedirectURI *URI `json:"redirect_uri"`
ResponseType string `json:"response_type"`
Scope Scope `json:"scope"`
State *string `json:"state"`
}
AuthorizeParams contains all the bound params for the authorize operation
func (AuthorizeParams) Validate ¶
func (p AuthorizeParams) Validate() error
Validate validates the params
type AuthorizeRoute ¶
type AuthorizeRoute func(ctx context.Context, params *AuthorizeParams) api.Responder
AuthorizeRoute is the authorize route handler
func (AuthorizeRoute) Methods ¶
func (AuthorizeRoute) Methods() []string
Methods implements api.Route
func (AuthorizeRoute) Validate ¶
func (AuthorizeRoute) Validate(params validation.Validatable) error
Validate implements validation.Validatable
type AuthorizerOption ¶
type AuthorizerOption func(a *authorizer)
AuthorizerOption is an authorizer option
func WithPermitQueryBearer ¶
func WithPermitQueryBearer(permit bool) AuthorizerOption
WithPermitQueryBearer allows full bearer tokens to be passed in the query string. Query strings are commonly recorded in server and proxy logs and in browser history, so enable this only where that exposure is acceptable.
func WithPermitQueryToken ¶
func WithPermitQueryToken(permit bool) AuthorizerOption
WithPermitQueryToken allows token ids (rather than full bearer tokens) to be passed in the query string, supporting persistent tokens.
type BearerToken ¶
type BearerToken struct {
	// The token to be used for authorization
	AccessToken string `json:"access_token"`
	// The time from `now` that the token expires
	// (units are not shown here; presumably seconds as in RFC 6749 — confirm)
	ExpiresIn int64 `json:"expires_in"`
	// The identity token contains claims about the user's identity. This token is
	// returned if the `openid` scope was granted.
	// If the `profile` scope was granted, this will contain the user profile.
	// These scopes are outside of the context of this library, it is up to the
	// provider to maintain these scopes.
	IdentityToken string `json:"id_token,omitempty"`
	// The refresh token may be used to generate a new access token so client
	// and user credentials do not have to traverse the wire again.
	// It is provided if the `offline_access` scope is requested.
	// This scope is outside of the context of this library; it is up to the
	// provider to maintain it.
	RefreshToken *string `json:"refresh_token,omitempty"`
	// The token type, always Bearer
	TokenType string `json:"token_type"`
}
BearerToken BearerTokens are returned by the `/token` method. These tokens always include an `access_token` which can be used to access api methods from a related service. These are the only objects managed by the api itself. The integration is expected to implement the `oauth.Controller` interface.
func NewBearer ¶
func NewBearer(secret TokenSecret, tokens ...Token) (*BearerToken, error)
NewBearer creates a bearer from the tokens
type Claims ¶
type Claims map[string]interface{}
Claims is a generic map of token claims that may represent a jwt
type Client ¶
type Client interface {
// ClientID returns the client id
ClientID() string
// Type returns the client type
Type() ClientType
// Authorize authorizes the client for the specified grants, uris, and scopes
// Used for authorization_code flows
Authorize(ctx context.Context, aud Audience, grant GrantType, uris []URI, scopes ...Scope) error
}
Client is an oauth client interface
type ClientType ¶
type ClientType string
ClientType is an oauth client type
const (
	// ClientTypeWeb defines a web based client type
	// Web based clients are restricted from passing client_secret values
	// and using password grants
	ClientTypeWeb ClientType = "web"
	// ClientTypeNative defines a native application client type
	ClientTypeNative ClientType = "native"
	// ClientTypeMachine defines a machine to machine client type
	ClientTypeMachine ClientType = "machine"
)
func (ClientType) Validate ¶
func (c ClientType) Validate() error
Validate handles validation for ClientType
type Controller ¶
type Controller interface {
	// AudienceGet returns an audience by id or name
	AudienceGet(ctx context.Context, id string) (Audience, error)
	// ClientGet gets the client from the controller and, when a secret is supplied, verifies it
	ClientGet(ctx context.Context, id string, secret ...string) (Client, error)
	// RequestTokenCreate creates a new authentication request token using the controller
	// (the returned string is presumably the token id accepted by RequestTokenGet — confirm)
	RequestTokenCreate(ctx context.Context, req RequestToken) (string, error)
	// RequestTokenGet looks up a request by id from the controller
	RequestTokenGet(ctx context.Context, id string, t ...RequestTokenType) (RequestToken, error)
	// RequestTokenDelete deletes a request token by id
	RequestTokenDelete(ctx context.Context, id string) error
	// UserGet gets a user object by subject identifier or login
	UserGet(ctx context.Context, sub string) (User, error)
	// UserAuthenticate authenticates a user and returns a principal object
	UserAuthenticate(ctx context.Context, login, password string) (User, error)
	// UserSetPassword sets the user's password
	UserSetPassword(ctx context.Context, sub, password string) error
	// UserCreate creates a user using the request which can either be the authorize or an invite token
	UserCreate(ctx context.Context, login string, password *string, req RequestToken) (User, error)
	// UserUpdate updates a user's profile
	UserUpdate(ctx context.Context, sub string, profile *openid.Profile) error
	// UserNotify should create an email or sms with the verification link or code for the user
	UserNotify(ctx context.Context, note Notification) error
	// UserLockout should lock a user for the specified time or default
	UserLockout(ctx context.Context, sub string, until ...time.Time) (time.Time, error)
	// TokenCreate creates a new token and allows the controller to add custom claims
	TokenCreate(ctx context.Context, token Token) (Token, error)
	// TokenGet gets a token by id
	TokenGet(ctx context.Context, id string, use ...TokenUse) (Token, error)
	// TokenRevoke revokes a token by id
	TokenRevoke(ctx context.Context, id string) error
	// TokenRevokeAll will remove all tokens for a subject
	TokenRevokeAll(ctx context.Context, sub string, uses ...TokenUse) error
	// TokenCleanup should remove any expired or revoked tokens from the store
	TokenCleanup(ctx context.Context) error
}
Controller defines an oauth server controller interface
type ControllerProxy ¶ added in v0.1.1
type ControllerProxy interface {
OAuthController() Controller
}
ControllerProxy is implemented by types that can return an oauth Controller
type ErrTooManyLoginAttempts ¶
type ErrTooManyLoginAttempts struct {
api.ErrorResponse
Attempts int
}
ErrTooManyLoginAttempts is returned when the allowed number of login attempts has been exceeded
func NewErrTooManyLoginAttempts ¶
func NewErrTooManyLoginAttempts(attempts int) *ErrTooManyLoginAttempts
NewErrTooManyLoginAttempts creates a new too many login attempts error
func (ErrTooManyLoginAttempts) WithError ¶
func (e ErrTooManyLoginAttempts) WithError(err error) api.ErrorResponse
WithError implements part of the api.ErrorResponse interface
type GrantList ¶
type GrantList []GrantType
GrantList is a list of grants
type GrantType ¶
type GrantType string
GrantType is an oauth grant type
const (
	// GrantTypeNone is used to filter Authorization parameters
	GrantTypeNone GrantType = "none"
	// GrantTypeAuthCode is the authorization_code grant type
	GrantTypeAuthCode GrantType = "authorization_code"
	// GrantTypeClientCredentials is the client_credentials grant type
	GrantTypeClientCredentials GrantType = "client_credentials"
	// GrantTypePassword is the password grant type
	// (web clients are restricted from using it; see ClientTypeWeb)
	GrantTypePassword GrantType = "password"
	// GrantTypeRefreshToken is the refresh_token grant type
	GrantTypeRefreshToken GrantType = "refresh_token"
)
type Grants ¶
Grants is a mapping of grants to audience
type ID ¶
type ID interface {
String() string
}
ID is a simple id interface used to abstract from the controller interfaces
type JWKSInput ¶
type JWKSInput struct {
Audience string `json:"audience_id"`
}
JWKSInput is the input for the jwks route
type LoginParams ¶
type LoginParams struct {
Login string `json:"login"`
Password string `json:"password"`
RequestToken string `json:"request_token"`
CodeVerifier string `json:"code_verifier"`
}
LoginParams contains all the bound params for the login operation
type LoginRoute ¶
type LoginRoute func(ctx context.Context, params *LoginParams) api.Responder
LoginRoute is the login route handler
type LogoutParams ¶
type LogoutParams struct {
Audience string `json:"audience"`
ClientID string `json:"client_id"`
RedirectURI *URI `json:"redirect_uri"`
PostLogoutRedirectURI *URI `json:"post_logout_redirect_uri,omitempty"`
State *string `json:"state"`
}
LogoutParams are the params to log a user out
type LogoutRoute ¶
type LogoutRoute func(ctx context.Context, params *LogoutParams) api.Responder
LogoutRoute is the logout route handler
type Notification ¶
type Notification interface {
Type() NotificationType
Subject() string
Channels() []NotificationChannel
URI() *URI
}
Notification is a simple notification interface
type NotificationChannel ¶
type NotificationChannel string
NotificationChannel is the channel to notify
type OIDConfigInput ¶
type OIDConfigInput struct {
Audience string `json:"audience_id"`
}
OIDConfigInput is the input for the openid-configuration route
type OpenIDConfigRoute ¶
type OpenIDConfigRoute func(ctx context.Context, params *OIDConfigInput) api.Responder
OpenIDConfigRoute is the openid-configuration route
func (OpenIDConfigRoute) Methods ¶
func (OpenIDConfigRoute) Methods() []string
Methods implements api.Route
type PKCEChallenge ¶
type PKCEChallenge string
PKCEChallenge is a PKCE challenge code
func (PKCEChallenge) Verify ¶
func (c PKCEChallenge) Verify(v string) error
Verify verifies the challenge against the base64 encoded verifier
type PKCEChallengeMethod ¶
type PKCEChallengeMethod string
PKCEChallengeMethod defines a code challenge method
const (
	// PKCEChallengeMethodNone is used to specify no challenge
	PKCEChallengeMethodNone PKCEChallengeMethod = "none"
	// PKCEChallengeMethodS256 is a sha-256 code challenge method
	// (same value as DefaultCodeChallengeMethod)
	PKCEChallengeMethodS256 PKCEChallengeMethod = "S256"
)
func (PKCEChallengeMethod) String ¶
func (c PKCEChallengeMethod) String() string
func (PKCEChallengeMethod) Validate ¶
func (c PKCEChallengeMethod) Validate() error
Validate validates the CodeChallengeMethod
type PasswordCreateParams ¶
type PasswordCreateParams struct {
Login string `json:"login"`
Notify []NotificationChannel `json:"notify"`
Type PasswordType `json:"type"`
RequestToken string `json:"request_token"`
RedirectURI *URI `json:"redirect_uri,omitempty"`
CodeVerifier string `json:"code_verifier"`
}
PasswordCreateParams is the input to the password create route
func (PasswordCreateParams) Validate ¶
func (p PasswordCreateParams) Validate() error
Validate validates PasswordCreateParams
type PasswordCreateRoute ¶
type PasswordCreateRoute func(ctx context.Context, params *PasswordCreateParams) api.Responder
PasswordCreateRoute is the password create handler
func (PasswordCreateRoute) Methods ¶
func (PasswordCreateRoute) Methods() []string
Methods implements api.Route
func (PasswordCreateRoute) Name ¶
func (PasswordCreateRoute) Name() string
Name implements api.Route
func (PasswordCreateRoute) Path ¶
func (PasswordCreateRoute) Path() string
Path implements api.Route
type PasswordNotification ¶
type PasswordNotification interface {
Notification
PasswordType() PasswordType
Code() string
}
PasswordNotification is a password notification interface
type PasswordType ¶
type PasswordType string
PasswordType defines a password type
const (
	// PasswordTypeLink is a magic password link
	PasswordTypeLink PasswordType = "link"
	// PasswordTypeCode is a one-time use password code
	PasswordTypeCode PasswordType = "code"
	// PasswordTypeReset sends both a link with the password scope and a code
	PasswordTypeReset PasswordType = "reset"
)
func (PasswordType) IsLink ¶
func (p PasswordType) IsLink() bool
IsLink returns true if it is a link type
func (PasswordType) String ¶
func (p PasswordType) String() string
func (PasswordType) Validate ¶
func (p PasswordType) Validate() error
Validate validates the PasswordType
type PasswordUpdateParams ¶
type PasswordUpdateParams struct {
Password string `json:"password"`
ResetToken string `json:"reset_token"`
RedirectURI *URI `json:"redirect_uri"`
}
PasswordUpdateParams are used by the password update route
func (PasswordUpdateParams) Validate ¶
func (p PasswordUpdateParams) Validate() error
Validate validates PasswordUpdateParams
type PasswordUpdateRoute ¶
type PasswordUpdateRoute func(ctx context.Context, params *PasswordUpdateParams) api.Responder
PasswordUpdateRoute is the password update handler
func (PasswordUpdateRoute) Methods ¶
func (PasswordUpdateRoute) Methods() []string
Methods implements api.Route
func (PasswordUpdateRoute) Name ¶
func (PasswordUpdateRoute) Name() string
Name implements api.Route
func (PasswordUpdateRoute) Path ¶
func (PasswordUpdateRoute) Path() string
Path implements api.Route
func (PasswordUpdateRoute) RequireAuth ¶
func (PasswordUpdateRoute) RequireAuth() []api.CredentialType
RequireAuth implements the api.AuthorizedRoute
func (PasswordUpdateRoute) Scopes ¶
func (PasswordUpdateRoute) Scopes() ScopeList
Scopes implements oauth.Route
type RequestToken ¶
type RequestToken struct {
ID ID
Type RequestTokenType
CreatedAt Time
Audience string
ClientID string
Subject *string
Passcode *string
Uses int
Scope Scope
ExpiresAt Time
CodeChallenge PKCEChallenge
CodeChallengeMethod PKCEChallengeMethod
AppURI *URI
RedirectURI *URI
State *string
}
RequestToken represents an oauth request used for several different flows. These tokens are generally single use and should not be exposed, other than their id.
func (RequestToken) Validate ¶
func (r RequestToken) Validate() error
Validate validates the Request
type RequestTokenType ¶
type RequestTokenType string
RequestTokenType is the request token type
const (
	// RequestTokenTypeLogin is used for login or signup routes
	RequestTokenTypeLogin RequestTokenType = "login"
	// RequestTokenTypeSession is used for sessions
	RequestTokenTypeSession RequestTokenType = "session"
	// RequestTokenTypeVerify is verification, i.e. password resets
	RequestTokenTypeVerify RequestTokenType = "verify"
	// RequestTokenTypeInvite is used for invitations
	// (see Controller.UserCreate and SignupParams.InviteToken)
	RequestTokenTypeInvite RequestTokenType = "invite"
	// RequestTokenTypeAuthCode is used to request a token
	RequestTokenTypeAuthCode RequestTokenType = "auth_code"
	// RequestTokenTypeRefreshToken is used to request a refresh token
	RequestTokenTypeRefreshToken RequestTokenType = "refresh_token"
)
type Route ¶
type Route interface {
api.AuthorizedRoute
Scopes() ScopeList
}
Route defines an oauth route that has a scope
type Scope ¶
type Scope []string
Scope is an oauth scope
func (Scope) MarshalJSON ¶
MarshalJSON handles json marshaling of this type
func (*Scope) UnmarshalText ¶
UnmarshalText handles text unmarshaling
type ScopeList ¶
type ScopeList struct {
// contains filtered or unexported fields
}
ScopeList is used to build scopes
func BuildScope ¶
BuildScope returns a []Scope from the string scope values
type ScopeSet ¶
ScopeSet represents a map between an audience and a scope
type SessionParams ¶
type SessionParams struct {
	RequestToken string `json:"request_token"`
	// NOTE(review): the tag is "redirect_ur", unlike the "redirect_uri" used by every
	// other params struct in this package; a client sending redirect_uri will leave
	// this field nil. It is a wire name, so changing it is a compatibility decision
	// rather than a cosmetic fix.
	RedirectURI *URI `json:"redirect_ur"`
	State *string `json:"state,omitempty"`
}
SessionParams is the session request parameters
func (SessionParams) Validate ¶
func (p SessionParams) Validate() error
Validate validates the SessionParams struct
type SessionRoute ¶
type SessionRoute func(ctx context.Context, params *SessionParams) api.Responder
SessionRoute is the session handler
func (SessionRoute) RequireAuth ¶
func (SessionRoute) RequireAuth() []api.CredentialType
RequireAuth implements the api.AuthorizedRoute
type SignupParams ¶
type SignupParams struct {
Login string `json:"login"`
Password *string `json:"password,omitempty"`
InviteToken *string `json:"invite_token,omitempty"`
RequestToken string `json:"request_token"`
CodeVerifier string `json:"code_verifier"`
}
SignupParams are used in the signup route
func (SignupParams) Validate ¶
func (p SignupParams) Validate() error
Validate validates SignupParams
type SignupRoute ¶
type SignupRoute func(ctx context.Context, params *SignupParams) api.Responder
SignupRoute is the signup handler
type SpecGetInput ¶
SpecGetInput is the input for spec get method
type SpecRoute ¶
type SpecRoute func(ctx context.Context, params *SpecGetInput) api.Responder
SpecRoute is the swagger spec route handler
type Time ¶
Time is a time structure used for tokens
func (Time) MarshalJSON ¶
MarshalJSON marshals the time to an epoch
type Token ¶
type Token struct {
	// JWT id (`jti`)
	ID string `json:"jti,omitempty"`
	// Issuer (`iss`)
	Issuer *URI `json:"iss,omitempty"`
	// Subject (`sub`)
	Subject *string `json:"sub,omitempty"`
	// Audience (`aud`)
	Audience string `json:"aud,omitempty"`
	// Authorized party (`azp`)
	ClientID string `json:"azp,omitempty"`
	// Token use (`use`)
	Use TokenUse `json:"use,omitempty"`
	// Time of user authentication (`auth_time`)
	AuthTime *Time `json:"auth_time,omitempty"`
	// Granted scope (`scope`)
	Scope Scope `json:"scope,omitempty"`
	// Issued-at time (`iat`)
	IssuedAt Time `json:"iat,omitempty"`
	// Expiry (`exp`)
	ExpiresAt *Time `json:"exp,omitempty"`
	// The remaining fields are excluded from JSON encoding (`json:"-"`), i.e. they
	// are server-side state; presumably they never appear in a signed token — confirm
	// against Sign.
	Revokable bool `json:"-"`
	RevokedAt *Time `json:"-"`
	Claims Claims `json:"-"`
	Bearer *string `json:"-"`
}
Token represents a revokable set of claims
func ParseBearer ¶
func ParseBearer(bearer string, keyFn func(kid string, c Claims) (TokenSecret, error)) (Token, error)
ParseBearer parses the jwt bearer string into a Token, using keyFn to look up the TokenSecret for the token's key id and claims
func TokenFromClaims ¶
TokenFromClaims parse the claims into a Token
func (Token) AuthClaims ¶
AuthClaims implements the api.Principal interface
func (Token) CredentialType ¶
func (t Token) CredentialType() api.CredentialType
CredentialType implements the api.Principal interface
func (Token) Credentials ¶
Credentials implements the api.Principal interface
func (Token) Sign ¶
func (t Token) Sign(s TokenSecret) (string, error)
Sign generates an encoded and signed token using the secret
func (Token) Type ¶
func (t Token) Type() api.PrincipalType
Type implements the api.Principal interface
type TokenAlgorithm ¶
type TokenAlgorithm string
TokenAlgorithm is a token algorithm type
const (
	// TokenLifetimeMinimum is the minimum token lifetime
	TokenLifetimeMinimum = time.Minute
	// TokenAlgorithmRS256 is the RSA 256 token algorithm
	TokenAlgorithmRS256 TokenAlgorithm = "RS256"
	// TokenAlgorithmHS256 is the HMAC with SHA-256 token algorithm
	TokenAlgorithmHS256 TokenAlgorithm = "HS256"
	// TokenAlgorithmNone is used for updating other parameters
	// (an empty string, not the JWT "none" algorithm; see ErrUnsupportedAlogrithm
	// for how the Authorizer reports an unsupported signing algorithm)
	TokenAlgorithmNone TokenAlgorithm = ""
)
func (TokenAlgorithm) Ptr ¶
func (a TokenAlgorithm) Ptr() *TokenAlgorithm
Ptr returns a pointer to the algorithm
func (TokenAlgorithm) String ¶
func (a TokenAlgorithm) String() string
func (TokenAlgorithm) Validate ¶
func (a TokenAlgorithm) Validate() error
Validate handles validation for TokenAlgorithm types
type TokenIntrospectParams ¶
type TokenIntrospectParams struct {
Token string `json:"token"`
}
TokenIntrospectParams is the parameters for token introspect
func (TokenIntrospectParams) Validate ¶
func (p TokenIntrospectParams) Validate() error
Validate handles the validation for the TokenIntrospectParams struct
type TokenIntrospectRoute ¶
type TokenIntrospectRoute func(ctx context.Context, params *TokenIntrospectParams) api.Responder
TokenIntrospectRoute is the openid token introspection route
func (TokenIntrospectRoute) Methods ¶
func (TokenIntrospectRoute) Methods() []string
Methods implements api.Route
func (TokenIntrospectRoute) Name ¶
func (TokenIntrospectRoute) Name() string
Name implements api.Route
func (TokenIntrospectRoute) Path ¶
func (TokenIntrospectRoute) Path() string
Path implements api.Route
func (TokenIntrospectRoute) RequireAuth ¶
func (TokenIntrospectRoute) RequireAuth() []api.CredentialType
RequireAuth implements the api.AuthorizedRoute
func (TokenIntrospectRoute) Scopes ¶
func (TokenIntrospectRoute) Scopes() ScopeList
Scopes implements oauth.Route
type TokenParams ¶
type TokenParams struct {
	ClientID string `json:"client_id"`
	Audience *string `json:"audience,omitempty"`
	// Web based clients are restricted from passing client_secret values (see ClientTypeWeb)
	ClientSecret *string `json:"client_secret"`
	GrantType GrantType `json:"grant_type"`
	// Presumably used with GrantTypeAuthCode — confirm
	Code *string `json:"code,omitempty"`
	// Presumably used with GrantTypeRefreshToken — confirm
	RefreshToken *string `json:"refresh_token,omitempty"`
	Scope Scope `json:"scope,omitempty"`
	RedirectURI *URI `json:"redirect_uri,omitempty"`
	// PKCE verifier; see PKCEChallenge.Verify
	CodeVerifier *string `json:"code_verifier,omitempty"`
}
TokenParams is the parameters for the token request
func (TokenParams) Validate ¶
func (p TokenParams) Validate() error
Validate handles the validation for the TokenParams struct
type TokenRevokeParams ¶
type TokenRevokeParams struct {
Token string `json:"token"`
}
TokenRevokeParams is the parameters for token revoke
func (TokenRevokeParams) Validate ¶
func (p TokenRevokeParams) Validate() error
Validate handles the validation for the TokenRevokeParams struct
type TokenRevokeRoute ¶
type TokenRevokeRoute func(ctx context.Context, params *TokenRevokeParams) api.Responder
TokenRevokeRoute is the openid token revoke route
func (TokenRevokeRoute) Methods ¶
func (TokenRevokeRoute) Methods() []string
Methods implements api.Route
func (TokenRevokeRoute) RequireAuth ¶
func (TokenRevokeRoute) RequireAuth() []api.CredentialType
RequireAuth implements the api.AuthorizedRoute
func (TokenRevokeRoute) Scopes ¶
func (TokenRevokeRoute) Scopes() ScopeList
Scopes implements oauth.Route
type TokenRoute ¶
type TokenRoute func(ctx context.Context, params *TokenParams) api.Responder
TokenRoute is the token route
type TokenSecret ¶
type TokenSecret interface {
	// ID identifies the secret (presumably the key id passed to ParseBearer's keyFn — confirm)
	ID() string
	// Algorithm returns the signing algorithm the secret is used with
	Algorithm() TokenAlgorithm
	// Key returns the key material used by Sign (see Token.Sign and Claims.Sign)
	Key() interface{}
	// VerifyKey returns the key material used to verify a signature
	// (presumably the public half for RS256 and the shared secret for HS256 — confirm)
	VerifyKey() interface{}
	// ExpiresAt returns when the secret expires, or nil
	ExpiresAt() *time.Time
}
TokenSecret is a token secret interface
type URIList ¶
type URIList []URI
URIList is a list of uris
func MakeURIList ¶
MakeURIList returns a URIList from the string uris
func (URIList) MarshalJSON ¶
MarshalJSON handles json marshaling of this type
type User ¶
type User interface {
	// Subject is the user subject identifier
	Subject() string
	// Profile returns the user's openid profile claims
	// NOTE(review): the original comment said "filtering on the provided scope", but
	// the method takes no scope — confirm whether filtering happens in the caller
	Profile() *openid.Profile
	// Permissions returns the user's permissions for the specified audience
	Permissions(aud Audience) Scope
}
User is an oauth user interface
type UserInfoParams ¶
type UserInfoParams struct{}
UserInfoParams are the params for user info
func (UserInfoParams) Validate ¶
func (p UserInfoParams) Validate() error
Validate validates the params
type UserInfoRoute ¶
type UserInfoRoute func(ctx context.Context, params *UserInfoParams) api.Responder
UserInfoRoute is the user info route
func (UserInfoRoute) RequireAuth ¶
func (UserInfoRoute) RequireAuth() []api.CredentialType
RequireAuth implements the api.AuthorizedRoute
type UserInfoUpdateParams ¶
UserInfoUpdateParams are the params to update the user profile
func (UserInfoUpdateParams) Validate ¶
func (p UserInfoUpdateParams) Validate() error
Validate validates the params
type UserInfoUpdateRoute ¶
type UserInfoUpdateRoute func(ctx context.Context, params *UserInfoUpdateParams) api.Responder
UserInfoUpdateRoute is the user info update route
func (UserInfoUpdateRoute) Methods ¶
func (UserInfoUpdateRoute) Methods() []string
Methods implements api.Route
func (UserInfoUpdateRoute) Name ¶
func (UserInfoUpdateRoute) Name() string
Name implements api.Route
func (UserInfoUpdateRoute) Path ¶
func (UserInfoUpdateRoute) Path() string
Path implements api.Route
func (UserInfoUpdateRoute) RequireAuth ¶
func (UserInfoUpdateRoute) RequireAuth() []api.CredentialType
RequireAuth implements the api.AuthorizedRoute
func (UserInfoUpdateRoute) Scopes ¶
func (UserInfoUpdateRoute) Scopes() ScopeList
Scopes implements oauth.Route
type VerificationNotification ¶
type VerificationNotification interface {
Notification
}
VerificationNotification is a user verification notification
type VerifyParams ¶
type VerifyParams struct {
RedirectURI *URI `json:"redirect_uri"`
State *string `json:"state,omitempty"`
}
VerifyParams are the params for user verify
type VerifyRoute ¶
type VerifyRoute func(ctx context.Context, params *VerifyParams) api.Responder
VerifyRoute is the verify route
func (VerifyRoute) RequireAuth ¶
func (VerifyRoute) RequireAuth() []api.CredentialType
RequireAuth implements the api.AuthorizedRoute
type VerifySendParams ¶
type VerifySendParams struct {
Method NotificationChannel `json:"method"`
}
VerifySendParams are the params for the verification send method
func (VerifySendParams) Validate ¶
func (p VerifySendParams) Validate() error
Validate validates the params
type VerifySendRoute ¶
type VerifySendRoute func(ctx context.Context, params *VerifySendParams) api.Responder
VerifySendRoute is the verify send route
func (VerifySendRoute) Methods ¶
func (VerifySendRoute) Methods() []string
Methods implements api.Route
func (VerifySendRoute) RequireAuth ¶
func (VerifySendRoute) RequireAuth() []api.CredentialType
RequireAuth implements the api.AuthorizedRoute
func (VerifySendRoute) Scopes ¶
func (VerifySendRoute) Scopes() ScopeList
Scopes implements oauth.Route
Source Files
- assets.go
- audience.go
- authorizer.go
- bearer_token.go
- claims.go
- client.go
- controller.go
- errors.go
- grant.go
- id.go
- notification.go
- oauth.go
- pkce.go
- request_token.go
- route.go
- route_authorize.go
- route_login.go
- route_logout.go
- route_openid.go
- route_password.go
- route_session.go
- route_signup.go
- route_swagger.go
- route_token.go
- route_userinfo.go
- route_verify.go
- routes.go
- rpc.go
- scope.go
- time.go
- token.go
- token_secret.go
- uri.go
- user.go