oidc

package v3.1.0
Warning: This package is not in the latest version of its module.
Published: May 20, 2026 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package oidc provides the supported, provider-neutral OIDC/JWKS bearer-token middleware.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func HealthChecker

func HealthChecker(cfg Config, client *http.Client) ports.HealthChecker

HealthChecker returns an OIDC JWKS health checker or nil when disabled.

func ResolveJWKSURL

func ResolveJWKSURL(ctx context.Context, cfg Config, client *http.Client) (string, error)

ResolveJWKSURL returns the configured JWKS URL or discovers it from OIDC metadata.

func WithSubject

func WithSubject(ctx context.Context, subj Subject) context.Context

WithSubject stores an authenticated OIDC subject in context.

Types

type ClaimRequirements

type ClaimRequirements struct {
	RequireSubject    *bool
	RequireExpiration *bool
	RequireIssuedAt   *bool
	RequireNotBefore  *bool
}

ClaimRequirements configures required JWT claims (nil preserves defaults).

type Config

type Config struct {
	Enabled      bool
	Issuer       string
	Audience     string
	DiscoveryURL string
	JWKSURL      string
	// TenantClaim maps the tenant/org claim into Subject.TenantID. Defaults to tenant_id.
	TenantClaim string
	// ScopeClaim maps the scope/permission claim into Subject.Scope. Defaults to scope.
	ScopeClaim string
	// DiscoveryHTTPClient overrides the HTTP client used for OIDC discovery.
	DiscoveryHTTPClient *http.Client
	// AllowedAlgorithms constrains JWT signing methods. Defaults to RS256.
	AllowedAlgorithms   []string
	AllowedClockSkew    time.Duration
	JWKSRefreshTimeout  time.Duration
	JWKSRefreshInterval time.Duration
	// RequiredClaims enforces presence of specific JWT claims. Defaults to sub + exp.
	RequiredClaims ClaimRequirements
	// AllowDangerousDevBypasses enables skip headers only from trusted proxies.
	AllowDangerousDevBypasses bool
	SkipHeaderEnabled         bool
	SkipHeaderName            string
	// SkipTrustedProxies configures trusted CIDRs for skip header usage.
	SkipTrustedProxies []string
}

Config controls provider-neutral OIDC token validation.
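The most security-sensitive part of this Config is the dev-bypass group: a skip header must only be honored when AllowDangerousDevBypasses and SkipHeaderEnabled are both set and the request's TCP peer falls inside one of the SkipTrustedProxies CIDRs. The following is an added, self-contained example (not the package's own code) showing how such a gate is decided. It assumes a local stand-in struct, devBypassConfig, carrying just the four skip-header fields, and hypothetical helper names parseTrustedProxies, remoteAddrIP and skipAllowed; the trust decision is made on r.RemoteAddr, never on forwarding headers, because those can be set by any client.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
)

// devBypassConfig is a hypothetical stand-in for the skip-header fields of
// the page's Config, so that this example compiles without the package.
type devBypassConfig struct {
	AllowDangerousDevBypasses bool
	SkipHeaderEnabled         bool
	SkipHeaderName            string
	SkipTrustedProxies        []string
}

// parseTrustedProxies converts CIDR strings into prefixes. Any malformed
// entry fails the whole list, so a typo cannot silently widen trust.
func parseTrustedProxies(cidrs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("trusted proxy %q: %w", c, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// remoteAddrIP extracts the TCP peer address from r.RemoteAddr. Forwarding
// headers are deliberately ignored: only the direct peer is trustworthy.
func remoteAddrIP(r *http.Request) (netip.Addr, bool) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr // no port present
	}
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return netip.Addr{}, false
	}
	return addr.Unmap(), true // normalise ::ffff:a.b.c.d to IPv4
}

// skipAllowed reports whether the skip header may bypass token validation
// for this request. Every condition must hold; anything unexpected fails closed.
func skipAllowed(cfg devBypassConfig, trusted []netip.Prefix, r *http.Request) bool {
	if !cfg.AllowDangerousDevBypasses || !cfg.SkipHeaderEnabled || cfg.SkipHeaderName == "" {
		return false
	}
	if r.Header.Get(cfg.SkipHeaderName) == "" {
		return false
	}
	ip, ok := remoteAddrIP(r)
	if !ok {
		return false
	}
	for _, p := range trusted {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample configuration and request for demonstration.
	cfg := devBypassConfig{
		AllowDangerousDevBypasses: true,
		SkipHeaderEnabled:         true,
		SkipHeaderName:            "X-Auth-Skip",
		SkipTrustedProxies:        []string{"10.0.0.0/8", "127.0.0.1/32"},
	}
	trusted, err := parseTrustedProxies(cfg.SkipTrustedProxies)
	if err != nil {
		panic(err)
	}
	req, _ := http.NewRequest(http.MethodGet, "http://example.invalid/", nil)
	req.Header.Set(cfg.SkipHeaderName, "1")
	req.RemoteAddr = "10.1.2.3:4444"
	fmt.Println("skip from 10.1.2.3:", skipAllowed(cfg, trusted, req))
	req.RemoteAddr = "203.0.113.5:5555"
	fmt.Println("skip from 203.0.113.5:", skipAllowed(cfg, trusted, req))
}
```

In production wiring the same check should sit behind the real Config, and a request that is denied here should still fall through to normal bearer-token validation rather than being rejected outright; the skip path is an addition to, not a replacement for, the token path.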

func LoadConfig

func LoadConfig(loader *config.Loader) Config

LoadConfig reads OIDC configuration from environment.

type Middleware

type Middleware struct {
	// contains filtered or unexported fields
}

Middleware validates OIDC bearer tokens and stores the subject.

func NewMiddleware

func NewMiddleware(ctx context.Context, cfg Config, log ports.Logger) (*Middleware, error)

NewMiddleware creates an OIDC middleware instance. If JWKS refresh is enabled, Close must be called or the passed context canceled on shutdown.

func (*Middleware) Close

func (m *Middleware) Close()

Close stops background JWKS refresh work, if enabled.

func (*Middleware) Handler

func (m *Middleware) Handler(next http.Handler) http.Handler

Handler returns the HTTP middleware enforcing authentication.

func (*Middleware) OptionalHandler

func (m *Middleware) OptionalHandler(next http.Handler) http.Handler

OptionalHandler attaches a subject when a valid token is present, but allows requests without authentication to continue.

type Subject

type Subject struct {
	UserID   string
	Email    string
	TenantID string
	Scope    string
	Claims   map[string]any
}

Subject contains identity information extracted from a validated OIDC token.

func SubjectFromContext

func SubjectFromContext(ctx context.Context) (Subject, bool)

SubjectFromContext retrieves the OIDC subject from context.
