oidc

package
v3.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 2, 2026 License: Apache-2.0 Imports: 32 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	GrantTypeAuthorizationCode  = "authorization_code"
	GrantTypeImplicit           = "implicit"
	ResponseTypeCode            = "code"
	UserInfoResponseCachePrefix = "userinfo_response"
	AccessTokenCachePrefix      = "access_token"
	OidcTokenCachePrefix        = "oidc_token"
)

Variables

View Source 
var ErrInvalidRedirectURL = errors.New("invalid return URL")

Functions

func AppendClaimsAuthenticationRequestParameter 

func AppendClaimsAuthenticationRequestParameter(opts []oauth2.AuthCodeOption, requestedClaims map[string]*oidc.Claim) []oauth2.AuthCodeOption

AppendClaimsAuthenticationRequestParameter appends a OIDC claims authentication request parameter to `opts` with the `requestedClaims`

func FormatAccessTokenCacheKey added in v3.2.2 

func FormatAccessTokenCacheKey(sub string) string

FormatAccessTokenCacheKey returns the key which is used to store the accessToken of a user in cache

func FormatUserInfoResponseCacheKey added in v3.2.2 

func FormatUserInfoResponseCacheKey(sub string) string

FormatUserInfoResponseCacheKey returns the key which is used to store userinfo of user in cache

func GetScopesOrDefault 

func GetScopesOrDefault(scopes []string) []string

func GetTokenExpiration added in v3.3.0 

func GetTokenExpiration(claims jwt.MapClaims) time.Duration

GetTokenExpiration returns a time.Duration until the token expires

func ImplicitFlowURL 

func ImplicitFlowURL(c *oauth2.Config, state string, opts ...oauth2.AuthCodeOption) (string, error)

ImplicitFlowURL is an adaptation of oauth2.Config::AuthCodeURL() which returns a URL appropriate for an OAuth2 implicit login flow (as opposed to authorization code flow).

func InferGrantType 

func InferGrantType(oidcConf *OIDCConfiguration) string

InferGrantType infers the proper grant flow depending on the OAuth2 client config and OIDC configuration. Returns either: "authorization_code" or "implicit"

func OfflineAccess 

func OfflineAccess(scopes []string) bool

OfflineAccess returns whether or not 'offline_access' is a supported scope

Types

type ClaimsRequest 

type ClaimsRequest struct {
	IDToken map[string]*oidc.Claim `json:"id_token"`
}

type ClientApp 

type ClientApp struct {
	// contains filtered or unexported fields
}

func NewClientApp 

func NewClientApp(settings *settings.ArgoCDSettings, dexServerAddr string, dexTLSConfig *dex.DexTLSConfig, baseHRef string, cacheClient cache.CacheClient) (*ClientApp, error)

NewClientApp will register the Argo CD client app (either via Dex or external OIDC) and return an object which has HTTP handlers for handling the HTTP responses for login and callback

func (*ClientApp) CheckAndRefreshToken added in v3.3.0 

func (a *ClientApp) CheckAndRefreshToken(ctx context.Context, groupClaims jwt.MapClaims, refreshTokenThreshold time.Duration) (string, error)

func (*ClientApp) GetTokenSourceFromCache added in v3.3.0 

func (a *ClientApp) GetTokenSourceFromCache(ctx context.Context, oidcTokenCache *OidcTokenCache) (oauth2.TokenSource, error)

GetTokenSourceFromCache creates an oauth2 TokenSource from a cached oidc token. The TokenSource will be configured with an early expiration based on the refreshTokenThreshold.

func (*ClientApp) GetUpdatedOidcTokenFromCache added in v3.3.0 

func (a *ClientApp) GetUpdatedOidcTokenFromCache(ctx context.Context, subject string, sessionId string) (*oauth2.Token, error)

GetUpdatedOidcTokenFromCache fetches a token from cache and refreshes it if under the threshold for expiration. The cached token will also be updated if it is refreshed. Returns latest token or an error if the process fails.

func (*ClientApp) GetUserInfo 

func (a *ClientApp) GetUserInfo(ctx context.Context, actualClaims jwt.MapClaims, issuerURL, userInfoPath string) (jwt.MapClaims, bool, error)

GetUserInfo queries the IDP userinfo endpoint for claims

func (*ClientApp) GetValueFromEncryptedCache added in v3.3.0 

func (a *ClientApp) GetValueFromEncryptedCache(key string) (value []byte, err error)

GetValueFromEncryptedCache is a convenience method for retreiving a value from cache and decrypting it. If the cache does not contain a value for the given key, a nil value is returned. Return handling should check for error and then check for nil.

func (*ClientApp) HandleCallback 

func (a *ClientApp) HandleCallback(w http.ResponseWriter, r *http.Request)

HandleCallback is the callback handler for an OAuth2 login flow

func (*ClientApp) HandleLogin 

func (a *ClientApp) HandleLogin(w http.ResponseWriter, r *http.Request)

HandleLogin formulates the proper OAuth2 URL (auth code or implicit) and redirects the user to the IDp login & consent page

func (*ClientApp) SetGroupsFromUserInfo added in v3.2.2 

func (a *ClientApp) SetGroupsFromUserInfo(ctx context.Context, claims jwt.Claims, sessionManagerClaimsIssuer string) (jwt.MapClaims, error)

SetGroupsFromUserInfo takes a claims object and adds groups claim from userinfo endpoint if available This is required by some SSO implementations as they don't provide the groups claim in the ID token If querying the UserInfo endpoint fails, we return an error to indicate the session is invalid we assume that everywhere in argocd jwt.MapClaims is used as type for interface jwt.Claims otherwise this would cause a panic

func (*ClientApp) SetValueInEncryptedCache added in v3.3.0 

func (a *ClientApp) SetValueInEncryptedCache(key string, value []byte, expiration time.Duration) error

SetValueFromEncyrptedCache is a convenience method for encrypting a value and storing it in the cache at a given key. Cache expiration is set based on input.

type OIDCConfiguration 

type OIDCConfiguration struct {
	Issuer                 string   `json:"issuer"`
	ScopesSupported        []string `json:"scopes_supported"`
	ResponseTypesSupported []string `json:"response_types_supported"`
	GrantTypesSupported    []string `json:"grant_types_supported,omitempty"`
}

OIDCConfiguration holds a subset of interested fields from the OIDC configuration spec

func ParseConfig 

func ParseConfig(provider *gooidc.Provider) (*OIDCConfiguration, error)

ParseConfig parses the OIDC Config into the concrete datastructure

type OidcTokenCache added in v3.3.0 

type OidcTokenCache struct {
	// Redirect URL is needed for oauth2 config initialization
	RedirectURL string `json:"redirect_url"`
	// oauth2 Token
	Token *oauth2.Token `json:"token"`
	// TokenExtraIdToken captures value of id_token
	TokenExtraIdToken string `json:"token_extra_id_token"`
}

OidcTokenCache is a serialization wrapper around oauth2 provider configuration needed to generate a TokenSource

func GetOidcTokenCacheFromJSON added in v3.3.0 

func GetOidcTokenCacheFromJSON(jsonBytes []byte) (*OidcTokenCache, error)

GetOidcTokenCacheFromJSON deserializes the json representation of OidcTokenCache. The Token extra map is updated from the serialization wrapper to propagate the id_token. This will ensure that the TokenSource always retrieves a usable token.

func NewOidcTokenCache added in v3.3.0 

func NewOidcTokenCache(redirectURL string, token *oauth2.Token) *OidcTokenCache

NewOidcTokenCache initializes the struct from a redirect URL and an existing token

type Provider 

type Provider interface {
	Endpoint() (*oauth2.Endpoint, error)

	ParseConfig() (*OIDCConfiguration, error)

	Verify(ctx context.Context, tokenString string, argoSettings *settings.ArgoCDSettings) (*gooidc.IDToken, error)
}

Provider is a wrapper around go-oidc provider to also provide the following features: 1. lazy initialization/querying of the provider 2. automatic detection of change in signing keys 3. convenience function for verifying tokens We have to initialize the provider lazily since Argo CD can be an OIDC client to itself (in the case of dex reverse proxy), which presents a chicken-and-egg problem of (1) serving dex over HTTP, and (2) querying the OIDC provider (ourself) to initialize the OIDC client.

func NewOIDCProvider 

func NewOIDCProvider(issuerURL string, client *http.Client) Provider

NewOIDCProvider initializes an OIDC provider

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.