Variables ¶
var (
	// AutoApproveForTests is exported, mutable package-level state.
	// NOTE(review): the name suggests it short-circuits an approval step in
	// the authorization flow; confirm it is only ever set from test code and
	// is not reachable from a production configuration path.
	AutoApproveForTests = false
)
Types ¶
type Config ¶
type Config struct {
	// DiscoveryURL is the discovery URL of the OIDC provider. If set, it
	// is used to discover the values of AuthEndpoint and TokenEndpoint.
	DiscoveryURL string
	// AuthEndpoint is the authorization endpoint. It must be set only if
	// DiscoveryURL is not set.
	AuthEndpoint string
	// Scopes is the list of scopes to request. The default list is:
	// openid, email.
	Scopes []string
	// TokenEndpoint is the token endpoint. It must be set only if
	// DiscoveryURL is not set.
	TokenEndpoint string
	// UserinfoEndpoint is the userinfo endpoint. It must be set only if
	// DiscoveryURL is not set and the token endpoint doesn't return an
	// ID token.
	UserinfoEndpoint string
	// RedirectURL is the OAuth2 redirect URL. It must be managed by the
	// proxy.
	RedirectURL string
	// ClientID is the Client ID.
	ClientID string
	// ClientSecret is the Client Secret. It is credential material: keep
	// it out of logs, error messages, and any serialized form of Config.
	ClientSecret string
	// HostedDomain specifies that the HD param should be used.
	// https://developers.google.com/identity/openid-connect/openid-connect#hd-param
	// NOTE(review): the hd parameter is only a hint on the authorization
	// request; whether the hd claim of the returned token is also checked
	// is not visible here — confirm before relying on it for access control.
	HostedDomain string
}
Config contains the parameters of an OIDC provider.
type CookieManager ¶
type CookieManager interface {
	// SetAuthTokenCookie issues the auth token cookie on w for the
	// identified user. extraClaims are presumably embedded in the token
	// alongside userID, email and sessionID — confirm with the implementation.
	SetAuthTokenCookie(w http.ResponseWriter, req *http.Request, userID, email, sessionID, host string, extraClaims map[string]any) error
	// SetNonce stores nonce in a cookie on w.
	SetNonce(w http.ResponseWriter, nonce string)
	// Nonce returns the nonce previously stored with SetNonce. It takes w
	// as well as req, so the implementation may also clear or refresh the
	// cookie — confirm what it does when no nonce is present.
	Nonce(w http.ResponseWriter, req *http.Request) string
	// ClearCookies removes the cookies managed by this CookieManager from w.
	ClearCookies(w http.ResponseWriter) error
}
CookieManager is the interface to set and clear the auth token.
type EventRecorder ¶
type EventRecorder interface {
	// Record records a single event identified by the given string.
	Record(string)
}
EventRecorder is used to record events.
type ProviderClient ¶ added in v0.0.29
type ProviderClient struct {
	// contains filtered or unexported fields
	// All fields are unexported; obtain an instance through New.
}
ProviderClient handles the OIDC authorization code flow, based on the information at https://developers.google.com/identity/openid-connect/openid-connect and https://developers.facebook.com/docs/facebook-login/guides/advanced/oidc-token/
func New ¶
func New(cfg Config, er EventRecorder, cm CookieManager) (*ProviderClient, error)
New returns a new ProviderClient.
func (*ProviderClient) HandleCallback ¶ added in v0.0.29
func (p *ProviderClient) HandleCallback(w http.ResponseWriter, req *http.Request)
func (*ProviderClient) RequestLogin ¶ added in v0.0.29
func (p *ProviderClient) RequestLogin(w http.ResponseWriter, req *http.Request, originalURL string, opts ...idp.Option)
type ProviderServer ¶ added in v0.0.29
type ProviderServer struct {
	// contains filtered or unexported fields
	// All fields are unexported; obtain an instance through NewServer.
}
ProviderServer is an OpenID Connect server implementation. See https://openid.net/specs/openid-connect-discovery-1_0.html and https://openid.net/specs/openid-connect-basic-1_0.html
func NewServer ¶ added in v0.0.29
func NewServer(opts ServerOptions) *ProviderServer
NewServer returns a new ProviderServer.
func (*ProviderServer) AuthorizeClient ¶ added in v0.20.0
func (s *ProviderServer) AuthorizeClient(clientID, email string) bool
func (*ProviderServer) ServeAuthorization ¶ added in v0.0.29
func (s *ProviderServer) ServeAuthorization(w http.ResponseWriter, req *http.Request)
func (*ProviderServer) ServeConfig ¶ added in v0.0.29
func (s *ProviderServer) ServeConfig(w http.ResponseWriter, req *http.Request)
func (*ProviderServer) ServeDeviceAuthorization ¶ added in v0.20.0
func (s *ProviderServer) ServeDeviceAuthorization(w http.ResponseWriter, req *http.Request)
func (*ProviderServer) ServeDeviceVerification ¶ added in v0.20.0
func (s *ProviderServer) ServeDeviceVerification(w http.ResponseWriter, req *http.Request)
func (*ProviderServer) ServeToken ¶ added in v0.0.29
func (s *ProviderServer) ServeToken(w http.ResponseWriter, req *http.Request)
func (*ProviderServer) ServeUserInfo ¶ added in v0.0.29
func (s *ProviderServer) ServeUserInfo(w http.ResponseWriter, req *http.Request)
type RewriteRule ¶ added in v0.0.29
RewriteRule is used to apply a regular expression on an existing JWT claim to create or overwrite another claim, or possibly the same claim.
type ServerOptions ¶ added in v0.0.29
type ServerOptions struct {
	// CookieManager manages the server's cookies. Note that this is the
	// concrete *cookiemanager.CookieManager, not the CookieManager interface
	// accepted by New for the client side.
	CookieManager *cookiemanager.CookieManager
	// PathPrefix is presumably prepended to the paths the server serves
	// under — confirm against NewServer.
	PathPrefix string
	// TokenLifetime is the lifetime of the tokens the server issues.
	TokenLifetime time.Duration
	// ACLMatcher reports whether email is allowed by the given acl.
	// NOTE(review): confirm how NewServer treats a nil ACLMatcher; a
	// fail-open default would let every email through AuthorizeClient.
	ACLMatcher func(acl []string, email string) bool
	// GroupsForEmail returns the groups the given email belongs to.
	GroupsForEmail func(string) []string
	// Clients lists the OIDC clients this server accepts.
	Clients []Client
	// Scopes lists the scopes the server supports — confirm whether it is
	// advertised, enforced, or both.
	Scopes []string
	// RewriteRules are the claim rewrite rules applied to issued JWTs; see
	// RewriteRule.
	RewriteRules []RewriteRule
	// EventRecorder receives the events the server records.
	EventRecorder EventRecorder
	// Logger receives error messages; only Errorf is required.
	Logger interface {
		Errorf(string, ...any)
	}
}
ServerOptions contains the parameters needed to configure a ProviderServer.