The highest tagged major version is
Documentation
¶
Index ¶
- Constants
- Variables
- func CheckAudience(claims Claims, clientID string) error
- func CheckAuthTime(claims Claims, maxAge time.Duration) error
- func CheckAuthorizationContextClassReference(claims Claims, acr ACRVerifier) error
- func CheckAuthorizedParty(claims Claims, clientID string) error
- func CheckExpiration(claims Claims, offset time.Duration) error
- func CheckIssuedAt(claims Claims, maxAgeIAT, offset time.Duration) error
- func CheckIssuer(claims Claims, issuer string) error
- func CheckKey(keyID string, jws *jose.JSONWebSignature, keys ...jose.JSONWebKey) ([]byte, error, bool)
- func CheckNonce(claims Claims, nonce string) error
- func CheckSignature(ctx context.Context, token string, payload []byte, claims Claims, ...) error
- func ClaimHash(claim string, sigAlgorithm jose.SignatureAlgorithm) (string, error)
- func DecryptToken(tokenString string) (string, error)
- func NewSHACodeChallenge(code string) string
- func ParseToken(tokenString string, claims interface{}) ([]byte, error)
- func VerifyCodeChallenge(c *CodeChallenge, codeVerifier string) bool
- type ACRVerifier
- type AccessTokenClaims
- type AccessTokenRequest
- type AccessTokenResponse
- type AuthRequest
- type Claims
- type CodeChallenge
- type CodeChallengeMethod
- type DiscoveryConfiguration
- type Display
- type EndSessionRequest
- type Gender
- type GrantType
- type IDTokenClaims
- func (t *IDTokenClaims) GetAudience() []string
- func (t *IDTokenClaims) GetAuthTime() time.Time
- func (t *IDTokenClaims) GetAuthenticationContextClassReference() string
- func (t *IDTokenClaims) GetAuthorizedParty() string
- func (t *IDTokenClaims) GetExpiration() time.Time
- func (t *IDTokenClaims) GetIssuedAt() time.Time
- func (t *IDTokenClaims) GetIssuer() string
- func (t *IDTokenClaims) GetNonce() string
- func (t *IDTokenClaims) MarshalJSON() ([]byte, error)
- func (t *IDTokenClaims) SetSignature(alg jose.SignatureAlgorithm)
- func (t *IDTokenClaims) UnmarshalJSON(b []byte) error
- type JWTProfileAssertion
- type JWTTokenRequest
- func (j *JWTTokenRequest) GetAudience() []string
- func (j *JWTTokenRequest) GetAuthTime() time.Time
- func (j *JWTTokenRequest) GetAuthenticationContextClassReference() string
- func (j *JWTTokenRequest) GetAuthorizedParty() string
- func (j *JWTTokenRequest) GetClientID() string
- func (j *JWTTokenRequest) GetExpiration() time.Time
- func (j *JWTTokenRequest) GetIssuedAt() time.Time
- func (j *JWTTokenRequest) GetIssuer() string
- func (j *JWTTokenRequest) GetNonce() string
- func (j *JWTTokenRequest) GetScopes() []string
- func (j *JWTTokenRequest) GetSubject() string
- func (j *JWTTokenRequest) SetSignature(algorithm jose.SignatureAlgorithm)
- type KeySet
- type Locales
- type Prompt
- type ResponseType
- type Scopes
- type Time
- type TokenExchangeRequest
- type TokenRequest
- type TokenRequestType
- type Tokens
- type UserInfoRequest
- type Userinfo
- type UserinfoAddress
- type UserinfoEmail
- type UserinfoPhone
- type UserinfoProfile
- type Verifier
Constants ¶
View Source
const ( //ScopeOpenID defines the scope `openid` //OpenID Connect requests MUST contain the `openid` scope value ScopeOpenID = "openid" //ScopeProfile defines the scope `profile` //This (optional) scope value requests access to the End-User's default profile Claims, //which are: name, family_name, given_name, middle_name, nickname, preferred_username, //profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. ScopeProfile = "profile" //ScopeEmail defines the scope `email` //This (optional) scope value requests access to the email and email_verified Claims. ScopeEmail = "email" //ScopeAddress defines the scope `address` //This (optional) scope value requests access to the address Claim. ScopeAddress = "address" //ScopePhone defines the scope `phone` //This (optional) scope value requests access to the phone_number and phone_number_verified Claims. ScopePhone = "phone" //ScopeOfflineAccess defines the scope `offline_access` //This (optional) scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token //that grants access to the End-User's UserInfo Endpoint even when the End-User is not present (not logged in). ScopeOfflineAccess = "offline_access" //ResponseTypeCode for the Authorization Code Flow returning a code from the Authorization Server ResponseTypeCode ResponseType = "code" //ResponseTypeIDToken for the Implicit Flow returning id and access tokens directly from the Authorization Server ResponseTypeIDToken ResponseType = "id_token token" //ResponseTypeIDTokenOnly for the Implicit Flow returning only id token directly from the Authorization Server ResponseTypeIDTokenOnly ResponseType = "id_token" DisplayPage Display = "page" DisplayPopup Display = "popup" DisplayTouch Display = "touch" DisplayWAP Display = "wap" //PromptNone (`none`) disallows the Authorization Server to display any authentication or consent user interface pages. //An error (login_required, interaction_required, ...) will be returned if the user is not already authenticated or consent is needed PromptNone Prompt = "none" //PromptLogin (`login`) directs the Authorization Server to prompt the End-User for reauthentication. PromptLogin Prompt = "login" //PromptConsent (`consent`) directs the Authorization Server to prompt the End-User for consent (of sharing information). PromptConsent Prompt = "consent" //PromptSelectAccount (`select_account `) directs the Authorization Server to prompt the End-User to select a user account (to enable multi user / session switching) PromptSelectAccount Prompt = "select_account" //GrantTypeCode defines the grant_type `authorization_code` used for the Token Request in the Authorization Code Flow GrantTypeCode GrantType = "authorization_code" //GrantTypeBearer define the grant_type `urn:ietf:params:oauth:grant-type:jwt-bearer` used for the JWT Authorization Grant GrantTypeBearer GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer" //BearerToken defines the token_type `Bearer`, which is returned in a successful token response BearerToken = "Bearer" )
View Source
const (
DiscoveryEndpoint = "/.well-known/openid-configuration"
)
Variables ¶
View Source
var ( ErrParse = errors.New("parsing of request failed") ErrIssuerInvalid = errors.New("issuer does not match") ErrAudience = errors.New("audience is not valid") ErrAzpMissing = errors.New("authorized party is not set. If Token is valid for multiple audiences, azp must not be empty") ErrAzpInvalid = errors.New("authorized party is not valid") ErrSignatureMissing = errors.New("id_token does not contain a signature") ErrSignatureMultiple = errors.New("id_token contains multiple signatures") ErrSignatureUnsupportedAlg = errors.New("signature algorithm not supported") ErrSignatureInvalidPayload = errors.New("signature does not match Payload") ErrExpired = errors.New("token has expired") ErrIatInFuture = errors.New("issuedAt of token is in the future") ErrIatToOld = errors.New("issuedAt of token is to old") ErrNonceInvalid = errors.New("nonce does not match") ErrAcrInvalid = errors.New("acr is invalid") ErrAuthTimeNotPresent = errors.New("claim `auth_time` of token is missing") ErrAuthTimeToOld = errors.New("auth time of token is to old") ErrAtHash = errors.New("at_hash does not correspond to access token") )
Functions ¶
func CheckAudience ¶ added in v0.9.0
func CheckAuthorizationContextClassReference ¶ added in v0.9.0
func CheckAuthorizationContextClassReference(claims Claims, acr ACRVerifier) error
func CheckAuthorizedParty ¶ added in v0.9.0
func CheckExpiration ¶ added in v0.9.0
func CheckIssuedAt ¶ added in v0.9.0
func CheckIssuer ¶ added in v0.9.0
func CheckKey ¶ added in v0.9.0
func CheckKey(keyID string, jws *jose.JSONWebSignature, keys ...jose.JSONWebKey) ([]byte, error, bool)
func CheckNonce ¶ added in v0.9.0
func CheckSignature ¶ added in v0.9.0
func DecryptToken ¶ added in v0.9.0
func NewSHACodeChallenge ¶
func ParseToken ¶ added in v0.9.0
func VerifyCodeChallenge ¶
func VerifyCodeChallenge(c *CodeChallenge, codeVerifier string) bool
Types ¶
type ACRVerifier ¶ added in v0.9.0
ACRVerifier specifies the function to be used by the `DefaultVerifier` for validating the acr claim
func DefaultACRVerifier ¶ added in v0.9.0
func DefaultACRVerifier(possibleValues []string) ACRVerifier
DefaultACRVerifier implements `ACRVerifier` returning an error if non of the provided values matches the acr claim
type AccessTokenClaims ¶
type AccessTokenClaims struct {
Issuer string
Subject string
Audiences []string
Expiration time.Time
IssuedAt time.Time
NotBefore time.Time
JWTID string
AuthorizedParty string
Nonce string
AuthTime time.Time
CodeHash string
AuthenticationContextClassReference string
AuthenticationMethodsReferences []string
SessionID string
Scopes []string
ClientID string
AccessTokenUseNumber int
}
func (*AccessTokenClaims) MarshalJSON ¶
func (t *AccessTokenClaims) MarshalJSON() ([]byte, error)
func (*AccessTokenClaims) UnmarshalJSON ¶
func (t *AccessTokenClaims) UnmarshalJSON(b []byte) error
type AccessTokenRequest ¶
type AccessTokenRequest struct {
Code string `schema:"code"`
RedirectURI string `schema:"redirect_uri"`
ClientID string `schema:"client_id"`
ClientSecret string `schema:"client_secret"`
CodeVerifier string `schema:"code_verifier"`
}
func (*AccessTokenRequest) GrantType ¶
func (a *AccessTokenRequest) GrantType() GrantType
type AccessTokenResponse ¶
type AccessTokenResponse struct {
AccessToken string `json:"access_token,omitempty" schema:"access_token,omitempty"`
TokenType string `json:"token_type,omitempty" schema:"token_type,omitempty"`
RefreshToken string `json:"refresh_token,omitempty" schema:"refresh_token,omitempty"`
ExpiresIn uint64 `json:"expires_in,omitempty" schema:"expires_in,omitempty"`
IDToken string `json:"id_token,omitempty" schema:"id_token,omitempty"`
}
type AuthRequest ¶
type AuthRequest struct {
ID string
Scopes Scopes `schema:"scope"`
ResponseType ResponseType `schema:"response_type"`
ClientID string `schema:"client_id"`
RedirectURI string `schema:"redirect_uri"` //TODO: type
State string `schema:"state"`
Nonce string `schema:"nonce"`
Display Display `schema:"display"`
Prompt Prompt `schema:"prompt"`
MaxAge uint32 `schema:"max_age"`
UILocales Locales `schema:"ui_locales"`
IDTokenHint string `schema:"id_token_hint"`
LoginHint string `schema:"login_hint"`
ACRValues []string `schema:"acr_values"`
CodeChallenge string `schema:"code_challenge"`
CodeChallengeMethod CodeChallengeMethod `schema:"code_challenge_method"`
}
AuthRequest according to: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
func (*AuthRequest) GetRedirectURI ¶
func (a *AuthRequest) GetRedirectURI() string
GetRedirectURI returns the redirect_uri value for the ErrAuthRequest interface
func (*AuthRequest) GetResponseType ¶
func (a *AuthRequest) GetResponseType() ResponseType
GetResponseType returns the response_type value for the ErrAuthRequest interface
func (*AuthRequest) GetState ¶
func (a *AuthRequest) GetState() string
GetState returns the optional state value for the ErrAuthRequest interface
type CodeChallenge ¶
type CodeChallenge struct {
Challenge string
Method CodeChallengeMethod
}
type CodeChallengeMethod ¶
type CodeChallengeMethod string
const ( CodeChallengeMethodPlain CodeChallengeMethod = "plain" CodeChallengeMethodS256 CodeChallengeMethod = "S256" )
type DiscoveryConfiguration ¶
type DiscoveryConfiguration struct {
Issuer string `json:"issuer,omitempty"`
AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`
TokenEndpoint string `json:"token_endpoint,omitempty"`
IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"`
EndSessionEndpoint string `json:"end_session_endpoint,omitempty"`
CheckSessionIframe string `json:"check_session_iframe,omitempty"`
JwksURI string `json:"jwks_uri,omitempty"`
ScopesSupported []string `json:"scopes_supported,omitempty"`
ResponseTypesSupported []string `json:"response_types_supported,omitempty"`
ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
GrantTypesSupported []string `json:"grant_types_supported,omitempty"`
SubjectTypesSupported []string `json:"subject_types_supported,omitempty"`
IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
ClaimsSupported []string `json:"claims_supported,omitempty"`
}
type EndSessionRequest ¶ added in v0.4.0
type IDTokenClaims ¶
type IDTokenClaims struct {
Issuer string
Audiences []string
Expiration time.Time
NotBefore time.Time
IssuedAt time.Time
JWTID string
UpdatedAt time.Time
AuthorizedParty string
Nonce string
AuthTime time.Time
AccessTokenHash string
CodeHash string
AuthenticationContextClassReference string
AuthenticationMethodsReferences []string
ClientID string
Userinfo
Signature jose.SignatureAlgorithm //TODO: ???
}
func (*IDTokenClaims) GetAudience ¶ added in v0.9.0
func (t *IDTokenClaims) GetAudience() []string
func (*IDTokenClaims) GetAuthTime ¶ added in v0.9.0
func (t *IDTokenClaims) GetAuthTime() time.Time
func (*IDTokenClaims) GetAuthenticationContextClassReference ¶ added in v0.9.0
func (t *IDTokenClaims) GetAuthenticationContextClassReference() string
func (*IDTokenClaims) GetAuthorizedParty ¶ added in v0.9.0
func (t *IDTokenClaims) GetAuthorizedParty() string
func (*IDTokenClaims) GetExpiration ¶ added in v0.9.0
func (t *IDTokenClaims) GetExpiration() time.Time
func (*IDTokenClaims) GetIssuedAt ¶ added in v0.9.0
func (t *IDTokenClaims) GetIssuedAt() time.Time
func (*IDTokenClaims) GetIssuer ¶ added in v0.9.0
func (t *IDTokenClaims) GetIssuer() string
func (*IDTokenClaims) GetNonce ¶ added in v0.9.0
func (t *IDTokenClaims) GetNonce() string
func (*IDTokenClaims) MarshalJSON ¶
func (t *IDTokenClaims) MarshalJSON() ([]byte, error)
func (*IDTokenClaims) SetSignature ¶ added in v0.9.0
func (t *IDTokenClaims) SetSignature(alg jose.SignatureAlgorithm)
func (*IDTokenClaims) UnmarshalJSON ¶
func (t *IDTokenClaims) UnmarshalJSON(b []byte) error
type JWTProfileAssertion ¶ added in v0.9.0
type JWTProfileAssertion struct {
PrivateKeyID string `json:"keyId"`
PrivateKey []byte `json:"key"`
Scopes []string `json:"-"`
Issuer string `json:"-"`
Subject string `json:"userId"`
Audience []string `json:"-"`
Expiration time.Time `json:"-"`
IssuedAt time.Time `json:"-"`
}
func NewJWTProfileAssertion ¶ added in v0.9.0
func NewJWTProfileAssertion(userID, keyID string, audience []string, key []byte) *JWTProfileAssertion
func NewJWTProfileAssertionFromKeyJSON ¶ added in v0.9.0
func NewJWTProfileAssertionFromKeyJSON(filename string, audience []string) (*JWTProfileAssertion, error)
func (*JWTProfileAssertion) MarshalJSON ¶ added in v0.9.0
func (t *JWTProfileAssertion) MarshalJSON() ([]byte, error)
func (*JWTProfileAssertion) UnmarshalJSON ¶ added in v0.9.0
func (t *JWTProfileAssertion) UnmarshalJSON(b []byte) error
type JWTTokenRequest ¶ added in v0.9.0
type JWTTokenRequest struct {
Issuer string `json:"iss"`
Subject string `json:"sub"`
Scopes Scopes `json:"scope"`
Audience interface{} `json:"aud"`
IssuedAt Time `json:"iat"`
ExpiresAt Time `json:"exp"`
}
func (*JWTTokenRequest) GetAudience ¶ added in v0.9.0
func (j *JWTTokenRequest) GetAudience() []string
func (*JWTTokenRequest) GetAuthTime ¶ added in v0.9.0
func (j *JWTTokenRequest) GetAuthTime() time.Time
func (*JWTTokenRequest) GetAuthenticationContextClassReference ¶ added in v0.9.0
func (j *JWTTokenRequest) GetAuthenticationContextClassReference() string
func (*JWTTokenRequest) GetAuthorizedParty ¶ added in v0.9.0
func (j *JWTTokenRequest) GetAuthorizedParty() string
func (*JWTTokenRequest) GetClientID ¶ added in v0.9.0
func (j *JWTTokenRequest) GetClientID() string
func (*JWTTokenRequest) GetExpiration ¶ added in v0.9.0
func (j *JWTTokenRequest) GetExpiration() time.Time
func (*JWTTokenRequest) GetIssuedAt ¶ added in v0.9.0
func (j *JWTTokenRequest) GetIssuedAt() time.Time
func (*JWTTokenRequest) GetIssuer ¶ added in v0.9.0
func (j *JWTTokenRequest) GetIssuer() string
func (*JWTTokenRequest) GetNonce ¶ added in v0.9.0
func (j *JWTTokenRequest) GetNonce() string
func (*JWTTokenRequest) GetScopes ¶ added in v0.9.0
func (j *JWTTokenRequest) GetScopes() []string
func (*JWTTokenRequest) GetSubject ¶ added in v0.9.0
func (j *JWTTokenRequest) GetSubject() string
func (*JWTTokenRequest) SetSignature ¶ added in v0.9.0
func (j *JWTTokenRequest) SetSignature(algorithm jose.SignatureAlgorithm)
type KeySet ¶
type KeySet interface {
// VerifySignature parses the JSON web token, verifies the signature, and returns
// the raw payload. Header and claim fields are validated by other parts of the
// package. For example, the KeySet does not need to check values such as signature
// algorithm, issuer, and audience since the IDTokenVerifier validates these values
// independently.
//
// If VerifySignature makes HTTP requests to verify the token, it's expected to
// use any HTTP client associated with the context through ClientContext.
VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error)
}
KeySet is a set of publc JSON Web Keys that can be used to validate the signature of JSON web tokens. This is expected to be backed by a remote key set through provider metadata discovery or an in-memory set of keys delivered out-of-band.
type Locales ¶
func (*Locales) UnmarshalText ¶
type ResponseType ¶
type ResponseType string
type Time ¶ added in v0.9.0
func (*Time) UnmarshalJSON ¶ added in v0.9.0
type TokenExchangeRequest ¶
type TokenExchangeRequest struct {
Scope []string `schema:"scope"`
// contains filtered or unexported fields
}
type TokenRequest ¶
type TokenRequest interface {
// GrantType GrantType `schema:"grant_type"`
GrantType() GrantType
}
type TokenRequestType ¶
type TokenRequestType GrantType
type UserInfoRequest ¶ added in v0.4.2
type UserInfoRequest struct {
AccessToken string `schema:"access_token"`
}
type Userinfo ¶
type Userinfo struct {
Subject string
UserinfoProfile
UserinfoEmail
UserinfoPhone
Address *UserinfoAddress
Authorizations []string
// contains filtered or unexported fields
}
func (*Userinfo) MarshalJSON ¶
func (*Userinfo) UnmmarshalJSON ¶
type UserinfoAddress ¶
type UserinfoEmail ¶
type UserinfoPhone ¶
type UserinfoProfile ¶
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.