Constants ¶
const (
	// ClientAssertionType is the OAuth client assertion type for JWT bearer (RFC 7523).
	ClientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
	// FormKeyClientAssertion is the form parameter name for the JWT assertion.
	FormKeyClientAssertion = "client_assertion"
	// FormKeyClientAssertionType is the form parameter name for the assertion type.
	FormKeyClientAssertionType = "client_assertion_type"
	// DefaultAssertionLifetime is the default validity period for assertions.
	// A client assertion is a bearer credential once signed, so a short
	// window limits the replay value of a captured one.
	DefaultAssertionLifetime = 5 * time.Minute
	// AssertionRefreshMargin is how early to refresh before expiry, so a
	// cached assertion is not presented when it is about to expire.
	AssertionRefreshMargin = 30 * time.Second
)
const (
	// AuthStyleParams sends client_id and client_secret in the request body.
	AuthStyleParams = "params"
	// AuthStyleHeader sends client credentials as an HTTP Basic Authentication header.
	AuthStyleHeader = "header"
	// AuthStyleAssertion sends a signed JWT client assertion (RFC 7523),
	// built from the configured client certificate and private key files.
	AuthStyleAssertion = "assertion"
)
const (
	// StrategyEntraOBO is the strategy name for Microsoft Entra ID
	// on-behalf-of (OBO) token exchange.
	StrategyEntraOBO = "entra-obo"

	// Entra ID OBO-specific constants

	// GrantTypeJWTBearer is the grant_type value for the JWT bearer grant.
	GrantTypeJWTBearer = "urn:ietf:params:oauth:grant-type:jwt-bearer"
	// FormKeyAssertion is the form parameter name for the assertion.
	FormKeyAssertion = "assertion"
	// FormKeyRequestedUse is the form parameter name for the requested token use.
	FormKeyRequestedUse = "requested_token_use"
	// RequestedTokenUseOBO is the requested_token_use value for on-behalf-of flows.
	RequestedTokenUseOBO = "on_behalf_of"
)
const (
	// GrantTypeTokenExchange is the grant_type value for OAuth 2.0 token exchange (RFC 8693).
	GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	// TokenTypeAccessToken is the token type identifier for an OAuth access token.
	TokenTypeAccessToken = "urn:ietf:params:oauth:token-type:access_token"
	// TokenTypeJWT is the token type identifier for a JWT.
	TokenTypeJWT = "urn:ietf:params:oauth:token-type:jwt"
)
// Form parameter names used in token exchange requests.
const (
	// FormKeyGrantType is the form parameter name for the grant type.
	FormKeyGrantType = "grant_type"
	// FormKeySubjectToken is the form parameter name for the subject token.
	FormKeySubjectToken = "subject_token"
	// FormKeySubjectTokenType is the form parameter name for the subject token type.
	FormKeySubjectTokenType = "subject_token_type"
	// FormKeySubjectIssuer is the form parameter name for the subject issuer.
	FormKeySubjectIssuer = "subject_issuer"
	// FormKeyAudience is the form parameter name for the audience.
	FormKeyAudience = "audience"
	// FormKeyClientID is the form parameter name for the client ID.
	FormKeyClientID = "client_id"
	// FormKeyClientSecret is the form parameter name for the client secret.
	FormKeyClientSecret = "client_secret"
	// FormKeyScope is the form parameter name for the requested scope.
	FormKeyScope = "scope"
	// FormKeyRequestedTokenType is the form parameter name for the requested token type.
	FormKeyRequestedTokenType = "requested_token_type"
)
// HTTP header names and values used when talking to token endpoints.
const (
	// HeaderContentType is the Content-Type header name.
	HeaderContentType = "Content-Type"
	// HeaderAuthorization is the Authorization header name.
	HeaderAuthorization = "Authorization"
	// ContentTypeXWWWFormUrlEncoded is the content type for form-encoded request bodies.
	ContentTypeXWWWFormUrlEncoded = "application/x-www-form-urlencoded"
)
// Names of token exchange strategies that can be registered with RegisterTokenExchanger.
const (
	// StrategyKeycloakV1 is the strategy name for Keycloak's v1 token exchange.
	StrategyKeycloakV1 = "keycloak-v1"
	// StrategyRFC8693 is the strategy name for standard OAuth 2.0 token exchange (RFC 8693).
	StrategyRFC8693 = "rfc8693"
)
Variables ¶
This section is empty.
Functions ¶
func BuildClientAssertion ¶ added in v0.0.61
func BuildClientAssertion(clientID, tokenURL, certFile, keyFile string, lifetime time.Duration) (string, time.Time, error)
BuildClientAssertion creates a signed JWT assertion for client authentication (RFC 7523).
func GetRegisteredStrategies ¶ added in v0.0.61
func GetRegisteredStrategies() []string
GetRegisteredStrategies returns a sorted list of all registered token exchange strategy names. It is useful for config validation and error messages.
func RegisterTokenExchanger ¶
func RegisterTokenExchanger(strategy string, exchanger TokenExchanger)
Types ¶
type TargetTokenExchangeConfig ¶
// TargetTokenExchangeConfig holds the per-target token exchange settings
// (token endpoint, client credentials, audience and TLS options) used by
// providers that exchange a subject token with one target.
type TargetTokenExchangeConfig struct {
	// TokenURL is the token endpoint for the target.
	TokenURL string `toml:"token_url"`
	// ClientID is the OAuth client ID for the target.
	ClientID string `toml:"client_id"`
	// ClientSecret is the OAuth client secret for the target.
	// This is a credential: restrict read access to the config file and
	// keep the value out of logs and error messages.
	ClientSecret string `toml:"client_secret"`
	// Audience is the target audience for the exchanged token.
	Audience string `toml:"audience"`
	// SubjectTokenType specifies the token type for the subject token.
	// For same-realm: "urn:ietf:params:oauth:token-type:access_token"
	// For cross-realm: "urn:ietf:params:oauth:token-type:jwt"
	SubjectTokenType string `toml:"subject_token_type"`
	// SubjectIssuer is the IDP alias for cross-realm token exchange.
	// Only required when exchanging tokens across Keycloak realms.
	SubjectIssuer string `toml:"subject_issuer,omitempty"`
	// Scopes are optional scopes to request during token exchange.
	Scopes []string `toml:"scopes,omitempty"`
	// CAFile is the path to a CA certificate file for TLS verification.
	// Used when the token endpoint uses a certificate signed by a private CA.
	// NOTE(review): presumably this adds trust for that CA rather than
	// disabling verification — confirm against HTTPClient.
	CAFile string `toml:"ca_file,omitempty"`
	// AuthStyle specifies how client credentials are sent to the token endpoint:
	//   "params" (default): client_id/secret in request body
	//   "header": HTTP Basic Authentication header
	//   "assertion": JWT client assertion (RFC 7523)
	AuthStyle string `toml:"auth_style,omitempty"`
	// ClientCertFile is the path to the client certificate PEM file.
	// Used with AuthStyleAssertion for JWT client assertion authentication.
	ClientCertFile string `toml:"client_cert_file,omitempty"`
	// ClientKeyFile is the path to the client private key PEM file.
	// Used with AuthStyleAssertion for JWT client assertion authentication.
	// The key is a credential: restrict read access to the file.
	ClientKeyFile string `toml:"client_key_file,omitempty"`
	// AssertionLifetime is the validity duration for generated JWT assertions.
	// Defaults to 5 minutes if not specified (see DefaultAssertionLifetime).
	AssertionLifetime time.Duration `toml:"assertion_lifetime,omitempty"`
	// contains filtered or unexported fields
}
TargetTokenExchangeConfig holds per-target token exchange configuration. It is used by providers that support per-target token exchange, so that configuration stays consistent between providers.
func (*TargetTokenExchangeConfig) GetOrBuildAssertion ¶ added in v0.0.61
func (c *TargetTokenExchangeConfig) GetOrBuildAssertion() (string, error)
GetOrBuildAssertion returns a cached assertion, or builds a new one.
func (*TargetTokenExchangeConfig) HTTPClient ¶ added in v0.0.61
func (c *TargetTokenExchangeConfig) HTTPClient() (*http.Client, error)
func (*TargetTokenExchangeConfig) Validate ¶
func (c *TargetTokenExchangeConfig) Validate() error
Validate checks that the configuration values are valid.
type TokenExchanger ¶
// TokenExchanger exchanges a subject token for a token issued for the
// target described by a TargetTokenExchangeConfig. Implementations are
// registered under a strategy name with RegisterTokenExchanger and looked
// up with GetTokenExchanger.
type TokenExchanger interface {
	// Exchange exchanges subjectToken for a token for the target configured
	// in cfg; ctx bounds the request.
	Exchange(ctx context.Context, cfg *TargetTokenExchangeConfig, subjectToken string) (*oauth2.Token, error)
}
func GetTokenExchanger ¶
func GetTokenExchanger(strategy string) (TokenExchanger, bool)