go-oidc

module
v3.20.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 8, 2026 License: Apache-2.0

README

go-oidc

Go Reference

OpenID Connect is a specification on top of OAuth 2.0 that adds a provider-agnostic API for user attributes. End users perform the regular OAuth 2.0 flow and the response includes a JWT signed by the identity provider with standard claims for a stable identifier, email, display name, and other attributes.

{
  "sub": "12345abcd",
  "email": "janedoe@example.com",
  "email_verified": true,
  "name": "Jane Doe"
}

This package can be used to identify users (and even workload identities) across a large number of identity providers:

go-oidc is a mature OpenID Connect client, and is imported by over 1000 open source projects.

OpenID Connect support for Go

This package enables OpenID Connect support for the golang.org/x/oauth2 package. The client can be initialized through OpenID Connect discovery with the issuer URL and a few additional scopes on the oauth2.Config.

provider, err := oidc.NewProvider(ctx, "https://accounts.google.com")
if err != nil {
    // handle error
}

// Configure an OpenID Connect aware OAuth2 client.
oauth2Config := oauth2.Config{
    ClientID:     clientID,
    ClientSecret: clientSecret,
    RedirectURL:  redirectURL,

    // Discovery returns the OAuth2 endpoints.
    Endpoint: provider.Endpoint(),

    // "openid" is a required scope for OpenID Connect flows.
    Scopes: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail},
}

// Create an ID Token verifier.
idTokenVerifier := provider.Verifier(&oidc.Config{ClientID: clientID})

OAuth2 redirects are unchanged.

func handleRedirect(w http.ResponseWriter, r *http.Request) {
    http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusFound)
}

Then, on the response, the ID Token verifier can be used to verify ID Tokens.

func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
    // Verify state and errors.

    oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
    if err != nil {
        // handle error
    }

    // Extract the ID Token from OAuth2 token.
    rawIDToken, ok := oauth2Token.Extra("id_token").(string)
    if !ok {
        // handle missing token
    }

    // Parse and verify ID Token payload.
    idToken, err := idTokenVerifier.Verify(ctx, rawIDToken)
    if err != nil {
        // handle error
    }

    // Extract custom claims
    var claims struct {
        Email         string `json:"email"`
        EmailVerified bool   `json:"email_verified"`
        Name          string `json:"name"`
        Picture       string `json:"picture"`
    }
    if err := idToken.Claims(&claims); err != nil {
        // handle error
    }
}

Directories

Path Synopsis
example
idtoken command
This is an example application to demonstrate parsing an ID Token.
This is an example application to demonstrate parsing an ID Token.
logout command
This is an example application to demonstrate parsing an ID Token.
This is an example application to demonstrate parsing an ID Token.
userinfo command
This is an example application to demonstrate querying the user info endpoint.
This is an example application to demonstrate querying the user info endpoint.
Package oidc implements OpenID Connect client logic for the golang.org/x/oauth2 package.
Package oidc implements OpenID Connect client logic for the golang.org/x/oauth2 package.
oidctest
Package oidctest implements a test OpenID Connect server.
Package oidctest implements a test OpenID Connect server.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL