Documentation
¶
Overview ¶
Package oidc wraps coreos/go-oidc to provide OIDC/OAuth2 authentication flows with PKCE. It imports the core auth package for types but never the reverse.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ( ErrOIDCDiscovery = errors.New("oidc: provider discovery failed") ErrOIDCExchange = errors.New("oidc: code exchange failed") ErrOIDCTokenInvalid = errors.New("oidc: ID token verification failed") ErrOIDCNonceMismatch = errors.New("oidc: nonce mismatch") ErrOIDCConfigInvalid = errors.New("oidc: invalid configuration") ErrOIDCNoUsername = errors.New("oidc: token has no preferred_username or email claim") )
Sentinel errors for OIDC operations.
Functions ¶
func GeneratePKCE ¶
GeneratePKCE generates a PKCE code verifier and S256 challenge.
func GenerateState ¶
GenerateState generates a random state string for OIDC flows.
func ResolveUser ¶
ResolveUser maps an OIDC identity to a user by (issuer, sub) only. For a new identity (existingBySub == nil) it provisions a user from the token claims; it returns ErrOIDCNoUsername if the token has neither preferred_username nor email, rather than provisioning an account with a blank username.
func ValidateConfig ¶
ValidateConfig checks that the required fields of a Config are set.
Types ¶
type Claims ¶
type Claims struct {
Subject string `json:"sub"`
Issuer string `json:"iss"`
Email string `json:"email"`
PreferredUsername string `json:"preferred_username"`
Name string `json:"name"`
EmailVerified bool `json:"email_verified"`
}
Claims holds the verified claims extracted from an OIDC ID token.
type Config ¶
type Config = auth.OIDCConfig
Config holds OIDC provider settings. It is an alias of auth.OIDCConfig (the canonical definition), so a consumer holding the core type passes it to NewProvider directly with no field-for-field conversion.
type Provider ¶
type Provider struct {
// contains filtered or unexported fields
}
Provider wraps the coreos/go-oidc provider with PKCE support.
func NewProvider ¶
NewProvider creates an OIDC provider from config.
func (*Provider) AuthorizationURL ¶
AuthorizationURL generates the OIDC authorization URL with PKCE and state.
func (*Provider) Exchange ¶
func (p *Provider) Exchange(ctx context.Context, code, codeVerifier, nonce string) (*Claims, *time.Time, error)
Exchange exchanges an authorization code for tokens and validates the ID token.
nonce MUST be the non-empty, single-use, cryptographically random value that was bound into the matching AuthorizationURL call and stored server-side for this authorization request. Exchange requires the ID token's nonce claim to equal it, defending against ID-token replay and injection. Passing nonce == "" is rejected with ErrOIDCNonceMismatch (fail closed): a conformant authorization-code flow always supplies a non-empty nonce, so an empty value can never satisfy the check. PKCE and the state parameter remain in force regardless, but the nonce binding is a distinct protection.