oidc

package
v2.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 17, 2026 License: GPL-2.0, GPL-3.0 Imports: 11 Imported by: 0

Documentation

Overview

Package oidc wraps coreos/go-oidc to provide OIDC/OAuth2 authentication flows with PKCE. It imports the core auth package for types but never the reverse.

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrOIDCDiscovery     = errors.New("oidc: provider discovery failed")
	ErrOIDCExchange      = errors.New("oidc: code exchange failed")
	ErrOIDCTokenInvalid  = errors.New("oidc: ID token verification failed")
	ErrOIDCNonceMismatch = errors.New("oidc: nonce mismatch")
	ErrOIDCConfigInvalid = errors.New("oidc: invalid configuration")
	ErrOIDCNoUsername    = errors.New("oidc: token has no preferred_username or email claim")
)

Sentinel errors for OIDC operations.

Functions

func GeneratePKCE

func GeneratePKCE() (verifier, challenge string, err error)

GeneratePKCE generates a PKCE code verifier and S256 challenge.

func GenerateState

func GenerateState() (string, error)

GenerateState generates a random state string for OIDC flows.

func ResolveUser

func ResolveUser(claims *Claims, existingBySub *auth.User) (user *auth.User, isNew bool, err error)

ResolveUser maps an OIDC identity to a user by (issuer, sub) only. For a new identity (existingBySub == nil) it provisions a user from the token claims; it returns ErrOIDCNoUsername if the token has neither preferred_username nor email, rather than provisioning an account with a blank username.

func ValidateConfig

func ValidateConfig(cfg Config) error

ValidateConfig checks that the required fields of a Config are set.

Types

type Claims

type Claims struct {
	Subject           string `json:"sub"`
	Issuer            string `json:"iss"`
	Email             string `json:"email"`
	PreferredUsername string `json:"preferred_username"`
	Name              string `json:"name"`
	EmailVerified     bool   `json:"email_verified"`
}

Claims holds the verified claims extracted from an OIDC ID token.

type Config

type Config = auth.OIDCConfig

Config holds OIDC provider settings. It is an alias of auth.OIDCConfig (the canonical definition), so a consumer holding the core type passes it to NewProvider directly with no field-for-field conversion.

type Provider

type Provider struct {
	// contains filtered or unexported fields
}

Provider wraps the coreos/go-oidc provider with PKCE support.

func NewProvider

func NewProvider(ctx context.Context, cfg Config) (*Provider, error)

NewProvider creates an OIDC provider from config.

func (*Provider) AuthorizationURL

func (p *Provider) AuthorizationURL(state, nonce, codeChallenge string) string

AuthorizationURL generates the OIDC authorization URL with PKCE and state.

func (*Provider) Exchange

func (p *Provider) Exchange(ctx context.Context, code, codeVerifier, nonce string) (*Claims, *time.Time, error)

Exchange exchanges an authorization code for tokens and validates the ID token.

nonce MUST be the non-empty, single-use, cryptographically random value that was bound into the matching AuthorizationURL call and stored server-side for this authorization request. Exchange requires the ID token's nonce claim to equal it, defending against ID-token replay and injection. Passing nonce == "" is rejected with ErrOIDCNonceMismatch (fail closed): a conformant authorization-code flow always supplies a non-empty nonce, so an empty value can never satisfy the check. PKCE and the state parameter remain in force regardless, but the nonce binding is a distinct protection.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL