oauth2

package
Published: Jan 26, 2026 License: MIT Imports: 30 Imported by: 0

Documentation

Index

Constants

// JWT claim names used as keys of the claims map built for the tokens this
// package issues. exp, iss, iat, nbf, sub, aud and jti are RFC 7519
// registered claims; at_hash and nonce come from OpenID Connect Core; cid,
// user_id and scope are not in the RFC 7519 registered set.
const (
	// ClaimClientID - client identifier the token was issued to ("cid").
	ClaimClientID        = "cid"
	// ClaimExpiryTime - registered "exp" claim; RFC 7519 requires a token to
	// be rejected once this instant has passed.
	ClaimExpiryTime      = "exp"
	// ClaimIssuer - registered "iss" claim; compare with TokenCreator.Issuer.
	ClaimIssuer          = "iss"
	// ClaimIssuedAtTime - registered "iat" claim.
	ClaimIssuedAtTime    = "iat"
	// ClaimNotBeforeTime - registered "nbf" claim.
	ClaimNotBeforeTime   = "nbf"
	// ClaimUserID - user identifier; mirrors VerifiedClaims.UserID ("user_id").
	ClaimUserID          = "user_id"
	// ClaimScope - space-separated granted scope; mirrors VerifiedClaims.Scope.
	ClaimScope           = "scope"
	// ClaimSubject - registered "sub" claim.
	ClaimSubject         = "sub"
	// ClaimType - token kind ("typ"); see TokenTypeCode and TokenTypeRefreshToken.
	ClaimType            = "typ"
	// ClaimAudience - registered "aud" claim.
	ClaimAudience        = "aud"
	// ClaimAccessTokenHash - OIDC "at_hash" claim binding an ID token to the
	// access token issued with it.
	ClaimAccessTokenHash = "at_hash"
	// ClaimNonce - OIDC "nonce" claim echoed from the authorization request.
	ClaimNonce           = "nonce"
	// ClaimTokenID - registered "jti" claim; the value the revocation store
	// can presumably key on - confirm against revocation.Store.
	ClaimTokenID         = "jti"
)
// OAuth 2.0 error codes written into ErrorResponse.Error by Error. The first
// six are defined by RFC 6749 section 5.2; the last two are this package's
// own additions and a strictly conforming client may not recognize them.
const (
	// ErrorInvalidRequest - The request is missing a parameter so the server
	// can't proceed with the request. This may also be returned if the
	// request includes an unsupported parameter or repeats a parameter.
	ErrorInvalidRequest = "invalid_request"

	// ErrorInvalidClient - Client authentication failed, such as if the
	// request contains an invalid client ID or secret. Send an HTTP 401
	// response in this case. When the client authenticated via the
	// Authorization header, RFC 6749 section 5.2 also requires a matching
	// WWW-Authenticate header on that 401.
	ErrorInvalidClient = "invalid_client"

	// ErrorInvalidGrant - The authorization code (or user's password for the
	// password grant type) is invalid or expired. This is also the error you
	// would return if the redirect URL given in the authorization grant does
	// not match the URL provided in this access token request.
	ErrorInvalidGrant = "invalid_grant"

	// ErrorRedirectURIMismatch - The redirect URI is invalid for the
	// requested client id
	ErrorRedirectURIMismatch = "redirect_uri_mismatch"

	// ErrorUnauthorizedClient - The authenticated client is not authorized to
	// use the requested grant type (RFC 6749 section 5.2).
	ErrorUnauthorizedClient = "unauthorized_client"

	// ErrorUnsupportedGrantType - If a grant type is requested that the
	// authorization server doesn't recognize, use this code. Note that
	// unknown grant types also use this specific error code rather than using
	// the ErrorInvalidRequest above.
	ErrorUnsupportedGrantType = "unsupported_grant_type"

	// ErrorInternal - Not an RFC 6749 code. Used for server-side failures;
	// the accompanying description should not leak internal details (stack
	// traces, store errors) to the client.
	ErrorInternal = "internal_server_error"
	// ErrorNotFound - Not an RFC 6749 code; signals an unknown resource.
	ErrorNotFound = "not_found"
)
// Protocol parameter values: the grant_type values accepted at the token
// endpoint, the "typ" claim values distinguishing token kinds, and the
// response_type values accepted at the authorization endpoint.
const (
	// GrantTypeAuthorizationCode - RFC 6749 section 4.1 grant.
	GrantTypeAuthorizationCode = "authorization_code"
	// GrantTypeClientCredentials - RFC 6749 section 4.4 grant.
	GrantTypeClientCredentials = "client_credentials"
	// GrantTypeRefreshToken - RFC 6749 section 6 refresh.
	GrantTypeRefreshToken      = "refresh_token"
	// GrantTypePassword - RFC 6749 section 4.3 resource owner password grant;
	// deprecated by later OAuth 2.0 security guidance because the client
	// handles the user's credentials directly.
	GrantTypePassword          = "password"

	// TokenTypeCode - "typ" claim value for an authorization code; pass it to
	// TokenCreator.Verify when redeeming a code so that an access or refresh
	// token cannot be presented in its place.
	TokenTypeCode         = "code"
	// TokenTypeRefreshToken - "typ" claim value for a refresh token. Note the
	// string equals GrantTypeRefreshToken but the two are used in different
	// positions (claim vs. request parameter).
	TokenTypeRefreshToken = "refresh_token"
	// ResponseTypeCode - authorization endpoint response_type for the code flow.
	ResponseTypeCode      = "code"
	// ResponseTypeToken - authorization endpoint response_type for the implicit
	// flow, which returns the access token in the redirect fragment.
	ResponseTypeToken     = "token"
)
// OIDCDefaultScope - the default space-separated scope: the standard OpenID
// Connect scopes plus offline_access. In OIDC, offline_access is the scope
// that requests a refresh token, so deployments that do not need long-lived
// access should consider a narrower scope than this default.
const OIDCDefaultScope = "openid profile email phone address offline_access"

Variables

// Sentinel errors for token verification; compare with errors.Is.
var (
	// ErrInvalidTokenType - the token's "typ" claim is not acceptable;
	// presumably returned by Verify when the claim does not match the
	// tokenType the caller asked for - confirm in the implementation.
	ErrInvalidTokenType     = errors.New("invalid token type (typ)")
	// ErrUnsupportedAlgorithm - the requested or presented signing algorithm
	// is not one this package accepts. Rejecting outright, rather than falling
	// back, is what guards against algorithm-confusion attacks (e.g. "none"
	// or a symmetric algorithm checked against a public key).
	ErrUnsupportedAlgorithm = errors.New("unsupported token signing algorithm")
)

Functions

func AddAddressClaims

func AddAddressClaims(claims map[string]any, user User)

func AddEmailClaims

func AddEmailClaims(claims map[string]any, user User)

func AddExtraClaims

func AddExtraClaims(claims map[string]any, extraClaims map[string]string, user User, subject, clientID string, roleMappings RoleMappings)

func AddPhoneClaims

func AddPhoneClaims(claims map[string]any, user User)

func AddProfileClaims

func AddProfileClaims(claims map[string]any, user User)

func AuthorizeHandler

func AuthorizeHandler(basePath string, tokenService TokenCreator, sessionManager sessions.SessionManager, peopleStore people.Store, clientStore clients.Store, presets presets.Presets, scope string) http.Handler

func DiscoveryDocumentHandler

func DiscoveryDocumentHandler(issuer, scope string, tokenRevocationSupported bool) http.Handler

func Error

func Error(w http.ResponseWriter, error string, description string, code int)

func IntersectScope

func IntersectScope(availableScope, requestedScope string) string

func JwksHandler

func JwksHandler(keySetProvider keyset.Provider) http.Handler

func NewTokenID

func NewTokenID(timestamp time.Time) string

func RevokeHandler

func RevokeHandler(tokenCreator TokenCreator, clientStore clients.Store, revocationStore revocation.Store) http.Handler

func ToJwks

func ToJwks(publicKeys map[string]any) []jose.JSONWebKey

ToJwks creates JSON Web Keys from multiple public keys.

func TokenHandler

func TokenHandler(tokenService TokenCreator, peopleStore people.Store, clientStore clients.Store, revocationStore revocation.Store, presets presets.Presets, scope string) http.Handler

func UserinfoHandler added in v0.8.0

func UserinfoHandler(peopleStore people.Store, extraClaims map[string]string, roleMappings RoleMappings) http.Handler

Types

type DiscoveryDocument

// DiscoveryDocument is the OpenID Connect provider metadata (the JSON served
// at the well-known configuration URL), presumably what
// DiscoveryDocumentHandler writes - confirm. Field names follow the OIDC
// Discovery metadata keys given in the json tags.
type DiscoveryDocument struct {
	// Issuer must equal the "iss" claim of every token this provider signs.
	Issuer                                     string   `json:"issuer"`
	AuthorizationEndpoint                      string   `json:"authorization_endpoint"`
	// JwksURI is where clients fetch the public keys (see JwksHandler / ToJwks).
	JwksURI                                    string   `json:"jwks_uri"`
	ResponseTypesSupported                     []string `json:"response_types_supported"`
	GrantTypesSupported                        []string `json:"grant_types_supported"`
	TokenEndpoint                              string   `json:"token_endpoint"`
	UserinfoEndpoint                           string   `json:"userinfo_endpoint"`
	EndSessionEndpoint                         string   `json:"end_session_endpoint"`
	ScopesSupported                            []string `json:"scopes_supported"`
	TokenEndpointAuthMethodsSupported          []string `json:"token_endpoint_auth_methods_supported"`
	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported"`
	// CodeChallengeMethodsSupported advertises PKCE; omitted from the JSON
	// when empty, which clients read as "PKCE not supported".
	CodeChallengeMethodsSupported              []string `json:"code_challenge_methods_supported,omitempty"`
	IDTokenSigningAlgValuesSupported           []string `json:"id_token_signing_alg_values_supported"`
	// RevocationEndpoint and RevocationEndpointAuthMethodsSupported are
	// omitted when empty (see the tokenRevocationSupported parameter of
	// DiscoveryDocumentHandler).
	RevocationEndpoint                         string   `json:"revocation_endpoint,omitempty"`
	RevocationEndpointAuthMethodsSupported     []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`
}

type ErrorResponse

// ErrorResponse is the JSON error body of RFC 6749 section 5.2, as written
// by Error. Error holds one of the Error* constants; ErrorDescription is a
// human-readable detail and is omitted when empty.
type ErrorResponse struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description,omitempty"`
}

type RoleMapping

// RoleMapping lists the principals that are granted one role. Each list is
// a different way of selecting principals; all are omitted from JSON when
// empty. How the lists combine (union vs. any other rule) is decided by
// RoleMappings.Roles and RoleMappings.ClientRoles - confirm there.
type RoleMapping struct {
	// ByGroup - group names, presumably matched against the user's groups
	// from people.Person - confirm.
	ByGroup    []string `json:"by_group,omitempty"`
	// ByGroupDN - group distinguished names (directory-style matching).
	ByGroupDN  []string `json:"by_group_dn,omitempty"`
	// ByUserID - explicit user identifiers.
	ByUserID   []string `json:"by_user_id,omitempty"`
	// ByClientID - client identifiers; used by RoleMappings.ClientRoles for
	// non-user (client credentials) callers.
	ByClientID []string `json:"by_client_id,omitempty"`
}

type RoleMappings

// RoleMappings maps a role name (presumably the map key - confirm) to the
// RoleMapping that selects who holds it. Roles resolves the roles for a
// User, ClientRoles the roles for a client identifier.
type RoleMappings map[string]RoleMapping

func (RoleMappings) ClientRoles added in v0.8.0

func (c RoleMappings) ClientRoles(clientID string) []string

func (RoleMappings) Roles

func (c RoleMappings) Roles(user User) []string

type TokenCreator

// TokenCreator signs the tokens this package issues and verifies tokens
// presented back to it. NewTokenCreator returns the RSA-backed implementation.
// Each Generate* method takes the signing algorithm by name; given
// ErrUnsupportedAlgorithm, unknown names are presumably rejected - confirm.
type TokenCreator interface {
	// GenerateAccessToken signs an access token for user, bound to subject,
	// clientID and the granted scope.
	GenerateAccessToken(user User, algorithm, subject, clientID, scope string) (string, error)
	// GenerateIDToken signs an OIDC ID token. accessTokenHash presumably
	// becomes the at_hash claim and nonce the nonce claim (see
	// ClaimAccessTokenHash, ClaimNonce) - confirm.
	GenerateIDToken(user User, algorithm, clientID, scope, accessTokenHash, nonce string) (string, error)
	// GenerateAuthCode signs an authorization code. challenge is presumably
	// the PKCE code_challenge stored for verification at redemption (see
	// VerifiedClaims.Challenge) - confirm.
	GenerateAuthCode(algorithm, userID, clientID, scope, challenge, nonce string) (string, error)
	// GenerateRefreshToken signs a refresh token for userID and clientID.
	GenerateRefreshToken(algorithm, userID, clientID, scope, nonce string) (string, error)
	// Verify parses and validates rawToken and returns its claims. tokenType
	// is the kind the caller expects (e.g. TokenTypeCode when redeeming a
	// code); callers must always pass the expected kind so that a token of
	// one type cannot be redeemed as another. Returns ErrInvalidTokenType or
	// ErrUnsupportedAlgorithm in the corresponding cases - confirm in the
	// implementation.
	Verify(rawToken, tokenType string) (*VerifiedClaims, error)
	// Issuer returns the value written into the "iss" claim; it should match
	// DiscoveryDocument.Issuer.
	Issuer() string
}

func NewTokenCreator

func NewTokenCreator(privateKey *rsa.PrivateKey, keyID, issuer, scope string, presets presets.Presets, roleMappings RoleMappings) (TokenCreator, error)

type TokenResponse

// TokenResponse is the successful token endpoint response of RFC 6749
// section 5.1 (plus the OIDC id_token). RefreshToken and IDToken are omitted
// from the JSON when not issued.
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	// TokenType is the RFC 6749 token_type value (how the client presents
	// the access token).
	TokenType    string `json:"token_type"`
	// ExpiresIn is the access token lifetime in seconds, per RFC 6749.
	ExpiresIn    int    `json:"expires_in"`
	RefreshToken string `json:"refresh_token,omitempty"`
	IDToken      string `json:"id_token,omitempty"`
}

type User

// User is a people.Person together with the identifier used in the "user_id"
// claim (ClaimUserID). The Person fields are promoted, so the Add*Claims
// helpers can read profile, email, phone and address data directly from it.
type User struct {
	people.Person
	UserID string `json:"user_id"`
}

type VerifiedClaims

// VerifiedClaims is the subset of claims returned by TokenCreator.Verify
// after the signature and token type have been checked. The json tags are
// the claim names (cf. ClaimUserID, ClaimClientID, ClaimTokenID, ClaimType,
// ClaimScope, ClaimNonce, ClaimExpiryTime).
type VerifiedClaims struct {
	UserID    string           `json:"user_id"`
	ClientID  string           `json:"cid"`
	// TokenID is the "jti" claim, the natural key for revocation checks.
	TokenID   string           `json:"jti"`
	// Type is the "typ" claim (TokenTypeCode, TokenTypeRefreshToken, ...).
	Type      string           `json:"typ"`
	Scope     string           `json:"scope"`
	// Challenge - "challenge" claim, presumably the PKCE code_challenge
	// stored in an authorization code; there is no Claim* constant for it.
	Challenge string           `json:"challenge"`
	Nonce     string           `json:"nonce"`
	// Expiry is the "exp" claim. Being a pointer it is nil when the claim is
	// absent; callers should not treat a nil Expiry as "never expires" unless
	// Verify is confirmed to reject such tokens.
	Expiry    *jwt.NumericDate `json:"exp"`
}
