oidc

package
v0.40.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 19, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DeviceCodeUIConsoleQR 

func DeviceCodeUIConsoleQR(deviceCode *oauth2.DeviceAuthResponse) error

func DeviceCodeUIConsoleText 

func DeviceCodeUIConsoleText(deviceCode *oauth2.DeviceAuthResponse) error

func ExtractClaims 

func ExtractClaims[T jwtvalidator.CustomClaims](claims interface{}) (jwtvalidator.RegisteredClaims, T, error)

func LoadTokenFromFile 

func LoadTokenFromFile(filePath string) (*oauth2.Token, error)

func NewGothProvider added in v0.40.0 

func NewGothProvider(c *Client, callbackURL *url.URL, scopes ...string) (*openidConnect.Provider, error)

func NewGothProviderFromConfig added in v0.40.0 

func NewGothProviderFromConfig(c *ClientConfig, callbackURL *url.URL, scopes ...string) (*openidConnect.Provider, error)

func NewHTTPClientFromConfig 

func NewHTTPClientFromConfig(config *ClientConfig) (*http.Client, error)

func NewValidatorFromConfig 

func NewValidatorFromConfig(config *ValidatorConfig, opts ...jwtvalidator.Option) (*jwtvalidator.Validator, error)

func NewValidatorsFromConfig 

func NewValidatorsFromConfig(configs []ValidatorConfig, opts ...jwtvalidator.Option) ([]*jwtvalidator.Validator, error)

func ResolveToken 

func ResolveToken(c ClientConfig) (*oauth2.Token, error)

func SaveTokenToFile 

func SaveTokenToFile(accessToken *oauth2.Token, authFilePath string) error

Types

type Client 

type Client struct {
	// contains filtered or unexported fields
}

func NewClient 

func NewClient(endpoint Endpoint, opts ...ClientOpt) *Client

func NewClientFromConfig 

func NewClientFromConfig(config *ClientConfig) (*Client, error)

func (*Client) ClientCredentialsToken 

func (c *Client) ClientCredentialsToken(ctx context.Context, opts ...RequestOpt) (*oauth2.Token, error)

ClientCredentialsToken gets a token using the client_credentials grant It sends the client_id and client_secret to the token endpoint and gets a token in response

func (*Client) DeviceToken 

func (c *Client) DeviceToken(ctx context.Context, scopes ...string) (*oauth2.Token, error)

func (*Client) Endpoint 

func (c *Client) Endpoint() Endpoint

func (*Client) HTTPClient 

func (c *Client) HTTPClient(t *oauth2.Token) *http.Client

func (*Client) IntrospectToken 

func (c *Client) IntrospectToken(ctx context.Context, token string) (*IntrospectionResponse, error)

IntrospectToken introspects the token It sends the token to the introspection endpoint and gets the response

func (*Client) TokenSource added in v0.40.0 

func (c *Client) TokenSource(t *oauth2.Token) oauth2.TokenSource

func (*Client) ValidateToken 

func (c *Client) ValidateToken(ctx context.Context, token string, audiences []string) (*jwtvalidator.ValidatedClaims, error)

ValidateToken VerifyToke verifies the token and returns the claims It fetches the verification keys from the OIDC server and uses them to verify the token

type ClientConfig 

type ClientConfig struct {
	// Provider     EndpointConfig    `json:"provider"` // e.g. "github", "keycloak"
	EndpointConfig `mapstructure:",squash"`
	ClientID       string            `json:"client-id" mapstructure:"client-id"`
	ClientSecret   util.MaskedString `json:"client-secret,omitempty" mapstructure:"client-secret,omitempty"`

	Audience string `json:"audience,omitempty" mapstructure:"audience,omitempty"`

	// do these belong somewhere else?
	TokenFile string `json:"token-file" mapstructure:"token-file"`
}

type ClientOpt 

type ClientOpt func(c *Client)

func WithClientID 

func WithClientID(clientID string) ClientOpt

func WithClientIDAndSecret 

func WithClientIDAndSecret(clientID, clientSecret string) ClientOpt

func WithDeviceCodeUI 

func WithDeviceCodeUI(ui DeviceCodeUI) ClientOpt

func WithKeyCacheTTL 

func WithKeyCacheTTL(ttl time.Duration) ClientOpt

func WithValidatingSignatureAlgorithm 

func WithValidatingSignatureAlgorithm(algorithm jwtvalidator.SignatureAlgorithm) ClientOpt

type DeviceCodeUI 

type DeviceCodeUI func(deviceCode *oauth2.DeviceAuthResponse) error

type Endpoint 

type Endpoint interface {
	URL() *url.URL
	DiscoveryEndpoint() (*url.URL, error)
	DiscoveredConfiguration() (*OpenIDConfiguration, error)
	OAuth2Endpoint() (oauth2.Endpoint, error)
}

func NewEndpoint 

func NewEndpoint(baseURL string) (Endpoint, error)

func NewEndpointFromConfig 

func NewEndpointFromConfig(config *EndpointConfig) (Endpoint, error)

func NewGitHubEndpoint 

func NewGitHubEndpoint(baseURL string) (Endpoint, error)

func NewKeycloakRealmEndpoint 

func NewKeycloakRealmEndpoint(baseURLStr, realm string) (Endpoint, error)

type EndpointConfig 

type EndpointConfig struct {
	Type          string `json:"type,omitempty" mapstructure:"type,omitempty"`
	URL           string `json:"url" mapstructure:"url"`
	KeycloakRealm string `json:"keycloak-realm,omitempty" mapstructure:"keycloak-realm,omitempty"`
}

type GitHubEndpoint 

type GitHubEndpoint struct {
	// contains filtered or unexported fields
}

func (*GitHubEndpoint) DiscoveredConfiguration 

func (e *GitHubEndpoint) DiscoveredConfiguration() (*OpenIDConfiguration, error)

func (*GitHubEndpoint) DiscoveryEndpoint added in v0.40.0 

func (e *GitHubEndpoint) DiscoveryEndpoint() (*url.URL, error)

func (*GitHubEndpoint) OAuth2Endpoint 

func (e *GitHubEndpoint) OAuth2Endpoint() (oauth2.Endpoint, error)

func (*GitHubEndpoint) URL 

func (e *GitHubEndpoint) URL() *url.URL

type IntrospectionResponse 

type IntrospectionResponse struct {
	ExpiresAt                           int      `json:"exp"`
	IssuedAt                            int      `json:"iat"`
	AuthTime                            int      `json:"auth_time"`
	ID                                  string   `json:"jti"`
	Issuer                              string   `json:"iss"`
	Audience                            string   `json:"aud"`
	Subject                             string   `json:"sub"`
	Type                                string   `json:"typ"`
	AuthorizedParty                     string   `json:"azp"`
	SessionID                           string   `json:"sid"`
	AuthenticationContextClassReference string   `json:"acr"`
	AllowedOrigins                      []string `json:"allowed-origins"`
	RealmAccess                         struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
	ResourceAccess struct {
		Account struct {
			Roles []string `json:"roles"`
		} `json:"account"`
	} `json:"resource_access"`
	Scope             string   `json:"scope"`
	UserPrincipalName string   `json:"upn"`
	EmailVerified     bool     `json:"email_verified"`
	Name              string   `json:"name"`
	Groups            []string `json:"groups"`
	PreferredUsername string   `json:"preferred_username"`
	GivenName         string   `json:"given_name"`
	FamilyName        string   `json:"family_name"`
	Email             string   `json:"email"`
	ClientId          string   `json:"client_id"`
	Username          string   `json:"username"`
	TokenType         string   `json:"token_type"`
	Active            bool     `json:"active"`
}

func (*IntrospectionResponse) Validate 

func (c *IntrospectionResponse) Validate(ctx context.Context) error

type KeycloakEndpoint 

type KeycloakEndpoint struct {
	// contains filtered or unexported fields
}

func NewKeycloakEndpoint 

func NewKeycloakEndpoint(baseURLStr string) (*KeycloakEndpoint, error)

func (*KeycloakEndpoint) RealmEndpoint 

func (e *KeycloakEndpoint) RealmEndpoint(realm string) Endpoint

type MultiValidator 

type MultiValidator struct {
	// contains filtered or unexported fields
}

func NewMultiValidator 

func NewMultiValidator(validators ...*jwtvalidator.Validator) *MultiValidator

func NewMultiValidatorFromConfig 

func NewMultiValidatorFromConfig(configs []ValidatorConfig, opts ...jwtvalidator.Option) (*MultiValidator, error)

func (*MultiValidator) ValidateToken 

func (v *MultiValidator) ValidateToken(ctx context.Context, tokenString string) (interface{}, error)

type OpenIDConfiguration 

type OpenIDConfiguration struct {
	Issuer                                                    string   `json:"issuer"`
	AuthorizationEndpoint                                     string   `json:"authorization_endpoint"`
	TokenEndpoint                                             string   `json:"token_endpoint"`
	UserinfoEndpoint                                          string   `json:"userinfo_endpoint"`
	JWKSURI                                                   string   `json:"jwks_uri"`
	RegistrationEndpoint                                      string   `json:"registration_endpoint"`
	ScopesSupported                                           []string `json:"scopes_supported"`
	ResponseTypesSupported                                    []string `json:"response_types_supported"`
	GrantTypesSupported                                       []string `json:"grant_types_supported"`
	SubjectTypesSupported                                     []string `json:"subject_types_supported"`
	IDTokenSigningAlgValuesSupported                          []string `json:"id_token_signing_alg_values_supported"`
	TokenEndpointAuthMethodsSupported                         []string `json:"token_endpoint_auth_methods_supported"`
	ClaimsSupported                                           []string `json:"claims_supported"`
	CodeChallengeMethodsSupported                             []string `json:"code_challenge_methods_supported"`
	IntrospectionEndpoint                                     string   `json:"introspection_endpoint"`
	EndSessionEndpoint                                        string   `json:"end_session_endpoint"`
	FrontchannelLogoutSessionSupported                        bool     `json:"frontchannel_logout_session_supported"`
	FrontchannelLogoutSupported                               bool     `json:"frontchannel_logout_supported"`
	CheckSessionIframe                                        string   `json:"check_session_iframe"`
	AcrValuesSupported                                        []string `json:"acr_values_supported"`
	IDTokenEncryptionAlgValuesSupported                       []string `json:"id_token_encryption_alg_values_supported"`
	IDTokenEncryptionEncValuesSupported                       []string `json:"id_token_encryption_enc_values_supported"`
	UserinfoSigningAlgValuesSupported                         []string `json:"userinfo_signing_alg_values_supported"`
	UserinfoEncryptionAlgValuesSupported                      []string `json:"userinfo_encryption_alg_values_supported"`
	UserinfoEncryptionEncValuesSupported                      []string `json:"userinfo_encryption_enc_values_supported"`
	RequestObjectSigningAlgValuesSupported                    []string `json:"request_object_signing_alg_values_supported"`
	RequestObjectEncryptionAlgValuesSupported                 []string `json:"request_object_encryption_alg_values_supported"`
	RequestObjectEncryptionEncValuesSupported                 []string `json:"request_object_encryption_enc_values_supported"`
	ResponseModesSupported                                    []string `json:"response_modes_supported"`
	TokenEndpointAuthSigningAlgValuesSupported                []string `json:"token_endpoint_auth_signing_alg_values_supported"`
	IntrospectionEndpointAuthMethodsSupported                 []string `json:"introspection_endpoint_auth_methods_supported"`
	IntrospectionEndpointAuthSigningAlgValuesSupported        []string `json:"introspection_endpoint_auth_signing_alg_values_supported"`
	AuthorizationSigningAlgValuesSupported                    []string `json:"authorization_signing_alg_values_supported"`
	AuthorizationEncryptionAlgValuesSupported                 []string `json:"authorization_encryption_alg_values_supported"`
	AuthorizationEncryptionEncValuesSupported                 []string `json:"authorization_encryption_enc_values_supported"`
	ClaimTypesSupported                                       []string `json:"claim_types_supported"`
	ClaimsParameterSupported                                  bool     `json:"claims_parameter_supported"`
	RequestParameterSupported                                 bool     `json:"request_parameter_supported"`
	RequestURIParameterSupported                              bool     `json:"request_uri_parameter_supported"`
	RequireRequestURIRegistration                             bool     `json:"require_request_uri_registration"`
	TLSClientCertificateBoundAccessTokens                     bool     `json:"tls_client_certificate_bound_access_tokens"`
	RevocationEndpoint                                        string   `json:"revocation_endpoint"`
	RevocationEndpointAuthMethodsSupported                    []string `json:"revocation_endpoint_auth_methods_supported"`
	RevocationEndpointAuthSigningAlgValuesSupported           []string `json:"revocation_endpoint_auth_signing_alg_values_supported"`
	BackchannelLogoutSupported                                bool     `json:"backchannel_logout_supported"`
	BackchannelLogoutSessionSupported                         bool     `json:"backchannel_logout_session_supported"`
	DeviceAuthorizationEndpoint                               string   `json:"device_authorization_endpoint"`
	BackchannelTokenDeliveryModesSupported                    []string `json:"backchannel_token_delivery_modes_supported"`
	BackchannelAuthenticationEndpoint                         string   `json:"backchannel_authentication_endpoint"`
	BackchannelAuthenticationRequestSigningAlgValuesSupported []string `json:"backchannel_authentication_request_signing_alg_values_supported"`
	RequirePushedAuthorizationRequests                        bool     `json:"require_pushed_authorization_requests"`
	PushedAuthorizationRequestEndpoint                        string   `json:"pushed_authorization_request_endpoint"`
	MTLSEndpointAliases                                       struct {
		TokenEndpoint                      string `json:"token_endpoint"`
		RevocationEndpoint                 string `json:"revocation_endpoint"`
		IntrospectionEndpoint              string `json:"introspection_endpoint"`
		DeviceAuthorizationEndpoint        string `json:"device_authorization_endpoint"`
		RegistrationEndpoint               string `json:"registration_endpoint"`
		UserinfoEndpoint                   string `json:"userinfo_endpoint"`
		PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint"`
		BackchannelAuthenticationEndpoint  string `json:"backchannel_authentication_endpoint"`
	} `json:"mtls_endpoint_aliases"`
	AuthorizationResponseIssParameterSupported bool `json:"authorization_response_iss_parameter_supported"`
}

type RequestOpt 

type RequestOpt func(url.Values)

func WithAudience 

func WithAudience(audience string) RequestOpt

type TrustConfig 

type TrustConfig struct {
	Verifiers []ValidatorConfig `json:"verifiers" mapstructure:"verifiers"`
}

type ValidatorConfig added in v0.40.0 

type ValidatorConfig struct {
	EndpointConfig
	Audiences          []string `json:"audiences" mapstructure:"audiences"`
	Issuer             string   `json:"issuer" mapstructure:"issuer"`
	CacheTTL           int      `json:"cache_ttl_seconds" mapsstructure:"cache_ttl_seconds"`
	SignatureAlgorithm string   `json:"signature_algorithm" mapstructure:"signature_algorithm"`
	AllowedClockSkew   int      `json:"allowed_clock_skew_seconds" mapstructure:"allowed_clock_skew_seconds"`
}

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.