Documentation

Overview
Package oidc provides a minimal OpenID Connect client used by GraphJin's built-in login flow. It performs OIDC discovery, exchanges an authorization code for tokens via golang.org/x/oauth2, and verifies the ID token using the JWKS from the discovery document.
It intentionally does not depend on github.com/coreos/go-oidc to keep the module's transitive dependency set small — JWKS verification reuses the lestrrat-go/jwx library already pulled in by auth/provider.
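A JWKS signature check proves only that the issuer minted the ID token; it does not prove the token was minted for this client, for this login attempt, or recently. The claim checks that OIDC Core section 3.1.3.7 requires on top of the signature are shown below as an added example. It is not this package's code: the claims are held in a plain `map[string]any` (the same shape as `jwt.MapClaims`) so it runs without third-party modules, and the function name, the injected `now` clock, and the `skew` tolerance are this example's own choices.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is a decoded ID-token payload (same shape as jwt.MapClaims; a plain
// map is used here so the example has no third-party dependency).
type Claims map[string]any

// VerifyIDTokenClaims applies the checks OIDC Core 3.1.3.7 requires once the
// signature has already been verified against the issuer's JWKS. now is
// injected so the result is deterministic; skew tolerates clock drift.
func VerifyIDTokenClaims(c Claims, issuer, clientID, nonce string, now time.Time, skew time.Duration) error {
	if iss, _ := c["iss"].(string); iss != issuer {
		return fmt.Errorf("iss %q does not match expected issuer %q", iss, issuer)
	}
	auds := audiences(c["aud"])
	if !contains(auds, clientID) {
		return errors.New("aud does not contain this client_id")
	}
	// With several audiences the token must name this client as the authorized
	// party, otherwise a token issued to a sibling application is replayable here.
	if len(auds) > 1 {
		if azp, _ := c["azp"].(string); azp != clientID {
			return errors.New("multi-audience token without matching azp")
		}
	}
	exp, ok := numericDate(c["exp"])
	if !ok {
		return errors.New("missing or malformed exp")
	}
	if now.After(exp.Add(skew)) {
		return errors.New("ID token expired")
	}
	if iat, ok := numericDate(c["iat"]); ok && iat.After(now.Add(skew)) {
		return errors.New("iat is in the future")
	}
	// nonce ties the token to the authorization request that asked for it; when
	// the request carried no nonce (empty string) the token must carry none.
	if got, _ := c["nonce"].(string); got != nonce {
		return errors.New("nonce mismatch")
	}
	if sub, _ := c["sub"].(string); sub == "" {
		return errors.New("missing sub")
	}
	return nil
}

// audiences normalises aud, which the spec allows as a string or an array.
func audiences(v any) []string {
	switch a := v.(type) {
	case string:
		return []string{a}
	case []any:
		out := make([]string, 0, len(a))
		for _, x := range a {
			if s, ok := x.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// numericDate converts a JSON NumericDate as encoding/json decodes it
// (float64, or json.Number when UseNumber is set) into a time.Time.
func numericDate(v any) (time.Time, bool) {
	switch n := v.(type) {
	case float64:
		return time.Unix(int64(n), 0), true
	case json.Number:
		if i, err := n.Int64(); err == nil {
			return time.Unix(i, 0), true
		}
	}
	return time.Time{}, false
}
```

The order matters less than completeness: an `iss` mismatch catches tokens from a different provider (including mix-up attacks where discovery pointed at the wrong issuer), `aud`/`azp` catch tokens issued to another client of the same IdP, `exp`/`iat` catch replay of old tokens, and `nonce` catches a token that was not requested by this browser session.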
Index

Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.

Types
type Config

type Config struct {
	// IssuerURL is the OIDC issuer — discovery happens at
	// <IssuerURL>/.well-known/openid-configuration.
	IssuerURL string
	// ClientID / ClientSecret are the registered OAuth client credentials.
	ClientID     string
	ClientSecret string
	// RedirectURI registered with the IdP. If empty, the caller is expected to
	// override it per-request (useful when the server listens on multiple
	// hostnames).
	RedirectURI string
	// Scopes requested. Defaults to ["openid", "email", "profile"] when empty.
	Scopes []string
	// AllowedEmails / AllowedDomains are optional allow-lists applied after a
	// successful OIDC sign-in. If both are empty, any verified identity is
	// accepted.
	AllowedEmails  []string
	AllowedDomains []string
}
Config describes a single OIDC identity provider. It works for any OIDC-compliant issuer (Google, Okta, Keycloak, Azure AD, Auth0-as-IdP, ...).
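The allow-lists are the only authorization decision in this flow, so the comparison has to be exact. The following added example (not this package's implementation; the `AllowList` type, the `Allowed` function and the policy of rejecting unverified e-mail addresses are this example's own assumptions) shows a strict check next to the naive suffix test it replaces: domains are matched on the whole label after the last `@`, case-insensitively, so `evil-example.com` is not accepted for `example.com`, and an e-mail the IdP has not marked verified never satisfies a list, since several IdPs let users type any address into their profile.

```go
package main

import "strings"

// AllowList mirrors the two allow-list fields of oidc.Config (example type,
// not the package's own).
type AllowList struct {
	AllowedEmails  []string
	AllowedDomains []string
}

// Allowed reports whether a signed-in identity passes the allow-lists.
// Empty lists accept everyone (as the Config doc states). When a list is in
// force the e-mail must be marked verified by the IdP, matches are
// case-insensitive, and a domain matches only the exact label after the last
// '@' (no suffix or subdomain matching). Both of those are this example's
// policy choices.
func Allowed(email string, emailVerified bool, a AllowList) bool {
	if len(a.AllowedEmails) == 0 && len(a.AllowedDomains) == 0 {
		return true
	}
	if !emailVerified {
		return false
	}
	email = strings.ToLower(strings.TrimSpace(email))
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return false // no local part or no domain: not a usable address
	}
	for _, e := range a.AllowedEmails {
		if strings.ToLower(strings.TrimSpace(e)) == email {
			return true
		}
	}
	domain := email[at+1:]
	for _, d := range a.AllowedDomains {
		d = strings.ToLower(strings.TrimSpace(strings.TrimPrefix(d, "@")))
		if d == domain {
			return true
		}
	}
	return false
}

// suffixMatch is the naive version, kept only to show the pitfall: a suffix
// test lets "alice@evil-example.com" through for the domain "example.com",
// and anyone can register such a domain.
func suffixMatch(email string, a AllowList) bool {
	for _, d := range a.AllowedDomains {
		if strings.HasSuffix(strings.ToLower(email), strings.ToLower(d)) {
			return true
		}
	}
	return false
}
```

Subdomains (`sub.example.com`) are deliberately not matched here; if an organisation needs them, list each one explicitly rather than reintroducing a suffix test.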
type Identity

type Identity struct {
	Subject       string
	Email         string
	EmailVerified bool
	Name          string
	Issuer        string
	Raw           jwt.MapClaims
}
Identity is the minimum user info extracted from a verified ID token.
func (Identity) NamespacedSubject

NamespacedSubject returns a stable identifier combining issuer and subject, safe to use as the `sub` claim of a locally-minted JWT. A `sub` is only guaranteed unique within one issuer, so when several IdPs are configured two of them can hand out the same `sub` for different users; keying local accounts on the bare subject would merge those users, while the issuer-qualified form keeps them apart.
type Provider

type Provider struct {
	// contains filtered or unexported fields
}

Provider is a configured OIDC client.
func NewProvider
NewProvider fetches the OIDC discovery document and returns a ready-to-use Provider.
func (*Provider) AuthCodeURL

AuthCodeURL returns the IdP URL the browser should be redirected to. `state` must be an unguessable value (for example 32 bytes from crypto/rand) that is bound to the browser session, compared on the callback, and then discarded; this is what stops login CSRF, where an attacker finishes the flow in the victim's browser with an authorization code for the attacker's account. `redirectURI` overrides the configured one if non-empty (useful when the callback host is derived from the request). If it is derived from the request, check the host against a fixed allow-list first: the Host header is attacker-controlled, and a compliant IdP only accepts redirect URIs that were registered for the client.
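One way to handle `state` across the two halves of the flow, as an added example that is not part of this package: the login handler generates the value, stores it in a short-lived `HttpOnly` cookie and passes the same value to `AuthCodeURL`; the callback handler compares the query parameter against the cookie with a constant-time comparison and then clears the cookie so the value is single-use. The handler names, cookie name and ten-minute lifetime are this example's assumptions. `SameSite=Lax` is chosen on purpose: the callback is a top-level GET navigation from the IdP, which Lax permits and Strict would block.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net/http"
)

// stateCookie is the example's cookie name (an assumption, not the package's).
const stateCookie = "oidc_state"

// NewState returns 32 bytes of CSPRNG output, base64url-encoded (43 chars).
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// BeginLogin mints a fresh state, binds it to this browser via a short-lived
// cookie, and returns it so the caller can pass it to Provider.AuthCodeURL.
func BeginLogin(w http.ResponseWriter, r *http.Request) (string, error) {
	state, err := NewState()
	if err != nil {
		return "", err
	}
	http.SetCookie(w, &http.Cookie{
		Name:     stateCookie,
		Value:    state,
		Path:     "/",
		MaxAge:   600, // ten minutes: long enough to log in, short enough to limit replay
		HttpOnly: true,
		Secure:   true, // always serve the login flow over TLS
		SameSite: http.SameSiteLaxMode,
	})
	return state, nil
}

// FinishLogin verifies the callback before any code exchange happens: the
// state in the query must equal the cookie value (constant-time compare), and
// the cookie is cleared so the same state cannot be presented twice.
func FinishLogin(w http.ResponseWriter, r *http.Request) error {
	c, err := r.Cookie(stateCookie)
	if err != nil {
		return errors.New("missing state cookie: this browser did not start a login")
	}
	got := r.URL.Query().Get("state")
	if got == "" || !hmac.Equal([]byte(got), []byte(c.Value)) {
		return errors.New("state mismatch: possible login CSRF")
	}
	http.SetCookie(w, &http.Cookie{
		Name: stateCookie, Value: "", Path: "/", MaxAge: -1, HttpOnly: true, Secure: true,
	})
	return nil
}
```

Only after `FinishLogin` returns nil should the handler take `code` from the query and exchange it; a state failure must short-circuit before the token endpoint is ever contacted.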