Documentation
Types
type Claims
type Claims struct {
	// Identity is the user's identity, taken from the email claim (or from sub if no email claim is present)
	Identity string
	// Email is the user's email address (if present in the token)
	Email string
	// Subject is the subject (sub) claim, the provider's unique user identifier
	Subject string
	// Issuer is the issuer (iss) claim; it should match the configured issuer
	Issuer string
	// Audience is the audience (aud) claim, i.e. who the token is intended for
	Audience []string
	// ExpiresAt is when the token expires
	ExpiresAt time.Time
	// IssuedAt is when the token was issued
	IssuedAt time.Time
}
Claims represents the claims extracted from an OIDC token
type Config
type Config struct {
	// Issuer is the OIDC provider issuer URL (e.g., "https://accounts.google.com"); a token's iss claim must match it
	Issuer string
	// ClientID is the expected audience (aud) claim. Optional, but set it whenever the policy server should accept only tokens issued to its own OAuth client
	ClientID string
	// SkipExpiryCheck disables token expiration validation. Not recommended for production: an expired token stays usable indefinitely
	SkipExpiryCheck bool
	// TLSConfig configures TLS for connections to the OIDC provider (discovery, JWKS and UserInfo)
	TLSConfig tlsconfig.Config
}
Config configures the OIDC validator
type Validator
type Validator struct {
	// contains filtered or unexported fields
}
Validator validates OIDC JWT tokens
Example
ExampleValidator is illustrative: it shows how the validator API is used, but it needs a real OIDC provider (and a token issued by it) to actually run.
package main

import (
	"context"

	"github.com/epithet-ssh/epithet/pkg/policyserver/oidc"
)

func main() {
	ctx := context.Background()

	// Create a validator for Google.
	validator, err := oidc.NewValidator(ctx, oidc.Config{
		Issuer: "https://accounts.google.com",
	})
	if err != nil {
		panic(err)
	}

	// Validate a token (in practice this comes from `epithet auth oidc`).
	claims, err := validator.Validate(ctx, "token-from-auth-command")
	if err != nil {
		panic(err)
	}

	// Use the claims.
	_ = claims.Identity // "user@example.com"
	_ = claims.Email    // "user@example.com"
	_ = claims.Subject  // "1234567890"
}
func NewValidator
NewValidator creates a new OIDC token validator. It performs OIDC discovery to fetch the provider's JWKS (public keys).
func (*Validator) Validate
Validate validates an OIDC JWT token and extracts its claims. It returns the extracted Claims if the token is valid and an error otherwise.
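The checks described above (signature under the provider's key, iss equal to the configured Issuer, aud containing ClientID when one is set, exp still in the future, and Identity taken from email with sub as the fallback) as a self-contained worked example. This is added illustration, not the package's own code: it verifies an RS256 ID token against a freshly generated local RSA key using only the standard library, standing in for the JWKS that NewValidator fetches through discovery, and the issuer https://issuer.example, the client ID epithet-client and the sample claims are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type Claims struct { // stand-alone copy of the fields documented for oidc.Claims, not the package's own type
	Identity, Email, Subject, Issuer string
	Audience                         []string
	ExpiresAt, IssuedAt              time.Time
}

// rawClaims is the ID token payload; per OIDC Core, "aud" may be a string or an array of strings.
type rawClaims struct {
	Iss   string          `json:"iss"`
	Sub   string          `json:"sub"`
	Aud   json.RawMessage `json:"aud"`
	Exp   int64           `json:"exp"`
	Iat   int64           `json:"iat"`
	Email string          `json:"email,omitempty"`
}

// signRS256 builds a compact JWS over payload; used here only to construct test tokens.
func signRS256(key *rsa.PrivateKey, payload []byte) (string, error) {
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(payload)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// verifyIDToken applies the checks the Config and Claims docs describe: RS256 signature under the provider
// key, iss equal to the configured issuer, aud containing clientID when one is set, exp in the future.
func verifyIDToken(token string, pub *rsa.PublicKey, issuer, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: want header.payload.signature")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, fmt.Errorf("token part %d: %w", i, err)
		}
	}
	// Pin the algorithm so the token cannot select "none" or an HMAC variant.
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], raw[2]) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var rc rawClaims
	if err := json.Unmarshal(raw[1], &rc); err != nil {
		return nil, err
	}
	if rc.Iss != issuer {
		return nil, fmt.Errorf("issuer %q does not match configured %q", rc.Iss, issuer)
	}
	var aud []string
	if single := ""; json.Unmarshal(rc.Aud, &single) == nil {
		aud = []string{single}
	} else if json.Unmarshal(rc.Aud, &aud) != nil {
		return nil, fmt.Errorf("aud claim is neither a string nor an array")
	}
	audOK := clientID == "" // no ClientID configured (the Config doc calls it optional): audience not enforced
	for _, a := range aud {
		audOK = audOK || a == clientID
	}
	if !audOK {
		return nil, fmt.Errorf("audience %v does not include %q", aud, clientID)
	}
	exp := time.Unix(rc.Exp, 0)
	if !now.Before(exp) {
		return nil, fmt.Errorf("token expired at %s", exp.UTC().Format(time.RFC3339))
	}
	identity := rc.Email // Identity is the email claim, falling back to sub when no email is present
	if identity == "" {
		identity = rc.Sub
	}
	return &Claims{Identity: identity, Email: rc.Email, Subject: rc.Sub, Issuer: rc.Iss,
		Audience: aud, ExpiresAt: exp, IssuedAt: time.Unix(rc.Iat, 0)}, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the provider key a real validator fetches via JWKS
	tok, _ := signRS256(key, []byte(`{"iss":"https://issuer.example","sub":"1234567890","aud":"epithet-client","email":"user@example.com","iat":1700000000,"exp":1700003600}`)) // constructed sample
	fmt.Println(verifyIDToken(tok, &key.PublicKey, "https://issuer.example", "epithet-client", time.Unix(1700000100, 0)))
}
```

Run as a program it prints the Claims extracted from the valid sample token. The same function rejects a token whose aud omits the configured client ID, whose iss differs, whose exp has passed, whose signature was made with another key, or whose header asks for alg "none"; the alg pin matters because a validator that trusts the header's algorithm can be talked into skipping signature verification. A real validator also selects the verification key from the provider's JWKS by the token's kid, which is the lookup NewValidator's discovery step sets up.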
func (*Validator) ValidateAccessToken
ValidateAccessToken validates an OAuth2 access token. It is a convenience wrapper that accepts either an ID token or an access token; for an access token it calls the provider's UserInfo endpoint to obtain the user information. Note that an opaque access token carries no audience claim the validator can compare against ClientID, so the identity returned for it rests on the provider's UserInfo response and on the TLS connection to that endpoint (see TLSConfig); where the policy must know which client a token was issued to, validate an ID token with Validate instead.