Documentation

Index

Constants
This section is empty.

Variables
This section is empty.

Functions
This section is empty.

Types

type Claims
type Claims struct {
	// Identity is the user's identity, extracted from the email claim (or sub if email is not present)
	Identity string
	// Email is the user's email address (if present in the token)
	Email string
	// Subject is the subject claim (unique user identifier)
	Subject string
	// Issuer is the issuer claim (should match the configured issuer)
	Issuer string
	// Audience is the audience claim (who the token is intended for)
	Audience []string
	// ExpiresAt is when the token expires
	ExpiresAt time.Time
	// IssuedAt is when the token was issued
	IssuedAt time.Time
}

Claims represents the claims extracted from an OIDC token.
type Config

type Config struct {
	// Issuer is the OIDC provider issuer URL (e.g., "https://accounts.google.com")
	Issuer string
	// ClientID is the expected audience claim (optional, not always required)
	ClientID string
	// SkipExpiryCheck disables token expiration validation (not recommended for production)
	SkipExpiryCheck bool
	// TLSConfig configures TLS for OIDC provider connections
	TLSConfig tlsconfig.Config
}

Config configures the OIDC validator.
type Validator

type Validator struct {
	// contains filtered or unexported fields
}

Validator validates OIDC JWT tokens.
Example

Example test showing how to use the validator:

package main

import (
	"context"

	"github.com/epithet-ssh/epithet/pkg/policyserver/oidc"
)

func main() {
	ctx := context.Background()

	// Create a validator for Google
	validator, err := oidc.NewValidator(ctx, oidc.Config{
		Issuer: "https://accounts.google.com",
	})
	if err != nil {
		panic(err)
	}

	// Validate a token (this would come from `epithet auth oidc`)
	claims, err := validator.Validate(ctx, "token-from-auth-command")
	if err != nil {
		panic(err)
	}

	// Use the claims
	_ = claims.Identity // "user@example.com"
	_ = claims.Email    // "user@example.com"
	_ = claims.Subject  // "1234567890"
}
func NewValidator

NewValidator creates a new OIDC token validator. It performs OIDC discovery to fetch the provider's JWKS (public keys).

func (*Validator) Validate

Validate validates an OIDC JWT token and extracts claims. It returns Claims if the token is valid, and an error otherwise.

func (*Validator) ValidateAccessToken

ValidateAccessToken validates an OAuth2 access token. This is a convenience wrapper that handles both ID tokens and access tokens. For access tokens, it uses the UserInfo endpoint to get user information.
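The claim checks that the Config and Claims field docs above describe (issuer must match, ClientID as expected audience when set, expiry enforced unless SkipExpiryCheck, Identity taken from email with sub as fallback), written out as an added Go example with local stand-in types. This is not the epithet package's own code: checkClaims is a hypothetical helper, the sample claims are constructed, and it assumes the JWT signature has already been verified against the JWKS fetched during discovery.

```go
package main

import (
	"fmt"
	"slices"
	"time"
)

// Local stand-ins for the page's Claims and Config (added example, not the
// epithet package's code); IssuedAt and TLSConfig are omitted as unused here.
type Claims struct {
	Identity  string
	Email     string
	Subject   string
	Issuer    string
	Audience  []string
	ExpiresAt time.Time
}

type Config struct {
	Issuer          string
	ClientID        string
	SkipExpiryCheck bool
}

// checkClaims (hypothetical helper) applies the documented checks to parsed,
// signature-verified claims and derives Identity from Email, falling back to Subject.
func checkClaims(cfg Config, c Claims, now time.Time) (Claims, error) {
	if c.Issuer != cfg.Issuer {
		return Claims{}, fmt.Errorf("issuer %q does not match configured %q", c.Issuer, cfg.Issuer)
	}
	if cfg.ClientID != "" && !slices.Contains(c.Audience, cfg.ClientID) {
		return Claims{}, fmt.Errorf("audience %v does not include client ID %q", c.Audience, cfg.ClientID)
	}
	if !cfg.SkipExpiryCheck && !now.Before(c.ExpiresAt) {
		return Claims{}, fmt.Errorf("token expired at %s", c.ExpiresAt.UTC().Format(time.RFC3339))
	}
	c.Identity = c.Email
	if c.Identity == "" {
		c.Identity = c.Subject // no email claim: fall back to sub
	}
	return c, nil
}

func main() {
	cfg := Config{Issuer: "https://accounts.google.com", ClientID: "example-client-id"}
	c := Claims{Subject: "1234567890", Email: "user@example.com", Issuer: cfg.Issuer, // constructed sample
		Audience: []string{"example-client-id"}, ExpiresAt: time.Now().Add(time.Hour)}
	fmt.Println(checkClaims(cfg, c, time.Now())) // Identity resolves to "user@example.com", err is nil
}
```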