Documentation
Overview
Package client provides an OAuth PKCE client for local authentication.
Constants
const DefaultRefreshFraction = 0.5
DefaultRefreshFraction is the elapsed-lifetime fraction at which an access token is proactively refreshed: at 0.5 it refreshes once half its lifetime has passed (e.g. ~30 min into a 1h token), leaving a wide margin so a request never races a just-expired token.
Variables
This section is empty.
Functions
func ShouldRefresh (added in v0.34.0)
func ShouldRefresh(now, expiresAt time.Time, expiresIn int, buffer time.Duration, refreshFraction float64) bool
ShouldRefresh reports whether a token expiring at expiresAt (minted with an original lifetime of expiresIn seconds) should be proactively refreshed at the moment now.
It returns true once the token is within buffer of expiry, or — when the original lifetime is known — once it has passed refreshFraction of that lifetime. refreshFraction is the elapsed-life fraction at which to refresh (e.g. 0.5 refreshes at the halfway point, well before expiry, so a request never races a just-expired token). A zero expiresAt (unknown expiry) only triggers on the buffer check.
Types
type Client
type Client interface {
	// Login performs the OAuth PKCE flow and returns tokens.
	Login(ctx context.Context) (*Tokens, error)
	// Refresh refreshes an access token using a refresh token.
	Refresh(ctx context.Context, refreshToken string) (*Tokens, error)
	// ClientCredentials mints an access token using the OAuth2
	// client_credentials grant with Authentik's service-account form
	// (client_id + username + password). No refresh token is issued;
	// callers re-mint before expiry.
	ClientCredentials(ctx context.Context) (*Tokens, error)
}
Client handles OAuth PKCE authentication flow.
type Config
type Config struct {
	// IssuerURL is the OIDC issuer URL (e.g., https://dex.example.com).
	IssuerURL string
	// ClientID is the OAuth client ID.
	ClientID string
	// Resource is the optional OAuth protected resource to request tokens for.
	// Leave empty for standard OIDC providers that do not use RFC 8707 resource parameters.
	Resource string
	// BrandingURL is the URL to fetch branding config from (optional).
	// When set, the client fetches SuccessPageConfig from this endpoint
	// before login so it can resolve branding rules client-side in OIDC mode.
	BrandingURL string
	// RedirectPort is the local port for the callback server.
	// When zero, a free loopback port is selected automatically.
	RedirectPort int
	// Scopes are the OAuth scopes to request.
	Scopes []string
	// Username is the service-account username for the client_credentials
	// grant (Authentik service-account form). Unused by interactive flows.
	Username string
	// Password is the service-account app password for the
	// client_credentials grant. Unused by interactive flows.
	Password string
	// Headless uses the device authorization flow (RFC 8628) instead of
	// the local callback server. Use for SSH or headless environments.
	Headless bool
}
Config configures the OAuth client.
type OIDCConfig
type OIDCConfig struct {
	Issuer                      string   `json:"issuer"`
	AuthorizationEndpoint       string   `json:"authorization_endpoint"`
	TokenEndpoint               string   `json:"token_endpoint"`
	DeviceAuthorizationEndpoint string   `json:"device_authorization_endpoint"`
	JwksURI                     string   `json:"jwks_uri"`
	ScopesSupported             []string `json:"scopes_supported"`
}
OIDCConfig contains OIDC discovery configuration.
type Tokens
type Tokens struct {
	AccessToken          string    `json:"access_token"`
	RefreshToken         string    `json:"refresh_token,omitempty"`
	TokenType            string    `json:"token_type"`
	ExpiresIn            int       `json:"expires_in"`
	ExpiresAt            time.Time `json:"expires_at"`
	RefreshTokenIssuedAt time.Time `json:"refresh_token_issued_at,omitempty"`
}
Tokens contains the authentication tokens.
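The following is an added example, not code from this package, showing one implementation of the ShouldRefresh contract documented above (buffer check plus fraction-of-lifetime check, with the fraction check skipped when the original lifetime is unknown) and how a caller would apply it to a stored Tokens value, including a client_credentials token that has no refresh token and must be re-minted instead. The Tokens struct here is a constructed copy of the documented fields, the 30-second buffer is this example's choice, and the treatment of a zero expiresAt as "already inside the buffer" (so an unknown expiry yields true, failing toward a refresh rather than toward using a possibly dead token) is an assumption of this example, not something the page states.

```go
package main

import (
	"fmt"
	"time"
)

// DefaultRefreshFraction mirrors the documented constant: refresh once half
// of the token's original lifetime has elapsed.
const DefaultRefreshFraction = 0.5

// Tokens is a constructed copy of the documented Tokens fields so this
// example runs stand-alone; it is not the package's own type.
type Tokens struct {
	AccessToken  string
	RefreshToken string
	ExpiresIn    int       // original lifetime in seconds, as returned by the token endpoint
	ExpiresAt    time.Time // absolute expiry; zero when the provider gave no expires_in
}

// ShouldRefresh reports true once now is within buffer of expiresAt, or, when
// the original lifetime expiresIn is known, once refreshFraction of that
// lifetime has elapsed.
//
// Assumption of this example: a zero expiresAt (unknown expiry) is treated as
// already inside the buffer, so the function returns true.
func ShouldRefresh(now, expiresAt time.Time, expiresIn int, buffer time.Duration, refreshFraction float64) bool {
	// Fraction check: issuance time is derived as expiresAt - lifetime, so it
	// needs both the absolute expiry and the original lifetime.
	if !expiresAt.IsZero() && expiresIn > 0 && refreshFraction > 0 {
		lifetime := time.Duration(expiresIn) * time.Second
		issuedAt := expiresAt.Add(-lifetime)
		threshold := time.Duration(float64(lifetime) * refreshFraction)
		if now.Sub(issuedAt) >= threshold {
			return true
		}
	}
	// Buffer check: refresh once no more than buffer remains. For a zero
	// expiresAt, now+buffer is never before the zero time, so this is true.
	return !now.Add(buffer).Before(expiresAt)
}

// NeedsRefresh applies ShouldRefresh to a stored Tokens value using the
// documented default fraction and a fixed 30s safety buffer (example choice).
func NeedsRefresh(tok Tokens, now time.Time) bool {
	return ShouldRefresh(now, tok.ExpiresAt, tok.ExpiresIn, 30*time.Second, DefaultRefreshFraction)
}

func main() {
	// Constructed sample: a 1h token issued at a fixed instant.
	issued := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	tok := Tokens{AccessToken: "example-access-token", ExpiresIn: 3600, ExpiresAt: issued.Add(time.Hour)}
	for _, elapsed := range []time.Duration{10 * time.Minute, 30 * time.Minute, 59*time.Minute + 45*time.Second} {
		fmt.Printf("%v elapsed: refresh=%v\n", elapsed, NeedsRefresh(tok, issued.Add(elapsed)))
	}

	// A client_credentials token carries no refresh token; the same check
	// tells the caller when to re-mint via the grant instead of refreshing.
	cc := Tokens{AccessToken: "example-service-token", ExpiresIn: 600, ExpiresAt: issued.Add(10 * time.Minute)}
	fmt.Printf("client_credentials at 5m: re-mint=%v\n", NeedsRefresh(cc, issued.Add(5*time.Minute)))

	// Unknown expiry: only the buffer check runs, and under this example's
	// assumption it triggers immediately.
	unknown := Tokens{AccessToken: "example-no-expiry"}
	fmt.Printf("unknown expiry: refresh=%v\n", NeedsRefresh(unknown, issued))
}
```

The fraction check is what keeps refreshes off the critical path: with the default 0.5 a 1h token is renewed around the 30-minute mark, so the buffer check only matters for providers that omit expires_in or for very short-lived tokens.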