Documentation
Index ¶
- func CreateToken(token Token) error
- func GenerateIDToken(user user.User, sessionID string, nonce string, scope string, clientID string, ...) (string, error)
- func HandleRevoke(w http.ResponseWriter, r *http.Request)
- func HandleToken(w http.ResponseWriter, r *http.Request)
- func RevokeTokensByUserAndClient(userID, _ string) error
- func SetRefreshTokenCookie(w http.ResponseWriter, refreshToken string)
- func UserByAuthorizationCode(w http.ResponseWriter, request TokenRequest) (*user.User, *authcode.AuthCode, error)
- func UserByRefreshToken(w http.ResponseWriter, request TokenRequest) (*user.User, error)
- func ValidateTokenRequest(input TokenRequest) error
- func ValidateTokenRequestAuthorizationCode(input TokenRequest) error
- func ValidateTokenRequestPassword(input TokenRequest) error
- func ValidateTokenRequestRefresh(input TokenRequest) error
- type AuthToken
- type RefreshTokenClaims
- type Token
- type TokenRequest
- type TokenResponse
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CreateToken ¶
func GenerateIDToken ¶ added in v1.0.0
func GenerateIDToken(user user.User, sessionID string, nonce string, scope string, clientID string, authTime time.Time, accessToken string) (string, error)
GenerateIDToken creates an OIDC ID token JWT signed with RS256. OIDC Core §3.1.3.3: the ID token MUST contain iss, sub, aud, exp, iat. OIDC Core §3.1.3.3: nonce MUST be present if sent in the authorization request. OIDC Core §3.1.3.6: at_hash SHOULD be included when the ID token is issued from the token endpoint. The scope parameter controls which optional claims are included.
func HandleRevoke ¶
func HandleRevoke(w http.ResponseWriter, r *http.Request)
HandleRevoke godoc @Summary Revoke a token @Description Revokes an access or refresh token @Tags oauth2 @Accept application/x-www-form-urlencoded @Produce json @Param token formData string true "Token to revoke" @Success 200 {string} string "Token revoked successfully" @Failure 400 {object} model.ApiError @Failure 500 {object} model.ApiError @Router /oauth2/revoke [post]
func HandleToken ¶
func HandleToken(w http.ResponseWriter, r *http.Request)
HandleToken godoc @Summary Token endpoint @Description Exchanges authorization code or credentials for tokens @Tags oauth2 @Accept application/x-www-form-urlencoded @Produce json @Param grant_type formData string true "Grant type (authorization_code, password, refresh_token, client_credentials)" @Param code formData string false "Authorization code" @Param redirect_uri formData string false "Redirect URI" @Param client_id formData string false "Client ID" @Param username formData string false "Username" @Param password formData string false "Password" @Param scope formData string false "Requested scope" @Success 200 {object} TokenResponse @Failure 400 {object} model.ApiError @Failure 500 {object} model.ApiError @Router /oauth2/token [post]
func RevokeTokensByUserAndClient ¶ added in v1.5.4
RevokeTokensByUserAndClient sets revoked_at on all non-revoked authorization_code grant tokens for the given user. It is called when authorization code reuse is detected, per RFC 6749 §4.1.2. The clientID argument is accepted for logging context only; it cannot narrow the revocation to one client, because the tokens table has no client_id column.
func SetRefreshTokenCookie ¶ added in v1.5.0
func SetRefreshTokenCookie(w http.ResponseWriter, refreshToken string)
func UserByAuthorizationCode ¶
func UserByAuthorizationCode(w http.ResponseWriter, request TokenRequest) (*user.User, *authcode.AuthCode, error)
func UserByRefreshToken ¶
func UserByRefreshToken(w http.ResponseWriter, request TokenRequest) (*user.User, error)
func ValidateTokenRequest ¶
func ValidateTokenRequest(input TokenRequest) error
func ValidateTokenRequestAuthorizationCode ¶
func ValidateTokenRequestAuthorizationCode(input TokenRequest) error
func ValidateTokenRequestPassword ¶
func ValidateTokenRequestPassword(input TokenRequest) error
func ValidateTokenRequestRefresh ¶
func ValidateTokenRequestRefresh(input TokenRequest) error
Types ¶
type AuthToken ¶
// AuthToken is the in-memory result of issuing tokens: GenerateTokens and
// GenerateClientCredentialsToken both return it. Token, by contrast, is the
// persisted database record.
//
// NOTE(review): AccessToken and RefreshToken are bearer credentials; keep
// this value out of logs and error responses.
type AuthToken struct {
	UserID           string    // Subject the tokens were issued for; for client_credentials grants sub is the client_id (see GenerateClientCredentialsToken) — confirm what this field holds in that case
	AccessToken      string    // Signed access token
	RefreshToken     string    // Refresh token; presumably empty for client_credentials grants, which issue none (RFC 6749 §4.4.3) — verify
	SessionID        string    // Session the tokens belong to; presumably the same value carried as the sid claim in RefreshTokenClaims — verify
	AccessExpiresAt  time.Time // Expiry of AccessToken
	RefreshExpiresAt time.Time // Expiry of RefreshToken
}
func GenerateClientCredentialsToken ¶ added in v1.6.4
func GenerateClientCredentialsToken(clientID string, scope string, cfg *config.Config) (*AuthToken, error)
GenerateClientCredentialsToken creates a signed access token for a client_credentials grant. RFC 6749 §4.4: the client is the resource owner — sub is set to the client_id. No refresh token is generated (RFC 6749 §4.4.3).
func GenerateTokens ¶
func GenerateTokens(user user.User, clientID string, scope string, cfg *config.Config) (*AuthToken, error)
GenerateTokens creates a signed access token and refresh token for the given user. cfg should be the per-client resolved config (via config.GetForClient) so that per-client overrides for expiration and audience are applied. OIDC Core §5.4: scope values control which claims are embedded in the access token.
type RefreshTokenClaims ¶
// RefreshTokenClaims is the claim set carried in a refresh token.
// DecodeRefreshToken parses a token string into it; Valid returns an error
// when the decoded claims are rejected (see its implementation for which
// checks apply).
type RefreshTokenClaims struct {
	UserID    string `json:"sub"` // The ID of the user associated with the refresh token (sub claim)
	SessionID string `json:"sid"` // The session ID for which the refresh token is issued (sid claim)
	ClientID  string `json:"azp"` // The client the refresh token was issued to (azp, "authorized party", claim)
	IssuedAt  int64  `json:"iat"` // The timestamp when the refresh token was issued (iat claim; presumably Unix seconds — verify)
	ExpiresAt int64  `json:"exp"` // The timestamp when the refresh token will expire (exp claim; presumably Unix seconds — verify)
}
func DecodeRefreshToken ¶
func DecodeRefreshToken(tokenString string, secretKey string) (*RefreshTokenClaims, error)
func (*RefreshTokenClaims) Valid ¶
func (r *RefreshTokenClaims) Valid() error
type Token ¶
// Token represents a token record in the database.
//
// Revocation is tracked through RevokedAt: RevokeTokensByUserAndClient sets
// revoked_at on every non-revoked authorization_code grant token of a user.
// NOTE(review): there is no client_id column on this record, so revocation
// keyed by user cannot be narrowed to a single client.
type Token struct {
	ID                     string     `db:"id"`                         // Unique token ID
	UserID                 *string    `db:"user_id"`                    // The user to whom the token belongs (NULL for client_credentials)
	AccessToken            string     `db:"access_token"`               // The actual access token (JWT or opaque token)
	RefreshToken           string     `db:"refresh_token"`              // The refresh token used for refreshing access tokens
	AccessTokenType        string     `db:"access_token_type"`          // Type of access token (e.g., 'Bearer', 'JWT')
	RefreshTokenExpiresAt  time.Time  `db:"refresh_token_expires_at"`   // Expiration time for the refresh token (if applicable)
	RefreshTokenLastUsedAt *time.Time `db:"refresh_token_last_used_at"` // Tracks when the refresh token was last used
	AccessTokenExpiresAt   time.Time  `db:"access_token_expires_at"`    // Expiration time for the access token
	IssuedAt               time.Time  `db:"issued_at"`                  // When the token was issued
	Scope                  string     `db:"scope"`                      // The scopes granted for this token (nullable)
	GrantType              string     `db:"grant_type"`                 // The OAuth2 grant type (e.g., 'authorization_code', 'client_credentials')
	RevokedAt              *time.Time `db:"revoked_at"`                 // Timestamp for when the token was revoked (nullable); nil means the token is not revoked
}
type TokenRequest ¶
// TokenRequest carries the parameters of a request to the token endpoint.
// ValidateTokenRequest and the per-grant validators
// (ValidateTokenRequestAuthorizationCode, ValidateTokenRequestPassword,
// ValidateTokenRequestRefresh) accept it, as do UserByAuthorizationCode and
// UserByRefreshToken.
//
// NOTE(review): ClientSecret, Password, TotpCode and RefreshToken are
// credentials; keep this struct out of logs and error responses.
type TokenRequest struct {
	GrantType    string `json:"grant_type"`              // The OAuth2 grant type (e.g., 'authorization_code', 'refresh_token', 'password')
	Code         string `json:"code"`                    // The authorization code received from the authorization server
	RedirectURI  string `json:"redirect_uri"`            // The redirect URI used in the authorization request
	ClientID     string `json:"client_id"`               // The client ID of the application making the request
	ClientSecret string `json:"client_secret,omitempty"` // The client secret (optional, depending on the grant type)
	CodeVerifier string `json:"code_verifier,omitempty"` // The code verifier for PKCE (optional, depending on the grant type)
	Username     string `json:"username,omitempty"`      // The username for the resource owner (used in password grant type)
	Password     string `json:"password,omitempty"`      // The password for the resource owner (used in password grant type)
	TotpCode     string `json:"totp_code,omitempty"`     // The TOTP code for MFA verification (used in password grant type)
	RefreshToken string `json:"refresh_token,omitempty"` // The refresh token (used in refresh token grant type)
	Scope        string `json:"scope,omitempty"`         // The requested scope (used in password grant type)
}