token

package

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CreateToken

func CreateToken(token Token) error

func GenerateIDToken added in v1.0.0

func GenerateIDToken(user user.User, sessionID string, nonce string, scope string, clientID string) (string, error)

GenerateIDToken creates an OIDC ID token JWT signed with RS256. The nonce parameter is included in the token if non-empty (for authorization code flow replay protection). The scope parameter controls which claims are included (e.g. "profile" adds name claims, "email" adds email claims).

func HandleRevoke

func HandleRevoke(w http.ResponseWriter, r *http.Request)

HandleRevoke godoc @Summary Revoke a token @Description Revokes an access or refresh token @Tags token @Accept application/x-www-form-urlencoded @Produce json @Param token formData string true "Token to revoke" @Success 200 {string} string "Token revoked successfully" @Failure 400 {object} model.ApiError @Failure 500 {object} model.ApiError @Router /oauth2/revoke [post]

func HandleToken

func HandleToken(w http.ResponseWriter, r *http.Request)

HandleToken godoc @Summary Token endpoint @Description Exchanges authorization code or credentials for tokens @Tags token @Accept application/x-www-form-urlencoded @Produce json @Param grant_type formData string true "Grant type" @Param code formData string false "Authorization code" @Param redirect_uri formData string false "Redirect URI" @Param client_id formData string false "Client ID" @Param username formData string false "Username" @Param password formData string false "Password" @Success 200 {object} TokenResponse @Failure 400 {object} model.ApiError @Failure 500 {object} model.ApiError @Router /oauth2/token [post]

func SetRefreshTokenCookie added in v1.5.0

func SetRefreshTokenCookie(w http.ResponseWriter, refreshToken string)

func UserByAuthorizationCode

func UserByAuthorizationCode(w http.ResponseWriter, request TokenRequest) (*user.User, *authcode.AuthCode, error)

func UserByRefreshToken

func UserByRefreshToken(w http.ResponseWriter, request TokenRequest) (*user.User, error)

func ValidateTokenRequest

func ValidateTokenRequest(input TokenRequest) error

func ValidateTokenRequestAuthorizationCode

func ValidateTokenRequestAuthorizationCode(input TokenRequest) error

func ValidateTokenRequestPassword

func ValidateTokenRequestPassword(input TokenRequest) error

func ValidateTokenRequestRefresh

func ValidateTokenRequestRefresh(input TokenRequest) error

Types

type AuthToken

// AuthToken holds the tokens produced by GenerateTokens for one user session:
// the signed access token, its refresh token and the instant each one expires.
// AccessToken and RefreshToken are bearer credentials — keep values of this
// type out of logs and error messages.
type AuthToken struct {
	UserID           string    // User the tokens were issued for
	AccessToken      string    // Signed access token (bearer credential)
	RefreshToken     string    // Refresh token (bearer credential)
	SessionID        string    // Session the tokens belong to
	AccessExpiresAt  time.Time // Expiry of AccessToken
	RefreshExpiresAt time.Time // Expiry of RefreshToken
}

func GenerateTokens

func GenerateTokens(user user.User, clientID string, cfg *config.Config) (*AuthToken, error)

GenerateTokens creates a signed access token and refresh token for the given user. cfg should be the per-client resolved config (via config.GetForClient) so that per-client overrides for expiration and audience are applied.

type RefreshTokenClaims

// RefreshTokenClaims is the claim set carried by a refresh token JWT. It is
// produced by DecodeRefreshToken; its Valid method returns an error for a
// claim set that must be rejected. IssuedAt and ExpiresAt are presumably Unix
// timestamps in seconds (the standard iat/exp encoding) — confirm against
// DecodeRefreshToken before relying on the unit.
type RefreshTokenClaims struct {
	UserID    string `json:"sub"` // The ID of the user associated with the refresh token
	SessionID string `json:"sid"` // The session ID for which the refresh token is issued
	IssuedAt  int64  `json:"iat"` // The timestamp when the refresh token was issued
	ExpiresAt int64  `json:"exp"` // The timestamp when the refresh token will expire
}

func DecodeRefreshToken

func DecodeRefreshToken(tokenString string, secretKey string) (*RefreshTokenClaims, error)

func (*RefreshTokenClaims) Valid

func (r *RefreshTokenClaims) Valid() error

type Token

// Token represents a token record in the database; CreateToken takes a value
// of this type. AccessToken and RefreshToken are stored as strings here —
// whether they are hashed before being written is not visible in this package
// listing; confirm in CreateToken, since plaintext bearer tokens at rest are
// directly usable by anyone who reads the table.
type Token struct {
	ID                     string     `db:"id"`                         // Unique token ID
	UserID                 string     `db:"user_id"`                    // The user to whom the token belongs
	AccessToken            string     `db:"access_token"`               // The actual access token (JWT or opaque token)
	RefreshToken           string     `db:"refresh_token"`              // The refresh token used for refreshing access tokens
	AccessTokenType        string     `db:"access_token_type"`          // Type of access token (e.g., 'Bearer', 'JWT')
	RefreshTokenExpiresAt  time.Time  `db:"refresh_token_expires_at"`   // Expiration time for the refresh token (if applicable)
	RefreshTokenLastUsedAt *time.Time `db:"refresh_token_last_used_at"` // Tracks when the refresh token was last used (pointer, presumably NULL until first use)
	AccessTokenExpiresAt   time.Time  `db:"access_token_expires_at"`    // Expiration time for the access token
	IssuedAt               time.Time  `db:"issued_at"`                  // When the token was issued
	Scope                  string     `db:"scope"`                      // The scopes granted for this token (nullable)
	GrantType              string     `db:"grant_type"`                 // The OAuth2 grant type (e.g., 'authorization_code', 'client_credentials')
	RevokedAt              *time.Time `db:"revoked_at"`                 // Timestamp for when the token was revoked (nullable)
}

Token represents a token record in the database.

type TokenRequest

// TokenRequest is the parsed request to the /oauth2/token endpoint served by
// HandleToken. Which fields are required depends on GrantType; see
// ValidateTokenRequest and the per-grant ValidateTokenRequestAuthorizationCode,
// ValidateTokenRequestPassword and ValidateTokenRequestRefresh. The struct
// carries json tags while HandleToken accepts application/x-www-form-urlencoded;
// how form fields are mapped onto it is not shown here — confirm in HandleToken.
// ClientSecret, Password and RefreshToken are credentials: never log a
// TokenRequest value with %v/%+v.
type TokenRequest struct {
	GrantType    string `json:"grant_type"`              // The OAuth2 grant type (e.g., 'authorization_code', 'refresh_token', 'password')
	Code         string `json:"code"`                    // The authorization code received from the authorization server
	RedirectURI  string `json:"redirect_uri"`            // The redirect URI used in the authorization request
	ClientID     string `json:"client_id"`               // The client ID of the application making the request
	ClientSecret string `json:"client_secret,omitempty"` // The client secret (optional, depending on the grant type)
	CodeVerifier string `json:"code_verifier,omitempty"` // The code verifier for PKCE (optional, depending on the grant type)
	Username     string `json:"username,omitempty"`      // The username for the resource owner (used in password grant type)
	Password     string `json:"password,omitempty"`      // The password for the resource owner (used in password grant type)
	RefreshToken string `json:"refresh_token,omitempty"` // The refresh token (used in refresh token grant type)
	Scope        string `json:"scope,omitempty"`         // The requested scope (used in password grant type)
}

type TokenResponse

// TokenResponse is the JSON body HandleToken returns on success.
// RefreshToken and IDToken are omitted from the JSON when empty; the package
// also exposes SetRefreshTokenCookie, so the refresh token may be delivered
// as a cookie rather than in this body — confirm in HandleToken.
type TokenResponse struct {
	AccessToken  string `json:"access_token"`            // Signed access token (bearer credential)
	TokenType    string `json:"token_type"`              // Token type reported to the client
	ExpiresIn    int    `json:"expires_in"`              // Access token lifetime; presumably seconds as in RFC 6749 — confirm in HandleToken
	RefreshToken string `json:"refresh_token,omitempty"` // Refresh token, if one is returned in the body
	IDToken      string `json:"id_token,omitempty"`      // OIDC ID token from GenerateIDToken, when issued
	Scope        string `json:"scope"`                   // Scope granted for the access token
}
