oidc

package
v0.6.0 Latest
Published: Jun 1, 2026 License: MIT Imports: 14 Imported by: 0

Documentation

Overview

Package oidc is a minimal OIDC *client*: discovery, an authorization-code + PKCE redirect, code→token exchange, and ID-token verification. It is the shared client used when a forge service signs users in via an external IdP (or another forge service acting as the IdP).

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Challenge

func Challenge(verifier string) string

Challenge is the S256 code_challenge for a verifier.

func NewVerifier

func NewVerifier() (string, error)

NewVerifier returns a high-entropy PKCE code_verifier.

func RandomState

func RandomState() (string, error)

RandomState returns an opaque CSRF state value.

Types

type Claims

type Claims struct {
	Subject       string
	Email         string
	EmailVerified bool
	Name          string
}

Claims is the identity extracted from a verified ID token.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client is an OIDC relying-party for one Provider, caching discovery + JWKS.

func NewClient

func NewClient(p Provider, h HTTPDoer) *Client

func (*Client) AuthCodeURL

func (c *Client) AuthCodeURL(ctx context.Context, redirectURI, state, codeChallenge string) (string, error)

AuthCodeURL builds the authorization-code + PKCE redirect to the IdP.

func (*Client) Exchange

func (c *Client) Exchange(ctx context.Context, redirectURI, code, codeVerifier string) (Tokens, error)

Exchange swaps an authorization code for tokens (PKCE; public or confidential).

func (*Client) VerifyIDToken

func (c *Client) VerifyIDToken(ctx context.Context, rawIDToken string) (Claims, error)

VerifyIDToken validates the ID token's signature against the IdP's JWKS and its issuer/audience, returning the identity claims.

type HTTPDoer

type HTTPDoer interface {
	Do(*http.Request) (*http.Response, error)
}

HTTPDoer is the request surface (so tests can stub it).

type Provider

type Provider struct {
	Issuer       string // base issuer URL; discovery is issuer + /.well-known/openid-configuration
	ClientID     string
	ClientSecret string // empty for a public client (PKCE only)
	Scopes       []string
}

Provider is the static config for one IdP.

type Tokens

type Tokens struct {
	AccessToken  string `json:"access_token"`
	IDToken      string `json:"id_token"`
	RefreshToken string `json:"refresh_token"`
	TokenType    string `json:"token_type"`
}

Tokens is the token endpoint response we care about.
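A worked example of the redirect-and-callback half of the flow described above (the part that Challenge, NewVerifier, RandomState, AuthCodeURL and Exchange cover), written for this page and not taken from the package: it derives the S256 code_challenge per RFC 7636, keeps state and code_verifier server-side so the IdP only ever sees the challenge, and rejects an unknown or replayed state on callback. The authorization endpoint, client_id and redirect URI are constructed values; ID-token verification against the JWKS is out of scope here.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
)

// Assumed RP config (constructed values) plus the server-side store of state -> code_verifier.
const authz, clientID = "https://idp.example/authorize", "forge-web"
var logins = map[string]string{}

// newSecret returns 32 random bytes as unpadded base64url (43 chars): a PKCE verifier or CSRF state.
func newSecret() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: nothing security-relevant may proceed
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// challengeS256 is BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 section 4.2.
func challengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// authCodeURL starts a login: mint state and verifier, keep both, send the IdP only the challenge.
func authCodeURL(redirectURI string) string {
	state, verifier := newSecret(), newSecret()
	logins[state] = verifier
	q := url.Values{"response_type": {"code"}, "client_id": {clientID},
		"redirect_uri": {redirectURI}, "scope": {"openid email"}, "state": {state},
		"code_challenge": {challengeS256(verifier)}, "code_challenge_method": {"S256"}}
	return authz + "?" + q.Encode()
}

// tokenForm handles the callback: state must match a pending login exactly once; the stored verifier then goes with the code.
func tokenForm(state, code, redirectURI string) (url.Values, error) {
	verifier, ok := logins[state]
	if !ok {
		return nil, fmt.Errorf("unknown or already-used state")
	}
	delete(logins, state) // single use: a replayed callback fails here
	return url.Values{"grant_type": {"authorization_code"}, "code": {code},
		"redirect_uri": {redirectURI}, "client_id": {clientID}, "code_verifier": {verifier}}, nil
}
func main() { fmt.Println(authCodeURL("https://forge.example/callback")) }
```

Running main prints one authorization URL; the verifier never appears in it, only its challenge, which is why the caller of the package's Exchange must supply the verifier it kept in its own session.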
