Versions in this module: v0 — v0.2.0 (Mar 8, 2026). Changes in this version: + var ErrAuthCodeExpired = errors.New("coreauth: authorization code expired") + var ErrAuthCodeNotFound = errors.New("coreauth: authorization code not found") + var ErrAuthCodeUsed = errors.New("coreauth: authorization code already used") + var ErrClientExists = errors.New("coreauth: client already exists") + var ErrClientNotFound = errors.New("coreauth: client not found") + var ErrFederationConnectionFailed = errors.New("coreauth: failed to connect to CoreControl") + var ErrFederationNotConfigured = errors.New("coreauth: federation not configured") + var ErrInvalidClientType = errors.New("coreauth: invalid client type") + var ErrInvalidGlobalToken = errors.New("coreauth: invalid global identity token") + var ErrInvalidToken = errors.New("coreauth: invalid token") + var ErrKeyGenerationFailed = errors.New("coreauth: failed to generate signing key") + var ErrMissingIssuer = errors.New("coreauth: issuer is required") + var ErrPKCEVerificationFailed = errors.New("coreauth: PKCE verification failed") + var ErrStorageInitFailed = errors.New("coreauth: failed to initialize storage") + var ErrTokenExpired = errors.New("coreauth: token expired") + var ErrTokenNotFound = errors.New("coreauth: token not found") + var ErrTokenRevoked = errors.New("coreauth: token revoked") + var ErrUserExists = errors.New("coreauth: user already exists") + var ErrUserNotFound = errors.New("coreauth: user not found") + func AccessRequestFromContext(ctx context.Context) fosite.AccessRequester + func ContextWithOwnerID(ctx context.Context, ownerID uuid.UUID) context.Context + func LoggerFromContext(ctx context.Context) *slog.Logger + func SaveConfig(cfg *Config, path string) error + func WithAccessRequest(ctx context.Context, ar fosite.AccessRequester) context.Context + type AuthCodeData struct + ClientID string + CodeChallenge string + CodeChallengeMethod string + ExpiresAt int64 + GrantedScopes 
[]string + Nonce string + RedirectURI string + Scopes []string + Session *StoredSession + Signature string + State string + Subject string + Used bool + type AuthorizationSession struct + ClientID string + CodeChallenge string + CodeChallengeMethod string + ConsentGranted bool + CreatedAt time.Time + ExpiresAt time.Time + GrantedScopes []string + Nonce string + RedirectURI string + RequestID string + Scopes []string + State string + UserID string + func NewAuthorizationSession(ar fosite.AuthorizeRequester) *AuthorizationSession + func (s *AuthorizationSession) IsExpired() bool + type AuthorizeInput struct + ClientID string + CodeChallenge string + CodeChallengeMethod string + Nonce string + RedirectURI string + ResponseType string + Scope string + State string + type AuthorizeOutput struct + Location string + type Client struct + AccessTokenLifetime *time.Duration + Audience []string + CreatedAt time.Time + Description string + GrantTypes []string + ID string + Metadata map[string]any + Name string + RedirectURIs []string + RefreshTokenLifetime *time.Duration + ResponseTypes []string + Scopes []string + Secret string + SecretHash string + Type ClientType + UpdatedAt time.Time + func NewClientFromConfig(cfg ClientConfig) (*Client, error) + func (c *Client) GetAudience() fosite.Arguments + func (c *Client) GetGrantTypes() fosite.Arguments + func (c *Client) GetHashedSecret() []byte + func (c *Client) GetID() string + func (c *Client) GetRedirectURIs() []string + func (c *Client) GetResponseTypes() fosite.Arguments + func (c *Client) GetScopes() fosite.Arguments + func (c *Client) IsPublic() bool + func (c *Client) ValidateSecret(secret string) bool + type ClientConfig struct + AccessTokenLifetime *Duration + Audience []string + Description string + GrantTypes []string + ID string + Name string + RedirectURIs []string + RefreshTokenLifetime *Duration + ResponseTypes []string + Scopes []string + Secret string + Type string + type ClientManager interface + CreateClient 
func(ctx context.Context, client *Client) error + DeleteClient func(ctx context.Context, id string) error + GetClientByID func(ctx context.Context, id string) (*Client, error) + ListClients func(ctx context.Context) ([]*Client, error) + UpdateClient func(ctx context.Context, client *Client) error + type ClientType string + const ClientTypeConfidential + const ClientTypePublic + type Config struct + Clients []ClientConfig + Database *DatabaseConfig + Features FeatureConfig + Federation *FederationConfig + Issuer string + Keys KeyConfig + Tokens TokenConfig + func DefaultConfig(issuer string) *Config + func LoadConfig(path string) (*Config, error) + func ParseConfig(data []byte, format ConfigFormat) (*Config, error) + func (c *Config) ApplyDefaults() + func (c *Config) Validate() error + type ConfigFormat string + const FormatJSON + const FormatYAML + type CoreControlDiscovery struct + AuthorizationEndpoint string + IntrospectionEndpoint string + Issuer string + JwksURI string + RevocationEndpoint string + ScopesSupported []string + TokenEndpoint string + UserinfoEndpoint string + type DatabaseConfig struct + DSN string + Driver string + type DefaultIdentitySyncHandler struct + func NewDefaultIdentitySyncHandler(storage Storage) *DefaultIdentitySyncHandler + func (h *DefaultIdentitySyncHandler) SyncIdentity(ctx context.Context, req *IdentitySyncRequest) (*IdentitySyncResponse, error) + type DefaultSessionProvider struct + func NewDefaultSessionProvider(opts ...DefaultSessionProviderOption) *DefaultSessionProvider + func (p *DefaultSessionProvider) GetAuthenticatedUser(r *http.Request) string + func (p *DefaultSessionProvider) GetUserClaims(_ context.Context, userID string, _ []string) map[string]interface{} + func (p *DefaultSessionProvider) HasConsent(_ context.Context, _, _ string, _ []string) bool + func (p *DefaultSessionProvider) RedirectToConsent(returnURL string) string + func (p *DefaultSessionProvider) RedirectToLogin(returnURL string) string + func (p 
*DefaultSessionProvider) SaveConsent(_ context.Context, _, _ string, _ []string) error + type DefaultSessionProviderOption func(*DefaultSessionProvider) + func WithConsentURL(url string) DefaultSessionProviderOption + func WithLoginURL(url string) DefaultSessionProviderOption + func WithSkipConsent(skip bool) DefaultSessionProviderOption + func WithUserIDHeader(header string) DefaultSessionProviderOption + type Duration time.Duration + func (Duration) JSONSchema() *jsonschema.Schema + func (d *Duration) UnmarshalJSON(b []byte) error + func (d *Duration) UnmarshalYAML(unmarshal func(interface{}) error) error + func (d Duration) Duration() time.Duration + func (d Duration) MarshalJSON() ([]byte, error) + func (d Duration) MarshalYAML() (interface{}, error) + type EntStorage struct + func NewEntStorage(db *ent.Client, opts ...EntStorageOption) *EntStorage + func (s *EntStorage) ClientAssertionJWTValid(ctx context.Context, jti string) error + func (s *EntStorage) CreateAccessTokenSession(ctx context.Context, signature string, request fosite.Requester) error + func (s *EntStorage) CreateAuthorizeCodeSession(ctx context.Context, code string, request fosite.Requester) error + func (s *EntStorage) CreateClient(ctx context.Context, client *Client) error + func (s *EntStorage) CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error + func (s *EntStorage) CreateRefreshTokenSession(ctx context.Context, signature string, accessSignature string, ...) 
error + func (s *EntStorage) CreateUser(ctx context.Context, user *User) error + func (s *EntStorage) DeleteAccessTokenSession(ctx context.Context, signature string) error + func (s *EntStorage) DeleteClient(ctx context.Context, id string) error + func (s *EntStorage) DeletePKCERequestSession(ctx context.Context, signature string) error + func (s *EntStorage) DeleteRefreshTokenSession(ctx context.Context, signature string) error + func (s *EntStorage) DeleteUser(ctx context.Context, id uuid.UUID) error + func (s *EntStorage) GetAccessTokenSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error) + func (s *EntStorage) GetAuthorizeCodeSession(ctx context.Context, code string, session fosite.Session) (fosite.Requester, error) + func (s *EntStorage) GetClient(ctx context.Context, clientID string) (fosite.Client, error) + func (s *EntStorage) GetClientByID(ctx context.Context, id string) (*Client, error) + func (s *EntStorage) GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error) + func (s *EntStorage) GetRefreshTokenSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error) + func (s *EntStorage) GetUserByEmail(ctx context.Context, email string) (*User, error) + func (s *EntStorage) GetUserByFederationID(ctx context.Context, federationID uuid.UUID) (*User, error) + func (s *EntStorage) GetUserByID(ctx context.Context, id uuid.UUID) (*User, error) + func (s *EntStorage) InvalidateAuthorizeCodeSession(ctx context.Context, code string) error + func (s *EntStorage) ListClients(ctx context.Context) ([]*Client, error) + func (s *EntStorage) RevokeAccessToken(ctx context.Context, requestID string) error + func (s *EntStorage) RevokeRefreshToken(ctx context.Context, requestID string) error + func (s *EntStorage) RotateRefreshToken(ctx context.Context, requestID string, refreshTokenSignature string) error + func (s *EntStorage) 
SetClientAssertionJWT(ctx context.Context, jti string, exp time.Time) error + func (s *EntStorage) UpdateClient(ctx context.Context, client *Client) error + func (s *EntStorage) UpdateUser(ctx context.Context, user *User) error + func (s *EntStorage) ValidateSecretArgon2id(ctx context.Context, clientID, secret string) error + type EntStorageOption func(*EntStorage) + func WithDefaultOwner(ownerID uuid.UUID) EntStorageOption + type FeatureConfig struct + AllowDynamicRegistration bool + EnableDeviceFlow bool + EnableJWTAccessTokens bool + RequirePKCE bool + type FederationClient struct + func NewFederationClient(config *FederationConfig) (*FederationClient, error) + func (c *FederationClient) Config() *FederationConfig + func (c *FederationClient) Discovery() *CoreControlDiscovery + func (c *FederationClient) ExchangeCode(ctx context.Context, code, redirectURI string) (*SSOTokenResponse, error) + func (c *FederationClient) GetGlobalIdentity(ctx context.Context, globalID uuid.UUID) (*GlobalIdentity, error) + func (c *FederationClient) GetIdentityMapping(ctx context.Context, globalID uuid.UUID) (*IdentityMapping, error) + func (c *FederationClient) GetSSOAuthorizationURL(ctx context.Context, state, redirectURI string) (string, error) + func (c *FederationClient) Initialize(ctx context.Context) error + func (c *FederationClient) NotifyAppAccess(ctx context.Context, sessionID uuid.UUID) error + func (c *FederationClient) RegisterWithCoreControl(ctx context.Context, federationID uuid.UUID, displayName, baseURL string, ...) 
error + func (c *FederationClient) ValidateSSOSession(ctx context.Context, sessionID uuid.UUID) (*SSOSession, error) + type FederationConfig struct + AppID string + ClientID string + ClientSecret string + CoreControlURL string + Enabled bool + type FederationEndpoints struct + func NewFederationEndpoints(server *Server, syncHandler IdentitySyncHandler) *FederationEndpoints + func (f *FederationEndpoints) RegisterRoutes() + type FederationHealthResponse struct + AppID string + Capabilities []string + Details map[string]string + Status string + Version string + type GlobalIdentity struct + Attributes map[string]interface{} + CreatedAt time.Time + DisplayName string + Email string + FederationID uuid.UUID + ID uuid.UUID + Status string + UpdatedAt time.Time + type IdentityMapping struct + AppID string + GlobalIdentityID uuid.UUID + ID uuid.UUID + LocalPrincipalID uuid.UUID + MappedAt time.Time + SyncStatus string + type IdentitySyncHandler interface + SyncIdentity func(ctx context.Context, req *IdentitySyncRequest) (*IdentitySyncResponse, error) + type IdentitySyncRequest struct + Action string + Identity *GlobalIdentity + type IdentitySyncResponse struct + Error string + LocalPrincipalID uuid.UUID + Status string + type IntrospectInput struct + Authorization string + Token string + TokenTypeHint string + type IntrospectOutput struct + Body IntrospectResponse + type IntrospectResponse struct + Active bool + Aud string + ClientID string + Exp int64 + Iat int64 + Iss string + Jti string + Nbf int64 + Scope string + Sub string + TokenType string + Username string + type JWKSInput struct + type JWKSOutput struct + Body jose.JSONWebKeySet + type KeyConfig struct + Algorithm string + PrivateKey *rsa.PrivateKey + RotationDays int + type MemoryStorage struct + func NewMemoryStorage() *MemoryStorage + func (s *MemoryStorage) CleanupExpired(ctx context.Context) error + func (s *MemoryStorage) ClientAssertionJWTValid(ctx context.Context, jti string) error + func (s 
*MemoryStorage) CreateAccessTokenSession(ctx context.Context, signature string, request fosite.Requester) error + func (s *MemoryStorage) CreateAuthorizeCodeSession(ctx context.Context, code string, request fosite.Requester) error + func (s *MemoryStorage) CreateClient(ctx context.Context, client *Client) error + func (s *MemoryStorage) CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error + func (s *MemoryStorage) CreateRefreshTokenSession(ctx context.Context, signature string, accessSignature string, ...) error + func (s *MemoryStorage) CreateUser(ctx context.Context, user *User) error + func (s *MemoryStorage) DeleteAccessTokenSession(ctx context.Context, signature string) error + func (s *MemoryStorage) DeleteClient(ctx context.Context, id string) error + func (s *MemoryStorage) DeletePKCERequestSession(ctx context.Context, signature string) error + func (s *MemoryStorage) DeleteRefreshTokenSession(ctx context.Context, signature string) error + func (s *MemoryStorage) DeleteUser(ctx context.Context, id uuid.UUID) error + func (s *MemoryStorage) GetAccessTokenSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error) + func (s *MemoryStorage) GetAuthorizeCodeSession(ctx context.Context, code string, session fosite.Session) (fosite.Requester, error) + func (s *MemoryStorage) GetClient(ctx context.Context, id string) (fosite.Client, error) + func (s *MemoryStorage) GetClientByID(ctx context.Context, id string) (*Client, error) + func (s *MemoryStorage) GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error) + func (s *MemoryStorage) GetRefreshTokenSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error) + func (s *MemoryStorage) GetUserByEmail(ctx context.Context, email string) (*User, error) + func (s *MemoryStorage) GetUserByFederationID(ctx context.Context, federationID uuid.UUID) 
(*User, error) + func (s *MemoryStorage) GetUserByID(ctx context.Context, id uuid.UUID) (*User, error) + func (s *MemoryStorage) InvalidateAuthorizeCodeSession(ctx context.Context, code string) error + func (s *MemoryStorage) ListClients(ctx context.Context) ([]*Client, error) + func (s *MemoryStorage) RevokeAccessToken(ctx context.Context, requestID string) error + func (s *MemoryStorage) RevokeRefreshToken(ctx context.Context, requestID string) error + func (s *MemoryStorage) RotateRefreshToken(ctx context.Context, requestID string, refreshTokenSignature string) error + func (s *MemoryStorage) SetClientAssertionJWT(ctx context.Context, jti string, exp time.Time) error + func (s *MemoryStorage) UpdateClient(ctx context.Context, client *Client) error + func (s *MemoryStorage) UpdateUser(ctx context.Context, user *User) error + type OAuthError struct + Error string + ErrorDescription string + ErrorURI string + type OpenIDConfigInput struct + type OpenIDConfigOutput struct + Body OpenIDConfiguration + type OpenIDConfiguration struct + AuthorizationEndpoint string + ClaimsSupported []string + CodeChallengeMethodsSupported []string + GrantTypesSupported []string + IDTokenSigningAlgValuesSupported []string + IntrospectionEndpoint string + Issuer string + JwksURI string + RegistrationEndpoint string + ResponseModesSupported []string + ResponseTypesSupported []string + RevocationEndpoint string + ScopesSupported []string + SubjectTypesSupported []string + TokenEndpoint string + TokenEndpointAuthMethodsSupported []string + UserinfoEndpoint string + type Option func(*Server) + func WithLogger(logger *slog.Logger) Option + func WithSessionProvider(provider SessionProvider) Option + func WithStorage(storage Storage) Option + type RevokeInput struct + Authorization string + Token string + TokenTypeHint string + type RevokeOutput struct + type SSOSession struct + AppsAccessed []string + AuthTime time.Time + ExpiresAt time.Time + GlobalIdentityID uuid.UUID + ID uuid.UUID + type 
SSOTokenResponse struct + AccessToken string + ExpiresIn int + IDToken string + RefreshToken string + Scope string + TokenType string + type Server struct + func NewEmbedded(cfg Config, opts ...Option) (*Server, error) + func (s *Server) GetClient(id string) (*Client, error) + func (s *Server) Huma() huma.API + func (s *Server) Logger() *slog.Logger + func (s *Server) Middleware() func(http.Handler) http.Handler + func (s *Server) OAuth2Provider() fosite.OAuth2Provider + func (s *Server) OIDCSession(subject string, claims map[string]interface{}) *openid.DefaultSession + func (s *Server) PublicKey() *rsa.PublicKey + func (s *Server) RegisterClient(client *Client) error + func (s *Server) RequireScopes(scopes ...string) func(http.Handler) http.Handler + func (s *Server) Router() chi.Router + func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) + func (s *Server) Session(subject string) *openid.DefaultSession + func (s *Server) SessionProvider() SessionProvider + func (s *Server) Storage() Storage + type SessionProvider interface + GetAuthenticatedUser func(r *http.Request) string + GetUserClaims func(ctx context.Context, userID string, scopes []string) map[string]interface{} + HasConsent func(ctx context.Context, userID, clientID string, scopes []string) bool + RedirectToConsent func(returnURL string) string + RedirectToLogin func(returnURL string) string + SaveConsent func(ctx context.Context, userID, clientID string, scopes []string) error + type Storage interface + ClientAssertionJWTValid func(ctx context.Context, jti string) error + CreateAccessTokenSession func(ctx context.Context, signature string, request fosite.Requester) error + CreateAuthorizeCodeSession func(ctx context.Context, code string, request fosite.Requester) error + CreateClient func(ctx context.Context, client *Client) error + CreatePKCERequestSession func(ctx context.Context, signature string, requester fosite.Requester) error + CreateRefreshTokenSession func(ctx context.Context, 
signature string, accessSignature string, ...) error + CreateUser func(ctx context.Context, user *User) error + DeleteAccessTokenSession func(ctx context.Context, signature string) error + DeleteClient func(ctx context.Context, id string) error + DeletePKCERequestSession func(ctx context.Context, signature string) error + DeleteRefreshTokenSession func(ctx context.Context, signature string) error + DeleteUser func(ctx context.Context, id uuid.UUID) error + GetAccessTokenSession func(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error) + GetAuthorizeCodeSession func(ctx context.Context, code string, session fosite.Session) (fosite.Requester, error) + GetClientByID func(ctx context.Context, id string) (*Client, error) + GetPKCERequestSession func(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error) + GetRefreshTokenSession func(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error) + GetUserByEmail func(ctx context.Context, email string) (*User, error) + GetUserByFederationID func(ctx context.Context, federationID uuid.UUID) (*User, error) + GetUserByID func(ctx context.Context, id uuid.UUID) (*User, error) + InvalidateAuthorizeCodeSession func(ctx context.Context, code string) error + ListClients func(ctx context.Context) ([]*Client, error) + RevokeAccessToken func(ctx context.Context, requestID string) error + RevokeRefreshToken func(ctx context.Context, requestID string) error + RotateRefreshToken func(ctx context.Context, requestID string, refreshTokenSignature string) error + SetClientAssertionJWT func(ctx context.Context, jti string, exp time.Time) error + UpdateClient func(ctx context.Context, client *Client) error + UpdateUser func(ctx context.Context, user *User) error + type StoredRequest struct + ClientID string + Form map[string][]string + GrantedScopes []string + ID string + RequestedAt time.Time + Scopes []string + Session *StoredSession + type 
StoredSession struct + Claims map[string]any + Email string + ExpiresAt map[string]int64 + RequestedAt int64 + Subject string + Username string + type TokenConfig struct + AccessTokenLifetime Duration + AuthCodeLifetime Duration + IDTokenLifetime Duration + RefreshTokenLifetime Duration + type TokenData struct + AccessExpiresAt int64 + AccessTokenSignature string + ClientID string + RefreshExpiresAt int64 + RefreshTokenSignature string + RequestID string + Revoked bool + Scopes []string + Session *StoredSession + Subject string + type TokenInput struct + Authorization string + ClientID string + ClientSecret string + Code string + CodeVerifier string + GrantType string + RedirectURI string + RefreshToken string + Scope string + type TokenOutput struct + Body TokenResponse + type TokenResponse struct + AccessToken string + ExpiresIn int + IDToken string + RefreshToken string + Scope string + TokenType string + type User struct + Active bool + Email string + Federated bool + FederationID *uuid.UUID + ID uuid.UUID + Name string