Documentation
¶
Overview ¶
Package auth provides authentication utilities including IAM OAuth2/OIDC integration.
Index ¶
- Variables
- func DefaultScopes() []string
- func GetAuthorizationURL(config *IAMConfig, state, nonce string) (string, error)
- func GetCurrentUser(c *gin.Context) (*user.User, error)
- func GetCurrentUserId(c *gin.Context) (string, error)
- func IsLoggedIn(c *gin.Context) bool
- func Login(c *gin.Context, u *user.User) error
- func Logout(c *gin.Context) error
- type FlexAudience
- type IAMClaims
- type IAMClient
- func (c *IAMClient) ExchangeCode(ctx context.Context, code string) (*TokenResponse, error)
- func (c *IAMClient) GetAuthorizationURL(state string, nonce string) (string, error)
- func (c *IAMClient) GetUserInfo(ctx context.Context, accessToken string) (*IAMUserInfo, error)
- func (c *IAMClient) IntrospectToken(ctx context.Context, token string, tokenTypeHint string) (*IntrospectionResponse, error)
- func (c *IAMClient) RefreshToken(ctx context.Context, refreshToken string) (*TokenResponse, error)
- func (c *IAMClient) RevokeToken(ctx context.Context, token string, tokenTypeHint string) error
- func (c *IAMClient) ValidateToken(ctx context.Context, tokenString string) (*IAMClaims, error)
- type IAMConfig
- type IAMUserInfo
- type IntrospectionResponse
- type JWK
- type JWKS
- type LoginForm
- type OIDCDiscovery
- type TokenError
- type TokenResponse
Constants ¶
This section is empty.
Variables ¶
View Source
var ( ErrInvalidToken = errors.New("iam: invalid token") ErrTokenExpired = errors.New("iam: token expired") ErrTokenNotYetValid = errors.New("iam: token not yet valid") ErrInvalidIssuer = errors.New("iam: invalid issuer") ErrInvalidAudience = errors.New("iam: invalid audience") ErrMissingPublicKey = errors.New("iam: missing public key") ErrTokenExchange = errors.New("iam: token exchange failed") ErrUserInfoFetch = errors.New("iam: failed to fetch user info") ErrOIDCDiscovery = errors.New("iam: OIDC discovery failed") ErrInvalidConfig = errors.New("iam: invalid configuration") )
Standard OAuth2/OIDC errors
View Source
var ErrorPasswordMismatch = errors.New("Passwords do not match.")
View Source
var ErrorUserExists = errors.New("User already exists.")
Functions ¶
func GetAuthorizationURL ¶
GetAuthorizationURL is a package-level convenience function.
func IsLoggedIn ¶
Types ¶
type FlexAudience ¶ added in v1.36.3
type FlexAudience string
FlexAudience handles JWT "aud" which can be either a string or array of strings.
func (*FlexAudience) UnmarshalJSON ¶ added in v1.36.3
func (a *FlexAudience) UnmarshalJSON(data []byte) error
type IAMClaims ¶
type IAMClaims struct {
jwt.StandardClaims
// Override Audience to handle both string and array formats from IAM.
Audience FlexAudience `json:"aud,omitempty"`
// User identification
Owner string `json:"owner,omitempty"`
Name string `json:"name,omitempty"`
DisplayName string `json:"displayName,omitempty"`
Avatar string `json:"avatar,omitempty"`
Email string `json:"email,omitempty"`
Phone string `json:"phone,omitempty"`
// Token metadata
TokenType string `json:"tokenType,omitempty"`
Nonce string `json:"nonce,omitempty"`
Scope string `json:"scope,omitempty"`
Azp string `json:"azp,omitempty"` // Authorized party
// Authorization
IsAdmin bool `json:"isAdmin,omitempty"`
Groups []string `json:"groups,omitempty"`
Roles []string `json:"roles,omitempty"`
Permissions []string `json:"permissions,omitempty"`
// User properties (arbitrary key-value pairs from IAM).
// The "tier" property is used for tiered billing (free/starter/pro/enterprise).
Properties map[string]string `json:"properties,omitempty"`
}
IAMClaims represents the JWT claims from Hanzo IAM tokens.
func ValidateToken ¶
ValidateToken is a package-level convenience function.
type IAMClient ¶
type IAMClient struct {
// contains filtered or unexported fields
}
IAMClient is an OAuth2/OIDC client for Hanzo IAM.
func NewIAMClient ¶
NewIAMClient creates a new IAM client with the given configuration.
func (*IAMClient) ExchangeCode ¶
ExchangeCode exchanges an authorization code for tokens.
func (*IAMClient) GetAuthorizationURL ¶
GetAuthorizationURL generates the OAuth2 authorization URL for login.
func (*IAMClient) GetUserInfo ¶
GetUserInfo fetches user information using an access token.
func (*IAMClient) IntrospectToken ¶
func (c *IAMClient) IntrospectToken(ctx context.Context, token string, tokenTypeHint string) (*IntrospectionResponse, error)
IntrospectToken introspects a token to check its validity.
func (*IAMClient) RefreshToken ¶
RefreshToken exchanges a refresh token for new tokens.
func (*IAMClient) RevokeToken ¶
RevokeToken revokes an access or refresh token.
type IAMConfig ¶
type IAMConfig struct {
// Issuer is the IAM server URL (e.g., "https://id.hanzo.ai")
Issuer string
// ClientID is the OAuth2 client identifier
ClientID string
// ClientSecret is the OAuth2 client secret
ClientSecret string
// AcceptedAudiences is a list of additional client IDs to accept when
// acting as a resource server. Tokens issued for any of these audiences
// (or for ClientID) will be accepted.
AcceptedAudiences []string
// RedirectURL is the callback URL for authorization code flow
RedirectURL string
// Scopes to request during authorization (defaults to "openid profile email")
Scopes []string
// HTTPClient allows custom HTTP client (for timeouts, proxies, etc.)
HTTPClient *http.Client
}
IAMConfig holds the OAuth2/OIDC configuration for Hanzo IAM (hanzo.id).
type IAMUserInfo ¶
type IAMUserInfo struct {
Sub string `json:"sub"`
Iss string `json:"iss,omitempty"`
Aud string `json:"aud,omitempty"`
Name string `json:"preferred_username,omitempty"`
DisplayName string `json:"name,omitempty"`
Email string `json:"email,omitempty"`
EmailVerified bool `json:"email_verified,omitempty"`
Picture string `json:"picture,omitempty"`
Address string `json:"address,omitempty"`
Phone string `json:"phone,omitempty"`
RealName string `json:"real_name,omitempty"`
IsVerified bool `json:"is_verified,omitempty"`
Groups []string `json:"groups,omitempty"`
Roles []string `json:"roles,omitempty"`
Permissions []string `json:"permissions,omitempty"`
}
IAMUserInfo represents the OIDC userinfo response from Hanzo IAM.
func GetUserInfoFromToken ¶
func GetUserInfoFromToken(ctx context.Context, config *IAMConfig, accessToken string) (*IAMUserInfo, error)
GetUserInfo is a package-level convenience function.
type IntrospectionResponse ¶
type IntrospectionResponse struct {
Active bool `json:"active"`
Scope string `json:"scope,omitempty"`
ClientID string `json:"client_id,omitempty"`
Username string `json:"username,omitempty"`
TokenType string `json:"token_type,omitempty"`
Exp int64 `json:"exp,omitempty"`
Iat int64 `json:"iat,omitempty"`
Nbf int64 `json:"nbf,omitempty"`
Sub string `json:"sub,omitempty"`
Aud string `json:"aud,omitempty"`
Iss string `json:"iss,omitempty"`
Jti string `json:"jti,omitempty"`
}
IntrospectionResponse represents the token introspection response.
type JWK ¶
type JWK struct {
Kty string `json:"kty"` // Key type (RSA, EC)
Kid string `json:"kid"` // Key ID
Use string `json:"use"` // Key use (sig, enc)
Alg string `json:"alg"` // Algorithm
N string `json:"n"` // RSA modulus
E string `json:"e"` // RSA exponent
X string `json:"x"` // EC X coordinate
Y string `json:"y"` // EC Y coordinate
Crv string `json:"crv"` // EC curve
}
JWK represents a JSON Web Key.
type OIDCDiscovery ¶
type OIDCDiscovery struct {
Issuer string `json:"issuer"`
AuthorizationEndpoint string `json:"authorization_endpoint"`
TokenEndpoint string `json:"token_endpoint"`
UserinfoEndpoint string `json:"userinfo_endpoint"`
JwksURI string `json:"jwks_uri"`
IntrospectionEndpoint string `json:"introspection_endpoint"`
RevocationEndpoint string `json:"revocation_endpoint"`
ScopesSupported []string `json:"scopes_supported"`
ResponseTypesSupported []string `json:"response_types_supported"`
GrantTypesSupported []string `json:"grant_types_supported"`
}
OIDCDiscovery holds the OIDC well-known configuration.
type TokenError ¶
type TokenError struct {
Error string `json:"error"`
ErrorDescription string `json:"error_description,omitempty"`
}
TokenError represents an OAuth2 error response.
type TokenResponse ¶
type TokenResponse struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
ExpiresIn int `json:"expires_in"`
RefreshToken string `json:"refresh_token,omitempty"`
IDToken string `json:"id_token,omitempty"`
Scope string `json:"scope,omitempty"`
}
TokenResponse represents the OAuth2 token response.
func ExchangeCode ¶
ExchangeCode is a package-level convenience function.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.