auth

package
v1.40.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 23, 2026 License: MIT Imports: 21 Imported by: 0

Documentation

Overview

Package auth provides authentication utilities including IAM OAuth2/OIDC integration.

iam_admin.go — admin-scope IAM helpers used by the commerce-grant CLI to resolve an IAM user by email. These helpers call Casdoor-compatible admin endpoints (hanzo.id) using client-credentials (clientId/clientSecret) query auth — the same mechanism Cloud-API uses for /api/add-usage-record.

These are kept separate from the OIDC-focused IAMClient so that ordinary request-path code does not accidentally depend on admin surface area.

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrInvalidToken     = errors.New("iam: invalid token")
	ErrTokenExpired     = errors.New("iam: token expired")
	ErrTokenNotYetValid = errors.New("iam: token not yet valid")
	ErrInvalidIssuer    = errors.New("iam: invalid issuer")
	ErrInvalidAudience  = errors.New("iam: invalid audience")
	ErrMissingPublicKey = errors.New("iam: missing public key")
	ErrTokenExchange    = errors.New("iam: token exchange failed")
	ErrUserInfoFetch    = errors.New("iam: failed to fetch user info")
	ErrOIDCDiscovery    = errors.New("iam: OIDC discovery failed")
	ErrInvalidConfig    = errors.New("iam: invalid configuration")
)

Standard OAuth2/OIDC errors

View Source 
var ErrorPasswordMismatch = errors.New("Passwords do not match.")
View Source 
var ErrorUserExists = errors.New("User already exists.")

Functions

func DefaultScopes 

func DefaultScopes() []string

DefaultScopes returns the default OIDC scopes

func GetAuthorizationURL 

func GetAuthorizationURL(config *IAMConfig, state, nonce string) (string, error)

GetAuthorizationURL is a package-level convenience function.

func GetCurrentUser 

func GetCurrentUser(c *gin.Context) (*user.User, error)

func GetCurrentUserId 

func GetCurrentUserId(c *gin.Context) (string, error)

func IsLoggedIn 

func IsLoggedIn(c *gin.Context) bool

func Login 

func Login(c *gin.Context, u *user.User) error

func Logout 

func Logout(c *gin.Context) error

Types

type AdminUser added in v1.37.0 

type AdminUser struct {
	Owner       string `json:"owner"`
	Name        string `json:"name"`
	Email       string `json:"email"`
	DisplayName string `json:"displayName,omitempty"`
	ID          string `json:"id,omitempty"`
}

AdminUser is the subset of Casdoor's user record we care about.

func (AdminUser) Subject added in v1.37.0 

func (u AdminUser) Subject() string

Subject returns the canonical "owner/name" identifier.

type FlexAudience added in v1.36.3 

type FlexAudience string

FlexAudience handles JWT "aud" which can be either a string or array of strings.

func (*FlexAudience) UnmarshalJSON added in v1.36.3 

func (a *FlexAudience) UnmarshalJSON(data []byte) error

type FlexRoles added in v1.37.0 

type FlexRoles []string

FlexRoles handles JWT "roles" which can be either an array of strings (e.g. ["admin"]) or an array of role objects (e.g. [{"name":"admin",...}]). When role objects are encountered, only the "name" field is kept.

func (*FlexRoles) UnmarshalJSON added in v1.37.0 

func (r *FlexRoles) UnmarshalJSON(data []byte) error

type IAMAdminClient added in v1.37.0 

type IAMAdminClient struct {
	BaseURL      string // e.g. https://hanzo.id
	ClientID     string
	ClientSecret string
	HTTPClient   *http.Client
}

IAMAdminClient is a thin HTTP client for Casdoor admin endpoints on hanzo.id. All calls authenticate via clientId/clientSecret query params — no session.

func NewIAMAdminClient added in v1.37.0 

func NewIAMAdminClient(baseURL, clientID, clientSecret string, httpClient *http.Client) *IAMAdminClient

NewIAMAdminClient constructs an admin client. BaseURL must be the IAM origin without trailing slash; ClientID/ClientSecret are the service credentials.

func (*IAMAdminClient) GetUserByEmail added in v1.37.0 

func (c *IAMAdminClient) GetUserByEmail(ctx context.Context, email string) (*AdminUser, error)

GetUserByEmail finds a user by email across all organizations. It uses Casdoor's /api/get-global-users search endpoint with field=email filter.

type IAMClaims 

type IAMClaims struct {
	jwt.StandardClaims

	// Override Audience to handle both string and array formats from IAM.
	Audience FlexAudience `json:"aud,omitempty"`

	// User identification
	Owner       string `json:"owner,omitempty"`
	Name        string `json:"name,omitempty"`
	DisplayName string `json:"displayName,omitempty"`
	Avatar      string `json:"avatar,omitempty"`
	Email       string `json:"email,omitempty"`
	Phone       string `json:"phone,omitempty"`

	// Token metadata
	TokenType string `json:"tokenType,omitempty"`
	Nonce     string `json:"nonce,omitempty"`
	Scope     string `json:"scope,omitempty"`
	Azp       string `json:"azp,omitempty"` // Authorized party

	// Authorization
	IsAdmin     bool      `json:"isAdmin,omitempty"`
	Groups      []string  `json:"groups,omitempty"`
	Roles       FlexRoles `json:"roles,omitempty"`
	Permissions []string  `json:"permissions,omitempty"`

	// User properties (arbitrary key-value pairs from IAM).
	// The "tier" property is used for tiered billing (free/starter/pro/enterprise).
	Properties map[string]string `json:"properties,omitempty"`
}

IAMClaims represents the JWT claims from Hanzo IAM tokens.

func ValidateToken 

func ValidateToken(ctx context.Context, config *IAMConfig, token string) (*IAMClaims, error)

ValidateToken is a package-level convenience function.

func (*IAMClaims) Tier added in v1.36.4 

func (c *IAMClaims) Tier() string

Tier returns the user's billing tier from the "tier" property. Returns an empty string if not set; callers should default to "free".

func (*IAMClaims) Valid 

func (c *IAMClaims) Valid() error

Valid implements jwt.Claims interface.

type IAMClient 

type IAMClient struct {
	// contains filtered or unexported fields
}

IAMClient is an OAuth2/OIDC client for Hanzo IAM.

func NewIAMClient 

func NewIAMClient(config *IAMConfig) (*IAMClient, error)

NewIAMClient creates a new IAM client with the given configuration.

func (*IAMClient) ExchangeCode 

func (c *IAMClient) ExchangeCode(ctx context.Context, code string) (*TokenResponse, error)

ExchangeCode exchanges an authorization code for tokens.

func (*IAMClient) GetAuthorizationURL 

func (c *IAMClient) GetAuthorizationURL(state string, nonce string) (string, error)

GetAuthorizationURL generates the OAuth2 authorization URL for login.

func (*IAMClient) GetUserInfo 

func (c *IAMClient) GetUserInfo(ctx context.Context, accessToken string) (*IAMUserInfo, error)

GetUserInfo fetches user information using an access token.

func (*IAMClient) IntrospectToken 

func (c *IAMClient) IntrospectToken(ctx context.Context, token string, tokenTypeHint string) (*IntrospectionResponse, error)

IntrospectToken introspects a token to check its validity.

func (*IAMClient) RefreshToken 

func (c *IAMClient) RefreshToken(ctx context.Context, refreshToken string) (*TokenResponse, error)

RefreshToken exchanges a refresh token for new tokens.

func (*IAMClient) RevokeToken 

func (c *IAMClient) RevokeToken(ctx context.Context, token string, tokenTypeHint string) error

RevokeToken revokes an access or refresh token.

func (*IAMClient) ValidateToken 

func (c *IAMClient) ValidateToken(ctx context.Context, tokenString string) (*IAMClaims, error)

ValidateToken validates a JWT access token and returns the claims.

type IAMConfig 

type IAMConfig struct {
	// Issuer is the IAM server URL (e.g., "https://id.hanzo.ai")
	Issuer string

	// ClientID is the OAuth2 client identifier
	ClientID string

	// ClientSecret is the OAuth2 client secret
	ClientSecret string

	// AcceptedAudiences is a list of additional client IDs to accept when
	// acting as a resource server. Tokens issued for any of these audiences
	// (or for ClientID) will be accepted.
	AcceptedAudiences []string

	// AcceptedIssuers is a list of additional issuer URLs to accept.
	// Useful when the IAM server is reachable under multiple domains
	// (e.g., "https://hanzo.id" and "https://iam.hanzo.ai").
	AcceptedIssuers []string

	// JwksURI overrides the JWKS endpoint URL.
	// When set, skips OIDC discovery and fetches JWKS directly from this URL.
	// Useful when the IAM discovery doc returns an HTTPS URL but the internal
	// service is only reachable via HTTP.
	JwksURI string

	// RedirectURL is the callback URL for authorization code flow
	RedirectURL string

	// Scopes to request during authorization (defaults to "openid profile email")
	Scopes []string

	// HTTPClient allows custom HTTP client (for timeouts, proxies, etc.)
	HTTPClient *http.Client
}

IAMConfig holds the OAuth2/OIDC configuration for Hanzo IAM (hanzo.id).

type IAMUserInfo 

type IAMUserInfo struct {
	Sub           string    `json:"sub"`
	Iss           string    `json:"iss,omitempty"`
	Aud           string    `json:"aud,omitempty"`
	Name          string    `json:"preferred_username,omitempty"`
	DisplayName   string    `json:"name,omitempty"`
	Email         string    `json:"email,omitempty"`
	EmailVerified bool      `json:"email_verified,omitempty"`
	Picture       string    `json:"picture,omitempty"`
	Address       string    `json:"address,omitempty"`
	Phone         string    `json:"phone,omitempty"`
	RealName      string    `json:"real_name,omitempty"`
	IsVerified    bool      `json:"is_verified,omitempty"`
	Groups        []string  `json:"groups,omitempty"`
	Roles         FlexRoles `json:"roles,omitempty"`
	Permissions   []string  `json:"permissions,omitempty"`
}

IAMUserInfo represents the OIDC userinfo response from Hanzo IAM.

func GetUserInfoFromToken 

func GetUserInfoFromToken(ctx context.Context, config *IAMConfig, accessToken string) (*IAMUserInfo, error)

GetUserInfo is a package-level convenience function.

type IntrospectionResponse 

type IntrospectionResponse struct {
	Active    bool   `json:"active"`
	Scope     string `json:"scope,omitempty"`
	ClientID  string `json:"client_id,omitempty"`
	Username  string `json:"username,omitempty"`
	TokenType string `json:"token_type,omitempty"`
	Exp       int64  `json:"exp,omitempty"`
	Iat       int64  `json:"iat,omitempty"`
	Nbf       int64  `json:"nbf,omitempty"`
	Sub       string `json:"sub,omitempty"`
	Aud       string `json:"aud,omitempty"`
	Iss       string `json:"iss,omitempty"`
	Jti       string `json:"jti,omitempty"`
}

IntrospectionResponse represents the token introspection response.

type JWK 

type JWK struct {
	Kty string `json:"kty"` // Key type (RSA, EC)
	Kid string `json:"kid"` // Key ID
	Use string `json:"use"` // Key use (sig, enc)
	Alg string `json:"alg"` // Algorithm
	N   string `json:"n"`   // RSA modulus
	E   string `json:"e"`   // RSA exponent
	X   string `json:"x"`   // EC X coordinate
	Y   string `json:"y"`   // EC Y coordinate
	Crv string `json:"crv"` // EC curve
}

JWK represents a JSON Web Key.

type JWKS 

type JWKS struct {
	Keys      []JWK     `json:"keys"`
	FetchedAt time.Time `json:"-"`
}

JWKS holds the JSON Web Key Set for token validation.

type LoginForm 

type LoginForm struct {
	Email    string
	Password string
}

func (*LoginForm) Parse 

func (f *LoginForm) Parse(c *gin.Context) error

func (LoginForm) PasswordHash 

func (f LoginForm) PasswordHash() ([]byte, error)

func (LoginForm) PasswordHashAndCompare 

func (f LoginForm) PasswordHashAndCompare(hash []byte) bool

type OIDCDiscovery 

type OIDCDiscovery struct {
	Issuer                 string   `json:"issuer"`
	AuthorizationEndpoint  string   `json:"authorization_endpoint"`
	TokenEndpoint          string   `json:"token_endpoint"`
	UserinfoEndpoint       string   `json:"userinfo_endpoint"`
	JwksURI                string   `json:"jwks_uri"`
	IntrospectionEndpoint  string   `json:"introspection_endpoint"`
	RevocationEndpoint     string   `json:"revocation_endpoint"`
	ScopesSupported        []string `json:"scopes_supported"`
	ResponseTypesSupported []string `json:"response_types_supported"`
	GrantTypesSupported    []string `json:"grant_types_supported"`
}

OIDCDiscovery holds the OIDC well-known configuration.

type TokenError 

type TokenError struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description,omitempty"`
}

TokenError represents an OAuth2 error response.

type TokenResponse 

type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int    `json:"expires_in"`
	RefreshToken string `json:"refresh_token,omitempty"`
	IDToken      string `json:"id_token,omitempty"`
	Scope        string `json:"scope,omitempty"`
}

TokenResponse represents the OAuth2 token response.

func ExchangeCode 

func ExchangeCode(ctx context.Context, config *IAMConfig, code string) (*TokenResponse, error)

ExchangeCode is a package-level convenience function.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.