kinde

package v0.4.4

Warning: This package is not in the latest version of its module.

Published: Apr 6, 2026 License: MIT Imports: 17 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetSubject

func GetSubject(ctx context.Context) string

GetSubject retrieves the authenticated user's subject (Kinde user ID) from context. Returns an empty string if the AuthMiddleware has not run.

func PermissionMiddleware

func PermissionMiddleware(perms ...string) httpkit.Middleware

PermissionMiddleware returns an HTTP middleware that checks whether the already-parsed AccessTokenClaims (from AuthMiddleware) contain the required permissions. On failure it responds with 403. This middleware must be placed after AuthMiddleware in the middleware chain.

Types

type AccessTokenClaims

type AccessTokenClaims struct {
	jwt.RegisteredClaims
	OrgCode      string          `json:"org_code,omitempty"` //nolint:tagliatelle // Kinde API uses snake_case.
	Permissions  []string        `json:"permissions,omitempty"`
	FeatureFlags map[string]Flag `json:"feature_flags,omitempty"` //nolint:tagliatelle // Kinde API uses snake_case.
}

AccessTokenClaims represents the claims in a Kinde access token.

func GetAccessTokenClaims

func GetAccessTokenClaims(ctx context.Context) *AccessTokenClaims

GetAccessTokenClaims retrieves the AccessTokenClaims from the request context. Returns nil if the AuthMiddleware has not run.

func (*AccessTokenClaims) HasPermission

func (c *AccessTokenClaims) HasPermission(perm string) bool

HasPermission checks whether the access token includes the given permission.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client is the central Kinde integration point. It handles OIDC discovery and provides access to token verification, M2M authentication, and the management API.

func NewClient

func NewClient(domain, clientID, clientSecret string, opts ...Option) (*Client, error)

NewClient creates a new Kinde client. It performs OIDC discovery and initializes the JWKS provider for token verification. The domain should be the full Kinde tenant URL (e.g., "https://myapp.kinde.com").

func (*Client) AuthMiddleware

func (c *Client) AuthMiddleware() httpkit.Middleware

AuthMiddleware returns an HTTP middleware that verifies Kinde access tokens. It extracts the Bearer token from the Authorization header, verifies it using the JWKS provider, parses claims into AccessTokenClaims, and stores them in the request context. On failure it responds with 401.
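The ordering rule stated for PermissionMiddleware (it must sit after AuthMiddleware, because it only reads the claims AuthMiddleware stored in the context) is easy to get wrong when assembling a chain. The following is an added example, not code from the kinde package or from httpkit: it rebuilds the contract with the standard library only, so that the behaviour can be exercised with httptest. Middleware, Claims, GetClaims, FakeAuthMiddleware, PermissionMiddleware, Chain, Probe and Demo are hypothetical stand-ins for the package's types; the bearer tokens are a constructed lookup table rather than JWTs verified against the JWKS.

```go
package main

// Added example (not the kinde package's own code): reproduces the
// AuthMiddleware -> PermissionMiddleware contract with the standard library.

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Middleware mirrors the func(http.Handler) http.Handler shape assumed for httpkit.Middleware.
type Middleware func(http.Handler) http.Handler

// Claims is a cut-down, hypothetical stand-in for AccessTokenClaims.
type Claims struct {
	Subject     string
	Permissions []string
}

// HasPermission is nil-safe: a missing claims object never grants anything.
func (c *Claims) HasPermission(perm string) bool {
	if c == nil {
		return false
	}
	for _, p := range c.Permissions {
		if p == perm {
			return true
		}
	}
	return false
}

type claimsKey struct{}

// GetClaims mirrors GetAccessTokenClaims: nil when the auth middleware has not run.
func GetClaims(ctx context.Context) *Claims {
	c, _ := ctx.Value(claimsKey{}).(*Claims)
	return c
}

// FakeAuthMiddleware stands in for Client.AuthMiddleware. Instead of verifying a JWT
// it resolves the bearer token in a constructed table; anything else is 401.
func FakeAuthMiddleware(tokens map[string]*Claims) Middleware {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			h := r.Header.Get("Authorization")
			claims, known := tokens[strings.TrimPrefix(h, "Bearer ")]
			if !strings.HasPrefix(h, "Bearer ") || !known {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), claimsKey{}, claims)))
		})
	}
}

// PermissionMiddleware requires every listed permission. It fails closed: with no
// claims in the context (auth not run, or run too late) the request gets 403.
func PermissionMiddleware(perms ...string) Middleware {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			claims := GetClaims(r.Context())
			for _, p := range perms {
				if !claims.HasPermission(p) {
					http.Error(w, "forbidden", http.StatusForbidden)
					return
				}
			}
			next.ServeHTTP(w, r)
		})
	}
}

// Chain applies middlewares so that mws[0] is outermost, i.e. runs first.
func Chain(h http.Handler, mws ...Middleware) http.Handler {
	for i := len(mws) - 1; i >= 0; i-- {
		h = mws[i](h)
	}
	return h
}

// Probe sends one request through h with the given bearer token and returns the status code.
func Probe(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// Demo runs the cases that matter and returns their status codes keyed by case name.
func Demo() map[string]int {
	// Constructed tokens and subjects; in the real package these come from verified JWTs.
	tokens := map[string]*Claims{
		"tok-admin":  {Subject: "user_admin", Permissions: []string{"read:users", "delete:users"}},
		"tok-viewer": {Subject: "user_viewer", Permissions: []string{"read:users"}},
	}
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	auth, perm := FakeAuthMiddleware(tokens), PermissionMiddleware("delete:users")
	correct := Chain(ok, auth, perm) // auth first, then the permission check
	wrong := Chain(ok, perm, auth)   // permission check before auth: claims are always nil
	return map[string]int{
		"correct/admin":  Probe(correct, "tok-admin"),
		"correct/viewer": Probe(correct, "tok-viewer"),
		"correct/none":   Probe(correct, ""),
		"wrong/admin":    Probe(wrong, "tok-admin"),
	}
}

func main() {
	for k, v := range Demo() {
		fmt.Println(k, v)
	}
}
```

The misordered chain is the case to watch for: it never returns 200 even for a token that carries the permission, because the permission check runs while the context is still empty. Failing closed on nil claims is what turns a wiring mistake into a visible 403 rather than an open endpoint.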

func (*Client) GetOIDCConfig

func (c *Client) GetOIDCConfig() OIDCConfig

GetOIDCConfig returns the discovered OIDC configuration.

func (*Client) NewM2MClient

func (c *Client) NewM2MClient(opts ...M2MOption) *M2MClient

NewM2MClient creates a new M2M client that uses the parent Client's credentials and discovered token endpoint.

func (*Client) NewManagementClient

func (c *Client) NewManagementClient() *ManagementClient

NewManagementClient creates a management API client. It initializes an M2M client targeting the Kinde management API audience.

func (*Client) TokenVerifier

func (c *Client) TokenVerifier() *jwtkit.JWKSProvider

TokenVerifier returns the underlying JWKSProvider for direct token verification.

type Flag

type Flag struct {
	Type  string `json:"t"`
	Value any    `json:"v"`
}

Flag represents a Kinde feature flag value.

type IDTokenClaims

type IDTokenClaims struct {
	jwt.RegisteredClaims
	Email         string   `json:"email,omitempty"`
	EmailVerified bool     `json:"email_verified,omitempty"` //nolint:tagliatelle // OIDC standard claim.
	Name          string   `json:"name,omitempty"`
	GivenName     string   `json:"given_name,omitempty"`  //nolint:tagliatelle // OIDC standard claim.
	FamilyName    string   `json:"family_name,omitempty"` //nolint:tagliatelle // OIDC standard claim.
	Picture       string   `json:"picture,omitempty"`
	OrgCodes      []string `json:"org_codes,omitempty"` //nolint:tagliatelle // Kinde API uses snake_case.
}

IDTokenClaims represents the claims in a Kinde ID token.

type M2MClient

type M2MClient struct {
	// contains filtered or unexported fields
}

M2MClient handles the client credentials OAuth flow for machine-to-machine authentication. It caches the token and automatically re-requests when expired.

func (*M2MClient) Token

func (m *M2MClient) Token(ctx context.Context) (string, error)

Token returns a valid access token, requesting a new one if the cached token is expired or absent. Thread-safe.
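The Token contract above (reuse the cached token, refetch when it is expired or absent, safe for concurrent callers) is the part of an M2M client that most often goes wrong: a cache that refreshes only after expiry hands out tokens that fail at the resource server, and one without a lock issues a burst of grant requests on a cold start. This is an added example, not the package's M2MClient: TokenCache, NewTokenCache, grant and RunDemo are hypothetical names, the grant endpoint is a counting fake, and the clock is injected so the expiry behaviour can be checked deterministically.

```go
package main

// Added example (not the kinde package's own code): a hypothetical M2M token cache
// that reproduces the documented Token() contract.

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// grant is the subset of a client-credentials token response the cache needs (constructed).
type grant struct {
	AccessToken string
	ExpiresIn   time.Duration
}

// TokenCache holds one cached token. The mutex is held across the fetch so that
// concurrent callers hitting an empty or expired cache trigger exactly one request.
type TokenCache struct {
	mu      sync.Mutex
	fetch   func(ctx context.Context) (grant, error) // performs the client-credentials grant
	now     func() time.Time                         // injectable clock
	skew    time.Duration                            // refresh this long before actual expiry
	token   string
	expires time.Time
}

func NewTokenCache(fetch func(context.Context) (grant, error), now func() time.Time, skew time.Duration) *TokenCache {
	return &TokenCache{fetch: fetch, now: now, skew: skew}
}

// Token returns the cached token while it is still valid (minus skew), otherwise fetches a new one.
func (c *TokenCache) Token(ctx context.Context) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.token != "" && c.now().Add(c.skew).Before(c.expires) {
		return c.token, nil
	}
	g, err := c.fetch(ctx)
	if err != nil {
		c.token, c.expires = "", time.Time{} // fail closed: never reuse a token past its validity
		return "", err
	}
	c.token = g.AccessToken
	c.expires = c.now().Add(g.ExpiresIn)
	return c.token, nil
}

// DemoResult captures what RunDemo observed.
type DemoResult struct {
	Fetches     int    // grant requests made in total
	Distinct    int    // distinct tokens seen by 50 concurrent cold-cache callers
	FirstToken  string // token served while still valid
	SecondToken string // token served once inside the skew window
}

// RunDemo exercises the cache with a fake grant endpoint and a fake clock.
func RunDemo() DemoResult {
	var calls int
	var cmu sync.Mutex
	clock := time.Date(2026, 4, 6, 12, 0, 0, 0, time.UTC)
	fetch := func(context.Context) (grant, error) {
		cmu.Lock()
		defer cmu.Unlock()
		calls++
		// Constructed token value; a real response carries a signed JWT.
		return grant{AccessToken: fmt.Sprintf("m2m-token-%d", calls), ExpiresIn: time.Hour}, nil
	}
	cache := NewTokenCache(fetch, func() time.Time { return clock }, 30*time.Second)

	// 50 goroutines race on a cold cache; the lock ensures a single grant request.
	var wg sync.WaitGroup
	seen := make(chan string, 50)
	for i := 0; i < 50; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			tok, _ := cache.Token(context.Background())
			seen <- tok
		}()
	}
	wg.Wait()
	close(seen)
	distinct := map[string]bool{}
	for tok := range seen {
		distinct[tok] = true
	}
	first, _ := cache.Token(context.Background())

	// Advance to 15s before expiry: inside the 30s skew window, so Token refetches.
	clock = clock.Add(time.Hour - 15*time.Second)
	second, _ := cache.Token(context.Background())
	return DemoResult{Fetches: calls, Distinct: len(distinct), FirstToken: first, SecondToken: second}
}

func main() { fmt.Printf("%+v\n", RunDemo()) }
```

Holding the lock for the duration of the network call is a deliberate trade-off: callers that arrive during a refresh wait for it instead of each issuing their own grant, which keeps a cold start or an expiry from turning into a burst of requests against the token endpoint. The skew ensures a token is replaced shortly before the issuer's expiry rather than after the first downstream 401.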

type M2MOption

type M2MOption func(*M2MClient)

M2MOption configures the M2M client.

func WithM2MAudience

func WithM2MAudience(aud string) M2MOption

WithM2MAudience sets the audience for the M2M token request.

type ManagementClient

type ManagementClient struct {
	// contains filtered or unexported fields
}

ManagementClient provides access to the Kinde Management API. It uses the M2M client credentials flow for authentication.

func (*ManagementClient) GetOrganization

func (mc *ManagementClient) GetOrganization(ctx context.Context, orgCode string) (*Organization, error)

GetOrganization retrieves an organization by its code.

func (*ManagementClient) GetUser

func (mc *ManagementClient) GetUser(ctx context.Context, userID string) (*User, error)

GetUser retrieves a user by their Kinde user ID.

func (*ManagementClient) ListOrganizations

func (mc *ManagementClient) ListOrganizations(ctx context.Context) ([]Organization, error)

ListOrganizations retrieves a list of organizations.

func (*ManagementClient) ListUsers

func (mc *ManagementClient) ListUsers(ctx context.Context) ([]User, error)

ListUsers retrieves a list of users.

type OIDCConfig

type OIDCConfig struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"` //nolint:tagliatelle // OIDC standard field.
	TokenEndpoint         string `json:"token_endpoint"`         //nolint:tagliatelle // OIDC standard field.
	UserinfoEndpoint      string `json:"userinfo_endpoint"`      //nolint:tagliatelle // OIDC standard field.
	JWKSURI               string `json:"jwks_uri"`               //nolint:tagliatelle // OIDC standard field.
}

OIDCConfig holds the discovered OpenID Connect configuration.

type Option

type Option func(*Client)

Option configures the Client.

func WithAudience

func WithAudience(aud string) Option

WithAudience sets the expected audience for token verification.

func WithHTTPClient

func WithHTTPClient(c *http.Client) Option

WithHTTPClient sets a custom HTTP client for all outbound requests.

func WithJWKSRefreshInterval

func WithJWKSRefreshInterval(d time.Duration) Option

WithJWKSRefreshInterval sets the interval for refreshing the JWKS key cache.

type Organization

type Organization struct {
	Code   string `json:"code"`
	Name   string `json:"name"`
	Handle string `json:"handle"`
}

Organization represents a Kinde organization.

type User

type User struct {
	ID           string `json:"id"`
	Email        string `json:"email"`
	FirstName    string `json:"first_name"`   //nolint:tagliatelle // Kinde API uses snake_case.
	LastName     string `json:"last_name"`    //nolint:tagliatelle // Kinde API uses snake_case.
	IsSuspended  bool   `json:"is_suspended"` //nolint:tagliatelle // Kinde API uses snake_case.
	Picture      string `json:"picture"`
	TotalSignIns int    `json:"total_sign_ins"` //nolint:tagliatelle // Kinde API uses snake_case.
	CreatedOn    string `json:"created_on"`     //nolint:tagliatelle // Kinde API uses snake_case.
}

User represents a Kinde user.
