README
¶
authlib
A low-level Go SDK for OAuth 2.0 and OpenID Connect (OIDC).
Motivation
authlib's mission is to provide complete toolset for OAuth 2.0 and OpenID Connect clients including draft specifications for early experimentation. authlib follows Go's approach of maintaining backwards compatibility for all existing RFCs other than draft specifications.
Installation
go get github.com/matoous/authlib
Supported RFCs
This library implements and provides helpers for the following specifications:
- RFC 6749 - The OAuth 2.0 Authorization Framework
- RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
- RFC 7591 - OAuth 2.0 Dynamic Client Registration Protocol
- RFC 7592 - OAuth 2.0 Dynamic Client Registration Management Protocol
- RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE)
- RFC 7662 - OAuth 2.0 Token Introspection
- RFC 8414 - OAuth 2.0 Authorization Server Metadata
- RFC 8628 - OAuth 2.0 Device Authorization Grant
- RFC 8693 - OAuth 2.0 Token Exchange
- RFC 9110 - HTTP Semantics (WWW-Authenticate header parsing)
- RFC 9396 - OAuth 2.0 Rich Authorization Requests
- RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP)
- RFC 9470 - OAuth 2.0 Step-Up Authentication Challenge Protocol
Features
- OAuth 2.0 client configuration and management
- Authorization Code Grant flow
- Client Credentials Grant flow
- Device Authorization Grant flow
- Token Exchange Grant flow
- PKCE (Proof Key for Code Exchange) parameter generation
- DPoP (Demonstrating Proof of Possession) JWT generation and key management
- OpenID Connect Discovery metadata parsing
- Rich Authorization Requests (RAR) support
- WWW-Authenticate header parsing for Bearer tokens
- Token introspection (RFC 7662)
- Protected resource metadata handling
- Flexible request options (custom headers, parameters, HTTP client, DPoP)
Examples
PKCE (Proof Key for Code Exchange)
Generate PKCE parameters for the authorization code flow:
package main
import (
"fmt"
"log"
"github.com/matoous/authlib"
)
func main() {
// Generate PKCE parameters with S256 challenge method
params, err := authlib.GeneratePKCEParams()
if err != nil {
log.Fatalf("failed to generate PKCE params: %v", err)
}
fmt.Printf("Code Verifier: %s\n", params.CodeVerifier)
fmt.Printf("Code Challenge: %s\n", params.CodeChallenge)
fmt.Printf("Challenge Method: %s\n", params.CodeChallengeMethod)
// Use params.CodeChallenge and params.CodeChallengeMethod in authorization request
// Store params.CodeVerifier securely for the token exchange
}
Device Authorization Grant
Implement the OAuth 2.0 Device Authorization Grant flow:
package main
import (
"context"
"fmt"
"log"
"time"
"github.com/matoous/authlib"
)
func main() {
client := &authlib.Client{
ClientID: "your-client-id",
}
as := &authlib.AuthorizationServerConfig{
DeviceAuthorizationEndpoint: "https://auth.example.com/device/code",
TokenEndpoint: "https://auth.example.com/token",
}
// Initiate device authorization
authResp, err := client.DeviceAuth(
context.Background(),
as.DeviceAuthorizationEndpoint,
"openid profile email",
)
if err != nil {
log.Fatalf("device authorization failed: %v", err)
}
// Display user code and verification URL to user
if authResp.VerificationURIComplete != nil {
fmt.Printf("Please visit: %s\n", *authResp.VerificationURIComplete)
} else {
fmt.Printf("Please visit: %s\n", authResp.VerificationURI)
fmt.Printf("And enter code: %s\n", authResp.UserCode)
}
// Poll for token (handles polling internally with proper intervals)
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
defer cancel()
tokenResp, err := client.PollForDeviceAccessToken(ctx, as, authResp)
if err != nil {
log.Fatalf("token request failed: %v", err)
}
fmt.Printf("Access Token: %s\n", tokenResp.AccessToken)
}
DPoP (Demonstrating Proof of Possession)
Generate and use DPoP proofs for enhanced token security:
package main
import (
"fmt"
"log"
"net/http"
"github.com/matoous/authlib/dpop"
)
func main() {
// Generate a key pair for DPoP
keypair, err := dpop.GenerateKeyPair(dpop.ES256)
if err != nil {
log.Fatalf("failed to generate key pair: %v", err)
}
// Generate a DPoP proof for a request
proof, err := keypair.GenerateProof(
"https://api.example.com/resource", // HTU (HTTP URI)
http.MethodGet, // HTM (HTTP Method)
"", // nonce (if required by server)
"your-access-token", // access token
nil, // additional claims
)
if err != nil {
log.Fatalf("generate DPoP proof: %v", err)
}
// Use the proof in an HTTP request
req, _ := http.NewRequest(http.MethodGet, "https://api.example.com/resource", nil)
req.Header.Set("Authorization", "DPoP your-access-token")
req.Header.Set("DPoP", proof)
// Send the request...
fmt.Printf("DPoP header: %s\n", proof)
}
Client Credentials Grant
Use the Client Credentials grant for machine-to-machine authentication:
package main
import (
"context"
"fmt"
"log"
"github.com/matoous/authlib"
"github.com/matoous/authlib/secret"
)
func main() {
client := &authlib.Client{
ClientID: "your-client-id",
ClientSecret: secret.New("your-client-secret"),
}
as := &authlib.AuthorizationServerConfig{
TokenEndpoint: "https://auth.example.com/token",
}
// Request access token using client credentials
token, err := client.ClientCredentials(context.Background(), as, &authlib.ClientCredentialsRequest{
Scope: "read write",
})
if err != nil {
log.Fatalf("client credentials request failed: %v", err)
}
fmt.Printf("Access Token: %s\n", token.AccessToken)
fmt.Printf("Token Type: %s\n", token.TokenType)
fmt.Printf("Expires In: %d seconds\n", token.ExpiresIn)
}
Token Exchange
Exchange one security token for another:
package main
import (
"context"
"fmt"
"log"
"github.com/matoous/authlib"
"github.com/matoous/authlib/secret"
)
func main() {
client := &authlib.Client{
ClientID: "your-client-id",
ClientSecret: secret.New("your-client-secret"),
}
as := &authlib.AuthorizationServerConfig{
TokenEndpoint: "https://auth.example.com/token",
}
// Exchange an access token for a different audience
exchangedToken, err := client.TokenExchange(context.Background(), as, &authlib.TokenExchangeRequest{
SubjectToken: secret.New("original-access-token"),
SubjectTokenType: authlib.TokenTypeAccessToken,
Audience: "api-service",
Scope: "read",
})
if err != nil {
log.Fatalf("token exchange failed: %v", err)
}
fmt.Printf("Exchanged Token: %s\n", exchangedToken.AccessToken)
fmt.Printf("Issued Token Type: %s\n", exchangedToken.IssuedTokenType)
}
Token Introspection
Query the authorization server about the state of an access token:
package main
import (
"context"
"fmt"
"log"
"github.com/matoous/authlib"
"github.com/matoous/authlib/secret"
)
func main() {
client := &authlib.Client{
ClientID: "your-client-id",
ClientSecret: secret.New("your-client-secret"),
}
// Introspect an access token
resp, err := client.IntrospectToken(
context.Background(),
"https://auth.example.com/introspect",
&authlib.IntrospectionRequest{
Token: secret.New("access-token-to-check"),
TokenTypeHint: "access_token",
},
)
if err != nil {
log.Fatalf("introspection failed: %v", err)
}
if resp.Active {
fmt.Printf("Token is active\n")
fmt.Printf("Scope: %s\n", resp.Scope)
fmt.Printf("Client ID: %s\n", resp.ClientID)
fmt.Printf("Username: %s\n", resp.Username)
fmt.Printf("Expires at: %d\n", resp.Exp)
} else {
fmt.Println("Token is not active (expired, revoked, or invalid)")
}
}
Request Options
All OAuth 2.0 token request methods support flexible options for customization:
package main
import (
"context"
"fmt"
"log"
"net/http"
"net/url"
"time"
"github.com/matoous/authlib"
"github.com/matoous/authlib/dpop"
"github.com/matoous/authlib/secret"
)
func main() {
client := &authlib.Client{
ClientID: "your-client-id",
ClientSecret: secret.New("your-client-secret"),
}
as := &authlib.AuthorizationServerConfig{
TokenEndpoint: "https://auth.example.com/token",
}
// Generate DPoP key pair
dpopKey, err := dpop.GenerateKeyPair(dpop.ES256)
if err != nil {
log.Fatal(err)
}
// Use options for extra parameters, headers, custom HTTP client, and DPoP
customClient := &http.Client{
Timeout: 30 * time.Second,
}
extraParams := url.Values{}
extraParams.Set("audience", "api-service")
token, err := client.ClientCredentials(context.Background(), as,
&authlib.ClientCredentialsRequest{Scope: "read write"},
authlib.WithDPoP(dpopKey), // Enable DPoP
authlib.WithExtraParams(extraParams), // Add extra parameters
authlib.WithExtraHeader("X-Tenant-ID", "tenant"), // Add custom header
authlib.WithHTTPClient(customClient)) // Use custom HTTP client
if err != nil {
log.Fatal(err)
}
fmt.Printf("Access Token: %s\n", token.AccessToken)
fmt.Printf("Token Type: %s\n", token.TokenType) // Will be "DPoP" when using DPoP
}
Available options:
WithExtraParam(key, value)- Add a single extra parameter to the requestWithExtraParams(params)- Add multiple extra parametersWithExtraHeader(key, value)- Add a single extra headerWithExtraHeaders(headers)- Add multiple extra headersWithHTTPClient(client)- Use a custom HTTP clientWithDPoP(proofGenerator)- Enable DPoP proof-of-possessionWithDPoPNonce(nonce)- Set DPoP nonce from previous response
WWW-Authenticate Header Parsing
Parse WWW-Authenticate headers from protected resource responses:
package main
import (
"fmt"
"log"
"github.com/matoous/authlib/wwwauthenticate"
)
func main() {
// Parse a WWW-Authenticate header
headerValue := `Bearer realm="example", error="invalid_token", error_description="Token expired"`
challenge, err := wwwauthenticate.Parse(headerValue)
if err != nil {
log.Fatalf("failed to parse header: %v", err)
}
bearerChallenge, ok := challenge.(*wwwauthenticate.BearerChallenge)
if !ok {
log.Fatal("expected Bearer challenge")
}
fmt.Printf("Realm: %s\n", bearerChallenge.Realm)
fmt.Printf("Error: %s\n", bearerChallenge.Error)
fmt.Printf("Error Description: %s\n", bearerChallenge.ErrorDescription)
}
Step-Up Authentication (RFC 9470)
Handle step-up authentication challenges when a resource server requires higher authentication:
package main
import (
"context"
"errors"
"fmt"
"log"
"net/http"
"github.com/matoous/authlib"
"github.com/matoous/authlib/wwwauthenticate"
)
func main() {
// Initial request with basic token
req, _ := http.NewRequest("GET", "https://api.example.com/sensitive", nil)
req.Header.Set("Authorization", "Bearer "+accessToken.Value())
resp, err := http.DefaultClient.Do(req)
if err != nil {
log.Fatal(err)
}
defer resp.Body.Close()
// Check for step-up challenge
if resp.StatusCode == http.StatusUnauthorized {
authHeader := resp.Header.Get("WWW-Authenticate")
challengeErr := wwwauthenticate.ParseChallenge(authHeader)
var bearerErr *wwwauthenticate.BearerError
if errors.As(challengeErr, &bearerErr) {
if bearerErr.Reason == wwwauthenticate.InsufficientUserAuthenticationError {
// Extract step-up requirements
if bearerErr.ACRValues != nil {
fmt.Printf("Required ACR: %s\n", *bearerErr.ACRValues)
}
if bearerErr.MaxAge != nil {
fmt.Printf("Max age: %v\n", *bearerErr.MaxAge)
}
// Re-authenticate with required parameters
// Include acr_values in authorization request
// Then retry with new token
}
}
}
}
Documentation
For complete documentation, see the Go package documentation.
License
Licensed under the Apache License, Version 2.0. See LICENSE for details.
Documentation
¶
Index ¶
- Constants
- func VerifyCodeChallenge(verifier, challenge string, method CodeChallengeMethod) (bool, error)
- type AuthorizationChallengeError
- type AuthorizationChallengeRequest
- type AuthorizationChallengeResponse
- type AuthorizationRequest
- type AuthorizationResponse
- type AuthorizationServer
- type AuthorizationServerConfig
- func (c *AuthorizationServerConfig) GetAuthorizationChallengeEndpoint() string
- func (c *AuthorizationServerConfig) GetAuthorizationEndpoint() string
- func (c *AuthorizationServerConfig) GetDeviceAuthorizationEndpoint() string
- func (c *AuthorizationServerConfig) GetIntrospectionEndpoint() string
- func (c *AuthorizationServerConfig) GetPushedAuthorizationRequestEndpoint() string
- func (c *AuthorizationServerConfig) GetTokenEndpoint() string
- func (c *AuthorizationServerConfig) RequiresPushedAuthorizationRequests() bool
- type AuthorizationServerMetadata
- func (m *AuthorizationServerMetadata) GetAuthorizationChallengeEndpoint() string
- func (m *AuthorizationServerMetadata) GetAuthorizationEndpoint() string
- func (m *AuthorizationServerMetadata) GetDeviceAuthorizationEndpoint() string
- func (m *AuthorizationServerMetadata) GetIntrospectionEndpoint() string
- func (m *AuthorizationServerMetadata) GetPushedAuthorizationRequestEndpoint() string
- func (m *AuthorizationServerMetadata) GetTokenEndpoint() string
- func (m *AuthorizationServerMetadata) RequiresPushedAuthorizationRequests() bool
- type Client
- func (c *Client) AuthorizationChallenge(ctx context.Context, as AuthorizationServer, ...) (*AuthorizationChallengeResponse, error)
- func (c *Client) BuildAuthorizationURL(ctx context.Context, as AuthorizationServer, req *AuthorizationRequest, ...) (string, error)
- func (c *Client) ClientCredentials(ctx context.Context, as AuthorizationServer, req *ClientCredentialsRequest, ...) (*TokenResponse, error)
- func (r *Client) ClientSecretExpired() bool
- func (c *Client) DeleteClient(ctx context.Context, registrationClientURI, registrationAccessToken string) error
- func (c *Client) DeviceAccessToken(ctx context.Context, as AuthorizationServer, deviceCode string, opts ...Option) (*TokenResponse, error)
- func (c *Client) DeviceAuth(ctx context.Context, deviceEndpoint string, scope string, opts ...Option) (*DeviceAuthorizationResponse, error)
- func (c *Client) ExchangeAuthorizationCode(ctx context.Context, as AuthorizationServer, ...) (*TokenResponse, error)
- func (c *Client) GetClientConfiguration(ctx context.Context, registrationClientURI, registrationAccessToken string) (*Client, error)
- func (c *Client) IntrospectToken(ctx context.Context, introspectionEndpoint string, req *IntrospectionRequest, ...) (*IntrospectionResponse, error)
- func (c *Client) PollForDeviceAccessToken(ctx context.Context, as AuthorizationServer, ...) (*TokenResponse, error)
- func (c *Client) PushedAuthorizationRequest(ctx context.Context, as AuthorizationServer, redirectURI, scope string, ...) (*PushedAuthorizationResponse, error)
- func (c *Client) Register(ctx context.Context, registrationEndpoint string, ...) (*Client, error)
- func (c *Client) TokenExchange(ctx context.Context, as AuthorizationServer, req *TokenExchangeRequest, ...) (*TokenExchangeResponse, error)
- func (c *Client) UpdateClientConfiguration(ctx context.Context, registrationClientURI, registrationAccessToken string, ...) (*Client, error)
- type ClientCredentialsRequest
- type ClientRegistrationError
- type ClientRegistrationRequest
- type CodeChallengeMethod
- type DPoPProofGenerator
- type DefaultAuthorizationServer
- func (d *DefaultAuthorizationServer) GetAuthorizationChallengeEndpoint() string
- func (d *DefaultAuthorizationServer) GetAuthorizationEndpoint() string
- func (d *DefaultAuthorizationServer) GetDeviceAuthorizationEndpoint() string
- func (d *DefaultAuthorizationServer) GetIntrospectionEndpoint() string
- func (d *DefaultAuthorizationServer) GetPushedAuthorizationRequestEndpoint() string
- func (d *DefaultAuthorizationServer) GetTokenEndpoint() string
- func (d *DefaultAuthorizationServer) RequiresPushedAuthorizationRequests() bool
- type DeviceAccessTokenRequest
- type DeviceAuthorizationRequest
- type DeviceAuthorizationResponse
- type ErrorType
- type ExchangeAuthorizationCodeRequest
- type GrantType
- type IntrospectionRequest
- type IntrospectionResponse
- type OAuth2Error
- type Option
- func WithDPoP(proofGenerator DPoPProofGenerator) Option
- func WithDPoPNonce(nonce string) Option
- func WithExtraHeader(key, value string) Option
- func WithExtraHeaders(headers http.Header) Option
- func WithExtraParam(key, value string) Option
- func WithExtraParams(params url.Values) Option
- func WithHTTPClient(client *http.Client) Option
- type PKCEParams
- type ProtectedResourceMetadata
- type PushedAuthorizationRequest
- type PushedAuthorizationResponse
- type ResponseType
- type StringOrArray
- type TokenEndpointAuthMethod
- type TokenExchangeRequest
- type TokenExchangeResponse
- type TokenRequest
- type TokenResponse
- type TokenType
Constants ¶
const ( // ErrorInvalidRedirectURI indicates invalid redirect_uri values. ErrorInvalidRedirectURI = "invalid_redirect_uri" // ErrorInvalidClientMetadata indicates invalid client metadata. ErrorInvalidClientMetadata = "invalid_client_metadata" // ErrorInvalidSoftwareStatement indicates invalid or unapproved software statement. ErrorInvalidSoftwareStatement = "invalid_software_statement" // ErrorUnapprovedSoftwareStatement indicates the software statement is not approved. ErrorUnapprovedSoftwareStatement = "unapproved_software_statement" )
Registration error codes defined in RFC 7591.
Variables ¶
This section is empty.
Functions ¶
func VerifyCodeChallenge ¶
func VerifyCodeChallenge(verifier, challenge string, method CodeChallengeMethod) (bool, error)
VerifyCodeChallenge verifies that the code verifier matches the code challenge using the specified method. This is typically used by the authorization server to verify the PKCE challenge.
Types ¶
type AuthorizationChallengeError ¶
type AuthorizationChallengeError struct {
OAuth2Error
// AuthSession allows the authorization server to associate subsequent requests
// by this client with an ongoing authorization request sequence. The client MUST
// include the auth_session in follow-up requests to the authorization challenge
// endpoint if it receives one along with the error response.
// OPTIONAL.
AuthSession string `json:"auth_session,omitempty"`
// RequestURI is a request URI as described by RFC 9126 (PAR) Section 2.2.
// OPTIONAL.
RequestURI string `json:"request_uri,omitempty"`
// ExpiresIn is the lifetime of the request_uri in seconds.
// OPTIONAL.
ExpiresIn int `json:"expires_in,omitempty"`
}
AuthorizationChallengeError represents an error response from the authorization challenge endpoint. It extends the standard OAuth2Error with first-party specific fields.
EXPERIMENTAL: draft-ietf-oauth-first-party-apps
func (*AuthorizationChallengeError) Error ¶
func (e *AuthorizationChallengeError) Error() string
type AuthorizationChallengeRequest ¶
type AuthorizationChallengeRequest struct {
// Scope is the scope of the access request.
// OPTIONAL.
Scope string
// AuthSession is a session token from a previous authorization challenge response
// that allows the authorization server to associate subsequent requests with an
// ongoing authorization request sequence.
// OPTIONAL.
AuthSession string
// CodeChallenge is the PKCE code challenge derived from the code verifier.
// OPTIONAL but RECOMMENDED.
CodeChallenge string
// CodeChallengeMethod is the method used to derive the code challenge.
// OPTIONAL but RECOMMENDED.
CodeChallengeMethod CodeChallengeMethod
}
AuthorizationChallengeRequest represents a request to the authorization challenge endpoint. The authorization challenge endpoint is used by first-party clients to obtain authorization codes through a native experience without browser redirection.
EXPERIMENTAL: draft-ietf-oauth-first-party-apps
type AuthorizationChallengeResponse ¶
type AuthorizationChallengeResponse struct {
// AuthorizationCode is the authorization code issued by the authorization server.
// REQUIRED.
AuthorizationCode string `json:"authorization_code"`
}
AuthorizationChallengeResponse represents a successful response from the authorization challenge endpoint containing an authorization code.
EXPERIMENTAL: draft-ietf-oauth-first-party-apps
type AuthorizationRequest ¶
type AuthorizationRequest struct {
// RedirectURI is the client's redirection endpoint.
// OPTIONAL.
RedirectURI string
// Scope is the scope of the access request.
// OPTIONAL.
Scope string
// State is an opaque value used by the client to maintain state between the request
// and callback. RECOMMENDED to prevent CSRF attacks.
// OPTIONAL.
State string
// CodeChallenge is the PKCE code challenge derived from the code verifier.
// OPTIONAL but RECOMMENDED per RFC 7636.
CodeChallenge string
// CodeChallengeMethod is the method used to derive the code challenge.
// OPTIONAL but RECOMMENDED per RFC 7636.
CodeChallengeMethod CodeChallengeMethod
}
AuthorizationRequest represents parameters for an OAuth 2.0 authorization request.
type AuthorizationResponse ¶
type AuthorizationResponse struct {
// Code is the authorization code generated by the authorization server.
// REQUIRED.
Code string
// State is the exact value received from the client if present in the request.
// REQUIRED if the "state" parameter was present in the authorization request.
State string
}
AuthorizationResponse represents the response from the authorization endpoint.
func ParseAuthorizationResponse ¶
func ParseAuthorizationResponse(redirectURL string, expectedState string) (*AuthorizationResponse, error)
ParseAuthorizationResponse parses the authorization response from the redirect URI query parameters. It validates that the state matches if a state parameter was provided in the original request.
type AuthorizationServer ¶
type AuthorizationServer interface {
// GetAuthorizationEndpoint returns the URL of the authorization server's authorization endpoint.
GetAuthorizationEndpoint() string
// GetTokenEndpoint returns the URL of the authorization server's token endpoint.
GetTokenEndpoint() string
// GetDeviceAuthorizationEndpoint returns the URL of the authorization server's device authorization endpoint.
GetDeviceAuthorizationEndpoint() string
// GetPushedAuthorizationRequestEndpoint returns the URL of the authorization server's PAR endpoint.
GetPushedAuthorizationRequestEndpoint() string
// GetAuthorizationChallengeEndpoint returns the URL of the authorization server's authorization challenge endpoint.
// EXPERIMENTAL: draft-ietf-oauth-first-party-apps-02
GetAuthorizationChallengeEndpoint() string
// GetIntrospectionEndpoint returns the URL of the authorization server's token introspection endpoint.
GetIntrospectionEndpoint() string
// RequiresPushedAuthorizationRequests indicates whether the authorization server requires
// authorization request data to be sent only via PAR.
RequiresPushedAuthorizationRequests() bool
}
AuthorizationServer is an interface for accessing authorization server endpoint URLs. It abstracts the source of these URLs, which can come from: - Static configuration (AuthorizationServerConfig) - Discovery metadata (oidc.AuthorizationServerMetadata) - Other metadata sources
type AuthorizationServerConfig ¶
type AuthorizationServerConfig struct {
// AuthorizationEndpoint is the URL of the authorization server's authorization endpoint.
AuthorizationEndpoint string
// TokenEndpoint is the URL of the authorization server's token endpoint.
TokenEndpoint string
// DeviceAuthorizationEndpoint is the URL of the authorization server's device authorization endpoint.
DeviceAuthorizationEndpoint string
// PushedAuthorizationRequestEndpoint is the URL of the authorization server's PAR endpoint.
PushedAuthorizationRequestEndpoint string
// AuthorizationChallengeEndpoint is the URL of the authorization server's authorization challenge endpoint.
// EXPERIMENTAL: draft-ietf-oauth-first-party-apps-02
AuthorizationChallengeEndpoint string
// IntrospectionEndpoint is the URL of the authorization server's token introspection endpoint.
IntrospectionEndpoint string
// RequirePushedAuthorizationRequests indicates whether the authorization server requires
// authorization request data to be sent only via PAR.
RequirePushedAuthorizationRequests bool
}
AuthorizationServerConfig is a static configuration for authorization server endpoints. It implements the AuthorizationServer interface.
func (*AuthorizationServerConfig) GetAuthorizationChallengeEndpoint ¶
func (c *AuthorizationServerConfig) GetAuthorizationChallengeEndpoint() string
GetAuthorizationChallengeEndpoint returns the URL of the authorization server's authorization challenge endpoint. EXPERIMENTAL: draft-ietf-oauth-first-party-apps-02
func (*AuthorizationServerConfig) GetAuthorizationEndpoint ¶
func (c *AuthorizationServerConfig) GetAuthorizationEndpoint() string
GetAuthorizationEndpoint returns the URL of the authorization server's authorization endpoint.
func (*AuthorizationServerConfig) GetDeviceAuthorizationEndpoint ¶
func (c *AuthorizationServerConfig) GetDeviceAuthorizationEndpoint() string
GetDeviceAuthorizationEndpoint returns the URL of the authorization server's device authorization endpoint.
func (*AuthorizationServerConfig) GetIntrospectionEndpoint ¶
func (c *AuthorizationServerConfig) GetIntrospectionEndpoint() string
GetIntrospectionEndpoint returns the URL of the authorization server's token introspection endpoint.
func (*AuthorizationServerConfig) GetPushedAuthorizationRequestEndpoint ¶
func (c *AuthorizationServerConfig) GetPushedAuthorizationRequestEndpoint() string
GetPushedAuthorizationRequestEndpoint returns the URL of the authorization server's PAR endpoint.
func (*AuthorizationServerConfig) GetTokenEndpoint ¶
func (c *AuthorizationServerConfig) GetTokenEndpoint() string
GetTokenEndpoint returns the URL of the authorization server's token endpoint.
func (*AuthorizationServerConfig) RequiresPushedAuthorizationRequests ¶
func (c *AuthorizationServerConfig) RequiresPushedAuthorizationRequests() bool
RequiresPushedAuthorizationRequests indicates whether the authorization server requires authorization request data to be sent only via PAR.
type AuthorizationServerMetadata ¶
type AuthorizationServerMetadata struct {
// Issuer is the authorization server's issuer identifier, which is
// a URL that uses the "https" scheme and has no query or fragment
// components.
// REQUIRED.
Issuer string `json:"issuer"`
// AuthorizationEndpoint is the URL of the authorization server's authorization endpoint
// [RFC6749].
// REQUIRED unless no grant types are supported that use the authorization endpoint.
AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`
// TokenEndpoint is the URL of the authorization server's token endpoint [RFC6749].
// REQUIRED unless only the implicit grant type is supported.
TokenEndpoint string `json:"token_endpoint,omitempty"`
// JWKSURI is the URL of the authorization server's JWK Set [JWK] document.
// OPTIONAL.
JWKSURI string `json:"jwks_uri,omitempty"`
// RegistrationEndpoint is the URL of the authorization server's OAuth 2.0 Dynamic
// Client Registration endpoint [RFC7591].
// OPTIONAL.
RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
// ScopesSupported is a JSON array containing a list of the OAuth 2.0 [RFC6749]
// "scope" values that this authorization server supports.
// OPTIONAL.
ScopesSupported []string `json:"scopes_supported,omitempty"`
// ResponseTypesSupported is a JSON array containing a list of the OAuth 2.0
// "response_type" values that this authorization server supports.
// REQUIRED.
ResponseTypesSupported []string `json:"response_types_supported"`
// ResponseModesSupported is a JSON array containing a list of the OAuth 2.0
// "response_mode" values that this authorization server supports.
// OPTIONAL. If omitted, the default is ["query", "fragment"].
ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
// GrantTypesSupported is a JSON array containing a list of the OAuth 2.0 grant
// type values that this authorization server supports.
// OPTIONAL. If omitted, the default value is ["authorization_code", "implicit"].
GrantTypesSupported []string `json:"grant_types_supported,omitempty"`
// TokenEndpointAuthMethodsSupported is a JSON array containing a list of client
// authentication methods supported by this token endpoint.
// OPTIONAL. If omitted, the default is "client_secret_basic".
TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
// TokenEndpointAuthSigningAlgValuesSupported is a JSON array containing a list of the
// JWS signing algorithms ("alg" values) supported by the token endpoint for the
// signature on the JWT used to authenticate the client.
// OPTIONAL.
TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
// ServiceDocumentation is a URL of a page containing human-readable information
// that developers might want or need to know when using the authorization server.
// OPTIONAL.
ServiceDocumentation string `json:"service_documentation,omitempty"`
// UILocalesSupported is a languages and scripts supported for the user interface,
// represented as a JSON array of language tag values from BCP 47 [RFC5646].
// OPTIONAL.
UILocalesSupported []string `json:"ui_locales_supported,omitempty"`
// OPPolicyURI is a URL that the authorization server provides to the person
// registering the client to read about the authorization server's requirements
// on how the client can use the data provided by the authorization server.
// OPTIONAL.
OPPolicyURI string `json:"op_policy_uri,omitempty"`
// OPTosURI is a URL that the authorization server provides to the person
// registering the client to read about the authorization server's terms of service.
// OPTIONAL.
OPTosURI string `json:"op_tos_uri,omitempty"`
// RevocationEndpoint is the URL of the authorization server's OAuth 2.0 revocation
// endpoint [RFC7009].
// OPTIONAL.
RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
// RevocationEndpointAuthMethodsSupported is a JSON array containing a list of client
// authentication methods supported by this revocation endpoint.
// OPTIONAL.
RevocationEndpointAuthMethodsSupported []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`
// RevocationEndpointAuthSigningAlgValuesSupported is a JSON array containing a list
// of the JWS signing algorithms supported by the revocation endpoint.
// OPTIONAL.
RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
// IntrospectionEndpoint is the URL of the authorization server's OAuth 2.0
// introspection endpoint [RFC7662].
// OPTIONAL.
IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
// IntrospectionEndpointAuthMethodsSupported is a JSON array containing a list of
// client authentication methods supported by this introspection endpoint.
// OPTIONAL.
IntrospectionEndpointAuthMethodsSupported []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`
// IntrospectionEndpointAuthSigningAlgValuesSupported is a JSON array containing a
// list of the JWS signing algorithms supported by the introspection endpoint.
// OPTIONAL.
IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
// CodeChallengeMethodsSupported is a JSON array containing a list of Proof Key for
// Code Exchange (PKCE) [RFC7636] code challenge methods supported by this
// authorization server.
// OPTIONAL.
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
// PushedAuthorizationRequestEndpoint is the URL of the authorization server's
// pushed authorization request endpoint [RFC9126].
// OPTIONAL.
PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint,omitempty"`
// RequirePushedAuthorizationRequests is a boolean parameter indicating whether
// the authorization server accepts authorization request data only via PAR.
// OPTIONAL. If omitted, the default value is false.
RequirePushedAuthorizationRequests bool `json:"require_pushed_authorization_requests,omitempty"`
// DeviceAuthorizationEndpoint is the URL of the authorization server's device
// authorization endpoint [RFC8628].
// OPTIONAL.
DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint,omitempty"`
// AuthorizationChallengeEndpoint is the URL of the authorization server's
// authorization challenge endpoint.
// EXPERIMENTAL: draft-ietf-oauth-first-party-apps-02
// OPTIONAL.
AuthorizationChallengeEndpoint string `json:"authorization_challenge_endpoint,omitempty"`
}
AuthorizationServerMetadata represents OAuth 2.0 Authorization Server Metadata as defined in RFC 8414.
This metadata allows authorization servers to publish information about their configuration and capabilities to facilitate OAuth 2.0 clients in interacting with the authorization server.
Specification: https://datatracker.ietf.org/doc/html/rfc8414
func FetchAuthorizationServerMetadata ¶
func FetchAuthorizationServerMetadata(ctx context.Context, issuer string) (*AuthorizationServerMetadata, error)
FetchAuthorizationServerMetadata fetches the authorization server metadata from the well-known endpoint.
It supports both RFC 8414 discovery methods:
For issuer identifiers with a path component: /.well-known/oauth-authorization-server/<path>
For issuer identifiers without a path: /.well-known/oauth-authorization-server
The issuer parameter should be the authorization server's issuer identifier (a URL using HTTPS scheme).
Example:
metadata, err := FetchAuthorizationServerMetadata(ctx, "https://auth.example.com")
func FetchAuthorizationServerMetadataWithClient ¶
func FetchAuthorizationServerMetadataWithClient(ctx context.Context, issuer string, client *http.Client) (*AuthorizationServerMetadata, error)
FetchAuthorizationServerMetadataWithClient fetches the authorization server metadata using a custom HTTP client. See FetchAuthorizationServerMetadata for details on the discovery process.
func (*AuthorizationServerMetadata) GetAuthorizationChallengeEndpoint ¶
func (m *AuthorizationServerMetadata) GetAuthorizationChallengeEndpoint() string
GetAuthorizationChallengeEndpoint returns the URL of the authorization server's authorization challenge endpoint.
func (*AuthorizationServerMetadata) GetAuthorizationEndpoint ¶
func (m *AuthorizationServerMetadata) GetAuthorizationEndpoint() string
GetAuthorizationEndpoint returns the URL of the authorization server's authorization endpoint.
func (*AuthorizationServerMetadata) GetDeviceAuthorizationEndpoint ¶
func (m *AuthorizationServerMetadata) GetDeviceAuthorizationEndpoint() string
GetDeviceAuthorizationEndpoint returns the URL of the authorization server's device authorization endpoint.
func (*AuthorizationServerMetadata) GetIntrospectionEndpoint ¶
func (m *AuthorizationServerMetadata) GetIntrospectionEndpoint() string
GetIntrospectionEndpoint returns the URL of the authorization server's token introspection endpoint.
func (*AuthorizationServerMetadata) GetPushedAuthorizationRequestEndpoint ¶
func (m *AuthorizationServerMetadata) GetPushedAuthorizationRequestEndpoint() string
GetPushedAuthorizationRequestEndpoint returns the URL of the authorization server's PAR endpoint.
func (*AuthorizationServerMetadata) GetTokenEndpoint ¶
func (m *AuthorizationServerMetadata) GetTokenEndpoint() string
GetTokenEndpoint returns the URL of the authorization server's token endpoint.
func (*AuthorizationServerMetadata) RequiresPushedAuthorizationRequests ¶
func (m *AuthorizationServerMetadata) RequiresPushedAuthorizationRequests() bool
RequiresPushedAuthorizationRequests returns true if the AS requires pushed authorization request (PAR) when calling the authorization endpoint.
type Client ¶
type Client struct {
// ClientID is the client identifier issued to the client during registration.
// The client identifier is a unique string representing the registration
// information provided by the client. The client identifier is not a secret;
// it is exposed to the resource owner and MUST NOT be used alone for client authentication.
//
// REQUIRED.
//
// [RFC 6749 Section 2.2]: https://datatracker.ietf.org/doc/html/rfc6749#section-2.2
ClientID string `json:"client_id"`
// ClientSecret is a secret known only to the client and the authorization server.
// The authorization server MAY choose not to require client authentication for public clients.
//
// OPTIONAL for confidential clients, not used for public clients.
//
// [RFC 6749 Section 2.3.1]: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
ClientSecret secret.Secret `json:"client_secret,omitempty"`
// RedirectURIs is the set of redirection endpoints to which the authorization server
// will redirect the resource owner's user-agent after completing its interaction.
// The redirection endpoint URI MUST be an absolute URI and MAY include a query component
// but MUST NOT include a fragment component.
//
// REQUIRED for authorization code and implicit grants.
//
// [RFC 6749 Section 3.1.2]: https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2
RedirectURIs []string `json:"redirect_uris,omitempty"`
// GrantTypes is the list of OAuth 2.0 grant types the client may use.
// Grant types determine how the client obtains an access token.
//
// [RFC 6749 Section 1.3]: https://datatracker.ietf.org/doc/html/rfc6749#section-1.3
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
GrantTypes []GrantType `json:"grant_types,omitempty"`
// ResponseTypes is the list of OAuth 2.0 response types the client may use at the
// authorization endpoint. Response types determine what is returned to the client
// from the authorization endpoint.
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
ResponseTypes []ResponseType `json:"response_types,omitempty"`
// TokenEndpointAuthMethod is the requested authentication method for the token endpoint.
// Clients MAY use any authentication method supported by the authorization server.
//
// [RFC 6749 Section 2.3]: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
TokenEndpointAuthMethod TokenEndpointAuthMethod `json:"token_endpoint_auth_method,omitempty"`
// Scope is a space-delimited list of scope values the client can request.
// The authorization and token endpoints allow the client to specify the scope of the
// access request using the "scope" request parameter.
//
// [RFC 6749 Section 3.3]: https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
Scope string `json:"scope,omitempty"`
// ClientIDIssuedAt is the time at which the client identifier was issued (Unix timestamp).
// OPTIONAL.
//
// [RFC 7591 Section 3.2.1]: https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1
ClientIDIssuedAt int64 `json:"client_id_issued_at,omitempty"`
// ClientSecretExpiresAt is the time at which the client secret will expire (Unix timestamp).
// Set to 0 if the secret does not expire.
// REQUIRED if client_secret is issued.
//
// [RFC 7591 Section 3.2.1]: https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1
ClientSecretExpiresAt int64 `json:"client_secret_expires_at,omitempty"`
// RegistrationAccessToken is a token for accessing the client configuration endpoint.
// OPTIONAL.
//
// EXPERIMENTAL: This field is part of RFC 7592 (Dynamic Client Registration Management Protocol),
// which is an experimental specification.
//
// [RFC 7592 Section 3]: https://datatracker.ietf.org/doc/html/rfc7592#section-3
RegistrationAccessToken secret.Secret `json:"registration_access_token,omitempty"`
// RegistrationClientURI is the location of the client configuration endpoint.
// OPTIONAL.
//
// EXPERIMENTAL: This field is part of RFC 7592 (Dynamic Client Registration Management Protocol),
// which is an experimental specification.
//
// [RFC 7592 Section 3]: https://datatracker.ietf.org/doc/html/rfc7592#section-3
RegistrationClientURI string `json:"registration_client_uri,omitempty"`
// ClientName is the human-readable client name.
ClientName string `json:"client_name,omitempty"`
// ClientURI is the URL of the client's home page.
ClientURI string `json:"client_uri,omitempty"`
// LogoURI is the URL of the client's logo.
LogoURI string `json:"logo_uri,omitempty"`
// Contacts is the registered contact information.
Contacts []string `json:"contacts,omitempty"`
// TosURI is the client's terms of service URL.
TosURI string `json:"tos_uri,omitempty"`
// PolicyURI is the client's policy URL.
PolicyURI string `json:"policy_uri,omitempty"`
// JWKSURI is the client's JWK Set URL.
JWKSURI string `json:"jwks_uri,omitempty"`
// JWKS is the client's JWK Set.
JWKS json.RawMessage `json:"jwks,omitempty"`
// SoftwareID is the software identifier.
SoftwareID string `json:"software_id,omitempty"`
// SoftwareVersion is the software version.
SoftwareVersion string `json:"software_version,omitempty"`
// SoftwareStatement is the software statement that was used during registration.
SoftwareStatement string `json:"software_statement,omitempty"`
}
Client represents an OAuth 2.0 client as defined in RFC 6749. A client is an application making protected resource requests on behalf of the resource owner and with its authorization.
func (*Client) AuthorizationChallenge ¶
func (c *Client) AuthorizationChallenge(ctx context.Context, as AuthorizationServer, req *AuthorizationChallengeRequest, opts ...Option) (*AuthorizationChallengeResponse, error)
AuthorizationChallenge initiates or continues an authorization flow using the authorization challenge endpoint. This is designed for first-party applications that want to control the authorization process using a native experience.
The method may be called multiple times in a flow, with each call potentially returning either:
- An authorization code (AuthorizationChallengeResponse) on success
- An error requiring additional authentication steps (AuthorizationChallengeError) with an auth_session to use in the next request
- A terminal error (e.g., redirect_to_web, invalid_client)
EXPERIMENTAL: draft-ietf-oauth-first-party-apps
func (*Client) BuildAuthorizationURL ¶
func (c *Client) BuildAuthorizationURL(ctx context.Context, as AuthorizationServer, req *AuthorizationRequest, opts ...Option) (string, error)
BuildAuthorizationURL constructs the authorization endpoint URL with the request parameters. If the authorization server requires PAR, this method will automatically perform a PAR request and return the authorization URL with the request_uri parameter.
func (*Client) ClientCredentials ¶
func (c *Client) ClientCredentials(ctx context.Context, as AuthorizationServer, req *ClientCredentialsRequest, opts ...Option) (*TokenResponse, error)
ClientCredentials obtains an access token using the client credentials grant. This grant type is used when the client is acting on its own behalf (the client is also the resource owner).
The client MUST authenticate with the authorization server using the client credentials as described in RFC 6749 Section 2.3.
func (*Client) ClientSecretExpired ¶
ClientSecretExpired checks if the client secret has expired.
func (*Client) DeleteClient ¶
func (c *Client) DeleteClient(ctx context.Context, registrationClientURI, registrationAccessToken string) error
DeleteClient deletes a registered client from the authorization server. Requires a registration access token from the initial registration response.
EXPERIMENTAL: This function implements RFC 7592 (Dynamic Client Registration Management Protocol), which is an experimental specification.
func (*Client) DeviceAccessToken ¶
func (c *Client) DeviceAccessToken(ctx context.Context, as AuthorizationServer, deviceCode string, opts ...Option) (*TokenResponse, error)
DeviceAccessToken exchanges a device code for an access token.
DeviceAccessToken returns error if:
- The device code expires (expired_token error)
- The user denies authorization (access_denied error)
- The context is cancelled
- An unrecoverable error occurs
Use Client.PollForDeviceAccessToken to poll the token endpoint until the user confirms (or denies) the request.
func (*Client) DeviceAuth ¶
func (c *Client) DeviceAuth(ctx context.Context, deviceEndpoint string, scope string, opts ...Option) (*DeviceAuthorizationResponse, error)
DeviceAuth initiates the device authorization flow by requesting verification codes from the authorization server's device authorization endpoint.
func (*Client) ExchangeAuthorizationCode ¶
func (c *Client) ExchangeAuthorizationCode(ctx context.Context, as AuthorizationServer, req *ExchangeAuthorizationCodeRequest, opts ...Option) (*TokenResponse, error)
ExchangeAuthorizationCode exchanges an authorization code for an access token.
func (*Client) GetClientConfiguration ¶
func (c *Client) GetClientConfiguration(ctx context.Context, registrationClientURI, registrationAccessToken string) (*Client, error)
GetClientConfiguration retrieves the current configuration of a registered client. Requires a registration access token from the initial registration response.
EXPERIMENTAL: This function implements RFC 7592 (Dynamic Client Registration Management Protocol), which is an experimental specification.
func (*Client) IntrospectToken ¶
func (c *Client) IntrospectToken(ctx context.Context, introspectionEndpoint string, req *IntrospectionRequest, opts ...Option) (*IntrospectionResponse, error)
IntrospectToken introspects a token at the authorization server's introspection endpoint. This method determines the active state of an OAuth 2.0 token and to determine meta-information about this token.
The client MUST authenticate with the authorization server using the client credentials.
func (*Client) PollForDeviceAccessToken ¶
func (c *Client) PollForDeviceAccessToken(ctx context.Context, as AuthorizationServer, authResp *DeviceAuthorizationResponse, opts ...Option) (*TokenResponse, error)
PollForDeviceAccessToken exchanges a device code for an access token by polling the token endpoint. The client polls the token endpoint at the interval specified in the device authorization response, respecting the authorization_pending, slow_down, and other error responses according to RFC 8628.
The method continues polling until:
- The authorization is granted and a token is returned
- The device code expires (expired_token error)
- The user denies authorization (access_denied error)
- The context is cancelled
- An unrecoverable error occurs
func (*Client) PushedAuthorizationRequest ¶
func (c *Client) PushedAuthorizationRequest(ctx context.Context, as AuthorizationServer, redirectURI, scope string, opts ...Option) (*PushedAuthorizationResponse, error)
PushedAuthorizationRequest initiates a pushed authorization request by sending authorization request parameters directly to the PAR endpoint.
func (*Client) Register ¶
func (c *Client) Register(ctx context.Context, registrationEndpoint string, req *ClientRegistrationRequest) (*Client, error)
Register registers a new OAuth 2.0 client with the authorization server. Returns the client registration response containing client credentials.
func (*Client) TokenExchange ¶
func (c *Client) TokenExchange(ctx context.Context, as AuthorizationServer, req *TokenExchangeRequest, opts ...Option) (*TokenExchangeResponse, error)
TokenExchange performs a token exchange as defined in RFC 8693. This grant type enables clients to exchange one security token for another.
func (*Client) UpdateClientConfiguration ¶
func (c *Client) UpdateClientConfiguration(ctx context.Context, registrationClientURI, registrationAccessToken string, req *ClientRegistrationRequest) (*Client, error)
UpdateClientConfiguration updates the configuration of a registered client. Requires a registration access token from the initial registration response.
EXPERIMENTAL: This function implements RFC 7592 (Dynamic Client Registration Management Protocol), which is an experimental specification.
type ClientCredentialsRequest ¶
type ClientCredentialsRequest struct {
// Scope is the scope of the access request.
// OPTIONAL.
Scope string
}
ClientCredentialsRequest represents parameters for the Client Credentials grant.
type ClientRegistrationError ¶
type ClientRegistrationError struct {
// ErrorCode is the error code.
ErrorCode string `json:"error"`
// ErrorDescription is a human-readable error description.
ErrorDescription string `json:"error_description,omitempty"`
}
ClientRegistrationError represents an error response from the registration endpoint.
func (*ClientRegistrationError) Error ¶
func (e *ClientRegistrationError) Error() string
type ClientRegistrationRequest ¶
type ClientRegistrationRequest struct {
// RedirectURIs is an array of redirection URIs for use in redirect-based flows.
// REQUIRED for clients using redirect-based flows.
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
RedirectURIs []string `json:"redirect_uris,omitempty"`
// TokenEndpointAuthMethod is the requested authentication method for the token endpoint.
// OPTIONAL. Default is "client_secret_basic".
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
TokenEndpointAuthMethod TokenEndpointAuthMethod `json:"token_endpoint_auth_method,omitempty"`
// GrantTypes is an array of OAuth 2.0 grant types the client may use.
// OPTIONAL. Default is ["authorization_code"].
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
GrantTypes []GrantType `json:"grant_types,omitempty"`
// ResponseTypes is an array of OAuth 2.0 response types the client may use.
// OPTIONAL. Default is ["code"].
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
ResponseTypes []ResponseType `json:"response_types,omitempty"`
// ClientName is a human-readable name of the client to be presented to the end-user.
// OPTIONAL.
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
ClientName string `json:"client_name,omitempty"`
// ClientURI is the URL of the client's home page.
// OPTIONAL.
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
ClientURI string `json:"client_uri,omitempty"`
// LogoURI is the URL that references a logo for the client.
// OPTIONAL.
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
LogoURI string `json:"logo_uri,omitempty"`
// Scope is a space-delimited list of scope values the client can request.
// OPTIONAL.
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
Scope string `json:"scope,omitempty"`
// Contacts is an array of strings representing ways to contact the client developers.
// OPTIONAL.
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
Contacts []string `json:"contacts,omitempty"`
// TosURI is a URL that points to the client's terms of service document.
// OPTIONAL.
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
TosURI string `json:"tos_uri,omitempty"`
// PolicyURI is a URL that points to the client's policy document.
// OPTIONAL.
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
PolicyURI string `json:"policy_uri,omitempty"`
// JWKSURI is the URL for the client's JSON Web Key Set document.
// OPTIONAL.
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
JWKSURI string `json:"jwks_uri,omitempty"`
// JWKS is the client's JSON Web Key Set document value.
// OPTIONAL.
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
JWKS json.RawMessage `json:"jwks,omitempty"`
// SoftwareID is a unique identifier string assigned by the client developer.
// OPTIONAL.
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
SoftwareID string `json:"software_id,omitempty"`
// SoftwareVersion is a version identifier string for the client software.
// OPTIONAL.
//
// [RFC 7591 Section 2]: https://datatracker.ietf.org/doc/html/rfc7591#section-2
SoftwareVersion string `json:"software_version,omitempty"`
// SoftwareStatement is a JWT containing client metadata claims that are signed by a
// software publisher. The JWT is used to assert metadata values about the client software.
// OPTIONAL.
//
// [RFC 7591 Section 2.3]: https://datatracker.ietf.org/doc/html/rfc7591#section-2.3
SoftwareStatement string `json:"software_statement,omitempty"`
}
ClientRegistrationRequest represents a client registration request to the registration endpoint. The client sends metadata about itself to the registration endpoint.
type CodeChallengeMethod ¶
type CodeChallengeMethod string
CodeChallengeMethod represents the method used to derive the code challenge from the code verifier.
const ( // CodeChallengeMethodS256 represents the SHA-256 hash method. // This is the recommended method per RFC 7636. CodeChallengeMethodS256 CodeChallengeMethod = "S256" // CodeChallengeMethodPlain represents the plain text method. // This should only be used if S256 is not supported by the server. CodeChallengeMethodPlain CodeChallengeMethod = "plain" )
type DPoPProofGenerator ¶
type DPoPProofGenerator interface {
GenerateProof(htu, htm, nonce, accessToken string, additional map[string]any) (string, error)
}
DPoPProofGenerator is an interface for generating DPoP proofs. Implementations should generate a DPoP proof JWT as specified in RFC 9449.
type DefaultAuthorizationServer ¶
type DefaultAuthorizationServer struct{}
DefaultAuthorizationServer provides default implementations for all AuthorizationServer methods. It returns empty strings for all endpoints and can be embedded in custom implementations to satisfy the interface while only overriding needed methods.
func (*DefaultAuthorizationServer) GetAuthorizationChallengeEndpoint ¶
func (d *DefaultAuthorizationServer) GetAuthorizationChallengeEndpoint() string
GetAuthorizationChallengeEndpoint returns an empty string.
func (*DefaultAuthorizationServer) GetAuthorizationEndpoint ¶
func (d *DefaultAuthorizationServer) GetAuthorizationEndpoint() string
GetAuthorizationEndpoint returns an empty string.
func (*DefaultAuthorizationServer) GetDeviceAuthorizationEndpoint ¶
func (d *DefaultAuthorizationServer) GetDeviceAuthorizationEndpoint() string
GetDeviceAuthorizationEndpoint returns an empty string.
func (*DefaultAuthorizationServer) GetIntrospectionEndpoint ¶
func (d *DefaultAuthorizationServer) GetIntrospectionEndpoint() string
GetIntrospectionEndpoint returns an empty string.
func (*DefaultAuthorizationServer) GetPushedAuthorizationRequestEndpoint ¶
func (d *DefaultAuthorizationServer) GetPushedAuthorizationRequestEndpoint() string
GetPushedAuthorizationRequestEndpoint returns an empty string.
func (*DefaultAuthorizationServer) GetTokenEndpoint ¶
func (d *DefaultAuthorizationServer) GetTokenEndpoint() string
GetTokenEndpoint returns an empty string.
func (*DefaultAuthorizationServer) RequiresPushedAuthorizationRequests ¶
func (d *DefaultAuthorizationServer) RequiresPushedAuthorizationRequests() bool
RequiresPushedAuthorizationRequests returns false.
type DeviceAccessTokenRequest ¶
type DeviceAccessTokenRequest struct {
// GrantType MUST be set to "urn:ietf:params:oauth:grant-type:device_code".
// REQUIRED.
GrantType GrantType `form:"grant_type"`
// DeviceCode is the device verification code from the authorization response.
// REQUIRED.
DeviceCode secret.Secret `form:"device_code"`
// ClientID is the client identifier.
// REQUIRED if the client is not authenticating with the authorization server.
ClientID string `form:"client_id"`
}
DeviceAccessTokenRequest represents a token request using the device authorization grant. The client makes a DeviceAccessTokenRequest to the token endpoint with the following parameters using the "application/x-www-form-urlencoded" format.
type DeviceAuthorizationRequest ¶
type DeviceAuthorizationRequest struct {
// ClientID is the client identifier, a unique string representing the registration information provided by the client
// REQUIRED if the client is not authenticating with the authorization server.
// The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication.
// The client identifier is unique to the authorization server.
ClientID string `form:"client_id"`
// ClientSecret is the client's secret. The client MAY omit the parameter if the client secret is an empty string
// i.e. the client is a public client.
ClientSecret secret.Secret `form:"client_secret"`
// Scope is the scope of the access request. List of space-delimited, case-sensitive strings.
// The order does not matter. Each string adds an additional access range to the requested scope
// OPTIONAL.
Scope string `form:"scope"`
}
The client initiates the authorization flow by requesting a set of verification codes from the authorization server by making an HTTP "POST" request to the device authorization endpoint. The client makes a DeviceAuthorizationRequest request with the following parameters using the "application/x-www-form-urlencoded" format with a character encoding of UTF-8 in the HTTP request entity-body
type DeviceAuthorizationResponse ¶
type DeviceAuthorizationResponse struct {
// DeviceCode is the device verification code.
DeviceCode secret.Secret `json:"device_code"`
// UserCode is the end-user verification code.
UserCode string `json:"user_code"`
// VerificationURI is the end-user verification URI on the authorization server.
// Should be short and easy to remember as end users will be asked to manually type it into their user agent
VerificationURI string `json:"verification_uri"`
// VerificationURIComplete is a verification URI that includes the user_code.
// OPTIONAL
VerificationURIComplete *string `json:"verification_uri_complete,omitempty"`
// ExpiresIn is the lifetime in seconds of the device_code and user_code.
ExpiresIn int `json:"expires_in"`
// Interval is the minimum amount of time in seconds that the client SHOULD wait
// between polling requests to the token endpoint. If no value is provided,
// clients MUST use 5 as the default.
Interval int `json:"interval,omitempty"`
}
DeviceAuthorizationResponse is a response to a successful device authorization request. The authorization server responds with a JSON object containing the following parameters:
type ErrorType ¶
type ErrorType string
const ( // ErrorAuthorizationPending indicates that the authorization request is still pending as the end user // hasn't yet completed the user-interaction steps. // // See: [RFC 8628 Section 3.5](https://datatracker.ietf.org/doc/html/rfc8628#section-3.5). ErrorAuthorizationPending ErrorType = "authorization_pending" // ErrorSlowDown indicates that the authorization request is still pending and polling should continue, // but the interval must be increased by 5 seconds for this and all subsequent requests. // // See: [RFC 8628 Section 3.5](https://datatracker.ietf.org/doc/html/rfc8628#section-3.5). ErrorSlowDown ErrorType = "slow_down" // ErrorExpiredToken indicates that the device_code has expired and the device authorization session // has concluded. // // See: [RFC 8628 Section 3.5](https://datatracker.ietf.org/doc/html/rfc8628#section-3.5). ErrorExpiredToken ErrorType = "expired_token" )
const ( // ErrorInsufficientAuthorization indicates that the presented authorization is // insufficient, and the authorization server is requesting the client take // additional steps to complete the authorization. // // EXPERIMENTAL: draft-ietf-oauth-first-party-apps-02 ErrorInsufficientAuthorization ErrorType = "insufficient_authorization" // ErrorInvalidSession indicates that the provided auth_session is invalid, // expired, revoked, or is otherwise invalid. // // EXPERIMENTAL: draft-ietf-oauth-first-party-apps-02 ErrorInvalidSession ErrorType = "invalid_session" // ErrorRedirectToWeb indicates that the request cannot be fulfilled with // any further direct interaction with the user. Instead, the client should // initiate a new authorization code flow so that the user interacts with // the authorization server in a web browser. // // EXPERIMENTAL: draft-ietf-oauth-first-party-apps-02 ErrorRedirectToWeb ErrorType = "redirect_to_web" )
type ExchangeAuthorizationCodeRequest ¶
type ExchangeAuthorizationCodeRequest struct {
// Code is the authorization code received from the authorization server.
// REQUIRED.
Code string
// RedirectURI is the redirect URI used in the authorization request.
// REQUIRED if the "redirect_uri" parameter was included in the authorization request.
RedirectURI string
// CodeVerifier is the PKCE code verifier.
// REQUIRED if PKCE was used in the authorization request.
CodeVerifier secret.Secret
}
ExchangeAuthorizationCodeRequest represents parameters for exchanging an authorization code for tokens.
type GrantType ¶
type GrantType string
const ( GrantTypeClientCredentials GrantType = "client_credentials" GrantTypeTokenExchange GrantType = "urn:ietf:params:oauth:grant-type:token-exchange" GrantTypeAuthorizationCode GrantType = "authorization_code" GrantTypeRefreshToken GrantType = "refresh_token" GrantTypeDeviceCode GrantType = "urn:ietf:params:oauth:grant-type:device_code" )
type IntrospectionRequest ¶
type IntrospectionRequest struct {
// Token is the string value of the token to be introspected.
// REQUIRED.
Token secret.Secret
// TokenTypeHint is a hint about the type of the token submitted for introspection.
// The authorization server MAY ignore this parameter.
// Valid values include "access_token" and "refresh_token".
// OPTIONAL.
TokenTypeHint string
}
IntrospectionRequest represents parameters for a token introspection request.
type IntrospectionResponse ¶
type IntrospectionResponse struct {
// Active is a boolean indicator of whether the token is currently active.
// The specifics of a token's "active" state will vary depending on the implementation
// of the authorization server and the information it keeps about its tokens.
// REQUIRED.
Active bool `json:"active"`
// Scope is a space-separated list of scopes associated with this token.
// OPTIONAL.
Scope string `json:"scope,omitempty"`
// ClientID is the client identifier for the OAuth 2.0 client that requested this token.
// OPTIONAL.
ClientID string `json:"client_id,omitempty"`
// Username is the human-readable identifier for the resource owner who authorized this token.
// OPTIONAL.
Username string `json:"username,omitempty"`
// TokenType is the type of the token as defined in RFC 6749 Section 7.1.
// OPTIONAL.
TokenType string `json:"token_type,omitempty"`
// Exp is the timestamp indicating when this token will expire (seconds since Unix epoch).
// OPTIONAL.
Exp int64 `json:"exp,omitempty"`
// Iat is the timestamp indicating when this token was originally issued (seconds since Unix epoch).
// OPTIONAL.
Iat int64 `json:"iat,omitempty"`
// Nbf is the timestamp indicating when this token is not to be used before (seconds since Unix epoch).
// OPTIONAL.
Nbf int64 `json:"nbf,omitempty"`
// Sub is the subject of the token, usually a machine-readable identifier of the resource owner.
// OPTIONAL.
Sub string `json:"sub,omitempty"`
// Aud is the intended audience for this token (service-specific string identifier or array of strings).
// OPTIONAL.
Aud StringOrArray `json:"aud,omitempty"`
// Iss is the issuer of the token.
// OPTIONAL.
Iss string `json:"iss,omitempty"`
// Jti is a unique identifier for the token.
// OPTIONAL.
Jti string `json:"jti,omitempty"`
}
IntrospectionResponse represents the response from a token introspection request.
type OAuth2Error ¶
type OAuth2Error struct {
// Error is the error code.
ErrorCode ErrorType `json:"error"`
// ErrorDescription is a human-readable description of the error.
ErrorDescription string `json:"error_description,omitempty"`
// ErrorURI is a URI identifying a human-readable web page with error information.
ErrorURI string `json:"error_uri,omitempty"`
}
OAuth2Error represents an OAuth 2.0 error response.
func (*OAuth2Error) Error ¶
func (e *OAuth2Error) Error() string
type Option ¶
type Option func(*requestOptions)
Option is a functional option for configuring OAuth 2.0 requests
func WithDPoP ¶
func WithDPoP(proofGenerator DPoPProofGenerator) Option
WithDPoP enables DPoP (Demonstrating Proof of Possession) for the request. The proofGenerator will be used to generate a DPoP proof bound to the HTTP method and URI.
Example using github.com/matoous/authlib/dpop:
keypair, _ := dpop.GenerateKeyPair(dpop.ES256) token, err := client.ClientCredentials(ctx, as, req, authlib.WithDPoP(keypair))
func WithDPoPNonce ¶
WithDPoPNonce sets the nonce for DPoP proof generation. The nonce should be obtained from a previous response's DPoP-Nonce header.
func WithExtraHeader ¶
WithExtraHeader adds a single extra header to the token request
func WithExtraHeaders ¶
WithExtraHeaders adds extra headers to the token request
func WithExtraParam ¶
WithExtraParam adds a single extra parameter to the token request
func WithExtraParams ¶
WithExtraParams adds extra parameters to the token request
func WithHTTPClient ¶
WithHTTPClient sets a custom HTTP client for the request
type PKCEParams ¶
type PKCEParams struct {
// CodeVerifier is the code verifier used in the token request.
// This should be stored securely by the client.
CodeVerifier string
// CodeChallenge is the code challenge sent in the authorization request.
CodeChallenge string
// CodeChallengeMethod is the method used to derive the code challenge.
CodeChallengeMethod CodeChallengeMethod
}
PKCEParams holds the PKCE parameters for an authorization request.
func GeneratePKCEParams ¶
func GeneratePKCEParams() (*PKCEParams, error)
GeneratePKCEParams generates a new set of PKCE parameters with the S256 challenge method. The code verifier is 43 URL-safe base64-encoded bytes (64 characters after encoding).
func GeneratePKCEParamsWithMethod ¶
func GeneratePKCEParamsWithMethod(method CodeChallengeMethod) (*PKCEParams, error)
GeneratePKCEParamsWithMethod generates a new set of PKCE parameters with the specified challenge method.
type ProtectedResourceMetadata ¶
type ProtectedResourceMetadata struct {
// Resource is the protected resource identifier.
// This is typically a URI that identifies the protected resource.
// REQUIRED.
Resource string `json:"resource"`
// AuthorizationServers contains a list of authorization server issuer identifiers
// that can issue access tokens for this protected resource.
// OPTIONAL.
AuthorizationServers []string `json:"authorization_servers,omitempty"`
// BearerMethodsSupported indicates the methods the protected resource supports
// for bearer token authentication as defined in RFC 6750.
// Values: "header", "body", "query"
// OPTIONAL.
BearerMethodsSupported []string `json:"bearer_methods_supported,omitempty"`
// ResourceSigningAlgValuesSupported contains a list of JWS signing algorithms
// supported for signed requests to this protected resource.
// OPTIONAL.
ResourceSigningAlgValuesSupported []string `json:"resource_signing_alg_values_supported,omitempty"`
// ResourceEncryptionAlgValuesSupported contains a list of JWE encryption algorithms
// supported for encrypted requests to this protected resource.
// OPTIONAL.
ResourceEncryptionAlgValuesSupported []string `json:"resource_encryption_alg_values_supported,omitempty"`
// ResourceEncryptionEncValuesSupported contains a list of JWE content encryption
// algorithms supported for encrypted requests to this protected resource.
// OPTIONAL.
ResourceEncryptionEncValuesSupported []string `json:"resource_encryption_enc_values_supported,omitempty"`
// ResourceDocumentation is a URL of a page containing human-readable information
// developers might need to know about the protected resource.
// OPTIONAL.
ResourceDocumentation string `json:"resource_documentation,omitempty"`
// Scopes contains a list of OAuth 2.0 scope values that can be used with this
// protected resource. The protected resource SHOULD include all scopes it supports.
// OPTIONAL.
Scopes []string `json:"scopes_supported,omitempty"`
// DPoPSigningAlgValuesSupported contains a list of JWS signing algorithms
// supported for DPoP proof JWTs as per RFC 9449.
// OPTIONAL.
DPoPSigningAlgValuesSupported []string `json:"dpop_signing_alg_values_supported,omitempty"`
}
ProtectedResourceMetadata represents OAuth 2.0 Protected Resource Metadata as defined in RFC 9449 and RFC 8693.
This metadata allows protected resources to publish information about their configuration, capabilities, and requirements to facilitate OAuth 2.0 clients in interacting with the protected resource.
Specification: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata
func (*ProtectedResourceMetadata) SupportsBearerMethod ¶
func (m *ProtectedResourceMetadata) SupportsBearerMethod(method string) bool
SupportsBearerMethod returns true if the protected resource supports the given bearer token authentication method.
func (*ProtectedResourceMetadata) SupportsDPoP ¶
func (m *ProtectedResourceMetadata) SupportsDPoP() bool
SupportsDPoP returns true if the protected resource supports DPoP.
func (*ProtectedResourceMetadata) SupportsDPoPAlgorithm ¶
func (m *ProtectedResourceMetadata) SupportsDPoPAlgorithm(alg string) bool
SupportsDPoPAlgorithm returns true if the protected resource supports the given DPoP signing algorithm.
func (*ProtectedResourceMetadata) SupportsScope ¶
func (m *ProtectedResourceMetadata) SupportsScope(scope string) bool
SupportsScope returns true if the protected resource supports the given scope.
type PushedAuthorizationRequest ¶
type PushedAuthorizationRequest struct {
// ResponseType is the response type, the value MUST be set to "code".
ResponseType string `form:"response_type"`
// ClientID is the client identifier as described in [Section 2.2](https://datatracker.ietf.org/doc/html/rfc6749#section-2.2).
ClientID string `form:"client_id"`
// ClientSecret is the client's secret. The client MAY omit the parameter if the client secret is an empty string.
ClientSecret secret.Secret `form:"client_secret"`
// As described in [Section 3.1.2](https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2).
RedirectURI string `form:"redirect_uri"`
// Scope is the scope of the access request as described by [Section 3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).
Scope string `form:"scope"`
// State is an opaque value used by the client to maintain
// state between the request and callback. The authorization
// server includes this value when redirecting the user-agent back
// to the client. The parameter SHOULD be used for preventing
// cross-site request forgery as described in [Section 10.12](https://datatracker.ietf.org/doc/html/rfc6749#section-10.12).
State *string `form:"state"`
// ClientAssertion is the assertion being used to authenticate the client.
// Specific serialization of the assertion is defined by profile documents.
//
// If ClientAssertion is present the "client_id" is unnecessary for client assertion authentication
// because the client is identified by the subject of the assertion.
// If present, the value of the "client_id" parameter MUST identify the same client as is identified by the client assertion.
//
// [RFC7521]: https://www.rfc-editor.org/rfc/rfc7521
ClientAssertion secret.Secret `form:"client_assertion"`
// ClientAssertionType is the format of the assertion as defined by the authorization server.
// The value will be an absolute URI.
//
// [RFC7521]: https://www.rfc-editor.org/rfc/rfc7521
ClientAssertionType string `form:"client_assertion_type"`
// Code challenge is derived from the the code verifier generated by the client that initiated
// the request.
//
// The code challenge is a Base64-URL-encoded string of the SHA256 hash of the code verifier.
CodeChallenge *string `form:"code_challenge"`
}
PushedAuthorizationRequest is a structure for the form-encoded request body to the PAR endpoint.
A client sends the parameters that comprise an authorization request directly to the PAR endpoint. A typical parameter set might include: client_id, response_type, redirect_uri, scope, state, code_challenge, and code_challenge_method as shown in the example below. However, the pushed authorization request can be composed of any of the parameters applicable for use at the authorization endpoint, including those defined in [RFC6749] as well as all applicable extensions. The request_uri authorization request parameter is one exception, and it MUST NOT be provided.
The request also includes, as appropriate for the given client, any additional parameters necessary for client authentication (e.g., client_secret or client_assertion and client_assertion_type). Such parameters are defined and registered for use at the token endpoint but are applicable only for client authentication. When present in a pushed authorization request, they are relied upon only for client authentication and are not germane to the authorization request itself. Any token endpoint parameters that are not related to client authentication have no defined meaning for a pushed authorization request. The client_id parameter is defined with the same semantics for both authorization requests and requests to the token endpoint; as a required authorization request parameter, it is similarly required in a pushed authorization request.
type PushedAuthorizationResponse ¶
type PushedAuthorizationResponse struct {
// RequestURI corresponds to the authorization request posted. This URI is a single-use
// reference to the respective request data in the subsequent authorization request. The way
// the authorization process obtains the authorization request data is at the discretion of the
// authorization server and is out of scope of this specification. There is no need to make the
// authorization request data available to other parties via this URI.
RequestURI string `json:"request_uri"`
// ExpiresIn is a JSON number that represents the lifetime of the request URI in seconds as a positive integer.
// The request URI lifetime is at the discretion of the authorization server but will typically be
// relatively short (e.g., between 5 and 600 seconds).
ExpiresIn int `json:"expires_in"`
}
PushedAuthorizationResponse is a response to a successful pushed authorization request. If the verification is successful, the server MUST generate a request URI and provide it in the response with a 201 HTTP status code. The following parameters are included as top-level members in the message body of the HTTP response using the application/json media type as defined by [RFC8259].
type ResponseType ¶
type ResponseType string
const ( ResponseTypeNone ResponseType = "none" ResponseTypeCode ResponseType = "code" )
type StringOrArray ¶
type StringOrArray []string
StringOrArray represents a value that can be either a single string or an array of strings. This is commonly used in OAuth 2.0 and OIDC specifications for fields like "aud" (audience) that may be represented as either a string or an array of strings in JSON.
func (StringOrArray) Contains ¶
func (s StringOrArray) Contains(value string) bool
Contains checks if the given value is present in the array.
func (StringOrArray) MarshalJSON ¶
func (s StringOrArray) MarshalJSON() ([]byte, error)
MarshalJSON implements json.Marshaler. If the array contains a single element, it marshals as a string. Otherwise, it marshals as an array of strings.
func (StringOrArray) String ¶
func (s StringOrArray) String() string
String returns the first element if the array has exactly one element, otherwise returns an empty string.
func (StringOrArray) Strings ¶
func (s StringOrArray) Strings() []string
Strings returns all values as a slice of strings.
func (*StringOrArray) UnmarshalJSON ¶
func (s *StringOrArray) UnmarshalJSON(data []byte) error
UnmarshalJSON implements json.Unmarshaler to handle both string and array formats.
type TokenEndpointAuthMethod ¶
type TokenEndpointAuthMethod string
const ( TokenEndpointAuthMethodClientSecretBasic TokenEndpointAuthMethod = "client_secret_basic" TokenEndpointAuthMethodClientSecretPost TokenEndpointAuthMethod = "client_secret_post" TokenEndpointAuthMethodNone TokenEndpointAuthMethod = "none" )
type TokenExchangeRequest ¶
type TokenExchangeRequest struct {
// SubjectToken is the security token that represents the identity of the party
// on behalf of whom the request is being made.
// REQUIRED.
SubjectToken secret.Secret
// SubjectTokenType is an identifier for the type of the requested security token.
// REQUIRED.
SubjectTokenType TokenType
// ActorToken is a security token that represents the identity of the acting party.
// OPTIONAL.
ActorToken secret.Secret
// ActorTokenType is an identifier for the type of the actor token.
// REQUIRED if actor_token is specified.
ActorTokenType TokenType
// Resource is the physical location of the target service or resource where the
// client intends to use the requested security token.
// OPTIONAL.
Resource string
// Audience is the logical name of the target service where the client intends
// to use the requested security token.
// OPTIONAL.
Audience string
// Scope is the scope of the access request.
// OPTIONAL.
Scope string
// RequestedTokenType is an identifier for the type of the requested security token.
// OPTIONAL.
RequestedTokenType TokenType
}
TokenExchangeRequest represents parameters for the Token Exchange grant.
type TokenExchangeResponse ¶
type TokenExchangeResponse struct {
TokenResponse
// IssuedTokenType is an identifier for the representation of the issued security token.
IssuedTokenType TokenType `json:"issued_token_type"`
}
TokenExchangeResponse represents a successful token exchange response. This extends TokenResponse with additional fields specific to token exchange.
type TokenRequest ¶
type TokenRequest struct {
GrantType GrantType `form:"grant_type"`
ClientID string `form:"client_id"`
Secret secret.Secret `form:"client_secret"`
Scope string `form:"scope"`
ClientAssertionType string `form:"client_assertion_type"`
ClientAssertion secret.Secret `form:"client_assertion"`
Code string `form:"code"`
CodeVerifier secret.Secret `form:"code_verifier"`
RedirectURI string `form:"redirect_uri"`
RefreshToken secret.Secret `form:"refresh_token"`
DeviceCode secret.Secret `form:"device_code"`
}
TokenRequest represents the incoming token request parameters from the HTTP form. See: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
type TokenResponse ¶
type TokenResponse struct {
// AccessToken is the access token issued by the authorization server.
// REQUIRED.
AccessToken secret.Secret `json:"access_token"`
// TokenType is the type of the token issued (e.g., "Bearer").
// REQUIRED.
TokenType string `json:"token_type"`
// ExpiresIn is the lifetime in seconds of the access token.
// OPTIONAL.
ExpiresIn int `json:"expires_in,omitempty"`
// RefreshToken is the refresh token, which can be used to obtain new access tokens.
// OPTIONAL.
RefreshToken secret.Secret `json:"refresh_token,omitempty"`
// Scope is the scope of the access token. OPTIONAL if identical to the requested scope.
Scope string `json:"scope,omitempty"`
}
TokenResponse represents a successful token response from the authorization server.
type TokenType ¶
type TokenType string
TokenType represents the type of token being exchanged or requested.
const ( TokenTypeAccessToken TokenType = "urn:ietf:params:oauth:token-type:access_token" TokenTypeRefreshToken TokenType = "urn:ietf:params:oauth:token-type:refresh_token" TokenTypeIDToken TokenType = "urn:ietf:params:oauth:token-type:id_token" TokenTypeSAML1 TokenType = "urn:ietf:params:oauth:token-type:saml1" TokenTypeSAML2 TokenType = "urn:ietf:params:oauth:token-type:saml2" TokenTypeJWT TokenType = "urn:ietf:params:oauth:token-type:jwt" )
Source Files
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
libauth
command
|
|
|
dpop
module
|
|
|
examples
|
|
|
discovery
command
|
|
|
Package rar implements OAuth 2.0 Rich Authorization Requests [RFC9396].
|
Package rar implements OAuth 2.0 Rich Authorization Requests [RFC9396]. |
|
softwarestatement
module
|
|
|
Package wwwauthenticate provides tooling for creating and parsing WWW-Authenticate headers according to the [RFC9110] and the extensions defined by the Bearer scheme in [RFC6750].
|
Package wwwauthenticate provides tooling for creating and parsing WWW-Authenticate headers according to the [RFC9110] and the extensions defined by the Bearer scheme in [RFC6750]. |