oidc

package
Published: Apr 22, 2026 License: Apache-2.0 Imports: 18 Imported by: 0


Constants

// Response-type and PKCE code-challenge-method identifiers used when building
// authorization requests.
const (
	// ResponseTypeCode requests the authorization-code grant.
	ResponseTypeCode         = "code"
	// CodeChallengeMethodPlain is the weaker PKCE method; PreferredCodeChallengeMethod
	// selects it only when the stronger method is not advertised.
	CodeChallengeMethodPlain = "plain"
	// CodeChallengeMethodS256 is the SHA-256 based PKCE method and the one
	// PreferredCodeChallengeMethod favours when the server supports it.
	CodeChallengeMethodS256  = "S256"
)
// Well-known issuer, discovery-document paths and local endpoint paths.
//
// Every *Path value is relative (no leading slash); the *URL helpers
// (ConfigURL, JWKSURL, AuthorizationURL, ...) combine them with an issuer.
const (
	// GoogleIssuer is the issuer URL used for Google-issued tokens.
	GoogleIssuer          = "https://accounts.google.com"
	// ConfigPath is the OpenID Connect discovery document path (see ConfigURL).
	ConfigPath            = ".well-known/openid-configuration"
	// OAuthConfigPath is the OAuth 2.0 authorization server metadata path (see OAuthConfigURL).
	OAuthConfigPath       = ".well-known/oauth-authorization-server"
	// ProtectedResourcePath is the OAuth protected resource metadata path (see ProtectedResourceMetadata).
	ProtectedResourcePath = ".well-known/oauth-protected-resource"
	// JWKSPath is the public key set path for locally issued tokens (see JWKSURL).
	JWKSPath              = ".well-known/jwks.json"
	// AuthorizationPath, AuthCodePath, AuthRevokePath and UserInfoPath are the
	// local server's own endpoints, addressed through AuthorizationURL,
	// AuthCodeURL, AuthRevokeURL and UserInfoURL.
	AuthorizationPath     = "auth/authorize"
	AuthCodePath          = "auth/code"
	AuthRevokePath        = "auth/revoke"
	UserInfoPath          = "auth/userinfo"
	// SigningAlgorithm is the JWS algorithm for locally issued tokens; the
	// signing and verification helpers take RSA keys accordingly.
	SigningAlgorithm      = "RS256"
)
// Standard OIDC scope names; together they form DefaultOIDCAuthorizationScopes.
const (
	// ScopeOpenID marks a request as an OpenID Connect request.
	ScopeOpenID  = "openid"
	// ScopeEmail requests email-related claims.
	ScopeEmail   = "email"
	// ScopeProfile requests profile-related claims.
	ScopeProfile = "profile"
)

Variables

// DefaultOIDCAuthorizationScopes is the scope set AuthorizationScopes falls back to
// when the caller supplies none. It is a mutable package-level slice: callers must
// not append to or modify it in place; clone it before changing it.
var DefaultOIDCAuthorizationScopes = []string{ScopeOpenID, ScopeEmail, ScopeProfile}

Functions

func AuthCodeURL

func AuthCodeURL(issuer string) string

AuthCodeURL returns the local authorization-code exchange URL for an issuer.

func AuthRevokeURL

func AuthRevokeURL(issuer string) string

AuthRevokeURL returns the local token revocation URL for an issuer.

func AuthorizationScopes

func AuthorizationScopes(config OIDCConfiguration, scopes ...string) []string

AuthorizationScopes returns the caller-supplied scopes when any are given; otherwise it returns the preferred default OIDC scopes, filtered to those advertised by the discovery document when it lists supported scopes.

func AuthorizationURL

func AuthorizationURL(issuer string) string

AuthorizationURL returns the authorization endpoint URL for an issuer.

func ConfigURL

func ConfigURL(issuer string) string

ConfigURL returns the discovery document URL for an issuer.

func ExtractIssuer

func ExtractIssuer(token string) (string, error)

ExtractIssuer returns the iss claim from a JWT payload without verifying the signature. The returned value is therefore untrusted until the token's signature has been verified.

func ExtractKeyID

func ExtractKeyID(token string) (string, error)

ExtractKeyID returns the kid value from the JWT header without verifying the signature. As with ExtractIssuer, the value is untrusted until the signature has been verified.

func IssueToken

func IssueToken(key *rsa.PrivateKey, claims jwt.MapClaims) (string, error)

IssueToken applies standard OIDC claim defaults and serializes the claims into a JWT.

func JWKSURL

func JWKSURL(issuer string) string

JWKSURL returns the JWKS document URL for an issuer.

func NewCodeChallenge

func NewCodeChallenge(method string) (string, string, error)

NewCodeChallenge generates a code verifier and derived code challenge using the requested PKCE method.

func OAuthAuthorizationScopes

func OAuthAuthorizationScopes(config OAuthConfiguration, scopes ...string) []string

OAuthAuthorizationScopes returns caller-supplied scopes, or advertised OAuth scopes when present. OAuth metadata has no implicit openid/profile default.

func OAuthConfigURL

func OAuthConfigURL(issuer string) string

OAuthConfigURL returns the OAuth authorization server metadata URL for an issuer.

func PreferredCodeChallengeMethod

func PreferredCodeChallengeMethod(methods []string) string

PreferredCodeChallengeMethod chooses the strongest supported PKCE method.

func PublicJWKSet

func PublicJWKSet(key *rsa.PrivateKey) (jwk.Set, error)

PublicJWKSet returns a JWKS document containing the public signing key for the supplied RSA private key without assigning a kid.

func PublicJWKSetForKeys

func PublicJWKSetForKeys(activeKeyID string, keys map[string]*rsa.PrivateKey) (jwk.Set, error)

PublicJWKSetForKeys returns a JWKS document containing the supplied public signing keys. When activeKeyID is present, it is added first.

func SignToken

func SignToken(key *rsa.PrivateKey, claims jwt.Claims) (string, error)

SignToken serializes claims into a JWT signed with the supplied RSA private key without setting a kid header. If key is nil, it returns an unsecured JWT using the "none" algorithm; such a token carries no signature, so its claims cannot be authenticated by any verifier.

func SignTokenWithKeyID

func SignTokenWithKeyID(kid string, key *rsa.PrivateKey, claims jwt.Claims) (string, error)

SignTokenWithKeyID serializes claims into a JWT signed with the supplied RSA private key and uses kid for the JWT kid header.

func UserInfoURL

func UserInfoURL(issuer string) string

UserInfoURL returns the userinfo URL for an issuer.

func VerifySignedToken

func VerifySignedToken(key *rsa.PublicKey, token, issuer string) (map[string]any, error)

VerifySignedToken verifies a locally signed JWT with the supplied RSA public key and, when an issuer is supplied, checks that the token's issuer matches it.

func VerifyToken

func VerifyToken(ctx context.Context, token string) (map[string]any, error)

VerifyToken verifies a JWT using OIDC discovery for the issuer named in the token and returns the decoded claims. Because the issuer is taken from the token itself, this alone does not restrict which issuers are trusted; callers that accept tokens only from specific issuers should compare the returned iss claim against their expected value.

Types

type AuthorizationCodeFlow

// AuthorizationCodeFlow contains the generated state required to start an
// interactive OAuth2/OIDC authorization code flow with optional PKCE.
//
// State, Nonce and CodeVerifier are all emitted by the JSON tags below, so an
// encoded flow is sensitive: CodeVerifier is the PKCE secret and State is what
// ValidateCallback binds the callback to. Store and transport the JSON form
// accordingly.
type AuthorizationCodeFlow struct {
	// Provider is presumably the upstream provider name for provider-routed
	// flows — confirm against NewAuthorizationCodeFlow callers.
	Provider                 string   `json:"provider,omitempty"`
	// Issuer is presumably copied from the discovery configuration passed to
	// NewAuthorizationCodeFlow — confirm.
	Issuer                   string   `json:"issuer,omitempty"`
	// AuthorizationEndpoint is the provider's authorization endpoint.
	// AuthorizationURL looks like the fully built request URL (see URL()) — confirm.
	AuthorizationEndpoint    string   `json:"authorization_endpoint"`
	AuthorizationURL         string   `json:"authorization_url"`
	TokenEndpoint            string   `json:"token_endpoint,omitempty"`
	// TokenEndpointAuthMethods is excluded from the JSON form.
	TokenEndpointAuthMethods []string `json:"-"`
	// ClientID may be empty for provider-routed server-side exchanges where
	// the server holds the upstream client credentials.
	ClientID                 string   `json:"client_id"`
	RedirectURL              string   `json:"redirect_url"`
	// ResponseType is likely ResponseTypeCode for this flow — confirm in NewAuthorizationCodeFlow.
	ResponseType             string   `json:"response_type"`
	Scopes                   []string `json:"scopes,omitempty"`
	// State is compared by ValidateCallback against the callback's state parameter.
	State                    string   `json:"state"`
	// Nonce is set only for OIDC-capable configurations.
	Nonce                    string   `json:"nonce,omitempty"`
	// CodeChallenge and CodeChallengeMethod are the PKCE values sent in the
	// authorization request; CodeVerifier is the matching secret (see
	// NewCodeChallenge) presented at code exchange.
	CodeChallenge            string   `json:"code_challenge,omitempty"`
	CodeChallengeMethod      string   `json:"code_challenge_method,omitempty"`
	CodeVerifier             string   `json:"code_verifier,omitempty"`
}

AuthorizationCodeFlow contains the generated state required to start an interactive OAuth2/OIDC authorization code flow with optional PKCE.

func NewAuthorizationCodeFlow

func NewAuthorizationCodeFlow(config BaseConfiguration, clientID, redirectURL string, scopes ...string) (*AuthorizationCodeFlow, error)

NewAuthorizationCodeFlow generates state and PKCE data needed to begin an interactive OAuth2/OIDC authorization code flow using the supplied discovery document. A nonce is added only for OIDC-capable configurations. clientID may be empty for provider-routed server-side exchanges where the server holds the upstream client credentials.

func (AuthorizationCodeFlow) URL

func (flow AuthorizationCodeFlow) URL() (string, error)

URL returns the authorization URL for the flow.

func (*AuthorizationCodeFlow) ValidateCallback

func (flow *AuthorizationCodeFlow) ValidateCallback(code, state string) (string, error)

ValidateCallback validates the authorization callback code and state against the flow state and returns the authorization code.

type BaseConfiguration

// BaseConfiguration contains the fields shared by OIDC and OAuth authorization
// server metadata documents. Fields tagged `json:"-"` are not part of the
// decoded wire document.
type BaseConfiguration struct {
	Issuer                   string   `` /* 132-byte string literal not displayed */
	AuthorizationEndpoint    string   `` /* 168-byte string literal not displayed */
	TokenEndpoint            string   `` /* 169-byte string literal not displayed */
	// RegistrationEndpoint is the dynamic client registration endpoint, when supported.
	RegistrationEndpoint     string   `json:"registration_endpoint,omitempty" jsonschema:"Dynamic client registration endpoint, when supported." format:"uri"`
	RevocationEndpoint       string   `` /* 180-byte string literal not displayed */
	ResponseTypes            []string `json:"response_types_supported,omitempty" jsonschema:"OAuth and OIDC response types supported by the authorization endpoint."`
	GrantTypesSupported      []string `json:"grant_types_supported,omitempty" jsonschema:"OAuth grant types supported by the token endpoint."`
	// ScopesSupported is presumably the advertised set that AuthorizationScopes
	// filters the default scopes against — confirm.
	ScopesSupported          []string `json:"scopes_supported,omitempty" jsonschema:"Scopes that clients may request during authorization."`
	// CodeChallengeMethods holds the advertised PKCE methods; see
	// PreferredCodeChallengeMethod and the CodeChallengeMethod* constants.
	CodeChallengeMethods     []string `` /* 130-byte string literal not displayed */
	// TokenEndpointAuthMethods and NonceSupported are not decoded from the
	// document. NonceSupported presumably drives the OIDC-only nonce in
	// NewAuthorizationCodeFlow, and TokenEndpointAuthMethods is presumably
	// filled from the embedding type's tagged field — confirm in the source.
	TokenEndpointAuthMethods []string `json:"-"`
	NonceSupported           bool     `json:"-"`
}

BaseConfiguration contains the fields shared by OIDC and OAuth authorization server metadata documents.

type JSONWebKey

// JSONWebKey represents a public RSA signing key published in the JWKS document
// for locally issued tokens. Only public parameters are carried here.
type JSONWebKey struct {
	// Algorithm is the signing algorithm associated with this key (e.g. SigningAlgorithm).
	Algorithm string `json:"alg" jsonschema:"Signing algorithm associated with this key." example:"RS256"`
	// Exponent is the base64url-encoded RSA public exponent.
	Exponent  string `json:"e" jsonschema:"Base64url-encoded RSA public exponent." example:"AQAB"`
	// KeyID is the identifier verifiers match against a JWT's kid header
	// (see ExtractKeyID); omitted when empty.
	KeyID     string `json:"kid,omitempty" jsonschema:"Key identifier used in JWT headers to select this key." example:"main"`
	// KeyType is the JWK key type.
	KeyType   string `json:"kty" jsonschema:"Cryptographic key type." example:"RSA"`
	// Modulus is presumably the base64url-encoded RSA modulus; its tag is not
	// shown on this page — confirm.
	Modulus   string `` /* 412-byte string literal not displayed */
	// Use is the intended key use; omitted when empty.
	Use       string `json:"use,omitempty" jsonschema:"Intended use of the key." example:"sig"`
}

JSONWebKey represents a public RSA signing key published in the JWKS document for locally issued tokens.

type JSONWebKeySet

// JSONWebKeySet is the public JWKS document returned for locally issued tokens.
type JSONWebKeySet struct {
	// Keys lists the public signing keys verifiers may use; see PublicJWKSetForKeys
	// for the ordering of the active key.
	Keys []JSONWebKey `json:"keys" jsonschema:"Public signing keys published by this issuer for JWT verification."`
}

JSONWebKeySet is the public JWKS document returned for locally issued tokens.

type OAuthConfiguration

// OAuthConfiguration represents OAuth 2.0 Authorization Server Metadata.
type OAuthConfiguration struct {
	BaseConfiguration
	// ResponseModesSupported lists the advertised response modes.
	ResponseModesSupported            []string `json:"response_modes_supported,omitempty"`
	// TokenEndpointAuthMethodsSupported is the decoded metadata member; note that
	// the embedded BaseConfiguration.TokenEndpointAuthMethods is tagged `json:"-"`
	// and is presumably populated from this field — confirm.
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
}

OAuthConfiguration represents OAuth 2.0 Authorization Server Metadata.

type OIDCConfiguration

// OIDCConfiguration represents the OpenID Connect discovery document.
type OIDCConfiguration struct {
	BaseConfiguration
	UserInfoEndpoint                  string   `` /* 186-byte string literal not displayed */
	// JwksURI points verifiers at the key set (see JWKSURL / JWKSPath for local issuers).
	JwksURI                           string   `` /* 158-byte string literal not displayed */
	// SigningAlgorithms is emitted without omitempty, so locally produced
	// documents always carry the member (see SigningAlgorithm).
	SigningAlgorithms                 []string `json:"id_token_signing_alg_values_supported" jsonschema:"Signing algorithms used for locally issued ID and access tokens."`
	SubjectTypes                      []string `json:"subject_types_supported" jsonschema:"OIDC subject identifier types supported by this issuer."`
	ClaimsSupported                   []string `json:"claims_supported" jsonschema:"Claims that may appear in locally issued tokens and userinfo responses."`
	// TokenEndpointAuthMethodsSupported is the decoded member; the embedded
	// BaseConfiguration.TokenEndpointAuthMethods is tagged `json:"-"` and is
	// presumably populated from this field — confirm.
	TokenEndpointAuthMethodsSupported []string `` /* 146-byte string literal not displayed */
}

OIDCConfiguration represents the OpenID Connect discovery document.

type ProtectedResourceMetadata

// ProtectedResourceMetadata describes this server as an OAuth protected
// resource; it is the document served at ProtectedResourcePath.
type ProtectedResourceMetadata struct {
	Resource               string   `` /* 139-byte string literal not displayed */
	// AuthorizationServers lists the issuers whose bearer tokens this resource accepts.
	AuthorizationServers   []string `json:"authorization_servers,omitempty" jsonschema:"Authorization servers that issue bearer tokens accepted by this resource."`
	ScopesSupported        []string `json:"scopes_supported,omitempty" jsonschema:"Scopes that may be used when requesting access to this resource."`
	BearerMethodsSupported []string `json:"bearer_methods_supported,omitempty" jsonschema:"Bearer token transport methods accepted by this resource."`
	ResourceDocumentation  string   `` /* 127-byte string literal not displayed */
	// ResourceName is a display name only.
	ResourceName           string   `json:"resource_name,omitempty" jsonschema:"Display name for this protected resource." example:"go-auth"`
}

ProtectedResourceMetadata describes this server as an OAuth protected resource.

func (ProtectedResourceMetadata) String

func (c ProtectedResourceMetadata) String() string

type UserInfo

// UserInfo is the decoded userinfo response. It has a custom UnmarshalJSON,
// so the tags below describe the encoded form rather than every accepted input.
type UserInfo struct {
	// Subject is encoded under "id", not the OIDC "sub" name; UnmarshalJSON
	// presumably maps the incoming claim onto it — confirm.
	Subject string         `json:"id"`
	Name    string         `json:"name,omitempty"`
	Email   string         `json:"email,omitempty"`
	// Claims carries any additional claims not covered by the fields above.
	Claims  map[string]any `json:"claims,omitempty"`
}

func (*UserInfo) String

func (u *UserInfo) String() string

func (*UserInfo) UnmarshalJSON

func (u *UserInfo) UnmarshalJSON(data []byte) error
