Documentation
Types
type DiscoveryProvider
type DiscoveryProvider interface {
	Endpoints() Endpoints
	PKCE() PKCE
	SupportedSigningAlgs() []string
}
DiscoveryProvider holds the information about an identity provider that was retrieved through OIDC discovery.
func NewProvider
func NewProvider(ctx context.Context, issuerURL string, skipIssuerVerification bool, providerJson ProviderJSON) (DiscoveryProvider, error)
NewProvider allows a user to perform an OIDC discovery and returns the DiscoveryProvider. We implement this here instead of using oidc.Provider so that we can override the issuer verification check. As we have our own verifier and fetch the userinfo separately, the rest of the oidc.Provider implementation is not useful to us.
type Endpoints
Endpoints represents the endpoints discovered as part of the OIDC discovery process that will be used by the authentication providers.
type IDToken
type IDToken struct {
	// The URL of the server which issued this token. OpenID Connect
	// requires this value always be identical to the URL used for
	// initial discovery.
	//
	// Note: Because of a known issue with Google Accounts' implementation
	// this value may differ when using Google.
	//
	// See: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
	Issuer string

	// The client ID, or set of client IDs, that this token is issued for. For
	// common uses, this is the client that initialized the auth flow.
	//
	// This package ensures the audience contains an expected value.
	Audience []string

	// A unique string which identifies the end user.
	Subject string

	// Expiry of the token. This package will not process tokens that have
	// expired unless that validation is explicitly turned off.
	Expiry time.Time

	// When the token was issued by the provider.
	IssuedAt time.Time

	// Initial nonce provided during the authentication redirect.
	//
	// This package does NOT provide verification on the value of this field
	// and it's the user's responsibility to ensure it contains a valid value.
	Nonce string

	// at_hash claim, if set in the ID token. Callers can verify an access token
	// that corresponds to the ID token using the VerifyAccessToken method.
	AccessTokenHash string
	// contains filtered or unexported fields
}
IDToken is an OpenID Connect extension that provides a predictable representation of an authorization event.
The ID Token only holds the fields OpenID Connect requires. To access additional claims returned by the server, use the Claims method.
type IDTokenVerificationOptions
type IDTokenVerificationOptions struct {
	AudienceClaims []string
	ClientID       string
	ExtraAudiences []string
}
IDTokenVerificationOptions holds the options for the oidc.idTokenVerifier that are required to verify an ID Token.
type IDTokenVerifier
type IDTokenVerifier interface {
	Verify(context.Context, string) (*oidc.IDToken, error)
	GetKeySet() *oidc.KeySet
}
IDTokenVerifier allows an ID Token to be verified against the issuer and the provided keys.
func NewVerifier
func NewVerifier(iv *oidc.IDTokenVerifier, vo IDTokenVerificationOptions) IDTokenVerifier
NewVerifier constructs a new idTokenVerifier.
type PKCE
type PKCE struct {
	CodeChallengeAlgs []string
}
PKCE holds information relevant to the PKCE (code challenge) support of the provider.
type ProviderJSON
type ProviderJSON struct {
	Issuer               string   `json:"issuer"`
	AuthURL              string   `json:"authorization_endpoint"`
	TokenURL             string   `json:"token_endpoint"`
	JWKsURL              string   `json:"jwks_uri"`
	UserInfoURL          string   `json:"userinfo_endpoint"`
	CodeChallengeAlgs    []string `json:"code_challenge_methods_supported"`
	SupportedSigningAlgs []string `json:"id_token_signing_alg_values_supported"`
}
ProviderJSON represents the information we need from an OIDC discovery document.
type ProviderVerifier
type ProviderVerifier interface {
	DiscoveryEnabled() bool
	Provider() DiscoveryProvider
	Verifier() IDTokenVerifier
}
ProviderVerifier represents the OIDC discovery and verification process.
func NewProviderVerifier
func NewProviderVerifier(ctx context.Context, opts ProviderVerifierOptions, providerJson ProviderJSON) (ProviderVerifier, error)
NewProviderVerifier constructs a ProviderVerifier from the options given.
type ProviderVerifierOptions
type ProviderVerifierOptions struct {
	// AudienceClaims allows any claim to be defined that is verified against the client ID.
	// By default the `aud` claim is used for verification.
	AudienceClaims []string

	// ClientID is the OAuth Client ID that is defined in the provider.
	ClientID string

	// ExtraAudiences is a list of additional audiences that are allowed
	// to pass verification in addition to the client id.
	ExtraAudiences []string

	// IssuerURL is the OpenID Connect issuer URL
	// eg: https://accounts.google.com
	IssuerURL string

	// JWKsURL is the OpenID Connect JWKS URL
	// eg: https://www.googleapis.com/oauth2/v3/certs
	JWKsURL string

	// SkipDiscovery allows OIDC discovery to be skipped and manually supplied Endpoints to be used instead.
	SkipDiscovery bool

	// SkipIssuerVerification skips verification of ID token issuers.
	// When false, ID Token Issuers must match the OIDC discovery URL.
	SkipIssuerVerification bool

	// SupportedSigningAlgs is the list of signature algorithms supported by the
	// provider.
	SupportedSigningAlgs []string
}
ProviderVerifierOptions allows you to configure a ProviderVerifier.
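The issuer and audience rules that IDTokenVerificationOptions and ProviderVerifierOptions describe, as an added stand-alone example that is not the package's own code: verifyOptions, claimValues and verifyClaims are hypothetical names, and the input is assumed to be an already-decoded ID token payload, with signature checking left to the oidc.IDTokenVerifier and its key set.

```go
package main

import "fmt"

// verifyOptions: stand-alone copy of the issuer/audience fields of ProviderVerifierOptions.
type verifyOptions struct {
	AudienceClaims         []string
	ClientID               string
	ExtraAudiences         []string
	IssuerURL              string
	SkipIssuerVerification bool
}

// claimValues normalises a claim that may be a single string or an array (as aud may be).
func claimValues(v interface{}) (out []string) {
	list, ok := v.([]interface{})
	if !ok {
		list = []interface{}{v}
	}
	for _, e := range list {
		if s, ok := e.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

// verifyClaims applies the documented rules to decoded claims: iss must equal IssuerURL unless
// SkipIssuerVerification is set, and one configured audience claim (default "aud") must hold
// ClientID or an ExtraAudiences entry. Signature verification is out of scope here.
func verifyClaims(claims map[string]interface{}, o verifyOptions) error {
	if !o.SkipIssuerVerification && claims["iss"] != o.IssuerURL {
		return fmt.Errorf("issuer %v does not match %s", claims["iss"], o.IssuerURL)
	}
	audClaims := o.AudienceClaims
	if len(audClaims) == 0 {
		audClaims = []string{"aud"}
	}
	allowed := map[string]bool{o.ClientID: true}
	for _, a := range o.ExtraAudiences {
		allowed[a] = true
	}
	for _, name := range audClaims {
		for _, got := range claimValues(claims[name]) {
			if allowed[got] {
				return nil
			}
		}
	}
	return fmt.Errorf("claims %v hold neither the client id nor an extra audience", audClaims)
}
```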