oidckit

package v0.4.7

Warning: This package is not in the latest version of its module.

Published: Feb 13, 2026 License: MIT Imports: 18 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AuthURL

func AuthURL(state string, rpClient *RelyingParty, opts ...AuthURLOpt) string

AuthURL builds an authorization URL for the given RP.

func GeneratePKCE

func GeneratePKCE() (verifier string, challenge string, err error)

GeneratePKCE returns a verifier and S256 challenge suitable for the auth request.
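As an added illustration of what GeneratePKCE produces (this is not the package's own code), the following stand-alone program implements the RFC 7636 S256 flow end to end: a 32-byte random verifier, its challenge, and the check a token endpoint performs when the verifier comes back. The names generatePKCE, s256Challenge and verifyPKCE are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"regexp"
)

// verifierRe is the RFC 7636 code_verifier grammar: 43-128 unreserved characters.
var verifierRe = regexp.MustCompile(`^[A-Za-z0-9\-._~]{43,128}$`)

// generatePKCE returns a fresh high-entropy verifier (32 random bytes, base64url
// without padding = 43 chars) and its S256 challenge. Hypothetical counterpart
// to the package's GeneratePKCE, not the package's code.
func generatePKCE() (verifier, challenge string, err error) {
	buf := make([]byte, 32)
	if _, err = rand.Read(buf); err != nil {
		return "", "", fmt.Errorf("pkce: entropy: %w", err)
	}
	verifier = base64.RawURLEncoding.EncodeToString(buf)
	return verifier, s256Challenge(verifier), nil
}

// s256Challenge computes BASE64URL(SHA256(ASCII(verifier))) without padding.
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// verifyPKCE is the token-endpoint side check: the verifier must be well-formed
// and its S256 digest must equal the challenge bound to the authorization code.
// A constant-time compare avoids leaking how many leading bytes matched.
func verifyPKCE(verifier, challenge string) bool {
	if !verifierRe.MatchString(verifier) {
		return false
	}
	got := s256Challenge(verifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(challenge)) == 1
}

func main() {
	v, c, err := generatePKCE()
	if err != nil {
		panic(err)
	}
	fmt.Printf("verifier=%s\nchallenge=%s\nverifies=%v\n", v, c, verifyPKCE(v, c))
}
```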

func NewAppleClientSecretProvider

func NewAppleClientSecretProvider(cfg AppleSecretConfig) (func(ctx context.Context) (string, error), error)

NewAppleClientSecretProvider returns a function that mints a fresh ES256 JWT for client_secret on each call.

Types

type AppleSecretConfig

type AppleSecretConfig struct {
	TeamID        string        // Apple Developer Team ID (iss)
	KeyID         string        // Key ID (kid in header)
	ClientID      string        // Service ID / App ID (sub)
	PrivateKeyPEM []byte        // contents of the .p8 private key
	TTL           time.Duration // default 5 minutes if <= 0 (Apple allows up to 6 months)
}

AppleSecretConfig holds details needed to mint an Apple client_secret JWT. See: https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens

type AuthURLOpt

type AuthURLOpt = oauth2.AuthCodeOption

AuthURLOpt configures authorization URL parameters.

func WithCodeChallenge

func WithCodeChallenge(challenge string) AuthURLOpt

WithCodeChallenge sets the PKCE code_challenge parameter.

func WithURLParam

func WithURLParam(key, value string) AuthURLOpt

WithURLParam adds an arbitrary URL parameter to the auth request.

type Claims

type Claims struct {
	Subject           string
	Email             *string
	EmailVerified     *bool
	Name              *string
	PreferredUsername *string
	RawIDToken        string
}

Claims is a minimal set of user identity fields extracted from the ID token/userinfo.

func DefaultExchanger

func DefaultExchanger(ctx context.Context, rpClient rp.RelyingParty, provider, code, verifier, nonce string) (Claims, error)

DefaultExchanger exchanges an authorization code using PKCE and extracts minimal claims.

type Config

type Config struct {
	Issuer       string // Discovery URL
	ClientID     string
	ClientSecret string
	RedirectURI  string
	Scopes       []string
}

Config holds per-provider client settings.

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager builds provider RPs and helps construct auth URLs with PKCE.

func NewManager

func NewManager(cfgs map[string]RPClient) *Manager

NewManager initializes the RP clients lazily on first use.

func NewManagerFromMinimal

func NewManagerFromMinimal(min map[string]RPConfig) *Manager

NewManagerFromMinimal builds a Manager from minimal provider settings.

func (*Manager) Begin

func (m *Manager) Begin(ctx context.Context, provider, state, nonce, codeChallenge, redirectURI string) (string, error)

Begin returns an authorization URL for the given provider using PKCE and state/nonce you supply. The caller should persist state+verifier (e.g., Redis) and redirect the user to the returned URL.

func (*Manager) GetRPWithRedirect

func (m *Manager) GetRPWithRedirect(ctx context.Context, provider, redirectURI string) (rp.RelyingParty, error)

GetRPWithRedirect exposes the relying party for a configured provider, using the supplied redirect URI.

func (*Manager) IssuerFor

func (m *Manager) IssuerFor(provider string) (string, bool)

IssuerFor returns the configured issuer URL for a provider slug.

func (*Manager) Provider

func (m *Manager) Provider(name string) (RPClient, bool)

Provider returns the configured RPClient for a provider slug (if present).

type Provider

type Provider string

Provider identifies a configured OIDC provider.

const (
	ProviderGoogle  Provider = "google"
	ProviderGitHub  Provider = "github"
	ProviderDiscord Provider = "discord"
)

type RPClient

type RPClient struct {
	Issuer       string
	ClientID     string
	ClientSecret string // For Apple, supply a generated JWT client secret
	// ClientSecretProvider, if set, is called to obtain a fresh client_secret
	// whenever an RP is constructed (e.g., for Apple where the secret is a short-lived ES256 JWT).
	ClientSecretProvider func(ctx context.Context) (string, error)
	Scopes               []string
	// Optional: additional auth params (e.g., response_mode)
	ExtraAuthParams map[string]string
}

RPClient holds issuer-based OIDC settings for a single IdP (internal RP wiring).

func DefaultsFor

func DefaultsFor(name string) (RPClient, bool)

DefaultsFor returns an internal RPClient for a known provider name.

type RPConfig

type RPConfig struct {
	ClientID     string
	ClientSecret string
	// Optional: dynamic secret minting
	SecretProvider func(ctx context.Context) (string, error)
	// Optional: additional/override scopes. "openid" will be ensured.
	Scopes []string
}

RPConfig describes an IdP (Relying Party) with minimal fields. If ClientSecret is empty and SecretProvider is set, the manager will call it to obtain a short-lived client_secret (e.g., Apple’s ES256 JWT).

func AppleWithKey

func AppleWithKey(teamID, keyID string, privateKeyPEM []byte, clientID string, ttl time.Duration) RPConfig

AppleWithKey constructs an RPConfig for Apple that mints a short-lived ES256 client_secret per request using the given developer key. Scopes default to openid,email,name; callers may override Scopes on the returned RPConfig if needed.

type RelyingParty

type RelyingParty struct {
	// contains filtered or unexported fields
}

RelyingParty holds discovery-backed OIDC configuration for a provider.

func NewRelyingPartyOIDC

func NewRelyingPartyOIDC(ctx context.Context, issuer, clientID, clientSecret, redirectURI string, scopes []string) (*RelyingParty, error)

NewRelyingPartyOIDC discovers OIDC metadata and constructs a relying party.

func (*RelyingParty) ClientID

func (rp *RelyingParty) ClientID() string

ClientID returns the OAuth client_id for the relying party.

func (*RelyingParty) Issuer

func (rp *RelyingParty) Issuer() string

Issuer returns the issuer URL associated with the relying party.

func (*RelyingParty) KeySet

func (rp *RelyingParty) KeySet(ctx context.Context) (jwk.Set, error)

KeySet fetches the current JWKS for signature verification.

func (*RelyingParty) OAuthConfig

func (rp *RelyingParty) OAuthConfig() *oauth2.Config

OAuthConfig returns the OAuth2 configuration derived from discovery.

type StateCache

type StateCache interface {
	Put(ctx context.Context, state string, data StateData) error
	Get(ctx context.Context, state string) (StateData, bool, error)
	Del(ctx context.Context, state string) error
}

StateCache stores ephemeral OIDC state/PKCE data (backed by Redis in the app).

type StateData

type StateData struct {
	Provider    string
	Verifier    string
	Nonce       string
	RedirectURI string
	LinkUserID  string
	UI          string // "popup" to trigger popup HTML callback; else redirect
	PopupNonce  string // echoed in popup postMessage for opener validation
}

StateData is what we persist for a pending OIDC login.
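The Begin doc above asks the caller to persist state, verifier and nonce and read them back on the callback. This added example (not the package's code) shows the callback side over the StateCache interface: a ConsumeState helper that deletes the entry in the same step, so one state can finish only one login and is rejected if presented to a different provider's callback, plus a map-backed cache for testing. ConsumeState, ErrUnknownState and memCache are hypothetical names.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// StateData and StateCache are copied from the package's API (StateData trimmed
// to the fields used here) so this file compiles stand-alone.
type StateData struct{ Provider, Verifier, Nonce, RedirectURI string }

type StateCache interface {
	Put(ctx context.Context, state string, data StateData) error
	Get(ctx context.Context, state string) (StateData, bool, error)
	Del(ctx context.Context, state string) error
}

var ErrUnknownState = errors.New("oidc: unknown, expired or already used state")

// ConsumeState is the callback-side counterpart of Manager.Begin: it fetches the
// pending login for state, deletes it in the same call so the state (and the PKCE
// verifier and nonce stored with it) can complete at most one login, and checks
// that it was issued for the provider whose callback is being handled.
func ConsumeState(ctx context.Context, c StateCache, state, provider string) (StateData, error) {
	d, ok, err := c.Get(ctx, state)
	if err != nil {
		return StateData{}, fmt.Errorf("oidc: state lookup: %w", err)
	}
	if !ok {
		return StateData{}, ErrUnknownState
	}
	// Delete before any further processing so a replayed or raced second callback
	// cannot find the entry. With Redis, a single GETDEL makes this step atomic.
	if err := c.Del(ctx, state); err != nil {
		return StateData{}, fmt.Errorf("oidc: state delete: %w", err)
	}
	if d.Provider != provider {
		return StateData{}, fmt.Errorf("oidc: state issued for %q, presented to %q", d.Provider, provider)
	}
	return d, nil
}

// memCache is a hypothetical map-backed StateCache for tests and single-process
// use; the app's Redis-backed cache adds the TTL that makes entries ephemeral.
type memCache map[string]StateData

func (m memCache) Put(_ context.Context, s string, d StateData) error { m[s] = d; return nil }
func (m memCache) Get(_ context.Context, s string) (StateData, bool, error) { d, ok := m[s]; return d, ok, nil }
func (m memCache) Del(_ context.Context, s string) error { delete(m, s); return nil }
```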
