Documentation
Index
- Constants
- func GeneratePKCE() (verifier string, challenge string, err error)
- func NewAppleClientSecretProvider(cfg AppleSecretConfig) (func(ctx context.Context) (string, error), error)
- func OutboundHTTPClient() *http.Client
- func SetOutboundHTTPClientForTest(c *http.Client)
- type AppleSecretConfig
- type Claims
- type Manager
- func (m *Manager) Begin(ctx context.Context, provider, state, nonce, codeChallenge, redirectURI string) (string, error)
- func (m *Manager) BeginWithAuthParams(ctx context.Context, provider, state, nonce, codeChallenge, redirectURI string, ...) (string, error)
- func (m *Manager) GetRPWithRedirect(ctx context.Context, provider, redirectURI string) (rp.RelyingParty, error)
- func (m *Manager) IssuerFor(provider string) (string, bool)
- func (m *Manager) Provider(name string) (RPClient, bool)
- type RPClient
- type RPConfig
- type StateCache
- type StateData
Constants
const DefaultOutboundTimeout = 30 * time.Second
DefaultOutboundTimeout bounds OIDC discovery, JWKS fetch, and token exchange.
const DefaultRPCacheTTL = time.Hour
DefaultRPCacheTTL is how long static-secret relying parties are cached after discovery.
Variables
This section is empty.
Functions
func GeneratePKCE
func GeneratePKCE() (verifier string, challenge string, err error)
GeneratePKCE returns a verifier and S256 challenge suitable for the auth request.
func NewAppleClientSecretProvider
func NewAppleClientSecretProvider(cfg AppleSecretConfig) (func(ctx context.Context) (string, error), error)
NewAppleClientSecretProvider returns a function that mints a fresh ES256 JWT for client_secret on each call.
func OutboundHTTPClient (added in v0.12.3)
func OutboundHTTPClient() *http.Client
OutboundHTTPClient returns the HTTP client used for zitadel RP discovery and token calls.
func SetOutboundHTTPClientForTest (added in v0.12.3)
func SetOutboundHTTPClientForTest(c *http.Client)
SetOutboundHTTPClientForTest overrides the outbound client (tests only).
Types
type AppleSecretConfig
type AppleSecretConfig struct {
	TeamID        string        // Apple Developer Team ID (iss)
	KeyID         string        // Key ID (kid in header)
	ClientID      string        // Service ID / App ID (sub)
	PrivateKeyPEM []byte        // contents of the .p8 private key
	TTL           time.Duration // default 5 minutes if <= 0 (Apple allows up to 6 months)
}
AppleSecretConfig holds details needed to mint an Apple client_secret JWT. See: https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens
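As an added example (not the package's NewAppleClientSecretProvider), this mints the ES256 client_secret JWT that AppleSecretConfig describes: TeamID as iss, KeyID as kid, ClientID as sub, and a 5-minute default TTL; the aud value https://appleid.apple.com is the one Apple's documentation requires. appleCfg and mintAppleSecret are assumed names, and the block takes the already-parsed P-256 key instead of PrivateKeyPEM (a .p8 file is PKCS#8 PEM, decoded with pem.Decode and x509.ParsePKCS8PrivateKey).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// appleCfg mirrors AppleSecretConfig's identity fields (assumed shape); the parsed P-256 key is passed separately.
type appleCfg struct {
	TeamID, KeyID, ClientID string
	TTL                     time.Duration
}

// mintAppleSecret builds the ES256 JWT Apple accepts as client_secret: header {alg,kid},
// claims iss=TeamID, sub=ClientID, aud=appleid.apple.com, exp bounded by TTL.
func mintAppleSecret(cfg appleCfg, key *ecdsa.PrivateKey, now time.Time) (string, error) {
	if key.Curve != elliptic.P256() {
		return "", fmt.Errorf("ES256 requires a P-256 key, got %s", key.Curve.Params().Name)
	}
	ttl := cfg.TTL
	if ttl <= 0 {
		ttl = 5 * time.Minute // the page's default; far below Apple's 6-month maximum
	}
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": cfg.KeyID})
	claims, _ := json.Marshal(map[string]any{"iss": cfg.TeamID, "sub": cfg.ClientID,
		"aud": "https://appleid.apple.com", "iat": now.Unix(), "exp": now.Add(ttl).Unix()})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw R||S, 32 bytes each, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed stand-in for the .p8 key
	tok, err := mintAppleSecret(appleCfg{TeamID: "TEAMID", KeyID: "KEYID", ClientID: "com.example.app"}, key, time.Now())
	fmt.Println(tok, err)
}
```

Because the secret is a signed assertion, only its TTL limits replay if it leaks, which is why a short TTL minted per request is preferable to a long-lived static value.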
type Claims
type Claims struct {
	Subject           string
	Email             *string
	EmailVerified     *bool
	Name              *string
	PreferredUsername *string
	AuthTime          time.Time
	RawIDToken        string
}
Claims is a minimal set of user identity fields extracted from the ID token/userinfo.
func DefaultExchanger
func DefaultExchanger(ctx context.Context, rpClient rp.RelyingParty, provider, code, verifier, nonce string) (Claims, error)
DefaultExchanger exchanges an authorization code using PKCE and extracts minimal claims.
type Manager
type Manager struct {
	// contains filtered or unexported fields
}
Manager builds provider RPs and helps construct auth URLs with PKCE.
func NewManager
NewManager initializes the RP clients lazily on first use.
func NewManagerFromMinimal
NewManagerFromMinimal builds a Manager from minimal provider settings.
func NewManagerFromProviders (added in v0.8.4)
func NewManagerFromProviders(providers map[string]authprovider.Provider) *Manager
func (*Manager) Begin
func (m *Manager) Begin(ctx context.Context, provider, state, nonce, codeChallenge, redirectURI string) (string, error)
Begin returns an authorization URL for the given provider using PKCE and the state and nonce you supply. The caller should persist the state together with the PKCE verifier (e.g., in Redis) and redirect the user to the returned URL.
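An added example, not the package's own code, of what GeneratePKCE and Begin produce: an RFC 7636 S256 verifier/challenge pair, the authorization URL carrying state, nonce and code_challenge, and the check a token endpoint performs on the verifier it later receives. The names generatePKCE, s256Challenge, verifyPKCE and authURL and the https://idp.example and https://app.example hosts are assumptions for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// generatePKCE returns a verifier and its S256 challenge (RFC 7636):
// challenge = base64url(sha256(verifier)) without padding.
func generatePKCE() (verifier, challenge string, err error) {
	raw := make([]byte, 32) // 256 bits of entropy -> 43-character verifier
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	verifier = base64.RawURLEncoding.EncodeToString(raw)
	return verifier, s256Challenge(verifier), nil
}

func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// verifyPKCE is the token endpoint's check of the code_verifier sent with the
// authorization code; the constant-time compare avoids a timing side channel.
func verifyPKCE(challenge, verifier string) bool {
	return subtle.ConstantTimeCompare([]byte(s256Challenge(verifier)), []byte(challenge)) == 1
}

// authURL assembles the authorization request Begin returns: code flow with PKCE S256
// plus the caller-supplied state and nonce. The endpoint is a constructed placeholder.
func authURL(endpoint, clientID, redirectURI, scope, state, nonce, challenge string) string {
	q := url.Values{
		"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURI},
		"scope": {scope}, "state": {state}, "nonce": {nonce},
		"code_challenge": {challenge}, "code_challenge_method": {"S256"},
	}
	return endpoint + "?" + q.Encode()
}

func main() {
	verifier, challenge, _ := generatePKCE()
	// state/nonce are fixed here; real code draws them from crypto/rand and persists them with the verifier (StateData).
	fmt.Println(authURL("https://idp.example/authorize", "client-id", "https://app.example/cb",
		"openid email", "state-abc", "nonce-xyz", challenge))
	fmt.Println("verifier accepted:", verifyPKCE(challenge, verifier))
}
```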
func (*Manager) BeginWithAuthParams (added in v0.54.0)
func (*Manager) GetRPWithRedirect
func (m *Manager) GetRPWithRedirect(ctx context.Context, provider, redirectURI string) (rp.RelyingParty, error)
GetRPWithRedirect exposes the relying party for a configured provider and redirect URI.
type RPClient
type RPClient struct {
	Issuer       string
	ClientID     string
	ClientSecret string // For Apple, supply a generated JWT client secret
	// ClientSecretProvider, if set, is called to obtain a fresh client_secret
	// whenever an RP is constructed (e.g., for Apple where the secret is a short-lived ES256 JWT).
	ClientSecretProvider func(ctx context.Context) (string, error)
	Scopes               []string
	// Optional: additional auth params (e.g., response_mode)
	ExtraAuthParams map[string]string
	PKCE            bool
}
RPClient holds issuer-based OIDC settings for a single IdP (internal RP wiring).
func DefaultsFor
DefaultsFor returns an internal RPClient for a known provider name.
func RPClientFromProvider (added in v0.8.4)
func RPClientFromProvider(provider authprovider.Provider) (RPClient, error)
type RPConfig
type RPConfig struct {
	ClientID     string
	ClientSecret string
	// Optional: dynamic secret minting
	SecretProvider func(ctx context.Context) (string, error)
	// Optional: additional/override scopes. "openid" will be ensured.
	Scopes []string
}
RPConfig describes an IdP (Relying Party) with minimal fields. If ClientSecret is empty and SecretProvider is set, the manager will call it to obtain a short-lived client_secret (e.g., Apple's ES256 JWT).
func AppleWithKey
func AppleWithKey(teamID, keyID string, privateKeyPEM []byte, clientID string, ttl time.Duration) RPConfig
AppleWithKey constructs an RPConfig for Apple that mints a short-lived ES256 client_secret per request using the given developer key. Scopes default to openid, email and name; callers may override Scopes on the returned RPConfig if needed.
type StateCache
type StateCache interface {
	Put(ctx context.Context, state string, data StateData) error
	Get(ctx context.Context, state string) (StateData, bool, error)
	Del(ctx context.Context, state string) error
}
StateCache stores ephemeral OIDC state/PKCE data (backed by Redis in the app).
type StateData
type StateData struct {
	Provider    string
	Verifier    string
	Nonce       string
	RedirectURI string
	LinkUserID  string
	ReturnTo    string
	// Reauth* fields identify a step-up reauthentication flow for an existing
	// session. Login/link flows leave these empty.
	ReauthUserID    string
	ReauthSessionID string
	ReauthReturnTo  string
	ReauthStartedAt time.Time
	UI              string // "popup" to trigger popup HTML callback; else redirect
	PopupNonce      string // echoed in popup postMessage for opener validation
}
StateData is what we persist for a pending OIDC login.