authprovider

package
v0.77.0
Warning

This package is not in the latest version of its module.
Published: Jul 3, 2026 License: MIT Imports: 6 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var ErrProviderNonHTTPSURL = errors.New("provider_non_https_url")

Functions

This section is empty.

Types

type AppleJWTSecret

type AppleJWTSecret struct {
	TeamID        string
	KeyID         string
	PrivateKeyPEM []byte
	TTL           time.Duration
}

type ClientSecret

type ClientSecret struct {
	Value    string
	Strategy string
	AppleJWT *AppleJWTSecret
}

ClientSecret carries the provider's client secret as explicit config. There is deliberately NO env-var indirection (#231): AuthKit is a library and never reads process env — hosts/binaries resolve secrets at their own boundary and pass Value (or a Strategy) here.

func (ClientSecret) ResolveStatic

func (s ClientSecret) ResolveStatic() string

ResolveStatic returns the statically configured secret value (empty when unset or when a dynamic Strategy is used instead).

type Identity

type Identity struct {
	Subject           string
	Email             string
	EmailVerified     bool
	PreferredUsername string
	DisplayName       string
}

type Kind

type Kind string
const (
	KindOIDC   Kind = "oidc"
	KindOAuth2 Kind = "oauth2"

	// SecretStrategyAppleJWT selects dynamic Apple ES256 client-secret minting.
	SecretStrategyAppleJWT = "apple_jwt"
)

type Provider

type Provider struct {
	Name            string
	Kind            Kind
	Issuer          string
	ClientID        string
	ClientSecret    ClientSecret
	Scopes          []string
	PKCE            bool
	AuthorizeURL    string
	TokenURL        string
	UserInfoURL     string
	UserInfoAccept  string
	ExtraAuthParams map[string]string

	// EmailFallbackURL is an optional secondary userinfo endpoint queried when the
	// primary userinfo response yields no email. It exists for OAuth2 providers
	// (GitHub) whose /user email may be empty; the fetched JSON is expected to be an
	// array of {email, primary, verified} entries, and the primary+verified entry is
	// selected. Empty for providers without a fallback.
	EmailFallbackURL    string
	EmailFallbackAccept string

	// IdentityMapper maps a provider's parsed userinfo JSON into an Identity. It is
	// required for OAuth2 providers (OIDC providers read standard ID-token claims via
	// the oidc path instead). Built-ins set this in-code; custom OAuth2 providers must
	// supply their own.
	IdentityMapper func(any) (Identity, error)

	// SecretProvider is the internal escape hatch for callers that already
	// construct dynamic secrets in code. Config-first providers should prefer
	// ClientSecret strategies.
	SecretProvider func(context.Context) (string, error)
}
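
The EmailFallbackURL and IdentityMapper comments above, shown as an added example that is not AuthKit's own code: a mapper with the IdentityMapper signature, plus the primary+verified selection over the fallback array. Identity here is a local copy of the documented struct, and the userinfo keys (id, login, name, email), both function names and the sample data are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Identity is a local copy of the documented struct so the example builds alone.
type Identity struct {
	Subject, Email, PreferredUsername, DisplayName string
	EmailVerified                                  bool
}

// sampleEmails is constructed fallback-endpoint output, not captured traffic.
const sampleEmails = `[{"email":"old@example.test","primary":false,"verified":true},
 {"email":"me@example.test","primary":true,"verified":true}]`

// mapUserInfo has the IdentityMapper signature; the JSON keys are assumed names.
func mapUserInfo(raw any) (Identity, error) {
	m, _ := raw.(map[string]any)  // a non-object leaves m nil; reading a nil map is safe
	id, ok := m["id"].(float64) // encoding/json decodes numbers as float64
	if !ok {
		return Identity{}, errors.New("userinfo: expected an object with a numeric id")
	}
	login, _ := m["login"].(string)
	name, _ := m["name"].(string)
	email, _ := m["email"].(string)
	// This endpoint carries no verification claim, so EmailVerified stays false.
	return Identity{Subject: fmt.Sprintf("%.0f", id), Email: email,
		PreferredUsername: login, DisplayName: name}, nil
}

// pickPrimaryVerified returns the email of the entry that is primary AND verified.
func pickPrimaryVerified(body []byte) (string, bool) {
	var entries []struct {
		Email             string
		Primary, Verified bool
	}
	if json.Unmarshal(body, &entries) != nil {
		return "", false
	}
	for _, e := range entries {
		if e.Primary && e.Verified && e.Email != "" {
			return e.Email, true
		}
	}
	return "", false
}

func main() { fmt.Println(pickPrimaryVerified([]byte(sampleEmails))) }
```

A host would set EmailVerified to true only for an address returned by pickPrimaryVerified, never for the unverified email field of the primary userinfo response.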

func Apple added in v0.72.0

func Apple(clientID, clientSecret string) Provider

Apple returns the built-in Apple OIDC provider configured with the given OAuth client credentials. For the Apple "client secret JWT" strategy, set ClientSecret.Strategy / ClientSecret.AppleJWT on the returned provider.

func BuiltIn

func BuiltIn(name string) (Provider, bool)

func Clone

func Clone(in Provider) Provider

func Discord added in v0.72.0

func Discord(clientID, clientSecret string) Provider

Discord returns the built-in Discord OAuth2 provider configured with the given OAuth client credentials.

func GitHub added in v0.72.0

func GitHub(clientID, clientSecret string) Provider

GitHub returns the built-in GitHub OAuth2 provider configured with the given OAuth client credentials.

func Google added in v0.72.0

func Google(clientID, clientSecret string) Provider

Google returns the built-in Google OIDC provider configured with the given OAuth client credentials — the convenience form of an authprovider.Provider for IdentityConfig.Providers (#143). Override fields on the result for custom scopes/mapping.

func (Provider) NormalizedName

func (p Provider) NormalizedName() string

func (Provider) Validate added in v0.12.2

func (p Provider) Validate() error

Validate checks descriptor shape for config-loaded providers.
