- Constants
- func FromContext(ctx context.Context) map[string]interface{}
- func NewContext(parent context.Context, c map[string]interface{}) context.Context
- func NewContextSessionFlag(ctx context.Context, flag bool) context.Context
- func NewSessionFlagFromContext(ctx context.Context) bool
- func ReadStringClaim(path string, claims map[string]interface{}) (string, error)
- func SplitWithEscaping(s string, separator string, escapeString string) []string
- func WalkSegments(segments []string, claims map[string]interface{}) (interface{}, error)
- type KeySet
- type LogoutEvent
- type LogoutToken
- type OIDCClient
- type Option
- func WithAccessTokenVerifyMethod(val string) Option
- func WithConfig(val *goidc.Config) Option
- func WithHTTPClient(val *http.Client) Option
- func WithJWKS(val *keyfunc.JWKS) Option
- func WithJWKSOptions(val config.JWKS) Option
- func WithKeySet(val KeySet) Option
- func WithLogger(val log.Logger) Option
- func WithOidcIssuer(val string) Option
- func WithProviderMetadata(val *ProviderMetadata) Option
- type Options
- type ProviderMetadata
- type RegClaimsWithSID
- type UserInfo
Constants ¶
// Claim names used when reading values out of the claims maps this package
// handles (ID/access token payloads and userinfo responses). The first five
// are standard JWT / OpenID Connect claim names; the remaining ones are
// deployment-specific claims (POSIX ids, groups, a stable UUID and a routing
// policy) — presumably configured on the IdP, confirm against the callers.
const (
	Iss                    = "iss"
	Sub                    = "sub"
	Email                  = "email"
	Name                   = "name"
	PreferredUsername      = "preferred_username"
	UIDNumber              = "uidnumber"
	GIDNumber              = "gidnumber"
	Groups                 = "groups"
	OpenCloudUUID          = "openclouduuid"
	OpenCloudRoutingPolicy = "opencloud.routing.policy"
)
// JOSE asymmetric signing algorithm values as defined by RFC 7518 §3.1.
// Only asymmetric (RSA / ECDSA / RSA-PSS) algorithms are listed; symmetric
// HMAC algorithms and "none" are deliberately not part of this set.
// NOTE(review): presumably this is the allow-list handed to the JWT parser —
// confirm that every verifier in the package restricts accepted "alg"
// values to this set rather than trusting the token header.
const (
	RS256 = "RS256" // RSASSA-PKCS-v1.5 using SHA-256
	RS384 = "RS384" // RSASSA-PKCS-v1.5 using SHA-384
	RS512 = "RS512" // RSASSA-PKCS-v1.5 using SHA-512
	ES256 = "ES256" // ECDSA using P-256 and SHA-256
	ES384 = "ES384" // ECDSA using P-384 and SHA-384
	ES512 = "ES512" // ECDSA using P-521 and SHA-512
	PS256 = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256
	PS384 = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384
	PS512 = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512
)
JOSE asymmetric signing algorithm values as defined by RFC 7518
Functions ¶
func FromContext ¶
FromContext returns the claims map stored in a context, or nil if there isn't one.
func NewContext ¶
NewContext makes a new context that contains the OpenID connect claims in a map.
func NewContextSessionFlag ¶
NewContextSessionFlag makes a new context that contains the new session flag.
func NewSessionFlagFromContext ¶
NewSessionFlagFromContext returns the new session flag stored in a context.
func ReadStringClaim ¶
ReadStringClaim returns the string obtained by following the "."-separated path in the claims.
func SplitWithEscaping ¶
SplitWithEscaping splits s into segments using separator, which can be escaped using the escape string. See https://codereview.stackexchange.com/a/280193
func WalkSegments ¶
WalkSegments uses the given array of segments to walk the claims and returns whatever value was found.
Types ¶
type KeySet ¶
// KeySet is a set of public JSON Web Keys that can be used to validate the
// signature of JSON web tokens. This is expected to be backed by a remote key
// set through provider metadata discovery or an in-memory set of keys
// delivered out-of-band.
type KeySet interface {
	// VerifySignature parses the JSON web token, verifies the signature, and returns
	// the raw payload. Header and claim fields are validated by other parts of the
	// package. For example, the KeySet does not need to check values such as signature
	// algorithm, issuer, and audience since the IDTokenVerifier validates these values
	// independently.
	//
	// Callers must therefore never treat the returned payload as trusted on its
	// own: a valid signature only proves the token was issued by a key in this
	// set, not that its issuer, audience or expiry are acceptable.
	//
	// If VerifySignature makes HTTP requests to verify the token, it's expected to
	// use any HTTP client associated with the context through ClientContext.
	VerifySignature(ctx context.Context, jwt string) (payload []byte, err error)
}
KeySet is a set of public JSON Web Keys that can be used to validate the signature of JSON web tokens. This is expected to be backed by a remote key set through provider metadata discovery or an in-memory set of keys delivered out-of-band.
type LogoutEvent ¶
// LogoutEvent defines a logout event: the "events" claim object of a
// back-channel logout token.
type LogoutEvent struct {
	// Event is the back-channel logout event member, keyed by its schema URI.
	// It is a pointer so that a present-but-empty object can be told apart from
	// an absent member — presumably used to reject tokens that lack the required
	// event; confirm against VerifyLogoutToken.
	Event *struct{} `json:"http://schemas.openid.net/event/backchannel-logout"`
}
LogoutEvent defines a logout Event
type LogoutToken ¶
// LogoutToken defines a logout token as delivered by OpenID Connect
// back-channel logout. The embedded RegisteredClaims carry iss/sub/aud/iat/jti.
type LogoutToken struct {
	jwt.RegisteredClaims
	// SessionId is the session identifier ("sid") of the session to terminate.
	SessionId string `json:"sid"`
	// Events must contain the back-channel logout event.
	Events LogoutEvent `json:"events"`
	// Nonce is only here to be able to check for nonce being absent: a logout
	// token must not carry a nonce (it distinguishes it from an ID token), so a
	// non-nil value is expected to cause rejection — confirm in VerifyLogoutToken.
	Nonce *string `json:"nonce"`
}
LogoutToken defines a logout token.
type OIDCClient ¶
// OIDCClient is the interface of the OIDC client; it is also used to mock the
// client during tests. Concrete instances come from NewOIDCClient.
type OIDCClient interface {
	// UserInfo returns the user info for the credentials provided by ts.
	UserInfo(ctx context.Context, ts oauth2.TokenSource) (*UserInfo, error)
	// VerifyAccessToken verifies the given access token and returns its
	// registered claims (including sid) together with the full claim map.
	// On error the returned claims must not be used.
	VerifyAccessToken(ctx context.Context, token string) (RegClaimsWithSID, jwt.MapClaims, error)
	// VerifyLogoutToken verifies a back-channel logout token and returns its
	// parsed form.
	VerifyLogoutToken(ctx context.Context, token string) (*LogoutToken, error)
}
OIDCClient is used to mock the OIDC client during tests.
func NewOIDCClient ¶
func NewOIDCClient(opts ...Option) OIDCClient
NewOIDCClient returns an OIDCClient instance for the given issuer.
type Option ¶
// Option defines a single option function that mutates an Options value;
// one or more are passed to NewOIDCClient.
type Option func(o *Options)
Option defines a single option function.
func WithAccessTokenVerifyMethod ¶
WithAccessTokenVerifyMethod provides a function to set the accessTokenVerifyMethod option.
func WithConfig ¶
WithConfig provides a function to set the Config option.
func WithHTTPClient ¶
WithHTTPClient provides a function to set the httpClient option.
func WithJWKSOptions ¶
WithJWKSOptions provides a function to set the jwksOptions option.
func WithKeySet ¶
WithKeySet provides a function to set the KeySet option.
func WithLogger ¶
WithLogger provides a function to set the logger option.
func WithOidcIssuer ¶
WithOidcIssuer provides a function to set the openid connect issuer option.
func WithProviderMetadata ¶
func WithProviderMetadata(val *ProviderMetadata) Option
WithProviderMetadata provides a function to set the provider option.
type Options ¶
// Options defines the available options for this package. Values are set
// through the With* Option functions and consumed by NewOIDCClient.
type Options struct {
	// HTTPClient to use for requests
	HTTPClient *http.Client
	// Logger to use for logging, must be set
	Logger log.Logger
	// The OpenID Connect Issuer URL. Presumably the value token "iss" claims
	// are compared against — confirm in the verifier.
	OIDCIssuer string
	// JWKSOptions to use when retrieving keys
	JWKSOptions config.JWKS
	// the JWKS keyset to use for verifying signatures of Access- and
	// Logout-Tokens
	// this option is mostly needed for unit test. To avoid fetching the keys
	// from the issuer
	JWKS *keyfunc.JWKS
	// KeySet to use when verifying signatures of jwt encoded
	// user info responses
	// TODO move userinfo verification to use jwt/keyfunc as well
	KeySet KeySet
	// AccessTokenVerifyMethod to use when verifying access tokens.
	// The accepted values are not documented on this type; see
	// WithAccessTokenVerifyMethod and its callers.
	// TODO pass a function or interface to verify? an AccessTokenVerifier?
	AccessTokenVerifyMethod string
	// Config to use
	Config *goidc.Config
	// ProviderMetadata to use
	ProviderMetadata *ProviderMetadata
}
Options defines the available options for this package.
type ProviderMetadata ¶
// ProviderMetadata describes an IdP, see
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
//
// Discovery members that appear below only as bare comments are not mapped
// to fields yet.
type ProviderMetadata struct {
	AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`
	//claims_parameter_supported
	ClaimsSupported []string `json:"claims_supported,omitempty"`
	//grant_types_supported
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
	// Issuer is the issuer identifier of the IdP.
	Issuer string `json:"issuer,omitempty"`
	// AccessTokenIssuer is only used by AD FS and needs to be used when validating the iss of its access tokens
	// See https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oidce/586de7dd-3385-47c7-93a2-935d9e90441c
	AccessTokenIssuer string `json:"access_token_issuer,omitempty"`
	// JwksURI is the location of the provider's JSON Web Key Set; since the
	// keys fetched from it are what signatures are checked against, this value
	// is trusted to the same degree as the discovery document itself.
	JwksURI string `json:"jwks_uri,omitempty"`
	//registration_endpoint
	//request_object_signing_alg_values_supported
	//request_parameter_supported
	//request_uri_parameter_supported
	//require_request_uri_registration
	//response_modes_supported
	ResponseTypesSupported []string `json:"response_types_supported,omitempty"`
	ScopesSupported []string `json:"scopes_supported,omitempty"`
	SubjectTypesSupported []string `json:"subject_types_supported,omitempty"`
	TokenEndpoint string `json:"token_endpoint,omitempty"`
	//token_endpoint_auth_methods_supported
	//token_endpoint_auth_signing_alg_values_supported
	UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"`
	//userinfo_signing_alg_values_supported
	//code_challenge_methods_supported
	IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
	//introspection_endpoint_auth_methods_supported
	//introspection_endpoint_auth_signing_alg_values_supported
	RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
	//revocation_endpoint_auth_methods_supported
	//revocation_endpoint_auth_signing_alg_values_supported
	//id_token_encryption_alg_values_supported
	//id_token_encryption_enc_values_supported
	//userinfo_encryption_alg_values_supported
	//userinfo_encryption_enc_values_supported
	//request_object_encryption_alg_values_supported
	//request_object_encryption_enc_values_supported
	CheckSessionIframe string `json:"check_session_iframe,omitempty"`
	EndSessionEndpoint string `json:"end_session_endpoint,omitempty"`
}
ProviderMetadata describes an IdP. See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
func GetIDPMetadata ¶
type RegClaimsWithSID ¶
// RegClaimsWithSID is the set of JWT registered claims extended by the
// session identifier ("sid") claim. It is the first value returned by
// OIDCClient.VerifyAccessToken.
type RegClaimsWithSID struct {
	// SessionID is the "sid" claim; it may be empty when the IdP does not
	// issue one.
	SessionID string `json:"sid"`
	jwt.RegisteredClaims
}