oidc

package
v0.5.0
Published: Oct 27, 2025 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Overview

Package oidc implements OIDC token handling in a multi-tenant environment. For this, a Handler is created, which holds the Providers used to validate tokens. Providers can either be registered statically or looked up at runtime through an injected client.
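The Overview describes the flow in a sentence: a Handler holds Providers, and a token is routed to the Provider for its issuer before it is validated. The following is an added, self-contained Go illustration of that flow written for this page. It is not the package's code and does not use its real API: the real Provider fetches keys from a JWKS URI and the real Handler and Provider take functional options, whereas here the keys are an in-memory map and the issuer-claim list is a plain field. The names Provider, Handler, RegisterProvider, ParseAndValidate, NewTestKey and SignRS256 are this example's own (modelled on the page's identifiers), the `now` parameter is an assumption made so the expiry check can be exercised deterministically, and every issuer, audience and subject value in the test is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var ErrInvalidToken, ErrNoProvider = errors.New("invalid token"), errors.New("no provider")
// Provider is one tenant's trust anchor: issuer, accepted audiences and RS256 public keys by "kid"
// (an in-memory stand-in for the package's JWKS lookup).
type Provider struct {
	Issuer    string
	Audiences []string
	Keys      map[string]*rsa.PublicKey
}

// Handler routes each token to the Provider registered for its issuer claim. IssuerClaimKeys lists
// the claims inspected, in order, for that issuer (the package's DefaultIssuerClaims is just "iss").
type Handler struct {
	IssuerClaimKeys []string
	Providers       map[string]*Provider
}

func (h *Handler) RegisterProvider(p *Provider) { h.Providers[p.Issuer] = p }
// ParseAndValidate verifies a compact RS256 JWT. The issuer claim is read before the signature is
// checked, but only to pick a provider; nothing in the payload is trusted until the signature
// verifies under that provider's key, and algorithm, audience and expiry are enforced after that.
func (h *Handler) ParseAndValidate(raw string, userClaims any, now time.Time) error {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return ErrInvalidToken
	}
	headerJSON, errH := base64.RawURLEncoding.DecodeString(parts[0])
	payload, errP := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	var claims map[string]any
	if errH != nil || errP != nil || errS != nil || json.Unmarshal(payload, &claims) != nil {
		return ErrInvalidToken
	}
	var issuer string
	for _, k := range h.IssuerClaimKeys { // first configured claim key that is present wins
		if s, ok := claims[k].(string); ok && s != "" {
			issuer = s
			break
		}
	}
	provider, ok := h.Providers[issuer]
	if !ok {
		return ErrNoProvider
	}
	// Pin the algorithm and require a known kid: a header-supplied "none" or HMAC alg is never honoured.
	var header struct{ Alg, Kid string }
	_ = json.Unmarshal(headerJSON, &header) // on a decode error Alg stays empty and fails the pin below
	key := provider.Keys[header.Kid]
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if header.Alg != "RS256" || key == nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return ErrInvalidToken
	}
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64; a missing exp reads as 0
	if !now.Before(time.Unix(int64(exp), 0)) || !hasAudience(claims["aud"], provider.Audiences) {
		return ErrInvalidToken
	}
	return json.Unmarshal(payload, userClaims)
}

// hasAudience accepts the RFC 7519 "aud" claim as a single string or an array of strings.
func hasAudience(aud any, accepted []string) bool {
	if s, ok := aud.(string); ok {
		aud = []any{s}
	}
	list, _ := aud.([]any)
	for _, got := range list {
		for _, want := range accepted {
			if got == want {
				return true
			}
		}
	}
	return false
}
// NewTestKey and SignRS256 exist only so the example can construct sample tokens offline.
func NewTestKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	input := enc(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}
```

The order of checks is the point of the sketch: the unverified `iss` is used for nothing but choosing which provider's key to verify against, so a token that names a tenant the handler does not know fails with ErrNoProvider before any signature work, a token for a known tenant signed under somebody else's key fails the signature check, and a valid signature still has to clear the algorithm pin, the audience list and the expiry before the claims are decoded into the caller's struct.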

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrInvalidToken = errors.New("invalid token")
	ErrNoProvider   = errors.New("no provider")
)
View Source
var (
	DefaultIssuerClaims = []string{"iss"}
)

Functions

This section is empty.

Types

type Handler

type Handler struct {
	// contains filtered or unexported fields
}

Handler tracks the set of identity providers to support multi-tenancy.

func NewHandler

func NewHandler(opts ...HandlerOption) (*Handler, error)

NewHandler creates a new handler and applies the given options.

func (*Handler) Introspect

func (handler *Handler) Introspect(ctx context.Context, issuer, bearerToken, introspectToken string, useCache bool) (Introspection, error)

Introspect an access or refresh token with the given issuer.

func (*Handler) ParseAndValidate

func (handler *Handler) ParseAndValidate(ctx context.Context, rawToken string, userclaims any, useCache bool) error

func (*Handler) ProviderFor

func (handler *Handler) ProviderFor(ctx context.Context, issuer string) (*Provider, error)

ProviderFor returns the provider for the given issuer. It either looks up the provider in the internal cache or queries the provider client.

func (*Handler) RegisterProvider

func (handler *Handler) RegisterProvider(provider *Provider)

RegisterProvider registers a provider with the handler.

type HandlerOption

type HandlerOption func(*Handler) error

HandlerOption is used to configure a handler.

func WithIssuerClaimKeys

func WithIssuerClaimKeys(issuerClaimKeys ...string) HandlerOption

WithIssuerClaimKeys configures the claim keys the handler reads from a token to determine its issuer; DefaultIssuerClaims holds the default.

func WithProvider

func WithProvider(provider *Provider) HandlerOption

WithProvider registers the given provider.

func WithProviderCacheExpiration

func WithProviderCacheExpiration(expiration, cleanup time.Duration) HandlerOption

WithProviderCacheExpiration configures the expiration of cached providers.

func WithProviderClient

func WithProviderClient(providerClient ProviderClient) HandlerOption

type Introspection

type Introspection struct {
	Active bool `json:"active"` // Required. Indicator of whether the presented token is currently active.
}

type Provider

type Provider struct {
	// contains filtered or unexported fields
}

Provider represents a specific OIDC provider.

func NewProvider

func NewProvider(issuerURL *url.URL, audiences []string, opts ...ProviderOption) (*Provider, error)

NewProvider creates a new provider and applies the given options.

func (*Provider) SigningKeyFor

func (provider *Provider) SigningKeyFor(ctx context.Context, keyID string) (*jose.JSONWebKey, error)

SigningKeyFor returns the signing key for the given key ID.

type ProviderClient

type ProviderClient interface {
	Get(ctx context.Context, issuer string) (*Provider, error)
}

ProviderClient is an interface for looking up providers for the issuer.

type ProviderOption

type ProviderOption func(*Provider) error

ProviderOption is used to configure a provider.

func WithClient

func WithClient(c *http.Client) ProviderOption

WithClient configures a dedicated http client.

func WithCustomJWKSURI

func WithCustomJWKSURI(jwksURI *url.URL) ProviderOption

WithCustomJWKSURI configures a custom JWKS URI.

func WithIntrospectTokenURL

func WithIntrospectTokenURL(introspectURL *url.URL) ProviderOption

WithIntrospectTokenURL configures a token introspection endpoint.

func WithSigningKeyCacheExpiration

func WithSigningKeyCacheExpiration(expiration, cleanup time.Duration) ProviderOption

WithSigningKeyCacheExpiration configures the expiration of cached signing keys. A cache miss will result in a new request to the JWKS URI.
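The sentence above states the cache contract: a signing key is served from memory until its entry expires, and a miss causes a fresh request to the JWKS URI. The following is an added, self-contained Go sketch of such a cache, written for this page to make that contract concrete; it is not the package's implementation, and its names (KeyCache, NewKeyCache, SigningKeyFor's receiver, JWK, EncodeJWK, NewTestKey, the exported Now clock and Fetches counter) are this example's own. It additionally rate-limits refreshes with a minRefresh interval; that is the example's design choice, not something the page says the package does. The JWKS document in the test is served from a local httptest server with constructed keys.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"net/http"
	"sync"
	"time"
)

var ErrUnknownKey = errors.New("unknown signing key")

// JWK is the subset of an RSA JSON Web Key (RFC 7517) needed to rebuild the public key.
type JWK struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// EncodeJWK turns an RSA public key into JWK form; the example uses it to publish a sample JWKS.
func EncodeJWK(kid string, pub *rsa.PublicKey) JWK {
	enc := base64.RawURLEncoding.EncodeToString
	return JWK{Kid: kid, Kty: "RSA", N: enc(pub.N.Bytes()), E: enc(big.NewInt(int64(pub.E)).Bytes())}
}

// PublicKey rebuilds the *rsa.PublicKey; non-RSA or malformed entries are rejected.
func (k JWK) PublicKey() (*rsa.PublicKey, error) {
	n, errN := base64.RawURLEncoding.DecodeString(k.N)
	e, errE := base64.RawURLEncoding.DecodeString(k.E)
	if k.Kty != "RSA" || errN != nil || errE != nil || len(n) == 0 || len(e) == 0 || len(e) > 4 {
		return nil, errors.New("malformed RSA JWK")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}
// NewTestKey generates a throwaway RSA key pair for the sample JWKS.
func NewTestKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
type cachedKey struct {
	key     *rsa.PublicKey
	expires time.Time
}

// KeyCache serves signing keys from memory until they expire; a miss triggers a new request to the
// JWKS URI, but never more often than minRefresh, so that a flood of tokens carrying unknown "kid"
// values cannot turn this verifier into a request amplifier against the provider.
type KeyCache struct {
	jwksURI         string
	client          *http.Client
	ttl, minRefresh time.Duration
	Now             func() time.Time // injectable clock so expiry can be exercised without sleeping
	mu              sync.Mutex
	keys            map[string]cachedKey
	lastFetch       time.Time
	Fetches         int // JWKS requests made so far, exposed so the caching can be observed
}
func NewKeyCache(jwksURI string, client *http.Client, ttl, minRefresh time.Duration) *KeyCache {
	return &KeyCache{jwksURI: jwksURI, client: client, ttl: ttl, minRefresh: minRefresh, Now: time.Now, keys: map[string]cachedKey{}}
}
// SigningKeyFor returns the key for the given key ID, refreshing the JWKS on a cache miss.
func (c *KeyCache) SigningKeyFor(kid string) (*rsa.PublicKey, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if k, ok := c.keys[kid]; ok && c.Now().Before(k.expires) {
		return k.key, nil
	}
	if c.Now().Sub(c.lastFetch) < c.minRefresh {
		return nil, ErrUnknownKey // a refresh just happened: treat the miss as final for now
	}
	if err := c.refresh(); err != nil {
		return nil, err
	}
	if k, ok := c.keys[kid]; ok {
		return k.key, nil
	}
	return nil, ErrUnknownKey
}

func (c *KeyCache) refresh() error {
	c.lastFetch, c.Fetches = c.Now(), c.Fetches+1
	resp, err := c.client.Get(c.jwksURI)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	var set struct{ Keys []JWK `json:"keys"` }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&set) != nil {
		return errors.New("jwks fetch failed")
	}
	for _, k := range set.Keys {
		if pub, err := k.PublicKey(); err == nil { // skip entries the verifier cannot use
			c.keys[k.Kid] = cachedKey{key: pub, expires: c.Now().Add(c.ttl)}
		}
	}
	return nil
}
```

Two behaviours are worth observing when tuning the expiration and cleanup values the option takes: a key rotated in by the provider becomes usable on the first miss after the cache entry expires or the kid is unseen, so the TTL bounds how long a newly published key goes unrecognised; and because every miss is a network round trip to the provider, a verifier that refetches on each unknown kid lets anyone who can submit tokens drive load at the JWKS endpoint, which is why the sketch refuses to refresh again inside minRefresh and returns ErrUnknownKey instead.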

func WithoutCache

func WithoutCache() ProviderOption

type ProviderSource

type ProviderSource struct {
	// contains filtered or unexported fields
}

func NewProviderSource

func NewProviderSource(opts ...ProviderSourceOption) (*ProviderSource, error)

NewProviderSource creates a new OIDC provider source and applies the given options.

func (*ProviderSource) Get

func (c *ProviderSource) Get(ctx context.Context, issuer string) (*Provider, error)

Get creates a new provider from the given issuer by calling the OIDC provider gRPC service of the Session Manager.

type ProviderSourceOption

type ProviderSourceOption func(*ProviderSource) error

ProviderSourceOption is used to configure an OIDC provider source.

func WithGRPCConn

func WithGRPCConn(grpcConn *grpc.ClientConn) ProviderSourceOption
