oidc

package
v0.9.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 20, 2025 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Package oidc implements OIDC token handling in a multi-tenant environment. For this a Handler is created, which holds the Providers for validating tokens. You can either register providers in a static manner, or inject a client to query providers during runtime.

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrInvalidToken = errors.New("invalid token")
	ErrNoProvider   = errors.New("no provider")
)
View Source 
var (
	DefaultIssuerClaims = []string{"iss"}
)

Functions

This section is empty.

Types

type Handler 

type Handler struct {
	// contains filtered or unexported fields
}

Handler tracks the set of identity providers to support multi tenancy.

func NewHandler 

func NewHandler(opts ...HandlerOption) (*Handler, error)

NewHandler creates a new handler and applies the given options.

func (*Handler) Introspect 

func (handler *Handler) Introspect(ctx context.Context, issuer, introspectToken string, useCache bool) (Introspection, error)

Introspect an access or refresh token with the given issuer.

func (*Handler) ParseAndValidate 

func (handler *Handler) ParseAndValidate(ctx context.Context, rawToken string, userclaims any, useCache bool) error

func (*Handler) ProviderFor 

func (handler *Handler) ProviderFor(ctx context.Context, issuer string) (*Provider, error)

ProviderFor returns the provider for the given issuer. It either looks up the provider in the internal cache or queries the provider client.

func (*Handler) RegisterStaticProvider added in v0.5.4 

func (handler *Handler) RegisterStaticProvider(provider *Provider)

RegisterStaticProvider registers a provider with the handler.

type HandlerOption 

type HandlerOption func(*Handler) error

HandlerOption is used to configure a handler.

func WithFeatureGates added in v0.7.0 

func WithFeatureGates(fg *commoncfg.FeatureGates) HandlerOption

func WithIssuerClaimKeys 

func WithIssuerClaimKeys(issuerClaimKeys ...string) HandlerOption

WithIssuerClaimKeys configures the behavior of a certain provider.

func WithProviderCacheExpiration 

func WithProviderCacheExpiration(expiration, cleanup time.Duration) HandlerOption

WithProviderCacheExpiration configures the expiration of cached providers.

func WithProviderClient 

func WithProviderClient(providerClient ProviderClient) HandlerOption

func WithStaticProvider added in v0.5.4 

func WithStaticProvider(provider *Provider) HandlerOption

WithStaticProvider registers the given provider.

type Introspection 

type Introspection struct {
	Active bool `json:"active"` // Required. Indicator of whether the presented token is currently active.

	// Error response fields e.g. bad credentials
	Error            string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
}

type Provider 

type Provider struct {
	// contains filtered or unexported fields
}

Provider represents a specific OIDC provider.

func NewProvider 

func NewProvider(issuerURL *url.URL, audiences []string, opts ...ProviderOption) (*Provider, error)

NewProvider creates a new provider and applies the given options.

func (*Provider) SigningKeyFor 

func (provider *Provider) SigningKeyFor(ctx context.Context, keyID string) (*jose.JSONWebKey, error)

SigningKeyFor returns the key for the given key.

type ProviderClient 

type ProviderClient interface {
	Get(ctx context.Context, issuer string) (*Provider, error)
}

ProviderClient is an interface for looking up providers for the issuer.

type ProviderOption 

type ProviderOption func(*Provider) error

ProviderOption is used to configure a provider.

func WithCustomJWKSURI 

func WithCustomJWKSURI(jwksURI *url.URL) ProviderOption

WithCustomJWKSURI configures a custom JWKS URI.

func WithIntrospectTokenURL 

func WithIntrospectTokenURL(introspectURL *url.URL) ProviderOption

WithIntrospectTokenURL configures a token introspection endpoint.

func WithProviderHTTPClient added in v0.9.5 

func WithProviderHTTPClient(c *http.Client) ProviderOption

WithProviderHTTPClient configures a dedicated http client.

func WithSigningKeyCacheExpiration 

func WithSigningKeyCacheExpiration(expiration, cleanup time.Duration) ProviderOption

WithSigningKeyCacheExpiration configures the expiration of cached signing keys. A cach miss will result in a new request to the JWKS URI.

func WithoutCache 

func WithoutCache() ProviderOption

type ProviderSource 

type ProviderSource struct {
	// contains filtered or unexported fields
}

func NewProviderSource 

func NewProviderSource(opts ...ProviderSourceOption) (*ProviderSource, error)

NewProviderSource creates a new OIDC provider and applies the given options.

func (*ProviderSource) Get 

func (c *ProviderSource) Get(ctx context.Context, issuer string) (*Provider, error)

Get creates a new provider from the given issuer by calling the OIDC provider gRPC service of the Session Manager.

type ProviderSourceOption 

type ProviderSourceOption func(*ProviderSource) error

ProviderSourceOption is used to configure an OIDC provider source.

func WithGRPCConn 

func WithGRPCConn(grpcConn *grpc.ClientConn) ProviderSourceOption

func WithProviderSourceHTTPClient added in v0.9.5 

func WithProviderSourceHTTPClient(c *http.Client) ProviderSourceOption

WithProviderSourceHTTPClient configures a dedicated http client.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.