oauth2

package module
v0.1.35 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 3, 2026 License: Apache-2.0 Imports: 16 Imported by: 2

Documentation

Index

Constants

View Source
const (
	// PKCECookieName is the cookie name for storing the code verifier.
	PKCECookieName = "pkce_verifier"

	// PKCECookieTTL is how long the verifier cookie lives (covers the OAuth round-trip).
	PKCECookieTTL = 10 * time.Minute

	// CodeVerifierLength is the length of the random verifier in bytes (before base64).
	// 32 bytes → 43 base64url characters, which is the minimum per RFC 7636.
	CodeVerifierLength = 32
)

Variables

This section is empty.

Functions

func ClearPKCECookie added in v0.0.47

func ClearPKCECookie(w http.ResponseWriter)

ClearPKCECookie removes the PKCE verifier cookie after use.

func GenerateCodeVerifier added in v0.0.47

func GenerateCodeVerifier() (string, error)

GenerateCodeVerifier creates a cryptographically random code verifier per RFC 7636 §4.1. Returns a 43-character base64url-encoded string.

func GetPKCEVerifier added in v0.0.47

func GetPKCEVerifier(r *http.Request) string

GetPKCEVerifier reads the code verifier from the request cookie. Returns empty string if the cookie is not present.

func OauthRedirector

func OauthRedirector(oauthConfig *oauth2.Config) func(w http.ResponseWriter, r *http.Request)

OauthRedirector creates a redirect handler with PKCE enabled (default).

func OauthRedirectorNoPKCE added in v0.0.47

func OauthRedirectorNoPKCE(oauthConfig *oauth2.Config) func(w http.ResponseWriter, r *http.Request)

OauthRedirectorNoPKCE creates a redirect handler WITHOUT PKCE. Use only for OAuth providers that don't support PKCE.

func OauthRedirectorWithPKCE added in v0.0.47

func OauthRedirectorWithPKCE(oauthConfig *oauth2.Config, secure bool) func(w http.ResponseWriter, r *http.Request)

OauthRedirectorWithPKCE creates a redirect handler with PKCE support (RFC 7636). When secure is true, the PKCE cookie is marked Secure (HTTPS only).

func SetPKCECookie added in v0.0.47

func SetPKCECookie(w http.ResponseWriter, verifier string, secure bool)

SetPKCECookie stores the code verifier in an HttpOnly cookie for the duration of the OAuth flow. The cookie is read back in the callback handler and sent as the code_verifier in the token exchange.

Types

type BaseOAuth2

type BaseOAuth2 struct {
	ClientId       string
	ClientSecret   string
	CallbackURL    string
	HandleUser     HandleUserFunc
	AuthFailureUrl string

	// HTTPClient is used for making HTTP requests during OAuth flows.
	// If nil, http.DefaultClient is used. This can be set for testing.
	HTTPClient *http.Client

	// DisablePKCE disables Proof Key for Code Exchange (RFC 7636).
	// PKCE is enabled by default (zero value = enabled) because OAuth 2.1
	// requires it for all clients. Set to true only for providers that
	// don't support PKCE — a warning will be logged on startup.
	DisablePKCE bool

	// SecureCookies sets the Secure flag on PKCE and state cookies (HTTPS only).
	SecureCookies bool
	// contains filtered or unexported fields
}

func NewBaseOAuth2

func NewBaseOAuth2(clientId string, clientSecret string, callbackUrl string, handleUser HandleUserFunc) *BaseOAuth2

func (*BaseOAuth2) ExchangeContext

func (b *BaseOAuth2) ExchangeContext() context.Context

ExchangeContext returns a context configured with the HTTP client for token exchange

func (*BaseOAuth2) Handler

func (b *BaseOAuth2) Handler() http.Handler

func (*BaseOAuth2) SetHTTPClient

func (b *BaseOAuth2) SetHTTPClient(client *http.Client)

SetHTTPClient sets the HTTP client used for OAuth requests. This is primarily used for testing with mock servers.

func (*BaseOAuth2) SetOAuthEndpoint

func (b *BaseOAuth2) SetOAuthEndpoint(endpoint oauth2.Endpoint)

SetOAuthEndpoint sets the OAuth endpoint (auth URL and token URL). This is primarily used for testing with mock servers.

type GithubOAuth2

type GithubOAuth2 struct {
	*BaseOAuth2

	// UserInfoURL is the URL to fetch user info from. Defaults to GitHub's API.
	// Can be overridden for testing.
	UserInfoURL string
}

func NewGithubOAuth2

func NewGithubOAuth2(clientId string, clientSecret string, callbackUrl string, handleUser HandleUserFunc) *GithubOAuth2

type GoogleOAuth2

type GoogleOAuth2 struct {
	*BaseOAuth2

	// UserInfoURL is the URL to fetch user info from. Defaults to Google's API.
	// Can be overridden for testing.
	UserInfoURL string
}

func NewGoogleOAuth2

func NewGoogleOAuth2(clientId string, clientSecret string, callbackUrl string, handleUser HandleUserFunc) *GoogleOAuth2

type HandleUserFunc

type HandleUserFunc func(authtype string, provider string, token *oauth2.Token, userInfo map[string]any, w http.ResponseWriter, r *http.Request)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL