Documentation
¶
Overview ¶
Package oneauth provides a unified authentication framework for Go applications.
OneAuth is organized into subpackages:
- core/ — Foundation types: User, Identity, Channel, store interfaces, tokens, credentials, scopes
- keys/ — Key storage, KID tracking, JWKS serving/fetching, encrypted key storage
- admin/ — Admin auth, app registration API, resource token minting
- apiauth/ — API token auth (JWT + API keys), validation middleware
- localauth/ — Local username/password auth: signup, login, email verify, password reset
- httpauth/ — HTTP middleware, CSRF protection, session-based auth mux
- stores/ — Storage backends: fs/, gorm/, gae/
- utils/ — Crypto helpers (PEM, JWK, key generation)
- client/ — Client SDK
- oauth2/ — OAuth2 provider implementations
- grpc/ — gRPC auth interceptors
See each subpackage's SUMMARY.md for details.
Directories
¶
| Path | Synopsis |
|---|---|
|
Package admin owns OneAuth's client-administration surface — RFC 7591 Dynamic Client Registration, RFC 7592 registration management, the proprietary /apps registry, admin-side CRUD, signing-key rotation with grace periods, and resource-token minting.
|
Package admin owns OneAuth's client-administration surface — RFC 7591 Dynamic Client Registration, RFC 7592 registration management, the proprietary /apps registry, admin-side CRUD, signing-key rotation with grace periods, and resource-token minting. |
|
Package apiauth is the transport-independent OAuth 2.0 core of OneAuth — token issuance, validation, introspection, revocation, and client authentication — together with thin HTTP bindings for the token endpoint, the RFC 7662 / 7009 handlers, AS/PRM discovery metadata, and resource-server middleware.
|
Package apiauth is the transport-independent OAuth 2.0 core of OneAuth — token issuance, validation, introspection, revocation, and client authentication — together with thin HTTP bindings for the token endpoint, the RFC 7662 / 7009 handlers, AS/PRM discovery metadata, and resource-server middleware. |
|
Package appstoretest provides a shared contract test suite for all AppRegistrationStore implementations.
|
Package appstoretest provides a shared contract test suite for all AppRegistrationStore implementations. |
|
Package client is the client-side OAuth SDK for oneauth: AS discovery, browser/PKCE login, client-credentials and private_key_jwt token acquisition with caching/refresh, dynamic client registration, and an auth-injecting HTTP transport.
|
Package client is the client-side OAuth SDK for oneauth: AS discovery, browser/PKCE login, client-credentials and private_key_jwt token acquisition with caching/refresh, dynamic client registration, and an auth-injecting HTTP transport. |
|
stores/fs
Package fs provides a filesystem-backed credential store that persists oneauth client server credentials as a single JSON file keyed by normalized server URL.
|
Package fs provides a filesystem-backed credential store that persists oneauth client server credentials as a single JSON file keyed by normalized server URL. |
|
cmd
|
|
|
oneauth
module
|
|
|
Package core provides the foundation types and interfaces for the OneAuth authentication framework.
|
Package core provides the foundation types and interfaces for the OneAuth authentication framework. |
|
examples
|
|
|
01-client-credentials
command
Example 01: OAuth 2.0 Client Credentials Flow.
|
Example 01: OAuth 2.0 Client Credentials Flow. |
|
02-resource-token-hs256
command
Example 02: Resource Token with HS256 (Federated Auth).
|
Example 02: Resource Token with HS256 (Federated Auth). |
|
03-resource-token-rs256-jwks
command
Example 03: Resource Token with RS256 + JWKS Discovery.
|
Example 03: Resource Token with RS256 + JWKS Discovery. |
|
04-discovery
command
Example 04: AS Metadata Discovery (RFC 8414).
|
Example 04: AS Metadata Discovery (RFC 8414). |
|
05-introspection
command
Example 05: Token Introspection (RFC 7662).
|
Example 05: Token Introspection (RFC 7662). |
|
06-dynamic-client-registration
command
Example 06: Dynamic Client Registration (RFC 7591).
|
Example 06: Dynamic Client Registration (RFC 7591). |
|
07-client-sdk
command
Example 07: Client SDK — Production Patterns.
|
Example 07: Client SDK — Production Patterns. |
|
08-rich-authorization-requests
command
Example 08: Rich Authorization Requests (RFC 9396).
|
Example 08: Rich Authorization Requests (RFC 9396). |
|
09-key-rotation
command
Example 09: Key Rotation with Grace Periods.
|
Example 09: Key Rotation with Grace Periods. |
|
10-security
command
Example 10: Security — Attack Prevention.
|
Example 10: Security — Attack Prevention. |
|
common
Package common holds helpers shared across oneauth examples — the seam where "every example needs this now" updates land in one place instead of N copy-paste edits.
|
Package common holds helpers shared across oneauth examples — the seam where "every example needs this now" updates land in one place instead of N copy-paste edits. |
|
refs
Package refs provides pre-defined reference constants for OneAuth examples.
|
Package refs provides pre-defined reference constants for OneAuth examples. |
|
grpc
module
|
|
|
Package httpauth provides session-based HTTP auth glue plus standalone middleware for CSRF, security headers, and request body limits.
|
Package httpauth provides session-based HTTP auth glue plus standalone middleware for CSRF, security headers, and request body limits. |
|
Package keys owns signing-key storage, lookup, encryption-at-rest, kid-based rotation with grace periods, and JWKS publication/consumption for OneAuth.
|
Package keys owns signing-key storage, lookup, encryption-at-rest, kid-based rotation with grace periods, and JWKS publication/consumption for OneAuth. |
|
Package keystoretest is the shared contract test suite that every KeyStore backend (inmem, gorm, fs, gae) runs against its own factory.
|
Package keystoretest is the shared contract test suite that every KeyStore backend (inmem, gorm, fs, gae) runs against its own factory. |
|
Package kidstoretest provides a shared, test-only contract suite that every KidStorage backend (in-memory KidStore, FS, GORM, GAE) runs against its own factory, mirroring keystoretest.
|
Package kidstoretest provides a shared, test-only contract suite that every KidStorage backend (in-memory KidStore, FS, GORM, GAE) runs against its own factory, mirroring keystoretest. |
|
Package localauth provides HTTP handlers and store-backed callbacks for local username/password authentication — signup, login, email verification, password reset, and linking local credentials onto existing OAuth users.
|
Package localauth provides HTTP handlers and store-backed callbacks for local username/password authentication — signup, login, email verification, password reset, and linking local credentials onto existing OAuth users. |
|
oauth2
module
|
|
|
saml
module
|
|
|
stores
|
|
|
fs
Package fs provides filesystem-backed (JSON-file-per-record) implementations of OneAuth's KeyStore, KidStore, AppRegistrationStore, User/Username/Identity/ Channel/Token/RefreshToken/APIKey store interfaces, intended for single-process dev and small deployments.
|
Package fs provides filesystem-backed (JSON-file-per-record) implementations of OneAuth's KeyStore, KidStore, AppRegistrationStore, User/Username/Identity/ Channel/Token/RefreshToken/APIKey store interfaces, intended for single-process dev and small deployments. |
|
gae
module
|
|
|
gorm
module
|
|
|
Package testutil provides reusable test infrastructure for oneauth integration tests.
|
Package testutil provides reusable test infrastructure for oneauth integration tests. |
|
Package utils provides crypto and encoding helpers — PEM/PKCS8 key generation and parsing, JWK/JWKS conversion, RFC 7638 kid thumbprints, JWT signing-method lookup, and Flask session-cookie decoding.
|
Package utils provides crypto and encoding helpers — PEM/PKCS8 key generation and parsing, JWK/JWKS conversion, RFC 7638 kid thumbprints, JWT signing-method lookup, and Flask session-cookie decoding. |
Click to show internal directories.
Click to hide internal directories.