Documentation
Overview
Package oidc implements OIDC auth-code+PKCE login and refresh flows.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func IdentityFromIDToken
IdentityFromIDToken extracts the `sub` claim and the configured username claim (defaulting to "email") from an id_token. It does not verify the signature; verification already happened at the issuer when the token was minted.
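An added example of the extraction this function is documented to perform. It is not the package's own code: the page does not show IdentityFromIDToken's signature, so the identityFromIDToken name, the Identity type and the makeUnsignedIDToken helper (which builds a constructed sample token with a fake signature) are assumptions. The point worth seeing in code is that this is a base64url decode of the middle JWS segment and nothing more: no signature, issuer, audience or expiry check happens here, so the claims are only as trustworthy as the channel the token arrived on.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Identity is what the page says IdentityFromIDToken yields: the `sub` claim
// plus the configured username claim. The type name is an assumption.
type Identity struct {
	Subject  string
	Username string
}

// identityFromIDToken splits a compact JWS (header.payload.signature),
// base64url-decodes the payload and reads `sub` and usernameClaim
// (defaulting to "email"). It performs NO signature or claim validation:
// the bytes are decoded and parsed, exactly as the page documents, so the
// caller must only feed it tokens received directly from the token endpoint.
func identityFromIDToken(idToken, usernameClaim string) (Identity, error) {
	if usernameClaim == "" {
		usernameClaim = "email"
	}
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return Identity{}, fmt.Errorf("id_token: expected 3 segments, got %d", len(parts))
	}
	// JWS segments are unpadded base64url (RFC 7515); RawURLEncoding rejects
	// padded or standard-alphabet input rather than silently accepting it.
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Identity{}, fmt.Errorf("id_token: payload is not base64url: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return Identity{}, fmt.Errorf("id_token: payload is not a JSON object: %w", err)
	}
	sub, _ := claims["sub"].(string)
	if sub == "" {
		return Identity{}, errors.New("id_token: missing sub claim")
	}
	user, _ := claims[usernameClaim].(string)
	if user == "" {
		return Identity{}, fmt.Errorf("id_token: missing %q claim", usernameClaim)
	}
	return Identity{Subject: sub, Username: user}, nil
}

// makeUnsignedIDToken builds a constructed sample token for exercising the
// decoder offline. The third segment is a placeholder, not a real signature;
// real id_tokens carry one verifiable against the jwks_uri from Discovery.
func makeUnsignedIDToken(claims map[string]any) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	payload := base64.RawURLEncoding.EncodeToString(body)
	sig := base64.RawURLEncoding.EncodeToString([]byte("constructed-signature"))
	return header + "." + payload + "." + sig
}

func main() {
	tok := makeUnsignedIDToken(map[string]any{
		"iss": "https://issuer.example", "sub": "user-123",
		"email": "alice@example.com", "preferred_username": "alice",
	})
	fmt.Println(identityFromIDToken(tok, ""))                   // default claim: email
	fmt.Println(identityFromIDToken(tok, "preferred_username")) // configured claim
}
```

The decoder deliberately fails closed on a missing `sub` or username claim and on a malformed segment, so a caller never receives an empty identity it might mistake for a valid one.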
Types
type Discovery
type Discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JWKSURI               string `json:"jwks_uri"`
}
Discovery is the subset of an OIDC discovery document that Podplane uses.
type Tokens
type Tokens struct {
	IDToken      string `json:"id_token"`
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int    `json:"expires_in"`
}
Tokens is the result of a successful auth-code or refresh exchange.
func Login
func Login(ctx context.Context, client *http.Client, issuerURL, clientID string, callbackPort int, headless bool) (*Tokens, error)
Login runs the OIDC authorization-code + PKCE flow and returns the resulting tokens. The caller supplies the HTTP client (it is responsible for any TLS/CA configuration the issuer needs). A callbackPort of 0 defaults to 8000.
In interactive mode (headless == false) the user's browser is opened to the authorize URL and we wait for the issuer to redirect back to http://localhost:<callbackPort>/callback.
In headless mode we GET the authorize URL ourselves with redirects disabled and pull the `code` straight out of the Location header. This works against any issuer that does not require interactive consent for the request, for example a confidential client with an existing session, an issuer configured to skip the consent screen for trusted clients, or our local fake OIDC. It is intentionally not coupled to the local provider.
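An added example of the headless leg described above, written for this page and not taken from the package: it generates a PKCE verifier and S256 challenge, builds the authorize URL, GETs it with redirects disabled and reads the `code` out of the Location header. Every function name here (randomB64, s256Challenge, authorizeURL, codeFromLocation, headlessCode, fakeIssuer, demoHeadlessLogin), the "podplane-cli" client ID and the fixed "constructed-code-1" are assumptions or constructed values; the fake issuer is an httptest stand-in for the non-interactive providers the text lists, and the example stops once the code is in hand, before the token exchange that produces Tokens.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// randomB64 returns n random bytes as unpadded base64url, an alphabet RFC 7636
// permits for a code_verifier; 32 bytes give a 43-character verifier.
func randomB64(n int) string {
	raw := make([]byte, n)
	if _, err := rand.Read(raw); err != nil {
		panic(err) // crypto/rand failing is not recoverable for a login flow
	}
	return base64.RawURLEncoding.EncodeToString(raw)
}

// s256Challenge is the PKCE S256 transform: base64url(SHA-256(ASCII(verifier))).
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// authorizeURL builds the code-flow request. Only the challenge is sent; the
// verifier stays with the client. Assumes authEndpoint has no query of its own.
func authorizeURL(authEndpoint, clientID, redirectURI, state, challenge string) string {
	q := url.Values{
		"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURI},
		"scope": {"openid email"}, "state": {state},
		"code_challenge": {challenge}, "code_challenge_method": {"S256"},
	}
	return authEndpoint + "?" + q.Encode()
}

// codeFromLocation parses the redirect target and returns the code only when
// the issuer reported no error and the state round-tripped unchanged.
func codeFromLocation(location, wantState string) (string, error) {
	u, err := url.Parse(location)
	if err != nil {
		return "", err
	}
	q := u.Query()
	switch {
	case q.Get("error") != "":
		return "", fmt.Errorf("issuer returned %q: %s", q.Get("error"), q.Get("error_description"))
	case q.Get("state") != wantState:
		return "", errors.New("state mismatch: redirect does not belong to this login")
	case q.Get("code") == "":
		return "", errors.New("redirect carried no code")
	}
	return q.Get("code"), nil
}

// headlessCode GETs the authorize URL with redirects disabled and reads the code
// from the Location header. Anything but a 3xx means the issuer wanted an
// interactive step (login or consent) that headless mode cannot satisfy.
func headlessCode(client *http.Client, authURL, wantState string) (string, error) {
	c := *client // shallow copy: the caller's client keeps its own redirect policy
	c.CheckRedirect = func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	resp, err := c.Get(authURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 3 {
		return "", fmt.Errorf("issuer answered %d instead of redirecting", resp.StatusCode)
	}
	return codeFromLocation(resp.Header.Get("Location"), wantState)
}

// fakeIssuer is a constructed stand-in for a non-interactive provider: it redirects
// straight back with a fixed code and the caller's state, but only if an S256
// PKCE challenge was presented.
func fakeIssuer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if q.Get("code_challenge_method") != "S256" || q.Get("code_challenge") == "" {
			http.Error(w, "PKCE challenge required", http.StatusBadRequest)
			return
		}
		cb, _ := url.Parse(q.Get("redirect_uri"))
		cb.RawQuery = url.Values{"code": {"constructed-code-1"}, "state": {q.Get("state")}}.Encode()
		http.Redirect(w, r, cb.String(), http.StatusFound)
	}))
}

// demoHeadlessLogin runs the headless leg end to end against fakeIssuer and
// returns the code plus the verifier the token exchange would present.
func demoHeadlessLogin() (code, verifier string, err error) {
	srv := fakeIssuer()
	defer srv.Close()
	verifier, state := randomB64(32), randomB64(16)
	authURL := authorizeURL(srv.URL+"/authorize", "podplane-cli", "http://localhost:8000/callback", state, s256Challenge(verifier))
	code, err = headlessCode(srv.Client(), authURL, state)
	return code, verifier, err
}

func main() { fmt.Println(demoHeadlessLogin()) }
```

Two choices matter for a defender reading this. The state value is compared before the code is accepted, so a redirect that was not produced for this login attempt is rejected rather than exchanged. And the redirect policy is changed on a copy of the caller's client, so disabling redirects for this one request never alters the client the caller passed in for the rest of the flow.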