Documentation

Index
- Constants
- func DefaultScopes() []string
- func EnterpriseReadOnlyScopes() []string
- func EnterpriseScopes() []string
- func ReadOnlyScopes() []string
- func StoreToken(store secrets.Store, email string, data *TokenData) error
- type AccountInfo
- type Authenticator
- func (a *Authenticator) GetCredential(ctx context.Context, email string) (azcore.TokenCredential, error)
- func (a *Authenticator) ListAccounts() ([]AccountInfo, error)
- func (a *Authenticator) LoginDeviceCode(ctx context.Context, scopes []string, verbose bool) (*AccountInfo, error)
- func (a *Authenticator) Logout(email string) error
- type DeviceCodeResponse
- type ErrorResponse
- type StaticTokenCredential
- type TokenData
- type TokenResponse
Constants
const (
    ScopeMail            = "Mail.ReadWrite"
    ScopeMailSend        = "Mail.Send"
    ScopeCalendar        = "Calendars.ReadWrite"
    ScopeContacts        = "Contacts.ReadWrite"
    ScopeTasks           = "Tasks.ReadWrite"
    ScopeFiles           = "Files.ReadWrite"
    ScopePeople          = "People.Read"
    ScopeUser            = "User.Read"
    ScopeUserReadAll     = "User.ReadBasic.All"
    ScopeMailboxSettings = "MailboxSettings.ReadWrite"
    ScopeOfflineAccess   = "offline_access"
)
Microsoft Graph API scopes.
Variables
This section is empty.
Functions
func DefaultScopes
func DefaultScopes() []string
func EnterpriseReadOnlyScopes (added in v0.4.8)
func EnterpriseReadOnlyScopes() []string
EnterpriseReadOnlyScopes returns read-only scopes including enterprise-only ones.
func EnterpriseScopes (added in v0.4.8)
func EnterpriseScopes() []string
EnterpriseScopes returns all scopes including enterprise-only ones. Personal Microsoft accounts cannot consent to User.ReadBasic.All or MailboxSettings.ReadWrite — requesting them causes device code flow to fail with a misleading "code expired" error.
func ReadOnlyScopes
func ReadOnlyScopes() []string
Types
type AccountInfo
type AccountInfo struct {
    Email       string    `json:"email"`
    DisplayName string    `json:"display_name"`
    TenantID    string    `json:"tenant_id"`
    ClientID    string    `json:"client_id"`
    LoginTime   time.Time `json:"login_time"`
}
AccountInfo holds the metadata for a logged-in Microsoft account.
type Authenticator
Authenticator manages Microsoft OAuth2 authentication and token lifecycle.
func NewAuthenticator
func NewAuthenticator(store secrets.Store, clientID, tenantID string) *Authenticator
NewAuthenticator creates a new Authenticator with the given credential store and Azure AD application identifiers.
func (*Authenticator) GetCredential
func (a *Authenticator) GetCredential(ctx context.Context, email string) (azcore.TokenCredential, error)
GetCredential returns an azcore.TokenCredential for the given email account. It loads the stored token, refreshes it if expired, and returns a StaticTokenCredential suitable for use with the Azure/Microsoft Graph SDKs.
func (*Authenticator) ListAccounts
func (a *Authenticator) ListAccounts() ([]AccountInfo, error)
ListAccounts reads all account JSON files from the accounts directory and returns the parsed AccountInfo records.
func (*Authenticator) LoginDeviceCode
func (a *Authenticator) LoginDeviceCode(ctx context.Context, scopes []string, verbose bool) (*AccountInfo, error)
LoginDeviceCode performs the device code flow, retrieves the user profile, and persists the tokens and account information.
func (*Authenticator) Logout
func (a *Authenticator) Logout(email string) error
Logout removes the stored credentials and account file for the given email.
type DeviceCodeResponse
type DeviceCodeResponse struct {
    DeviceCode      string `json:"device_code"`
    UserCode        string `json:"user_code"`
    VerificationURI string `json:"verification_uri"`
    ExpiresIn       int    `json:"expires_in"`
    Interval        int    `json:"interval"`
    Message         string `json:"message"`
    // CodeVerifier holds the PKCE verifier generated during the device code
    // request. It must be passed back during token polling.
    CodeVerifier string `json:"-"`
}
DeviceCodeResponse holds the response from the device code authorization request.
func RequestDeviceCode
func RequestDeviceCode(ctx context.Context, clientID, tenantID string, scopes []string) (*DeviceCodeResponse, error)
RequestDeviceCode initiates the device code flow by requesting a device code from the Microsoft identity platform.
type ErrorResponse
type ErrorResponse struct {
    Error            string `json:"error"`
    ErrorDescription string `json:"error_description"`
}
ErrorResponse represents an OAuth2 error response.
type StaticTokenCredential
type StaticTokenCredential struct {
    // contains filtered or unexported fields
}
StaticTokenCredential implements azcore.TokenCredential using a pre-obtained access token. This bridges our OAuth2 device-code flow tokens into the Azure SDK credential system.
func NewStaticTokenCredential
func NewStaticTokenCredential(token string, expiresOn time.Time) *StaticTokenCredential
NewStaticTokenCredential creates a new StaticTokenCredential with the given access token and expiration time.
func (*StaticTokenCredential) Clear (added in v0.4.9)
func (c *StaticTokenCredential) Clear()
Clear overwrites the access token to reduce exposure in memory. Note: Go strings are immutable, so this replaces the reference but the original bytes may persist until garbage collected. This is a best-effort mitigation — use short-lived credentials where possible.
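To make the caveat above concrete, here is an added example (not this package's code) of the shape a credential needs before Clear can do more than drop a reference: the token lives in a byte slice the credential owns, so Clear can overwrite it in place, and a cleared or expired credential refuses to hand out a token. ByteTokenCredential, NewByteTokenCredential, ErrCleared and the sample token bytes are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

var ErrCleared = errors.New("credential has been cleared")

// ByteTokenCredential keeps the bearer token in a byte slice it owns, so Clear can overwrite
// the bytes in place. A string field, as the page notes, can only drop its reference.
type ByteTokenCredential struct {
	mu        sync.Mutex
	token     []byte
	expiresOn time.Time
}

// NewByteTokenCredential takes ownership of token; the caller must not reuse the slice.
func NewByteTokenCredential(token []byte, expiresOn time.Time) *ByteTokenCredential {
	return &ByteTokenCredential{token: token, expiresOn: expiresOn}
}

// Token hands out a copy for an Authorization header. That copy is an immutable Go string
// (what azcore.AccessToken carries), so keep its lifetime short and call Clear when done.
func (c *ByteTokenCredential) Token(now time.Time) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	switch {
	case c.token == nil:
		return "", ErrCleared
	case !now.Before(c.expiresOn):
		return "", fmt.Errorf("access token expired at %s; refresh before use", c.expiresOn.Format(time.RFC3339))
	}
	return string(c.token), nil
}

// Clear zeroes the owned buffer and drops it; later Token calls fail instead of
// returning a stale secret.
func (c *ByteTokenCredential) Clear() {
	c.mu.Lock()
	defer c.mu.Unlock()
	for i := range c.token {
		c.token[i] = 0
	}
	c.token = nil
}

func main() {
	buf := []byte("constructed-access-token") // constructed sample, not a real token
	cred := NewByteTokenCredential(buf, time.Now().Add(time.Hour))
	tok, err := cred.Token(time.Now())
	fmt.Println(tok, err)
	cred.Clear()
	fmt.Printf("buffer after Clear: %q\n", buf) // all zero bytes
	_, err = cred.Token(time.Now())
	fmt.Println(err)
}
```

The zeroing only helps if the token is decoded straight into a byte slice the credential owns; a token that has already passed through a string (for example a `json:"access_token"` string field) has an immutable copy the garbage collector controls, which is exactly the limitation Clear's doc describes.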
func (*StaticTokenCredential) GetToken
func (c *StaticTokenCredential) GetToken(_ context.Context, _ policy.TokenRequestOptions) (azcore.AccessToken, error)
GetToken returns the static access token. It satisfies the azcore.TokenCredential interface.
type TokenData
type TokenData struct {
    AccessToken  string    `json:"access_token"`
    RefreshToken string    `json:"refresh_token"`
    ExpiresAt    time.Time `json:"expires_at"`
    Email        string    `json:"email"`
}
TokenData holds the persisted token information for an account.
type TokenResponse
type TokenResponse struct {
    AccessToken  string `json:"access_token"`
    RefreshToken string `json:"refresh_token"`
    ExpiresIn    int    `json:"expires_in"`
    TokenType    string `json:"token_type"`
    Scope        string `json:"scope"`
}
TokenResponse holds the OAuth2 token response from the token endpoint.
func PollForToken
func PollForToken(ctx context.Context, clientID, tenantID, deviceCode string, interval, expiresIn int, codeVerifier string, verbose bool) (*TokenResponse, error)
PollForToken polls the token endpoint until the user completes authentication, the device code expires, or an unrecoverable error occurs. expiresIn from the device code response caps the maximum polling duration. codeVerifier is the PKCE verifier from the device code request (RFC 7636).
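The exchange that RequestDeviceCode's CodeVerifier and PollForToken's loop implement, as an added example that is not this package's code: it generates the RFC 7636 verifier/challenge pair, polls a token endpoint with the device_code grant using only the standard library, treats authorization_pending and slow_down as the only retryable answers, caps polling at expires_in, and includes a constructed fake endpoint (RFC 8628 error codes, not a reproduction of Microsoft's exact responses) so the whole exchange runs offline. NewPKCE, S256Challenge, this PollForToken's parameter list, SlowDownStep, NewFakeEndpoint and every token and client value are assumptions of the example; against the real identity platform the tokenURL would be the tenant's /oauth2/v2.0/token endpoint.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync/atomic"
	"time"
)

// NewPKCE returns a fresh RFC 7636 code_verifier (32 random bytes, base64url) and its S256 challenge.
func NewPKCE() (verifier, challenge string) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // without entropy there is no safe way to continue
	}
	verifier = base64.RawURLEncoding.EncodeToString(buf)
	return verifier, S256Challenge(verifier)
}

// S256Challenge is the transform the token endpoint re-applies to the verifier it is sent.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

type Token struct { // success shape of the endpoint reply (a subset of the page's TokenResponse)
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
}
var SlowDownStep = 5 * time.Second // RFC 8628 §3.5 back-off increment; tests shrink it

// PollForToken retries the device_code grant until a token arrives, expiresIn elapses, ctx is cancelled, or the endpoint answers with a final error.
func PollForToken(ctx context.Context, client *http.Client, tokenURL, clientID, deviceCode, codeVerifier string, interval, expiresIn time.Duration) (*Token, error) {
	form := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:device_code"}, "client_id": {clientID},
		"device_code": {deviceCode}, "code_verifier": {codeVerifier}} // PKCE ties the poll to the device-code request
	deadline, wait := time.Now().Add(expiresIn), interval
	for time.Now().Before(deadline) {
		resp, err := client.PostForm(tokenURL, form) // sends application/x-www-form-urlencoded
		if err != nil {
			return nil, err
		}
		var r struct {
			Token
			Error string `json:"error"`
			Desc  string `json:"error_description"`
		}
		err = json.NewDecoder(resp.Body).Decode(&r)
		resp.Body.Close()
		switch {
		case err != nil:
			return nil, fmt.Errorf("token endpoint HTTP %d: %w", resp.StatusCode, err)
		case r.AccessToken != "":
			return &r.Token, nil
		case r.Error == "authorization_pending": // user has not finished yet; keep the interval
		case r.Error == "slow_down": // we polled too fast; back off before the next attempt
			wait += SlowDownStep
		default: // expired_token, access_denied, invalid_grant, ...: final, stop polling
			return nil, fmt.Errorf("%s: %s", r.Error, r.Desc)
		}
		select {
		case <-ctx.Done():
			return nil, ctx.Err()
		case <-time.After(wait):
		}
	}
	return nil, fmt.Errorf("device code expired after %s without the user completing sign-in", expiresIn)
}

// NewFakeEndpoint is a constructed stand-in for the identity platform so the example runs offline.
func NewFakeEndpoint(challenge string, pending int32) *httptest.Server {
	var calls int32
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch n := atomic.AddInt32(&calls, 1); {
		case S256Challenge(r.PostFormValue("code_verifier")) != challenge: // wrong PKCE verifier
			http.Error(w, `{"error":"invalid_grant","error_description":"PKCE verification failed"}`, http.StatusBadRequest)
		case n <= pending:
			http.Error(w, `{"error":"authorization_pending"}`, http.StatusBadRequest)
		case n == pending+1:
			http.Error(w, `{"error":"slow_down"}`, http.StatusBadRequest)
		default:
			fmt.Fprint(w, `{"access_token":"constructed-access-token","refresh_token":"constructed-refresh-token"}`)
		}
	}))
}

func main() {
	verifier, challenge := NewPKCE()
	srv := NewFakeEndpoint(challenge, 1)
	defer srv.Close()
	tok, err := PollForToken(context.Background(), srv.Client(), srv.URL, "constructed-client-id", "constructed-device-code", verifier, 10*time.Millisecond, 5*time.Second)
	fmt.Printf("token=%+v err=%v\n", tok, err)
}
```

The fake answers authorization_pending once, slow_down once, then a token, so running main prints the constructed token after three polls. A poll whose code_verifier does not hash to the challenge gets invalid_grant and the loop stops at once rather than retrying, which is the guarantee the CodeVerifier field exists to provide. Context cancellation is honoured between polls; the request itself relies on the client's own timeout.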
func RefreshAccessToken
func RefreshAccessToken(ctx context.Context, clientID, tenantID, refreshToken string, verbose ...bool) (*TokenResponse, error)
RefreshAccessToken exchanges a refresh token for a new access token.