client

package

Constants

This section is empty.

Variables

// Package-level helpers shared by the RP and RS code built on this package.
var (
	// Encoder wraps the protocol package's encoder in the httphelper encoder
	// type. Presumably it is what the Call* functions use to serialise the
	// `schema:"..."`-tagged request structs into request bodies — the call
	// sites are not visible here.
	Encoder = httphelper.Encoder(protocol.NewEncoder())
	// Tracer is the OpenTelemetry tracer for this package, named after its
	// import path.
	Tracer  = otel.Tracer("github.com/zitadel/oidc/pkg/client")
)
// ErrEndpointNotSet is the sentinel error for an operation that needs an
// endpoint URL which neither discovery nor manual configuration provided.
// Compare with errors.Is, not ==, since it may be wrapped.
// NOTE(review): which Call* functions return it is not visible here —
// presumably those whose *Caller getter yields an empty string; confirm.
var ErrEndpointNotSet = errors.New("endpoint not set")

Functions

func CallEndSessionEndpoint

func CallEndSessionEndpoint(ctx context.Context, request any, authFn any, caller EndSessionCaller) (*url.URL, error)

func CallIntrospectionEndpoint

func CallIntrospectionEndpoint(ctx context.Context, token string, caller IntrospectionCaller, authFn any) (*protocol.IntrospectionResponse, error)

CallIntrospectionEndpoint calls the RFC 7662 token introspection endpoint.

func CallRevokeEndpoint

func CallRevokeEndpoint(ctx context.Context, request any, authFn any, caller RevokeCaller) error

func CallTokenEndpoint

func CallTokenEndpoint(ctx context.Context, request any, caller TokenEndpointCaller) (newToken *oauth2.Token, err error)

func CallTokenExchangeEndpoint

func CallTokenExchangeEndpoint(ctx context.Context, request any, authFn any, caller TokenEndpointCaller) (resp *protocol.TokenExchangeResponse, err error)

func ClientAssertionCodeOptions

func ClientAssertionCodeOptions(assertion string) []oauth2.AuthCodeOption

func ClientAssertionFormAuthorization

func ClientAssertionFormAuthorization(assertion string) http.FormAuthorization

func ClientCredentials

func ClientCredentials(ctx context.Context, tokenURL string, req *protocol.ClientCredentialsRequest, httpClient *http.Client) (*oauth2.Token, error)

ClientCredentials performs the client credentials grant flow. This is a shared implementation used by both RP and RS.

func Discover

func Discover(ctx context.Context, issuer string, httpClient *http.Client, wellKnownUrl ...string) (*protocol.DiscoveryConfiguration, error)

Discover calls the discovery endpoint of the provided issuer and returns its configuration. It accepts an optional argument wellKnownUrl which can be used to override the discovery endpoint URL. Note: whether the issuer claimed in the returned configuration is checked against the requested issuer is not visible here; callers who cannot confirm that check should verify it themselves before using any endpoint from the document.

func JWTProfileExchange

func JWTProfileExchange(ctx context.Context, jwtProfileGrantRequest *protocol.JWTProfileGrantRequest, caller TokenEndpointCaller) (*oauth2.Token, error)

JWTProfileExchange performs the OAuth 2.0 JWT profile exchange against the token endpoint supplied by caller and returns the issued token.

func NewSignerFromPrivateKeyByte

func NewSignerFromPrivateKeyByte(key []byte, keyID string) (*crypto.Signer, error)

func PollDeviceAccessTokenEndpoint

func PollDeviceAccessTokenEndpoint(ctx context.Context, interval time.Duration, request *DeviceAccessTokenRequest, caller TokenEndpointCaller) (*protocol.AccessTokenResponse, error)

func SignedJWTProfileAssertion

func SignedJWTProfileAssertion(clientID string, audience []string, expiration time.Duration, signer *crypto.Signer) (string, error)

Types

type BaseClient

// BaseClient provides common functionality for both RP and RS: the issuer it
// was created for, the endpoint set discovered from that issuer, and the HTTP
// client used for every outbound call.
type BaseClient struct {
	// Issuer is the issuer identifier (URL) that Discover runs OIDC
	// discovery against.
	Issuer     string
	// Endpoints is populated by Discover (see GetEndpoints). Being exported,
	// it can also be filled in by hand when discovery is not wanted.
	Endpoints  Endpoints
	// HTTPClient is used for all requests. NOTE(review): whether a nil value
	// falls back to http.DefaultClient is not visible here; pass a client
	// with a Timeout and a TLS configuration you control, because the
	// discovery document decides which URLs this client will be sent to.
	HTTPClient *http.Client
}

BaseClient provides common functionality for both RP and RS. It handles discovery, endpoint management, and HTTP client configuration.

func NewBaseClient

func NewBaseClient(issuer string, httpClient *http.Client) *BaseClient

NewBaseClient creates a base client with the given issuer and HTTP client.

func (*BaseClient) Discover

func (c *BaseClient) Discover(ctx context.Context, wellKnownURL ...string) error

Discover performs OIDC discovery and populates the endpoints.

type ClientAuthMethod

// ClientAuthMethod represents the client authentication method used towards
// the authorization server. See the ClientAuth* constants; the zero value is
// ClientAuthNone, so an unset field selects no client authentication.
type ClientAuthMethod int

ClientAuthMethod represents the client authentication method.

// Client authentication methods. Because ClientAuthNone is the iota zero
// value, an uninitialised ClientAuthMethod silently means "no client
// authentication" — confidential clients must set the method explicitly.
const (
	// ClientAuthNone: presumably no client credentials are presented.
	ClientAuthNone ClientAuthMethod = iota
	// ClientAuthBasic: client_secret_basic (client ID and secret via HTTP
	// Basic authentication), cf. ClientCredentialsBuilder.Build.
	ClientAuthBasic
	// ClientAuthJWTProfile: a signed JWT assertion (private_key_jwt), cf.
	// SignedJWTProfileAssertion and the ClientAssertion* helpers.
	ClientAuthJWTProfile
)

type ClientCredentialsBuilder

// ClientCredentialsBuilder helps construct client credentials requests and is
// shared by RP and RS. Prefer NewClientCredentialsBuilder plus the With*
// methods over filling the struct by hand.
type ClientCredentialsBuilder struct {
	// ClientID identifies the client at the authorization server.
	ClientID     string
	// ClientSecret is used for client_secret_basic authentication when no
	// Signer is set (see Build). It is secret material: do not log or
	// serialise this struct.
	ClientSecret string
	// Signer, when non-nil, makes Build use JWT profile (private_key_jwt)
	// assertion authentication; it takes precedence over ClientSecret.
	Signer       *crypto.Signer
	// Issuer is set together with Signer by WithSigner.
	Issuer       string
	// Scopes are the scopes requested in the token request (see WithScopes).
	Scopes       []string
}

ClientCredentialsBuilder helps construct client credentials requests. It is used by both RP and RS to avoid code duplication.

func NewClientCredentialsBuilder

func NewClientCredentialsBuilder(clientID, clientSecret string) *ClientCredentialsBuilder

NewClientCredentialsBuilder creates a new builder for client credentials.

func (*ClientCredentialsBuilder) Build

Build creates the ClientCredentialsRequest. If a signer is set, it will use JWT Profile assertion authentication. Otherwise, it uses client_secret_basic authentication.

func (*ClientCredentialsBuilder) WithScopes

func (b *ClientCredentialsBuilder) WithScopes(scopes ...string) *ClientCredentialsBuilder

WithScopes sets the requested scopes.

func (*ClientCredentialsBuilder) WithSigner

func (b *ClientCredentialsBuilder) WithSigner(signer *crypto.Signer, issuer string) *ClientCredentialsBuilder

WithSigner sets the JWT profile signer for private_key_jwt authentication.

type ClientSecretBasicAuthRequest

// ClientSecretBasicAuthRequest is implemented by request types that attach
// their own client authentication to the outgoing HTTP request (compare
// RevokeRequest.Auth and DeviceAccessTokenRequest.Auth).
type ClientSecretBasicAuthRequest interface {
	// Auth mutates req in place so that it carries the client's credentials.
	Auth(req *http.Request)
}

type DeviceAccessTokenRequest

// DeviceAccessTokenRequest is the token request used while polling the token
// endpoint in the device authorization grant (see
// PollDeviceAccessTokenEndpoint). It combines the client's credentials with
// the device-grant parameters.
type DeviceAccessTokenRequest struct {
	// Embedded by pointer. NOTE(review): promoted field access through a nil
	// ClientCredentialsRequest panics — confirm every constructor sets it.
	*protocol.ClientCredentialsRequest
	protocol.DeviceAccessTokenRequest
}

func (*DeviceAccessTokenRequest) Auth

func (r *DeviceAccessTokenRequest) Auth(req *http.Request)

type DeviceAuthorizationCaller

// DeviceAuthorizationCaller supplies what a device-authorization request
// needs: the endpoint URL and the HTTP client to send it with.
type DeviceAuthorizationCaller interface {
	// GetDeviceAuthorizationEndpoint returns the device authorization
	// endpoint URL; an empty string presumably means the issuer did not
	// advertise one.
	GetDeviceAuthorizationEndpoint() string
	// HttpClient returns the client used for the call.
	HttpClient() *http.Client
}

type EndSessionCaller

// EndSessionCaller supplies what CallEndSessionEndpoint needs: the end-session
// endpoint URL and the HTTP client to use.
type EndSessionCaller interface {
	// GetEndSessionEndpoint returns the end-session endpoint URL; an empty
	// string presumably means the issuer did not advertise one.
	GetEndSessionEndpoint() string
	// HttpClient returns the client used for the call.
	HttpClient() *http.Client
}

type Endpoints

// Endpoints holds all OAuth2/OIDC endpoints discovered from an issuer and is
// shared between RP and RS. GetEndpoints fills it from a
// DiscoveryConfiguration; an empty string presumably means the issuer did
// not advertise that endpoint. Every URL here originates from the discovery
// document, so it is only as trustworthy as the channel and issuer that
// Discover fetched it from — use HTTPS and a fixed, known issuer.
type Endpoints struct {
	// OAuth2 endpoints
	AuthURL  string
	TokenURL string

	// OIDC endpoints
	IntrospectionURL       string
	UserinfoURL            string
	JWKSURL                string
	EndSessionURL          string
	RevocationURL          string
	DeviceAuthorizationURL string
	PushedAuthRequestURL   string

	// AuthStyle for token endpoint: how client credentials are presented to
	// TokenURL (see the golang.org/x/oauth2 AuthStyle constants).
	AuthStyle oauth2.AuthStyle
}

Endpoints holds all OAuth2/OIDC endpoints discovered from an issuer. This is shared between RP and RS to avoid duplication.

func GetEndpoints

func GetEndpoints(config *protocol.DiscoveryConfiguration) Endpoints

GetEndpoints extracts all endpoints from a discovery configuration.

type IntrospectionCaller

// IntrospectionCaller is the interface for calling the introspection endpoint
// (CallIntrospectionEndpoint). Both RP and RS can implement it.
type IntrospectionCaller interface {
	// IntrospectionURL returns the RFC 7662 introspection endpoint URL; an
	// empty string presumably means the issuer did not advertise one.
	IntrospectionURL() string
	// HttpClient returns the client used for the call.
	HttpClient() *http.Client
}

IntrospectionCaller is the interface for calling the introspection endpoint. Both RP and RS can implement this interface.

type KeyFile

// KeyFile is the JSON structure loaded by ConfigFromKeyFile and
// ConfigFromKeyFileData. It carries private key material (Key): treat the
// file and any loaded value as a secret — restrictive file permissions, no
// logging of the struct.
type KeyFile struct {
	Type   string `json:"type"` // serviceaccount or application
	KeyID  string `json:"keyId"`
	// Key is the key material, presumably the private key that is passed to
	// NewSignerFromPrivateKeyByte — TODO confirm the expected encoding.
	Key    string `json:"key"`
	Issuer string `json:"issuer"` // not yet in file

	// serviceaccount
	UserID string `json:"userId"`

	// application
	ClientID string `json:"clientId"`
}

func ConfigFromKeyFile

func ConfigFromKeyFile(path string) (*KeyFile, error)

func ConfigFromKeyFileData

func ConfigFromKeyFileData(data []byte) (*KeyFile, error)

type RevokeCaller

// RevokeCaller supplies what CallRevokeEndpoint needs: the revocation
// endpoint URL and the HTTP client to use.
type RevokeCaller interface {
	// GetRevokeEndpoint returns the revocation endpoint URL; an empty string
	// presumably means the issuer did not advertise one.
	GetRevokeEndpoint() string
	// HttpClient returns the client used for the call.
	HttpClient() *http.Client
}

type RevokeRequest

// RevokeRequest is the form body sent to the token revocation endpoint; the
// schema tags match the RFC 7009 revocation request parameter names.
type RevokeRequest struct {
	// Token is the token to revoke.
	Token         string `schema:"token"`
	// TokenTypeHint is the optional hint about the token's type.
	TokenTypeHint string `schema:"token_type_hint"`
	// NOTE(review): ClientID and ClientSecret carry schema tags, which
	// suggests the secret is sent as a form parameter (client_secret_post)
	// rather than via HTTP Basic authentication — confirm against
	// RevokeRequest.Auth and the server's supported client authentication
	// methods before relying on it.
	ClientID      string `schema:"client_id"`
	ClientSecret  string `schema:"client_secret"`
}

func (RevokeRequest) Auth

func (r RevokeRequest) Auth(req *http.Request)

type TokenEndpointCaller

// TokenEndpointCaller supplies what the token-endpoint functions
// (CallTokenEndpoint, CallTokenExchangeEndpoint, JWTProfileExchange,
// PollDeviceAccessTokenEndpoint) need: the token endpoint URL and the HTTP
// client to use.
type TokenEndpointCaller interface {
	// TokenEndpoint returns the token endpoint URL; an empty string
	// presumably means the issuer did not advertise one.
	TokenEndpoint() string
	// HttpClient returns the client used for the call.
	HttpClient() *http.Client
}

Directories

Path Synopsis
rp
cli
