README
¶
KexCore OpenID Connect SDK (client and server) for Go
What Is It
A full-stack OAuth 2.1 / OpenID Connect Core 1.0 SDK for Go — OP + RP — with a plugin-based server engine (StormEngine) and Chinese Commercial Cryptography (SM2/SM3/SM4/SM9).
Based on zitadel/oidc (RP client), with self-developed components:
- StormEngine (
/pkg/storm) — plugin-based OP, each RFC endpoint is an independent plugin - GM/T national cryptography (
/pkg/crypto) — SM2/SM3/SM4/SM9 full suite, HSM/KMS support - Shared protocol layer (
/pkg/protocol) — zero dependency, single source of truth
The RP is certified for the oidf-basic and oidf-config profile. The OP is certified for the oidf-backchannel profile.
Basic Overview
The most important packages of the library:
/pkg
/protocol OAuth 2.1 / OIDC types, errors, verifiers (zero dependency)
/storm Plugin-based OIDC server engine
/plugins Individual RFC endpoint plugins (17 plugins)
/client RP client (based on zitadel/oidc)
/rp OIDC Relying Party
/rs OAuth Resource Server
/crypto SM2/SM3/SM4/SM9 + HSM/KMS provider registry
/example
/storm-server StormEngine-based OP (recommended)
/client/app RP web app (authorization code flow)
/client/api Resource server with token introspection
Semver
This package uses semver for releases. Major releases ship breaking changes. Starting with the v2 to v3 increment we provide an upgrade guide to ease migration to a newer version.
How To Use It
Check the /example folder where example code for different scenarios is located.
# start oidc op server (StormEngine)
# oidc discovery http://localhost:9998/.well-known/openid-configuration
go run github.com/roidmc/kexcore-oidc/example/storm-server
# start oidc web client (in a new terminal)
CLIENT_ID=web CLIENT_SECRET=secret ISSUER=http://localhost:9998/ SCOPES="openid profile" PORT=9999 go run github.com/roidmc/kexcore-oidc/example/client/app
- open http://localhost:9999/login in your browser
- you will be redirected to op server and the login UI
- login with user
test-user@localhostand passwordverysecure - the OP will redirect you to the client app, which displays the user info
for the dynamic issuer, just start it with:
go run github.com/roidmc/kexcore-oidc/example/server/dynamic
the oidc web client above will still work, but if you add oidc.local (pointing to 127.0.0.1) in your hosts file you can also start it with:
CLIENT_ID=web CLIENT_SECRET=secret ISSUER=http://oidc.local:9998/ SCOPES="openid profile" PORT=9999 go run github.com/roidmc/kexcore-oidc/example/client/app
Note: Usernames are suffixed with the hostname (
test-user@localhostortest-user@oidc.local)
Build Tags
The library uses build tags to enable or disable features. The following build tags are available:
| Build Tag | Description |
|---|---|
no_otel |
Disables the OTel instrumentation, which is enabled by default. This is useful if you do not want to use OTel or if you want to use a different instrumentation library. |
Server configuration
Example server allows extra configuration using environment variables and could be used for end-to-end testing of your services.
| Name | Format | Description |
|---|---|---|
| PORT | Number between 1 and 65535 | OIDC listen port |
| REDIRECT_URI | Comma-separated URIs | List of allowed redirect URIs |
| USERS_FILE | Path to json in local filesystem | Users with their data and credentials |
| ISSUER | URL | Issuer identifier (e.g. https://your-domain.com/) |
| SIGNING_ALGORITHMS | Comma-separated algorithms | Enabled JWS algorithms (default: RS256,RS384,RS512,PS256,PS384,PS512,ES256,ES384,ES512,EdDSA,HS256,HS384,HS512,SGD_SM3_SM2,SGD_SM3_SM9) |
Here is json equivalent for one of the default users
{
"id2": {
"ID": "id2",
"Username": "test-user2",
"Password": "verysecure",
"FirstName": "Test",
"LastName": "User2",
"Email": "test-user2@zitadel.ch",
"EmailVerified": true,
"Phone": "",
"PhoneVerified": false,
"PreferredLanguage": "DE",
"IsAdmin": false
}
}
Features
OpenID Provider (/pkg/storm) — StormEngine
Plugin-based OIDC server framework.
| Feature | Plugin | RFC / Spec | Status |
|---|---|---|---|
| Authorization Code Grant | authorization |
OpenID Connect Core 1.0, Section 3.1 | ✅ |
| Refresh Token + Rotation | token |
OpenID Connect Core 1.0, Section 12 + OAuth 2.1 §6.1 | ✅ |
| Client Credentials | token |
OpenID Connect Core 1.0, Section 9 | ✅ |
| JWT Bearer Grant | token |
RFC 7523 | ✅ |
| PKCE (S256, plain opt-in) | token |
RFC 7636 + OAuth 2.1 §4.1.1 | ✅ plain 默认拒绝,需 WithPlainPKCE() 启用 |
| Token Introspection | introspection |
RFC 7662 | ✅ |
| Token Revocation | revocation |
RFC 7009 | ✅ |
| UserInfo Endpoint (JSON + JWT) | userinfo |
OpenID Connect Core 1.0, Section 5.3 | ✅ Accept: application/jwt 返回签名 JWT |
| Discovery Document | discovery |
OpenID Connect Discovery 1.0 | ✅ |
| JWKS Endpoint | keys |
OpenID Connect Core 1.0, Section 7.3 | ✅ |
| Dynamic Client Registration | dcr |
RFC 7591 | ✅ |
| End Session | endsession |
OpenID Connect Session Section 5 | ✅ |
| Device Authorization | device |
RFC 8628 | ✅ |
| Token Exchange | token |
RFC 8693 | ✅ |
| PAR (Pushed Auth Request) | par |
RFC 9126 | ✅ |
| mTLS Client Auth + Cert-Bound | mtls |
RFC 8705 | ✅ |
| DPoP Proof Validation + Nonce | dpop |
RFC 9449 §4.3, §8 | ✅ 无效 proof 返回 400;server-provided nonce 自动下发 |
| JARM (JWT Secured Auth Response) | jarm |
RFC 9101 | ✅ query.jwt / fragment.jwt / form_post.jwt |
| iss in Auth Response (Mix-Up Defense) | authorization |
RFC 9207 | ✅ 所有响应路径返回 iss 参数 |
| Private Key JWT Auth | token |
RFC 7523 §2.2, OIDC Core §9 | ✅ |
| Request Object (JWT, 含时间验证) | authorization |
OpenID Connect Core 1.0, Section 6.1 | ✅ exp/nbf 验证,10s clock skew |
| id_token_hint Validation | authorization |
OpenID Connect Core 1.0, Section 3.1.2.2 | ✅ |
| Implicit Flow (可选) | authorization |
OpenID Connect Core 1.0, Section 3.2 | ✅ 默认关闭 |
| Hybrid Flow (可选) | authorization |
OpenID Connect Core 1.0, Section 3.3 | ✅ 默认关闭 |
| Back-Channel Logout | backchannel |
OpenID Connect Back-Channel Logout 1.0 | ✅ |
| Resource Indicators | token |
RFC 8707 | ✅ |
| Rich Authorization Requests (RAR) | authorization |
RFC 9396 | ✅ 可通过 AuthorizationDetailsTypes 配置支持的 type |
| DCR Management | dcr |
RFC 7592 | ✅ GET/PUT/DELETE /register/{client_id} |
| WebFinger | webfinger |
RFC 7033 | ✅ /.well-known/webfinger issuer 发现 |
| CIBA (Client-Initiated Backchannel Auth) | ciba + token |
CIBA Core 1.0 | ✅ POST /bc-authorize + ping/poll + slow_down + 审批 UI + 通知回调 |
| HTTPS redirect_uri 强制 | authorization |
OpenID Connect Core 1.0, Section 15.6.3 | ✅ (localhost 豁免) |
| Pairwise Subject | pairwise |
OpenID Connect Core 1.0, Section 8.1 | ✅ |
| ID Token 签名 (RSA/ECDSA/EdDSA/HMAC) | token |
RFC 7515 + RFC 7518 | ✅ RS256/384/512, PS256/384/512, ES256/384/512, EdDSA, HS256/384/512 |
| ID Token 签名 (SM2/SM9 国密) | token |
GM/T 0125.1-2022 | ✅ SGD_SM3_SM2 (SM2+SM3), SGD_SM3_SM9 (SM9 identity-based) |
| JWE ID Token Encryption | token |
JWE (RFC 7516) + GM/T 0125.3-2022 | ✅ Key wrapping: dir, A128KW/A192KW/A256KW, A128GCMKW/A192GCMKW/A256GCMKW, ECDH-ES/ECDH-ES+A128KW/+A192KW/+A256KW, SGD_SM2_3 (SM2), SGD_SM9_3 (SM9). Content encryption: A128GCM/A192GCM/A256GCM, A128CBC-HS256/A192CBC-HS384/A256CBC-HS512, SGD_SM4_GCM, SGD_SM4_CCM |
| OAuth 2.1 合规 Discovery | discovery |
OAuth 2.1 | ✅ |
| Front-Channel Logout | — | OIDC Front-Channel | ❌ 不实现(纯后端 API 不需要) |
| Session Management (iframe) | — | OIDC Session Management §3 | ❌ 不实现(纯后端 API 不需要) |
FAPI Profiles (Financial-grade API)
StormEngine 实现 FAPI 1.0 Advanced 与 FAPI 2.0 Security Profile 的核心安全要求,支持通过 OIDF Conformance Test Suite 认证。
| Feature | Spec | Status |
|---|---|---|
| 强制 Request Object (签名 JWT) | FAPI 2.0 §5.3.1 | ✅ FAPI client 必须使用 request object 或 PAR,否则拒绝 |
| Request Object 签名算法强制 | FAPI 2.0 §5.3.2.1 | ✅ client 注册 request_object_signing_alg 时拒绝未签名请求 |
| Request Object 时间校验 | FAPI 2.0 §5.3.2.2 | ✅ 必须含 nbf;exp - nbf ≤ 60 分钟 |
| PAR 强制 (FAPI 2.0) | RFC 9126 + FAPI 2.0 | ✅ FAPI client 必须使用 PAR 或 request_uri |
PAR: 拒绝含 request_uri 的 request object |
RFC 9126 §2 | ✅ 返回 invalid_request_object |
| PAR: 拒绝未签名 request object | FAPI 2.0 | ✅ 配置 request_object_signing_alg 的 client |
| PAR 生命周期可配置 | RFC 9126 §2.2 | ✅ WithPARLifetime(),默认 90s |
| Sender-constrained Tokens (DPoP) | RFC 9449 + FAPI 2.0 | ✅ per-client RequireDPoP 或全局 WithRequireDPoP() |
| Sender-constrained Tokens (mTLS) | RFC 8705 + FAPI 2.0 | ✅ per-client RequireMtls 或全局 WithRequireMtls() |
| DPoP Code Binding | RFC 9449 §7.1 | ✅ authorization request 的 dpop_jkt 与 token 端点 DPoP proof JKT 必须匹配 |
| mTLS Certificate-Bound Access Tokens | RFC 8705 §3 | ✅ access token 绑定 client cert thumbprint |
| per-client ID Token 签名算法 | OIDC Core §5.1 + FAPI 2.0 | ✅ id_token_signed_response_alg(FAPI client 默认 PS256) |
| per-client Userinfo JWT 算法 | OIDC Core §5.3.2 | ✅ userinfo_signed_response_alg |
| JARM (JWT Secured Authorization Response) | RFC 9101 | ✅ FAPI 1.0 推荐的响应模式 |
iss in Authorization Response |
RFC 9207 | ✅ Mix-up defense |
| Private Key JWT Client Auth | RFC 7523 §2.2 | ✅ FAPI 推荐的 client 认证方式 |
| Authorization Code + PKCE | RFC 7636 + FAPI 2.0 | ✅ S256 强制 |
Known Conformance Suite Issues: StormEngine implements mTLS client certificate reading per RFC 8705 §2 (from
tls.PeerCertificates). The OIDF Conformance Suite has a bug whereenv.mapKey("mutual_tls_authentication")does not prevent the HTTP client from sending certificates in the TLS handshake, causingensure-holder-of-key-requiredandrefresh-tokentests to fail forclient_auth_type=mtls + sender_constrain=dpopvariants. This affects any implementation that reads certificates directly from the TLS layer. See example/testsuite/docs/issues.md for details and proposed fix.
Relying Party (/pkg/client)
| Feature | Specification | Status |
|---|---|---|
| Code Flow | OpenID Connect Core 1.0, Section 3.1 | ✅ |
| Client Credentials | OpenID Connect Core 1.0, Section 9 | ✅ |
| Refresh Token | OpenID Connect Core 1.0, Section 12 | ✅ |
| Discovery | OpenID Connect Discovery 1.0 | ✅ |
| JWT Profile | RFC 7523 | ✅ |
| PKCE | RFC 7636 | ✅ |
| Token Exchange | RFC 8693 | ✅ |
| Device Authorization | RFC 8628 | ✅ |
| JWE ID Token Encryption | JWE (RFC 7516) + GM/T 0125.3-2022 | ✅ dir mode (SM4-GCM/SM4-CCM/AES-GCM/AES-CBC) |
| Back-Channel Logout | OpenID Connect Back-Channel Logout 1.0 | ✅ |
| DPoP | RFC 9449 | planned |
| Auto-refresh | Token lifecycle management | planned |
Note on Chinese Commercial Cryptography (国密): This library supports SM2, SM3, SM4, and SM9 algorithms via the
SGD_SM3_SM2(SM2+SM3 signature),SGD_SM3_SM9(SM9 identity-based signature),SGD_SM2_3(SM2 key wrapping),SGD_SM9_3(SM9 key wrapping), andSGD_SM4_GCM/SGD_SM4_CCM(SM4 content encryption) identifiers per GM/T 0125.1-2022 and GM/T 0125.3-2022. These are not defined in RFC 7518 and therefore are not recognized by the OpenID Foundation (OIDF) Conformance Test Suite. When running OIDF certification tests, disable national-crypto algorithms by setting the environment variableSIGNING_ALGORITHMS=RS256,RS384,RS512,PS256,PS384,PS512,ES256,ES384,ES512,EdDSAso that the JWKS endpoint only returns standard JWKs.
Contributors
Made with contrib.rocks.
Resources
For your convenience you can find the relevant guides linked below.
Supported Go Versions
For security reasons, we only support and recommend the use of one of the latest two Go versions (✅). Versions that also build are marked with ⚠.
| Version | Supported |
|---|---|
| <1.26.3 | ❌ |
| 1.26.3 | ✅ |
Why another library
RP client based on zitadel/oidc. OP entirely self-developed with StormEngine plugin architecture.
Goals
- Certify this library as OP (incl. FAPI 2.0 Security Profile)
- Provide the most RFC-complete embeddable Go OIDC SDK
- First-class Chinese national standards (GM/T 0125) alongside international standards
- Storage-agnostic — never lock into a specific database
Other Go OpenID Connect libraries
| Library | OP | RP | Plugin-based | GM/T | FAPI 2.0 | DPoP | mTLS | PAR | JARM | RAR | Resource | WebFinger | CIBA |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| coreos/go-oidc | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| ory/fosite | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| ory/hydra | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| zitadel/oidc | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| kexcore-oidc | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
License
The full functionality of this library is and stays open source and free to use for everyone. Visit our website and get in touch.
See the exact licensing terms here
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an " AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
Package example contains some example of the various use of this library:
|
Package example contains some example of the various use of this library: |
|
client/api
command
|
|
|
client/app
command
|
|
|
client/device
command
Command device is an example Oauth2 Device Authorization Grant app.
|
Command device is an example Oauth2 Device Authorization Grant app. |
|
client/github
command
|
|
|
client/service
command
|
|
|
storm-server
command
|
|
|
internal
|
|
|
testutil
Package testutil helps setting up required data for testing, such as tokens, claims and verifiers.
|
Package testutil helps setting up required data for testing, such as tokens, claims and verifiers. |
|
testutil/gen
command
Package gen allows generating of example tokens and claims.
|
Package gen allows generating of example tokens and claims. |
|
pkg
|
|
|
crypto/provider/std
Package std provides standard (international) JWE algorithm implementations backed by lestrrat-go/jwx.
|
Package std provides standard (international) JWE algorithm implementations backed by lestrrat-go/jwx. |
|
crypto/util
Package util provides shared JWE types and parsing functions used by both the crypto package (public API) and crypto/provider/std (implementations).
|
Package util provides shared JWE types and parsing functions used by both the crypto package (public API) and crypto/provider/std (implementations). |
|
protocol/test/regression
Package regression provides JSON serialization stability tests for OIDC protocol types.
|
Package regression provides JSON serialization stability tests for OIDC protocol types. |
|
storm
Package storm provides the StormEngine plugin-based OIDC server framework.
|
Package storm provides the StormEngine plugin-based OIDC server framework. |
|
storm/plugins/authorization
Package authorization implements the OIDC Authorization endpoint plugin.
|
Package authorization implements the OIDC Authorization endpoint plugin. |
|
storm/plugins/backchannel
Package backchannel implements the OIDC Back-Channel Logout plugin.
|
Package backchannel implements the OIDC Back-Channel Logout plugin. |
|
storm/plugins/ciba
Package ciba implements the OpenID Connect Client-Initiated Backchannel Authentication (CIBA) plugin.
|
Package ciba implements the OpenID Connect Client-Initiated Backchannel Authentication (CIBA) plugin. |
|
storm/plugins/dcr
Package dcr implements the OAuth 2.0 Dynamic Client Registration plugin.
|
Package dcr implements the OAuth 2.0 Dynamic Client Registration plugin. |
|
storm/plugins/device
Package device implements the OAuth 2.0 Device Authorization Grant plugin.
|
Package device implements the OAuth 2.0 Device Authorization Grant plugin. |
|
storm/plugins/discovery
Package discovery implements the OIDC Discovery capability contributor plugin.
|
Package discovery implements the OIDC Discovery capability contributor plugin. |
|
storm/plugins/dpop
Package dpop implements Demonstrating Proof-of-Possession (DPoP) at the application layer (RFC 9449).
|
Package dpop implements Demonstrating Proof-of-Possession (DPoP) at the application layer (RFC 9449). |
|
storm/plugins/endsession
Package endsession implements the OIDC RP-Initiated Logout endpoint plugin.
|
Package endsession implements the OIDC RP-Initiated Logout endpoint plugin. |
|
storm/plugins/introspection
Package introspection implements the OAuth 2.0 Token Introspection endpoint plugin.
|
Package introspection implements the OAuth 2.0 Token Introspection endpoint plugin. |
|
storm/plugins/jarm
Package jarm implements JWT Secured Authorization Response Mode (RFC 9101).
|
Package jarm implements JWT Secured Authorization Response Mode (RFC 9101). |
|
storm/plugins/keys
Package keys implements the JWKS (JSON Web Key Set) endpoint plugin.
|
Package keys implements the JWKS (JSON Web Key Set) endpoint plugin. |
|
storm/plugins/mtls
Package mtls implements OAuth 2.0 Mutual-TLS client authentication and certificate-bound access tokens (RFC 8705).
|
Package mtls implements OAuth 2.0 Mutual-TLS client authentication and certificate-bound access tokens (RFC 8705). |
|
storm/plugins/pairwise
Package pairwise implements Pairwise Subject Identifiers (OIDC Core §8.1).
|
Package pairwise implements Pairwise Subject Identifiers (OIDC Core §8.1). |
|
storm/plugins/par
Package par implements the OAuth 2.0 Pushed Authorization Requests plugin.
|
Package par implements the OAuth 2.0 Pushed Authorization Requests plugin. |
|
storm/plugins/revocation
Package revocation implements the OAuth 2.0 Token Revocation endpoint plugin.
|
Package revocation implements the OAuth 2.0 Token Revocation endpoint plugin. |
|
storm/plugins/token
Package token implements the OIDC Token endpoint plugin.
|
Package token implements the OIDC Token endpoint plugin. |
|
storm/plugins/userinfo
Package userinfo implements the OIDC UserInfo endpoint plugin.
|
Package userinfo implements the OIDC UserInfo endpoint plugin. |
|
storm/plugins/webfinger
Package webfinger implements the WebFinger endpoint (RFC 7033).
|
Package webfinger implements the WebFinger endpoint (RFC 7033). |
|
storm/shared
Package shared provides cross-cutting concerns used by all StormEngine plugins.
|
Package shared provides cross-cutting concerns used by all StormEngine plugins. |
|
util/logctx
Package logctx provides helpers for storing and retrieving *slog.Logger in context.Context, replacing the deprecated github.com/zitadel/logging.
|
Package logctx provides helpers for storing and retrieving *slog.Logger in context.Context, replacing the deprecated github.com/zitadel/logging. |