storage

package

Constants

// Scope and claim names the example storage uses for its custom-scope
// handling. CustomScopeImpersonatePrefix is only a prefix: the text that
// follows it is presumably the identity to impersonate — confirm the exact
// format against the storage's scope validation before depending on it.
const (
	// CustomScope is the name of the custom scope.
	CustomScope                  = "custom_scope"
	// CustomClaim is the name of the custom claim.
	CustomClaim                  = "custom_claim"
	// CustomScopeImpersonatePrefix is the prefix of impersonation scope values.
	CustomScopeImpersonatePrefix = "custom_scope:impersonate:"
)
// Fixed identifiers of the built-in service user. They are compile-time
// constants of an example server, so they are shared, non-secret test
// material rather than per-deployment credentials.
const (
	// ServiceUserID is the ID of the service user.
	ServiceUserID = "service"
	// ServiceUserKeyID is the key ID of the service user.
	ServiceUserKeyID = "key1"
)

Variables

This section is empty.

Functions

func CodeChallengeToOIDC

func CodeChallengeToOIDC(challenge *OIDCCodeChallenge) *protocol.CodeChallenge

func MaxAgeToInternal

func MaxAgeToInternal(maxAge *uint) *time.Duration

func PromptToInternal

func PromptToInternal(oidcPrompt protocol.SpaceDelimitedArray) []string

Types

type AuthRequest

// AuthRequest is the storage's in-memory record of an authorization request.
// Its Get* methods expose it through the storm.AuthRequest interface; the
// helpers CodeChallengeToOIDC, MaxAgeToInternal and PromptToInternal convert
// the PKCE challenge, max_age and prompt values between the protocol and
// internal representations.
type AuthRequest struct {
	// ID is the request identifier returned by GetID.
	ID            string
	// CreationDate records when the request was created.
	CreationDate  time.Time
	// ApplicationID is presumably the client_id surfaced by GetClientID — confirm.
	ApplicationID string
	// CallbackURI is presumably the redirect_uri surfaced by GetRedirectURI — confirm.
	CallbackURI   string
	// TransferState is presumably the state parameter surfaced by GetState — confirm.
	TransferState string
	// Prompt holds the prompt values as produced by PromptToInternal.
	Prompt        []string
	UiLocales     []language.Tag
	LoginHint     string
	// MaxAuthAge is the max_age parameter as produced by MaxAgeToInternal;
	// a nil pointer presumably means max_age was not requested — confirm.
	MaxAuthAge    *time.Duration
	// UserID is the authenticated subject (GetSubject); presumably set when
	// the request is completed, e.g. via Storage.CompleteAuthRequest.
	UserID        string
	Scopes        []string
	ResponseType  protocol.ResponseType
	ResponseMode  protocol.ResponseMode
	// Nonce is the nonce parameter surfaced by GetNonce.
	Nonce         string
	// CodeChallenge is the PKCE challenge; GetCodeChallenge converts it with
	// CodeChallengeToOIDC.
	CodeChallenge *OIDCCodeChallenge
	ACRValues     []string
	// Claims is the OIDC §5.5 claims request; its id_token part is returned
	// by ExtraIDTokenClaims.
	Claims        *protocol.ClaimsRequest
	Resources     []string // RFC 8707: Resource Indicators
	// contains filtered or unexported fields
}

func (*AuthRequest) Done

func (a *AuthRequest) Done() bool

func (*AuthRequest) ExtraIDTokenClaims

func (a *AuthRequest) ExtraIDTokenClaims() map[string]any

ExtraIDTokenClaims implements idTokenClaimsExtender for the token plugin. Returns claims requested via the OIDC §5.5 claims.id_token parameter.

func (*AuthRequest) GetACR

func (a *AuthRequest) GetACR() string

func (*AuthRequest) GetAMR

func (a *AuthRequest) GetAMR() []string

func (*AuthRequest) GetAudience

func (a *AuthRequest) GetAudience() []string

func (*AuthRequest) GetAuthTime

func (a *AuthRequest) GetAuthTime() time.Time

func (*AuthRequest) GetClaims

func (a *AuthRequest) GetClaims() *protocol.ClaimsRequest

func (*AuthRequest) GetClientID

func (a *AuthRequest) GetClientID() string

func (*AuthRequest) GetCodeChallenge

func (a *AuthRequest) GetCodeChallenge() *protocol.CodeChallenge

func (*AuthRequest) GetID

func (a *AuthRequest) GetID() string

func (*AuthRequest) GetNonce

func (a *AuthRequest) GetNonce() string

func (*AuthRequest) GetRedirectURI

func (a *AuthRequest) GetRedirectURI() string

func (*AuthRequest) GetResources

func (a *AuthRequest) GetResources() []string

GetResources implements storm.ResourceIndicator (RFC 8707). Returns the resource indicator values from the authorization request.

func (*AuthRequest) GetResponseMode

func (a *AuthRequest) GetResponseMode() protocol.ResponseMode

func (*AuthRequest) GetResponseType

func (a *AuthRequest) GetResponseType() protocol.ResponseType

func (*AuthRequest) GetSID

func (a *AuthRequest) GetSID() string

func (*AuthRequest) GetScopes

func (a *AuthRequest) GetScopes() []string

func (*AuthRequest) GetState

func (a *AuthRequest) GetState() string

func (*AuthRequest) GetSubject

func (a *AuthRequest) GetSubject() string

func (*AuthRequest) LogValue

func (a *AuthRequest) LogValue() slog.Value

type Client

// Client is the example storage's OAuth/OIDC client record. All fields are
// unexported: instances come from the constructor functions (WebClient,
// NativeClient, DeviceClient, FAPIClient, ...) and are adjusted with the
// With* methods, which return the receiver for chaining.
type Client struct {
	// contains filtered or unexported fields
}

Client represents an OAuth/OIDC client. It implements storm.Client and various optional interfaces checked via type assertions by plugins.

func BackChannelLogoutWebClient

func BackChannelLogoutWebClient(id, secret, uri string, redirectURIs ...string) *Client

func DeviceClient

func DeviceClient(id, secret string) *Client

func EncryptedWebClient

func EncryptedWebClient(id, secret string, alg, enc string, redirectURIs ...string) *Client

func EncryptedWebClientWithKey

func EncryptedWebClientWithKey(id, secret string, alg, enc string, key interface{}, redirectURIs ...string) *Client

EncryptedWebClientWithKey creates a web client with ID token encryption using the provided public key (RSA, ECDH, or symmetric key).

func FAPIClient

func FAPIClient(id string, clientJWKS []jwk.Key, redirectURIs ...string) *Client

FAPIClient creates a FAPI-compliant client using private_key_jwt authentication. The client supports authorization_code and client_credentials grants, and uses the provided JWK set for JWT bearer verification.

func FAPIClientMTLS

func FAPIClientMTLS(id string, clientJWKS []jwk.Key, redirectURIs ...string) *Client

FAPIClientMTLS creates a FAPI-compliant client using tls_client_auth authentication. This client is used for mtls CIBA variants where the client authenticates via TLS client certificate instead of client_assertion. clientJWKS is still needed for request object signature verification.

func FAPIClientMTLSDPoP

func FAPIClientMTLSDPoP(id string, clientJWKS []jwk.Key, redirectURIs ...string) *Client

FAPIClientMTLSDPoP creates a FAPI-compliant client using tls_client_auth authentication with DPoP sender constraining only (requireDPoP=true, requireMtls=false). Used for sender_constrain=dpop variants where the server should reject requests without a DPoP proof, even if mTLS certificates are present.

func FAPIClientWithJWKSURI

func FAPIClientWithJWKSURI(id, jwksURI string, redirectURIs ...string) *Client

FAPIClientWithJWKSURI creates a FAPI-compliant client using private_key_jwt authentication with a jwks_uri for key discovery.

func NativeClient

func NativeClient(id string, redirectURIs ...string) *Client

func OIDFBackChannelLogoutEncryptedTestClient

func OIDFBackChannelLogoutEncryptedTestClient(id, secret, backChannelLogoutURI, alg, enc string, key interface{}, redirectURIs ...string) *Client

OIDFBackChannelLogoutEncryptedTestClient creates an OIDF test client with back-channel logout and ID token encryption support.

func OIDFBackChannelLogoutTestClient

func OIDFBackChannelLogoutTestClient(id, secret, backChannelLogoutURI string, redirectURIs ...string) *Client

func OIDFEncryptedTestClient

func OIDFEncryptedTestClient(id, secret string, alg, enc string, key interface{}, redirectURIs ...string) *Client

OIDFEncryptedTestClient creates an OIDF test client with ID token encryption using jwk.Key (which includes kid in the JWE header per OIDCC-10.2.1).

func OIDFTestClient

func OIDFTestClient(id, secret string, redirectURIs ...string) *Client

func OIDFTestClientSecretPost

func OIDFTestClientSecretPost(id, secret string, redirectURIs ...string) *Client

func WebClient

func WebClient(id, secret string, redirectURIs ...string) *Client

func (*Client) AuthMethod

func (c *Client) AuthMethod() protocol.AuthMethod

func (*Client) BackChannelLogoutURI

func (c *Client) BackChannelLogoutURI() string

func (*Client) ClientEncryptionKey

func (c *Client) ClientEncryptionKey() interface{}

func (*Client) ClientJWKS

func (c *Client) ClientJWKS() []jwk.Key

func (*Client) ClientJWKSURI

func (c *Client) ClientJWKSURI() string

func (*Client) ClockSkew

func (c *Client) ClockSkew() time.Duration

func (*Client) DevMode

func (c *Client) DevMode() bool

func (*Client) FAPIProfile

func (c *Client) FAPIProfile() bool

func (*Client) GetID

func (c *Client) GetID() string

func (*Client) GrantTypes

func (c *Client) GrantTypes() []protocol.GrantType

func (*Client) IDTokenEncryptionAlg

func (c *Client) IDTokenEncryptionAlg() string

func (*Client) IDTokenEncryptionEnc

func (c *Client) IDTokenEncryptionEnc() string

func (*Client) IDTokenLifetime

func (c *Client) IDTokenLifetime() time.Duration

func (*Client) IDTokenSignedResponseAlg

func (c *Client) IDTokenSignedResponseAlg() string

func (*Client) IDTokenUserinfoClaimsAssertion

func (c *Client) IDTokenUserinfoClaimsAssertion() bool

func (*Client) IsScopeAllowed

func (c *Client) IsScopeAllowed(scope string) bool

func (*Client) LoginURL

func (c *Client) LoginURL(id string) string

func (*Client) LogoURI

func (c *Client) LogoURI() string

func (*Client) NotificationEndpoint

func (c *Client) NotificationEndpoint() string

NotificationEndpoint returns the client's CIBA notification endpoint (CIBA Core 1.0 §10). Implements storm.NotificationEndpointProvider for SSRF validation.

func (*Client) PolicyURI

func (c *Client) PolicyURI() string

func (*Client) PostLogoutRedirectURIs

func (c *Client) PostLogoutRedirectURIs() []string

func (*Client) RedirectURIs

func (c *Client) RedirectURIs() []string

func (*Client) RequestObjectSigningAlg

func (c *Client) RequestObjectSigningAlg() string

func (*Client) RequireDPoP

func (c *Client) RequireDPoP() bool

func (*Client) RequireMtls

func (c *Client) RequireMtls() bool

func (*Client) ResponseTypes

func (c *Client) ResponseTypes() []protocol.ResponseType

func (*Client) TOSURI

func (c *Client) TOSURI() string

func (*Client) ValidateClientCert

func (c *Client) ValidateClientCert(cert *x509.Certificate, clientID string) error

ValidateClientCert implements shared.ClientCertBoundAuthenticator. It checks that the presented TLS certificate's CN matches the expected value. This allows the SDK to distinguish between clients that share mTLS infrastructure but have different certificate identities (e.g. OIDF test suite mtls variants).

func (*Client) WithCertCN

func (c *Client) WithCertCN(cn string) *Client

WithCertCN sets the expected TLS client certificate CN for tls_client_auth. When set, ValidateClientCert will reject certificates whose CN does not match.

func (*Client) WithIDTokenSignedResponseAlg

func (c *Client) WithIDTokenSignedResponseAlg(alg string) *Client

WithIDTokenSignedResponseAlg sets the id_token_signed_response_alg for this client.

func (*Client) WithNotificationEndpoint

func (c *Client) WithNotificationEndpoint(endpoint string) *Client

WithNotificationEndpoint sets the client_notification_endpoint for CIBA ping mode.

func (*Client) WithRequestObjectSigningAlg

func (c *Client) WithRequestObjectSigningAlg(alg string) *Client

WithRequestObjectSigningAlg sets the request_object_signing_alg for this client and returns the client for chaining. Use "PS256" for FAPI 2.0 signed_non_repudiation.

func (*Client) WithRequireDPoP

func (c *Client) WithRequireDPoP() *Client

WithRequireDPoP enables DPoP sender-constraining for this client.

func (*Client) WithRequireMtls

func (c *Client) WithRequireMtls() *Client

WithRequireMtls enables mTLS sender-constraining for this client.

type DeviceAuthStore

// DeviceAuthStore keeps device authorization grant state (RFC 8628) in
// memory and is embedded in Storage. Expired entries are removed by the
// background goroutine that StartCleanup launches.
type DeviceAuthStore struct {
	// contains filtered or unexported fields
}

func (*DeviceAuthStore) ApproveDeviceAuthorization

func (d *DeviceAuthStore) ApproveDeviceAuthorization(_ context.Context, userCode, subject string) error

func (*DeviceAuthStore) DenyDeviceAuthorization

func (d *DeviceAuthStore) DenyDeviceAuthorization(_ context.Context, userCode string) error

func (*DeviceAuthStore) GetDeviceAuthorizationByUserCode

func (d *DeviceAuthStore) GetDeviceAuthorizationByUserCode(_ context.Context, userCode string) (*storm.DeviceAuthorizationState, error)

func (*DeviceAuthStore) GetDeviceAuthorizationState

func (d *DeviceAuthStore) GetDeviceAuthorizationState(_ context.Context, _, deviceCode string) (*storm.DeviceAuthorizationState, error)

func (*DeviceAuthStore) StartCleanup

func (d *DeviceAuthStore) StartCleanup(interval time.Duration) *time.Ticker

StartCleanup starts a background goroutine that removes expired entries once per interval.

func (*DeviceAuthStore) StoreDeviceAuthorization

func (d *DeviceAuthStore) StoreDeviceAuthorization(_ context.Context, clientID, deviceCode, userCode string, expires time.Time, scopes []string) error

func (*DeviceAuthStore) UpdateDeviceAuthorizationInterval

func (d *DeviceAuthStore) UpdateDeviceAuthorizationInterval(_ context.Context, _, deviceCode string, increment int) error

func (*DeviceAuthStore) UpdateDeviceAuthorizationPoll

func (d *DeviceAuthStore) UpdateDeviceAuthorizationPoll(_ context.Context, _, deviceCode string, lastPoll time.Time) error

type OIDCCodeChallenge

// OIDCCodeChallenge is the storage-side representation of a PKCE code
// challenge; CodeChallengeToOIDC converts it to protocol.CodeChallenge.
type OIDCCodeChallenge struct {
	// Challenge is the code_challenge value.
	Challenge string
	// Method is the code_challenge_method value.
	Method    string
}

type PARStore

// PARStore implements storm.PARStore for in-memory pushed authorization
// requests (RFC 9126) and is embedded in Storage. Create it with NewPARStore.
// The lifetime passed to StorePushedAuthRequest presumably bounds how long
// the returned request_uri can be redeemed — confirm in the source.
type PARStore struct {
	// contains filtered or unexported fields
}

PARStore implements storm.PARStore for in-memory pushed authorization requests.

func NewPARStore

func NewPARStore() *PARStore

func (*PARStore) GetPushedAuthRequest

func (s *PARStore) GetPushedAuthRequest(_ context.Context, requestURI string) (*protocol.AuthRequest, error)

func (*PARStore) StorePushedAuthRequest

func (s *PARStore) StorePushedAuthRequest(_ context.Context, clientID string, req *protocol.AuthRequest, lifetime time.Duration) (string, error)

type RefreshToken

// RefreshToken is the in-memory record of an issued refresh token.
// NOTE(review): Token and AccessToken hold bearer material; whether they are
// stored encrypted (cf. TokenCrypto.EncryptToken) is not visible here — confirm.
type RefreshToken struct {
	ID            string
	// Token is the refresh token value.
	Token         string
	AuthTime      time.Time
	AMR           []string
	Audience      []string
	UserID        string
	ApplicationID string
	// Expiration is when the refresh token stops being valid.
	Expiration    time.Time
	Scopes        []string
	// AccessToken presumably references the access token issued alongside
	// this refresh token — confirm.
	AccessToken   string
	SessionID     string
	// DPoPJKT stores the JWK thumbprint bound to this refresh token.
	// Inherited from the associated access token's cnf.jkt when the token
	// is DPoP-bound (RFC 9449 §7.2).
	DPoPJKT string
}

type RefreshTokenRequest

// RefreshTokenRequest wraps a RefreshToken (by embedding) to implement
// storm.RefreshTokenRequest: the Get* methods read the embedded fields and
// SetCurrentScopes updates the scopes for the request.
type RefreshTokenRequest struct {
	*RefreshToken
}

RefreshTokenRequest wraps a RefreshToken to implement storm.RefreshTokenRequest.

func (*RefreshTokenRequest) GetAMR

func (r *RefreshTokenRequest) GetAMR() []string

func (*RefreshTokenRequest) GetAudience

func (r *RefreshTokenRequest) GetAudience() []string

func (*RefreshTokenRequest) GetAuthTime

func (r *RefreshTokenRequest) GetAuthTime() time.Time

func (*RefreshTokenRequest) GetClientID

func (r *RefreshTokenRequest) GetClientID() string

func (*RefreshTokenRequest) GetCodeChallenge

func (r *RefreshTokenRequest) GetCodeChallenge() *protocol.CodeChallenge

func (*RefreshTokenRequest) GetDPoPJKT

func (r *RefreshTokenRequest) GetDPoPJKT() string

func (*RefreshTokenRequest) GetID

func (r *RefreshTokenRequest) GetID() string

func (*RefreshTokenRequest) GetNonce

func (r *RefreshTokenRequest) GetNonce() string

func (*RefreshTokenRequest) GetScopes

func (r *RefreshTokenRequest) GetScopes() []string

func (*RefreshTokenRequest) GetSessionID

func (r *RefreshTokenRequest) GetSessionID() string

func (*RefreshTokenRequest) GetSubject

func (r *RefreshTokenRequest) GetSubject() string

func (*RefreshTokenRequest) SetCurrentScopes

func (r *RefreshTokenRequest) SetCurrentScopes(scopes []string)

type Service

// Service has only unexported fields and no exported methods in this listing;
// presumably it represents the service-user principal referred to by
// ServiceUserID / ServiceUserKeyID — confirm in the source.
type Service struct {
	// contains filtered or unexported fields
}

type Storage

// Storage is the example in-memory storage. It implements storm.Storage and
// the capability interfaces (storm.BackChannelStore, storm.DPoPCodeBindingStore,
// authorization.SessionProvider, CIBA, client registration, token exchange,
// ...). Construct it with NewStorage.
type Storage struct {

	// DeviceAuthStore (embedded) handles the device authorization grant (RFC 8628).
	*DeviceAuthStore

	// PARStore (embedded) handles pushed authorization requests (RFC 9126).
	*PARStore
	// contains filtered or unexported fields
}

Storage implements storm.Storage and all capability interfaces.

func NewStorage

func NewStorage(userStore UserStore, algorithms []string) *Storage

func (*Storage) AuthRequestByCode

func (s *Storage) AuthRequestByCode(_ context.Context, code string) (storm.AuthRequest, error)

func (*Storage) AuthRequestByID

func (s *Storage) AuthRequestByID(_ context.Context, id string) (storm.AuthRequest, error)

func (*Storage) AuthorizeClientIDSecret

func (s *Storage) AuthorizeClientIDSecret(_ context.Context, clientID, clientSecret string) error

func (*Storage) CheckUsernamePassword

func (s *Storage) CheckUsernamePassword(username, password, id string) error

func (*Storage) ClientCredentials

func (s *Storage) ClientCredentials(_ context.Context, clientID, clientSecret string) (storm.Client, error)

func (*Storage) ClientCredentialsTokenRequest

func (s *Storage) ClientCredentialsTokenRequest(_ context.Context, clientID string, scopes []string) (storm.TokenRequest, error)

func (*Storage) ClientsForSession

func (s *Storage) ClientsForSession(_ context.Context, sub, sid string) ([]storm.Client, error)

ClientsForSession implements storm.BackChannelStore. Returns all clients that have active sessions for the given subject. If sid is provided, only returns clients with matching session ID.

func (*Storage) CompleteAuthRequest

func (s *Storage) CompleteAuthRequest(_ context.Context, id string, subject string, authTime time.Time, sid string) error

CompleteAuthRequest implements storm.AutoCompleteAuthRequest. It marks an auth request as done with the given subject and the original authentication time, without going through the login UI. Used for prompt=none with active sessions.

func (*Storage) CreateAccessAndRefreshTokens

func (s *Storage) CreateAccessAndRefreshTokens(ctx context.Context, req storm.TokenRequest, currentRefreshToken string, cnf map[string]any) (accessTokenID, newRefreshToken string, expiration time.Time, err error)

func (*Storage) CreateAccessToken

func (s *Storage) CreateAccessToken(ctx context.Context, req storm.TokenRequest, cnf map[string]any) (string, time.Time, error)

func (*Storage) CreateAuthRequest

func (s *Storage) CreateAuthRequest(_ context.Context, req *protocol.AuthRequest, userID string) (storm.AuthRequest, error)

func (*Storage) CreateClient

func (s *Storage) CreateClient(_ context.Context, req *storm.RegistrationRequest, clientID, clientSecret, accessToken, uri string) (*storm.ClientRegistration, error)

func (*Storage) CreateSession

func (s *Storage) CreateSession(subject string, authTime time.Time, sid string)

CreateSession records a subject as having an active session. The session is stored with the session ID as the key. Default session expiry is 24 hours.

func (*Storage) CreateSessionWithClient

func (s *Storage) CreateSessionWithClient(subject, clientID string, authTime time.Time, sid string)

CreateSessionWithClient records a subject as having an active session for a specific client. The session is stored with the session ID as the key. Default session expiry is 24 hours.

func (*Storage) CreateTokenExchangeRequest

func (s *Storage) CreateTokenExchangeRequest(_ context.Context, _ storm.TokenExchangeRequest) error

func (*Storage) DeleteAuthRequest

func (s *Storage) DeleteAuthRequest(_ context.Context, id string) error

func (*Storage) DeleteCIBARequest

func (s *Storage) DeleteCIBARequest(_ context.Context, authReqID string) error

func (*Storage) DeleteClientRegistration

func (s *Storage) DeleteClientRegistration(_ context.Context, clientID string) error

func (*Storage) GetAuthRequestDPoPJKT

func (s *Storage) GetAuthRequestDPoPJKT(_ context.Context, authRequestID string) (string, error)

GetAuthRequestDPoPJKT implements storm.DPoPCodeBindingStore.

func (*Storage) GetAuthRequestSessionID

func (s *Storage) GetAuthRequestSessionID(id string) string

GetAuthRequestSessionID returns the session ID for the given auth request. Used by the login handler to set the session_id cookie after successful login.

func (*Storage) GetCIBARequestByAuthReqID

func (s *Storage) GetCIBARequestByAuthReqID(_ context.Context, authReqID string) (*storm.CIBARequest, error)

func (*Storage) GetClientByClientID

func (s *Storage) GetClientByClientID(_ context.Context, clientID string) (storm.Client, error)

func (*Storage) GetClientRegistration

func (s *Storage) GetClientRegistration(_ context.Context, clientID string) (*storm.ClientRegistration, error)

func (*Storage) GetClientRegistrationByToken

func (s *Storage) GetClientRegistrationByToken(_ context.Context, token string) (*storm.ClientRegistration, error)

func (*Storage) GetPendingCIBARequests

func (s *Storage) GetPendingCIBARequests(_ context.Context, subject string) ([]*storm.CIBARequest, error)

func (*Storage) GetRefreshTokenInfo

func (s *Storage) GetRefreshTokenInfo(_ context.Context, clientID, token string) (userID, tokenID string, err error)

func (*Storage) GetSession

func (s *Storage) GetSession(_ context.Context, r *http.Request, clientID string) (string, time.Time, string, bool)

GetSession implements authorization.SessionProvider. It checks whether the given subject has an active session and returns the original authentication time and session ID. The session is identified by the "session_id" cookie in the request.

func (*Storage) GetSessionBySubject

func (s *Storage) GetSessionBySubject(subject string, clientID ...string) (authTime time.Time, sid string, ok bool)

GetSessionBySubject returns the most recent active session for a given subject. Used by prompt=none when the caller provides id_token_hint or login_hint instead of a session cookie. If clientID is provided, only returns sessions for that client.

func (*Storage) Health

func (s *Storage) Health(_ context.Context) error

func (*Storage) KeySet

func (s *Storage) KeySet(_ context.Context) ([]storm.Key, error)

func (*Storage) OnCIBAStatusChange

func (s *Storage) OnCIBAStatusChange(_ context.Context, req *storm.CIBARequest) error

OnCIBAStatusChange sends a ping notification to the client's notification endpoint when a CIBA request is approved or denied (CIBA Core 1.0 §10).

func (*Storage) RecordClientSession

func (s *Storage) RecordClientSession(subject, clientID, sid string)

RecordClientSession records that a client has an active session for a subject. Call this when issuing tokens to a client. Only records sessions for clients that have a backchannel_logout_uri configured, since only those clients need to be notified on logout.

func (*Storage) RegisterClients

func (s *Storage) RegisterClients(registerClients ...*Client)

func (*Storage) RemoveClientSession

func (s *Storage) RemoveClientSession(subject, clientID string)

RemoveClientSession removes a client session for a subject.

func (*Storage) RevokeToken

func (s *Storage) RevokeToken(_ context.Context, tokenOrTokenID, userID, clientID string) *protocol.Error

func (*Storage) RevokeTokensForUsedCode

func (s *Storage) RevokeTokensForUsedCode(code string) string

RevokeTokensForUsedCode revokes all tokens that were issued for a used code. Returns the auth request ID if the code was found, or empty string if not.

func (*Storage) RotateSigningKey

func (s *Storage) RotateSigningKey() error

RotateSigningKey generates a new RSA-2048/RS256 signing key and prepends it to the key set. Old keys remain in KeySet() for token verification. Note: this is an example server that restarts between test sessions, so unbounded key accumulation is not a concern in practice.

func (*Storage) SaveAuthCode

func (s *Storage) SaveAuthCode(_ context.Context, id, code string) error

func (*Storage) SetAuthRequestDPoPJKT

func (s *Storage) SetAuthRequestDPoPJKT(_ context.Context, authRequestID string, jkt string) error

SetAuthRequestDPoPJKT implements storm.DPoPCodeBindingStore.

func (*Storage) SetIntrospectionFromToken

func (s *Storage) SetIntrospectionFromToken(_ context.Context, resp *protocol.IntrospectionResponse, tokenID, subject, clientID string) error

func (*Storage) SetTokenCNF

func (s *Storage) SetTokenCNF(_ context.Context, tokenID string, cnf map[string]any) error

SetTokenCNF stores the cnf (confirmation) claim for a token (RFC 8705 / RFC 9449).

func (*Storage) SetUserinfoFromToken

func (s *Storage) SetUserinfoFromToken(_ context.Context, userinfo *protocol.UserInfo, tokenID, subject, origin string) error

func (*Storage) SignatureAlgorithms

func (s *Storage) SignatureAlgorithms(_ context.Context) ([]string, error)

func (*Storage) SigningKey

func (s *Storage) SigningKey(_ context.Context) (storm.SigningKey, error)

func (*Storage) SigningKeyByAlg

func (s *Storage) SigningKeyByAlg(_ context.Context, alg string) (storm.SigningKey, error)

SigningKeyByAlg returns a signing key matching the requested algorithm. Returns an error if no exact match is found — it never silently falls back to the default signing key. Silent fallback masks misconfiguration (e.g. a client requesting PS256 silently getting RS256) and breaks FAPI/conformance tests; Keycloak and other OPs likewise reject rather than fall back.

func (*Storage) SigningKeyCount

func (s *Storage) SigningKeyCount() int

SigningKeyCount returns the number of signing keys.

func (*Storage) StoreCIBARequest

func (s *Storage) StoreCIBARequest(_ context.Context, req *storm.CIBARequest) error

func (*Storage) TerminateSession

func (s *Storage) TerminateSession(_ context.Context, userID, clientID string) error

func (*Storage) TokenCNF

func (s *Storage) TokenCNF(_ context.Context, tokenID string) (map[string]any, error)

TokenCNF retrieves the cnf (confirmation) claim for a token (RFC 8705 / RFC 9449). Returns a nil map if the token has no cnf (i.e. it is not sender-constrained).

func (*Storage) TokenClientID

func (s *Storage) TokenClientID(_ context.Context, tokenID string) (string, error)

TokenClientID returns the client_id that the token was issued to. Implements storm.TokenClientProvider for UserInfo JWT response (OIDC Core §5.3.2).

func (*Storage) TokenRequestByRefreshToken

func (s *Storage) TokenRequestByRefreshToken(_ context.Context, refreshToken string) (storm.RefreshTokenRequest, error)

func (*Storage) TrackTokenForAuthRequest

func (s *Storage) TrackTokenForAuthRequest(authRequestID, tokenID string)

TrackTokenForAuthRequest records that a token was issued for an auth request. This is used to revoke tokens when an authorization code is reused.

func (*Storage) UpdateCIBAInterval

func (s *Storage) UpdateCIBAInterval(_ context.Context, authReqID string, increment int) error

func (*Storage) UpdateCIBAPoll

func (s *Storage) UpdateCIBAPoll(_ context.Context, authReqID string, lastPoll time.Time) error

func (*Storage) UpdateCIBARequestStatus

func (s *Storage) UpdateCIBARequestStatus(_ context.Context, authReqID string, status protocol.CIBAStatus, approvedScopes []string) error

func (*Storage) UpdateClientRegistration

func (s *Storage) UpdateClientRegistration(_ context.Context, clientID string, update *storm.RegistrationRequest) (*storm.ClientRegistration, error)

func (*Storage) UserInfoResponseAlg

func (s *Storage) UserInfoResponseAlg(_ context.Context, clientID string) (string, error)

UserInfoResponseAlg returns the client's registered userinfo_signed_response_alg. Implements storm.UserInfoResponseAlgProvider for OIDC Core §5.3.2.

func (*Storage) ValidateJWTProfileScopes

func (s *Storage) ValidateJWTProfileScopes(_ context.Context, userID string, scopes []string) ([]string, error)

func (*Storage) ValidateTokenExchangeRequest

func (s *Storage) ValidateTokenExchangeRequest(_ context.Context, req storm.TokenExchangeRequest) error

type Token

// Token is the in-memory record of an issued token — presumably an access
// token, since it carries a RefreshTokenID and the cnf stored by SetTokenCNF.
type Token struct {
	ID             string
	ApplicationID  string
	Subject        string
	RefreshTokenID string
	Audience       []string
	Expiration     time.Time
	Scopes         []string
	Claims         *protocol.ClaimsRequest
	// CNF is the confirmation claim (RFC 8705 / RFC 9449) set via SetTokenCNF
	// and read via TokenCNF; nil when the token is not sender-constrained.
	CNF            map[string]any
}

type TokenCrypto

// TokenCrypto implements storm.UniCrypto (AlgorithmSuite, Hash, Sign) and
// additionally offers Encrypt, Decrypt and EncryptToken. NewTokenCrypto takes
// a 32-byte key and a method name; Sign is not used in this example.
type TokenCrypto struct {
	// contains filtered or unexported fields
}

func NewTokenCrypto

func NewTokenCrypto(key [32]byte, method string) *TokenCrypto

func (*TokenCrypto) AlgorithmSuite

func (c *TokenCrypto) AlgorithmSuite() string

AlgorithmSuite implements storm.UniCrypto.AlgorithmSuite.

func (*TokenCrypto) Decrypt

func (c *TokenCrypto) Decrypt(_ context.Context, ciphertext []byte) ([]byte, error)

func (*TokenCrypto) Encrypt

func (c *TokenCrypto) Encrypt(_ context.Context, plaintext []byte) ([]byte, error)

func (*TokenCrypto) EncryptToken

func (c *TokenCrypto) EncryptToken(tokenID string) string

func (*TokenCrypto) Hash

func (c *TokenCrypto) Hash(_ context.Context, sigAlgorithm string, data []byte) ([]byte, error)

Hash implements storm.UniCrypto.Hash for token hashing (at_hash, c_hash).

func (*TokenCrypto) Sign

func (c *TokenCrypto) Sign(_ context.Context, keyID string, payload []byte) (string, error)

Sign implements storm.UniCrypto.Sign (not used in this example).

type User

// User is an example user record served by UserStore.
type User struct {
	ID                string
	Username          string
	// Password is presumably what Storage.CheckUsernamePassword compares
	// against. Whether it holds a hash or the plaintext is not visible in this
	// listing — confirm before treating users loaded via StoreFromFile as
	// anything other than test fixtures.
	Password          string
	FirstName         string
	LastName          string
	Email             string
	EmailVerified     bool
	Phone             string
	PhoneVerified     bool
	PreferredLanguage language.Tag
	IsAdmin           bool
	UpdatedAt         int64 // Unix timestamp of last profile update
}

type UserStore

// UserStore looks up example users. NewUserStore builds one for an issuer and
// StoreFromFile loads one from a file.
type UserStore interface {
	// GetUserByID returns the user with the given ID.
	GetUserByID(string) *User
	// GetUserByUsername returns the user with the given username.
	GetUserByUsername(string) *User
	// ExampleClientID returns the client ID of the example client.
	ExampleClientID() string
}

func NewUserStore

func NewUserStore(issuer string) UserStore

func StoreFromFile

func StoreFromFile(path string) (UserStore, error)
