Documentation
Overview ¶
Package authorization implements the OIDC Authorization endpoint plugin.
It handles the /authorize route (RFC 6749 Section 3.1 / OpenID Connect Core Section 3.1.1), covering:
- Parsing and validating authorization requests
- Redirecting to the login UI
- Processing the callback after authentication
- Generating authorization codes or implicit tokens
The callback path (/authorize/callback) is an internal route for the login UI to redirect back to after user authentication. This is not part of the OIDC standard but is a common implementation pattern.
Index ¶
- Constants
- type ApplicationType
- type ApplicationTypeClient
- type AuthorizeValidator
- type AuthorizeValidatorClient
- type Config
- type DevModeClient
- type IDTokenClaimsExtender
- type IDTokenLifetimeProvider
- type JARMSigner
- type Plugin
- type RedirectURIClient
- type RedirectURIGlobClient
- type SessionProvider
- type SessionStateClient
Constants ¶
const (
ApplicationTypeWeb = shared.ApplicationTypeWeb // web
ApplicationTypeUserAgent = shared.ApplicationTypeUserAgent // user_agent
ApplicationTypeNative = shared.ApplicationTypeNative // native
)
Application type constants (re-exported from shared package).
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ApplicationType ¶
type ApplicationType = int
ApplicationType defines the type of OAuth 2.0 / OIDC client.
type ApplicationTypeClient ¶
type ApplicationTypeClient interface {
storm.Client
ApplicationType() ApplicationType
}
ApplicationTypeClient is optionally implemented by clients that declare their application type (web, user_agent, native).
type AuthorizeValidator ¶
type AuthorizeValidator interface {
// ValidateAuthRequest performs custom validation of the authorization
// request. It receives the resolved client and parsed request, and
// should return an error if validation fails.
ValidateAuthRequest(client storm.Client, authReq *protocol.AuthRequest) error
}
AuthorizeValidator is an optional interface that can be implemented by the plugin's storage (or another component) to provide custom authorization request validation.
When implemented, ValidateAuthRequest is called after default validation in handleAuthorize, allowing additional checks.
type AuthorizeValidatorClient ¶
type AuthorizeValidatorClient interface {
storm.Client
AuthorizeValidator() AuthorizeValidator
}
AuthorizeValidatorClient is optionally implemented by clients that provide a custom AuthorizeValidator for per-client validation logic.
type Config ¶
type Config struct {
AuthStore storm.AuthStore
ClientStore storm.ClientStore
Crypto storm.UniCrypto
KeyStore storm.KeyStore
TokenStore storm.TokenStore
Decoder *protocol.Decoder
// EnableImplicit enables the Implicit Flow (response_type=id_token,
// id_token token). Disabled by default per OAuth 2.1.
EnableImplicit bool
// AllowPlainPKCE enables the "plain" code_challenge_method (RFC 7636).
// Disabled by default per OAuth 2.1 §4.1.1. Clients must explicitly
// opt-in by setting this to true. When false, only S256 is accepted.
AllowPlainPKCE bool
// PARStore enables Pushed Authorization Requests (RFC 9126).
// When set, request_uri values issued by the PAR endpoint are resolved
// from this store.
PARStore storm.PARStore
// CreateAuthCode is an optional hook to customize authorization code
// generation (tenant-level). When nil, the default implementation
// encrypts the auth request ID using the configured Crypto.
CreateAuthCode func(ctx context.Context, authReq storm.AuthRequest, store storm.AuthStore, enc storm.UniCrypto) (string, error)
// SessionProvider is an optional session checker for prompt=none
// enforcement. When nil, prompt=none is not enforced at the
// authorization endpoint (the login UI is always shown).
SessionProvider SessionProvider
// AuthorizationDetailsTypes lists the authorization_details type values
// this OP supports. When non-empty, the discovery document includes
// authorization_details_types_supported (RFC 9396 §6).
// Example: []string{"payment_initiation", "account_information"}
AuthorizationDetailsTypes []string
}
Config holds the dependencies for the Authorization plugin.
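The AllowPlainPKCE switch has two enforcement points, and it is easy to implement only one of them. The following is an added example, not code from this package: PKCEConfig, AcceptChallenge and Verify are illustrative names standing in for the plugin's Config and its endpoint handlers. The /authorize side rejects a disallowed method before the challenge is stored with the pending request; the /token side recomputes the challenge from the presented verifier and compares in constant time. The verifier/challenge pair in main is the RFC 7636 Appendix B test vector.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// Sentinel errors; a real endpoint maps them to invalid_request (at /authorize)
// or invalid_grant (at /token).
var (
	ErrMethodNotAllowed = errors.New("pkce: code_challenge_method not allowed")
	ErrMalformed        = errors.New("pkce: code_challenge or code_verifier malformed")
	ErrMismatch         = errors.New("pkce: code_verifier does not match code_challenge")
)

// RFC 7636 §4.1/§4.2: verifier and challenge are 43..128 unreserved characters.
var unreserved43to128 = regexp.MustCompile(`^[A-Za-z0-9\-._~]{43,128}$`)

// PKCEConfig is a stand-in for the plugin's AllowPlainPKCE switch (assumed
// shape for this example, not the package's Config type).
type PKCEConfig struct {
	AllowPlainPKCE bool
}

// Challenge computes the code_challenge a client sends to /authorize.
func Challenge(method, verifier string) (string, error) {
	switch method {
	case "S256":
		sum := sha256.Sum256([]byte(verifier))
		return base64.RawURLEncoding.EncodeToString(sum[:]), nil
	case "plain":
		return verifier, nil
	}
	return "", ErrMethodNotAllowed
}

// allowed applies the policy. An absent method defaults to "plain"
// (RFC 7636 §4.3), so with AllowPlainPKCE=false a request that omits
// code_challenge_method is rejected as well.
func (c PKCEConfig) allowed(method string) (string, error) {
	if method == "" {
		method = "plain"
	}
	switch method {
	case "S256":
		return method, nil
	case "plain":
		if c.AllowPlainPKCE {
			return method, nil
		}
	}
	return "", ErrMethodNotAllowed
}

// AcceptChallenge is the /authorize-side check, run before the challenge and
// method are stored with the pending authorization request.
func (c PKCEConfig) AcceptChallenge(method, challenge string) error {
	if _, err := c.allowed(method); err != nil {
		return err
	}
	if !unreserved43to128.MatchString(challenge) {
		return ErrMalformed
	}
	return nil
}

// Verify is the /token-side check: recompute the challenge from the presented
// verifier and compare it with the stored one in constant time.
func (c PKCEConfig) Verify(method, storedChallenge, verifier string) error {
	m, err := c.allowed(method)
	if err != nil {
		return err
	}
	if !unreserved43to128.MatchString(verifier) {
		return ErrMalformed
	}
	expected, err := Challenge(m, verifier)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(expected), []byte(storedChallenge)) != 1 {
		return ErrMismatch
	}
	return nil
}

func main() {
	const verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" // RFC 7636 Appendix B
	strict := PKCEConfig{}                  // the plugin's default
	lax := PKCEConfig{AllowPlainPKCE: true} // explicit opt-in
	ch, _ := Challenge("S256", verifier)
	fmt.Println("S256 challenge:", ch)
	fmt.Println("strict, plain at /authorize:", strict.AcceptChallenge("plain", verifier))
	fmt.Println("lax, plain at /authorize:   ", lax.AcceptChallenge("plain", verifier))
	fmt.Println("strict, S256 at /token:     ", strict.Verify("S256", ch, verifier))
}
```

Re-checking the method at /token matters: if the policy is tightened after a "plain" challenge was stored, the stored request is refused at redemption rather than silently honoured.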
type DevModeClient ¶
DevModeClient is optionally implemented by clients that enable development mode, which relaxes certain security checks.
type IDTokenClaimsExtender ¶
IDTokenClaimsExtender is optionally implemented by AuthRequest to provide additional claims for the ID token (e.g. acr, amr, c_hash).
When implemented, the returned claims are merged into the ID token's payload. Standard claims (iss, sub, aud, iat, exp, nonce, at_hash) set by the plugin take precedence and cannot be overridden.
type IDTokenLifetimeProvider ¶
IDTokenLifetimeProvider is optionally implemented by Client to control the lifetime of issued ID tokens.
When not implemented, the default lifetime (1 hour) is used.
type JARMSigner ¶
type JARMSigner = storm.JARMSigner
JARMSigner is an alias for storm.JARMSigner. Kept for backward compatibility with plugins that reference this type.
type Plugin ¶
type Plugin struct {
// contains filtered or unexported fields
}
Plugin implements the OIDC Authorization endpoint.
func New ¶
func New(ctx *storm.PluginContext) *Plugin
New creates a new Authorization plugin from a PluginContext. Storage must implement AuthStore, ClientStore, and KeyStore. If Storage also implements TokenStore, it is used for Implicit Flow access token generation. If Storage implements PARStore, Pushed Authorization Requests are enabled.
func NewWithConfig ¶
NewWithConfig creates a new Authorization plugin with explicit config. Use this when you need to override defaults (e.g., enable implicit flow).
func (*Plugin) Category ¶
func (p *Plugin) Category() storm.PluginCategory
Category returns CategoryCore — authorization is a required OAuth 2.0 endpoint.
func (*Plugin) Contribute ¶
func (p *Plugin) Contribute(ctx context.Context, cfg *protocol.DiscoveryConfiguration)
Contribute populates the discovery fields for the authorization endpoint.
func (*Plugin) Register ¶
Register installs the authorization routes.
OIDC standard endpoint:
GET /authorize (RFC 6749 §3.1, OIDC Core §3.1.1)
POST /authorize is also supported for form-based requests.
Internal callback:
GET /authorize/callback
This is NOT an OIDC standard endpoint. It is the URL the login UI redirects to after successful user authentication.
func (*Plugin) SetJARMSigner ¶
func (p *Plugin) SetJARMSigner(signer JARMSigner)
SetJARMSigner sets the JARM signer for JWT-secured authorization responses. Called by the Engine during Build when both authorization and jarm plugins are present.
type RedirectURIClient ¶
RedirectURIClient is optionally implemented by clients that need redirect URI validation beyond the basic check.
type RedirectURIGlobClient ¶
RedirectURIGlobClient is optionally implemented by clients that need glob/wildcard redirect URI matching.
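Glob matching of redirect URIs is where open-redirect and code-leakage bugs usually come from, so it is worth seeing what a safe version restricts. The following is an added example, not the package's RedirectURIClient or RedirectURIGlobClient implementation; RegisteredClient, MatchExact, MatchPathGlob and ValidateRedirectURI are illustrative names. MatchExact is the RFC 6749 §3.1.2.3 rule (plain string comparison, which OAuth 2.1 makes mandatory); MatchPathGlob allows wildcards only in the path and compares scheme and host byte-for-byte, so a lookalike host can never satisfy a pattern.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
)

var ErrRedirectURI = errors.New("redirect_uri does not match a registered URI")

// RegisteredClient is a stand-in for the client record (not storm.Client).
// With PathGlobs false the entries are matched byte-for-byte; with it true,
// the path component may contain Go path.Match wildcards.
type RegisteredClient struct {
	ID           string
	RedirectURIs []string
	PathGlobs    bool
}

// MatchExact: simple string comparison, no normalisation, no prefix matching.
func MatchExact(registered []string, requested string) bool {
	for _, r := range registered {
		if r == requested {
			return true
		}
	}
	return false
}

// MatchPathGlob confines wildcards to the path. Scheme, host and port must
// equal the registered entry exactly, so neither "app.example.com.evil.com"
// nor a userinfo trick ("app.example.com@evil.com") satisfies a pattern meant
// for app.example.com. Fragments, query strings, userinfo and non-canonical
// paths such as "/cb/../admin" are rejected outright.
func MatchPathGlob(registered []string, requested string) bool {
	req, err := url.Parse(requested)
	if err != nil || req.User != nil || req.Fragment != "" || req.RawQuery != "" {
		return false
	}
	if req.Path == "" || path.Clean(req.Path) != req.Path {
		return false
	}
	for _, r := range registered {
		reg, err := url.Parse(r)
		if err != nil || reg.Scheme != req.Scheme || reg.Host != req.Host {
			continue
		}
		if reg.Path == req.Path {
			return true
		}
		// "*" in path.Match never crosses "/", so "/cb/*" admits "/cb/t1" but not "/cb/a/b".
		if ok, err := path.Match(reg.Path, req.Path); err == nil && ok {
			return true
		}
	}
	return false
}

// ValidateRedirectURI picks the matcher the client has been entitled to.
func ValidateRedirectURI(c RegisteredClient, requested string) error {
	ok := false
	if c.PathGlobs {
		ok = MatchPathGlob(c.RedirectURIs, requested)
	} else {
		ok = MatchExact(c.RedirectURIs, requested)
	}
	if !ok {
		return ErrRedirectURI
	}
	return nil
}

func main() {
	exact := RegisteredClient{ID: "web", RedirectURIs: []string{"https://app.example.com/cb"}}
	glob := RegisteredClient{ID: "multi", RedirectURIs: []string{"https://app.example.com/cb/*"}, PathGlobs: true}
	for _, tc := range []struct {
		c   RegisteredClient
		uri string
	}{
		{exact, "https://app.example.com/cb"},
		{exact, "https://app.example.com/cb/"},
		{glob, "https://app.example.com/cb/tenant1"},
		{glob, "https://app.example.com.evil.com/cb/tenant1"},
		{glob, "https://app.example.com/cb/../admin"},
	} {
		fmt.Printf("%-6s %-46s %v\n", tc.c.ID, tc.uri, ValidateRedirectURI(tc.c, tc.uri))
	}
}
```

Host wildcards are deliberately unsupported: a pattern like https://*.example.com/cb fails the exact host comparison, which is the point. If a deployment needs per-tenant redirects, varying the path is far safer than varying the host, and glob matching should remain a per-client opt-in rather than the default for every registration.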
type SessionProvider ¶
type SessionProvider interface {
GetSession(ctx context.Context, r *http.Request, clientID string) (subject string, authTime time.Time, sid string, ok bool)
}
SessionProvider is an optional interface for checking whether an end-user session exists. When the client storage implements this, the Authorization plugin uses it to enforce prompt=none (OIDC Core §3.1.2.6): if no session exists the endpoint returns login_required immediately instead of redirecting to the login UI.
When a session exists, GetSession returns the subject and the original authentication time (auth_time). The auth_time is used to populate the auth_time claim in ID tokens, ensuring consistency across multiple token issuances for the same session.
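How a SessionProvider drives the prompt=none decision, as an added example that is not the package's own code: the SessionProvider interface is restated verbatim from above, while CookieSessions (an in-memory provider keyed by an assumed "op_session" cookie), Decision and Decide are illustrative names for this example. Decide shows the three outcomes the paragraph describes: issue without UI when a session exists, login_required immediately when prompt=none finds none, and the login UI otherwise; the provider also fixes auth_time at login so later issuances reuse it.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// SessionProvider is the page's interface, restated so the example compiles alone.
type SessionProvider interface {
	GetSession(ctx context.Context, r *http.Request, clientID string) (subject string, authTime time.Time, sid string, ok bool)
}

type session struct {
	subject, sid      string
	authTime, expires time.Time
}

// CookieSessions is a constructed in-memory provider keyed by an opaque cookie
// value. Now is injectable so auth_time is deterministic under test.
type CookieSessions struct {
	mu  sync.Mutex
	m   map[string]session
	Now func() time.Time
}

const sessionCookie = "op_session" // assumed cookie name for this example

func NewCookieSessions() *CookieSessions {
	return &CookieSessions{m: map[string]session{}, Now: time.Now}
}

// Login records a completed authentication. authTime is fixed here and reused
// for every later ID token issued against the same session.
func (s *CookieSessions) Login(cookieValue, subject, sid string, ttl time.Duration) {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.Now()
	s.m[cookieValue] = session{subject: subject, sid: sid, authTime: now, expires: now.Add(ttl)}
}

func (s *CookieSessions) GetSession(_ context.Context, r *http.Request, _ string) (string, time.Time, string, bool) {
	c, err := r.Cookie(sessionCookie)
	if err != nil {
		return "", time.Time{}, "", false
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.m[c.Value]
	if !ok || !s.Now().Before(sess.expires) {
		return "", time.Time{}, "", false
	}
	return sess.subject, sess.authTime, sess.sid, true
}

// Decision is what the endpoint does next: "issue", "show_login", or an OIDC
// error code to send back on the (already validated) redirect_uri.
type Decision struct {
	Action, Subject, SID string
	AuthTime             time.Time
}

// Decide applies OIDC Core §3.1.2.6. With no provider the login UI is always
// shown, matching the documented behaviour when Config.SessionProvider is nil.
func Decide(ctx context.Context, sp SessionProvider, r *http.Request, clientID string) Decision {
	prompts := strings.Fields(r.URL.Query().Get("prompt"))
	none, login := false, false
	for _, p := range prompts {
		none = none || p == "none"
		login = login || p == "login"
	}
	if none && len(prompts) > 1 { // "none" MUST NOT be combined with other values
		return Decision{Action: "invalid_request"}
	}
	if sp == nil {
		return Decision{Action: "show_login"}
	}
	subject, authTime, sid, ok := sp.GetSession(ctx, r, clientID)
	switch {
	case ok && !login:
		return Decision{Action: "issue", Subject: subject, SID: sid, AuthTime: authTime}
	case none:
		return Decision{Action: "login_required"} // no UI permitted, fail immediately
	default:
		return Decision{Action: "show_login"}
	}
}

func main() {
	sp := NewCookieSessions()
	sp.Login("c0ffee", "alice", "sid-1", time.Hour)
	r := httptest.NewRequest("GET", "/authorize?client_id=web&prompt=none", nil)
	fmt.Printf("%+v\n", Decide(context.Background(), sp, r, "web")) // login_required
	r.AddCookie(&http.Cookie{Name: sessionCookie, Value: "c0ffee"})
	fmt.Printf("%+v\n", Decide(context.Background(), sp, r, "web")) // issue
}
```

The login_required outcome must still travel to the client via a redirect_uri that has already been validated against the registration; an unvalidated redirect on the error path is the same open-redirect problem as on the success path.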
type SessionStateClient ¶
SessionStateClient is optionally implemented by clients that support OpenID Connect Session Management. When implemented, session_state is included in authorization responses.