Documentation
Overview
Package pairwise implements Pairwise Subject Identifiers (OIDC Core §8.1).
When enabled, different clients receive different `sub` values for the same user, preventing cross-client user correlation.
The transformation is `sub = BASE64URL(HMAC-SHA256(salt, client_id || subject))`, where `salt` is derived from the `sector_identifier_uri` or a server-wide secret.
Types
type SubjectTransformer
type SubjectTransformer struct {
	// contains filtered or unexported fields
}
SubjectTransformer transforms a real subject into a pairwise subject.
func NewSubjectTransformer
func NewSubjectTransformer(salt []byte) *SubjectTransformer
NewSubjectTransformer creates a new pairwise subject transformer. The salt should be a stable secret (e.g., derived from sector_identifier_uri or a server configuration).
func (*SubjectTransformer) IsPairwiseClient
func (t *SubjectTransformer) IsPairwiseClient(clientID string) bool
IsPairwiseClient returns true if the client uses pairwise subject identifiers.
func (*SubjectTransformer) SetPairwiseClient
func (t *SubjectTransformer) SetPairwiseClient(clientID string)
SetPairwiseClient marks a client as using pairwise subject identifiers.
func (*SubjectTransformer) Transform
func (t *SubjectTransformer) Transform(clientID, subject string) string
Transform converts a real subject into a pairwise subject for a given client. The same (clientID, subject) pair always produces the same pairwise subject.