Documentation
Overview
Package token implements the OIDC Token endpoint plugin.
It handles POST /token (RFC 6749 §3.2 / OIDC Core §3.1.3.1), supporting the following grant types:
Index
- type Config
- type DPoPNonceSender
- type Plugin
- func (p *Plugin) Category() storm.PluginCategory
- func (p *Plugin) Contribute(ctx context.Context, cfg *protocol.DiscoveryConfiguration)
- func (p *Plugin) Name() string
- func (p *Plugin) Register(r chi.Router)
- func (p *Plugin) Requires() []string
- func (p *Plugin) SetDPoPNonceSender(sender DPoPNonceSender)
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Config
type Config struct {
	TokenStore  storm.TokenStore
	ClientStore storm.ClientStore
	AuthStore   storm.AuthStore
	CIBAStore   storm.CIBAStore // optional, for CIBA grant type
	Crypto      storm.UniCrypto
	KeyStore    storm.KeyStore
	Decoder     *protocol.Decoder
	Logger      *slog.Logger
	// AuditLogger receives structured audit events for token issuance and auth failures.
	// When nil, events are logged via slog as a fallback.
	AuditLogger storm.AuditLogger
	// DevicePollInterval is the default polling interval for device_code grant (default: 5s).
	DevicePollInterval time.Duration
	// RequireDPoP when true requires a valid DPoP proof for all token requests.
	// Requests without a DPoP proof are rejected with invalid_request.
	// Use this for FAPI 2.0 compliance (sender-constrained tokens via DPoP).
	RequireDPoP bool
	// RequireMtls when true requires a valid mTLS client certificate for all token requests.
	// Requests without a client certificate are rejected with invalid_request.
	// Use this for FAPI 2.0 compliance (sender-constrained tokens via mTLS).
	RequireMtls bool
	// AllowPrivateIPs disables SSRF protection for jwks_uri fetches (testing only).
	AllowPrivateIPs bool
	// SkipTLSCertVerify disables TLS certificate verification on outbound HTTP (testing only).
	SkipTLSCertVerify bool
	// SessionRecorder records client sessions for back-channel logout (optional).
	SessionRecorder storm.ClientSessionRecorder
	// InvalidateRefreshOnUse when true passes the old refresh token to
	// CreateAccessAndRefreshTokens so the storage can atomically invalidate it.
	// This is required by RFC 6749 §10.4 (refresh token rotation) and prevents
	// stolen refresh tokens from being reused. Default: false for backward
	// compatibility with conformance tests. Enable for production deployments.
	InvalidateRefreshOnUse bool
}
Config holds the dependencies for the Token plugin.
type DPoPNonceSender
type DPoPNonceSender interface {
	// WriteNonceHeader writes the DPoP-Nonce HTTP header to the response.
	WriteNonceHeader(w http.ResponseWriter)
}
DPoPNonceSender is optionally implemented by a plugin to provide DPoP server-provided nonce support (RFC 9449 §8).
When implemented, the token endpoint includes a DPoP-Nonce header in successful token responses, allowing the server to rotate nonces.
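An added example of a DPoPNonceSender implementation (this is not the storm dpop plugin's code; the RotatingNonceSender type and its stateless HMAC-over-time-window design are assumptions). It shows both halves of RFC 9449 §8 nonce handling: writing the DPoP-Nonce header the token endpoint sends, and the Accept check a verifier would apply to the nonce claim in the next proof, with a one-window grace period so proofs in flight during a rotation are not rejected.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"net/http"
	"strconv"
	"time"
)

// RotatingNonceSender (hypothetical) satisfies the DPoPNonceSender interface above. It
// derives the nonce from an HMAC over the current time window, so nonces rotate
// with no server-side state to store or synchronise.
type RotatingNonceSender struct {
	key    []byte
	window time.Duration
	now    func() time.Time // injectable clock for tests
}

func NewRotatingNonceSender(window time.Duration) (*RotatingNonceSender, error) {
	key := make([]byte, 32) // fresh per process: a restart invalidates outstanding nonces
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &RotatingNonceSender{key: key, window: window, now: time.Now}, nil
}

func (s *RotatingNonceSender) bucket() int64 { return s.now().UnixNano() / int64(s.window) }

func (s *RotatingNonceSender) nonceFor(bucket int64) string {
	mac := hmac.New(sha256.New, s.key)
	mac.Write(strconv.AppendInt(nil, bucket, 10))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// WriteNonceHeader is the method the token endpoint calls on successful responses.
func (s *RotatingNonceSender) WriteNonceHeader(w http.ResponseWriter) {
	w.Header().Set("DPoP-Nonce", s.nonceFor(s.bucket()))
}

// Accept is the check a DPoP verifier would run on a proof's "nonce" claim: the
// current window passes, and so does the previous one (grace for in-flight requests).
func (s *RotatingNonceSender) Accept(nonce string) bool {
	b := s.bucket()
	return hmac.Equal([]byte(nonce), []byte(s.nonceFor(b))) ||
		hmac.Equal([]byte(nonce), []byte(s.nonceFor(b-1)))
}
```

A client that presents a nonce older than one window gets the use_dpop_nonce error flow from RFC 9449 §8 and must retry with the fresh value from the header.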
type Plugin
type Plugin struct {
	// contains filtered or unexported fields
}
Plugin implements the OIDC Token endpoint.
func New
func New(ctx *storm.PluginContext) *Plugin
New creates a new Token plugin from a PluginContext.
func NewWithConfig
NewWithConfig creates a new Token plugin with explicit config.
func (*Plugin) Category
func (p *Plugin) Category() storm.PluginCategory
Category returns CategoryCore — token is a required OAuth 2.0 endpoint.
func (*Plugin) Contribute
func (p *Plugin) Contribute(ctx context.Context, cfg *protocol.DiscoveryConfiguration)
Contribute returns the discovery fields for the token endpoint.
func (*Plugin) SetDPoPNonceSender
func (p *Plugin) SetDPoPNonceSender(sender DPoPNonceSender)
SetDPoPNonceSender sets the DPoP nonce sender for server-provided nonces. Called by the Engine during Build when both token and dpop plugins are present.