shared

func CertThumbprint ¶

func CertThumbprint(cert *x509.Certificate) string

CertThumbprint computes the SHA-256 thumbprint of a certificate as a base64url-encoded string (RFC 8705 §3.1, x5t#S256).

func ClientCertFromContext ¶

func ClientCertFromContext(ctx context.Context) *x509.Certificate

ClientCertFromContext retrieves the TLS client certificate from the context. Returns nil if no certificate was presented.

func ContextWithAuthenticatedClient ¶

func ContextWithAuthenticatedClient(ctx context.Context, client AuthenticatedClient) context.Context

ContextWithAuthenticatedClient stores a pre-authenticated client in the context.

func ContextWithClientCert ¶

func ContextWithClientCert(ctx context.Context, cert *x509.Certificate) context.Context

ContextWithClientCert stores the TLS client certificate in the request context.

func ContextWithDPoP ¶

func ContextWithDPoP(ctx context.Context, proof DPoPProof) context.Context

ContextWithDPoP stores a DPoP proof in the request context.

func ContextWithIssuer ¶

func ContextWithIssuer(ctx context.Context, issuer string) context.Context

func ContextWithJARMPreferredAlg ¶

func ContextWithJARMPreferredAlg(ctx context.Context, alg string) context.Context

ContextWithJARMPreferredAlg stores the client's preferred signing algorithm in the context so the JARM plugin can use it for signing.

func CopyRequestObjectToAuthRequest ¶

func CopyRequestObjectToAuthRequest(authReq *protocol.AuthRequest, requestObject *protocol.RequestObject)

CopyRequestObjectToAuthRequest copies request object claims into the authorization request, overriding any existing values.

FAPI 2.0 §5.3.1: when a request object is present, the authorization server SHALL NOT use any parameter values from the query string and SHALL only use parameter values from the request object. Most fields are therefore unconditionally assigned from the request object — any query-string-only values (e.g. state) that are absent from the request object are cleared. RequestURI is preserved when the request object does not carry one, because it is needed downstream as a sentinel (e.g. to skip the signed-request-object-required check for request_uri-based JAR).

Per OIDC Core §6.1 and RFC 9101, the request object is a transport envelope for authorization request parameters. Once the signature is verified and the claims are copied, the original RequestParam (the raw JWT string) has no further use — no downstream flow reads it. Clearing it avoids accidentally re-processing the same JWT and keeps the AuthRequest semantically clean.

func EndpointURL ¶

func EndpointURL(ctx context.Context, ep *protocol.Endpoint) string

EndpointURL converts a protocol.Endpoint into an absolute URL using the issuer from context, applying the same TrimRight logic as IssuerURL.

This allows plugins to declare their paths as *protocol.Endpoint and reuse the built-in Absolute() logic instead of hand-joining strings.

Example:

ep := protocol.NewEndpoint("/authorize")
EndpointURL(ctx, ep) → "http://localhost:9998/authorize"

func ExtractBearerToken ¶

func ExtractBearerToken(r *http.Request) string

ExtractBearerToken extracts a Bearer token from the Authorization header. Returns the token string, or empty string if not present or not a Bearer token.

func FetchJWKSFromURI ¶

func FetchJWKSFromURI(uri string, skipTLSVerify, allowPrivateIPs bool) ([]jwk.Key, error)

FetchJWKSFromURI fetches and parses a JWKS from a remote URI. If allowPrivateIPs is false, the URI is validated to prevent SSRF attacks.

func HTTPLoopbackOrLocalhost ¶

func HTTPLoopbackOrLocalhost(rawURL string) (*url.URL, bool)

HTTPLoopbackOrLocalhost parses a URL and returns true if it uses HTTP/HTTPS and points to a loopback address.

func IsLocalhost ¶

func IsLocalhost(host string) bool

IsLocalhost returns true if the hostname is a loopback address. Per RFC 8252 §7.3, only 127.0.0.1 and ::1 are loopback addresses.

func IssuerFromContext ¶

func IssuerFromContext(ctx context.Context) string

func IssuerMiddleware ¶

func IssuerMiddleware(fn IssuerFromRequest) func(http.Handler) http.Handler

IssuerMiddleware injects the issuer into the request context. This is the only middleware that Engine itself needs to install.

func JARMPreferredAlgFromContext ¶

func JARMPreferredAlgFromContext(ctx context.Context) string

JARMPreferredAlgFromContext retrieves the client's preferred signing algorithm.

func JSONResponse ¶

func JSONResponse(w http.ResponseWriter, data any, statusCode int)

JSONResponse writes a JSON response with the given status code. If data is nil, only the status code is written. Delegates to util/http.MarshalJSONWithStatus for the actual encoding. Sets Cache-Control and Pragma headers per RFC 6749 §5.1.

func NewHTTPClient ¶

func NewHTTPClient(skipTLSVerify bool) *http.Client

NewHTTPClient creates an HTTP client for outbound requests (JWKS fetches, request_uri, backchannel_logout, etc.).

Options (all disabled by default):

• skipTLSVerify: skips TLS certificate verification. Use ONLY for testing with self-signed certificates. NEVER enable in production.

func NoContentResponse ¶

func NoContentResponse(w http.ResponseWriter)

NoContentResponse sends a 204 No Content response.

func ParseAndValidateRequestObject ¶

func ParseAndValidateRequestObject(ctx context.Context, authReq *protocol.AuthRequest, lookupClient RequestObjectClientLookup, skipTLSVerify, allowPrivateIPs bool) error

ParseAndValidateRequestObject parses and validates a JWT request object (OIDC Core §6.1, RFC 9101). It:

1. Parses the JWT without verification to extract claims
2. Validates iss == client_id and aud contains the issuer
3. Looks up the client and verifies the JWT signature
4. Validates time claims (exp, nbf)
5. Copies request object claims into the auth request

skipTLSVerify controls whether TLS certificate verification is skipped when fetching the client's JWKS from jwks_uri (testing only). allowPrivateIPs controls whether SSRF validation is skipped for private IPs.

Returns protocol.ErrInvalidRequestObject on any validation failure.

func ParseClientCredentials ¶

func ParseClientCredentials(r *http.Request) (clientID, clientSecret string, err error)

ParseClientCredentials extracts client credentials from the request without verifying them against the store. Returns protocol.ErrInvalidRequest if no credentials are found.

func RedirectResponse ¶

func RedirectResponse(w http.ResponseWriter, r *http.Request, url string)

RedirectResponse sends a 302 Found redirect.

func ResolveCNF ¶

func ResolveCNF(ctx context.Context) map[string]any

ResolveCNF builds the cnf (confirmation) claim from mTLS and DPoP context. mTLS: cnf.x5t#S256 (RFC 8705 §3.1) DPoP: cnf.jkt (RFC 9449 §7.1) If both are present, both keys are included. Returns nil if neither mTLS nor DPoP context is present.

func ResolvePreferredSigningAlg ¶

func ResolvePreferredSigningAlg(client interface{}) string

ResolvePreferredSigningAlg returns the client's preferred signing algorithm for JARM authorization responses. It checks:

1. The client's id_token_signed_response_alg (explicit configuration)
2. FAPI 2.0 profile fallback: PS256 (FAPI 2.0 §5.3.2.2)

Returns empty string if the client has no preference (server default will be used).

func SetUserInfoHeaders ¶

func SetUserInfoHeaders(w http.ResponseWriter)

SetUserInfoHeaders sets the headers required by OIDC Core §5.3.2 and RFC 6750.

func TracerSpan ¶

func TracerSpan(ctx context.Context, tracer trace.Tracer, name string) (context.Context, trace.Span)

TracerSpan starts a span from a trace.Tracer. If the tracer is nil, it returns a no-op span from the context. This is the recommended way to start spans in plugins to avoid nil-pointer panics in tests.

func ValidateAuthRequestParams ¶

func ValidateAuthRequestParams(client AuthRequestClient, authReq *protocol.AuthRequest, defaultScopes ...string) error

ValidateAuthRequestParams validates all authorization request parameters. defaultScopes are applied when the client omits the scope parameter (optional).

func ValidateAuthRequestParamsExceptRedirectURI ¶

func ValidateAuthRequestParamsExceptRedirectURI(client AuthRequestClient, authReq *protocol.AuthRequest, defaultScopes ...string) error

ValidateAuthRequestParamsExceptRedirectURI validates all params except redirect_uri. This is called after redirect_uri has been validated separately, so that remaining errors can be safely redirected to the registered URI. defaultScopes are applied when the client omits the scope parameter (optional).

func ValidateDPoPProofATH ¶

func ValidateDPoPProofATH(proof DPoPProof, accessToken string) error

ValidateDPoPProofATH validates the ath (access token hash) claim in a DPoP proof against the actual access token (RFC 9449 §7.1). The ath claim MUST equal base64url(SHA-256(access_token)).

func ValidateNonce ¶

func ValidateNonce(authReq *protocol.AuthRequest) error

ValidateNonce enforces that nonce is present for implicit and hybrid flows (OIDC Core §3.2.2.1, §3.3.2.1).

func ValidatePKCE ¶

func ValidatePKCE(authReq *protocol.AuthRequest) error

ValidatePKCE checks that code_challenge_method is valid when code_challenge is present.

func ValidatePrompt ¶

func ValidatePrompt(authReq *protocol.AuthRequest) error

ValidatePrompt validates the prompt parameter and mutates authReq accordingly. Per OIDC Core §3.1.2.1:

• "none" MUST NOT be combined with other values.
• "login" forces re-authentication by setting max_age to 0.

func ValidateRedirectURI ¶

func ValidateRedirectURI(client AuthRequestClient, uri string, responseType protocol.ResponseType) error

ValidateRedirectURI validates the redirect_uri parameter.

func ValidateRemoteURL ¶

func ValidateRemoteURL(rawURL string) error

ValidateRemoteURL validates a user-provided URL to prevent SSRF attacks. Rules:

• Scheme must be https (or http for localhost only)
• For non-localhost URLs, DNS is resolved and private/link-local/loopback IPs are blocked

func ValidateResponseType ¶

func ValidateResponseType(client AuthRequestClient, responseType protocol.ResponseType) error

ValidateResponseType validates the response_type parameter.

func ValidateScopes ¶

func ValidateScopes(client AuthRequestClient, authReq *protocol.AuthRequest, defaultScopes ...string) error

ValidateScopes validates the scope parameter. If the client omits the scope parameter, defaultScopes are applied when provided. Per RFC 6749 §4.1.1: "If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope."

func ValidateSenderConstraining ¶

func ValidateSenderConstraining(client interface{}, globalDPoP, globalMtls bool, r *http.Request) error

ValidateSenderConstraining verifies that the client's sender-constraining requirements are met for the incoming token endpoint request.

Per-client configuration takes precedence over global flags. When both DPoP and mTLS are required, the client supports sender-constraining via either mechanism and at least one proof-of-possession MUST be presented (this is the common FAPI 2.0 case where the actual mechanism is chosen by the conformance variant / client request).

func ValidateSignedRequestObjectRequired ¶

func ValidateSignedRequestObjectRequired(client interface{}, hasRequestObject bool) error

ValidateSignedRequestObjectRequired returns an error if the client is configured to require signed request objects but the request does not contain one. It is used by both the PAR and authorization endpoints.

A signed request object is required when the client has request_object_signing_alg configured.

Note: FAPI 2.0 Security Profile does NOT mandate signed request objects. Only FAPI 2.0 Message Signing (a separate profile) does, and that is enforced via the client's request_object_signing_alg setting.

func VerifyTokenBinding ¶

func VerifyTokenBinding(ctx context.Context, cnf map[string]any) error

VerifyTokenBinding verifies that the current request proves possession of the key bound to the token via cnf claim (RFC 8705 §5, RFC 9449 §7.2).

This is a stateless function that checks:

• cnf.jkt against DPoP proof in context
• cnf.x5t#S256 against TLS client certificate in context

Returns nil if the token is not sender-constrained (no cnf) or if verification succeeds. Returns a protocol error otherwise.

func WriteError ¶

func WriteError(w http.ResponseWriter, r *http.Request, err error, logger *slog.Logger)

WriteError writes an OIDC error response to the response writer. It inspects the error chain for StatusError and oidc.Error to determine the correct HTTP status code and JSON body.

This is a shared utility; plugins may choose to use it or implement their own error handling.