oauth

package
v0.8.0
Warning: This package is not in the latest version of its module.
Published: Jan 22, 2026 License: Apache-2.0 Imports: 1 Imported by: 0

Documentation
Overview

Package oauth provides RFC-defined types and constants for OAuth 2.0 and OpenID Connect. It contains ONLY protocol-level definitions with no business logic, and serves as a shared foundation for both OAuth clients (consumers) and servers (producers).

Index

Constants

const (
	// WellKnownOIDCPath is the standard OIDC discovery endpoint path
	// per OpenID Connect Discovery 1.0 specification.
	WellKnownOIDCPath = "/.well-known/openid-configuration"

	// WellKnownOAuthServerPath is the standard OAuth authorization server metadata endpoint path
	// per RFC 8414 (OAuth 2.0 Authorization Server Metadata).
	WellKnownOAuthServerPath = "/.well-known/oauth-authorization-server"

	// WellKnownOAuthResourcePath is the RFC 9728 standard path for OAuth Protected Resource metadata.
	// Per RFC 9728 Section 3, this endpoint and any subpaths under it should be accessible
	// without authentication to enable OIDC/OAuth discovery.
	WellKnownOAuthResourcePath = "/.well-known/oauth-protected-resource"
)

Well-known endpoint paths as defined by RFC 8414, OpenID Connect Discovery 1.0, and RFC 9728.
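The three paths are not combined with an identifier the same way, which matters as soon as an issuer or resource identifier carries a path component: RFC 8414 Section 3.1 and RFC 9728 Section 3.1 insert the well-known path between the host and the identifier's path, while OpenID Connect Discovery 1.0 Section 4 appends it after the path. The following Go program is an added example, not code from this package; it repeats the three constants locally so it runs stand-alone, applies the https/no-query/no-fragment constraints the specifications place on identifiers, and builds both URL forms. The function names and the example.com identifiers are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// The three well-known paths from the package, repeated so the example is self-contained.
const (
	WellKnownOIDCPath          = "/.well-known/openid-configuration"
	WellKnownOAuthServerPath   = "/.well-known/oauth-authorization-server"
	WellKnownOAuthResourcePath = "/.well-known/oauth-protected-resource"
)

var ErrBadIdentifier = errors.New("identifier must be an https URL with a host and no query or fragment")

// parseIdentifier applies the constraints RFC 8414 Section 2 puts on issuer identifiers and
// RFC 9728 Section 2 puts on resource identifiers: https scheme, a host, no query, no fragment.
// Refusing http here keeps metadata from ever being fetched over a channel an attacker can rewrite.
func parseIdentifier(id string) (*url.URL, error) {
	u, err := url.Parse(id)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Host == "" || u.RawQuery != "" || u.Fragment != "" {
		return nil, ErrBadIdentifier
	}
	return u, nil
}

// InsertedWellKnownURL builds the RFC 8414 / RFC 9728 form: the well-known path goes between
// the host and the identifier's path, so https://example.com/issuer1 becomes
// https://example.com/.well-known/oauth-authorization-server/issuer1. A trailing slash on
// the identifier is dropped first, as RFC 8414 Section 3.1 requires.
func InsertedWellKnownURL(identifier, wellKnown string) (string, error) {
	u, err := parseIdentifier(identifier)
	if err != nil {
		return "", err
	}
	u.Path = wellKnown + strings.TrimSuffix(u.Path, "/")
	return u.String(), nil
}

// AppendedWellKnownURL builds the OpenID Connect Discovery 1.0 form: the well-known path is
// appended after the issuer's path, so https://example.com/issuer1 becomes
// https://example.com/issuer1/.well-known/openid-configuration.
func AppendedWellKnownURL(identifier, wellKnown string) (string, error) {
	u, err := parseIdentifier(identifier)
	if err != nil {
		return "", err
	}
	u.Path = strings.TrimSuffix(u.Path, "/") + wellKnown
	return u.String(), nil
}

func main() {
	// Hypothetical identifiers: a bare host, an issuer with a path, and an http one that must be rejected.
	for _, id := range []string{"https://example.com", "https://example.com/issuer1/", "http://example.com/issuer1"} {
		as, err := InsertedWellKnownURL(id, WellKnownOAuthServerPath)
		if err != nil {
			fmt.Printf("%s: rejected: %v\n", id, err)
			continue
		}
		oidc, _ := AppendedWellKnownURL(id, WellKnownOIDCPath)
		res, _ := InsertedWellKnownURL(id, WellKnownOAuthResourcePath)
		fmt.Printf("%s\n  RFC 8414 AS metadata:  %s\n  OIDC discovery:        %s\n  RFC 9728 resource:     %s\n", id, as, oidc, res)
	}
}
```

For an identifier with no path the two conventions collapse to the same host-level URL, which is why the difference is easy to miss in testing and only bites against an issuer such as `https://example.com/issuer1`.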

const (
	// GrantTypeAuthorizationCode is the authorization code grant type (RFC 6749 Section 4.1).
	GrantTypeAuthorizationCode = "authorization_code"

	// GrantTypeRefreshToken is the refresh token grant type (RFC 6749 Section 6).
	GrantTypeRefreshToken = "refresh_token"
)

Grant types as defined by RFC 6749.

const (
	// PKCEMethodS256 sends the base64url-encoded SHA-256 hash of the code verifier as the
	// code challenge. RFC 7636 Section 4.2 makes S256 mandatory to implement for servers and
	// requires clients to use it whenever they are able to; the weaker "plain" method is not
	// defined in this package.
	PKCEMethodS256 = "S256"
)

PKCE (Proof Key for Code Exchange) methods as defined by RFC 7636.

const (
	// ResponseTypeCode is the authorization code response type (RFC 6749 Section 4.1.1).
	ResponseTypeCode = "code"
)

Response types as defined by RFC 6749.

const (
	// TokenEndpointAuthMethodNone indicates no client authentication (public clients).
	// Typically used with PKCE for native/mobile applications.
	TokenEndpointAuthMethodNone = "none"
)

Token endpoint authentication methods as defined by RFC 7591.

Variables

var (
	// ErrMissingIssuer indicates the issuer field is missing from the discovery document.
	ErrMissingIssuer = errors.New("missing issuer")

	// ErrMissingAuthorizationEndpoint indicates the authorization_endpoint field is missing.
	ErrMissingAuthorizationEndpoint = errors.New("missing authorization_endpoint")

	// ErrMissingTokenEndpoint indicates the token_endpoint field is missing.
	ErrMissingTokenEndpoint = errors.New("missing token_endpoint")

	// ErrMissingJWKSURI indicates the jwks_uri field is missing (required for OIDC).
	ErrMissingJWKSURI = errors.New("missing jwks_uri")

	// ErrMissingResponseTypesSupported indicates the response_types_supported field is missing (required for OIDC).
	ErrMissingResponseTypesSupported = errors.New("missing response_types_supported")
)

Validation errors for discovery documents.

Functions

This section is empty.

Types

type AuthorizationServerMetadata added in v0.8.0

type AuthorizationServerMetadata struct {
	// Issuer is the authorization server's issuer identifier (REQUIRED per RFC 8414 Section 2):
	// an https URL with no query or fragment component. Clients must compare it with the
	// identifier they derived the metadata URL from (RFC 8414 Section 3.3).
	Issuer string `json:"issuer"`

	// AuthorizationEndpoint is the URL of the authorization endpoint. RFC 8414 makes it
	// REQUIRED unless no supported grant type uses the authorization endpoint.
	// Note: No omitempty to maintain backward compatibility with existing JSON serialization.
	AuthorizationEndpoint string `json:"authorization_endpoint"`

	// TokenEndpoint is the URL of the token endpoint. RFC 8414 makes it REQUIRED unless only
	// the implicit grant type is supported.
	// Note: No omitempty to maintain backward compatibility with existing JSON serialization.
	TokenEndpoint string `json:"token_endpoint"`

	// JWKSURI is the URL of the JSON Web Key Set document (OPTIONAL in RFC 8414, REQUIRED in
	// OpenID Connect Discovery 1.0).
	// Note: No omitempty to maintain backward compatibility with existing JSON serialization.
	JWKSURI string `json:"jwks_uri"`

	// RegistrationEndpoint is the URL of the Dynamic Client Registration endpoint
	// (OPTIONAL in RFC 8414, RECOMMENDED in OpenID Connect Discovery 1.0).
	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`

	// IntrospectionEndpoint is the URL of the token introspection endpoint (OPTIONAL, RFC 7662).
	IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`

	// UserinfoEndpoint is the URL of the UserInfo endpoint. It is not defined by RFC 8414;
	// OpenID Connect Discovery 1.0 marks it RECOMMENDED.
	// Note: No omitempty to maintain backward compatibility with existing JSON serialization.
	UserinfoEndpoint string `json:"userinfo_endpoint"`

	// ResponseTypesSupported lists the response_type values supported
	// (REQUIRED per RFC 8414 Section 2 and per OpenID Connect Discovery 1.0).
	ResponseTypesSupported []string `json:"response_types_supported,omitempty"`

	// GrantTypesSupported lists the grant types supported (OPTIONAL).
	// Per RFC 8414, omitting it means ["authorization_code", "implicit"].
	GrantTypesSupported []string `json:"grant_types_supported,omitempty"`

	// CodeChallengeMethodsSupported lists the PKCE code challenge methods supported (OPTIONAL).
	// Per RFC 8414, omitting it means the authorization server does not support PKCE.
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`

	// TokenEndpointAuthMethodsSupported lists the client authentication methods supported at
	// the token endpoint (OPTIONAL). Per RFC 8414, omitting it means "client_secret_basic".
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
}

AuthorizationServerMetadata represents the OAuth 2.0 Authorization Server Metadata per RFC 8414. This is the base structure that OIDC Discovery extends.

type OIDCDiscoveryDocument added in v0.8.0

type OIDCDiscoveryDocument struct {
	// Embed OAuth 2.0 AS Metadata (RFC 8414) as the base
	AuthorizationServerMetadata

	// SubjectTypesSupported lists the subject identifier types supported (REQUIRED for OIDC).
	// Valid values are "pairwise" and "public".
	SubjectTypesSupported []string `json:"subject_types_supported,omitempty"`

	// IDTokenSigningAlgValuesSupported lists the JWS algorithms supported for ID tokens
	// (REQUIRED for OIDC). RS256 MUST be included; "none" MAY be listed but MUST NOT be used
	// for ID tokens returned from the authorization endpoint.
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`

	// ScopesSupported lists the OAuth 2.0 scope values supported (RECOMMENDED for OIDC).
	// The server MUST support the "openid" scope whether or not it is listed here.
	ScopesSupported []string `json:"scopes_supported,omitempty"`

	// ClaimsSupported lists the claims that can be returned (RECOMMENDED for OIDC).
	ClaimsSupported []string `json:"claims_supported,omitempty"`
}

OIDCDiscoveryDocument represents the OpenID Connect Discovery 1.0 document. It extends OAuth 2.0 Authorization Server Metadata (RFC 8414) with OIDC-specific fields. This unified type supports both producer (server) and consumer (client) use cases.

func (*OIDCDiscoveryDocument) SupportsGrantType added in v0.8.0

func (d *OIDCDiscoveryDocument) SupportsGrantType(grantType string) bool

SupportsGrantType returns true if the authorization server supports the given grant type.

func (*OIDCDiscoveryDocument) SupportsPKCE added in v0.8.0

func (d *OIDCDiscoveryDocument) SupportsPKCE() bool

SupportsPKCE returns true if the authorization server supports PKCE with S256.

func (*OIDCDiscoveryDocument) Validate added in v0.8.0

func (d *OIDCDiscoveryDocument) Validate(isOIDC bool) error

Validate performs basic validation on the discovery document: it checks that the fields required for an OIDC document (isOIDC true) or for a pure OAuth 2.0 document (isOIDC false) are present, reporting absent ones with the validation errors listed above. Because it takes no expected issuer, it cannot check that the document's issuer matches the identifier the document was fetched for; callers must make that comparison themselves (RFC 8414 Section 3.3, OpenID Connect Discovery 1.0 Section 4.3).
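The checks a relying party should run once it holds a discovery document, shown as an added Go example that is neither this package's code nor its Validate, SupportsPKCE or SupportsGrantType implementation. Because the page gives no import path, it uses a local stand-in struct with the same JSON field names. It treats response_types_supported as REQUIRED for both document kinds, as RFC 8414 Section 2 does, and adds the two checks a presence-only validation cannot make: that issuer equals the identifier the document was fetched for (RFC 8414 Section 3.3, OpenID Connect Discovery 1.0 Section 4.3) and that every endpoint is an https URL. It also applies the RFC 8414 defaults for omitted grant_types_supported and code_challenge_methods_supported. The JSON documents and the issuer https://as.example.com are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// discoveryDoc is a local stand-in for the package's OIDCDiscoveryDocument (flattened, same
// JSON names) so this example runs without the package's import path.
type discoveryDoc struct {
	Issuer                           string   `json:"issuer"`
	AuthorizationEndpoint            string   `json:"authorization_endpoint"`
	TokenEndpoint                    string   `json:"token_endpoint"`
	JWKSURI                          string   `json:"jwks_uri"`
	ResponseTypesSupported           []string `json:"response_types_supported,omitempty"`
	GrantTypesSupported              []string `json:"grant_types_supported,omitempty"`
	CodeChallengeMethodsSupported    []string `json:"code_challenge_methods_supported,omitempty"`
	SubjectTypesSupported            []string `json:"subject_types_supported,omitempty"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
}

var (
	ErrMissingField   = errors.New("missing required metadata field")
	ErrIssuerMismatch = errors.New("issuer does not match the identifier the metadata was fetched for")
	ErrInsecureURL    = errors.New("endpoint is not an https URL")
)

// validateRequired checks presence of the fields RFC 8414 Section 2 marks REQUIRED and, when
// isOIDC is set, the additional ones OpenID Connect Discovery 1.0 Section 3 requires.
func (d *discoveryDoc) validateRequired(isOIDC bool) error {
	checks := []struct {
		name     string
		present  bool
		oidcOnly bool
	}{
		{"issuer", d.Issuer != "", false},
		{"authorization_endpoint", d.AuthorizationEndpoint != "", false},
		{"token_endpoint", d.TokenEndpoint != "", false},
		{"response_types_supported", len(d.ResponseTypesSupported) > 0, false},
		{"jwks_uri", d.JWKSURI != "", true},
		{"subject_types_supported", len(d.SubjectTypesSupported) > 0, true},
		{"id_token_signing_alg_values_supported", len(d.IDTokenSigningAlgValuesSupported) > 0, true},
	}
	for _, c := range checks {
		if c.oidcOnly && !isOIDC {
			continue
		}
		if !c.present {
			return fmt.Errorf("%w: %s", ErrMissingField, c.name)
		}
	}
	return nil
}

// CheckDocument parses raw metadata fetched for expectedIssuer and returns it only if it is
// structurally complete, names the expected issuer, and points at https endpoints.
func CheckDocument(raw []byte, expectedIssuer string, isOIDC bool) (*discoveryDoc, error) {
	var d discoveryDoc
	if err := json.Unmarshal(raw, &d); err != nil {
		return nil, err
	}
	if err := d.validateRequired(isOIDC); err != nil {
		return nil, err
	}
	// RFC 8414 Section 3.3 / OIDC Discovery Section 4.3: the issuer value MUST be identical to
	// the identifier the discovery URL was built from. Skipping this comparison lets a spoofed
	// or misrouted document hand the client attacker-chosen endpoints (mix-up attacks).
	if d.Issuer != expectedIssuer {
		return nil, ErrIssuerMismatch
	}
	for _, ep := range []string{d.AuthorizationEndpoint, d.TokenEndpoint, d.JWKSURI} {
		if ep == "" {
			continue // jwks_uri is OPTIONAL for a pure OAuth 2.0 document
		}
		if u, err := url.Parse(ep); err != nil || u.Scheme != "https" || u.Host == "" {
			return nil, fmt.Errorf("%w: %q", ErrInsecureURL, ep)
		}
	}
	return &d, nil
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// SupportsPKCE reports whether the server advertises S256. Per RFC 8414 an omitted
// code_challenge_methods_supported means no PKCE at all, so a public client should stop here.
func (d *discoveryDoc) SupportsPKCE() bool { return contains(d.CodeChallengeMethodsSupported, "S256") }

// SupportsGrantType applies the RFC 8414 default: an omitted grant_types_supported means
// ["authorization_code", "implicit"].
func (d *discoveryDoc) SupportsGrantType(gt string) bool {
	if d.GrantTypesSupported == nil {
		return gt == "authorization_code" || gt == "implicit"
	}
	return contains(d.GrantTypesSupported, gt)
}

// Constructed sample documents (not captured from any real server).
const (
	goodDoc    = `{"issuer":"https://as.example.com","authorization_endpoint":"https://as.example.com/authorize","token_endpoint":"https://as.example.com/token","jwks_uri":"https://as.example.com/jwks","response_types_supported":["code"],"grant_types_supported":["authorization_code","refresh_token"],"code_challenge_methods_supported":["S256"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"]}`
	spoofedDoc = `{"issuer":"https://other.example.net","authorization_endpoint":"https://other.example.net/authorize","token_endpoint":"https://other.example.net/token","response_types_supported":["code"]}`
)

func main() {
	for name, raw := range map[string]string{"good": goodDoc, "spoofed": spoofedDoc} {
		d, err := CheckDocument([]byte(raw), "https://as.example.com", false)
		if err != nil {
			fmt.Printf("%s: rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%s: ok, PKCE S256=%v, refresh_token=%v\n", name, d.SupportsPKCE(), d.SupportsGrantType("refresh_token"))
	}
}
```

The order of the checks is deliberate: structural validation first, then issuer equality, then endpoint schemes, so that a document is never partially trusted. A public client should additionally refuse to start the authorization code flow when SupportsPKCE returns false.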
