Documentation
Overview
Package oauth provides OAuth 2.0 and OIDC authentication functionality.
Index
- func DiscoverActualIssuer(ctx context.Context, metadataURL string) (*oauthproto.OIDCDiscoveryDocument, error)
- func DiscoverOIDCEndpoints(ctx context.Context, issuer string) (*oauthproto.OIDCDiscoveryDocument, error)
- func NewResourceTokenSource(config *oauth2.Config, token *oauth2.Token, resource string) oauth2.TokenSource
- type Config
- type Flow
- type NonCachingRefresher
- type TokenResult
Constants
This section is empty.
Variables
This section is empty.
Functions
func DiscoverActualIssuer (added in v0.3.0)
func DiscoverActualIssuer(ctx context.Context, metadataURL string) (*oauthproto.OIDCDiscoveryDocument, error)
DiscoverActualIssuer discovers the actual issuer from a URL that might differ from the issuer identifier itself. This is useful when the resource metadata points to a URL that hosts the authorization server metadata but the actual issuer identifier is different (e.g., Stripe's case).
func DiscoverOIDCEndpoints
func DiscoverOIDCEndpoints(ctx context.Context, issuer string) (*oauthproto.OIDCDiscoveryDocument, error)
DiscoverOIDCEndpoints discovers OAuth endpoints from an OIDC issuer
func NewResourceTokenSource (added in v0.12.5)
func NewResourceTokenSource(config *oauth2.Config, token *oauth2.Token, resource string) oauth2.TokenSource
NewResourceTokenSource creates a token source that includes the resource parameter in all token requests, including refresh requests. The resource parameter must be non-empty (caller should check before calling).
Types
type Config
type Config struct {
// ClientID is the OAuth client ID
ClientID string
// ClientSecret is the OAuth client secret (optional for PKCE flow)
ClientSecret string //nolint:gosec // G117: field legitimately holds sensitive data
// RedirectURL is the redirect URL for the OAuth flow
RedirectURL string
// AuthURL is the authorization endpoint URL
AuthURL string
// TokenURL is the token endpoint URL
TokenURL string
// Scopes are the OAuth scopes to request
Scopes []string
// UsePKCE enables PKCE (Proof Key for Code Exchange) for enhanced security
UsePKCE bool
// CallbackPort is the port for the OAuth callback server (optional, 0 means auto-select)
CallbackPort int
// IntrospectionEndpoint is the optional introspection endpoint for validating tokens
IntrospectionEndpoint string
// Resource is the OAuth 2.0 resource indicator (RFC 8707).
Resource string
// OAuthParams are additional parameters to pass to the authorization URL
OAuthParams map[string]string
// ScopeParamName overrides the query parameter name used to send scopes in the
// authorization URL. When empty (default), the standard "scope" parameter is used.
// Some providers use non-standard parameter names (e.g., Slack uses "user_scope"
// for user-token scopes). When set, scopes are sent under this parameter name
// instead of "scope", and the standard "scope" parameter is cleared.
ScopeParamName string
}
Config contains configuration for OAuth authentication
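As an added example (not the package's own code), here is how the Config fields above shape an authorization request: a stand-in AuthConfig with the same field names, an S256 PKCE challenge when UsePKCE is set, the RFC 8707 resource indicator, extra OAuthParams, and the ScopeParamName override that sends scopes under a provider-specific name such as Slack's "user_scope" instead of "scope". AuthConfig, AuthorizationURL and CodeChallengeS256 are assumed names.

```go
package main
import (
	"crypto/sha256"
	"encoding/base64"
	"net/url"
	"strings"
)
// AuthConfig is a constructed stand-in for the Config fields that shape the authorization URL, not the package's type.
type AuthConfig struct {
	ClientID, RedirectURL, AuthURL, Resource, ScopeParamName string
	Scopes      []string
	UsePKCE     bool
	OAuthParams map[string]string
}
// CodeChallengeS256 derives the RFC 7636 S256 challenge: only this, never the verifier, goes in the authorization URL.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}
// AuthorizationURL builds the request as the Config doc describes: scopes go under ScopeParamName when
// set (the standard "scope" is then not sent), the resource indicator and OAuthParams are appended, and
// UsePKCE adds the S256 challenge derived from the caller's verifier.
func AuthorizationURL(c AuthConfig, state, verifier string) (string, error) {
	u, err := url.Parse(c.AuthURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", c.ClientID)
	q.Set("redirect_uri", c.RedirectURL)
	q.Set("state", state) // binds the callback to this session; the callback handler must check it
	scopeParam := "scope"
	if c.ScopeParamName != "" {
		scopeParam = c.ScopeParamName // e.g. Slack's "user_scope" for user-token scopes
	}
	q.Set(scopeParam, strings.Join(c.Scopes, " "))
	if c.Resource != "" {
		q.Set("resource", c.Resource)
	}
	for k, v := range c.OAuthParams {
		q.Set(k, v)
	}
	if c.UsePKCE {
		q.Set("code_challenge", CodeChallengeS256(verifier))
		q.Set("code_challenge_method", "S256")
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}
```

The verifier itself must be generated from a CSPRNG per authorization attempt and kept client-side until the token exchange; this block only derives the challenge from one the caller supplies.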
func CreateOAuthConfigFromOIDC
func CreateOAuthConfigFromOIDC(
	ctx context.Context,
	issuer, clientID, clientSecret string,
	scopes []string,
	usePKCE bool,
	callbackPort int,
	resource string,
) (*Config, error)
CreateOAuthConfigFromOIDC creates an OAuth config from OIDC discovery
func CreateOAuthConfigManual (added in v0.2.4)
func CreateOAuthConfigManual(
	clientID, clientSecret string,
	authURL, tokenURL string,
	scopes []string,
	usePKCE bool,
	callbackPort int,
	resource string,
	oauthParams map[string]string,
	scopeParamName string,
) (*Config, error)
CreateOAuthConfigManual creates an OAuth config with manually provided endpoints
type Flow
type Flow struct {
// contains filtered or unexported fields
}
Flow handles the OAuth authentication flow
func (*Flow) TokenSource (added in v0.0.48)
func (f *Flow) TokenSource() oauth2.TokenSource
TokenSource returns the OAuth2 token source for refreshing tokens
type NonCachingRefresher (added in v0.25.0)
type NonCachingRefresher struct {
// contains filtered or unexported fields
}
NonCachingRefresher is an oauth2.TokenSource that always performs a network refresh when Token() is called — it holds no internal token cache.
This is the correct innermost source for a preemptive-refresh chain: the outer oauth2.ReuseTokenSource provides caching; the inner source must always refresh when asked so that one network round-trip occurs per preemptive window instead of looping indefinitely.
It handles both standard OAuth 2.0 refresh (resource == "") and RFC 8707 resource-indicator refresh (resource != "") in a single type.
Token() is safe for concurrent use. mu serializes access to refreshToken, which is updated in place when the IdP rotates it.
When the IdP omits a new refresh token the previous token is preserved so the session survives providers that do not rotate on every refresh.
func NewNonCachingRefresher (added in v0.25.0)
func NewNonCachingRefresher(cfg *oauth2.Config, refreshToken, resource string) *NonCachingRefresher
NewNonCachingRefresher creates a NonCachingRefresher that refreshes using cfg and the given refresh token. resource is the RFC 8707 resource indicator; pass "" for standard OAuth 2.0 refresh.
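As an added example (not the package's own code), a minimal stand-in for NonCachingRefresher that also shows the resource parameter NewResourceTokenSource adds to refresh requests: one network round-trip per Token() call with no cache, a mutex-guarded refresh token rotated in place, and the previous token preserved when the IdP omits a new one, driven against a constructed in-process token endpoint. Refresher, Demo and the sample token values are assumptions.

```go
package main
import (
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)
// Refresher is a constructed stand-in for NonCachingRefresher, not the package's type: every Token call
// is a network refresh, the refresh token rotates in place under mu, and a response without refresh_token keeps the old one.
type Refresher struct {
	mu           sync.Mutex // serializes rotation so two concurrent refreshes never present the same old token
	TokenURL     string
	RefreshToken string
	Resource     string // RFC 8707 resource indicator; "" means a standard OAuth 2.0 refresh
}
func (r *Refresher) Token() (string, error) { // one round-trip per call; no cache, by design
	r.mu.Lock()
	defer r.mu.Unlock()
	form := url.Values{"grant_type": {"refresh_token"}, "refresh_token": {r.RefreshToken}}
	if r.Resource != "" {
		form.Set("resource", r.Resource) // sent on refresh too, as NewResourceTokenSource does
	}
	resp, err := http.PostForm(r.TokenURL, form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body map[string]string
	if err = json.NewDecoder(resp.Body).Decode(&body); err == nil && body["refresh_token"] != "" {
		r.RefreshToken = body["refresh_token"] // the IdP rotated it; otherwise the previous token survives
	}
	return body["access_token"], err
}
// Demo refreshes twice against a constructed IdP that rotates only on the first call and echoes the refresh token and resource it received.
func Demo() ([]string, string, error) {
	idp := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		out := map[string]string{"access_token": req.PostFormValue("refresh_token") + "@" + req.PostFormValue("resource")}
		if req.PostFormValue("refresh_token") == "rt-initial" {
			out["refresh_token"] = "rt-rotated"
		}
		_ = json.NewEncoder(w).Encode(out)
	}))
	defer idp.Close()
	r := &Refresher{TokenURL: idp.URL, RefreshToken: "rt-initial", Resource: "https://api.example"}
	t1, err1 := r.Token()
	t2, err2 := r.Token()
	return []string{t1, t2}, r.RefreshToken, errors.Join(err1, err2)
}
```

A production refresher must also reject non-2xx token responses and read the full token response (token_type, expires_in); this demo decodes only the two fields the rotation logic needs.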
type TokenResult
type TokenResult struct {
AccessToken string //nolint:gosec // G117: field legitimately holds sensitive data
RefreshToken string //nolint:gosec // G117: field legitimately holds sensitive data
TokenType string
Expiry time.Time
Claims jwt.MapClaims
IDToken string // The OIDC ID token (JWT), if present
}
TokenResult contains the result of the OAuth flow