upstream

package
v0.8.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 22, 2026 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Package upstream provides types and implementations for upstream Identity Provider communication in the OAuth authorization server.

Architecture

The package is designed around a core OAuth2Provider interface that abstracts upstream IDP operations. The interface captures essential OAuth/OIDC operations without leaking implementation details:

  • AuthorizationURL: Build redirect URL for user authentication
  • ExchangeCode: Exchange authorization code for tokens
  • RefreshTokens: Refresh expired tokens
  • ResolveIdentity: Resolve user identity from tokens
  • FetchUserInfo: Fetch user claims

Type Hierarchy 

OAuth2Provider (interface)
    |
BaseOAuth2Provider (pure OAuth 2.0 implementation)

Future: OIDCProvider will extend BaseOAuth2Provider with OIDC-specific features like ID token validation and nonce verification.

Value Objects

  • Tokens: Token response from upstream IDP
  • UserInfo: User claims from UserInfo endpoint
  • OAuth2Config: Configuration for OAuth 2.0 providers
  • IDTokenClaims: Parsed claims from ID token (for future OIDC support)

Usage 

config := &upstream.OAuth2Config{
    CommonOAuthConfig: upstream.CommonOAuthConfig{
        ClientID:     "your-client-id",
        ClientSecret: "your-client-secret",
        RedirectURI:  "https://your-app.com/callback",
        Scopes:       []string{"read", "write"},
    },
    AuthorizationEndpoint: "https://provider.com/authorize",
    TokenEndpoint:         "https://provider.com/token",
    UserInfo: &upstream.UserInfoConfig{
        EndpointURL: "https://provider.com/userinfo",
    },
}

provider, err := upstream.NewOAuth2Provider(config)
if err != nil {
    return err
}

// Build authorization URL
authURL, err := provider.AuthorizationURL(state, pkceChallenge)

// After callback, exchange code for tokens
tokens, err := provider.ExchangeCode(ctx, code, pkceVerifier)

// Resolve user identity
subject, err := provider.ResolveIdentity(ctx, tokens, "")

Extensibility

To add a new IDP type (e.g., SAML), implement the OAuth2Provider interface.

UserInfo Extensibility

The package supports flexible UserInfo fetching through the OAuth2Provider interface's FetchUserInfo method and UserInfoConfig. This enables:

  • Custom field mapping for non-standard provider responses
  • Additional headers for provider-specific requirements

All OAuth2Provider implementations support FetchUserInfo directly: 

userInfo, err := provider.FetchUserInfo(ctx, accessToken)

For custom provider configuration, use UserInfoConfig: 

config := &upstream.UserInfoConfig{
    EndpointURL: "https://api.example.com/user",
    HTTPMethod:  "GET",  // or "POST" per OIDC Core Section 5.3.1
    FieldMapping: &upstream.UserInfoFieldMapping{
        SubjectField: "user_id",  // custom field for non-OIDC providers
    },
}

Index

Constants

View Source 
const DefaultSubjectField = "sub"

DefaultSubjectField is the default field name for subject resolution.

Variables

View Source 
var ErrIdentityResolutionFailed = errors.New("failed to resolve user identity")

ErrIdentityResolutionFailed indicates identity could not be determined.

Functions

This section is empty.

Types

type AuthorizationOption added in v0.7.2 

type AuthorizationOption func(*authorizationOptions)

AuthorizationOption configures authorization URL generation.

func WithAdditionalParams added in v0.7.2 

func WithAdditionalParams(params map[string]string) AuthorizationOption

WithAdditionalParams adds custom parameters to the authorization URL.

type BaseOAuth2Provider added in v0.7.2 

type BaseOAuth2Provider struct {
	// contains filtered or unexported fields
}

BaseOAuth2Provider implements OAuth 2.0 flows for pure OAuth 2.0 providers. This can be used standalone for OAuth 2.0 providers without OIDC support, or embedded by OIDCProvider to share common OAuth 2.0 logic.

func NewOAuth2Provider added in v0.7.2 

func NewOAuth2Provider(config *OAuth2Config, opts ...OAuth2ProviderOption) (*BaseOAuth2Provider, error)

NewOAuth2Provider creates a new pure OAuth 2.0 provider. Use this for providers that don't support OIDC discovery. The config must include AuthorizationEndpoint and TokenEndpoint.

func (*BaseOAuth2Provider) AuthorizationURL added in v0.7.2 

func (p *BaseOAuth2Provider) AuthorizationURL(state, codeChallenge string, opts ...AuthorizationOption) (string, error)

AuthorizationURL builds the URL to redirect the user to the upstream IDP.

func (*BaseOAuth2Provider) ExchangeCode added in v0.7.2 

func (p *BaseOAuth2Provider) ExchangeCode(ctx context.Context, code, codeVerifier string) (*Tokens, error)

ExchangeCode exchanges an authorization code for tokens with the upstream IDP.

func (*BaseOAuth2Provider) FetchUserInfo added in v0.8.0 

func (p *BaseOAuth2Provider) FetchUserInfo(ctx context.Context, accessToken string) (*UserInfo, error)

FetchUserInfo fetches user information from the configured UserInfo endpoint. Returns an error if no UserInfo endpoint is configured. The field mapping from UserInfoConfig.FieldMapping is used to extract claims from non-standard provider responses.

func (*BaseOAuth2Provider) RefreshTokens added in v0.7.2 

func (p *BaseOAuth2Provider) RefreshTokens(ctx context.Context, refreshToken string) (*Tokens, error)

RefreshTokens refreshes the upstream IDP tokens.

func (*BaseOAuth2Provider) ResolveIdentity added in v0.8.0 

func (p *BaseOAuth2Provider) ResolveIdentity(ctx context.Context, tokens *Tokens, _ string) (string, error)

ResolveIdentity resolves the user's identity by fetching UserInfo. For pure OAuth2 providers, this fetches user information from the configured endpoint. OIDC-specific validation (ID token nonce, subject matching) will be added when OIDCProvider is implemented.

func (*BaseOAuth2Provider) Type added in v0.7.2 

func (*BaseOAuth2Provider) Type() ProviderType

Type returns the provider type.

type CommonOAuthConfig added in v0.7.2 

type CommonOAuthConfig struct {
	// ClientID is the OAuth client ID registered with the upstream IDP.
	ClientID string

	// ClientSecret is the OAuth client secret registered with the upstream IDP.
	// Optional for public clients (RFC 6749 Section 2.1) which authenticate using
	// PKCE instead of a client secret. Required for confidential clients.
	ClientSecret string

	// Scopes are the OAuth scopes to request from the upstream IDP.
	Scopes []string

	// RedirectURI is the callback URL where the upstream IDP will redirect
	// after authentication.
	RedirectURI string
}

CommonOAuthConfig contains fields shared by all OAuth provider types. This provides compile-time type safety by separating OIDC and OAuth2 configuration.

func (*CommonOAuthConfig) Validate added in v0.7.2 

func (c *CommonOAuthConfig) Validate() error

Validate checks that CommonOAuthConfig has all required fields.

type IDTokenClaims 

type IDTokenClaims struct {
	// Issuer is the issuer identifier (iss claim).
	Issuer string

	// Subject is the subject identifier (sub claim).
	Subject string

	// Audience contains the audience(s) this ID Token is intended for (aud claim).
	Audience []string

	// ExpiresAt is the expiration time (exp claim).
	ExpiresAt time.Time

	// IssuedAt is the time at which the ID Token was issued (iat claim).
	IssuedAt time.Time

	// Nonce is the value used to associate a client session with an ID Token (nonce claim).
	Nonce string

	// AuthTime is the time when the end-user authentication occurred (auth_time claim).
	AuthTime time.Time

	// AuthorizedParty is the party to which the ID Token was issued (azp claim).
	AuthorizedParty string

	// Email is the user's email address.
	Email string

	// EmailVerified indicates whether the user's email has been verified.
	EmailVerified bool

	// Name is the user's full name.
	Name string

	// RawClaims contains all claims from the ID Token payload.
	RawClaims map[string]any
}

IDTokenClaims contains the standard OIDC ID Token claims. See OIDC Core Section 2 for claim definitions.

type OAuth2Config added in v0.7.2 

type OAuth2Config struct {
	CommonOAuthConfig

	// AuthorizationEndpoint is the URL for the OAuth authorization endpoint.
	AuthorizationEndpoint string

	// TokenEndpoint is the URL for the OAuth token endpoint.
	TokenEndpoint string

	// UserInfo contains configuration for fetching user information (optional).
	// When nil, the provider does not support UserInfo fetching.
	UserInfo *UserInfoConfig
}

OAuth2Config contains configuration for pure OAuth 2.0 providers without OIDC discovery.

func (*OAuth2Config) Validate added in v0.7.2 

func (c *OAuth2Config) Validate() error

Validate checks that OAuth2Config has all required fields.

type OAuth2Provider added in v0.7.2 

type OAuth2Provider interface {
	// Type returns the provider type.
	Type() ProviderType

	// AuthorizationURL builds the URL to redirect the user to the upstream IDP.
	// state: our internal state to correlate callback
	// codeChallenge: PKCE challenge to send to upstream (if supported)
	// opts: optional configuration such as nonce or additional parameters
	AuthorizationURL(state, codeChallenge string, opts ...AuthorizationOption) (string, error)

	// ExchangeCode exchanges an authorization code for tokens with the upstream IDP.
	ExchangeCode(ctx context.Context, code, codeVerifier string) (*Tokens, error)

	// RefreshTokens refreshes the upstream IDP tokens.
	RefreshTokens(ctx context.Context, refreshToken string) (*Tokens, error)

	// ResolveIdentity validates tokens and returns the canonical subject.
	// For OIDC providers with ID tokens, it validates the token and nonce.
	// For OAuth2 providers or as fallback, it fetches UserInfo.
	ResolveIdentity(ctx context.Context, tokens *Tokens, nonce string) (subject string, err error)

	// FetchUserInfo retrieves user information using the provided access token.
	// Returns an error if the provider is not configured for UserInfo fetching.
	FetchUserInfo(ctx context.Context, accessToken string) (*UserInfo, error)
}

OAuth2Provider handles communication with an upstream Identity Provider. This is the base interface for all provider types.

type OAuth2ProviderOption added in v0.7.2 

type OAuth2ProviderOption func(*BaseOAuth2Provider)

OAuth2ProviderOption configures a BaseOAuth2Provider.

func WithOAuth2HTTPClient added in v0.7.2 

func WithOAuth2HTTPClient(client *http.Client) OAuth2ProviderOption

WithOAuth2HTTPClient sets a custom HTTP client.

type OIDCEndpoints 

type OIDCEndpoints struct {
	// Issuer is the issuer identifier.
	Issuer string `json:"issuer"`

	// AuthorizationEndpoint is the URL for the authorization endpoint.
	AuthorizationEndpoint string `json:"authorization_endpoint"`

	// TokenEndpoint is the URL for the token endpoint.
	TokenEndpoint string `json:"token_endpoint"`

	// UserInfoEndpoint is the URL for the userinfo endpoint.
	UserInfoEndpoint string `json:"userinfo_endpoint,omitempty"`

	// JWKSEndpoint is the URL for the JWKS endpoint.
	JWKSEndpoint string `json:"jwks_uri,omitempty"`

	// CodeChallengeMethodsSupported lists the supported PKCE code challenge methods.
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
}

OIDCEndpoints contains the discovered endpoints for an OIDC provider.

type ProviderType added in v0.7.2 

type ProviderType string

ProviderType identifies the type of upstream Identity Provider. 

const (
	// ProviderTypeOAuth2 is for pure OAuth 2.0 providers with explicit endpoints.
	ProviderTypeOAuth2 ProviderType = "oauth2"
)

type Tokens 

type Tokens struct {
	// AccessToken is the access token from the upstream IDP.
	AccessToken string

	// RefreshToken is the refresh token from the upstream IDP (if provided).
	RefreshToken string

	// IDToken is the ID token from the upstream IDP (for OIDC).
	IDToken string

	// ExpiresAt is when the access token expires.
	ExpiresAt time.Time
}

Tokens represents the tokens obtained from an upstream Identity Provider. This type is used for token exchange with the IDP, but stored separately (see storage.IDPTokens for the storage representation).

func (*Tokens) IsExpired 

func (t *Tokens) IsExpired() bool

IsExpired returns true if the access token has expired or will expire within the buffer period. Returns true for nil receivers (treating nil tokens as expired).

type UserInfo 

type UserInfo struct {
	// Subject is the unique identifier for the user (sub claim).
	Subject string `json:"sub"`

	// Email is the user's email address.
	Email string `json:"email,omitempty"`

	// Name is the user's full name.
	Name string `json:"name,omitempty"`

	// Claims contains all claims returned by the userinfo endpoint.
	Claims map[string]any `json:"-"`
}

UserInfo contains user information retrieved from the upstream IDP.

type UserInfoConfig added in v0.7.2 

type UserInfoConfig struct {
	// EndpointURL is the URL of the userinfo endpoint (required).
	EndpointURL string

	// HTTPMethod is the HTTP method to use (default: GET).
	HTTPMethod string

	// AdditionalHeaders contains extra headers to include in the request.
	AdditionalHeaders map[string]string

	// FieldMapping contains custom field mapping configuration.
	// If nil, standard OIDC field names are used ("sub", "name", "email").
	FieldMapping *UserInfoFieldMapping
}

UserInfoConfig contains configuration for fetching user information from an upstream provider. This supports both standard OIDC UserInfo endpoints and custom provider-specific endpoints. Authentication is always performed using Bearer token in the Authorization header.

func (*UserInfoConfig) Validate added in v0.7.2 

func (c *UserInfoConfig) Validate() error

Validate checks that UserInfoConfig has all required fields and valid values.

type UserInfoFieldMapping added in v0.7.2 

type UserInfoFieldMapping struct {
	// SubjectField is the field name for the user ID (e.g., "sub" for OIDC, "id" for GitHub).
	// Default: "sub"
	SubjectField string
}

UserInfoFieldMapping maps provider-specific field names to standard UserInfo fields. This allows adapting non-standard provider responses to the canonical UserInfo structure.

Example for GitHub: 

mapping := &UserInfoFieldMapping{
    SubjectField: "id",
}

func (*UserInfoFieldMapping) GetSubjectField added in v0.8.0 

func (m *UserInfoFieldMapping) GetSubjectField() string

GetSubjectField returns the configured subject field or the default.

func (*UserInfoFieldMapping) ResolveSubject added in v0.8.0 

func (m *UserInfoFieldMapping) ResolveSubject(claims map[string]any) (string, error)

ResolveSubject extracts the subject (user ID) from claims using the configured mapping. Returns an error if no subject can be resolved (subject is required).

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.