type AuthorizationServer ¶
type AuthorizationServer struct {
// REQUIRED
// Issuer is the issuer identifier (a base URL). Per RFC 8414 §3.3 a client
// MUST compare it with the issuer it used to build the well-known URL and
// reject the document on mismatch (mix-up defence); nothing in this type
// performs that check, so callers must do it before using any endpoint below.
Issuer string `json:"issuer"` // Base URL
// RFC 8414 §2 makes authorization_endpoint and token_endpoint conditionally
// required (depending on supported grant types) and jwks_uri OPTIONAL, which
// is why these carry omitempty despite the REQUIRED heading.
AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`
TokenEndpoint string `json:"token_endpoint,omitempty"`
// JSONWebKeySetURI is where the server publishes its signing keys; only
// dereference it over TLS and only after Issuer has been validated.
JSONWebKeySetURI string `json:"jwks_uri,omitempty"`
// RECOMMENDED
RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
ScopesSupported []string `json:"scopes_supported,omitempty"`
// Common OPTIONAL sets
ResponseTypesSupported []string `json:"response_types_supported,omitempty"`
ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
GrantTypesSupported []string `json:"grant_types_supported,omitempty"`
// PKCE methods (RFC 7636). Clients should require "S256"; "plain" gives no
// protection against authorization-code interception.
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
// e.g. "client_secret_basic", "private_key_jwt", "tls_client_auth".
TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
// RFC 8414 §2 – UI / policy pages
ServiceDocumentation string `json:"service_documentation,omitempty"`
UILocalesSupported []string `json:"ui_locales_supported,omitempty"`
OPPolicyURI string `json:"op_policy_uri,omitempty"`
OPTosURI string `json:"op_tos_uri,omitempty"`
// RFC 8414 §2 – Revocation & Introspection (RFC 7009 / RFC 7662)
// Note the two *AuthSigningAlgValues field names omit the "Supported"
// suffix that their JSON tags carry; the tags are authoritative.
RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
RevocationEndpointAuthMethodsSupported []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`
RevocationEndpointAuthSigningAlgValues []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
IntrospectionEndpointAuthMethodsSupported []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`
IntrospectionEndpointAuthSigningAlgValues []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
// JAR, PAR, Device Code, CIBA, etc. (registered extensions)
PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint,omitempty"`
// Booleans below use omitempty, so a false value is absent from the
// marshalled JSON and indistinguishable from "not declared".
RequirePushedAuthorizationRequests bool `json:"require_pushed_authorization_requests,omitempty"`
RequestObjectSigningAlgsSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`
DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint,omitempty"`
BackchannelAuthenticationEndpoint string `json:"backchannel_authentication_endpoint,omitempty"`
BackchannelTokenDeliveryModes []string `json:"backchannel_token_delivery_modes_supported,omitempty"`
BackchannelAuthRequestSigningAlgs []string `json:"backchannel_authentication_request_signing_alg_values_supported,omitempty"`
BackchannelUserCodeParameter bool `json:"backchannel_user_code_parameter_supported,omitempty"`
// OpenID Connect (if the AS is also an OIDC OP)
IDTokenSigningAlgsSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
// Catch-all for undeclared / future metadata
// Extra is tagged `json:"-"`, so encoding/json neither fills nor emits it.
// It only carries data if this type has custom (Un)MarshalJSON methods;
// none are listed for AuthorizationServer on this page.
Extra map[string]any `json:"-"`
}
AuthorizationServer models the JSON object defined in RFC 8414 (OAuth 2.0 Authorization Server Metadata). Note that Extra is tagged `json:"-"`, so encoding/json neither populates nor emits it; unlike JSONWebKey, no custom MarshalJSON/UnmarshalJSON for this type appears on this page, so extension members are dropped unless such methods exist elsewhere.
func FetchAuthorizationServerMetadata ¶
func FetchAuthorizationServerMetadata(ctx context.Context, issuer string, client *http.Client) (*AuthorizationServer, error)
FetchAuthorizationServerMetadata fetches the Authorization Server Metadata document for the given issuer using client. Per RFC 8414 §3.3 the `issuer` value in the returned document must equal the issuer used to build the discovery URL; whether this function performs that check is not visible on this page, so callers should verify it before trusting any endpoint in the result (mix-up defence).
type JSONWebKey ¶
type JSONWebKey struct {
// REQUIRED
// Kty selects which of the per-type fields below are meaningful. "OKP"
// (RFC 8037) uses Crv and X only; it appears in this list although the
// type-level docs only call out RSA, EC and oct.
Kty string `json:"kty"` // Key Type (RSA, EC, oct, OKP …)
// Public-key use or permitted operations
// A verifier should enforce these rather than treat them as hints: do not
// use a "sig" key for encryption or vice versa.
Use string `json:"use,omitempty"` // "sig"|"enc"
KeyOps []string `json:"key_ops,omitempty"` // ["sign","verify", …]
// Alg names the intended algorithm. Pin the algorithm you expect and check
// it agrees with Kty/Crv; never let a token header choose it.
Alg string `json:"alg,omitempty"` // Algorithm (e.g. "RS256")
// Kid is only a selection hint; after choosing a key by Kid, still confirm
// Kty, Alg and Use match what the verifier requires.
Kid string `json:"kid,omitempty"` // Key ID (hint for key selection)
// ----- RSA fields (kty == "RSA") -----
N string `json:"n,omitempty"` // Modulus (base64url-encoded)
E string `json:"e,omitempty"` // Exponent (base64url-encoded)
// ----- EC fields (kty == "EC") -----
Crv string `json:"crv,omitempty"` // Curve ("P-256", "secp256k1", …)
X string `json:"x,omitempty"` // X coordinate (base64url)
Y string `json:"y,omitempty"` // Y coordinate (base64url)
// ----- Symmetric / octet fields (kty == "oct") -----
// K is secret key material. It must never be present in a published JWKS;
// treat its appearance in a fetched key set as a misconfiguration.
K string `json:"k,omitempty"` // Key material (base64url)
// ----- X.509 certificate chain / thumbprints -----
// X5u points at a certificate set (RFC 7517 §4.6). Dereferencing a URL taken
// from an untrusted JWK is an SSRF / key-substitution vector: only fetch it
// for issuers you already trust, over TLS, and check the resulting public
// key against N/E or X/Y.
X5u string `json:"x5u,omitempty"` // URL for cert set
// X5c is a chain of base64 (standard, not base64url) DER certificates, leaf
// first — not PEM (RFC 7517 §4.7). The leaf's public key must match this
// JWK's own parameters, and the chain must be validated before it is relied on.
X5c []string `json:"x5c,omitempty"` // base64 DER cert chain
X5t string `json:"x5t,omitempty"` // SHA-1 thumbprint (legacy; prefer x5t#S256)
X5tS256 string `json:"x5t#S256,omitempty"` // SHA-256 thumbprint
// Catch-all for any future / private parameters
// Extra is tagged `json:"-"` and is carried across JSON only by this type's
// custom MarshalJSON/UnmarshalJSON methods.
Extra map[string]any `json:"-"`
}
JSONWebKey represents one JSON Web Key.
Supported key types (kty):
- "RSA" – modulus N, exponent E
- "EC" – curve crv, coordinates x & y
- "oct" – symmetric key material k
All common metadata fields are included; unknown members round-trip via Extra.
func (JSONWebKey) MarshalJSON ¶
func (j JSONWebKey) MarshalJSON() ([]byte, error)
MarshalJSON writes Extra back out.
func (*JSONWebKey) UnmarshalJSON ¶
func (j *JSONWebKey) UnmarshalJSON(data []byte) error
UnmarshalJSON is a custom unmarshaller that preserves unknown members in Extra. Which side wins when Extra and a named field carry the same JSON key is not shown on this page; check the implementation before relying on either order.
type JSONWebKeySet ¶
type JSONWebKeySet struct {
// Keys holds the members of the set. RFC 7517 §4.5 says different keys in a
// set SHOULD use distinct "kid" values (unless they differ in "kty"), but
// nothing here enforces that; code selecting a key by Kid should be
// prepared for duplicates and still check Kty/Alg/Use on the chosen key.
Keys []JSONWebKey `json:"keys"`
}
JSONWebKeySet represents a set of JSON Web Keys.
type OpenIDConfiguration ¶
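type OpenIDConfiguration struct {
	// REQUIRED
	// Issuer is the OP's issuer identifier. OpenID Connect Discovery §4.3
	// requires the relying party to check that it equals the issuer used to
	// form the discovery URL and to reject the document otherwise (mix-up
	// defence); this type does not perform that check.
	Issuer string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint string `json:"token_endpoint"`
	// JwksURI is where the OP publishes its signing keys; only dereference it
	// over TLS and only after Issuer has been validated.
	JwksURI string `json:"jwks_uri"`
	// The three REQUIRED slices below deliberately lack omitempty: a nil
	// slice marshals as null, which at least makes the omission visible.
	ResponseTypesSupported []string `json:"response_types_supported"`
	SubjectTypesSupported []string `json:"subject_types_supported"`
	// Verifiers should intersect this with the algorithms they are willing to
	// accept; never let a token header alone choose the algorithm.
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
	// RECOMMENDED
	UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"`
	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
	ScopesSupported []string `json:"scopes_supported,omitempty"`
	ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
	GrantTypesSupported []string `json:"grant_types_supported,omitempty"`
	ACRValuesSupported []string `json:"acr_values_supported,omitempty"`
	ClaimsSupported []string `json:"claims_supported,omitempty"`
	ClaimTypesSupported []string `json:"claim_types_supported,omitempty"`
	ClaimsLocalesSupported []string `json:"claims_locales_supported,omitempty"`
	UILocalesSupported []string `json:"ui_locales_supported,omitempty"`
	ServiceDocumentation string `json:"service_documentation,omitempty"`
	OPPolicyURI string `json:"op_policy_uri,omitempty"`
	OPTosURI string `json:"op_tos_uri,omitempty"`
	// OPTIONAL
	IDTokenEncryptionAlgValuesSupported []string `json:"id_token_encryption_alg_values_supported,omitempty"`
	IDTokenEncryptionEncValuesSupported []string `json:"id_token_encryption_enc_values_supported,omitempty"`
	UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported,omitempty"`
	UserinfoEncryptionAlgValuesSupported []string `json:"userinfo_encryption_alg_values_supported,omitempty"`
	UserinfoEncryptionEncValuesSupported []string `json:"userinfo_encryption_enc_values_supported,omitempty"`
	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`
	DisplayValuesSupported []string `json:"display_values_supported,omitempty"`
	// Booleans carry omitempty, so false is absent from the marshalled JSON
	// and indistinguishable from "not declared".
	ClaimsParameterSupported bool `json:"claims_parameter_supported,omitempty"`
	RequestParameterSupported bool `json:"request_parameter_supported,omitempty"`
	RequestURIParameterSupported bool `json:"request_uri_parameter_supported,omitempty"`
	RequireRequestURIRegistration bool `json:"require_request_uri_registration,omitempty"`
	// PKCE methods (RFC 7636); clients should require "S256", since "plain"
	// gives no protection against code interception.
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
	TLSClientCertificateBoundAccessTokens bool `json:"tls_client_certificate_bound_access_tokens,omitempty"`
	IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
	IntrospectionEndpointAuthMethodsSupported []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`
	RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
	RevocationEndpointAuthMethodsSupported []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`
	EndSessionEndpoint string `json:"end_session_endpoint,omitempty"`
	FrontchannelLogoutSupported bool `json:"frontchannel_logout_supported,omitempty"`
	FrontchannelLogoutSessionSupported bool `json:"frontchannel_logout_session_supported,omitempty"`
	BackchannelLogoutSupported bool `json:"backchannel_logout_supported,omitempty"`
	BackchannelLogoutSessionSupported bool `json:"backchannel_logout_session_supported,omitempty"`
	// Extensions (not explicitly modeled)
	// Uses `any`, as the sibling types in this package do (Go 1.18+).
	// Tagged `json:"-"`, so encoding/json neither fills nor emits it; it only
	// carries data if this type has custom (Un)MarshalJSON methods, none of
	// which are listed on this page.
	Extra map[string]any `json:"-"`
}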
OpenIDConfiguration models the OpenID Provider Metadata as defined in OpenID Connect Discovery 1.0 (https://openid.net/specs/openid-connect-discovery-1_0.html)
NOTE:
- All slices are nil by default; add values as needed.
- The "Extra" map preserves extension parameters that are not explicitly modeled here.
type ProtectedResource ¶
type ProtectedResource struct {
// REQUIRED
// Resource is the resource identifier. RFC 9728 §3.3 requires a client to
// compare it with the identifier it used to derive the metadata URL and to
// reject the document on mismatch; this type does not perform that check.
Resource string `json:"resource"`
// OPTIONAL (but very common)
// AuthorizationServers lists issuer identifiers the resource accepts tokens
// from. Treat the list as untrusted input: a tampered resource document
// could steer a client to a hostile issuer, so only follow entries the
// client is already configured to trust, and validate each issuer's own
// metadata (RFC 8414 §3.3) before use.
AuthorizationServers []string `json:"authorization_servers,omitempty"`
// JSONWebKeySetURI and JSONWebKeySet are alternative ways to publish the
// resource's keys; the package notes say a document must not carry both.
// Only dereference the URI over TLS and after Resource has been validated.
JSONWebKeySetURI string `json:"jwks_uri,omitempty"`
JSONWebKeySet *JSONWebKeySet `json:"jwks,omitempty"` // embedded JSONWebKey Set (a pointer so omitempty can drop it)
ScopesSupported []string `json:"scopes_supported,omitempty"`
// e.g. "header", "body", "query" (RFC 6750); "query" leaks tokens into
// logs and referrers and is best left unsupported.
BearerMethodsSupported []string `json:"bearer_methods_supported,omitempty"`
ResourceSigningAlgValuesSupported []string `json:"resource_signing_alg_values_supported,omitempty"`
// Human-readable & docs (all OPTIONAL / i18n-capable)
ResourceName string `json:"resource_name,omitempty"`
ResourceDocumentation string `json:"resource_documentation,omitempty"`
ResourcePolicyURI string `json:"resource_policy_uri,omitempty"`
ResourceTOSURI string `json:"resource_tos_uri,omitempty"`
// MTLS / Authz-Details / DPoP (OPTIONAL feature flags)
// Booleans carry omitempty, so false is absent from the marshalled JSON and
// indistinguishable from "not declared".
TLSClientCertificateBoundAccessTokens bool `json:"tls_client_certificate_bound_access_tokens,omitempty"`
AuthorizationDetailsTypesSupported []string `json:"authorization_details_types_supported,omitempty"`
DPOPSigningAlgValuesSupported []string `json:"dpop_signing_alg_values_supported,omitempty"`
DPOPBoundAccessTokensRequired bool `json:"dpop_bound_access_tokens_required,omitempty"`
// Catch-all for any future or proprietary fields
// Extra is tagged `json:"-"`, so encoding/json neither fills nor emits it.
// It only carries data if this type has custom (Un)MarshalJSON methods;
// none are listed for ProtectedResource on this page.
Extra map[string]any `json:"-"`
}
ProtectedResource represents the full JSON object defined in RFC 9728 §2 “OAuth 2.0 Protected Resource Metadata”.
Notes
- Only the “resource” member is REQUIRED by the RFC; everything else is OPTIONAL.
- `omitempty` keeps absent OPTIONAL members out of the marshalled JSON.
- `JSONWebKeySet` (JSON member `jwks`) is a `*JSONWebKeySet`, not a raw byte slice: decode into it directly, or re-marshal it if you prefer another JWK library (e.g. go-jose/v4). `jwks_uri` and `jwks` MUST NOT both be present in the same document.
- `Extra` is intended to capture extension parameters, but it is tagged `json:"-"`, so encoding/json ignores it unless ProtectedResource has custom (Un)MarshalJSON methods; none are listed on this page, so unknown future fields are not round-tripped by the standard encoder alone.
func FetchProtectedResourceMetadata ¶
func FetchProtectedResourceMetadata(ctx context.Context, metadataURL string, client *http.Client) (*ProtectedResource, error)
FetchProtectedResourceMetadata fetches the protected resource metadata from the given URL using client. RFC 9728 §3.3 requires the `resource` member of the returned document to match the resource identifier the client used to derive metadataURL; whether this function performs that check is not visible on this page, so callers should verify it before trusting `authorization_servers` or `jwks_uri` from the result.