sso

package
Published: Feb 11, 2026 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

// Config holds the SSO plugin configuration. DefaultConfig returns the
// defaults; the With* PluginOptions adjust individual settings.
type Config struct {
	// Protocol enablement: which SSO protocols the plugin accepts.
	AllowSAML bool `json:"allowSAML"`
	AllowOIDC bool `json:"allowOIDC"`

	// JIT (Just-in-Time) user provisioning (see Service.ProvisionUser)
	AutoProvision    bool   `json:"autoProvision"`    // Automatically create users on first SSO login
	UpdateAttributes bool   `json:"updateAttributes"` // Update existing user attributes from SSO
	DefaultRole      string `json:"defaultRole"`      // Default role for provisioned users (e.g., "member")

	// Attribute mapping from user fields to SSO attribute names
	// Example: {"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"}
	AttributeMapping map[string]string `json:"attributeMapping"`

	// SAML configuration
	SAMLMetadataURL   string `json:"samlMetadataURL"`   // SAML metadata URL (set via WithSAMLMetadataURL)
	SAMLACS           string `json:"samlACS"`           // Assertion Consumer Service URL, i.e. where the IdP returns the SAML response
	RequireEncryption bool   `json:"requireEncryption"` // Require encrypted SAML assertions; when false, unencrypted assertions are accepted

	// OIDC configuration
	OIDCRedirectURL string `json:"oidcRedirectURL"` // OIDC redirect URL (set via WithOIDCRedirectURL)
}

Config holds the SSO plugin configuration.

func DefaultConfig

func DefaultConfig() Config

DefaultConfig returns the default SSO plugin configuration.

type DiscoverProviderRequest

// DiscoverProviderRequest represents a request to discover an SSO provider by email.
type DiscoverProviderRequest struct {
	Email string `json:"email" validate:"required,email"` // Required and must satisfy the "email" validation tag
}

DiscoverProviderRequest represents a request to discover SSO provider by email.

type ErrorResponse

type ErrorResponse = responses.ErrorResponse

ErrorResponse and the other response aliases reuse the shared response types from core.

type Handler

// Handler exposes the SSO HTTP endpoints (RegisterProvider, SAMLLogin,
// SAMLCallback, SAMLSPMetadata, OIDCLogin, OIDCCallback) on top of a
// *Service. Construct it with NewHandler or NewHandlerWithLogger.
type Handler struct {
	// contains filtered or unexported fields
}

func NewHandler

func NewHandler(svc *Service) *Handler

func NewHandlerWithLogger

func NewHandlerWithLogger(svc *Service, logger forge.Logger) *Handler

func (*Handler) OIDCCallback

func (h *Handler) OIDCCallback(c forge.Context) error

OIDCCallback handles OIDC callback and provisions user.

func (*Handler) OIDCLogin

func (h *Handler) OIDCLogin(c forge.Context) error

OIDCLogin initiates the OIDC authentication flow with PKCE.

func (*Handler) RegisterProvider

func (h *Handler) RegisterProvider(c forge.Context) error

RegisterProvider registers a new SSO provider (SAML or OIDC).

func (*Handler) SAMLCallback

func (h *Handler) SAMLCallback(c forge.Context) error

SAMLCallback handles SAML response callback and provisions user.

func (*Handler) SAMLLogin

func (h *Handler) SAMLLogin(c forge.Context) error

SAMLLogin initiates SAML authentication by generating an AuthnRequest.

func (*Handler) SAMLSPMetadata

func (h *Handler) SAMLSPMetadata(c forge.Context) error

SAMLSPMetadata returns Service Provider metadata.

type MessageResponse

type MessageResponse = responses.MessageResponse

type MetadataResponse

// MetadataResponse represents SAML SP metadata. Note that Service.SPMetadata
// is documented as returning only a minimal placeholder string.
type MetadataResponse struct {
	Metadata string `json:"metadata"` // SP metadata document as a string
}

MetadataResponse represents SAML SP metadata.

type OIDCLoginRequest

// OIDCLoginRequest represents a request to initiate OIDC login.
//
// NOTE(review): State, Nonce and RedirectURI are all client-supplied here.
// Whether OIDCLogin generates State/Nonce when they are empty, and whether
// RedirectURI is checked against the provider's registered OIDCRedirectURI,
// is not visible on this page — confirm in Handler.OIDCLogin.
type OIDCLoginRequest struct {
	RedirectURI string `json:"redirectUri"` // Where the IdP should send the user back after authentication
	State       string `json:"state"`       // Flow-binding value; OIDCLoginResponse also carries a State
	Nonce       string `json:"nonce"`       // Value later passed to ValidateOIDCIDToken
	Scope       string `json:"scope"`       // Optional custom scope
}

OIDCLoginRequest represents a request to initiate OIDC login.

type OIDCLoginResponse

// OIDCLoginResponse represents the response to OIDC login initiation.
type OIDCLoginResponse struct {
	AuthURL    string `json:"authUrl"`    // Authorization URL the client should redirect the user to (see InitiateOIDCLogin)
	State      string `json:"state"`      // State bound to this flow; StateStore.Get is keyed by this value
	Nonce      string `json:"nonce"`      // Nonce bound to this flow
	ProviderID string `json:"providerId"` // Provider handling this login
}

OIDCLoginResponse represents the response to OIDC login initiation.

type OIDCState

// OIDCState represents OIDC flow state data. It is what StateStore stores
// and returns, keyed by State, presumably between OIDCLogin and OIDCCallback.
type OIDCState struct {
	State        string    // Lookup key (StateStore.Get/Delete take this value)
	Nonce        string    // Nonce issued at login; ValidateOIDCIDToken takes a nonce on callback
	CodeVerifier string    // PKCE code verifier held server-side and passed to ExchangeOIDCCode; treat as a secret and never return it to the client
	ProviderID   string    // Provider the flow was started against
	RedirectURI  string    // Redirect URI used at login; ExchangeOIDCCode takes a redirectURI as well
	CreatedAt    time.Time // When the entry was stored
	ExpiresAt    time.Time // When the entry should be considered stale; NOTE(review): whether StateStore.Get enforces this is not visible here — confirm
}

OIDCState represents OIDC flow state data.

type Plugin

// Plugin wires the SSO service and registers routes. It implements the plugin
// lifecycle methods (Init, Migrate, RegisterHooks, RegisterRoutes,
// RegisterServiceDecorators); build it with NewPlugin and PluginOptions.
type Plugin struct {
	// contains filtered or unexported fields
}

Plugin wires the SSO service and registers routes.

func NewPlugin

func NewPlugin(opts ...PluginOption) *Plugin

NewPlugin creates a new SSO plugin instance with optional configuration.

func (*Plugin) ID

func (p *Plugin) ID() string

func (*Plugin) Init

func (p *Plugin) Init(authInst core.Authsome) error

Init accepts an auth instance that exposes a GetDB method.

func (*Plugin) Migrate

func (p *Plugin) Migrate() error

Migrate creates required tables and indexes for SSO providers.

func (*Plugin) RegisterHooks

func (p *Plugin) RegisterHooks(_ *hooks.HookRegistry) error

func (*Plugin) RegisterRoutes

func (p *Plugin) RegisterRoutes(router forge.Router) error

RegisterRoutes mounts SSO endpoints under /api/auth/sso.

func (*Plugin) RegisterServiceDecorators

func (p *Plugin) RegisterServiceDecorators(_ *registry.ServiceRegistry) error

type PluginOption

type PluginOption func(*Plugin)

PluginOption is a functional option for configuring the SSO plugin.

func WithAllowOIDC

func WithAllowOIDC(allow bool) PluginOption

WithAllowOIDC sets whether OIDC is enabled.

func WithAllowSAML

func WithAllowSAML(allow bool) PluginOption

WithAllowSAML sets whether SAML is enabled.

func WithAutoProvision

func WithAutoProvision(enable bool) PluginOption

WithAutoProvision sets whether auto-provisioning is enabled.

func WithDefaultConfig

func WithDefaultConfig(cfg Config) PluginOption

WithDefaultConfig sets the default configuration for the plugin.

func WithOIDCRedirectURL

func WithOIDCRedirectURL(url string) PluginOption

WithOIDCRedirectURL sets the OIDC redirect URL.

func WithRequireEncryption

func WithRequireEncryption(require bool) PluginOption

WithRequireEncryption sets whether encrypted assertions are required.

func WithSAMLACS

func WithSAMLACS(acs string) PluginOption

WithSAMLACS sets the SAML assertion consumer service URL.

func WithSAMLMetadataURL

func WithSAMLMetadataURL(url string) PluginOption

WithSAMLMetadataURL sets the SAML metadata URL.

type ProviderDetailResponse

// ProviderDetailResponse represents detailed SSO provider information as
// exposed to API clients. The credentials accepted at registration
// (RegisterProviderRequest.SAMLCert and OIDCClientSecret) are deliberately
// absent; only HasSAMLCert signals that a certificate is configured.
type ProviderDetailResponse struct {
	ProviderID       string            `json:"providerId"`
	Type             string            `json:"type"` // "saml" or "oidc" (the values RegisterProviderRequest accepts)
	Domain           string            `json:"domain,omitempty"`
	AttributeMapping map[string]string `json:"attributeMapping,omitempty"`

	// SAML info (without sensitive data)
	SAMLEntryPoint string `json:"samlEntryPoint,omitempty"`
	SAMLIssuer     string `json:"samlIssuer,omitempty"`
	// NOTE(review): omitempty on a bool drops false, so clients cannot tell
	// "no certificate" from "field not applicable"; consider removing omitempty.
	HasSAMLCert    bool   `json:"hasSamlCert,omitempty"`

	// OIDC info (without sensitive data)
	OIDCClientID    string `json:"oidcClientID,omitempty"`
	OIDCIssuer      string `json:"oidcIssuer,omitempty"`
	OIDCRedirectURI string `json:"oidcRedirectURI,omitempty"`

	CreatedAt string `json:"createdAt"` // Timestamp rendered as a string; format is not specified on this page
	UpdatedAt string `json:"updatedAt"`
}

ProviderDetailResponse represents detailed SSO provider information.

type ProviderDiscoveredResponse

// ProviderDiscoveredResponse represents the result of provider discovery.
// ProviderID and Type are presumably empty (and therefore omitted from the
// JSON) when Found is false.
//
// NOTE(review): a discovery endpoint reveals which email domains have SSO
// configured; whether that is acceptable depends on how the route is exposed
// (authentication and rate limiting are not visible on this page).
type ProviderDiscoveredResponse struct {
	Found      bool   `json:"found"`                // Whether a provider matched the email
	ProviderID string `json:"providerId,omitempty"` // Matched provider, when Found
	Type       string `json:"type,omitempty"`       // "saml" or "oidc", when Found
}

ProviderDiscoveredResponse represents the result of provider discovery.

type ProviderInfo

// ProviderInfo represents basic SSO provider information; it is the element
// type of ProviderListResponse.Providers and carries no credentials.
type ProviderInfo struct {
	ProviderID string `json:"providerId"`
	Type       string `json:"type"`             // "saml" or "oidc"
	Domain     string `json:"domain,omitempty"` // Omitted when the provider has no domain
	CreatedAt  string `json:"createdAt"`        // Timestamp rendered as a string; format is not specified on this page
}

ProviderInfo represents basic SSO provider information.

type ProviderListResponse

// ProviderListResponse represents a list of SSO providers.
type ProviderListResponse struct {
	Providers []ProviderInfo `json:"providers"` // Encodes as null when nil; use an empty slice for "[]"
	Total     int            `json:"total"`     // Number of providers; whether this counts the page or the full set is not stated here
}

ProviderListResponse represents a list of SSO providers.

type ProviderRegisteredResponse

// ProviderRegisteredResponse represents a successful provider registration
// (the result of Handler.RegisterProvider).
type ProviderRegisteredResponse struct {
	ProviderID string `json:"providerId"` // ID supplied in RegisterProviderRequest
	Type       string `json:"type"`       // "saml" or "oidc"
	Status     string `json:"status"`     // Registration status; allowed values are not listed on this page
}

ProviderRegisteredResponse represents a successful provider registration.

type RedisStateStore

// RedisStateStore is a placeholder for a Redis-backed state store. It has no
// fields and no methods on this page, so it cannot yet substitute for
// StateStore; use StateStore until this is implemented.
type RedisStateStore struct {
}

RedisStateStore is intended as a production-ready state store backed by Redis; it is currently a placeholder for future implementation.

type RegisterProviderRequest

// RegisterProviderRequest represents a request to register a new SSO provider.
// It carries provider credentials (notably OIDCClientSecret); those are not
// echoed back in ProviderDetailResponse.
type RegisterProviderRequest struct {
	ProviderID string `json:"providerId" validate:"required"`
	Type       string `json:"type"       validate:"required,oneof=saml oidc"` // Only "saml" or "oidc" pass validation
	Domain     string `json:"domain"`                                         // Presumably matched against the email domain during provider discovery — confirm

	// Attribute mapping from user fields to SSO attribute names
	AttributeMapping map[string]string `json:"attributeMapping"`

	// SAML configuration
	SAMLEntryPoint string `json:"samlEntryPoint"` // IdP endpoint; presumably the idpURL given to InitiateSAMLLogin — confirm
	SAMLIssuer     string `json:"samlIssuer"`     // Presumably the expectedIssuer given to ValidateSAMLResponse — confirm
	SAMLCert       string `json:"samlCert"`       // SAML certificate (presumably the IdP signing certificate — confirm)

	// OIDC configuration
	OIDCClientID     string `json:"oidcClientID"`
	OIDCClientSecret string `json:"oidcClientSecret"` // Client credential; must be stored protected and is not returned by read endpoints
	OIDCIssuer       string `json:"oidcIssuer"`
	OIDCRedirectURI  string `json:"oidcRedirectURI"`
}

RegisterProviderRequest represents a request to register a new SSO provider.

type SAMLLoginRequest

// SAMLLoginRequest represents a request to initiate SAML login.
type SAMLLoginRequest struct {
	RelayState string `json:"relayState"` // Opaque value carried through the IdP round-trip; InitiateSAMLLogin takes it and ValidateSAMLResponse receives it again on callback
}

SAMLLoginRequest represents a request to initiate SAML login.

type SAMLLoginResponse

// SAMLLoginResponse represents the response to SAML login initiation.
type SAMLLoginResponse struct {
	RedirectURL string `json:"redirectUrl"` // IdP URL carrying the AuthnRequest that the client should redirect to (see InitiateSAMLLogin)
	RequestID   string `json:"requestId"`   // Presumably the ID of the generated AuthnRequest — confirm
	ProviderID  string `json:"providerId"`  // Provider handling this login
}

SAMLLoginResponse represents the response to SAML login initiation.

type SSOAuthResponse

// SSOAuthResponse represents a successful SSO authentication response, i.e.
// the outcome of a SAML or OIDC callback.
type SSOAuthResponse struct {
	User    *user.User       `json:"user"`    // User found or created by ProvisionUser
	Session *session.Session `json:"session"` // Session created by CreateSSOSession
	Token   string           `json:"token"`   // Presumably the string CreateSSOSession returns alongside the session — confirm
}

SSOAuthResponse represents a successful SSO authentication response.

type Service

// Service provides SSO operations (registration, callbacks, metadata):
// provider lookup/registration (RegisterProvider, GetProvider), SAML
// (InitiateSAMLLogin, ValidateSAMLResponse, SPMetadata), OIDC
// (GeneratePKCEChallenge, InitiateOIDCLogin, ExchangeOIDCCode,
// ValidateOIDCIDToken, GetOIDCUserInfo) and post-authentication steps
// (ProvisionUser, CreateSSOSession). Build it with NewService.
type Service struct {
	// contains filtered or unexported fields
}

Service provides SSO operations (registration, callbacks, metadata).

func NewService

func NewService(r *repo.SSOProviderRepository, cfg Config, userSvc user.ServiceInterface, sessionSvc session.ServiceInterface) *Service

func (*Service) CreateSSOSession

func (s *Service) CreateSSOSession(
	ctx context.Context,
	userID xid.ID,
	provider *schema.SSOProvider,
) (*session.Session, string, error)

CreateSSOSession creates a session after successful SSO authentication.

func (*Service) ExchangeOIDCCode

func (s *Service) ExchangeOIDCCode(ctx context.Context, provider *schema.SSOProvider, code, redirectURI, codeVerifier string) (*oidcsvc.OIDCTokenResponse, error)

ExchangeOIDCCode exchanges authorization code for tokens with PKCE support.

func (*Service) GeneratePKCEChallenge

func (s *Service) GeneratePKCEChallenge() (*oidcsvc.PKCEChallenge, error)

GeneratePKCEChallenge generates PKCE challenge for OIDC flow.

func (*Service) GetOIDCUserInfo

func (s *Service) GetOIDCUserInfo(ctx context.Context, provider *schema.SSOProvider, accessToken string) (*oidcsvc.OIDCUserInfo, error)

GetOIDCUserInfo fetches user information from userinfo endpoint.

func (*Service) GetProvider

func (s *Service) GetProvider(ctx context.Context, providerID string) (*schema.SSOProvider, error)

func (*Service) InitiateOIDCLogin

func (s *Service) InitiateOIDCLogin(
	ctx context.Context,
	provider *schema.SSOProvider,
	redirectURI, state, nonce string,
) (string, *oidcsvc.PKCEChallenge, error)

InitiateOIDCLogin generates an OIDC authorization URL with PKCE.

func (*Service) InitiateSAMLLogin

func (s *Service) InitiateSAMLLogin(idpURL, relayState string) (string, string, error)

InitiateSAMLLogin generates an AuthnRequest and returns the redirect URL.

func (*Service) ProvisionUser

func (s *Service) ProvisionUser(
	ctx context.Context,
	email string,
	attributes map[string][]string,
	provider *schema.SSOProvider,
) (*user.User, error)

ProvisionUser finds or creates a user from the SSO assertion. It implements Just-in-Time (JIT) user provisioning.

func (*Service) RegisterProvider

func (s *Service) RegisterProvider(ctx context.Context, p *schema.SSOProvider) error

func (*Service) SPMetadata

func (s *Service) SPMetadata() string

SPMetadata returns a minimal placeholder SP metadata string.

func (*Service) ValidateOIDCIDToken

func (s *Service) ValidateOIDCIDToken(ctx context.Context, provider *schema.SSOProvider, idToken, nonce string) (*oidcsvc.OIDCUserInfo, error)

ValidateOIDCIDToken validates an OIDC ID token.

func (*Service) ValidateSAMLResponse

func (s *Service) ValidateSAMLResponse(b64Response, expectedIssuer, relayState string) (*samsvc.SAMLAssertion, error)

ValidateSAMLResponse performs full SAML response validation.

type StateStore

// StateStore provides temporary storage for OIDC flow state (OIDCState),
// keyed by the state parameter (see Store, Get and Delete). The existing
// package note that production should use Redis or a similar distributed
// cache implies the current store is per-process — confirm; if so, a login
// started on one instance cannot be completed on another.
type StateStore struct {
	// contains filtered or unexported fields
}

StateStore provides temporary storage for OIDC flow state. In production, this should be backed by Redis or a similar distributed cache.

func NewStateStore

func NewStateStore() *StateStore

NewStateStore creates a new state store.

func (*StateStore) Delete

func (s *StateStore) Delete(ctx context.Context, state string) error

Delete removes OIDC state data (should be called after successful callback).

func (*StateStore) Get

func (s *StateStore) Get(ctx context.Context, state string) (*OIDCState, error)

Get retrieves OIDC state data by state parameter.

func (*StateStore) Store

func (s *StateStore) Store(ctx context.Context, state *OIDCState) error

Store saves OIDC state data.

type StatusResponse

type StatusResponse = responses.StatusResponse

type SuccessResponse

type SuccessResponse = responses.SuccessResponse
