core

package
v1.19.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 25, 2026 License: MIT Imports: 23 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func LegacyPKCEFactory

func LegacyPKCEFactory(config fosite.Configurator, storage any, strategy any) any

LegacyPKCEFactory satisfies the fosite compose.Factory signature. The storage and strategy parameters are interface{} because fosite's compose pipeline passes them untyped. The Factory signature does not allow returning an error, so incorrect wiring panics at startup with a clear message rather than silently producing a broken handler.

Types

type Config

type Config struct {
	AccessTokenLifespan   time.Duration
	RefreshTokenLifespan  time.Duration
	AuthorizeCodeLifespan time.Duration
	IDTokenLifespan       time.Duration

	HashCost            int
	HMACSecret          []byte
	AllowInsecureHTTP   bool
	EnforcePKCE         bool
	EnableOpenIDConnect bool

	IssuerURL  string
	LoginURL   string
	ConsentURL string

	// AccessTokenAudience identifies the resource server that consumes IAM-issued
	// JWT access tokens. Set as the `aud` claim per RFC 9068 §2.2.
	AccessTokenAudience string

	ClientSecretsHasher fosite.Hasher
	JwkProvider         jwk.Provider
}

func NewOAuthConfigFromConfig

func NewOAuthConfigFromConfig(cfg authconfig.OAuthServerConfig) *Config

type FositeStorage

FositeStorage is the union of fosite storage interfaces that the OAuth provider needs to drive the authorize and token endpoints. It lives here (rather than in the concrete storage package) so the provider depends on the contract, not on a specific storage implementation.

type Issuer

type Issuer struct {
	// contains filtered or unexported fields
}

Issuer turns a resolved user identity into an OAuth authorization-code redirect. It is the small slice of the authorize flow that runs after the user has been authenticated — granting requested scopes, attaching a session to the request, and writing the response that carries the code back to the client.

Flows that already have a user identity in hand — notably the federated login callback — use the Issuer to emit a code directly, without round-tripping the user agent through /oauth2/authorize.

func (*Issuer) IssueAuthorizationCode

func (i *Issuer) IssueAuthorizationCode(ctx context.Context, w http.ResponseWriter, ar fosite.AuthorizeRequester, userInfo identity.UserInfo) error

func (*Issuer) IssueFromFederationSession

func (i *Issuer) IssueFromFederationSession(ctx context.Context, w http.ResponseWriter, session *federation.Session, userInfo identity.UserInfo, additionalParams map[string]string) error

IssueFromFederationSession synthesizes an authorize request from the stored federation session and issues an authorization code for userInfo. Callers use this to skip the extra /oauth2/authorize round trip that would otherwise be needed after a federated login completes.

func (*Issuer) WriteErrorFromFederationSession added in v1.10.0

func (i *Issuer) WriteErrorFromFederationSession(ctx context.Context, w http.ResponseWriter, session *federation.Session, err error) error

WriteErrorFromFederationSession synthesizes an authorize request from the stored federation session and asks fosite to write an RFC 6749 error response to w. In the normal case fosite emits a 303 redirect back to the session's redirect URI; if it cannot reconstruct a valid client and redirect URI on the AuthorizeRequester (e.g. the referenced client has since been removed), it degrades to a JSON body instead. That degradation is intentional — we accept it rather than re-implementing a parallel redirect path. The returned error, when non-nil, describes a failure encountered while preparing the response and is intended for the caller to log; the response itself is best-effort.

type LegacyPKCEHandler

type LegacyPKCEHandler struct {
	AuthorizeCodeStrategy oauth2.AuthorizeCodeStrategy
	Storage               pkce.PKCERequestStorage
	// contains filtered or unexported fields
}

func (*LegacyPKCEHandler) CanHandleTokenEndpointRequest

func (c *LegacyPKCEHandler) CanHandleTokenEndpointRequest(ctx context.Context, requester fosite.AccessRequester) bool

func (*LegacyPKCEHandler) CanSkipClientAuth

func (c *LegacyPKCEHandler) CanSkipClientAuth(ctx context.Context, requester fosite.AccessRequester) bool

func (*LegacyPKCEHandler) HandleAuthorizeEndpointRequest

func (c *LegacyPKCEHandler) HandleAuthorizeEndpointRequest(ctx context.Context, ar fosite.AuthorizeRequester, resp fosite.AuthorizeResponder) error

func (*LegacyPKCEHandler) HandleTokenEndpointRequest

func (c *LegacyPKCEHandler) HandleTokenEndpointRequest(ctx context.Context, request fosite.AccessRequester) error

func (*LegacyPKCEHandler) PopulateTokenEndpointResponse

func (c *LegacyPKCEHandler) PopulateTokenEndpointResponse(ctx context.Context, requester fosite.AccessRequester, responder fosite.AccessResponder) error

type Provider

type Provider struct {
	fosite.OAuth2Provider
	// contains filtered or unexported fields
}

func NewOAuthProviderWithConfig

func NewOAuthProviderWithConfig(store FositeStorage, oauthConfig *Config) (*Provider, error)

func (*Provider) AccessTokenAudience added in v1.10.0

func (p *Provider) AccessTokenAudience() string

AccessTokenAudience returns the resource-server identifier set as the `aud` claim on issued JWT access tokens (RFC 9068 §2.2).

func (*Provider) ClientSecretsHasher added in v1.2.1

func (p *Provider) ClientSecretsHasher() fosite.Hasher

ClientSecretsHasher returns the hasher used to verify client secrets.

func (*Provider) CreateSession

func (p *Provider) CreateSession(userInfo identity.UserInfo, scopes []string) *Session

func (*Provider) GetConfig

func (p *Provider) GetConfig() *fosite.Config

func (*Provider) NewIssuer

func (p *Provider) NewIssuer() *Issuer

NewIssuer returns an authorization-code issuer wired up against this provider. The handler packages call this so they don't need to construct the issuer (or know how this provider builds sessions) themselves.

type Session

type Session struct {
	*openid.DefaultSession

	JWTClaims *jwt.JWTClaims
	JWTHeader *jwt.Headers
}

func NewEmptySession

func NewEmptySession() *Session

NewEmptySession returns a zero-valued Session with nested pointer fields pre-allocated. It is used as the unmarshal target when restoring a stored session from the authorization-code store — the session type must implement JWTSessionContainer so fosite's JWT strategy can mint access tokens.

func NewSessionWithClaims

func NewSessionWithClaims(userInfo identity.UserInfo, scopes []string, kid string) *Session

func (*Session) GetJWTClaims

func (s *Session) GetJWTClaims() jwt.JWTClaimsContainer

func (*Session) GetJWTHeader

func (s *Session) GetJWTHeader() *jwt.Headers

func (*Session) SetExtraClaim

func (s *Session) SetExtraClaim(key string, value any)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL