Documentation
¶
Index ¶
- func LegacyPKCEFactory(config fosite.Configurator, storage any, strategy any) any
- type Config
- type FositeStorage
- type Issuer
- func (i *Issuer) IssueAuthorizationCode(ctx context.Context, w http.ResponseWriter, ar fosite.AuthorizeRequester, ...) error
- func (i *Issuer) IssueFromFederationSession(ctx context.Context, w http.ResponseWriter, session *federation.Session, ...) error
- func (i *Issuer) WriteErrorFromFederationSession(ctx context.Context, w http.ResponseWriter, session *federation.Session, ...) error
- type LegacyPKCEHandler
- func (c *LegacyPKCEHandler) CanHandleTokenEndpointRequest(ctx context.Context, requester fosite.AccessRequester) bool
- func (c *LegacyPKCEHandler) CanSkipClientAuth(ctx context.Context, requester fosite.AccessRequester) bool
- func (c *LegacyPKCEHandler) HandleAuthorizeEndpointRequest(ctx context.Context, ar fosite.AuthorizeRequester, ...) error
- func (c *LegacyPKCEHandler) HandleTokenEndpointRequest(ctx context.Context, request fosite.AccessRequester) error
- func (c *LegacyPKCEHandler) PopulateTokenEndpointResponse(ctx context.Context, requester fosite.AccessRequester, ...) error
- type Provider
- type Session
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func LegacyPKCEFactory ¶
func LegacyPKCEFactory(config fosite.Configurator, storage any, strategy any) any
LegacyPKCEFactory satisfies the fosite compose.Factory signature. The storage and strategy parameters are interface{} because fosite's compose pipeline passes them untyped. The Factory signature does not allow returning an error, so incorrect wiring panics at startup with a clear message rather than silently producing a broken handler.
Types ¶
type Config ¶
type Config struct {
AccessTokenLifespan time.Duration
RefreshTokenLifespan time.Duration
AuthorizeCodeLifespan time.Duration
IDTokenLifespan time.Duration
HashCost int
HMACSecret []byte
AllowInsecureHTTP bool
EnforcePKCE bool
EnableOpenIDConnect bool
IssuerURL string
LoginURL string
ConsentURL string
// AccessTokenAudience identifies the resource server that consumes IAM-issued
// JWT access tokens. Set as the `aud` claim per RFC 9068 §2.2.
AccessTokenAudience string
ClientSecretsHasher fosite.Hasher
JwkProvider jwk.Provider
}
func NewOAuthConfigFromConfig ¶
func NewOAuthConfigFromConfig(cfg authconfig.OAuthServerConfig) *Config
type FositeStorage ¶
type FositeStorage interface {
fosite.ClientManager
oauth2.AuthorizeCodeStorage
oauth2.AccessTokenStorage
oauth2.RefreshTokenStorage
oauth2.TokenRevocationStorage
openid.OpenIDConnectRequestStorage
pkce.PKCERequestStorage
}
FositeStorage is the union of fosite storage interfaces that the OAuth provider needs to drive the authorize and token endpoints. It lives here (rather than in the concrete storage package) so the provider depends on the contract, not on a specific storage implementation.
type Issuer ¶
type Issuer struct {
// contains filtered or unexported fields
}
Issuer turns a resolved user identity into an OAuth authorization-code redirect. It is the small slice of the authorize flow that runs after the user has been authenticated — granting requested scopes, attaching a session to the request, and writing the response that carries the code back to the client.
Flows that already have a user identity in hand — notably the federated login callback — use the Issuer to emit a code directly, without round-tripping the user agent through /oauth2/authorize.
func (*Issuer) IssueAuthorizationCode ¶
func (i *Issuer) IssueAuthorizationCode(ctx context.Context, w http.ResponseWriter, ar fosite.AuthorizeRequester, userInfo identity.UserInfo) error
func (*Issuer) IssueFromFederationSession ¶
func (i *Issuer) IssueFromFederationSession(ctx context.Context, w http.ResponseWriter, session *federation.Session, userInfo identity.UserInfo, additionalParams map[string]string) error
IssueFromFederationSession synthesizes an authorize request from the stored federation session and issues an authorization code for userInfo. Callers use this to skip the extra /oauth2/authorize round trip that would otherwise be needed after a federated login completes.
func (*Issuer) WriteErrorFromFederationSession ¶ added in v1.10.0
func (i *Issuer) WriteErrorFromFederationSession(ctx context.Context, w http.ResponseWriter, session *federation.Session, err error) error
WriteErrorFromFederationSession synthesizes an authorize request from the stored federation session and asks fosite to write an RFC 6749 error response to w. In the normal case fosite emits a 303 redirect back to the session's redirect URI; if it cannot reconstruct a valid client and redirect URI on the AuthorizeRequester (e.g. the referenced client has since been removed), it degrades to a JSON body instead. That degradation is intentional — we accept it rather than re-implementing a parallel redirect path. The returned error, when non-nil, describes a failure encountered while preparing the response and is intended for the caller to log; the response itself is best-effort.
type LegacyPKCEHandler ¶
type LegacyPKCEHandler struct {
AuthorizeCodeStrategy oauth2.AuthorizeCodeStrategy
Storage pkce.PKCERequestStorage
// contains filtered or unexported fields
}
func (*LegacyPKCEHandler) CanHandleTokenEndpointRequest ¶
func (c *LegacyPKCEHandler) CanHandleTokenEndpointRequest(ctx context.Context, requester fosite.AccessRequester) bool
func (*LegacyPKCEHandler) CanSkipClientAuth ¶
func (c *LegacyPKCEHandler) CanSkipClientAuth(ctx context.Context, requester fosite.AccessRequester) bool
func (*LegacyPKCEHandler) HandleAuthorizeEndpointRequest ¶
func (c *LegacyPKCEHandler) HandleAuthorizeEndpointRequest(ctx context.Context, ar fosite.AuthorizeRequester, resp fosite.AuthorizeResponder) error
func (*LegacyPKCEHandler) HandleTokenEndpointRequest ¶
func (c *LegacyPKCEHandler) HandleTokenEndpointRequest(ctx context.Context, request fosite.AccessRequester) error
func (*LegacyPKCEHandler) PopulateTokenEndpointResponse ¶
func (c *LegacyPKCEHandler) PopulateTokenEndpointResponse(ctx context.Context, requester fosite.AccessRequester, responder fosite.AccessResponder) error
type Provider ¶
type Provider struct {
fosite.OAuth2Provider
// contains filtered or unexported fields
}
func NewOAuthProviderWithConfig ¶
func NewOAuthProviderWithConfig(store FositeStorage, oauthConfig *Config) (*Provider, error)
func (*Provider) AccessTokenAudience ¶ added in v1.10.0
AccessTokenAudience returns the resource-server identifier set as the `aud` claim on issued JWT access tokens (RFC 9068 §2.2).
func (*Provider) ClientSecretsHasher ¶ added in v1.2.1
ClientSecretsHasher returns the hasher used to verify client secrets.
func (*Provider) CreateSession ¶
type Session ¶
func NewEmptySession ¶
func NewEmptySession() *Session
NewEmptySession returns a zero-valued Session with nested pointer fields pre-allocated. It is used as the unmarshal target when restoring a stored session from the authorization-code store — the session type must implement JWTSessionContainer so fosite's JWT strategy can mint access tokens.
func NewSessionWithClaims ¶
func (*Session) GetJWTClaims ¶
func (s *Session) GetJWTClaims() jwt.JWTClaimsContainer