oidc

package

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client handles OIDC authentication flows with OAuth2 providers. It implements the authorization code flow with PKCE (RFC 7636).

func NewClient

func NewClient(providerURL, clientID, clientSecret, redirectURL string, scopes []string, logger *slog.Logger) *Client

NewClient creates a new OIDC client for the provider at providerURL, using the given client credentials, redirect URL and scopes. clientSecret is a credential: load it from configuration or a secret store rather than hard-coding it, and keep it out of logs.

func (*Client) AuthorizationURL

func (c *Client) AuthorizationURL(state, pkceVerifier, resource string) (string, error)

AuthorizationURL generates the URL to redirect users to for authentication. It includes the PKCE code challenge derived from pkceVerifier (RFC 7636) and a resource indicator (RFC 8707). The state value is only effective against CSRF if the caller stores it (see SessionManager.SetState) and rejects a callback whose returned state does not match; that comparison is not described on this page, so confirm where it happens.

func (*Client) ExchangeCode

func (c *Client) ExchangeCode(ctx context.Context, code, pkceVerifier string) (*oauth2.Token, error)

ExchangeCode exchanges an authorization code for tokens, sending pkceVerifier as the PKCE code_verifier (RFC 7636). pkceVerifier must be the same value that was passed to AuthorizationURL for this flow; the provider rejects the exchange otherwise.

func (*Client) ParseIDToken

func (c *Client) ParseIDToken(ctx context.Context, idToken string) (map[string]interface{}, error)

ParseIDToken validates an ID token's signature via the provider's JWKS and checks standard claims (issuer, audience). Whether the token's expiry (exp) and nonce are also checked is not stated here; callers should confirm this before relying on ParseIDToken alone for freshness or replay protection.

type SessionData

type SessionData struct {
	// IDToken is the raw ID token JWT from the OIDC provider. It is carried
	// inside the encrypted session cookie (see SessionManager.SetSession), so
	// it reaches the browser; it is still a bearer credential and must not be
	// logged.
	IDToken string `json:"id_token"`

	// AccessToken is the OAuth2 access token (optional). Like IDToken it is
	// stored client-side in the session cookie; omitempty drops it when unset.
	AccessToken string `json:"access_token,omitempty"`

	// RefreshToken is the OAuth2 refresh token (optional). This is a long-lived
	// credential; storing it here means its confidentiality rests entirely on
	// the cookie encryption key and on the cookie being marked Secure (see
	// SessionManager.SetSecure).
	RefreshToken string `json:"refresh_token,omitempty"`

	// Claims are the parsed JWT claims — presumably the map returned by
	// Client.ParseIDToken. NOTE(review): treat them as trusted only if they
	// came from ParseIDToken's signature check, not from re-parsing IDToken
	// without verification.
	Claims map[string]interface{} `json:"claims"`

	// ExpiresAt is when this session expires. Whether GetSession enforces this
	// bound or leaves it to the caller is not stated here — confirm before
	// relying on it.
	ExpiresAt time.Time `json:"expires_at"`
}

SessionData contains the authenticated session information. It is what SetSession serializes into the encrypted session cookie and GetSession reads back, so every field in it travels to the browser in encrypted form.

type SessionManager

type SessionManager struct {
	// contains filtered or unexported fields
}

SessionManager handles OIDC session lifecycle using encrypted cookies. Cookie values are encrypted and authenticated with XChaCha20-Poly1305. Authenticated encryption means the client can neither read nor forge cookie contents, but a captured cookie can still be replayed by whoever holds it; this is why cookies must be marked Secure in production (see SetSecure) and why a leaked key lets an attacker mint arbitrary sessions.

func NewSessionManager

func NewSessionManager(cookieSecure bool, cookieDomain string, key []byte) *SessionManager

NewSessionManager creates a new session manager. If key is nil, a random 32-byte key is generated. This means sessions won't survive server restarts and that multiple replicas will not accept each other's cookies; pass the same persistent key to every instance for durable sessions. XChaCha20-Poly1305 uses a 32-byte key, so a supplied key should be 32 bytes (how other lengths are handled is not stated here — confirm). Treat the key as a secret; rotating it invalidates all existing sessions.

func (*SessionManager) ClearNamedCookie added in v0.8.0

func (sm *SessionManager) ClearNamedCookie(w http.ResponseWriter, name string)

ClearNamedCookie removes a cookie by name.

func (*SessionManager) ClearSession

func (sm *SessionManager) ClearSession(w http.ResponseWriter)

ClearSession removes the session cookie. This only ends the local session; it does not revoke the access or refresh token at the provider or end the provider-side session.

func (*SessionManager) ClearState

func (sm *SessionManager) ClearState(w http.ResponseWriter)

ClearState removes the state cookie

func (*SessionManager) GenerateState

func (sm *SessionManager) GenerateState(returnPath string) (*StateData, error)

GenerateState creates a new OIDC flow state with PKCE: a fresh random State value and PKCEVerifier, plus the supplied returnPath (see StateData). Store it with SetState before redirecting to Client.AuthorizationURL.

func (*SessionManager) GetNamedCookie added in v0.8.0

func (sm *SessionManager) GetNamedCookie(r *http.Request, name string) ([]byte, error)

GetNamedCookie reads and decrypts a cookie by name, returning the raw plaintext. Returns nil, nil if the cookie is not present.

func (*SessionManager) GetSession

func (sm *SessionManager) GetSession(r *http.Request) (*SessionData, error)

GetSession retrieves the current session from the encrypted session cookie. Whether it rejects a session whose ExpiresAt has passed is not stated here; callers that need that guarantee should check ExpiresAt themselves.

func (*SessionManager) GetState

func (sm *SessionManager) GetState(r *http.Request) (*StateData, error)

GetState retrieves OIDC flow state from the encrypted state cookie. Whether it rejects state whose ExpiresAt has passed is not stated here; callers should confirm before relying on the short-lived bound.

func (*SessionManager) SetNamedCookie added in v0.8.0

func (sm *SessionManager) SetNamedCookie(w http.ResponseWriter, name string, data []byte, expiry time.Time) error

SetNamedCookie encrypts data and stores it in a cookie with the given name and expiry.

func (*SessionManager) SetSecure

func (sm *SessionManager) SetSecure(secure bool)

SetSecure updates whether cookies should be marked Secure. Set it to false only for plaintext-HTTP local development: without the Secure flag the encrypted session cookie is sent over HTTP, where it can be captured and replayed even though its contents cannot be read.

func (*SessionManager) SetSession

func (sm *SessionManager) SetSession(w http.ResponseWriter, session *SessionData) error

SetSession stores a new session in an encrypted cookie

func (*SessionManager) SetState

func (sm *SessionManager) SetState(w http.ResponseWriter, state *StateData) error

SetState stores OIDC flow state in an encrypted cookie, so the browser can neither read nor tamper with it. Call it before redirecting the user to the authorization URL.

type StateData

type StateData struct {
	// State is the random state parameter sent in the authorization request.
	// On the callback the caller must compare the provider-returned state with
	// this value (a constant-time compare is preferable) and reject a
	// mismatch; that comparison is what provides the CSRF protection.
	State string `json:"state"`

	// PKCEVerifier is the PKCE code verifier (RFC 7636). It stays in the
	// encrypted state cookie and is sent only in Client.ExchangeCode; the
	// authorization request carries the challenge derived from it.
	PKCEVerifier string `json:"pkce_verifier"`

	// ReturnPath is where to redirect after auth. It originates from the
	// caller's returnPath argument to GenerateState; if that value can be
	// influenced by the request (e.g. a ?next= parameter) it must be
	// restricted to a same-origin relative path before use, or it becomes an
	// open redirect. NOTE(review): no such validation is documented here.
	ReturnPath string `json:"return_path"`

	// ExpiresAt is when this state expires (short-lived). Whether GetState
	// rejects expired state itself is not stated here — confirm.
	ExpiresAt time.Time `json:"expires_at"`
}

StateData contains OIDC flow state for CSRF protection. It is stored in the encrypted state cookie by SetState and read back by GetState; the State field must be compared against the state returned on the callback, and ReturnPath should be validated as a local path before redirecting to it.
