heart

package module
v0.0.0-...-0c46b43 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 25, 2016 License: Apache-2.0 Imports: 15 Imported by: 12

README

Go HEART

This library provides tools for clients to conform to the HEART Working Group profiles. Specifically, it provides tools for creating HEART compliant OAuth 2.0 clients, services that utilize HEART compliant OAuth 2.0 token introspection to allow access as well as HEART compliant OpenID Connect relying parties.

License

Copyright 2016 The MITRE Corporation

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func LogoutHandler 

func LogoutHandler(c *gin.Context)

LogoutHandler allows users to log out by clearing all values from their session

func OAuthIntrospectionHandler 

func OAuthIntrospectionHandler(endpoint, iss, aud string, pk jose.JsonWebKey) gin.HandlerFunc

OAuthIntrospectionHandler creates a gin.HandlerFunc that can be used to introspect OAuth 2.0 tokens provided in the request. endpoint is the address of the authorization server token introspection service. iss is the client id for the introspection client. aud is the audience, which should be the identifier for the authorization server. pk is the private key for the client, so it can sign a JWT to authenticate to the introspection endpoint.

This middleware will abort any requests that do not have an Authorization header. It will also halt requests if the provided bearer token is inactive or expired.

If a valid token is provided, the gin.Context is augmented by setting the following variables: scopes will be a []string containing all scopes valid for the provided token. subject will be an identifier for the user who delegated the authority represented by the token. clientID will contain the identifier for the client issuing the request.

func OIDCAuthenticationHandler 

func OIDCAuthenticationHandler(client Client, op *OpenIDProvider) gin.HandlerFunc

OIDCAuthenticationHandler is a middleware that will check for the presence of a session with a UserInfo value set. If it exists, it will assume that the has logged in at some point. It will then check the session for a token, which will be an OpenIDTokenResponse. If it has not expired, it will set the UserInfo in a UserInfo value on the gin Context. If there is no UserInfo value present in the session or if the OpenIDTokenResponse has expired, the user will be redirected to the provided redirectURI.

func RedirectHandler 

func RedirectHandler(client Client, op *OpenIDProvider, successfulAuthRedirectURL string) gin.HandlerFunc

RedirectHandler provides a gin.HandlerFunc to process the authentication response from an Open ID Provider.

func SetUpRoutes 

func SetUpRoutes(jwkPath, clientID, opURL, serverURL, cookieSecret string, engine *gin.Engine) error

func SignJWT 

func SignJWT(jwt ClientJWT, pk jose.JsonWebKey) (string, error)

SignJWT takes a ClientJWT, marshals it into JSON, signs the JSON with the JWK provided and then returns the blob as a string.

Types

type Client 

type Client struct {
	ISS         string
	AUD         string
	Endpoint    oauth2.Endpoint
	Scopes      []string
	PrivateKey  jose.JsonWebKey
	RedirectURI string
}

Client represents an OAuth 2.0 client that conforms with the HEART profile.

func (Client) AuthURL 

func (c Client) AuthURL(state string) string

AuthURL provides a URL to redirect the client for authorization at the authorization server

func (Client) Exchange 

func (c Client) Exchange(code string) (*oauth2.Token, error)

Exchange swaps an authorization code for a token. This exchange is compliant with the HEART profile for requests to the token endpoint as defined by: http://openid.bitbucket.org/HEART/openid-heart-oauth2.html#rfc.section.2.2

type ClientJWT 

type ClientJWT struct {
	ISS string `json:"iss"`
	SUB string `json:"sub"`
	AUD string `json:"aud"`
	IAT int64  `json:"iat"`
	EXP int64  `json:"exp"`
	JTI string `json:"jti"`
}

ClientJWT represents the JWT used to authenticate a client to a token endpoint as specified in Health Relationship Trust Profile for OAuth 2.0 - Section 2.2: http://openid.bitbucket.org/HEART/openid-heart-oauth2.html#rfc.section.2.2

func NewClientJWT 

func NewClientJWT(iss string, aud string) ClientJWT

NewClientJWT creates a ClientJWT. ISS and SUB are set to the same thing. IAT is set to the current time and EXP is set 60 seconds later.

type IntrospectionResponse 

type IntrospectionResponse struct {
	Active   bool   `json:"active"`
	Scope    string `json:"scope"`
	EXP      int64  `json:"exp"`
	SUB      string `json:"sub"`
	ClientID string `json:"client_id"`
}

IntrospectionResponse is the response provided by a HEART compliant OAuth 2.0 token introspection endpoint as defined at: http://openid.bitbucket.org/HEART/openid-heart-oauth2.html#rfc.section.4.4

func IntrospectToken 

func IntrospectToken(endpoint, token, clientID, clientAssertion string) (IntrospectionResponse, error)

IntrospectToken provides a way to contact the introspection endpoint specified in the endpoint parameter. Token is the opaque token provided by a client attempting to access a resource. clientID is the identifier for the introspection client, not the if for the client attempting to access the resource. clientAssertion is the signed JWT that will be used to assert the identity of this introspection client.

func (IntrospectionResponse) ExpirationTime 

func (ir IntrospectionResponse) ExpirationTime() time.Time

ExpirationTime converts the EXP value from seconds since the epoch into a Time struct

func (IntrospectionResponse) SplitScope 

func (ir IntrospectionResponse) SplitScope() []string

SplitScope is a convenience function to split the scope value on spaces to get a list of scopes for the provided token

type OPConfig 

type OPConfig struct {
	IntrospectionEndpoint string `json:"introspection_endpoint"`
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JWKSURI               string `json:"jwks_uri"`
	UserInfoEndpoint      string `json:"userinfo_endpoint"`
}

OPConfig represents the configuration information for an OpenID Connect Provider. It is specified here: http://openid.net/specs/openid-connect-discovery-1_0-21.html#ProviderMetadata

type OpenIDProvider 

type OpenIDProvider struct {
	Config OPConfig
	Keys   jose.JsonWebKeySet
}

OpenIDProvider is a representation of an OpenID Connect Provider. It is expected that one will be created using NewOpenIDProvider

func NewOpenIDProvider 

func NewOpenIDProvider(issuerURL string) (*OpenIDProvider, error)

NewOpenIDProvider creates an OpenIDProvider by retrieving its configuration information using OpenID Connect Discovery. See http://openid.net/specs/openid-connect-discovery-1_0-21.html for details

func (*OpenIDProvider) AuthURL 

func (op *OpenIDProvider) AuthURL(c Client, state string) string

AuthURL generates the URL to redirect a client to start the authentication process as described here: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

func (*OpenIDProvider) Exchange 

func (op *OpenIDProvider) Exchange(code string, c Client) (*OpenIDTokenResponse, error)

Exchange takes the authorization code and swaps it for the various sets of token that an OpenIDProvider can return

func (*OpenIDProvider) FetchKey 

func (op *OpenIDProvider) FetchKey() error

FetchKey looks at the JWKSURI in the OPConfig, pulls down the key set and parses the keys

func (*OpenIDProvider) UserInfo 

func (op *OpenIDProvider) UserInfo(accessToken string) (*UserInfo, error)

UserInfo retrieves information about the user from the OpenIDProvider

func (*OpenIDProvider) Validate 

func (op *OpenIDProvider) Validate(token string) (bool, error)

Validate checks the token against the Keys for this OpenIDProvider. It is assumed that a user will invoke FetchKey before calling this function.

type OpenIDTokenResponse 

type OpenIDTokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn    int64  `json:"expires_in"`
	Expiration   time.Time
	IDToken      string `json:"id_token"`
}

OpenIDTokenResponse represents the response from and OpenIDProvider's token endpoint when exchanging an authorization code

func (*OpenIDTokenResponse) UnmarshalJSON 

func (resp *OpenIDTokenResponse) UnmarshalJSON(data []byte) (err error)

UnmarshalJSON sets the Expiration to a Time based on the current time and the expires_in passed in

type UserInfo 

type UserInfo struct {
	SUB               string `json:"sub"`
	Name              string `json:"name"`
	PreferredUsername string `json:"preferred_username"`
	Email             string `json:"email"`
	EmailVerified     bool   `json:"email_verified"`
}

UserInfo represents the information provided by an OpenID Connect UserInfo endpoint

Source Files

View all Source files

Directories

Path Synopsis
examples
oidc-rp

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.