oidc

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 5, 2020 License: MIT Imports: 7 Imported by: 0

Documentation

Overview

Parameters and core models used in the OpenID Connect processing.

Index

Constants

View Source 
const (
	AppTypeWeb    = AppType("web")
	AppTypeNative = AppType("native")
)
View Source 
const (
	AuthMethodClientSecretPost  = "client_secret_post"
	AuthMethodClientSecretBasic = "client_secret_basic"
	AuthMethodPrivateKeyJwt     = "private_key_jwt"
	AuthMethodNone              = "none"
)

Available client authentication methods. Note. "client_secret_jwt" is not supported.

View Source 
const (
	SubjectTypePairwise = "pairwise"
	SubjectTypePublic   = "public"
)

Available subject types

Variables

View Source 
var (
	// ErrInvalidRequest indicates the request is missing a required parameter, includes an invalid parameter value,
	// includes a parameter more than once, or is otherwise malformed.
	ErrInvalidRequest = errors.New("invalid_request")

	// ErrInvalidGrant indicates the provided authorization grant or refresh token is invalid, expired, revoked, does
	// not match the redirection URI used in the authorization request, or was issued to another client.
	ErrInvalidGrant = errors.New("invalid_grant")

	// ErrInvalidClient indicates client authentication failed (e.g. unknown client, no client authentication included,
	// or unsupported authentication method).
	ErrInvalidClient = errors.New("invalid_client")

	// ErrUnauthorizedClient indicates the client is not authorized to request an authorization code using this method.
	ErrUnauthorizedClient = errors.New("unauthorized_client")

	// ErrAccessDenied indicates the resource owner or authorization server denied the request.
	ErrAccessDenied = errors.New("access_denied")

	// ErrUnsupportedResponseType indicates the authorization server does not support obtaining and authorization code
	// using this method.
	ErrUnsupportedResponseType = errors.New("unsupported_response_type")

	// ErrUnsupportedGrantType indicates the authorization grant type is not supported by the authorization server.
	ErrUnsupportedGrantType = errors.New("unsupported_grant_type")

	// ErrInvalidScope indicates the request scope is invalid, unknown, or malformed.
	ErrInvalidScope = errors.New("invalid_scope")

	// ErrServerError indicates the authorization server encountered an unexpected condition that prevented it from
	// fulfilling the request.
	ErrServerError = errors.New("server_error")

	// ErrTemporarilyUnavailable indicates the authorization server is currently unable to handle the request due to a
	// temporary overloading or maintenance of the server.
	ErrTemporarilyUnavailable = errors.New("temporarily_unavailable")

	// ErrInteractionRequired indicates the authorization server requires some form of End-User interaction to proceed.
	// This error may be returned when prompt=none is requested, but the authentication request cannot complete without
	// user interaction.
	ErrInteractionRequired = errors.New("interaction_required")

	// ErrLoginRequired indicates the authorization server requires End-User authentication. This error may be returned
	// when prompt=none is requested, but the authentication request cannot complete without requesting user to login.
	ErrLoginRequired = errors.New("login_required")

	// ErrAccountSelectionRequired indicates the user is required to select a session at the authorization server. This
	// error may be returned when user has several live session at the authorization server, but prompt=none is requested,
	// hence the authentication request cannot proceed without asking user to select a session.
	ErrAccountSelectionRequired = errors.New("account_selection_required")

	// ErrConsentRequired indicates the authorization server requires End-User consent. This error may be returned when
	// prompt=none is requested, but the authentication request cannot complete without display an interface to user
	// and ask for consent.
	ErrConsentRequired = errors.New("consent_required")

	// ErrInvalidRequestUri indicates that the "request_uri" returns error or its content is invalid.
	ErrInvalidRequestUri = errors.New("invalid_request_uri")

	// ErrInvalidRequestObject indicates the "request" parameter contains an invalid request object.
	ErrInvalidRequestObject = errors.New("invalid_request_object")

	// ErrRequestNotSupported indicates the server does not support the use of "request" parameter.
	ErrRequestNotSupported = errors.New("request_not_supported")

	// ErrRequestUriNotSupported indicates the server does not support the use of "request_uri" parameter.
	ErrRequestUriNotSupported = errors.New("request_uri_not_supported")

	// ErrRegistrationNotSupported indicates the server does not support the use of "registration" parameter.
	ErrRegistrationNotSupported = errors.New("registration_not_supported")

	// ErrUnauthorized indicates client does not have enough permission to access the resource.
	ErrUnauthorized = errors.New("unauthorized")
)

Prototype errors. These error are used as roots to be wrapped in other errors.

View Source 
var (
	ErrInvalidRedirectUri  = fmt.Errorf(`%w: "redirect_uri" is invalid, relative or contains fragment`, ErrInvalidRequest)
	ErrInsecureRedirectUri = fmt.Errorf(`%w: "redirect_uri" is not secure`, ErrInvalidRequest)
)
View Source 
var (
	ErrInvalidAuthMethod = fmt.Errorf(`%w: "auth_method" is invalid`, ErrInvalidRequest)
)
View Source 
var ErrInvalidClaims = fmt.Errorf(`"%w: "claims" is invalid`, ErrInvalidRequest)

ErrInvalidClaims indicates that the claims parameter is malformed

View Source 
var (
	ErrInvalidCodeChallengeMethod = fmt.Errorf(`%w: "code_challenge_method" is invalid`, ErrInvalidRequest)
)
View Source 
var (
	ErrInvalidDisplay = fmt.Errorf(`%w: "display" is invalid`, ErrInvalidRequest)
)
View Source 
var (
	ErrInvalidGrantType = fmt.Errorf(`%w: "grant_type" is invalid`, ErrInvalidRequest)
)
View Source 
var ErrInvalidPrompt = fmt.Errorf(`%w: "prompt" is invalid`, ErrInvalidRequest)

ErrInvalidPrompt indicates "prompt" parameter is invalid.

View Source 
var (
	ErrInvalidResponseMode = fmt.Errorf(`%w: "response_mode" is invalid`, ErrInvalidRequest)
)
View Source 
var (
	ErrInvalidResponseType = fmt.Errorf(`%w: "response_type" is invalid`, ErrInvalidRequest)
)
View Source 
var (
	ErrInvalidSubjectType = fmt.Errorf("%w: subject type is invalid", ErrInvalidRequest)
)

Functions

func ParseGrantTypes 

func ParseGrantTypes(param string) (map[GrantType]struct{}, error)

ParseGrantTypes parses the space delimited param into a unique set of grant types.

func ParsePrompts 

func ParsePrompts(param string) (map[Prompt]struct{}, error)

ParsePrompts parses the space delimited prompt parameter into a unique prompt set. It also checks for the rule that none prompt should not be accompanied by other prompts.

func ParseScopes 

func ParseScopes(param string) (map[Scope]struct{}, error)

ParseScopes parses the space delimited param into a unique set of scopes.

Types

type AppType 

type AppType string

AppType is application type

type AuthMethod 

type AuthMethod string

authMethod is the client authentication method to be used at the token endpoint.

func (AuthMethod) CheckValid 

func (t AuthMethod) CheckValid() error

type ClaimOptions 

type ClaimOptions struct {
	Essential bool     `json:"essential"`
	Value     string   `json:"value,omitempty"`
	Values    []string `json:"values,omitempty"`
}

ClaimOptions represents the options for a single claim

type Claims 

type Claims struct {
	UserInfo map[string]*ClaimOptions `json:"userinfo"`
	IdToken  map[string]*ClaimOptions `json:"id_token"`
}

Claims represents the parsed "claims" parameter

func ParseClaims 

func ParseClaims(param string) (*Claims, error)

ParseClaims parses the "claims" parameter, or return ErrInvalidClaims

func (*Claims) HasClaim 

func (c *Claims) HasClaim(name string) bool

HasClaim returns true if the given claim is included in either userinfo claims or id_token claims

type CodeChallengeMethod 

type CodeChallengeMethod string
const (
	CodeChallengeMethodPlain CodeChallengeMethod = "plain"
	CodeChallengeMethodS256  CodeChallengeMethod = "S256"
)

func (CodeChallengeMethod) CheckValid 

func (m CodeChallengeMethod) CheckValid() error

type Display 

type Display string
const (
	DisplayPage  Display = "page"
	DisplayPopup Display = "popup"
	DisplayTouch Display = "touch"
	DisplayWap   Display = "wap"
)

func (Display) CheckValid 

func (d Display) CheckValid() error

type DisplaySet 

type DisplaySet map[Display]struct{}

func (DisplaySet) Contains 

func (s DisplaySet) Contains(t Display) bool

func (DisplaySet) MarshalJSON 

func (s DisplaySet) MarshalJSON() ([]byte, error)

func (DisplaySet) ToRawArray 

func (s DisplaySet) ToRawArray() []string

func (DisplaySet) UnmarshalJSON 

func (s DisplaySet) UnmarshalJSON(data []byte) error

type GrantType 

type GrantType string
const (
	GrantTypeAuthorizationCode GrantType = "authorization_code"
	GrantTypeImplicit          GrantType = "implicit"
	GrantTypeClientCredentials GrantType = "client_credentials"
	GrantTypeRefreshToken      GrantType = "refresh_token"
)

Defined values for grant types. Note: "password" grant type is not included as we do not support it.

func (GrantType) CheckValid 

func (t GrantType) CheckValid() error

type GrantTypeSet 

type GrantTypeSet map[GrantType]struct{}

func (GrantTypeSet) Contains 

func (s GrantTypeSet) Contains(u GrantType) bool

func (GrantTypeSet) Equals 

func (s GrantTypeSet) Equals(another GrantTypeSet) bool

func (GrantTypeSet) MarshalJSON 

func (s GrantTypeSet) MarshalJSON() ([]byte, error)

func (GrantTypeSet) ToRawArray 

func (s GrantTypeSet) ToRawArray() []string

func (GrantTypeSet) UnmarshalJSON 

func (s GrantTypeSet) UnmarshalJSON(data []byte) error

type MaxAge 

type MaxAge uint64

MaxAge represents the "max_age" parameter, the maximum number of seconds elapsed since the last successful authentication performed by OP. 

const NoMaxAge MaxAge = 0

Special MaxAge to indicate MaxAge was not provided, or there's no restriction on the auth time.

type Prompt 

type Prompt string

Prompt represents one of prompts in the space delimited "prompt" parameter. 

const (
	PromptNone          Prompt = "none"
	PromptLogin         Prompt = "login"
	PromptConsent       Prompt = "consent"
	PromptSelectAccount Prompt = "select_account"
)

func (Prompt) CheckValid 

func (p Prompt) CheckValid() error

CheckValid checks if the Prompt is valid. It returns oauth.ErrInvalidRequest error if value is not one of "none", "login", "consent" or "select_account".

type PromptSet 

type PromptSet map[Prompt]struct{}

A set of prompts

func (PromptSet) ToRawArray 

func (s PromptSet) ToRawArray() []string

type RawArray 

type RawArray []string

func (RawArray) ToDisplaySet 

func (arr RawArray) ToDisplaySet() DisplaySet

ToDisplaySet converts the underlying string array to a DisplaySet. Each element in the array is assumed to be a valid display and duplicate items are filtered out.

func (RawArray) ToGrantTypeSet 

func (arr RawArray) ToGrantTypeSet() GrantTypeSet

ToGrantTypeSet converts the underlying string array to a GrantTypeSet. Each element in the array is assumed to be a valid grant type and duplicate items are filtered out.

func (RawArray) ToPromptSet 

func (arr RawArray) ToPromptSet() PromptSet

ToPromptSet converts the underlying string array to a PromptSet. Each element in the array is assumed to be a valid prompt and duplicate items are filtered out.

func (RawArray) ToRawSet 

func (arr RawArray) ToRawSet() map[string]struct{}

func (RawArray) ToRedirectUriSet 

func (arr RawArray) ToRedirectUriSet() RedirectUriSet

ToRedirectUriSet converts the underlying string array to a RedirectUriSet. Each element in the array is assumed to be a valid redirect uri and duplicate items are filtered out.

func (RawArray) ToResponseModeSet 

func (arr RawArray) ToResponseModeSet() ResponseModeSet

ToResponseModeSet converts the underlying string array to a ResponseModeSet. Each element in the array is assumed to be a valid response mode and duplicate items are filtered out.

func (RawArray) ToResponseTypeSet 

func (arr RawArray) ToResponseTypeSet() ResponseTypeSet

ToResponseTypeSet converts the underlying string array to a ResponseTypeSet. Each element in the array is assumed to be a valid response type and duplicate items are filtered out.

func (RawArray) ToScopeSet 

func (arr RawArray) ToScopeSet() ScopeSet

ToScopeSet converts the underlying string array to a ScopeSet. Each element in the array is assumed to be a valid scope and duplicate items are filtered out.

type RawSet 

type RawSet map[string]struct{}

type RedirectUri 

type RedirectUri string

func (RedirectUri) CheckValid 

func (r RedirectUri) CheckValid() error

CheckValid checks if the redirect uri is well formed, absolute and contains no fragment. Otherwise, ErrInvalidRedirectUri is returned. In addition, redirect uris using "http" protocol must only be originated from localhost or 127.0.0.1, otherwise ErrInsecureRedirectUri is returned.

type RedirectUriSet 

type RedirectUriSet map[RedirectUri]struct{}

func (RedirectUriSet) Contains 

func (s RedirectUriSet) Contains(u RedirectUri) bool

func (RedirectUriSet) Equals 

func (s RedirectUriSet) Equals(another RedirectUriSet) bool

func (RedirectUriSet) MarshalJSON 

func (s RedirectUriSet) MarshalJSON() ([]byte, error)

func (RedirectUriSet) ToRawArray 

func (s RedirectUriSet) ToRawArray() []string

func (RedirectUriSet) UnmarshalJSON 

func (s RedirectUriSet) UnmarshalJSON(data []byte) error

type ResponseMode 

type ResponseMode string

ResponseMode represents the "response_mode" parameter 

const (
	ResponseModeQuery    ResponseMode = "query"
	ResponseModeFragment ResponseMode = "fragment"
	ResponseModePost     ResponseMode = "post"
)

func (ResponseMode) CheckValid 

func (r ResponseMode) CheckValid() error

type ResponseModeSet 

type ResponseModeSet map[ResponseMode]struct{}

ResponseMode represents the "response_mode" parameter

func (ResponseModeSet) Contains 

func (s ResponseModeSet) Contains(t ResponseMode) bool

func (ResponseModeSet) MarshalJSON 

func (s ResponseModeSet) MarshalJSON() ([]byte, error)

func (ResponseModeSet) ToRawArray 

func (s ResponseModeSet) ToRawArray() []string

func (ResponseModeSet) UnmarshalJSON 

func (s ResponseModeSet) UnmarshalJSON(data []byte) error

type ResponseType 

type ResponseType string
const (
	ResponseTypeCode             ResponseType = "code"
	ResponseTypeToken            ResponseType = "token"
	ResponseTypeIdToken          ResponseType = "id_token"
	ResponseTypeCodeIdToken      ResponseType = "code id_token"
	ResponseTypeTokenIdToken     ResponseType = "token id_token"
	ResponseTypeCodeTokenIdToken ResponseType = "code token id_token"
)

func (ResponseType) CheckValid 

func (t ResponseType) CheckValid() error

type ResponseTypeSet 

type ResponseTypeSet map[ResponseType]struct{}

func (ResponseTypeSet) Contains 

func (s ResponseTypeSet) Contains(t ResponseType) bool

func (ResponseTypeSet) Equals 

func (s ResponseTypeSet) Equals(another ResponseTypeSet) bool

func (ResponseTypeSet) MarshalJSON 

func (s ResponseTypeSet) MarshalJSON() ([]byte, error)

func (ResponseTypeSet) ToRawArray 

func (s ResponseTypeSet) ToRawArray() []string

func (ResponseTypeSet) UnmarshalJSON 

func (s ResponseTypeSet) UnmarshalJSON(data []byte) error

type Scope 

type Scope string

The "scope" parameter. Represents a single scope. 

const (
	// ScopeOfflineAccess triggers generation of refresh token.
	ScopeOfflineAccess Scope = "offline_access"
	// ScopeOpenId indicates the need for id token.
	ScopeOpenId Scope = "openid"
	// ScopeTigaInteraction allows access to the interaction endpoints of this application
	ScopeTigaInteraction Scope = "tiga:interaction"
	// ScopeDynaReadOnly grants access to all read only Dyna services
	ScopeDynaReadOnly Scope = "dyna:ro"
	// ScopeProfile requests to access End-User's default profile claims, including
	// name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender,
	// birthdate, zoneinfo, locale and updated_at.
	ScopeProfile Scope = "profile"
	// ScopeEmail requests to access End-User's email and email_verified claims.
	ScopeEmail Scope = "email"
	// ScopeAddress requests to access End-User's address claim.
	ScopeAddress Scope = "address"
	// ScopePhone requests to access End-User's phone_number and phone_number_verified claims.
	ScopePhone Scope = "phone"
)

Reserved scopes

func (Scope) CheckValid 

func (s Scope) CheckValid() error

CheckValid returns error if the Scope is invalid. A Scope must be a string consists of characters in the range of %x21 / %x23-5B / %x5D-7E. If the Scope is invalid, this method returns ErrInvalidScope.

type ScopeSet 

type ScopeSet map[Scope]struct{}

A set of scopes

func (ScopeSet) ToRawArray 

func (s ScopeSet) ToRawArray() []string

type SubjectType 

type SubjectType string

SubjectType is used in Pseudonymous Identifiers calculation

func (SubjectType) CheckValid 

func (t SubjectType) CheckValid() error

func (SubjectType) ComputePseudonymousSubject 

func (t SubjectType) ComputePseudonymousSubject(subject string, sectorIdentifierUri string, pairwiseSalt []byte) string

ComputePseudonymousSubject calculates the pseudo subject value.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.