Documentation ¶
Overview ¶
Parameters and core models used in the OpenID Connect processing.
Index ¶
- Constants
- Variables
- func ParseGrantTypes(param string) (map[GrantType]struct{}, error)
- func ParsePrompts(param string) (map[Prompt]struct{}, error)
- func ParseScopes(param string) (map[Scope]struct{}, error)
- type AppType
- type AuthMethod
- type ClaimOptions
- type Claims
- type CodeChallengeMethod
- type Display
- type DisplaySet
- type GrantType
- type GrantTypeSet
- type MaxAge
- type Prompt
- type PromptSet
- type RawArray
- func (arr RawArray) ToDisplaySet() DisplaySet
- func (arr RawArray) ToGrantTypeSet() GrantTypeSet
- func (arr RawArray) ToPromptSet() PromptSet
- func (arr RawArray) ToRawSet() map[string]struct{}
- func (arr RawArray) ToRedirectUriSet() RedirectUriSet
- func (arr RawArray) ToResponseModeSet() ResponseModeSet
- func (arr RawArray) ToResponseTypeSet() ResponseTypeSet
- func (arr RawArray) ToScopeSet() ScopeSet
- type RawSet
- type RedirectUri
- type RedirectUriSet
- type ResponseMode
- type ResponseModeSet
- type ResponseType
- type ResponseTypeSet
- type Scope
- type ScopeSet
- type SubjectType
Constants ¶
const ( AppTypeWeb = AppType("web") AppTypeNative = AppType("native") )
const ( AuthMethodClientSecretPost = "client_secret_post" AuthMethodClientSecretBasic = "client_secret_basic" AuthMethodPrivateKeyJwt = "private_key_jwt" AuthMethodNone = "none" )
Available client authentication methods. Note. "client_secret_jwt" is not supported.
const ( SubjectTypePairwise = "pairwise" SubjectTypePublic = "public" )
Available subject types
Variables ¶
var ( // ErrInvalidRequest indicates the request is missing a required parameter, includes an invalid parameter value, // includes a parameter more than once, or is otherwise malformed. ErrInvalidRequest = errors.New("invalid_request") // ErrInvalidGrant indicates the provided authorization grant or refresh token is invalid, expired, revoked, does // not match the redirection URI used in the authorization request, or was issued to another client. ErrInvalidGrant = errors.New("invalid_grant") // ErrInvalidClient indicates client authentication failed (e.g. unknown client, no client authentication included, // or unsupported authentication method). ErrInvalidClient = errors.New("invalid_client") ErrUnauthorizedClient = errors.New("unauthorized_client") // ErrAccessDenied indicates the resource owner or authorization server denied the request. ErrAccessDenied = errors.New("access_denied") // ErrUnsupportedResponseType indicates the authorization server does not support obtaining and authorization code // using this method. ErrUnsupportedResponseType = errors.New("unsupported_response_type") // ErrUnsupportedGrantType indicates the authorization grant type is not supported by the authorization server. ErrUnsupportedGrantType = errors.New("unsupported_grant_type") // ErrInvalidScope indicates the request scope is invalid, unknown, or malformed. ErrInvalidScope = errors.New("invalid_scope") // ErrServerError indicates the authorization server encountered an unexpected condition that prevented it from // fulfilling the request. ErrServerError = errors.New("server_error") // temporary overloading or maintenance of the server. ErrTemporarilyUnavailable = errors.New("temporarily_unavailable") // ErrInteractionRequired indicates the authorization server requires some form of End-User interaction to proceed. // This error may be returned when prompt=none is requested, but the authentication request cannot complete without // user interaction. ErrInteractionRequired = errors.New("interaction_required") // ErrLoginRequired indicates the authorization server requires End-User authentication. This error may be returned // when prompt=none is requested, but the authentication request cannot complete without requesting user to login. ErrLoginRequired = errors.New("login_required") // ErrAccountSelectionRequired indicates the user is required to select a session at the authorization server. This // error may be returned when user has several live session at the authorization server, but prompt=none is requested, // hence the authentication request cannot proceed without asking user to select a session. ErrAccountSelectionRequired = errors.New("account_selection_required") // ErrConsentRequired indicates the authorization server requires End-User consent. This error may be returned when // prompt=none is requested, but the authentication request cannot complete without display an interface to user // and ask for consent. ErrConsentRequired = errors.New("consent_required") // ErrInvalidRequestUri indicates that the "request_uri" returns error or its content is invalid. ErrInvalidRequestUri = errors.New("invalid_request_uri") // ErrInvalidRequestObject indicates the "request" parameter contains an invalid request object. ErrInvalidRequestObject = errors.New("invalid_request_object") // ErrRequestNotSupported indicates the server does not support the use of "request" parameter. ErrRequestNotSupported = errors.New("request_not_supported") // ErrRequestUriNotSupported indicates the server does not support the use of "request_uri" parameter. ErrRequestUriNotSupported = errors.New("request_uri_not_supported") // ErrRegistrationNotSupported indicates the server does not support the use of "registration" parameter. ErrRegistrationNotSupported = errors.New("registration_not_supported") ErrUnauthorized = errors.New("unauthorized") )
Prototype errors. These error are used as roots to be wrapped in other errors.
var ( ErrInvalidRedirectUri = fmt.Errorf(`%w: "redirect_uri" is invalid, relative or contains fragment`, ErrInvalidRequest) ErrInsecureRedirectUri = fmt.Errorf(`%w: "redirect_uri" is not secure`, ErrInvalidRequest) )
var (
ErrInvalidAuthMethod = fmt.Errorf(`%w: "auth_method" is invalid`, ErrInvalidRequest)
)
var ErrInvalidClaims = fmt.Errorf(`"%w: "claims" is invalid`, ErrInvalidRequest)
ErrInvalidClaims indicates that the claims parameter is malformed
var (
ErrInvalidCodeChallengeMethod = fmt.Errorf(`%w: "code_challenge_method" is invalid`, ErrInvalidRequest)
)
var (
ErrInvalidDisplay = fmt.Errorf(`%w: "display" is invalid`, ErrInvalidRequest)
)
var (
ErrInvalidGrantType = fmt.Errorf(`%w: "grant_type" is invalid`, ErrInvalidRequest)
)
var ErrInvalidPrompt = fmt.Errorf(`%w: "prompt" is invalid`, ErrInvalidRequest)
ErrInvalidPrompt indicates "prompt" parameter is invalid.
var (
ErrInvalidResponseMode = fmt.Errorf(`%w: "response_mode" is invalid`, ErrInvalidRequest)
)
var (
ErrInvalidResponseType = fmt.Errorf(`%w: "response_type" is invalid`, ErrInvalidRequest)
)
var (
ErrInvalidSubjectType = fmt.Errorf("%w: subject type is invalid", ErrInvalidRequest)
)
Functions ¶
func ParseGrantTypes ¶
ParseGrantTypes parses the space delimited param into a unique set of grant types.
func ParsePrompts ¶
ParsePrompts parses the space delimited prompt parameter into a unique prompt set. It also checks for the rule that none prompt should not be accompanied by other prompts.
func ParseScopes ¶
ParseScopes parses the space delimited param into a unique set of scopes.
Types ¶
type AuthMethod ¶
type AuthMethod string
authMethod is the client authentication method to be used at the token endpoint.
func (AuthMethod) CheckValid ¶
func (t AuthMethod) CheckValid() error
type ClaimOptions ¶
type ClaimOptions struct { Essential bool `json:"essential"` Value string `json:"value,omitempty"` Values []string `json:"values,omitempty"` }
ClaimOptions represents the options for a single claim
type Claims ¶
type Claims struct { UserInfo map[string]*ClaimOptions `json:"userinfo"` IdToken map[string]*ClaimOptions `json:"id_token"` }
Claims represents the parsed "claims" parameter
func ParseClaims ¶
ParseClaims parses the "claims" parameter, or return ErrInvalidClaims
type CodeChallengeMethod ¶
type CodeChallengeMethod string
const ( CodeChallengeMethodPlain CodeChallengeMethod = "plain" CodeChallengeMethodS256 CodeChallengeMethod = "S256" )
func (CodeChallengeMethod) CheckValid ¶
func (m CodeChallengeMethod) CheckValid() error
type DisplaySet ¶
type DisplaySet map[Display]struct{}
func (DisplaySet) Contains ¶
func (s DisplaySet) Contains(t Display) bool
func (DisplaySet) MarshalJSON ¶
func (s DisplaySet) MarshalJSON() ([]byte, error)
func (DisplaySet) ToRawArray ¶
func (s DisplaySet) ToRawArray() []string
func (DisplaySet) UnmarshalJSON ¶
func (s DisplaySet) UnmarshalJSON(data []byte) error
type GrantType ¶
type GrantType string
const ( GrantTypeAuthorizationCode GrantType = "authorization_code" GrantTypeImplicit GrantType = "implicit" GrantTypeClientCredentials GrantType = "client_credentials" GrantTypeRefreshToken GrantType = "refresh_token" )
Defined values for grant types. Note: "password" grant type is not included as we do not support it.
func (GrantType) CheckValid ¶
type GrantTypeSet ¶
type GrantTypeSet map[GrantType]struct{}
func (GrantTypeSet) Contains ¶
func (s GrantTypeSet) Contains(u GrantType) bool
func (GrantTypeSet) Equals ¶
func (s GrantTypeSet) Equals(another GrantTypeSet) bool
func (GrantTypeSet) MarshalJSON ¶
func (s GrantTypeSet) MarshalJSON() ([]byte, error)
func (GrantTypeSet) ToRawArray ¶
func (s GrantTypeSet) ToRawArray() []string
func (GrantTypeSet) UnmarshalJSON ¶
func (s GrantTypeSet) UnmarshalJSON(data []byte) error
type MaxAge ¶
type MaxAge uint64
MaxAge represents the "max_age" parameter, the maximum number of seconds elapsed since the last successful authentication performed by OP.
const NoMaxAge MaxAge = 0
Special MaxAge to indicate MaxAge was not provided, or there's no restriction on the auth time.
type Prompt ¶
type Prompt string
Prompt represents one of prompts in the space delimited "prompt" parameter.
func (Prompt) CheckValid ¶
CheckValid checks if the Prompt is valid. It returns oauth.ErrInvalidRequest error if value is not one of "none", "login", "consent" or "select_account".
type RawArray ¶
type RawArray []string
func (RawArray) ToDisplaySet ¶
func (arr RawArray) ToDisplaySet() DisplaySet
ToDisplaySet converts the underlying string array to a DisplaySet. Each element in the array is assumed to be a valid display and duplicate items are filtered out.
func (RawArray) ToGrantTypeSet ¶
func (arr RawArray) ToGrantTypeSet() GrantTypeSet
ToGrantTypeSet converts the underlying string array to a GrantTypeSet. Each element in the array is assumed to be a valid grant type and duplicate items are filtered out.
func (RawArray) ToPromptSet ¶
ToPromptSet converts the underlying string array to a PromptSet. Each element in the array is assumed to be a valid prompt and duplicate items are filtered out.
func (RawArray) ToRedirectUriSet ¶
func (arr RawArray) ToRedirectUriSet() RedirectUriSet
ToRedirectUriSet converts the underlying string array to a RedirectUriSet. Each element in the array is assumed to be a valid redirect uri and duplicate items are filtered out.
func (RawArray) ToResponseModeSet ¶
func (arr RawArray) ToResponseModeSet() ResponseModeSet
ToResponseModeSet converts the underlying string array to a ResponseModeSet. Each element in the array is assumed to be a valid response mode and duplicate items are filtered out.
func (RawArray) ToResponseTypeSet ¶
func (arr RawArray) ToResponseTypeSet() ResponseTypeSet
ToResponseTypeSet converts the underlying string array to a ResponseTypeSet. Each element in the array is assumed to be a valid response type and duplicate items are filtered out.
func (RawArray) ToScopeSet ¶
ToScopeSet converts the underlying string array to a ScopeSet. Each element in the array is assumed to be a valid scope and duplicate items are filtered out.
type RedirectUri ¶
type RedirectUri string
func (RedirectUri) CheckValid ¶
func (r RedirectUri) CheckValid() error
CheckValid checks if the redirect uri is well formed, absolute and contains no fragment. Otherwise, ErrInvalidRedirectUri is returned. In addition, redirect uris using "http" protocol must only be originated from localhost or 127.0.0.1, otherwise ErrInsecureRedirectUri is returned.
type RedirectUriSet ¶
type RedirectUriSet map[RedirectUri]struct{}
func (RedirectUriSet) Contains ¶
func (s RedirectUriSet) Contains(u RedirectUri) bool
func (RedirectUriSet) Equals ¶
func (s RedirectUriSet) Equals(another RedirectUriSet) bool
func (RedirectUriSet) MarshalJSON ¶
func (s RedirectUriSet) MarshalJSON() ([]byte, error)
func (RedirectUriSet) ToRawArray ¶
func (s RedirectUriSet) ToRawArray() []string
func (RedirectUriSet) UnmarshalJSON ¶
func (s RedirectUriSet) UnmarshalJSON(data []byte) error
type ResponseMode ¶
type ResponseMode string
ResponseMode represents the "response_mode" parameter
const ( ResponseModeQuery ResponseMode = "query" ResponseModeFragment ResponseMode = "fragment" ResponseModePost ResponseMode = "post" )
func (ResponseMode) CheckValid ¶
func (r ResponseMode) CheckValid() error
type ResponseModeSet ¶
type ResponseModeSet map[ResponseMode]struct{}
ResponseMode represents the "response_mode" parameter
func (ResponseModeSet) Contains ¶
func (s ResponseModeSet) Contains(t ResponseMode) bool
func (ResponseModeSet) MarshalJSON ¶
func (s ResponseModeSet) MarshalJSON() ([]byte, error)
func (ResponseModeSet) ToRawArray ¶
func (s ResponseModeSet) ToRawArray() []string
func (ResponseModeSet) UnmarshalJSON ¶
func (s ResponseModeSet) UnmarshalJSON(data []byte) error
type ResponseType ¶
type ResponseType string
const ( ResponseTypeCode ResponseType = "code" ResponseTypeToken ResponseType = "token" ResponseTypeIdToken ResponseType = "id_token" ResponseTypeCodeIdToken ResponseType = "code id_token" ResponseTypeTokenIdToken ResponseType = "token id_token" ResponseTypeCodeTokenIdToken ResponseType = "code token id_token" )
func (ResponseType) CheckValid ¶
func (t ResponseType) CheckValid() error
type ResponseTypeSet ¶
type ResponseTypeSet map[ResponseType]struct{}
func (ResponseTypeSet) Contains ¶
func (s ResponseTypeSet) Contains(t ResponseType) bool
func (ResponseTypeSet) Equals ¶
func (s ResponseTypeSet) Equals(another ResponseTypeSet) bool
func (ResponseTypeSet) MarshalJSON ¶
func (s ResponseTypeSet) MarshalJSON() ([]byte, error)
func (ResponseTypeSet) ToRawArray ¶
func (s ResponseTypeSet) ToRawArray() []string
func (ResponseTypeSet) UnmarshalJSON ¶
func (s ResponseTypeSet) UnmarshalJSON(data []byte) error
type Scope ¶
type Scope string
The "scope" parameter. Represents a single scope.
const ( // ScopeOfflineAccess triggers generation of refresh token. ScopeOfflineAccess Scope = "offline_access" // ScopeOpenId indicates the need for id token. ScopeOpenId Scope = "openid" // ScopeTigaInteraction allows access to the interaction endpoints of this application ScopeTigaInteraction Scope = "tiga:interaction" // ScopeDynaReadOnly grants access to all read only Dyna services ScopeDynaReadOnly Scope = "dyna:ro" // ScopeProfile requests to access End-User's default profile claims, including // name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, // birthdate, zoneinfo, locale and updated_at. ScopeProfile Scope = "profile" // ScopeEmail requests to access End-User's email and email_verified claims. ScopeEmail Scope = "email" // ScopeAddress requests to access End-User's address claim. ScopeAddress Scope = "address" // ScopePhone requests to access End-User's phone_number and phone_number_verified claims. ScopePhone Scope = "phone" )
Reserved scopes
func (Scope) CheckValid ¶
CheckValid returns error if the Scope is invalid. A Scope must be a string consists of characters in the range of %x21 / %x23-5B / %x5D-7E. If the Scope is invalid, this method returns ErrInvalidScope.
type SubjectType ¶
type SubjectType string
SubjectType is used in Pseudonymous Identifiers calculation
func (SubjectType) CheckValid ¶
func (t SubjectType) CheckValid() error
func (SubjectType) ComputePseudonymousSubject ¶
func (t SubjectType) ComputePseudonymousSubject(subject string, sectorIdentifierUri string, pairwiseSalt []byte) string
ComputePseudonymousSubject calculates the pseudo subject value.