authserver

package
Published: Nov 23, 2022 License: Apache-2.0 Imports: 26 Imported by: 0


Constants

This section is empty.

Variables

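// Package-level error values. The two plain errors are sentinels callers
// compare with errors.Is; the *RFC6749Error values carry the OAuth 2.0 /
// OpenID Connect error code (ErrorField), a human-readable description and
// optional hint, and the HTTP status they are answered with (CodeField).
var (
	// ErrInvalidatedAuthorizeCode is an error indicating that an authorization code has been
	// used previously.
	ErrInvalidatedAuthorizeCode = errors.New("Authorization code has been invalidated")
	// ErrSerializationFailure is an error indicating that the transactional capable storage could not guarantee
	// consistency of Update & Delete operations on the same rows between multiple sessions.
	ErrSerializationFailure = errors.New("The request could not be completed due to concurrent access")
	// ErrUnknownRequest signals that the handler is not responsible for this request (HTTP 400).
	ErrUnknownRequest = &RFC6749Error{
		ErrorField:       errUnknownErrorName,
		DescriptionField: "The handler is not responsible for this request.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrRequestForbidden rejects an action the caller is not allowed to perform (HTTP 403).
	ErrRequestForbidden = &RFC6749Error{
		ErrorField:       errRequestForbidden,
		DescriptionField: "The request is not allowed.",
		HintField:        "You are not allowed to perform this action.",
		CodeField:        http.StatusForbidden,
	}
	// ErrInvalidRequest is the generic malformed-request error (HTTP 400).
	ErrInvalidRequest = &RFC6749Error{
		ErrorField:       errInvalidRequestName,
		DescriptionField: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.",
		HintField:        "Make sure that the various parameters are correct, be aware of case sensitivity and trim your parameters. Make sure that the client you are using has exactly whitelisted the redirect_uri you specified.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrUnauthorizedClient is returned when the client may not use this grant/method (HTTP 400).
	ErrUnauthorizedClient = &RFC6749Error{
		ErrorField:       errUnauthorizedClientName,
		DescriptionField: "The client is not authorized to request a token using this method.",
		HintField:        "Make sure that client id and secret are correctly specified and that the client exists.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrAccessDenied is returned when the resource owner or server denies the request (HTTP 403).
	ErrAccessDenied = &RFC6749Error{
		ErrorField:       errAccessDeniedName,
		DescriptionField: "The resource owner or authorization server denied the request.",
		HintField:        "Make sure that the request you are making is valid. Maybe the credential or request parameters you are using are limited in scope or otherwise restricted.",
		CodeField:        http.StatusForbidden,
	}
	// ErrUnsupportedResponseType rejects an unknown response_type (HTTP 400).
	ErrUnsupportedResponseType = &RFC6749Error{
		ErrorField:       errUnsupportedResponseTypeName,
		DescriptionField: "The authorization server does not support obtaining a token using this method.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrUnsupportedResponseMode rejects an unknown response_mode (HTTP 400).
	ErrUnsupportedResponseMode = &RFC6749Error{
		ErrorField:       errUnsupportedResponseModeName,
		DescriptionField: "The authorization server does not support obtaining a response using this response mode.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrInvalidScope rejects an invalid, unknown or malformed scope (HTTP 400).
	ErrInvalidScope = &RFC6749Error{
		ErrorField:       errInvalidScopeName,
		DescriptionField: "The requested scope is invalid, unknown, or malformed.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrServerError reports an unexpected server-side failure (HTTP 500).
	ErrServerError = &RFC6749Error{
		ErrorField:       errServerErrorName,
		DescriptionField: "The authorization server encountered an unexpected condition that prevented it from fulfilling the request.",
		CodeField:        http.StatusInternalServerError,
	}
	// ErrTemporarilyUnavailable reports overload or maintenance (HTTP 503).
	ErrTemporarilyUnavailable = &RFC6749Error{
		ErrorField:       errTemporarilyUnavailableName,
		DescriptionField: "The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.",
		CodeField:        http.StatusServiceUnavailable,
	}
	// ErrUnsupportedGrantType rejects an unknown grant_type (HTTP 400).
	ErrUnsupportedGrantType = &RFC6749Error{
		ErrorField:       errUnsupportedGrantTypeName,
		DescriptionField: "The authorization grant type is not supported by the authorization server.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrInvalidGrant rejects an invalid, expired, revoked or mismatched grant (HTTP 400).
	ErrInvalidGrant = &RFC6749Error{
		ErrorField:       errInvalidGrantName,
		DescriptionField: "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrInvalidClient reports a client authentication failure (HTTP 401).
	ErrInvalidClient = &RFC6749Error{
		ErrorField:       errInvalidClientName,
		DescriptionField: "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).",
		CodeField:        http.StatusUnauthorized,
	}
	// ErrInvalidState rejects a missing or too-short state parameter (HTTP 400).
	ErrInvalidState = &RFC6749Error{
		ErrorField:       errInvalidStateName,
		DescriptionField: "The state is missing or does not have enough characters and is therefore considered too weak.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrMisconfiguration reports an internal error attributed to configuration (HTTP 500).
	ErrMisconfiguration = &RFC6749Error{
		ErrorField:       errMisconfigurationName,
		DescriptionField: "The request failed because of an internal error that is probably caused by misconfiguration.",
		CodeField:        http.StatusInternalServerError,
	}
	// ErrInsufficientEntropy rejects a security parameter with too little entropy (HTTP 400).
	ErrInsufficientEntropy = &RFC6749Error{
		ErrorField:       errInsufficientEntropyName,
		DescriptionField: "The request used a security parameter (e.g., anti-replay, anti-csrf) with insufficient entropy.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrNotFound reports a missing resource (HTTP 404).
	ErrNotFound = &RFC6749Error{
		ErrorField:       errNotFoundName,
		DescriptionField: "Could not find the requested resource(s).",
		CodeField:        http.StatusNotFound,
	}
	// ErrRequestUnauthorized reports missing or invalid request credentials (HTTP 401).
	ErrRequestUnauthorized = &RFC6749Error{
		ErrorField:       errRequestUnauthorizedName,
		DescriptionField: "The request could not be authorized.",
		HintField:        "Check that you provided valid credentials in the right format.",
		CodeField:        http.StatusUnauthorized,
	}
	// ErrTokenSignatureMismatch reports a token whose signature does not verify (HTTP 400).
	ErrTokenSignatureMismatch = &RFC6749Error{
		ErrorField:       errTokenSignatureMismatchName,
		DescriptionField: "Token signature mismatch.",
		HintField:        "Check that you provided  a valid token in the right format.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrInvalidTokenFormat reports a token that could not be parsed (HTTP 400).
	ErrInvalidTokenFormat = &RFC6749Error{
		ErrorField:       errInvalidTokenFormatName,
		DescriptionField: "Invalid token format.",
		HintField:        "Check that you provided a valid token in the right format.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrTokenExpired reports an expired token (HTTP 401).
	ErrTokenExpired = &RFC6749Error{
		ErrorField:       errTokenExpiredName,
		DescriptionField: "Token expired.",
		HintField:        "The token expired.",
		CodeField:        http.StatusUnauthorized,
	}
	// ErrScopeNotGranted reports a token lacking the requested scope (HTTP 403).
	ErrScopeNotGranted = &RFC6749Error{
		ErrorField:       errScopeNotGrantedName,
		DescriptionField: "The token was not granted the requested scope.",
		HintField:        "The resource owner did not grant the requested scope.",
		CodeField:        http.StatusForbidden,
	}
	// ErrTokenClaim reports a claim validation failure (HTTP 401).
	ErrTokenClaim = &RFC6749Error{
		ErrorField:       errTokenClaimName,
		DescriptionField: "The token failed validation due to a claim mismatch.",
		HintField:        "One or more token claims failed validation.",
		CodeField:        http.StatusUnauthorized,
	}
	// ErrInactiveToken reports a malformed, expired or otherwise invalid token (HTTP 401).
	ErrInactiveToken = &RFC6749Error{
		ErrorField:       errTokenInactiveName,
		DescriptionField: "Token is inactive because it is malformed, expired or otherwise invalid.",
		HintField:        "Token validation failed.",
		CodeField:        http.StatusUnauthorized,
	}
	// ErrLoginRequired is the OpenID Connect login_required error (HTTP 400).
	ErrLoginRequired = &RFC6749Error{
		ErrorField:       errLoginRequired,
		DescriptionField: "The Authorization Server requires End-User authentication.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrInteractionRequired is the OpenID Connect interaction_required error (HTTP 400).
	ErrInteractionRequired = &RFC6749Error{
		ErrorField:       errInteractionRequired,
		DescriptionField: "The Authorization Server requires End-User interaction of some form to proceed.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrConsentRequired is the OpenID Connect consent_required error (HTTP 400).
	ErrConsentRequired = &RFC6749Error{
		ErrorField:       errConsentRequired,
		DescriptionField: "The Authorization Server requires End-User consent.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrRequestNotSupported rejects use of the request parameter (HTTP 400).
	ErrRequestNotSupported = &RFC6749Error{
		ErrorField:       errRequestNotSupportedName,
		DescriptionField: "The OP does not support use of the request parameter.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrRequestURINotSupported rejects use of the request_uri parameter (HTTP 400).
	ErrRequestURINotSupported = &RFC6749Error{
		ErrorField:       errRequestURINotSupportedName,
		DescriptionField: "The OP does not support use of the request_uri parameter.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrRegistrationNotSupported rejects use of the registration parameter (HTTP 400).
	ErrRegistrationNotSupported = &RFC6749Error{
		ErrorField:       errRegistrationNotSupportedName,
		DescriptionField: "The OP does not support use of the registration parameter.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrInvalidRequestURI reports a request_uri that errors or yields invalid data (HTTP 400).
	ErrInvalidRequestURI = &RFC6749Error{
		ErrorField:       errInvalidRequestURI,
		DescriptionField: "The request_uri in the Authorization Request returns an error or contains invalid data.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrInvalidRequestObject reports an invalid Request Object in the request parameter (HTTP 400).
	ErrInvalidRequestObject = &RFC6749Error{
		ErrorField:       errInvalidRequestObject,
		DescriptionField: "The request parameter contains an invalid Request Object.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrJTIKnown rejects a replayed jti (HTTP 400).
	ErrJTIKnown = &RFC6749Error{
		ErrorField:       errJTIKnownName,
		DescriptionField: "The jti was already used.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrInvalidRedirectURI rejects an invalid redirect_uri (HTTP 400).
	ErrInvalidRedirectURI = &RFC6749Error{
		ErrorField:       errInvalidRedirectURI,
		DescriptionField: "The redirect_uri was invalid.",
		CodeField:        http.StatusBadRequest,
	}
	// ErrInvalidClientMetadata rejects invalid client metadata during dynamic
	// registration (HTTP 400). Its description previously duplicated
	// ErrInvalidRedirectURI's, which misreported the actual failure to clients.
	ErrInvalidClientMetadata = &RFC6749Error{
		ErrorField:       errInvalidClientMetadata,
		DescriptionField: "The value of one of the client metadata fields is invalid and the server has rejected this request.",
		CodeField:        http.StatusBadRequest,
	}
)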

Functions

func CreateCodeChallenge

func CreateCodeChallenge(codeVerifier string) (codeChallenge string)

func VerifyCodeChallenge

func VerifyCodeChallenge(codeChallenge, codeVerifier string) error

Types

type AMR

// AMR is an Authentication Methods Reference value. The string constants
// below match the identifiers registered by RFC 8176 ("amr" claim values);
// where this package emits them is not visible from this listing.
type AMR string

// Known AMR values.
const (
	HardwareKey AMR = "hwk" // proof of possession of a hardware-secured key
	SoftwareKey AMR = "swk" // proof of possession of a software-secured key
	PIN         AMR = "pin" // personal identification number or pattern
	Fingerprint AMR = "fpt" // fingerprint biometric
	MultiFactor AMR = "mfa" // multiple-factor authentication
)

type AuthorizationServer

// AuthorizationServer is the HTTP mux hosting this package's endpoints; it
// embeds http.ServeMux, so the value itself is an http.Handler (which routes
// are registered is done in New and is not visible from this listing).
//
// NOTE(review): http.ServeMux contains a sync.RWMutex, so returning or
// passing an AuthorizationServer by value (as New's signature does) copies a
// lock and is flagged by go vet's copylocks check; handing out a
// *AuthorizationServer would avoid that.
type AuthorizationServer struct {
	http.ServeMux
}

func New

func New(rpID string, origin string, privateECDSAKey *ecdsa.PrivateKey, clientSecretKey []byte, firesstoreClient *firestore.Client) AuthorizationServer

TODO: because we are dynamic, we must support both the implicit and authorization code grants.

type AuthorizeRequest

// AuthorizeRequest holds the parameters of an authorization endpoint request.
// Field names mirror the query/JSON parameter names in the tags; all values
// are kept as strings exactly as received (MaxAge included), so any parsing
// or validation happens in the consumers, not here.
type AuthorizeRequest struct {
	Request             string `json:"request,omitempty"`               // Request Object (JWT) passed by value
	ResponseType        string `json:"response_type,omitempty"`         // e.g. code / token; accepted values not visible here
	ClientID            string `json:"client_id,omitempty"`             // registered client identifier
	RedirectURI         string `json:"redirect_uri,omitempty"`          // must be one of the client's registered redirect URIs (see ErrInvalidRequest hint)
	RequestURI          string `json:"request_uri,omitempty"`           // Request Object passed by reference
	Prompt              string `json:"prompt,omitempty"`                // OpenID Connect prompt parameter
	State               string `json:"state,omitempty"`                 // opaque client state; see ErrInvalidState for the minimum-length rule
	Scope               string `json:"scope,omitempty"`                 // space-separated scope list, unparsed
	CodeChallengeMethod string `json:"code_challenge_method,omitempty"` // PKCE method; see CreateCodeChallenge / VerifyCodeChallenge
	CodeChallenge       string `json:"code_challenge,omitempty"`        // PKCE challenge to be verified at the token endpoint
	Nonce               string `json:"nonce,omitempty"`                 // OpenID Connect nonce, echoed into the ID Token (inferred)
	MaxAge              string `json:"max_age,omitempty"`               // still a string here; not parsed to a duration in this type
	AttestationResponse string `json:"attestation_response,omitempty"`  // presumably a WebAuthn attestation (FinishAuthenticate returns *webauthn.Credential) — confirm
	AssertionResponse   string `json:"assertion_response,omitempty"`    // presumably a WebAuthn assertion — confirm
}

func AuthorizeRequestFromValues

func AuthorizeRequestFromValues(values url.Values) AuthorizeRequest

type AuthorizeResource

// AuthorizeResource serves the authorization endpoint; see its ServeHTTP and
// BeginAuthenticate methods. Its fields are unexported and not shown here, so
// it must be constructed by this package (presumably in New) rather than by
// callers.
type AuthorizeResource struct {
	// contains filtered or unexported fields
}

func (*AuthorizeResource) BeginAuthenticate

func (res *AuthorizeResource) BeginAuthenticate(w http.ResponseWriter, req *http.Request, authorizeRequest AuthorizeRequest, redirectURI *url.URL, query url.Values)

func (*AuthorizeResource) ServeHTTP

func (server *AuthorizeResource) ServeHTTP(w http.ResponseWriter, req *http.Request)

type JWKSResource

// JWKSResource serves the JSON Web Key Set document — presumably the
// jwks_uri advertised by OpenidConfiguration, so relying parties can verify
// ID Token signatures. Its fields are unexported and not shown here.
type JWKSResource struct {
	// contains filtered or unexported fields
}

func (*JWKSResource) ServeHTTP

func (r *JWKSResource) ServeHTTP(rw http.ResponseWriter, req *http.Request)

type OpenidConfiguration

// OpenidConfiguration is the OpenID Connect discovery document; the JSON tags
// are the standard discovery metadata names. Its ServeHTTP ignores the
// request, so presumably it serializes this struct as-is.
type OpenidConfiguration struct {
	Issuer                            string   `json:"issuer"`                                // issuer identifier, must match the ID Token "iss" claim (inferred)
	RegistrationEndpoint              string   `json:"registration_endpoint"`                 // dynamic client registration endpoint (see RegistrationResource)
	AuthEndpoint                      string   `json:"authorization_endpoint"`                // see AuthorizeResource
	TokenEndpoint                     string   `json:"token_endpoint"`                        // see TokenResource
	JWKSURI                           string   `json:"jwks_uri"`                              // see JWKSResource
	UserinfoEndpoint                  string   `json:"userinfo_endpoint,omitempty"`           // see UserInfoResource; omitted when empty
	SupportedAlgs                     []string `json:"id_token_signing_alg_values_supported"` // ID Token signing algorithms
	SupportedScopes                   []string `json:"scopes_supported"`
	SubjectTypesSupported             []string `json:"subject_types_supported"`
	ResponseTypesSupported            []string `json:"response_types_supported"`
	GrantTypesSupported               []string `json:"grant_types_supported"`
	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported"` // PKCE methods
	ACRValuesSupported                []string `json:"acr_values_supported"`
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
}

func (*OpenidConfiguration) ServeHTTP

func (r *OpenidConfiguration) ServeHTTP(w http.ResponseWriter, _ *http.Request)

type RFC6749Error

// RFC6749Error is an OAuth 2.0 error response together with the HTTP status
// to answer with. The exported fields map onto the wire format described by
// RFC6749ErrorJson (error, error_description, error_hint, status_code,
// error_debug); the With* methods return modified copies for chaining.
type RFC6749Error struct {
	ErrorField       string // the "error" code, e.g. one of the err*Name constants
	DescriptionField string // the "error_description"
	HintField        string // the "error_hint", optional
	CodeField        int    // HTTP status code used by RespondJSON / StatusCode
	DebugField       string // the "error_debug"; per the WithExposeDebug and Sanitize docs it is only exposed when explicitly enabled
	// contains filtered or unexported fields
}

func ErrorToRFC6749Error

func ErrorToRFC6749Error(err error) *RFC6749Error

func FinishAuthenticate

func FinishAuthenticate(challenge string, authorizeRequest AuthorizeRequest, redirectURI *url.URL, query url.Values, rpID, origin string) (*webauthn.Credential, *RFC6749Error)

func (*RFC6749Error) Cause

func (e *RFC6749Error) Cause() error

func (*RFC6749Error) Debug

func (e *RFC6749Error) Debug() string

func (RFC6749Error) Error

func (e RFC6749Error) Error() string

func (*RFC6749Error) GetDescription

func (e *RFC6749Error) GetDescription() string

GetDescription returns a more detailed description, combined with the hint and debug text (when available).

func (RFC6749Error) Is

func (e RFC6749Error) Is(err error) bool

func (RFC6749Error) MarshalJSON

func (e RFC6749Error) MarshalJSON() ([]byte, error)

func (*RFC6749Error) Reason

func (e *RFC6749Error) Reason() string

func (*RFC6749Error) RequestID

func (e *RFC6749Error) RequestID() string

func (*RFC6749Error) RespondJSON

func (e *RFC6749Error) RespondJSON(w http.ResponseWriter)

func (*RFC6749Error) RespondRedirect

func (e *RFC6749Error) RespondRedirect(w http.ResponseWriter, redirectURI *url.URL, query url.Values)

func (*RFC6749Error) Sanitize deprecated

func (e *RFC6749Error) Sanitize() *RFC6749Error

Sanitize strips the debug field.

Deprecated: Use WithExposeDebug instead.

func (*RFC6749Error) StackTrace

func (e *RFC6749Error) StackTrace() (trace errors.StackTrace)

StackTrace returns the error's stack trace.

func (*RFC6749Error) Status

func (e *RFC6749Error) Status() string

func (*RFC6749Error) StatusCode

func (e *RFC6749Error) StatusCode() int

func (*RFC6749Error) ToValues

func (e *RFC6749Error) ToValues() url.Values

func (*RFC6749Error) UnmarshalJSON

func (e *RFC6749Error) UnmarshalJSON(b []byte) error

func (RFC6749Error) Unwrap

func (e RFC6749Error) Unwrap() error

func (*RFC6749Error) WithDebug

func (e *RFC6749Error) WithDebug(debug string) *RFC6749Error

func (*RFC6749Error) WithDebugf

func (e *RFC6749Error) WithDebugf(debug string, args ...interface{}) *RFC6749Error

func (*RFC6749Error) WithDescription

func (e *RFC6749Error) WithDescription(description string) *RFC6749Error

func (*RFC6749Error) WithExposeDebug

func (e *RFC6749Error) WithExposeDebug(exposeDebug bool) *RFC6749Error

WithExposeDebug, if set to true, exposes debug messages.

func (*RFC6749Error) WithHint

func (e *RFC6749Error) WithHint(hint string) *RFC6749Error

func (*RFC6749Error) WithHintf

func (e *RFC6749Error) WithHintf(hint string, args ...interface{}) *RFC6749Error

func (RFC6749Error) WithLegacyFormat

func (e RFC6749Error) WithLegacyFormat(useLegacyFormat bool) *RFC6749Error

func (RFC6749Error) WithWrap

func (e RFC6749Error) WithWrap(cause error) *RFC6749Error

func (*RFC6749Error) Wrap

func (e *RFC6749Error) Wrap(err error)

type RFC6749ErrorJson

// RFC6749ErrorJson is the wire representation of RFC6749Error used by its
// MarshalJSON / UnmarshalJSON. Hint, Code and Debug are omitempty, so an
// empty Debug never appears on the wire — presumably how Sanitize /
// WithExposeDebug keep internal detail out of responses (inferred).
type RFC6749ErrorJson struct {
	Name        string `json:"error"`                 // RFC6749Error.ErrorField
	Description string `json:"error_description"`     // RFC6749Error.DescriptionField
	Hint        string `json:"error_hint,omitempty"`  // RFC6749Error.HintField
	Code        int    `json:"status_code,omitempty"` // RFC6749Error.CodeField
	Debug       string `json:"error_debug,omitempty"` // RFC6749Error.DebugField
}

RFC6749ErrorJson is a helper struct for JSON encoding/decoding of RFC6749Error.

type RegistrationRequest

// RegistrationRequest is the body of a dynamic client registration request.
// Only redirect_uris is accepted; any other client metadata is ignored by
// this type. Note that RegisterClient takes a single redirectURI, so how a
// multi-element list is handled is not visible from this listing.
type RegistrationRequest struct {
	RedirectURIs []string `json:"redirect_uris"`
}

type RegistrationResource

// RegistrationResource serves the dynamic client registration endpoint
// (RegistrationEndpoint in OpenidConfiguration); see ServeHTTP and
// RegisterClient. Its fields are unexported and not shown here.
type RegistrationResource struct {
	// contains filtered or unexported fields
}

func (*RegistrationResource) RegisterClient

func (*RegistrationResource) ServeHTTP

func (r *RegistrationResource) ServeHTTP(w http.ResponseWriter, req *http.Request)

type RegistrationResponse

// RegistrationResponse is the body returned to a newly registered client.
// RegisterClient derives it from clientSecretKey and the redirect URI; the
// derivation itself is not visible from this listing. ClientSecret is a
// credential and should be treated as such by callers (not logged, sent only
// over TLS).
type RegistrationResponse struct {
	ClientID     string `json:"client_id,omitempty"`
	ClientSecret string `json:"client_secret,omitempty"`
}

func RegisterClient

func RegisterClient(clientSecretKey []byte, redirectURI string) (*RegistrationResponse, error)

type TokenRequest

// TokenRequest holds the parameters of a token endpoint request as built by
// ParseTokenRequest / TokenRequestFromValues and consumed by
// TokenResource.Handle.
//
// NOTE(review): the original field comments were shifted by one line
// (GrantType carried the redirect_uri check, RedirectURI the client_id
// check); they are reattached to the fields they describe below — confirm
// against Handle.
type TokenRequest struct {
	Code         string // a time-bound, use-once authorization code
	CodeVerifier string // PKCE verifier; must be checked against the code_challenge from the authorize step
	GrantType    string // requested grant type; accepted values are not visible from this listing
	RedirectURI  string // must match the redirect_uri from the authorize step
	ClientID     string // must match the client_id from the authorize step
	ClientSecret string // client credential; how it is verified is not visible from this listing
}

func ParseTokenRequest

func ParseTokenRequest(req *http.Request) TokenRequest

func TokenRequestFromValues

func TokenRequestFromValues(values url.Values) TokenRequest

type TokenResource

// TokenResource serves the token endpoint: ServeHTTP parses the request and
// Handle exchanges a TokenRequest for a TokenResponse or an *RFC6749Error.
// Its fields are unexported and not shown here.
type TokenResource struct {
	// contains filtered or unexported fields
}

func (*TokenResource) Handle

func (t *TokenResource) Handle(tokenRequest TokenRequest) (*TokenResponse, *RFC6749Error)

func (*TokenResource) ServeHTTP

func (t *TokenResource) ServeHTTP(w http.ResponseWriter, req *http.Request)

type TokenResponse

// TokenResponse is the successful token endpoint response body. No
// refresh_token field exists, so this listing issues only access and ID
// tokens; ExpiresIn is omitted from the JSON when zero.
type TokenResponse struct {
	AccessToken string `json:"access_token,omitempty"`
	IDToken     string `json:"id_token,omitempty"`
	TokenType   string `json:"token_type,omitempty"` // presumably "Bearer" — not visible here
	ExpiresIn   int64  `json:"expires_in,omitempty"` // access token lifetime in seconds (inferred from the standard parameter)
}

type UserInfoResource

// UserInfoResource serves the userinfo endpoint (UserinfoEndpoint in
// OpenidConfiguration), answering with a UserinfoResponse. Its fields are
// unexported and not shown here.
type UserInfoResource struct {
	// contains filtered or unexported fields
}

func (*UserInfoResource) ServeHTTP

func (r *UserInfoResource) ServeHTTP(w http.ResponseWriter, req *http.Request)

type UserinfoResponse

// UserinfoResponse is the userinfo endpoint body; only the subject
// identifier ("sub") is returned.
type UserinfoResponse struct {
	Subject string `json:"sub"`
}
