oauth


Constants

// FullAccessScope is the OAuth scope value that identifies full access.
// It is a protocol-visible string: clients request it verbatim, so renaming
// the constant is fine but changing the value is a breaking change.
const FullAccessScope = "https://authgear.com/scopes/full-access"
// FullUserInfoScope is the OAuth scope value that identifies access to the
// full user-info claim set. Like FullAccessScope it is a protocol-visible
// string and its value must stay stable.
const FullUserInfoScope = "https://authgear.com/scopes/full-userinfo"

Variables

// ClientLikeNotFound is the ClientLike that stands in for a client that
// could not be resolved. Both flags are false and Scopes is nil, so an
// unknown client is treated as third-party, is granted no scopes, and may
// not receive PII in the ID token — the least-privileged reading.
// NOTE(review): which callers return it (ClientClientLike / SessionClientLike?)
// is not visible on this page; confirm that no path compares against it by
// pointer after copying the struct.
var ClientLikeNotFound = &ClientLike{
	IsFirstParty:        false,
	PIIAllowedInIDToken: false,
}
// ErrAuthorizationNotFound is the sentinel error for a missing Authorization
// record. Callers should test for it with errors.Is so wrapping stays safe.
var ErrAuthorizationNotFound = errors.New("oauth authorization not found")
// ErrAuthorizationScopesNotGranted is the sentinel error for an Authorization
// that exists but does not cover the scopes being requested. Callers should
// test for it with errors.Is.
var ErrAuthorizationScopesNotGranted = errors.New("oauth authorization scopes not granted")
// ErrGrantNotFound is the sentinel error for a missing grant (code, access,
// offline or settings-action grant). Callers should test for it with
// errors.Is.
var ErrGrantNotFound = errors.New("oauth grant not found")

Functions

func DecodeRefreshToken

func DecodeRefreshToken(encodedToken string) (token string, grantID string, err error)

func EncodeRefreshToken

func EncodeRefreshToken(token string, grantID string) string

func FormPost

func FormPost(w http.ResponseWriter, r *http.Request, redirectURI *url.URL, response map[string]string)

func GenerateToken

func GenerateToken() string

func HTMLRedirect

func HTMLRedirect(rw http.ResponseWriter, r *http.Request, redirectURI string)

func HashToken

func HashToken(token string) string

func RequireScope

func RequireScope(scopes ...string) func(http.Handler) http.Handler

RequireScope allows a request to pass if the session contains at least one of the required scopes. If no scopes are required, only the validity of the session is checked.

func SessionScopes

func SessionScopes(s session.Session) []string

func WriteResponse

func WriteResponse(w http.ResponseWriter, r *http.Request, redirectURI *url.URL, responseMode string, response map[string]string)

Types

type AccessGrant

// AccessGrant is the persisted record behind an issued access token.
//
// The struct carries no token field, only TokenHash (presumably
// HashToken(token)); a store read therefore never yields a usable bearer
// token. SessionKind takes one of the GrantSessionKind constants and
// says whether SessionID refers to an offline grant or an IdP session.
type AccessGrant struct {
	AppID           string           `json:"app_id"`
	AuthorizationID string           `json:"authz_id"`
	SessionID       string           `json:"session_id"`
	SessionKind     GrantSessionKind `json:"session_kind"`

	CreatedAt time.Time `json:"created_at"`
	// ExpireAt bounds the lifetime of the token; enforcement is in the
	// consumer, not the struct.
	ExpireAt  time.Time `json:"expire_at"`
	Scopes    []string  `json:"scopes"`
	TokenHash string    `json:"token_hash"`
}

type AccessGrantStore

// AccessGrantStore persists AccessGrant records.
//
// Lookup is keyed by the token hash, never by the raw token, so the raw
// token only has to exist in memory while it is being hashed.
type AccessGrantStore interface {
	GetAccessGrant(tokenHash string) (*AccessGrant, error)
	CreateAccessGrant(*AccessGrant) error
	DeleteAccessGrant(*AccessGrant) error
}

type AccessTokenDecoder

// AccessTokenDecoder turns a presented access token into the value used for
// store lookup. isHash reports whether tok is already a hash (and can be
// used as-is) or still a raw token that the caller has to hash.
type AccessTokenDecoder interface {
	DecodeAccessToken(encodedToken string) (tok string, isHash bool, err error)
}

type AccessTokenEncoding

// AccessTokenEncoding encodes and decodes access tokens and implements
// AccessTokenDecoder.
//
// Secrets holds the key material the encoding is signed/verified with;
// Clock is the time source; UserClaims adds the non-PII user claims
// (see UserClaimsProvider); BaseURL supplies the issuer origin; Events
// dispatches events on commit. Which of these are used by encoding versus
// decoding is not visible here.
type AccessTokenEncoding struct {
	Secrets    *config.OAuthKeyMaterials
	Clock      clock.Clock
	UserClaims UserClaimsProvider
	BaseURL    BaseURLProvider
	Events     EventService
}

func (*AccessTokenEncoding) DecodeAccessToken

func (e *AccessTokenEncoding) DecodeAccessToken(encodedToken string) (tok string, isHash bool, err error)

func (*AccessTokenEncoding) EncodeAccessToken

func (e *AccessTokenEncoding) EncodeAccessToken(client *config.OAuthClientConfig, grant *AccessGrant, userID string, token string) (string, error)

type AppSession

// AppSession is a web session derived from an offline grant
// (OfflineGrantID). As with the other grant types only TokenHash is
// stored, not the session token itself.
type AppSession struct {
	AppID          string `json:"app_id"`
	OfflineGrantID string `json:"offline_grant_id"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	TokenHash string    `json:"token_hash"`
}

type AppSessionStore

// AppSessionStore persists AppSession records, keyed by token hash.
type AppSessionStore interface {
	GetAppSession(tokenHash string) (*AppSession, error)
	CreateAppSession(*AppSession) error
	DeleteAppSession(*AppSession) error
}

type AppSessionToken

// AppSessionToken is the record behind a one-time token that is exchanged
// for an AppSession (see AppSessionTokenService.Exchange). It has the same
// shape as AppSession; only the token hash is stored.
type AppSessionToken struct {
	AppID          string `json:"app_id"`
	OfflineGrantID string `json:"offline_grant_id"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	TokenHash string    `json:"token_hash"`
}

type AppSessionTokenInput

// AppSessionTokenInput is the client-supplied input for the app-session
// token flow. Both fields originate from the request and are untrusted.
// NOTE(review): validation of RedirectURI against the client's registered
// redirect URIs is not visible on this page — confirm it happens before the
// URI is used in a redirect.
type AppSessionTokenInput struct {
	AppSessionToken string
	RedirectURI     string
}

type AppSessionTokenService

// AppSessionTokenService exchanges an app-session token for an app session.
//
// Exchange consumes an AppSessionToken and yields a session token; Handle
// is the HTTP-facing entry point. OfflineGrantService.IsValid is what
// decides whether the backing offline grant is still usable, and Cookies
// builds the resulting cookie.
type AppSessionTokenService struct {
	AppSessions         AppSessionStore
	AppSessionTokens    AppSessionTokenStore
	OfflineGrants       OfflineGrantStore
	OfflineGrantService AppSessionTokenServiceOfflineGrantService
	Cookies             AppSessionTokenServiceCookieManager
	Clock               clock.Clock
}

func (*AppSessionTokenService) Exchange

func (s *AppSessionTokenService) Exchange(appSessionToken string) (string, error)

func (*AppSessionTokenService) Handle

type AppSessionTokenServiceCookieManager

// AppSessionTokenServiceCookieManager is the cookie dependency of
// AppSessionTokenService: it builds a cookie for value under the given
// definition. Attributes such as Secure/HttpOnly/SameSite are expected to
// come from def, not from this package.
type AppSessionTokenServiceCookieManager interface {
	ValueCookie(def *httputil.CookieDef, value string) *http.Cookie
}

type AppSessionTokenServiceOfflineGrantService

// AppSessionTokenServiceOfflineGrantService is the offline-grant validity
// check used by AppSessionTokenService; it is satisfied by
// *OfflineGrantService. When valid is true, expiry is the time the grant
// ceases to be valid.
type AppSessionTokenServiceOfflineGrantService interface {
	IsValid(session *OfflineGrant) (valid bool, expiry time.Time, err error)
}

type AppSessionTokenStore

// AppSessionTokenStore persists AppSessionToken records, keyed by token hash.
type AppSessionTokenStore interface {
	GetAppSessionToken(tokenHash string) (*AppSessionToken, error)
	CreateAppSessionToken(*AppSessionToken) error
	DeleteAppSessionToken(*AppSessionToken) error
}

type Authorization

// Authorization records that UserID has granted ClientID the listed Scopes.
// It is the consent record checked by AuthorizationService before a grant
// is issued; IsAuthorized tests a requested scope set against Scopes and
// WithScopesAdded returns a copy with more scopes.
type Authorization struct {
	ID        string
	AppID     string
	ClientID  string
	UserID    string
	CreatedAt time.Time
	UpdatedAt time.Time
	Scopes    []string
}

func ApplyAuthorizationFilters

func ApplyAuthorizationFilters(authzs []*Authorization, filters ...AuthorizationFilter) (out []*Authorization)

func (Authorization) IsAuthorized

func (z Authorization) IsAuthorized(scopes []string) bool

func (Authorization) ToAPIModel

func (z Authorization) ToAPIModel() *model.Authorization

func (Authorization) WithScopesAdded

func (z Authorization) WithScopesAdded(scopes []string) *Authorization

type AuthorizationFilter

// AuthorizationFilter selects which Authorization records to keep when
// listing (see ApplyAuthorizationFilters and AuthorizationService.ListByUser).
type AuthorizationFilter interface {
	Keep(authz *Authorization) bool
}

type AuthorizationFilterFunc

// AuthorizationFilterFunc adapts a plain predicate to AuthorizationFilter;
// its Keep method (not shown here) calls the function.
type AuthorizationFilterFunc func(a *Authorization) bool

func (AuthorizationFilterFunc) Keep

type AuthorizationService

// AuthorizationService manages consent records.
//
// Check verifies an existing Authorization covers the requested scopes,
// CheckAndGrant additionally creates or extends one, and Delete removes it.
// OAuthSessionManager is presumably used to revoke the offline-grant
// sessions tied to an authorization when it is deleted — confirm in Delete.
type AuthorizationService struct {
	AppID               config.AppID
	Store               AuthorizationStore
	Clock               clock.Clock
	OAuthSessionManager OfflineGrantSessionManager
}

func (*AuthorizationService) Check

func (s *AuthorizationService) Check(
	clientID string,
	userID string,
	scopes []string,
) (*Authorization, error)

func (*AuthorizationService) CheckAndGrant

func (s *AuthorizationService) CheckAndGrant(
	clientID string,
	userID string,
	scopes []string,
) (*Authorization, error)

func (*AuthorizationService) Delete

func (*AuthorizationService) GetByID

func (s *AuthorizationService) GetByID(id string) (*Authorization, error)

func (*AuthorizationService) ListByUser

func (s *AuthorizationService) ListByUser(userID string, filters ...AuthorizationFilter) ([]*Authorization, error)

type AuthorizationStore

// AuthorizationStore persists Authorization records. Get looks up the
// single record for a (user, client) pair; ResetAll removes every record
// belonging to a user; UpdateScopes rewrites the Scopes of an existing
// record.
type AuthorizationStore interface {
	Get(userID, clientID string) (*Authorization, error)
	GetByID(id string) (*Authorization, error)
	ListByUserID(userID string) ([]*Authorization, error)
	Create(*Authorization) error
	Delete(*Authorization) error
	ResetAll(userID string) error
	UpdateScopes(*Authorization) error
}

type BaseURLProvider

// BaseURLProvider supplies the server's origin (scheme and host), used by
// AccessTokenEncoding.
type BaseURLProvider interface {
	Origin() *url.URL
}

type ClientLike

// ClientLike is the subset of client properties the rest of the package
// needs, built either from a client config (ClientClientLike) or from a
// session (SessionClientLike). IsFirstParty and PIIAllowedInIDToken gate
// trust decisions; see ClientLikeNotFound for the fallback when the client
// cannot be resolved.
type ClientLike struct {
	IsFirstParty        bool
	PIIAllowedInIDToken bool
	Scopes              []string
}

func ClientClientLike

func ClientClientLike(client *config.OAuthClientConfig, scopes []string) *ClientLike

func SessionClientLike

func SessionClientLike(s session.Session, clientResolver OAuthClientResolver) *ClientLike

type CodeGrant

// CodeGrant is the record behind an authorization code.
//
// Only CodeHash is stored, not the code. RedirectURI and
// AuthorizationRequest are kept so the token endpoint can check that the
// exchange matches the original request. AuthenticationInfo captures how
// the user authenticated; IDTokenHintSID is the session id from the
// id_token_hint, if one was given.
type CodeGrant struct {
	AppID              string               `json:"app_id"`
	AuthorizationID    string               `json:"authz_id"`
	IDPSessionID       string               `json:"session_id"`
	AuthenticationInfo authenticationinfo.T `json:"authentication_info"`
	IDTokenHintSID     string               `json:"id_token_hint_sid"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	CodeHash  string    `json:"code_hash"`

	RedirectURI          string                        `json:"redirect_uri"`
	AuthorizationRequest protocol.AuthorizationRequest `json:"authorization_request"`
}

type CodeGrantStore

// CodeGrantStore persists CodeGrant records, keyed by code hash.
type CodeGrantStore interface {
	GetCodeGrant(codeHash string) (*CodeGrant, error)
	CreateCodeGrant(*CodeGrant) error
	DeleteCodeGrant(*CodeGrant) error
}

type EndpointsProvider

// EndpointsProvider supplies the absolute URLs of the OAuth endpoints; the
// MetadataProvider publishes them in the discovery document.
type EndpointsProvider interface {
	AuthorizeEndpointURL() *url.URL
	ConsentEndpointURL() *url.URL
	TokenEndpointURL() *url.URL
	RevokeEndpointURL() *url.URL
}

type EventService

// EventService dispatches an event payload once the surrounding transaction
// commits, so events are not emitted for work that is rolled back.
type EventService interface {
	DispatchEventOnCommit(payload event.Payload) error
}

type GrantSessionKind

// GrantSessionKind says what kind of session an AccessGrant.SessionID
// refers to.
type GrantSessionKind string
// The values are persisted in the "session_kind" JSON field, so they
// must not be renamed.
const (
	GrantSessionKindOffline GrantSessionKind = "offline_grant"
	GrantSessionKindSession GrantSessionKind = "idp_session"
)

type KeepThirdPartyAuthorizationFilter

// KeepThirdPartyAuthorizationFilter is an AuthorizationFilter that keeps
// only authorizations for third-party clients. Its Keep method (not shown
// here) presumably tests authz.ClientID against ThirdPartyClientIDSet; use
// NewKeepThirdPartyAuthorizationFilter to build the set from the OAuth
// config.
type KeepThirdPartyAuthorizationFilter struct {
	ThirdPartyClientIDSet setutil.Set[string]
}

func NewKeepThirdPartyAuthorizationFilter

func NewKeepThirdPartyAuthorizationFilter(oauthConfig *config.OAuthConfig) *KeepThirdPartyAuthorizationFilter

func (*KeepThirdPartyAuthorizationFilter) Keep

type LoginHint

// LoginHint is the parsed form of a login_hint value (see ParseLoginHint).
// Type selects which of the remaining fields are meaningful; the hint comes
// from the authorization request and is untrusted until verified (the JWT
// in particular must be validated before use).
type LoginHint struct {
	Type LoginHintType

	// Specific to LoginHintTypeAnonymous
	PromotionCode string
	JWT           string

	// Specific to LoginHintTypeAppSessionToken
	AppSessionToken string
}

func ParseLoginHint

func ParseLoginHint(s string) (*LoginHint, error)

type LoginHintType

// LoginHintType is the discriminator of LoginHint.
type LoginHintType string
const (
	LoginHintTypeAnonymous LoginHintType = "anonymous"
	// nolint: gosec
	// The suppression presumably silences the hardcoded-credential check
	// that triggers on the word "token" in the name; the value is a type
	// tag, not a secret.
	LoginHintTypeAppSessionToken LoginHintType = "app_session_token"
)

type MetadataProvider

// MetadataProvider fills the OAuth discovery metadata with the endpoint
// URLs from Endpoints (see PopulateMetadata).
type MetadataProvider struct {
	Endpoints EndpointsProvider
}

func (*MetadataProvider) PopulateMetadata

func (p *MetadataProvider) PopulateMetadata(meta map[string]interface{})

type OAuthClientResolver

// OAuthClientResolver looks up a client configuration by client id. The
// method has no error return, so a nil result is the only signal for an
// unknown client — callers must check for it.
type OAuthClientResolver interface {
	ResolveClient(clientID string) *config.OAuthClientConfig
}

type OfflineGrant

// OfflineGrant is the persisted record behind a refresh token and doubles
// as a session.Session implementation (SessionID, SessionType, GetUserID,
// ...).
//
// TokenHash is presumably the hash of the refresh token; the token itself
// is not stored. DeviceInfo is client-reported and should be treated as
// untrusted display data. SSOEnabled controls whether IsSameSSOGroup may
// match other sessions.
// NOTE(review): App2AppDeviceKeyJWKJSON should hold only the public key of
// the device key pair — confirm at the point where it is written.
type OfflineGrant struct {
	AppID           string `json:"app_id"`
	ID              string `json:"id"`
	ClientID        string `json:"client_id"`
	AuthorizationID string `json:"authz_id"`
	// IDPSessionID refers to the IDP session.
	IDPSessionID string `json:"idp_session_id,omitempty"`
	// IdentityID refers to the identity.
	// It is only set for biometric authentication.
	IdentityID string `json:"identity_id,omitempty"`

	CreatedAt       time.Time `json:"created_at"`
	AuthenticatedAt time.Time `json:"authenticated_at"`
	Scopes          []string  `json:"scopes"`
	TokenHash       string    `json:"token_hash"`

	Attrs      session.Attrs `json:"attrs"`
	AccessInfo access.Info   `json:"access_info"`

	DeviceInfo map[string]interface{} `json:"device_info,omitempty"`

	SSOEnabled bool `json:"sso_enabled,omitempty"`

	App2AppDeviceKeyJWKJSON string `json:"app2app_device_key_jwk_json"`
}

func (*OfflineGrant) Equal

func (g *OfflineGrant) Equal(ss session.Session) bool

func (*OfflineGrant) GetAccessInfo

func (g *OfflineGrant) GetAccessInfo() *access.Info

func (*OfflineGrant) GetAuthenticatedAt

func (g *OfflineGrant) GetAuthenticatedAt() time.Time

func (*OfflineGrant) GetAuthenticationInfo

func (g *OfflineGrant) GetAuthenticationInfo() authenticationinfo.T

func (*OfflineGrant) GetClientID

func (g *OfflineGrant) GetClientID() string

func (*OfflineGrant) GetCreatedAt

func (g *OfflineGrant) GetCreatedAt() time.Time

func (*OfflineGrant) GetDeviceInfo

func (g *OfflineGrant) GetDeviceInfo() (map[string]interface{}, bool)

func (*OfflineGrant) GetOIDCAMR

func (g *OfflineGrant) GetOIDCAMR() ([]string, bool)

func (*OfflineGrant) GetUserID

func (g *OfflineGrant) GetUserID() string

func (*OfflineGrant) IsSameSSOGroup

func (g *OfflineGrant) IsSameSSOGroup(ss session.Session) bool

IsSameSSOGroup returns true when the session argument:
- is the same offline grant;
- is an IdP session in the same SSO group (the current offline grant needs to be SSO enabled);
- is an offline grant in the same SSO group (the current offline grant needs to be SSO enabled).

func (*OfflineGrant) SSOGroupIDPSessionID

func (g *OfflineGrant) SSOGroupIDPSessionID() string

func (*OfflineGrant) SessionID

func (g *OfflineGrant) SessionID() string

func (*OfflineGrant) SessionType

func (g *OfflineGrant) SessionType() session.Type

func (*OfflineGrant) ToAPIModel

func (g *OfflineGrant) ToAPIModel() *model.Session

type OfflineGrantService

// OfflineGrantService decides whether an offline grant is still valid and
// when it expires (IsValid, CheckSessionExpired, ComputeOfflineGrantExpiry).
// IDPSessions lets it consult the linked IdP session, and ClientResolver
// fetches the per-client configuration the expiry depends on.
type OfflineGrantService struct {
	OAuthConfig    *config.OAuthConfig
	Clock          clock.Clock
	IDPSessions    ServiceIDPSessionProvider
	ClientResolver OAuthClientResolver
}

func (*OfflineGrantService) CheckSessionExpired

func (s *OfflineGrantService) CheckSessionExpired(session *OfflineGrant) (bool, time.Time, error)

func (*OfflineGrantService) ComputeOfflineGrantExpiry

func (s *OfflineGrantService) ComputeOfflineGrantExpiry(session *OfflineGrant) (expiry time.Time, err error)

func (*OfflineGrantService) IsValid

func (s *OfflineGrantService) IsValid(session *OfflineGrant) (bool, time.Time, error)

type OfflineGrantSessionManager

// OfflineGrantSessionManager is the session dependency of
// AuthorizationService: list a user's sessions and delete one. It is
// satisfied by *SessionManager.
type OfflineGrantSessionManager interface {
	List(userID string) ([]session.Session, error)
	Delete(session session.Session) error
}

type OfflineGrantStore

// OfflineGrantStore persists OfflineGrant records, keyed by grant id.
//
// Every write takes an explicit expireAt, so the caller — not the store —
// owns the expiry policy and each mutation re-applies it. AccessWithID
// records an access event on the grant; the Update* methods change one
// field each and return the updated record.
type OfflineGrantStore interface {
	GetOfflineGrant(id string) (*OfflineGrant, error)
	CreateOfflineGrant(offlineGrant *OfflineGrant, expireAt time.Time) error
	DeleteOfflineGrant(*OfflineGrant) error

	AccessWithID(id string, accessEvent access.Event, expireAt time.Time) (*OfflineGrant, error)
	UpdateOfflineGrantDeviceInfo(id string, deviceInfo map[string]interface{}, expireAt time.Time) (*OfflineGrant, error)
	UpdateOfflineGrantAuthenticatedAt(id string, authenticatedAt time.Time, expireAt time.Time) (*OfflineGrant, error)
	UpdateOfflineGrantApp2AppDeviceKey(id string, newKey string, expireAt time.Time) (*OfflineGrant, error)

	ListOfflineGrants(userID string) ([]*OfflineGrant, error)
	ListClientOfflineGrants(clientID string, userID string) ([]*OfflineGrant, error)
}

type PromptResolver

// PromptResolver computes the effective OIDC prompt values for an
// authorization request given the session named by its id_token_hint
// (see ResolvePrompt). Clock is used for the time-based parts of that
// decision (e.g. max_age — not visible here, confirm).
type PromptResolver struct {
	Clock clock.Clock
}

func (*PromptResolver) ResolvePrompt

func (r *PromptResolver) ResolvePrompt(req protocol.AuthorizationRequest, sidSession session.Session) (prompt []string)

type Resolver

// Resolver resolves the session behind an incoming HTTP request (Resolve),
// accepting either an access token or an app-session cookie.
//
// AccessTokenDecoder and the grant stores turn a presented token into a
// grant; Sessions and OfflineGrantService validate the underlying session;
// RemoteIP and UserAgentString are recorded as access info. Both of those
// are request-derived and untrusted.
type Resolver struct {
	RemoteIP            httputil.RemoteIP
	UserAgentString     httputil.UserAgentString
	OAuthConfig         *config.OAuthConfig
	Authorizations      AuthorizationStore
	AccessGrants        AccessGrantStore
	OfflineGrants       OfflineGrantStore
	AppSessions         AppSessionStore
	AccessTokenDecoder  AccessTokenDecoder
	Sessions            ResolverSessionProvider
	Cookies             ResolverCookieManager
	Clock               clock.Clock
	OfflineGrantService OfflineGrantService
}

func (*Resolver) Resolve

func (re *Resolver) Resolve(rw http.ResponseWriter, r *http.Request) (session.Session, error)

type ResolverCookieManager

// ResolverCookieManager reads the cookie described by def from the request.
type ResolverCookieManager interface {
	GetCookie(r *http.Request, def *httputil.CookieDef) (*http.Cookie, error)
}

type ResolverSessionProvider

// ResolverSessionProvider fetches an IdP session by id while recording the
// access event against it.
type ResolverSessionProvider interface {
	AccessWithID(id string, accessEvent access.Event) (*idpsession.IDPSession, error)
}

type ServiceIDPSessionProvider

// ServiceIDPSessionProvider is the IdP-session dependency of
// OfflineGrantService: fetch a session and ask whether it has expired.
type ServiceIDPSessionProvider interface {
	Get(id string) (*idpsession.IDPSession, error)
	CheckSessionExpired(session *idpsession.IDPSession) (expired bool)
}

type SessionManager

// SessionManager exposes offline grants as sessions: Get, List, Delete,
// TerminateAllExcept (bulk revocation keeping the current session) and
// ClearCookie. Service is used to filter out grants that are no longer
// valid.
type SessionManager struct {
	Store   OfflineGrantStore
	Config  *config.OAuthConfig
	Service OfflineGrantService
}

func (*SessionManager) ClearCookie

func (m *SessionManager) ClearCookie() []*http.Cookie

func (*SessionManager) Delete

func (m *SessionManager) Delete(session session.Session) error

func (*SessionManager) Get

func (m *SessionManager) Get(id string) (session.Session, error)

func (*SessionManager) List

func (m *SessionManager) List(userID string) ([]session.Session, error)

func (*SessionManager) TerminateAllExcept

func (m *SessionManager) TerminateAllExcept(userID string, currentSession session.Session) ([]session.Session, error)

type SettingsActionGrant

// SettingsActionGrant is the record behind a settings-action code. It has
// exactly the shape of CodeGrant — only CodeHash is stored, and
// RedirectURI/AuthorizationRequest are kept to verify the later exchange.
type SettingsActionGrant struct {
	AppID              string               `json:"app_id"`
	AuthorizationID    string               `json:"authz_id"`
	IDPSessionID       string               `json:"session_id"`
	AuthenticationInfo authenticationinfo.T `json:"authentication_info"`
	IDTokenHintSID     string               `json:"id_token_hint_sid"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	CodeHash  string    `json:"code_hash"`

	RedirectURI          string                        `json:"redirect_uri"`
	AuthorizationRequest protocol.AuthorizationRequest `json:"authorization_request"`
}

type SettingsActionGrantStore

// SettingsActionGrantStore persists SettingsActionGrant records, keyed by
// code hash.
type SettingsActionGrantStore interface {
	GetSettingsActionGrant(codeHash string) (*SettingsActionGrant, error)
	CreateSettingsActionGrant(*SettingsActionGrant) error
	DeleteSettingsActionGrant(*SettingsActionGrant) error
}

type UserClaimsProvider

// UserClaimsProvider adds the user's non-PII claims to token. The name
// is the contract: PII must not be placed in an access token through this
// hook (ClientLike.PIIAllowedInIDToken governs the ID token separately).
type UserClaimsProvider interface {
	PopulateNonPIIUserClaims(token jwt.Token, userID string) error
}
