Overview ¶
Package oauth2 is a server implementation of the OAuth 2.0 Authorization Framework (https://tools.ietf.org/html/rfc6749).
Index ¶
- Constants
- Variables
- type AccessResponse
- type AuthorizeGrantType
- type Client
- type ClientGrantTypeService
- type GrantType
- func NewClientGrantType(logger Log, service ClientGrantTypeService) GrantType
- func NewImplicitGrantType(logger Log, service ImplicitGrantTypeService) GrantType
- func NewPasswordGrantType(logger Log, service PasswordGrantTypeService) GrantType
- func NewRefreshGrantType(logger Log, service RefreshGrantTypeService) GrantType
- type Handler
- type ImplicitGrantTypeService
- type Log
- type PasswordGrantTypeService
- type RefreshGrantTypeService
- type Storer
- type TokenGrantType
Constants ¶
const ClientGrantType = "client"
ClientGrantType is used by the client using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification).
https://tools.ietf.org/html/rfc6749#section-4.4
const ImplicitGrantType = "implicit"
ImplicitGrantType is used to obtain access tokens (it does not support the issuance of refresh tokens) and is optimized for public clients known to operate a particular redirection URI. These clients are typically implemented in a browser using a scripting language such as JavaScript.
https://tools.ietf.org/html/rfc6749#section-4.2
const PasswordGrantType = "password"
PasswordGrantType (resource owner password credentials grant type) is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.
https://tools.ietf.org/html/rfc6749#section-4.3
const RefreshGrantType = "refresh"
RefreshGrantType is used by the client to obtain a new access token by presenting the refresh token it was issued.
https://tools.ietf.org/html/rfc6749#section-6
Variables ¶
var ErrAccessDenied = errors.New("access_denied")
ErrAccessDenied is returned when:
The resource owner or authorization server denied the request.
https://tools.ietf.org/html/rfc6749#section-4.1.2.1 https://tools.ietf.org/html/rfc6749#section-4.2.2.1
var ErrInvalidClient = errors.New("invalid_client")
ErrInvalidClient is returned when:
Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.
https://tools.ietf.org/html/rfc6749#section-5.2
var ErrInvalidGrant = errors.New("invalid_grant")
ErrInvalidGrant is returned when:
The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
https://tools.ietf.org/html/rfc6749#section-5.2
var ErrInvalidRequest = errors.New("invalid_request")
ErrInvalidRequest is returned when:
The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.
https://tools.ietf.org/html/rfc6749#section-5.2
var ErrInvalidScope = errors.New("invalid_scope")
ErrInvalidScope is returned when:
The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.
https://tools.ietf.org/html/rfc6749#section-5.2
var ErrServerError = errors.New("server_error")
ErrServerError is returned when:
The authorization server encountered an unexpected condition that prevented it from fulfilling the request.
https://tools.ietf.org/html/rfc6749#section-4.1.2.1 https://tools.ietf.org/html/rfc6749#section-4.2.2.1
var ErrUnauthorizedClient = errors.New("unauthorized_client")
ErrUnauthorizedClient is returned when:
The authenticated client is not authorized to use this authorization grant type.
https://tools.ietf.org/html/rfc6749#section-5.2
var ErrUnsupportedGrantType = errors.New("unsupported_grant_type")
ErrUnsupportedGrantType is returned when:
The authorization grant type is not supported by the authorization server.
https://tools.ietf.org/html/rfc6749#section-5.2
var ErrUnsupportedResponseType = errors.New("unsupported_response_type")
ErrUnsupportedResponseType is returned when:
The authorization server does not support obtaining an authorization code / access token using this method.
https://tools.ietf.org/html/rfc6749#section-4.1.2.1 https://tools.ietf.org/html/rfc6749#section-4.2.2.1
Functions ¶
This section is empty.
Types ¶
type AccessResponse ¶
type AccessResponse struct {
AccessToken string
TokenType string
ExpiresIn int64
RefreshToken string
Info map[string]interface{}
}
AccessResponse holds a valid and authorized access response.
func (*AccessResponse) ToMap ¶
func (r *AccessResponse) ToMap() map[string]interface{}
ToMap converts the access response to a map.
func (*AccessResponse) ToValues ¶
func (r *AccessResponse) ToValues() url.Values
ToValues converts the access response to values.
type AuthorizeGrantType ¶
type AuthorizeGrantType interface {
GrantType
ResponseName() string
Respond(w http.ResponseWriter, req *http.Request, reqParams url.Values, client Client, redirectURI, state string)
}
AuthorizeGrantType is a grant type on the /authorize endpoint.
type Client ¶
type Client interface {
Identifier() string
IsAllowedRedirectURI(uri string) bool
IsAllowedGrantType(identifier string) bool
IsConfidential() bool
Authenticate(secret string) bool
}
Client is an oauth2 client:
An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).
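An implementation of Client, added here as an example; it is not code from the package. The interface is repeated so the file compiles on its own, and StaticClient, NewStaticClient and the SHA-256 digest storage are assumptions for illustration. It shows the three checks the Handler depends on a Client for: exact-string redirect URI matching (RFC 6749 section 3.1.2.3), a grant type allow-list keyed by the constants above, and constant-time secret verification that always fails for a public client.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Client repeats the interface documented above so this file compiles alone.
type Client interface {
	Identifier() string
	IsAllowedRedirectURI(uri string) bool
	IsAllowedGrantType(identifier string) bool
	IsConfidential() bool
	Authenticate(secret string) bool
}

// StaticClient is a hypothetical client record loaded from configuration. The
// secret is kept only as a SHA-256 digest, adequate for high-entropy generated
// secrets; a human-chosen secret would need a slow password hash instead.
type StaticClient struct {
	id           string
	redirectURIs map[string]struct{}
	grantTypes   map[string]struct{}
	confidential bool
	secretHash   [32]byte
}

// NewStaticClient registers a client; an empty secret means a public client.
func NewStaticClient(id, secret string, redirectURIs, grantTypes []string) *StaticClient {
	c := &StaticClient{id: id, redirectURIs: map[string]struct{}{}, grantTypes: map[string]struct{}{}, confidential: secret != ""}
	for _, u := range redirectURIs {
		c.redirectURIs[u] = struct{}{}
	}
	for _, g := range grantTypes {
		c.grantTypes[g] = struct{}{}
	}
	if c.confidential {
		c.secretHash = sha256.Sum256([]byte(secret))
	}
	return c
}

func (c *StaticClient) Identifier() string { return c.id }

// IsAllowedRedirectURI uses exact string comparison, as RFC 6749 section 3.1.2.3
// requires for a fully registered URI. Prefix or wildcard matching would let
// "https://app.example/cb/../steal" or an added query string through.
func (c *StaticClient) IsAllowedRedirectURI(uri string) bool {
	_, ok := c.redirectURIs[uri]
	return ok
}

// IsAllowedGrantType is an allow-list keyed by the package's grant type
// identifiers ("client", "implicit", "password", "refresh").
func (c *StaticClient) IsAllowedGrantType(identifier string) bool {
	_, ok := c.grantTypes[identifier]
	return ok
}

func (c *StaticClient) IsConfidential() bool { return c.confidential }

// Authenticate never succeeds for a public client (it has no secret) and
// compares digests in constant time, so response timing does not reveal how
// much of a guessed secret was correct.
func (c *StaticClient) Authenticate(secret string) bool {
	if !c.confidential || secret == "" {
		return false
	}
	got := sha256.Sum256([]byte(secret))
	return subtle.ConstantTimeCompare(got[:], c.secretHash[:]) == 1
}

var _ Client = (*StaticClient)(nil) // compile-time check that the interface is satisfied

func main() {
	web := NewStaticClient("web-app", "s3cret", []string{"https://app.example/cb"}, []string{"password", "refresh"})
	spa := NewStaticClient("spa", "", []string{"https://spa.example/cb"}, []string{"implicit"})
	fmt.Println(web.Authenticate("s3cret"), web.Authenticate("s3cre"))        // true false
	fmt.Println(web.IsAllowedRedirectURI("https://app.example/cb/../steal")) // false
	fmt.Println(spa.IsConfidential(), spa.Authenticate(""))                   // false false
}
```

For human-chosen or otherwise low-entropy client secrets, replace the SHA-256 digest with a slow password hash; the constant-time comparison and the "public clients never authenticate" rule stay the same.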
type ClientGrantTypeService ¶
type ClientGrantTypeService interface {
ClientGrantTypeResponse(ctx context.Context, client Client) (*AccessResponse, error)
}
ClientGrantTypeService returns an access response, if the access token request is valid and authorized.
The authorization server MUST authenticate the client.
A refresh token SHOULD NOT be included.
type GrantType ¶
type GrantType interface {
Identifier() string
}
GrantType is an oauth2 grant type.
func NewClientGrantType ¶
func NewClientGrantType(logger Log, service ClientGrantTypeService) GrantType
NewClientGrantType creates a new grant type.
func NewImplicitGrantType ¶
func NewImplicitGrantType(logger Log, service ImplicitGrantTypeService) GrantType
NewImplicitGrantType creates a new grant type.
func NewPasswordGrantType ¶
func NewPasswordGrantType(logger Log, service PasswordGrantTypeService) GrantType
NewPasswordGrantType creates a new grant type.
func NewRefreshGrantType ¶
func NewRefreshGrantType(logger Log, service RefreshGrantTypeService) GrantType
NewRefreshGrantType creates a new grant type.
type Handler ¶
type Handler struct {
// contains filtered or unexported fields
}
Handler provides the oauth2 protocol endpoints:
The authorization process utilizes two authorization server endpoints (HTTP resources):
o Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection.
o Token endpoint - used by the client to exchange an authorization grant for an access token, typically with client authentication.
https://tools.ietf.org/html/rfc6749#section-3
func NewHandler ¶
NewHandler creates a new oauth2 handler.
func (*Handler) Authorize ¶
func (h *Handler) Authorize(w http.ResponseWriter, req *http.Request)
Authorize is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner. The way in which the authorization server authenticates the resource owner (e.g., username and password login, session cookies) is beyond the scope of this specification.
func (*Handler) Token ¶
func (h *Handler) Token(w http.ResponseWriter, req *http.Request)
Token is used by the client to obtain an access token by presenting its authorization grant or refresh token. The token endpoint is used with every authorization grant except for the implicit grant type (since an access token is issued directly).
type ImplicitGrantTypeService ¶
type ImplicitGrantTypeService interface {
ImplicitGrantTypeResponse(w http.ResponseWriter, req *http.Request, client Client, params url.Values) (*AccessResponse, error)
}
ImplicitGrantTypeService returns an access response, if the resource owner grants the access request.
The authorization server MUST NOT issue a refresh token.
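Encoding an AccessResponse for the two places it is delivered, as an example added here; it is not the package's ToMap or ToValues, which it stands in for under the hypothetical names toMap and toValues (merging Info into the body is an assumption about the real ones). It serves the AccessResponse section above and the implicit grant service here: WriteTokenResponse emits the JSON body of RFC 6749 section 5.1 with the Cache-Control: no-store and Pragma: no-cache headers that section requires on any response carrying tokens, and ImplicitRedirect places the parameters in the redirect fragment (section 4.2.2), rejects a redirect URI that already has a fragment (section 3.1.2), and refuses to carry a refresh token, which the implicit grant MUST NOT issue.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// AccessResponse repeats the struct documented above so this file compiles alone.
type AccessResponse struct {
	AccessToken  string
	TokenType    string
	ExpiresIn    int64
	RefreshToken string
	Info         map[string]interface{}
}

// toMap is a stand-in for the package's ToMap, using the parameter names of
// RFC 6749 section 5.1; merging Info into the body is an assumption.
func toMap(r *AccessResponse) map[string]interface{} {
	m := map[string]interface{}{"access_token": r.AccessToken, "token_type": r.TokenType}
	if r.ExpiresIn > 0 {
		m["expires_in"] = r.ExpiresIn
	}
	if r.RefreshToken != "" {
		m["refresh_token"] = r.RefreshToken
	}
	for k, v := range r.Info {
		m[k] = v
	}
	return m
}

// toValues is a stand-in for ToValues: the same parameters as form values,
// which is what the implicit grant puts into the redirect fragment.
func toValues(r *AccessResponse) url.Values {
	v := url.Values{}
	for k, val := range toMap(r) {
		v.Set(k, fmt.Sprint(val))
	}
	return v
}

// WriteTokenResponse writes the token endpoint body. Section 5.1 requires
// Cache-Control: no-store and Pragma: no-cache on every response that carries
// tokens, so proxies and browser caches never keep a copy.
func WriteTokenResponse(w http.ResponseWriter, r *AccessResponse) error {
	h := w.Header()
	h.Set("Content-Type", "application/json;charset=UTF-8")
	h.Set("Cache-Control", "no-store")
	h.Set("Pragma", "no-cache")
	w.WriteHeader(http.StatusOK)
	return json.NewEncoder(w).Encode(toMap(r))
}

// ImplicitRedirect builds the implicit grant redirect (section 4.2.2): the
// token goes in the fragment, never the query, so it is not sent to the host
// serving the redirect URI nor leaked in a Referer; state is echoed back; and
// a refresh token is refused because the implicit grant MUST NOT issue one.
func ImplicitRedirect(redirectURI string, r *AccessResponse, state string) (string, error) {
	if r.RefreshToken != "" {
		return "", errors.New("implicit grant must not issue a refresh token")
	}
	u, err := url.Parse(redirectURI)
	if err != nil {
		return "", err
	}
	if u.Fragment != "" || u.RawFragment != "" {
		return "", errors.New("redirect URI must not contain a fragment") // section 3.1.2
	}
	v := toValues(r)
	if state != "" {
		v.Set("state", state)
	}
	return u.String() + "#" + v.Encode(), nil
}

func main() {
	// Constructed response; the token value is made up for the example.
	r := &AccessResponse{AccessToken: "example-access-token", TokenType: "Bearer", ExpiresIn: 3600, Info: map[string]interface{}{"scope": "read write"}}
	rec := httptest.NewRecorder()
	_ = WriteTokenResponse(rec, r)
	fmt.Print(rec.Header().Get("Cache-Control"), " ", rec.Body.String())
	loc, _ := ImplicitRedirect("https://spa.example/cb", r, "xyz")
	fmt.Println(loc)
}
```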
type PasswordGrantTypeService ¶
type PasswordGrantTypeService interface {
PasswordGrantTypeResponse(ctx context.Context, client Client, username, password string, issueRefreshToken bool) (*AccessResponse, error)
}
PasswordGrantTypeService returns an access response, if the access token request is valid and authorized.
The authorization server MUST validate the resource owner password credentials using its existing password validation algorithm.
Since this access token request utilizes the resource owner's password, the authorization server MUST protect the endpoint against brute force attacks (e.g., using rate-limitation or generating alerts).
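A brute-force guard satisfying the MUST above, added as an example that is not part of the package. ErrInvalidGrant and AccessResponse are repeated from this page and Client is narrowed to the one method used; Throttle, directory, staticClient and ErrRateLimited are hypothetical names. Throttle decorates any PasswordGrantTypeService: after MaxFailures invalid_grant results for a username within Window it refuses further attempts without calling the underlying password check at all, and a successful login resets the count.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Repeated from the package so this file compiles alone; Client is narrowed to the one method used.
var ErrInvalidGrant = errors.New("invalid_grant")

type AccessResponse struct {
	AccessToken  string
	TokenType    string
	ExpiresIn    int64
	RefreshToken string
	Info         map[string]interface{}
}

type Client interface{ Identifier() string }

type PasswordGrantTypeService interface {
	PasswordGrantTypeResponse(ctx context.Context, client Client, username, password string, issueRefreshToken bool) (*AccessResponse, error)
}

// ErrRateLimited is a hypothetical sentinel: RFC 6749 defines no error code for
// throttling, so the caller decides how to surface it (HTTP 429 is usual) and alerts.
var ErrRateLimited = errors.New("too_many_attempts")

// Throttle wraps a PasswordGrantTypeService and refuses a username after MaxFailures
// invalid_grant results within Window; while locked out the inner service is never called.
type Throttle struct {
	Inner       PasswordGrantTypeService
	MaxFailures int
	Window      time.Duration
	Now         func() time.Time // injectable clock
	mu          sync.Mutex
	failures    map[string][]time.Time // username -> times of recent failures
}

// lockedOut discards failures older than Window and reports whether the rest
// have reached MaxFailures.
func (t *Throttle) lockedOut(username string, now time.Time) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	if t.failures == nil {
		t.failures = make(map[string][]time.Time)
	}
	kept := t.failures[username][:0]
	for _, ts := range t.failures[username] {
		if now.Sub(ts) < t.Window {
			kept = append(kept, ts)
		}
	}
	t.failures[username] = kept
	return len(kept) >= t.MaxFailures
}

func (t *Throttle) PasswordGrantTypeResponse(ctx context.Context, client Client, username, password string, issueRefreshToken bool) (*AccessResponse, error) {
	now := t.Now()
	if t.lockedOut(username, now) {
		return nil, ErrRateLimited
	}
	resp, err := t.Inner.PasswordGrantTypeResponse(ctx, client, username, password, issueRefreshToken)
	t.mu.Lock()
	defer t.mu.Unlock()
	switch {
	case errors.Is(err, ErrInvalidGrant): // wrong credentials: count the failure
		t.failures[username] = append(t.failures[username], now)
	case err == nil: // a successful login clears the counter
		delete(t.failures, username)
	}
	return resp, err
}

// directory is a constructed stand-in for the existing password check. It holds
// plaintext only for the example; real code verifies password hashes.
type directory map[string]string

func (d directory) PasswordGrantTypeResponse(_ context.Context, client Client, username, password string, issueRefreshToken bool) (*AccessResponse, error) {
	if want, ok := d[username]; !ok || want != password {
		return nil, ErrInvalidGrant // RFC 6749 section 5.2: invalid resource owner credentials
	}
	resp := &AccessResponse{AccessToken: "at-" + username, TokenType: "Bearer", ExpiresIn: 3600, Info: map[string]interface{}{"client_id": client.Identifier()}}
	if issueRefreshToken {
		resp.RefreshToken = "rt-" + username
	}
	return resp, nil
}

type staticClient string

func (c staticClient) Identifier() string { return string(c) }

func main() {
	th := &Throttle{Inner: directory{"alice": "correct horse"}, MaxFailures: 3, Window: 10 * time.Minute, Now: time.Now}
	for i := 0; i < 4; i++ {
		_, err := th.PasswordGrantTypeResponse(context.Background(), staticClient("web-app"), "alice", "wrong", false)
		fmt.Println(err) // invalid_grant three times, then too_many_attempts
	}
}
```

Keying on the username alone is deliberate: an attacker who rotates client IDs or source addresses still hits the per-account limit, and only invalid_grant results are counted, so a server_error from the directory does not lock anyone out.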
type RefreshGrantTypeService ¶
type RefreshGrantTypeService interface {
RefreshGrantTypeResponse(ctx context.Context, client Client, refreshToken string) (*AccessResponse, error)
}
RefreshGrantTypeService returns an access response, if the access token request is valid and authorized.
Because refresh tokens are typically long-lasting credentials used to request additional access tokens, the refresh token is bound to the client to which it was issued.
The authorization server MUST validate the refresh token.
The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.
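A RefreshGrantTypeService that enforces the client binding and the rotation rules above, added as an example that is not part of the package. ErrInvalidGrant and AccessResponse are repeated from this page, Client is narrowed to the one method used, and RefreshStore, Issue and refreshRecord are hypothetical names. It goes one step beyond the page: a rotated-out token that is presented again revokes the whole family, the refresh token rotation reuse detection of RFC 6819 section 5.2.2.3, because at that point two parties hold copies and the server cannot tell which one is the thief.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Repeated from the package so this file compiles alone; Client is narrowed to the one method used.
var ErrInvalidGrant = errors.New("invalid_grant")

type AccessResponse struct {
	AccessToken  string
	TokenType    string
	ExpiresIn    int64
	RefreshToken string
	Info         map[string]interface{}
}

type Client interface{ Identifier() string }

type refreshRecord struct {
	clientID string    // client the token is bound to
	scope    string    // carried unchanged across rotations
	family   string    // first token of the chain, shared by all its successors
	expires  time.Time // absolute lifetime of the whole family
	revoked  bool      // rotated out; presenting it again is a reuse signal
}

// RefreshStore is a hypothetical in-memory RefreshGrantTypeService.
type RefreshStore struct {
	TTL       time.Duration    // lifetime of a refresh token family
	AccessTTL time.Duration    // lifetime of issued access tokens
	Now       func() time.Time // injectable clock
	mu        sync.Mutex
	tokens    map[string]*refreshRecord
}

func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Issue starts a new family bound to clientID, e.g. after a password grant.
func (s *RefreshStore) Issue(clientID, scope string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.tokens == nil {
		s.tokens = make(map[string]*refreshRecord)
	}
	tok := newToken()
	s.tokens[tok] = &refreshRecord{clientID: clientID, scope: scope, family: tok, expires: s.Now().Add(s.TTL)}
	return tok
}

func (s *RefreshStore) RefreshGrantTypeResponse(_ context.Context, client Client, refreshToken string) (*AccessResponse, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.tokens[refreshToken]
	// Unknown, expired, or issued to another client: invalid_grant (RFC 6749
	// section 5.2). The client comparison is the binding described above.
	if !ok || rec.clientID != client.Identifier() || !s.Now().Before(rec.expires) {
		return nil, ErrInvalidGrant
	}
	if rec.revoked {
		// Right client, but this token was already rotated out: two parties hold
		// copies, so revoke the whole family (reuse detection, RFC 6819 section 5.2.2.3).
		for _, r := range s.tokens {
			if r.family == rec.family {
				r.revoked = true
			}
		}
		return nil, ErrInvalidGrant
	}
	// Rotate: revoke the presented token and issue a successor with identical
	// scope and the same absolute expiry, so rotation never extends a family.
	rec.revoked = true
	next := newToken()
	s.tokens[next] = &refreshRecord{clientID: rec.clientID, scope: rec.scope, family: rec.family, expires: rec.expires}
	return &AccessResponse{AccessToken: newToken(), TokenType: "Bearer", ExpiresIn: int64(s.AccessTTL / time.Second),
		RefreshToken: next, Info: map[string]interface{}{"scope": rec.scope}}, nil // Info merged by ToMap is an assumption
}

type staticClient string

func (c staticClient) Identifier() string { return string(c) }

func main() {
	s := &RefreshStore{TTL: 24 * time.Hour, AccessTTL: time.Hour, Now: time.Now}
	first := s.Issue("web-app", "read write")
	resp, err := s.RefreshGrantTypeResponse(context.Background(), staticClient("web-app"), first)
	fmt.Println(resp.RefreshToken != first, err) // true <nil>
}
```

Successors inherit the family's absolute expiry, so a client that keeps refreshing must still re-authorize when the original grant ages out; a sliding expiry is the alternative if that is unacceptable for the deployment.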
type TokenGrantType ¶
type TokenGrantType interface {
GrantType
GrantName() string
Grant(req *http.Request, client Client) (*AccessResponse, error)
}
TokenGrantType is a grant type on the /token endpoint.