oidc

package module
v0.0.1
Published: Feb 13, 2023 License: Apache-2.0 Imports: 17 Imported by: 0

README

oidc

Golang OAuth2/OIDC Server Library.

[Image: OpenIDConnect-Map-4Feb2014.png]

Our goals:

  • Security.
  • KISS.
  • Simple API.
Features
  • Grant Types Support:
    • Authorization Code
    • Refresh Token
    • Client Credentials
    • Password (legacy)
    • Implicit Flow (legacy)
    • Assertion:
      • JWT Bearer
      • Token Exchange
      • SAML2 Bearer
      • Device Code
  • PKCE For Public Clients: plain, S256
  • Session Management:
    • Check Session
    • End Session: Front Channel, Back Channel
  • Token Revocation
  • Request Object
  • Dynamic Client Registration
  • Self Issued OP
  • Known Scopes: openid, email, profile, phone, address, offline_access
  • Token Type Support: Bearer, JWT
  • ID Token Signing Algo: HS256, RS256, ES256
  • Client Auth Method: client_secret_basic, client_secret_post
  • Hybrid Response Type: code, token, id_token
  • Response Mode Support: query, fragment, form_post

Have fun!

Building

This library uses Go modules and uses semantic versioning. Building is done with the go tool, so the following should work:

go get github.com/deepzz0/oidc

Examples

A short "how to use the API" is at the beginning of doc.go (it is also shown when you run godoc github.com/deepzz0/oidc).

Example programs can be found in the Examples repository.

RFCs

We try our best to follow the specs; see https://oauth.net/specs/ and https://openid.net/developers/specs/.

OAuth2:

  • 6749 - OAuth 2.0 Authorization Framework

  • 6750 - OAuth 2.0 Authorization Framework: Bearer Token Usage

  • 6755 - An IETF URN Sub-Namespace for OAuth

  • 6819 - OAuth 2.0 Threat Model and Security Considerations

  • 7009 - OAuth 2.0 Token Revocation

  • 7519 - JSON Web Token (JWT)

  • 7521 - Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants

  • 7522 - SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants

  • 7523 - JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants

  • 7591 - OAuth 2.0 Dynamic Client Registration Protocol

  • 7592 - OAuth 2.0 Dynamic Client Registration Management Protocol

  • 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE)

  • 7662 - OAuth 2.0 Token Introspection

  • 7800 - Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)

  • 8176 - Authentication Method Reference Values

  • 8252 - OAuth 2.0 for Native Apps

  • 8414 - OAuth 2.0 Authorization Server Metadata

  • 8628 - OAuth 2.0 Device Authorization Grant

  • 8693 - OAuth 2.0 Token Exchange

  • 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens

  • 8707 - Resource Indicators for OAuth 2.0

  • 8725 - JSON Web Token Best Current Practices

  • 9101 - The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)

  • 9126 - OAuth 2.0 Pushed Authorization Requests

  • 9207 - OAuth 2.0 Authorization Server Issuer Identification

  • 9278 - JWK Thumbprint URI

  • 9608 - JWT Profile for OAuth 2.0 Access Tokens

  • OAuth Parameters

  • WebAuthn

OIDC:

FAPI

MODRNA

Optionally follows experimental and draft specs:

OAuth 2.1?

See https://oauth.net/2.1/.

Documentation

Overview

Package oidc provides ...


Index

Constants

const (
	TokenTypeBearer = "Bearer"
	TokenTypeJWT    = "JWT"
)

token type list

Variables

This section is empty.

Functions

func ParseMatchURL

func ParseMatchURL(baseURL, redirectURL string) (retBaseURL, retRedirectURL *url.URL, err error)

ParseMatchURL resolves the redirect URI reference against the base URL.

func ValidateClientSecret

func ValidateClientSecret(client protocol.Client, secret string) bool

ValidateClientSecret determines whether the given secret matches a secret held by the client. Public clients return true for a secret of ""

func ValidateCodeChallenge

func ValidateCodeChallenge(codeChall string, codeChallMethod protocol.CodeChallengeMethod) (protocol.CodeChallengeMethod, bool)

ValidateCodeChallenge validates the code challenge; see https://tools.ietf.org/html/rfc7636
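The plain and S256 checks that ValidateCodeChallenge refers to, worked through as an added example written for this page: it is not the oidc package's own code, and ComputeChallenge, VerifyPKCE and codeVerifierRe are hypothetical helper names. The verifier and challenge values come from RFC 7636 Appendix B.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// Hypothetical helpers for this example; they are not part of the oidc package.

// codeVerifierRe is the RFC 7636 section 4.1 grammar for code_verifier:
// 43 to 128 unreserved characters.
var codeVerifierRe = regexp.MustCompile(`^[A-Za-z0-9\-._~]{43,128}$`)

// ComputeChallenge derives the code_challenge for a verifier under the given
// code_challenge_method ("plain" or "S256", RFC 7636 section 4.2).
func ComputeChallenge(verifier, method string) (string, error) {
	switch method {
	case "plain":
		return verifier, nil
	case "S256":
		sum := sha256.Sum256([]byte(verifier))
		// BASE64URL without padding, as the RFC requires.
		return base64.RawURLEncoding.EncodeToString(sum[:]), nil
	default:
		return "", fmt.Errorf("unsupported code_challenge_method %q", method)
	}
}

// VerifyPKCE is the token-endpoint side check (RFC 7636 section 4.6): the
// code_verifier sent with the token request must reproduce the code_challenge
// that was stored with the authorization code at the authorization endpoint.
func VerifyPKCE(storedChallenge, storedMethod, verifier string) error {
	if !codeVerifierRe.MatchString(verifier) {
		return errors.New("code_verifier does not satisfy the RFC 7636 grammar")
	}
	expected, err := ComputeChallenge(verifier, storedMethod)
	if err != nil {
		return err
	}
	// Constant-time comparison so the stored challenge is not leaked through timing.
	if subtle.ConstantTimeCompare([]byte(expected), []byte(storedChallenge)) != 1 {
		return errors.New("code_verifier does not match the stored code_challenge")
	}
	return nil
}

func main() {
	// Verifier and S256 challenge from RFC 7636 Appendix B.
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	challenge, _ := ComputeChallenge(verifier, "S256")
	fmt.Println("S256 challenge:", challenge) // E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
	fmt.Println("correct verifier:", VerifyPKCE(challenge, "S256", verifier))
	fmt.Println("wrong verifier:  ", VerifyPKCE(challenge, "S256", verifier+"x"))
}
```

The authorization endpoint stores the challenge and method alongside the issued code; the token endpoint runs VerifyPKCE before exchanging the code and rejects a public client that exchanges a code without any verifier at all, which is the behaviour the ForcePKCEForPublicClients option is for. S256 is preferred because the challenge sent in the front channel does not reveal the verifier.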

func ValidateGrantType

func ValidateGrantType(types []protocol.GrantType, ty protocol.GrantType) bool

ValidateGrantType checks that the requested grant type is among those the client supports.

func ValidateIDTokenHint

func ValidateIDTokenHint(idTokenHit string) (string, error)

ValidateIDTokenHint validates the id_token_hint (if passed as a parameter in the request) and returns its `sub` claim.

func ValidateOfflineAccess

func ValidateOfflineAccess(prompt []string, scopes []string) ([]string, bool, error)

ValidateOfflineAccess validates the offline_access scope.

func ValidatePrompt

func ValidatePrompt(prompts []string, maxAge int) (int, error)

ValidatePrompt validates the prompt parameter and sets max_age=0 if prompt=login is present.

func ValidateScopes

func ValidateScopes(cli protocol.Client, scopes []string, defaultScopes []string,
	respTypeCode bool, prompt []string) ([]string, bool, bool)

ValidateScopes validates the scopes and removes invalid ones.

func ValidateTokenHint

func ValidateTokenHint(hint protocol.TokenTypeHint) bool

ValidateTokenHint only supports access_token and refresh_token.

func ValidateURI

func ValidateURI(baseURI, redirectURI string) (realRedirectURI string, err error)

ValidateURI validates that redirectURI is contained in baseURI

func ValidateURIList

func ValidateURIList(baseURIList, redirectURI, separator string) (realRedirectURI string, err error)

ValidateURIList validates that redirectURI is contained in baseURIList.
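Redirect URI matching of the kind ValidateURI and ValidateURIList describe, as an added example written for this page rather than the library's own code; MatchRedirectURI, MatchRedirectURIList and isLoopback are hypothetical names, and the registered URIs are constructed. It goes beyond the two doc lines above by applying the simple string comparison that RFC 6749 section 3.1.2.3 requires when a complete redirect URI is registered, rejecting fragments (section 3.1.2), and allowing only the loopback port exception of RFC 8252 section 7.3.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical helpers for this example; they are not the oidc package's
// ValidateURI or ValidateURIList.

var errMismatch = errors.New("redirect_uri does not match the registered URI")

// isLoopback reports whether u is an http loopback URI (RFC 8252 section 7.3),
// for which a native app may pick an ephemeral port at run time.
func isLoopback(u *url.URL) bool {
	h := u.Hostname()
	return u.Scheme == "http" && (h == "127.0.0.1" || h == "::1")
}

// MatchRedirectURI compares a requested redirect_uri against one registered
// complete URI component by component: scheme, host, port, path and query
// must be identical, and the request must not carry a fragment. The only
// relaxation is the loopback port exception.
func MatchRedirectURI(registered, requested string) error {
	if strings.Contains(requested, "#") {
		return errors.New("redirect_uri must not contain a fragment")
	}
	reg, err := url.Parse(registered)
	if err != nil {
		return fmt.Errorf("registered URI: %w", err)
	}
	req, err := url.Parse(requested)
	if err != nil {
		return fmt.Errorf("requested URI: %w", err)
	}
	// No normalization: a path such as "/cb/../admin" is compared literally and rejected.
	if reg.Scheme != req.Scheme || reg.Hostname() != req.Hostname() ||
		reg.Path != req.Path || reg.RawQuery != req.RawQuery {
		return errMismatch
	}
	if reg.Port() != req.Port() && !isLoopback(req) {
		return errMismatch
	}
	return nil
}

// MatchRedirectURIList checks the request against every registered URI in a
// separator-joined list (the idea behind RedirectURISeparator) and returns
// the registered entry that matched.
func MatchRedirectURIList(registeredList, separator, requested string) (string, error) {
	for _, reg := range strings.Split(registeredList, separator) {
		reg = strings.TrimSpace(reg)
		if reg == "" {
			continue
		}
		if MatchRedirectURI(reg, requested) == nil {
			return reg, nil
		}
	}
	return "", errors.New("redirect_uri is not registered for this client")
}

func main() {
	// Constructed sample registrations; not real clients.
	registered := "https://app.example/cb;http://127.0.0.1:8080/cb"
	for _, req := range []string{
		"https://app.example/cb",
		"https://app.example/cb?next=x",
		"https://app.example/cb/../admin",
		"https://app.example.net/cb",
		"http://127.0.0.1:51234/cb",
	} {
		m, err := MatchRedirectURIList(registered, ";", req)
		fmt.Printf("%-34s -> matched=%q err=%v\n", req, m, err)
	}
}
```

Exact matching is what turns the redirect URI into an effective control: prefix or substring containment would let a request append a query string, a traversal segment or a longer host name and still pass, so the comparison deliberately treats every component literally and only tolerates a differing port on an http loopback address.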

Types

type BasicAuth

type BasicAuth struct {
	Username string
	Password string
}

BasicAuth holds HTTP basic auth credentials.

type Option

type Option func(opts *Options)

Option is a custom option.

func WithAllowClientSecretInParams

func WithAllowClientSecretInParams(allow bool) Option

WithAllowClientSecretInParams sets whether the client secret may also be passed in request params.

func WithAllowGetAccessRequest

func WithAllowGetAccessRequest(allow bool) Option

WithAllowGetAccessRequest sets whether the access request may use GET.

func WithDefaultScopes

func WithDefaultScopes(scopes []protocol.Scope) Option

WithDefaultScopes sets the default scopes.

func WithForcePKCEForPublicClients

func WithForcePKCEForPublicClients(force bool) Option

WithForcePKCEForPublicClients sets whether PKCE is required for public clients.

func WithRedirectURISeparator

func WithRedirectURISeparator(s string) Option

WithRedirectURISeparator sets the separator used to support multiple redirect URIs.

func WithRetainTokenAfterRefresh

func WithRetainTokenAfterRefresh(s bool) Option

WithRetainTokenAfterRefresh retains the old token after refresh until it expires.

func WithSession

func WithSession(sess protocol.Session) Option

WithSession sets the session management used for check_session_iframe/end_session_endpoint.

func WithStorage

func WithStorage(storage protocol.Storage) Option

WithStorage sets the protocol.Storage implementation.

func WithSupportedRequestObject

func WithSupportedRequestObject(s bool) Option

WithSupportedRequestObject sets whether the authorize request object is supported.

func WithTokenType

func WithTokenType(ty TokenType) Option

WithTokenType changes the default token type (Bearer) to another.

type Options

type Options struct {
	// TokenType is the access token type: default Bearer
	TokenType TokenType
	// AllowClientSecretInParams, if true, allows the client secret in request params; not recommended: default false
	AllowClientSecretInParams bool
	// AllowGetAccessRequest, if true, allows the access request using GET, else only POST: default false
	AllowGetAccessRequest bool
	// RedirectURISeparator is the separator used to support multiple URIs in Client.RedirectURI()
	RedirectURISeparator string
	// ForcePKCEForPublicClients requires the authorization_code flow of public clients to use PKCE
	ForcePKCEForPublicClients bool
	// SupportedRequestObject enables support for the request object
	SupportedRequestObject bool
	// RetainTokenAfrerRefresh retains the old token after refresh until it expires
	RetainTokenAfrerRefresh bool
	// DefaultScopes is used when the client request scope is empty
	DefaultScopes []protocol.Scope

	Storage protocol.Storage
	Session protocol.Session
}

Options holds the oidc server options.

type ResponseTypeOK

type ResponseTypeOK struct {
	ResponseTypeCode    bool
	ResponseTypeToken   bool
	ResponseTypeIDToken bool
	ResponseTypeNone    bool
	ResponseTypeDevice  bool
}

ResponseTypeOK records which response types were accepted.

func ValidateResponseType

func ValidateResponseType(cli protocol.Client, reqTypes []string) (ResponseTypeOK, error)

ValidateResponseType validates the requested response types against the client.

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server is the OAuth2/OIDC server.

func NewServer

func NewServer(options ...Option) *Server

NewServer creates a new OAuth2/OIDC server.

func (*Server) FinishAuthorizeRequest

func (s *Server) FinishAuthorizeRequest(resp *protocol.Response, r *http.Request, req *protocol.AuthorizeRequest)

FinishAuthorizeRequest finishes the authorize request.

func (*Server) FinishCheckSessionRequest

func (s *Server) FinishCheckSessionRequest(resp *protocol.Response, w http.ResponseWriter, req *protocol.CheckSessionRequest)

FinishCheckSessionRequest finishes the check_session_iframe request.

func (*Server) FinishEndSessionRequest

func (s *Server) FinishEndSessionRequest(resp *protocol.Response, r *http.Request, req *protocol.EndSessionRequest)

FinishEndSessionRequest finishes the end_session request.

func (*Server) FinishRevocationRequest

func (s *Server) FinishRevocationRequest(resp *protocol.Response, r *http.Request, req *protocol.RevocationRequest)

FinishRevocationRequest finishes the revocation request.

func (*Server) FinishTokenRequest

func (s *Server) FinishTokenRequest(resp *protocol.Response, r *http.Request, req *protocol.AccessRequest)

FinishTokenRequest finishes the token request.

func (*Server) FinishUserInfoRequest

func (s *Server) FinishUserInfoRequest(resp *protocol.Response, r *http.Request, req *protocol.UserInfoRequest)

FinishUserInfoRequest finishes the userinfo request. The sub (subject) Claim MUST always be returned in the UserInfo Response; see https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse

func (*Server) GenerateAccessTokenAndSave

func (s *Server) GenerateAccessTokenAndSave(req *protocol.AccessData,
	genRefresh bool) (token, refresh string, err error)

GenerateAccessTokenAndSave generates an access token (and, if genRefresh is set, a refresh_token) and saves them.

func (*Server) GenerateAuthorizeCodeAndSave

func (s *Server) GenerateAuthorizeCodeAndSave(req *protocol.AuthorizeData) (code string, err error)

GenerateAuthorizeCodeAndSave is the default authorization code generator; it saves the generated code.

func (*Server) HandleAuthorizeRequest

func (s *Server) HandleAuthorizeRequest(resp *protocol.Response, r *http.Request, issuer string) *protocol.AuthorizeRequest

HandleAuthorizeRequest handles the authorization endpoint.

func (*Server) HandleCheckSessionEndpoint

func (s *Server) HandleCheckSessionEndpoint(resp *protocol.Response, r *http.Request, issuer string) *protocol.CheckSessionRequest

HandleCheckSessionEndpoint handles the check_session endpoint; see https://technospace.medium.com/managing-sessions-with-openid-connect-d3b6fb4f552b

func (*Server) HandleEndSessionEndpoint

func (s *Server) HandleEndSessionEndpoint(resp *protocol.Response, r *http.Request, issuer string) *protocol.EndSessionRequest

HandleEndSessionEndpoint handles the end_session endpoint.

func (*Server) HandleRevocationRequest

func (s *Server) HandleRevocationRequest(resp *protocol.Response, r *http.Request, issuer string) *protocol.RevocationRequest

HandleRevocationRequest handles the revocation endpoint. Implementations MUST support the revocation of refresh tokens and SHOULD support the revocation of access tokens (see the Implementation Note in RFC 7009).

func (*Server) HandleTokenRequest

func (s *Server) HandleTokenRequest(resp *protocol.Response, r *http.Request, issuer string) *protocol.AccessRequest

HandleTokenRequest handles the token endpoint.

func (*Server) HandleUserInfoRequest

func (s *Server) HandleUserInfoRequest(resp *protocol.Response, r *http.Request, issuer string) *protocol.UserInfoRequest

HandleUserInfoRequest handles the userinfo endpoint, which should support CORS; see https://openid.net/specs/openid-connect-core-1_0.html#UserInfo

type TokenType

type TokenType string

TokenType is the access token type.

type URIValidationError

type URIValidationError string

URIValidationError is the error returned when URI validation does not match.

func (URIValidationError) Error

func (e URIValidationError) Error() string

Error implements the error interface.

Directories

Path: Synopsis
examples: Package examples provides ...
  op: Package main provides ...
  rp: Package main provides ...
pkg
  crypto: Package crypto provides ...
  protocol: Package protocol provides ...
