Documentation ¶
Overview ¶
Package oidc provides an OpenID Connect wrapper that implements message level encryption (MLE) using the optional encrypted request object.
Index ¶
- Constants
- type Config
- type OIDCClient
- func (o *OIDCClient) AuthRequestURL(state string, options map[string]interface{}) (string, error)
- func (o *OIDCClient) Exchange(code string, options map[string]string) (*Tokens, error)
- func (o *OIDCClient) ExchangeWithNonce(code, nonce string, options map[string]string) (*Tokens, error)
- func (o *OIDCClient) HandleCallback(state, nonce string, queryParams url.Values, user interface{}) error
- func (o *OIDCClient) UserInfo(token oauth2.TokenSource, user interface{}) error
- func (o *OIDCClient) Verify(token string) (*oidc.IDToken, error)
- type OIDCClientEncrypted
- func (o *OIDCClientEncrypted) AuthRequestURL(state string, opts map[string]interface{}) (string, error)
- func (o *OIDCClientEncrypted) Exchange(code string, options map[string]string) (*Tokens, error)
- func (o *OIDCClientEncrypted) ExchangeWithNonce(code, nonce string, options map[string]string) (*Tokens, error)
- func (o *OIDCClientEncrypted) HandleCallback(state, nonce string, queryParams url.Values, user interface{}) error
- func (o *OIDCClientEncrypted) UserInfo(tokenSource oauth2.TokenSource, destination interface{}) error
- func (o *OIDCClientEncrypted) Verify(token string) (*oidc.IDToken, error)
- type OIDCInterface
- type RemoteKeyStore
- type Tokens
Constants ¶
const EncrypterContextKey string = "EncrypterContextKey"
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct {
	ClientId     string
	ClientSecret string
	Endpoint     string
	RedirectUri  string
	LocalJWK     string
	Scopes       []string
}
Config represents the configuration parameters needed for initialising OIDCClient or OIDCClientEncrypted.
ClientId is the client id received from the OIDC provider.
ClientSecret is the client secret received from the OIDC provider.
Endpoint is the OIDC provider's service endpoint.
RedirectUri is the redirect URI to which the provider redirects the user after authorization.
LocalJWK is the JWK used to encrypt the authorization request. It is not needed if MLE is not used. The public key must be sent to the OIDC provider.
Scopes is a list of values that specify which access privileges are being requested for the access token. Must include openid!
type OIDCClient ¶
type OIDCClient struct {
// contains filtered or unexported fields
}
OIDCClient wraps oauth2 and go-oidc libraries and provides convenience functions for implementing OIDC authorization code flow.
func NewClient ¶
func NewClient(ctx context.Context, config *Config) (*OIDCClient, error)
NewClient initializes and returns an OIDCClient that can be used to implement the OIDC authorization code flow. Discovery is used to read the provider's OIDC configuration.
func (*OIDCClient) AuthRequestURL ¶
func (o *OIDCClient) AuthRequestURL(state string, options map[string]interface{}) (string, error)
AuthRequestURL returns the URL for authorization request.
func (*OIDCClient) ExchangeWithNonce ¶
func (o *OIDCClient) ExchangeWithNonce(code, nonce string, options map[string]string) (*Tokens, error)
ExchangeWithNonce exchanges the authorization code for a token and verifies the nonce.
func (*OIDCClient) HandleCallback ¶
func (o *OIDCClient) HandleCallback(state, nonce string, queryParams url.Values, user interface{}) error
HandleCallback is a convenience function which exchanges the authorization code for a token and then uses the token to request user information from the user info endpoint. The implementation does not use message level encryption.
func (*OIDCClient) UserInfo ¶
func (o *OIDCClient) UserInfo(token oauth2.TokenSource, user interface{}) error
UserInfo fetches user information from provider's user info endpoint.
type OIDCClientEncrypted ¶
type OIDCClientEncrypted struct {
// contains filtered or unexported fields
}
OIDCClientEncrypted wraps the oauth2 and go-oidc libraries and provides convenience functions for implementing OIDC authentication. The difference between OIDCClientEncrypted and OIDCClient is that the former uses message level encryption when communicating with the service provider.
func NewClientMLE ¶
func NewClientMLE(ctx context.Context, config *Config) (*OIDCClientEncrypted, error)
NewClientMLE initialises and returns an OIDCClientEncrypted which can be used to implement the OIDC authorization code flow with message level encryption. Discovery is used to read the provider's OIDC configuration.
func (*OIDCClientEncrypted) AuthRequestURL ¶
func (o *OIDCClientEncrypted) AuthRequestURL(state string, opts map[string]interface{}) (string, error)
AuthRequestURL returns the authorization request URL with encrypted request object.
func (*OIDCClientEncrypted) ExchangeWithNonce ¶
func (o *OIDCClientEncrypted) ExchangeWithNonce(code, nonce string, options map[string]string) (*Tokens, error)
ExchangeWithNonce exchanges the authorization code for a token and verifies the nonce.
func (*OIDCClientEncrypted) HandleCallback ¶
func (o *OIDCClientEncrypted) HandleCallback(state, nonce string, queryParams url.Values, user interface{}) error
HandleCallback is a convenience function which exchanges the authorization code for a token and then uses the token to request user information from the user info endpoint. The implementation uses message level encryption.
func (*OIDCClientEncrypted) UserInfo ¶
func (o *OIDCClientEncrypted) UserInfo(tokenSource oauth2.TokenSource, destination interface{}) error
UserInfo fetches user information from provider's user info endpoint.
type OIDCInterface ¶
type OIDCInterface interface {
	Exchange(string, map[string]string) (*Tokens, error)
	ExchangeWithNonce(string, string, map[string]string) (*Tokens, error)
	AuthRequestURL(string, map[string]interface{}) (string, error)
	Verify(string) (*oidc.IDToken, error)
	UserInfo(oauth2.TokenSource, interface{}) error
	HandleCallback(string, string, url.Values, interface{}) error
}
OIDCInterface defines the functions that the clients must implement.
func Must ¶
func Must(client OIDCInterface, err error) OIDCInterface
Must is a convenience function to make sure that the OIDC client is successfully initialised. If the client initialization fails, the function panics.
type RemoteKeyStore ¶
type RemoteKeyStore struct {
	jose.JSONWebKeySet
	Context context.Context
	JwksURI string
	Expiry  time.Time
	// contains filtered or unexported fields
}
RemoteKeyStore stores the OIDC provider's JWKs and caches them for the duration specified in the Cache-Control header. Keys are refreshed upon expiry.
func (*RemoteKeyStore) ById ¶
func (r *RemoteKeyStore) ById(kid string) (*jose.JSONWebKey, error)
ById returns a key from the RemoteKeyStore by key id. If the RemoteKeyStore contains multiple keys with the same id, the first matching key is returned.
func (*RemoteKeyStore) ByUse ¶
func (r *RemoteKeyStore) ByUse(use string) (*jose.JSONWebKey, error)
ByUse returns a key from the RemoteKeyStore by use. If the keystore contains multiple keys with the same use, the first matching key is returned.
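The following is an added, self-contained illustration of the caching behaviour described for RemoteKeyStore, ById and ByUse; it is not the package's own code. It models a key store that downloads a JWKS, derives its expiry from the response's Cache-Control max-age, refetches only once that time has passed, and resolves keys with first-match semantics. The `jwk`, `keyStore`, `maxAge`, `newFakeProvider` and `newKeyStore` names are hypothetical, the JWK struct is a minimal stand-in for jose.JSONWebKey, the served key set is constructed, and the clock is injectable so that expiry can be exercised offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"sync"
	"time"
)

// jwk is the subset of a JSON Web Key this example needs (kid, use, kty).
// It is a constructed stand-in; the real package works with jose.JSONWebKey.
type jwk struct {
	Kid string `json:"kid"`
	Use string `json:"use"`
	Kty string `json:"kty"`
}

type jwks struct {
	Keys []jwk `json:"keys"`
}

// keyStore models the documented RemoteKeyStore behaviour: fetch the JWKS from
// JwksURI, cache it until Expiry (taken from the response's Cache-Control
// max-age) and re-fetch once that time has passed.
type keyStore struct {
	JwksURI string
	Expiry  time.Time
	Client  *http.Client
	Now     func() time.Time // injectable clock so expiry can be exercised offline
	Fetches int              // number of JWKS downloads, exposed for the demonstration

	mu   sync.Mutex
	keys []jwk
}

// maxAge parses the max-age directive of a Cache-Control header. A result of 0
// means the response is treated as already stale, so the next lookup re-fetches.
func maxAge(cacheControl string) time.Duration {
	for _, d := range strings.Split(cacheControl, ",") {
		d = strings.TrimSpace(strings.ToLower(d))
		if strings.HasPrefix(d, "max-age=") {
			if n, err := strconv.Atoi(strings.TrimPrefix(d, "max-age=")); err == nil && n > 0 {
				return time.Duration(n) * time.Second
			}
		}
	}
	return 0
}

// refresh downloads the JWKS if nothing is cached yet or the cache has expired.
// Callers must hold mu.
func (k *keyStore) refresh() error {
	if k.keys != nil && k.Now().Before(k.Expiry) {
		return nil // cached copy is still fresh
	}
	resp, err := k.Client.Get(k.JwksURI)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("jwks fetch: unexpected status %d", resp.StatusCode)
	}
	var set jwks
	if err := json.NewDecoder(resp.Body).Decode(&set); err != nil {
		return err
	}
	k.keys = set.Keys
	k.Expiry = k.Now().Add(maxAge(resp.Header.Get("Cache-Control")))
	k.Fetches++
	return nil
}

// find returns the first cached key satisfying match, refreshing first if needed.
// "First match wins" mirrors the documented ById/ByUse semantics.
func (k *keyStore) find(what string, match func(jwk) bool) (*jwk, error) {
	k.mu.Lock()
	defer k.mu.Unlock()
	if err := k.refresh(); err != nil {
		return nil, err
	}
	for i := range k.keys {
		if match(k.keys[i]) {
			key := k.keys[i] // copy so callers cannot mutate the cache
			return &key, nil
		}
	}
	return nil, fmt.Errorf("no key with %s", what)
}

// ById looks a key up by key id ("kid").
func (k *keyStore) ById(kid string) (*jwk, error) {
	return k.find("kid="+kid, func(j jwk) bool { return j.Kid == kid })
}

// ByUse looks a key up by intended use ("sig" or "enc").
func (k *keyStore) ByUse(use string) (*jwk, error) {
	return k.find("use="+use, func(j jwk) bool { return j.Use == use })
}

// newFakeProvider serves a constructed two-key JWKS with a 60 second cache lifetime.
func newFakeProvider() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Cache-Control", "public, max-age=60")
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(jwks{Keys: []jwk{
			{Kid: "sig-1", Use: "sig", Kty: "RSA"},
			{Kid: "enc-1", Use: "enc", Kty: "RSA"},
		}})
	}))
}

// newKeyStore wires a store to the given JWKS URL with a controllable clock.
func newKeyStore(jwksURI string, now func() time.Time) *keyStore {
	return &keyStore{JwksURI: jwksURI, Client: http.DefaultClient, Now: now}
}

func main() {
	srv := newFakeProvider()
	defer srv.Close()
	clock := time.Now()
	ks := newKeyStore(srv.URL, func() time.Time { return clock })
	sig, _ := ks.ById("sig-1")
	enc, _ := ks.ByUse("enc")
	fmt.Println(sig.Kid, enc.Kid, "fetches:", ks.Fetches) // both served by one download
	clock = clock.Add(61 * time.Second)                 // cache is now stale
	ks.ById("sig-1")
	fmt.Println("fetches after expiry:", ks.Fetches)
}
```

The lookups are serialised with a mutex so that a refresh triggered by one goroutine cannot race with a lookup from another; the clock is passed in rather than read from `time.Now` directly so the refresh-on-expiry path can be verified without waiting for real time to pass.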