o2pro: github.com/jmcvetta/o2pro

package o2pro

import "github.com/jmcvetta/o2pro"

Package o2pro is an OAuth2 provider. It currently implements only a subset of the full OAuth2 specification:

- Resource Owner Password Credentials Grant: http://tools.ietf.org/html/rfc6749#section-4.3

- Bearer Tokens: https://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-16


Package Files

access.go authz.go client.go code.go doc.go endpoint.go errors.go mongo.go password.go provider.go response.go util.go


const (
    PublicClient       = "public"
    ConfidentialClient = "confidential"
)


var (
    ErrInvalidRequest = errors.New("" /* 212 byte string literal not displayed */)

    ErrNotAuthorized = errors.New("Authorization not granted.")
    ErrInvalidToken  = errors.New("The access token provided is expired, revoked, malformed, or invalid for other reasons.")

    ErrInsufficientScope = errors.New("The request requires higher privileges than provided by the access token.")
)

Standard OAuth2 error types: https://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-16#section-3.1

var (
    ErrNotImplemented = errors.New("Not Implemented")
    ErrNoToken        = errors.New("Request does not contain an access token.")
)

Internal errors

var (
    DefaultExpireAfter = "8h" // Duration string for time.ParseDuration()
    DefaultLogger      = log.New(os.Stdout, "[o2pro] ", log.Ltime|log.Ldate|log.Lshortfile)
    DefaultScopes      = []string{"all"}
)

func GrantAll

func GrantAll(user, scope string, c *Client) (bool, error)

GrantAll is a Grantor that always returns true.

type Authenticator

type Authenticator func(user, password string) (bool, error)

An Authenticator authenticates a user's credentials.

type Authz

type Authz struct {
    Id         int64 `bson:",omitempty"`
    Uuid       string
    Token      string
    User       string
    ClientId   int64
    Client     *Client
    Issued     time.Time
    Expiration time.Time
    Note       string
    Scopes     []string
}

An Authz is an authorization.

func (*Authz) ScopeString

func (a *Authz) ScopeString() string

func (*Authz) ScopesMap

func (a *Authz) ScopesMap() map[string]bool

ScopesMap returns the scopes in this authorization as a map keyed by scope name, for easy membership lookup. Every value in the map is true.

type Client

type Client struct {
    Id          int64  `bson:",omitempty"`
    ClientType  string // "public" or "confidential"
    RedirectUri string
    AppName     string
    WebSite     string
    Description string
}

A Client is an application making protected resource requests on behalf of the resource owner and with its authorization.

type Code

type Code struct {
    Id int64 `bson:",omitempty"`
}

A Code is an authorization code, entitling its holder to be issued an authorization.

type ErrorResponse

type ErrorResponse struct {
    Error string `json:"error"`                       // REQUIRED.  A single ASCII error code from the Error Codes constants.
    Desc  string `json:"error_description,omitempty"` // OPTIONAL.  Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred.
    Uri   string `json:"error_uri,omitempty"`         // OPTIONAL.  A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
}


An ErrorResponse is sent with HTTP status code 400.

type Grantor

type Grantor func(user, scope string, c *Client) (bool, error)

A Grantor decides whether to grant access for a given user, scope, and client. Client is optional.

type PasswordRequest

type PasswordRequest struct {
    GrantType string `json:"grant_type"` // REQUIRED.  Value MUST be set to "password".
    Username  string `json:"username"`   // REQUIRED.  The resource owner username.
    Password  string `json:"password"`   // REQUIRED.  The resource owner password.
    Scope     string `json:"scope"`      // OPTIONAL.  The scope of the access request as described by http://tools.ietf.org/html/rfc6749#section-3.3
    Note      string `json:"note"`       // OPTIONAL.  Not part of RFC spec - inspired by Github.
}

A PasswordRequest is submitted by a client requesting authorization using the Resource Owner Password Credentials Grant flow.

type Provider

type Provider struct {
    Scopes        []string      // All scopes supported by this server
    DefaultScopes []string      // Issued if no specific scope(s) requested
    Duration      time.Duration // Lifetime for an authorization
    Logger        *log.Logger
    // contains filtered or unexported fields
}

A Provider is an OAuth2 authorization server.

func NewProvider

func NewProvider(s Storage, a Authenticator, g Grantor) *Provider

NewProvider initializes a new OAuth2 provider server.

func (*Provider) Authenticate

func (p *Provider) Authenticate(user, password string) (bool, error)

Authenticate validates a user's credentials.

func (*Provider) Authz

func (p *Provider) Authz(token string) (*Authz, error)

Authz looks up an authorization based on its token.

func (*Provider) Grant

func (p *Provider) Grant(user, scope string, c *Client) (bool, error)

Grant decides whether to grant an authorization.

func (*Provider) Initialize

func (p *Provider) Initialize() error

Initialize prepares a fresh database, creating necessary schema, indexes, etc. Behavior is undefined if called with an already-initialized db.

func (*Provider) Migrate

func (p *Provider) Migrate() error

Migrate attempts to update the database to use the latest schema, indexes, etc. Some storage implementations may return ErrNotImplemented.

func (*Provider) NewAuthz

func (p *Provider) NewAuthz(user, note string, scopes []string) (*Authz, error)

NewAuthz issues a new authorization.

func (*Provider) PasswordGrantHandler

func (p *Provider) PasswordGrantHandler() http.HandlerFunc

func (*Provider) RequireAuthc

func (p *Provider) RequireAuthc(fn http.HandlerFunc) http.HandlerFunc

RequireAuthc wraps an http.HandlerFunc, restricting access to authenticated users.

func (*Provider) RequireScope

func (p *Provider) RequireScope(fn http.HandlerFunc, scope string) http.HandlerFunc

RequireScope wraps an http.HandlerFunc, restricting access to authenticated users whose authorization includes the specified scope.

type Storage

type Storage interface {
    // contains filtered or unexported methods
}

A Storage back end saves and retrieves authorizations to persistent storage.

func NewMongoStorage

func NewMongoStorage(db *mgo.Database, dur time.Duration) Storage

NewMongoStorage constructs a new mongoStorage.

type TokenResponse

type TokenResponse struct {
    AccessToken  string `json:"access_token"`            // REQUIRED.  The access token issued by the authorization server.
    TokenType    string `json:"token_type"`              // REQUIRED.  The type of the token issued as described in Section 7.1.  Value is case insensitive.
    ExpiresIn    int    `json:"expires_in,omitempty"`    // RECOMMENDED.  The lifetime in seconds of the access token.  For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.
    RefreshToken string `json:"refresh_token,omitempty"` // OPTIONAL.  The refresh token, which can be used to obtain new access tokens using the same authorization grant as described in Section 6.
    Scope        string `json:"scope"`                   // OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED.  The scope of the access token as described by Section 3.3.
}

A TokenResponse is sent on a successful authorization request.



Package o2pro imports 15 packages and is imported by 3 packages. Updated 2016-07-15.