Documentation ¶
Index ¶
- Constants
- Variables
- func CreateGQBoundToken(ctx context.Context, idToken []byte, op OpenIdProvider, cicHash string) ([]byte, error)
- func CreateGQToken(ctx context.Context, idToken []byte, op OpenIdProvider) ([]byte, error)
- func FindAvaliablePort(redirectURIs []string) (*url.URL, net.Listener, error)
- func GenCIC(t *testing.T) *clientinstance.Claims
- func GenCICExtra(t *testing.T, extraClaims map[string]any) *clientinstance.Claims
- type BrowserOpenIdProvider
- type CommitType
- type DefaultProviderVerifier
- type GithubOp
- func (g *GithubOp) Issuer() string
- func (g *GithubOp) PublicKeyByJTK(ctx context.Context, jtk string) (*discover.PublicKeyRecord, error)
- func (g *GithubOp) PublicKeyByKeyId(ctx context.Context, keyID string) (*discover.PublicKeyRecord, error)
- func (g *GithubOp) PublicKeyByToken(ctx context.Context, token []byte) (*discover.PublicKeyRecord, error)
- func (g *GithubOp) RequestTokens(ctx context.Context, cic *clientinstance.Claims) ([]byte, error)
- func (g *GithubOp) VerifyIDToken(ctx context.Context, idt []byte, cic *clientinstance.Claims) error
- type GitlabOp
- func (g *GitlabOp) Issuer() string
- func (g *GitlabOp) PublicKeyByJTK(ctx context.Context, jtk string) (*discover.PublicKeyRecord, error)
- func (g *GitlabOp) PublicKeyByKeyId(ctx context.Context, keyID string) (*discover.PublicKeyRecord, error)
- func (g *GitlabOp) PublicKeyByToken(ctx context.Context, token []byte) (*discover.PublicKeyRecord, error)
- func (g *GitlabOp) RequestTokens(ctx context.Context, cic *clientinstance.Claims) ([]byte, error)
- func (g *GitlabOp) VerifyIDToken(ctx context.Context, idt []byte, cic *clientinstance.Claims) error
- type GoogleOp
- func (g *GoogleOp) HookHTTPSession(h http.HandlerFunc)
- func (g *GoogleOp) Issuer() string
- func (g *GoogleOp) PublicKeyByJTK(ctx context.Context, jtk string) (*discover.PublicKeyRecord, error)
- func (g *GoogleOp) PublicKeyByKeyId(ctx context.Context, keyID string) (*discover.PublicKeyRecord, error)
- func (g *GoogleOp) PublicKeyByToken(ctx context.Context, token []byte) (*discover.PublicKeyRecord, error)
- func (g *GoogleOp) RequestTokens(ctx context.Context, cic *clientinstance.Claims) ([]byte, error)
- func (g *GoogleOp) VerifyIDToken(ctx context.Context, idt []byte, cic *clientinstance.Claims) error
- type GoogleOptions
- type MockProvider
- func (m *MockProvider) Issuer() string
- func (m *MockProvider) PublicKeyByJTK(ctx context.Context, jtk string) (*discover.PublicKeyRecord, error)
- func (m *MockProvider) PublicKeyByKeyId(ctx context.Context, keyID string) (*discover.PublicKeyRecord, error)
- func (m *MockProvider) PublicKeyByToken(ctx context.Context, token []byte) (*discover.PublicKeyRecord, error)
- func (m *MockProvider) RequestTokens(ctx context.Context, cic *clientinstance.Claims) ([]byte, error)
- func (m *MockProvider) VerifyIDToken(ctx context.Context, idt []byte, cic *clientinstance.Claims) error
- type MockProviderOpts
- type OpenIdProvider
- type ProviderVerifierOpts
Constants ¶
// AudPrefixForGQCommitment is the literal prefix used when the cicHash
// commitment is carried through a GQ-bound token rather than a plain
// "nonce"/"aud" claim (see CommitTypesEnum.GQ_BOUND and CreateGQBoundToken).
// NOTE(review): how the prefix is combined with the cicHash is not visible on
// this page — confirm against CreateGQBoundToken before depending on the format.
const AudPrefixForGQCommitment = "OPENPUBKEY-PKTOKEN:"
Variables ¶
// CommitTypesEnum enumerates the places an ID token can commit to the hash of
// the client-instance claims (cicHash). For NONCE_CLAIM and AUD_CLAIM the hash
// is carried in the named payload claim and the verifier reads it back from
// there (see ProviderVerifierOpts.CommitType). For GQ_BOUND no claim is named
// and the commitment is bound via the GQ signature instead (see
// CreateGQBoundToken and AudPrefixForGQCommitment).
//
// NOTE(review): with AUD_CLAIM the "aud" claim is also the claim that the
// ClientID audience check in ProviderVerifierOpts inspects; confirm how the two
// interact before enabling AUD_CLAIM outside tests.
var CommitTypesEnum = struct {
	NONCE_CLAIM CommitType
	AUD_CLAIM   CommitType
	GQ_BOUND    CommitType
}{
	NONCE_CLAIM: CommitType{Claim: "nonce", GQCommitment: false},
	AUD_CLAIM:   CommitType{Claim: "aud", GQCommitment: false},
	GQ_BOUND:    CommitType{Claim: "", GQCommitment: true},
}
Functions ¶
func CreateGQBoundToken ¶
func CreateGQToken ¶
func FindAvaliablePort ¶
FindAvaliablePort tries each entry of redirectURIs in turn, attempting to open a listener on localhost for it, and returns the first URI it could bind together with that listener; it returns an error once it runs out of redirectURIs to try. (The misspelling in the name is part of the exported API and is kept for compatibility.)
func GenCICExtra ¶
Types ¶
type BrowserOpenIdProvider ¶
// BrowserOpenIdProvider is an OpenIdProvider whose token request is completed
// by redirecting the user's web browser back to a local HTTP endpoint with the
// authcode in the URI, and which therefore lets the caller hook that HTTP
// session. GoogleOp is the browser-based implementation on this page.
type BrowserOpenIdProvider interface {
	OpenIdProvider
	// HookHTTPSession registers h to be called after the authcode has been
	// received and before any response is written to the browser; h decides
	// what response the user sees. See GoogleOp.HookHTTPSession.
	HookHTTPSession(h http.HandlerFunc)
}
type CommitType ¶
type DefaultProviderVerifier ¶
// DefaultProviderVerifier verifies ID tokens for a single expected issuer
// according to the ProviderVerifierOpts it was built with. Construct it with
// NewProviderVerifier; its state is held in unexported fields.
type DefaultProviderVerifier struct {
	// contains filtered or unexported fields
}
func NewProviderVerifier ¶
func NewProviderVerifier(issuer string, options ProviderVerifierOpts) *DefaultProviderVerifier
NewProviderVerifier creates a DefaultProviderVerifier for the given issuer and verification options.
issuer: the OpenID provider issuer as seen in the ID token, e.g. "https://accounts.google.com". options: the ProviderVerifierOpts to verify under; its CommitType names the ID token payload claim (or GQ binding) where the cicHash was committed during issuance. (Earlier text on this page referred to a separate commitmentClaim parameter; that value is now supplied through options.CommitType.)
func (*DefaultProviderVerifier) Issuer ¶
func (v *DefaultProviderVerifier) Issuer() string
func (*DefaultProviderVerifier) VerifyIDToken ¶
func (v *DefaultProviderVerifier) VerifyIDToken(ctx context.Context, idToken []byte, cic *clientinstance.Claims) error
type GithubOp ¶
// GithubOp is the OpenIdProvider implementation for GitHub-issued ID tokens.
// Construct it with NewGithubOp; its configuration lives in unexported fields.
type GithubOp struct {
	// contains filtered or unexported fields
}
func NewGithubOp ¶
func (*GithubOp) PublicKeyByJTK ¶
func (*GithubOp) PublicKeyByKeyId ¶
func (*GithubOp) PublicKeyByToken ¶
func (*GithubOp) RequestTokens ¶
func (*GithubOp) VerifyIDToken ¶
type GitlabOp ¶
// GitlabOp is the OpenIdProvider implementation for GitLab-issued ID tokens.
// Construct it with NewGitlabOp, or with NewGitlabOpFromEnvironmentDefault
// (which, by its name, presumably reads its settings from the environment —
// confirm before relying on that in CI).
type GitlabOp struct {
	// contains filtered or unexported fields
}
func NewGitlabOp ¶
func NewGitlabOpFromEnvironmentDefault ¶
func NewGitlabOpFromEnvironmentDefault() *GitlabOp
func (*GitlabOp) PublicKeyByJTK ¶
func (*GitlabOp) PublicKeyByKeyId ¶
func (*GitlabOp) PublicKeyByToken ¶
func (*GitlabOp) RequestTokens ¶
func (*GitlabOp) VerifyIDToken ¶
type GoogleOp ¶
// GoogleOp is the OpenIdProvider (and BrowserOpenIdProvider) implementation for
// Google. The exported fields mirror GoogleOptions; prefer NewGoogleOp or
// NewGoogleOpWithOptions over constructing the struct by hand.
type GoogleOp struct {
	// ClientID is the OAuth client identifier presented to Google.
	ClientID string
	// ClientSecret is the OAuth client secret.
	// NOTE(review): a secret shipped inside a distributed CLI/desktop binary
	// (as the NewGoogleOp defaults presumably are) cannot be kept confidential;
	// do not treat it as authenticating the client.
	ClientSecret string
	// Scopes are the OAuth scopes requested during the authorization flow.
	Scopes []string
	// RedirectURIs are the candidate localhost redirect URIs; presumably the
	// list handed to FindAvaliablePort, which binds the first one it can.
	RedirectURIs []string
	// GQSign, when true, presumably causes the issued ID token to be
	// re-signed with a GQ signature (see CreateGQToken) — confirm in RequestTokens.
	GQSign bool
	// contains filtered or unexported fields
}
func (*GoogleOp) HookHTTPSession ¶
func (g *GoogleOp) HookHTTPSession(h http.HandlerFunc)
HookHTTPSession provides a means to hook the HTTP server session that results from the OpenID Provider redirecting the user's browser back to the OIDC client with the authcode supplied in the URI. If this hook is set, it is called after the authcode has been received but before any HTTP response is sent to the user; the code that sets the hook chooses what HTTP response to serve. Because the request the hook sees carries the authcode in its URI, the hook should not log or echo the request URI back in the response.
We use this so that we can redirect the user's web browser window to the MFA Cosigner URI after the user finishes the OIDC auth flow. This method is only available on browser-based providers (see BrowserOpenIdProvider).
func (*GoogleOp) PublicKeyByJTK ¶
func (*GoogleOp) PublicKeyByKeyId ¶
func (*GoogleOp) PublicKeyByToken ¶
func (*GoogleOp) RequestTokens ¶
func (*GoogleOp) VerifyIDToken ¶
type GoogleOptions ¶
// GoogleOptions is the configuration accepted by NewGoogleOpWithOptions;
// GetDefaultGoogleOpOptions returns the project's defaults.
type GoogleOptions struct {
	// ClientID is the OAuth client identifier presented to Google.
	ClientID string
	// ClientSecret is the OAuth client secret.
	// NOTE(review): if taken from GetDefaultGoogleOpOptions it is shared by every
	// user of the binary and therefore not confidential.
	ClientSecret string
	// Issuer is the expected "iss" value.
	// This should almost always be "https://accounts.google.com".
	Issuer string
	// Scopes are the OAuth scopes requested during the authorization flow.
	Scopes []string
	// RedirectURIs are the candidate localhost redirect URIs tried in order.
	RedirectURIs []string
	// GQSign presumably enables re-signing the ID token with a GQ signature
	// (see CreateGQToken) — confirm against the provider implementation.
	GQSign bool
}
func GetDefaultGoogleOpOptions ¶
func GetDefaultGoogleOpOptions() *GoogleOptions
type MockProvider ¶
// MockProvider is a test-only OpenIdProvider backed by a locally generated
// signing key. Construct it with NewMockProvider, which also returns the
// backend and ID-token template that tests use to inspect keys and mint
// deliberately malformed tokens.
type MockProvider struct {
	// contains filtered or unexported fields
}
func (*MockProvider) Issuer ¶
func (m *MockProvider) Issuer() string
func (*MockProvider) PublicKeyByJTK ¶
func (m *MockProvider) PublicKeyByJTK(ctx context.Context, jtk string) (*discover.PublicKeyRecord, error)
func (*MockProvider) PublicKeyByKeyId ¶
func (m *MockProvider) PublicKeyByKeyId(ctx context.Context, keyID string) (*discover.PublicKeyRecord, error)
func (*MockProvider) PublicKeyByToken ¶
func (m *MockProvider) PublicKeyByToken(ctx context.Context, token []byte) (*discover.PublicKeyRecord, error)
func (*MockProvider) RequestTokens ¶
func (m *MockProvider) RequestTokens(ctx context.Context, cic *clientinstance.Claims) ([]byte, error)
func (*MockProvider) VerifyIDToken ¶
func (m *MockProvider) VerifyIDToken(ctx context.Context, idt []byte, cic *clientinstance.Claims) error
type MockProviderOpts ¶
// MockProviderOpts configures NewMockProvider. DefaultMockProviderOpts returns
// a usable baseline that tests then tweak.
type MockProviderOpts struct {
	// Issuer is the "iss" value the mock OP will report and stamp into tokens.
	Issuer string
	// ClientID is the audience the mock OP issues tokens for.
	ClientID string
	// GQSign, when true, presumably makes the mock issue GQ-signed tokens.
	GQSign bool
	// NumKeys is the number of keys the mock backend provides; NewMockProvider
	// documents a single random signing key, so confirm how NumKeys > 1 is used.
	NumKeys int
	// CommitType selects where the cicHash is committed (see CommitTypesEnum).
	CommitType CommitType
	// VerifierOpts is kept as a separate field so tests can make the mock OP
	// do something that the verifier (configured independently) must reject.
	VerifierOpts ProviderVerifierOpts
}
func DefaultMockProviderOpts ¶
func DefaultMockProviderOpts() MockProviderOpts
type OpenIdProvider ¶
// OpenIdProvider is the interface for interacting with an OP (OpenID
// Provider): requesting an ID token that commits to a set of client-instance
// claims, discovering the OP's public keys, and verifying such a token.
type OpenIdProvider interface {
	// RequestTokens runs the provider's authentication flow and returns the raw
	// ID token. cic holds the client-instance claims whose hash the token must
	// commit to; where the commitment lands depends on the CommitType in use.
	RequestTokens(ctx context.Context, cic *clientinstance.Claims) ([]byte, error)
	// PublicKeyByKeyId returns the OP public key record identified by keyID.
	PublicKeyByKeyId(ctx context.Context, keyID string) (*discover.PublicKeyRecord, error)
	// PublicKeyByJTK returns the OP public key record identified by jtk
	// (presumably a JWK thumbprint — confirm in discover).
	PublicKeyByJTK(ctx context.Context, jtk string) (*discover.PublicKeyRecord, error)
	// PublicKeyByToken selects the OP public key appropriate for token.
	// NOTE(review): anything read from an unverified token to pick a key is
	// attacker-controlled; implementations must only return keys published by
	// the issuer, never material carried in the token itself.
	PublicKeyByToken(ctx context.Context, token []byte) (*discover.PublicKeyRecord, error)
	// Returns the OpenID provider issuer as seen in ID token e.g. "https://accounts.google.com"
	Issuer() string
	// VerifyIDToken checks idt's signature and claims and that it commits to
	// cic; a nil error means the token is accepted.
	VerifyIDToken(ctx context.Context, idt []byte, cic *clientinstance.Claims) error
}
Interface for interacting with the OP (OpenID Provider)
func NewGoogleOp ¶
func NewGoogleOp() OpenIdProvider
NewGoogleOp creates a Google OP (OpenID Provider) using the default configuration options. It uses the OIDC Relying Party (Client) set up by the OpenPubkey project, i.e. the project's shared client ID, client secret and redirect URIs rather than your own; use NewGoogleOpWithOptions to supply your own client.
func NewGoogleOpWithOptions ¶
func NewGoogleOpWithOptions(opts *GoogleOptions) OpenIdProvider
NewGoogleOpWithOptions creates a Google OP with the configuration given in opts. Use it when you want to register and use your own OIDC client or override any of the defaults returned by GetDefaultGoogleOpOptions.
func NewMockProvider ¶
func NewMockProvider(opts MockProviderOpts) (OpenIdProvider, *mocks.MockProviderBackend, *mocks.IDTokenTemplate, error)
NewMockProvider creates a new mock provider with a random signing key and a random key ID. It returns the provider, the mock backend, and the ID token template. Tests can use the mock backend to look up keys issued by the mock provider, and can use the ID token template to mint ID tokens with deliberately wrong claims or signatures to exercise the provider's verification failure paths.
type ProviderVerifierOpts ¶
// ProviderVerifierOpts configures DefaultProviderVerifier (see
// NewProviderVerifier). The Skip* fields relax verification and exist for
// tests and tightly controlled deployments; keep them at their zero values in
// production unless the consequence is understood.
type ProviderVerifierOpts struct {
	// If ClientID is specified, then verification will require that the ClientID
	// be present in the audience ("aud") claim of the PK token payload.
	ClientID string
	// Describes the place where the cicHash is committed to in the ID token.
	// For instance the nonce payload claim name where the cicHash was stored
	// during issuance. Use one of the values in CommitTypesEnum.
	CommitType CommitType
	// Specifies whether to skip the Client ID check, defaults to false.
	// NOTE(review): with the check skipped, a token the issuer minted for any
	// other client would also verify; only set this when the audience is
	// deliberately unknown here and is checked elsewhere.
	SkipClientIDCheck bool
	// Custom function for discovering public key of Provider. Leave nil to use
	// the verifier's built-in discovery (presumably — not visible on this page).
	DiscoverPublicKey *discover.PublicKeyFinder
	// Allows for successful verification of expired tokens.
	// NOTE(review): expiry is typically the only bound on how long a leaked
	// ID token remains usable; enable this only for offline or forensic checks.
	SkipExpirationCheck bool
	// Only allows GQ signatures, a provider signature under any other algorithm
	// is seen as an error.
	GQOnly bool
}