internal

package

Documentation

Index

Constants

// PrivateKeySrc holds key material embedded in the package as a source constant.
// NOTE(review): a private key compiled into the binary is readable by anyone with
// the source or the build artifact; confirm this is a development-only fixture
// (cf. NewClientFixture) and that deployed keys are loaded from outside the build.
const (
	PrivateKeySrc = `` /* 1762-byte string literal not displayed */

)

Variables

var (
	// ErrNotIdenticalRedirectURI signals a redirect URI that does not match the
	// one registered for the client; presumably returned by Client.IdenticalRedirectURI.
	ErrNotIdenticalRedirectURI    = errors.New("not identical redirect uri")
	// ErrClientNotAuthenticated is returned by ClientAuthenticator.Authenticate
	// when client authentication fails.
	ErrClientNotAuthenticated     = errors.New("client not authenticated")
	// ErrClientCredentialNotAllowed is returned by ClientAuthenticator.Authenticate
	// when the client is not ClientTypeConfidential.
	ErrClientCredentialNotAllowed = errors.New("client credential not allowed")
)
// ErrAccessTokenNotFound is returned by AccessTokenDatastore.Fetch when no
// access token matches the given token string.
var ErrAccessTokenNotFound = errors.New("access token not found")
// ErrClientNotFound is returned by ClientDatastore.FetchClient when no client
// has the given ID.
var ErrClientNotFound = errors.New("client not found")
// ErrCodeIsExpired is returned by CodeDatastore.Fetch when the stored
// authorization code has passed its expiry.
var ErrCodeIsExpired = errors.New("code is expired")
// ErrCodeNotFound signals that no authorization code matched; presumably returned
// by CodeDatastore.Fetch, though the interface does not document it — confirm.
var ErrCodeNotFound = errors.New("code not found")
// ErrMismatchedHashAndPassword is returned from HashedPassword.ComparePassword
// when a password and hash do not match.
var ErrMismatchedHashAndPassword = errors.New("password is not the hash of the given password")

ErrMismatchedHashAndPassword is returned from ComparePassword when a password and hash do not match.

Functions

This section is empty.

Types

type AccessToken

// AccessToken represents an OAuth 2.0 access token.
type AccessToken struct {
	// Token is the token string handed to the client.
	Token string
	// TokenType MUST be Bearer, as specified in Bearer Token Usage [RFC6750]
	//
	// [RFC6750]: https://www.rfc-editor.org/rfc/rfc6750
	TokenType AccessTokenType
	// contains filtered or unexported fields
}

AccessToken represents an OAuth 2.0 access token.

func NewAccessToken

func NewAccessToken(sub string, aud *AuthenticatedClient, scopes Scopes) (*AccessToken, error)

func (*AccessToken) Expired

func (t *AccessToken) Expired() bool

func (*AccessToken) ExpiresInSec

func (t *AccessToken) ExpiresInSec() uint32

type AccessTokenDatastore

// AccessTokenDatastore persists issued access tokens and looks them up by token string.
type AccessTokenDatastore interface {
	// Fetch fetches AccessToken.
	// If access token is not found, return ErrAccessTokenNotFound error.
	// NOTE(review): the lookup key is the raw token value; an implementation that
	// stores tokens at rest should consider keying on a hash of the token rather
	// than the plaintext — confirm what NewInMemoryAccessTokenDatastore does.
	Fetch(token string) (*AccessToken, error)
	// Save saves an access token to datastore.
	Save(accessToken *AccessToken) error
}

func NewInMemoryAccessTokenDatastore

func NewInMemoryAccessTokenDatastore() AccessTokenDatastore

type AccessTokenType

type AccessTokenType string

AccessTokenType represents an OAuth 2.0 access token type.

const (
	// AccessTokenTypeUnknown is the sentinel for an unrecognised token type.
	AccessTokenTypeUnknown AccessTokenType = "Unknown"
	// AccessTokenTypeBearer is the type AccessToken.TokenType is documented to
	// always carry (RFC 6750).
	AccessTokenTypeBearer  AccessTokenType = "Bearer"
)

type AuthenticatedClient

// AuthenticatedClient is a Client that has passed ClientAuthenticator.Authenticate.
// The distinct type exists so that code paths requiring an authenticated client
// (e.g. NewAccessToken, NewSignedIDToken) cannot be handed a bare *Client by mistake.
type AuthenticatedClient struct {
	*Client
}

AuthenticatedClient is a client that has been authenticated by the ClientAuthenticator#Authenticate method. It is used to prevent the mistake of using a client without client authentication.

type AuthorizationCode

// AuthorizationCode is an authorization code as defined by RFC 6749 Section 4.1.2.
// Following the security consideration in RFC 6819 Section 5.2.4, a code is bound
// to the issuing client's ID and the redirect URI (see NewAuthorizationCode and
// CodeDatastore.Fetch).
type AuthorizationCode struct {
	// Code is the code value returned to the client.
	Code string
	// contains filtered or unexported fields
}

AuthorizationCode is an authorization code as defined by RFC 6749 Section 4.1.2. Following the security consideration in RFC 6819 Section 5.2.4, the authorization code is bound to the clientID and redirectURI.

func NewAuthorizationCode

func NewAuthorizationCode(client *Client, redirectURI url.URL) *AuthorizationCode

func (*AuthorizationCode) Expired

func (c *AuthorizationCode) Expired() bool

func (*AuthorizationCode) Use

TODO: implement.

type BasicClientAuthenticator

// BasicClientAuthenticator implements ClientAuthenticator using HTTP Basic
// Authentication, resolving the client through the ClientDatastore passed to
// NewBasicClientAuthenticator.
type BasicClientAuthenticator struct {
	// contains filtered or unexported fields
}

func NewBasicClientAuthenticator

func NewBasicClientAuthenticator(datastore ClientDatastore) *BasicClientAuthenticator

func (*BasicClientAuthenticator) Authenticate

func (a *BasicClientAuthenticator) Authenticate(ctx context.Context, header http.Header) (*AuthenticatedClient, error)

Authenticate authenticates client using Basic Authentication.

type Client

// Client represents an OAuth 2.0 client.
type Client struct {
	// ID is a unique string and is exposed to the public.
	ID string

	// Type is the client's ClientType; ClientAuthenticator refuses client
	// credentials for any type other than ClientTypeConfidential.
	Type ClientType
	// contains filtered or unexported fields
}

Client represents an OAuth 2.0 client.

func NewClient

func NewClient(id string, clientType ClientType, hashedPassword *HashedPassword, redirectURIs []url.URL) (*Client, error)

func NewClientFixture

func NewClientFixture() []*Client

NewClientFixture creates a client fixture for local development.

func (*Client) IdenticalRedirectURI

func (c *Client) IdenticalRedirectURI(redirectURI url.URL) error

type ClientAuthenticator

// ClientAuthenticator authenticates an OAuth 2.0 client from the headers of an
// incoming HTTP request.
type ClientAuthenticator interface {
	// Authenticate authenticates client and returns AuthenticatedClient or error.
	// If authentication fails, return ErrClientNotAuthenticated error.
	// If ClientType is not ClientTypeConfidential, return ErrClientCredentialNotAllowed error.
	Authenticate(ctx context.Context, header http.Header) (*AuthenticatedClient, error)
}

type ClientDatastore

// ClientDatastore persists registered clients, keyed by Client.ID.
type ClientDatastore interface {
	// FetchClient fetches a client. If not found, return ErrClientNotFound.
	FetchClient(id string) (*Client, error)
	// SaveClient stores a client.
	SaveClient(client *Client) error
}

func NewInMemoryClientDatastore

func NewInMemoryClientDatastore() ClientDatastore

type ClientType

// ClientType is the OAuth 2.0 client type (RFC 6749 Section 2.1).
type ClientType string
const (
	// ClientTypeUnknown is the sentinel for an unrecognised client type.
	ClientTypeUnknown      ClientType = "unknown"
	// ClientTypeConfidential clients may authenticate with client credentials
	// (see ClientAuthenticator).
	ClientTypeConfidential ClientType = "confidential"
	// ClientTypePublic clients are refused client credentials with
	// ErrClientCredentialNotAllowed.
	ClientTypePublic       ClientType = "public"
)

type CodeDatastore

// CodeDatastore persists authorization codes, keyed by the code together with
// the client ID and redirect URI the code was bound to (RFC 6819 Section 5.2.4).
type CodeDatastore interface {
	// Fetch fetches AuthorizationCode which is not expired.
	// When code is expired, returns ErrCodeIsExpired error.
	// NOTE(review): single use of a code (RFC 6749 Section 4.1.2) is not
	// expressed by this interface, and AuthorizationCode.Use is still marked
	// TODO on this page; confirm where a redeemed code is invalidated.
	Fetch(code, clientID string, redirectURI url.URL) (*AuthorizationCode, error)
	// Save stores a newly issued code.
	Save(code *AuthorizationCode) error
}

func NewInMemoryCodeDatastore

func NewInMemoryCodeDatastore() CodeDatastore

type GrantType

type GrantType string

GrantType represents the OAuth 2.0 grant_type parameter.

const (
	// GrantTypeUnknown is the sentinel for an unrecognised grant_type.
	GrantTypeUnknown           GrantType = "unknown"
	// GrantTypeAuthorizationCode is the authorization code grant (RFC 6749 Section 4.1).
	GrantTypeAuthorizationCode GrantType = "authorization_code"
	// GrantTypeClientCredentials is the client credentials grant (RFC 6749 Section 4.4).
	GrantTypeClientCredentials GrantType = "client_credentials"
)

func NewGrantType

func NewGrantType(str string) (GrantType, error)

type HashedPassword

// HashedPassword is an Argon2id password hash stored as a base64 raw-URL-encoded
// string, created by NewHashedPassword and checked with ComparePassword.
// It defines String and GoString; presumably, as with RawPassword, to control
// what formatting exposes — confirm those methods redact the hash.
type HashedPassword struct {
	// contains filtered or unexported fields
}

HashedPassword is a base64 raw-URL-encoded password hash produced with the Argon2id algorithm. Argon2id is the winner of the 2015 Password Hashing Competition and is recommended by the OWASP Password Storage Cheat Sheet.

func NewHashedPassword

func NewHashedPassword(rawPassword RawPassword) *HashedPassword

NewHashedPassword generates a hashed password and salt.

func (HashedPassword) ComparePassword

func (p HashedPassword) ComparePassword(other RawPassword) error

ComparePassword compares the given raw password against the stored hash. It returns nil on success, or an error on failure.

func (HashedPassword) GoString

func (p HashedPassword) GoString() string

func (HashedPassword) String

func (p HashedPassword) String() string

type RawPassword

type RawPassword string

RawPassword is a non-hashed password. RawPassword implements fmt.Stringer and fmt.GoStringer, so the raw password is not exposed.

func (RawPassword) GoString

func (p RawPassword) GoString() string

func (RawPassword) String

func (p RawPassword) String() string

type ResponseType

type ResponseType string

ResponseType represents an OAuth 2.0 Response Type value that determines the authorization processing flow to be used.

const (
	// ResponseUnknown is the sentinel for an unrecognised response type.
	// Style: the name lacks the "Type" infix the other constants carry; kept
	// as-is because renaming an exported identifier would break callers.
	ResponseUnknown     ResponseType = "unknown"
	// ResponseTypeCode is the only response type this package accepts
	// (see ResponseTypes.ContainsOnlyCode).
	ResponseTypeCode    ResponseType = "code"
	// ResponseTypeIDToken is parsed but not supported by the Authorization Code Flow.
	ResponseTypeIDToken ResponseType = "id_token"
	// ResponseTypeToken is parsed but not supported by the Authorization Code Flow.
	ResponseTypeToken   ResponseType = "token"
)

func NewResponseType

func NewResponseType(str string) (ResponseType, error)

type ResponseTypes

type ResponseTypes []ResponseType

func NewResponseTypes

func NewResponseTypes(strs []string) (ResponseTypes, error)

func (ResponseTypes) ContainsOnlyCode

func (s ResponseTypes) ContainsOnlyCode() bool

ContainsOnlyCode checks whether the response types contain only ResponseTypeCode, because we only support the Authorization Code Flow.

type Scope

type Scope string

Scope represents an OAuth 2.0 scope. The authorization server uses the "scope" response parameter to inform the client of the scope of the access token issued. Scopes are expressed as case-sensitive strings.

const (
	// ScopeUnknown is the sentinel for an unrecognised scope string.
	ScopeUnknown Scope = "unknown"
	// ScopeOpenID is required for a request to be an OpenID Connect request
	// (see Scopes.ContainsOpenID).
	ScopeOpenID  Scope = "openid"
	// ScopeEmail requests the OpenID Connect email scope.
	ScopeEmail   Scope = "email"
)

func NewScope

func NewScope(str string) (Scope, error)

type Scopes

type Scopes []Scope

func NewScopes

func NewScopes(strs []string) (Scopes, error)

func (Scopes) ContainsOpenID

func (scopes Scopes) ContainsOpenID() bool

ContainsOpenID checks whether the scopes contain the openid scope. OpenID Connect requests MUST contain the openid scope value. (If no openid scope value is present, the request may still be a valid OAuth 2.0 request, but it is not an OpenID Connect request.)

type SignedIDToken

// SignedIDToken is a signed ID token built by NewSignedIDToken for a subject and
// an AuthenticatedClient; Token returns its encoded form.
type SignedIDToken struct {
	// contains filtered or unexported fields
}

func NewSignedIDToken

func NewSignedIDToken(sub string, client *AuthenticatedClient) (*SignedIDToken, error)

func (*SignedIDToken) Token

func (t *SignedIDToken) Token() string

Token returns the encoded ID token.

type UsedAuthorizationCode

// UsedAuthorizationCode presumably marks an authorization code that has been
// redeemed, which is what makes a code single-use (RFC 6749 Section 4.1.2);
// AuthorizationCode.Use, which would produce it, is still marked TODO on this
// page — confirm.
type UsedAuthorizationCode struct{}
