oidc

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 3, 2016 License: Apache-2.0, Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// Subject Identifier types defined by the OIDC spec. Specifies if the provider
	// should provide the same sub claim value to all clients (public) or a unique
	// value for each client (pairwise).
	//
	// See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
	SubjectTypePublic   = "public"
	SubjectTypePairwise = "pairwise"
)
View Source 
const (
	MaximumProviderConfigSyncInterval = 24 * time.Hour
	MinimumProviderConfigSyncInterval = time.Minute
)

Variables

View Source 
var (
	// Default values for omitted provider config fields.
	//
	// Use ProviderConfig's Defaults method to fill a provider config with these values.
	DefaultGrantTypesSupported               = []string{oauth2.GrantTypeAuthCode, oauth2.GrantTypeImplicit}
	DefaultResponseModesSupported            = []string{"query", "fragment"}
	DefaultTokenEndpointAuthMethodsSupported = []string{oauth2.AuthMethodClientSecretBasic}
	DefaultClaimTypesSupported               = []string{"normal"}
)
View Source 
var (
	DefaultScope = []string{"openid", "email", "profile"}
)

Functions

func ExtractBearerToken 

func ExtractBearerToken(r *http.Request) (string, error)

ExtractBearerToken is a RequestTokenExtractor which extracts a bearer token from a request's Authorization header.

func GenClientID 

func GenClientID(hostport string) (string, error)

func NewClaims 

func NewClaims(iss, sub string, aud interface{}, iat, exp time.Time) jose.Claims

func NewHTTPProviderConfigGetter 

func NewHTTPProviderConfigGetter(hc phttp.Client, issuerURL string) *httpProviderConfigGetter

func NewRemotePublicKeyRepo 

func NewRemotePublicKeyRepo(hc phttp.Client, ep string) *remotePublicKeyRepo

func VerifyClaims 

func VerifyClaims(jwt jose.JWT, issuer, clientID string) error

Verify claims in accordance with OIDC spec http://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation

func VerifyClientClaims 

func VerifyClientClaims(jwt jose.JWT, issuer string) (string, error)

VerifyClientClaims verifies all the required claims are valid for a "client credentials" JWT. Returns the client ID if valid, or an error if invalid.

func VerifySignature 

func VerifySignature(jwt jose.JWT, keys []key.PublicKey) (bool, error)

Types

type AuthenticatedTransport 

type AuthenticatedTransport struct {
	TokenRefresher
	http.RoundTripper
	// contains filtered or unexported fields
}

func (*AuthenticatedTransport) RoundTrip 

func (t *AuthenticatedTransport) RoundTrip(r *http.Request) (*http.Response, error)

type Client 

type Client struct {
	// contains filtered or unexported fields
}

func NewClient 

func NewClient(cfg ClientConfig) (*Client, error)

func (*Client) ClientCredsToken 

func (c *Client) ClientCredsToken(scope []string) (jose.JWT, error)

func (*Client) ExchangeAuthCode 

func (c *Client) ExchangeAuthCode(code string) (jose.JWT, error)

ExchangeAuthCode exchanges an OAuth2 auth code for an OIDC JWT ID token.

func (*Client) Healthy 

func (c *Client) Healthy() error

func (*Client) OAuthClient 

func (c *Client) OAuthClient() (*oauth2.Client, error)

func (*Client) RefreshToken 

func (c *Client) RefreshToken(refreshToken string) (jose.JWT, error)

RefreshToken uses a refresh token to exchange for a new OIDC JWT ID Token.

func (*Client) SyncProviderConfig 

func (c *Client) SyncProviderConfig(discoveryURL string) chan struct{}

SyncProviderConfig starts the provider config syncer

func (*Client) VerifyJWT 

func (c *Client) VerifyJWT(jwt jose.JWT) error

type ClientConfig 

type ClientConfig struct {
	HTTPClient     phttp.Client
	Credentials    ClientCredentials
	Scope          []string
	RedirectURL    string
	ProviderConfig ProviderConfig
	KeySet         key.PublicKeySet
}

type ClientCredentials 

type ClientCredentials oauth2.ClientCredentials

type ClientCredsTokenRefresher 

type ClientCredsTokenRefresher struct {
	Issuer     string
	OIDCClient *Client
}

func (*ClientCredsTokenRefresher) Refresh 

func (c *ClientCredsTokenRefresher) Refresh() (jwt jose.JWT, err error)

func (*ClientCredsTokenRefresher) Verify 

func (c *ClientCredsTokenRefresher) Verify(jwt jose.JWT) (err error)

type ClientIdentity 

type ClientIdentity struct {
	Credentials ClientCredentials
	Metadata    ClientMetadata
}

type ClientMetadata 

type ClientMetadata struct {
	RedirectURIs []url.URL // Required

	// A list of OAuth 2.0 "response_type" values that the client wishes to restrict
	// itself to. Either "code", "token", or another registered extension.
	//
	// If omitted, only "code" will be used.
	ResponseTypes []string
	// A list of OAuth 2.0 grant types the client wishes to restrict itself to.
	// The grant type values used by OIDC are "authorization_code", "implicit",
	// and "refresh_token".
	//
	// If ommitted, only "authorization_code" will be used.
	GrantTypes []string
	// "native" or "web". If omitted, "web".
	ApplicationType string

	// List of email addresses.
	Contacts []mail.Address
	// Name of client to be presented to the end-user.
	ClientName string
	// URL that references a logo for the Client application.
	LogoURI *url.URL
	// URL of the home page of the Client.
	ClientURI *url.URL
	// Profile data policies and terms of use to be provided to the end user.
	PolicyURI         *url.URL
	TermsOfServiceURI *url.URL

	// URL to or the value of the client's JSON Web Key Set document.
	JWKSURI *url.URL
	JWKS    *jose.JWKSet

	// URL referencing a flie with a single JSON array of redirect URIs.
	SectorIdentifierURI *url.URL

	SubjectType string

	// Options to restrict the JWS alg and enc values used for server responses and requests.
	IDTokenResponseOptions  JWAOptions
	UserInfoResponseOptions JWAOptions
	RequestObjectOptions    JWAOptions

	// Client requested authorization method and signing options for the token endpoint.
	//
	// Defaults to "client_secret_basic"
	TokenEndpointAuthMethod     string
	TokenEndpointAuthSigningAlg string

	// DefaultMaxAge specifies the maximum amount of time in seconds before an authorized
	// user must reauthroize.
	//
	// If 0, no limitation is placed on the maximum.
	DefaultMaxAge int64
	// RequireAuthTime specifies if the auth_time claim in the ID token is required.
	RequireAuthTime bool

	// Default Authentication Context Class Reference values for authentication requests.
	DefaultACRValues []string

	// URI that a third party can use to initiate a login by the relaying party.
	//
	// See: http://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin
	InitiateLoginURI *url.URL
	// Pre-registered request_uri values that may be cached by the server.
	RequestURIs []url.URL
}

ClientMetadata holds metadata that the authorization server associates with a client identifier. The fields range from human-facing display strings such as client name, to items that impact the security of the protocol, such as the list of valid redirect URIs.

See http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata

TODO: support language specific claim representations http://openid.net/specs/openid-connect-registration-1_0.html#LanguagesAndScripts

func (ClientMetadata) Defaults added in v0.3.0 

func (m ClientMetadata) Defaults() ClientMetadata

Defaults returns a shallow copy of ClientMetadata with default values replacing omitted fields.

func (*ClientMetadata) MarshalJSON added in v0.3.0 

func (m *ClientMetadata) MarshalJSON() ([]byte, error)

func (*ClientMetadata) UnmarshalJSON added in v0.3.0 

func (m *ClientMetadata) UnmarshalJSON(data []byte) error

func (*ClientMetadata) Valid 

func (m *ClientMetadata) Valid() error

Valid determines if a ClientMetadata conforms with the OIDC specification.

Valid is called by UnmarshalJSON.

NOTE(ericchiang): For development purposes Valid does not mandate 'https' for URLs fields where the OIDC spec requires it. This may change in future releases of this package. See: https://github.com/coreos/go-oidc/issues/34

type ClientRegistrationResponse added in v0.3.0 

type ClientRegistrationResponse struct {
	ClientID                string // Required
	ClientSecret            string
	RegistrationAccessToken string
	RegistrationClientURI   string
	// If IsZero is true, unspecified.
	ClientIDIssuedAt time.Time
	// Time at which the client_secret will expire.
	// If IsZero is true, it will not expire.
	ClientSecretExpiresAt time.Time

	ClientMetadata
}

func (*ClientRegistrationResponse) MarshalJSON added in v0.3.0 

func (c *ClientRegistrationResponse) MarshalJSON() ([]byte, error)

func (*ClientRegistrationResponse) UnmarshalJSON added in v0.3.0 

func (c *ClientRegistrationResponse) UnmarshalJSON(data []byte) error

type Identity 

type Identity struct {
	ID        string
	Name      string
	Email     string
	ExpiresAt time.Time
}

func IdentityFromClaims 

func IdentityFromClaims(claims jose.Claims) (*Identity, error)

type JWAOptions added in v0.3.0 

type JWAOptions struct {
	// SigningAlg specifies an JWA alg for signing JWTs.
	//
	// Specifying this field implies different actions depending on the context. It may
	// require objects be serialized and signed as a JWT instead of plain JSON, or
	// require an existing JWT object use the specified alg.
	//
	// See: http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
	SigningAlg string
	// EncryptionAlg, if provided, specifies that the returned or sent object be stored
	// (or nested) within a JWT object and encrypted with the provided JWA alg.
	EncryptionAlg string
	// EncryptionEnc specifies the JWA enc algorithm to use with EncryptionAlg. If
	// EncryptionAlg is provided and EncryptionEnc is omitted, this field defaults
	// to A128CBC-HS256.
	//
	// If EncryptionEnc is provided EncryptionAlg must also be specified.
	EncryptionEnc string
}

type JWTVerifier 

type JWTVerifier struct {
	// contains filtered or unexported fields
}

func NewJWTVerifier 

func NewJWTVerifier(issuer, clientID string, syncFunc func() error, keysFunc func() []key.PublicKey) JWTVerifier

func (*JWTVerifier) Verify 

func (v *JWTVerifier) Verify(jwt jose.JWT) error

type LoginFunc 

type LoginFunc func(ident Identity, sessionKey string) (redirectURL string, err error)

type ProviderConfig 

type ProviderConfig struct {
	Issuer               *url.URL // Required
	AuthEndpoint         *url.URL // Required
	TokenEndpoint        *url.URL // Required if grant types other than "implicit" are supported
	UserInfoEndpoint     *url.URL
	KeysEndpoint         *url.URL // Required
	RegistrationEndpoint *url.URL

	// Servers MAY choose not to advertise some supported scope values even when this
	// parameter is used, although those defined in OpenID Core SHOULD be listed, if supported.
	ScopesSupported []string
	// OAuth2.0 response types supported.
	ResponseTypesSupported []string // Required
	// OAuth2.0 response modes supported.
	//
	// If omitted, defaults to DefaultResponseModesSupported.
	ResponseModesSupported []string
	// OAuth2.0 grant types supported.
	//
	// If omitted, defaults to DefaultGrantTypesSupported.
	GrantTypesSupported []string
	ACRValuesSupported  []string
	// SubjectTypesSupported specifies strategies for providing values for the sub claim.
	SubjectTypesSupported []string // Required

	// JWA signing and encryption algorith values supported for ID tokens.
	IDTokenSigningAlgValues    []string // Required
	IDTokenEncryptionAlgValues []string
	IDTokenEncryptionEncValues []string

	// JWA signing and encryption algorith values supported for user info responses.
	UserInfoSigningAlgValues    []string
	UserInfoEncryptionAlgValues []string
	UserInfoEncryptionEncValues []string

	// JWA signing and encryption algorith values supported for request objects.
	ReqObjSigningAlgValues    []string
	ReqObjEncryptionAlgValues []string
	ReqObjEncryptionEncValues []string

	TokenEndpointAuthMethodsSupported          []string
	TokenEndpointAuthSigningAlgValuesSupported []string
	DisplayValuesSupported                     []string
	ClaimTypesSupported                        []string
	ClaimsSupported                            []string
	ServiceDocs                                *url.URL
	ClaimsLocalsSupported                      []string
	UILocalsSupported                          []string
	ClaimsParameterSupported                   bool
	RequestParameterSupported                  bool
	RequestURIParamaterSupported               bool
	RequireRequestURIRegistration              bool

	Policy         *url.URL
	TermsOfService *url.URL

	// Not part of the OpenID Provider Metadata
	ExpiresAt time.Time
}

ProviderConfig represents the OpenID Provider Metadata specifying what configurations a provider supports.

See: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

func FetchProviderConfig 

func FetchProviderConfig(hc phttp.Client, issuerURL string) (ProviderConfig, error)

func WaitForProviderConfig 

func WaitForProviderConfig(hc phttp.Client, issuerURL string) (pcfg ProviderConfig)

func (ProviderConfig) Defaults added in v0.3.0 

func (p ProviderConfig) Defaults() ProviderConfig

Defaults returns a shallow copy of ProviderConfig with default values replacing omitted fields. 

var cfg oidc.ProviderConfig
// Fill provider config with default values for omitted fields.
cfg = cfg.Defaults()

func (ProviderConfig) Empty 

func (p ProviderConfig) Empty() bool

Empty returns if a ProviderConfig holds no information.

This case generally indicates a ProviderConfigGetter has experienced an error and has nothing to report.

func (*ProviderConfig) MarshalJSON added in v0.3.0 

func (p *ProviderConfig) MarshalJSON() ([]byte, error)

func (ProviderConfig) Supports added in v0.3.0 

func (p ProviderConfig) Supports(c ClientMetadata) error

Supports determines if provider supports a client given their respective metadata.

func (ProviderConfig) SupportsGrantType 

func (p ProviderConfig) SupportsGrantType(grantType string) bool

func (*ProviderConfig) UnmarshalJSON added in v0.3.0 

func (p *ProviderConfig) UnmarshalJSON(data []byte) error

func (ProviderConfig) Valid added in v0.3.0 

func (p ProviderConfig) Valid() error

Valid determines if a ProviderConfig conforms with the OIDC specification. If Valid returns successfully it guarantees required field are non-nil and URLs are well formed.

Valid is called by UnmarshalJSON.

NOTE(ericchiang): For development purposes Valid does not mandate 'https' for URLs fields where the OIDC spec requires it. This may change in future releases of this package. See: https://github.com/coreos/go-oidc/issues/34

type ProviderConfigGetter 

type ProviderConfigGetter interface {
	Get() (ProviderConfig, error)
}

type ProviderConfigSetter 

type ProviderConfigSetter interface {
	Set(ProviderConfig) error
}

type ProviderConfigSyncer 

type ProviderConfigSyncer struct {
	// contains filtered or unexported fields
}

func NewProviderConfigSyncer 

func NewProviderConfigSyncer(from ProviderConfigGetter, to ProviderConfigSetter) *ProviderConfigSyncer

func (*ProviderConfigSyncer) Run 

func (s *ProviderConfigSyncer) Run() chan struct{}

func (*ProviderConfigSyncer) WaitUntilInitialSync added in v0.2.1 

func (s *ProviderConfigSyncer) WaitUntilInitialSync()

type RequestTokenExtractor 

type RequestTokenExtractor func(r *http.Request) (string, error)

RequestTokenExtractor funcs extract a raw encoded token from a request.

func CookieTokenExtractor 

func CookieTokenExtractor(cookieName string) RequestTokenExtractor

CookieTokenExtractor returns a RequestTokenExtractor which extracts a token from the named cookie in a request.

type TokenRefresher 

type TokenRefresher interface {
	// Verify checks if the provided token is currently valid or not.
	Verify(jose.JWT) error

	// Refresh attempts to authenticate and retrieve a new token.
	Refresh() (jose.JWT, error)
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.