Documentation ¶
Index ¶
- Constants
- func NewAuthenticator(issuerURL, audience, alg string) (authn.Authenticator, error)
- type Authenticator
- func (oidc *Authenticator) Authenticate(requestContext context.Context) (*authn.AuthClaims, error)
- func (oidc *Authenticator) Close()
- func (oidc *Authenticator) CreateIdentity(ctx context.Context, claims authn.AuthClaims) (string, error)
- func (oidc *Authenticator) GetConfiguration() (*ProviderConfig, error)
- func (oidc *Authenticator) GetKeys() (*keyfunc.JWKS, error)
- type IDToken
- type OIDCAuthenticator
- type ProviderConfig
- type UserInfo
Constants ¶
const (
	RS256 = "RS256" // RSASSA-PKCS-v1.5 using SHA-256
	RS384 = "RS384" // RSASSA-PKCS-v1.5 using SHA-384
	RS512 = "RS512" // RSASSA-PKCS-v1.5 using SHA-512
	ES256 = "ES256" // ECDSA using P-256 and SHA-256
	ES384 = "ES384" // ECDSA using P-384 and SHA-384
	ES512 = "ES512" // ECDSA using P-521 and SHA-512
	PS256 = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256
	PS384 = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384
	PS512 = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512
)
JOSE asymmetric signing algorithm values as defined by RFC 7518.
Variables ¶
This section is empty.
Functions ¶
func NewAuthenticator ¶
func NewAuthenticator(issuerURL, audience, alg string) (authn.Authenticator, error)
Types ¶
type Authenticator ¶
type Authenticator struct {
	IssuerURL string
	Audience  string
	JwksURI   string
	JWKs      *keyfunc.JWKS
	// contains filtered or unexported fields
}
func (*Authenticator) Authenticate ¶
func (oidc *Authenticator) Authenticate(requestContext context.Context) (*authn.AuthClaims, error)
func (*Authenticator) Close ¶
func (oidc *Authenticator) Close()
func (*Authenticator) CreateIdentity ¶
func (oidc *Authenticator) CreateIdentity(ctx context.Context, claims authn.AuthClaims) (string, error)
func (*Authenticator) GetConfiguration ¶
func (oidc *Authenticator) GetConfiguration() (*ProviderConfig, error)
type IDToken ¶
type IDToken struct {
	// The URL of the server which issued this token. OpenID Connect
	// requires this value always be identical to the URL used for
	// initial discovery.
	//
	// Note: Because of a known issue with Google Accounts' implementation
	// this value may differ when using Google.
	//
	// See: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
	Issuer string

	// The client ID, or set of client IDs, that this token is issued for. For
	// common uses, this is the client that initialized the auth flow.
	//
	// This package ensures the audience contains an expected value.
	Audience []string

	// A unique string which identifies the end user.
	Subject string

	// Expiry of the token. This package will not process tokens that have
	// expired unless that validation is explicitly turned off.
	Expiry time.Time

	// When the token was issued by the provider.
	IssuedAt time.Time

	// Initial nonce provided during the authentication redirect.
	//
	// This package does NOT provide verification on the value of this field
	// and it's the user's responsibility to ensure it contains a valid value.
	Nonce string

	// at_hash claim, if set in the ID token. Callers can verify an access token
	// that corresponds to the ID token using the VerifyAccessToken method.
	AccessTokenHash string
	// contains filtered or unexported fields
}
IDToken is an OpenID Connect extension that provides a predictable representation of an authorization event.
The ID Token only holds fields OpenID Connect requires. To access additional claims returned by the server, use the Claims method.
func (*IDToken) Claims ¶
Claims unmarshals the raw JSON payload of the ID Token into a provided struct.
idToken, err := idTokenVerifier.Verify(rawIDToken)
if err != nil {
	// handle error
}

var claims struct {
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}
if err := idToken.Claims(&claims); err != nil {
	// handle error
}
func (*IDToken) VerifyAccessToken ¶
VerifyAccessToken verifies that the hash of the access token that corresponds to the ID token matches the at_hash value carried in the ID token. It returns an error if the hashes don't match. It is the caller's responsibility to ensure that the optional access token hash is present in the ID token before calling this method. See https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
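The at_hash check that VerifyAccessToken performs is small enough to show in full. The following is an added example, not code from this package: it computes the at_hash value as OpenID Connect Core defines it (left-most half of the digest whose width follows the ID token's signing alg, base64url-encoded without padding), then compares it to the claim in constant time and, as the doc comment above requires of callers, refuses an ID token that carries no at_hash at all. The access token below is a constructed sample value; the function names are this example's own.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"hash"
)

// hashForAlg maps a JOSE signing algorithm (the constants on this page) to
// the digest at_hash is built from: SHA-256 for *256, SHA-384 for *384 and
// SHA-512 for *512. Anything else, including HS* and "none", is rejected.
func hashForAlg(alg string) (func() hash.Hash, error) {
	switch alg {
	case "RS256", "ES256", "PS256":
		return sha256.New, nil
	case "RS384", "ES384", "PS384":
		return sha512.New384, nil
	case "RS512", "ES512", "PS512":
		return sha512.New, nil
	}
	return nil, fmt.Errorf("unsupported signing alg %q", alg)
}

// ComputeAccessTokenHash returns the at_hash value for accessToken under alg:
// the left-most half of the digest, base64url-encoded with padding stripped.
func ComputeAccessTokenHash(alg, accessToken string) (string, error) {
	newHash, err := hashForAlg(alg)
	if err != nil {
		return "", err
	}
	h := newHash()
	h.Write([]byte(accessToken))
	sum := h.Sum(nil)
	return base64.RawURLEncoding.EncodeToString(sum[:len(sum)/2]), nil
}

// VerifyAccessTokenHash mirrors the check VerifyAccessToken performs. An
// empty atHash means the ID token never bound an access token, so there is
// nothing to verify and the call fails rather than silently passing.
func VerifyAccessTokenHash(alg, accessToken, atHash string) error {
	if atHash == "" {
		return errors.New("id token carries no at_hash claim")
	}
	want, err := ComputeAccessTokenHash(alg, accessToken)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(want), []byte(atHash)) != 1 {
		return errors.New("access token does not match at_hash in id token")
	}
	return nil
}

func main() {
	// Constructed sample access token; not issued by any real provider.
	const accessToken = "jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y"
	atHash, err := ComputeAccessTokenHash("RS256", accessToken)
	if err != nil {
		panic(err)
	}
	fmt.Println("at_hash:", atHash)
	fmt.Println("genuine token:", VerifyAccessTokenHash("RS256", accessToken, atHash))
	fmt.Println("swapped token:", VerifyAccessTokenHash("RS256", accessToken+"x", atHash))
	fmt.Println("missing claim:", VerifyAccessTokenHash("RS256", accessToken, ""))
}
```

Because the digest width is chosen from the ID token's own alg header, a verifier that accepts a token signed with an algorithm outside the page's asymmetric set never gets as far as computing a hash here, which is the intended failure mode.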
type OIDCAuthenticator ¶
type OIDCAuthenticator interface {
	GetConfiguration() (*ProviderConfig, error)
	GetKeys() (*keyfunc.JWKS, error)
}
type ProviderConfig ¶
type ProviderConfig struct {
	// Issuer is the identity of the provider, and the string it uses to sign
	// ID tokens with. For example "https://accounts.google.com". This value MUST
	// match ID tokens exactly.
	Issuer string `json:"issuer"`

	// AuthURL is the endpoint used by the provider to support the OAuth 2.0
	// authorization endpoint.
	AuthURL string `json:"authorization_endpoint"`

	// TokenURL is the endpoint used by the provider to support the OAuth 2.0
	// token endpoint.
	TokenURL string `json:"token_endpoint"`

	// UserInfoURL is the endpoint used by the provider to support the OpenID
	// Connect UserInfo flow.
	//
	// https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
	UserInfoURL string `json:"userinfo_endpoint"`

	// JWKSURL is the endpoint used by the provider to advertise public keys to
	// verify issued ID tokens. This endpoint is polled as new keys are made
	// available.
	JWKSURL string `json:"jwks_uri"`

	RevocationURL string `json:"revocation_endpoint"`

	// Algorithms, if provided, indicate a list of JWT algorithms allowed to sign
	// ID tokens. If not provided, this defaults to the algorithms advertised by
	// the JWK endpoint, then the set of algorithms supported by this package.
	Algorithms []string `json:"id_token_signing_alg_values_supported"`
}
ProviderConfig allows creating providers when discovery isn't supported. It's generally easier to use NewProvider directly. See https://datatracker.ietf.org/doc/html/rfc8414#section-2
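Two checks tie the Constants section and ProviderConfig together: the discovered issuer must equal the configured issuer URL exactly, and the algorithms a provider advertises in id_token_signing_alg_values_supported must be narrowed to the asymmetric set this page enumerates before any of them is trusted to verify an ID token. The following is an added example, not this package's own code: it decodes a constructed discovery document into a local copy of the ProviderConfig fields it needs, applies both checks, and then confirms that the alg an operator passes to NewAuthenticator is actually in the narrowed set. The discovery JSON, the issuer host and the function names are all assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// supportedAlgs is the asymmetric JOSE set from this page's Constants section.
var supportedAlgs = map[string]bool{
	"RS256": true, "RS384": true, "RS512": true,
	"ES256": true, "ES384": true, "ES512": true,
	"PS256": true, "PS384": true, "PS512": true,
}

// providerConfig is a local copy of the ProviderConfig fields used below,
// so the example runs without the package itself.
type providerConfig struct {
	Issuer     string   `json:"issuer"`
	JWKSURL    string   `json:"jwks_uri"`
	Algorithms []string `json:"id_token_signing_alg_values_supported"`
}

// ParseDiscovery decodes a discovery document and enforces the checks a
// verifier depends on: the advertised issuer must equal the configured issuer
// URL byte-for-byte (a trailing slash is a mismatch), and a jwks_uri must exist.
func ParseDiscovery(issuerURL string, doc []byte) (*providerConfig, error) {
	var cfg providerConfig
	if err := json.Unmarshal(doc, &cfg); err != nil {
		return nil, fmt.Errorf("decode discovery document: %w", err)
	}
	if cfg.Issuer != issuerURL {
		return nil, fmt.Errorf("issuer mismatch: configured %q, discovered %q", issuerURL, cfg.Issuer)
	}
	if cfg.JWKSURL == "" {
		return nil, errors.New("discovery document has no jwks_uri")
	}
	return &cfg, nil
}

// AllowedAlgorithms intersects the provider's advertised list with
// supportedAlgs (falling back to supportedAlgs when nothing is advertised,
// as the Algorithms doc comment describes) and requires the operator-chosen
// alg to be in the result. Symmetric HS* values and "none" are dropped even
// when the provider lists them.
func AllowedAlgorithms(cfg *providerConfig, alg string) ([]string, error) {
	if !supportedAlgs[alg] {
		return nil, fmt.Errorf("alg %q is not an asymmetric JOSE algorithm", alg)
	}
	advertised := cfg.Algorithms
	if len(advertised) == 0 {
		for a := range supportedAlgs {
			advertised = append(advertised, a)
		}
	}
	var allowed []string
	for _, a := range advertised {
		if supportedAlgs[a] {
			allowed = append(allowed, a)
		}
	}
	sort.Strings(allowed)
	for _, a := range allowed {
		if a == alg {
			return allowed, nil
		}
	}
	return nil, fmt.Errorf("alg %q not offered by provider (allowed: %s)", alg, strings.Join(allowed, ","))
}

// sampleDiscovery is a constructed discovery document for a fictional issuer.
const sampleDiscovery = `{
  "issuer": "https://issuer.example.test",
  "authorization_endpoint": "https://issuer.example.test/authorize",
  "token_endpoint": "https://issuer.example.test/token",
  "jwks_uri": "https://issuer.example.test/keys",
  "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256", "none"]
}`

func main() {
	cfg, err := ParseDiscovery("https://issuer.example.test", []byte(sampleDiscovery))
	if err != nil {
		panic(err)
	}
	allowed, err := AllowedAlgorithms(cfg, "RS256")
	fmt.Println("allowed:", allowed, "err:", err)
	_, err = AllowedAlgorithms(cfg, "HS256")
	fmt.Println("HS256:", err)
	_, err = ParseDiscovery("https://issuer.example.test/", []byte(sampleDiscovery))
	fmt.Println("trailing slash:", err)
}
```

The issuer comparison is deliberately a plain string equality rather than a normalised URL match, because the ID token's iss claim is compared the same way and any normalisation on one side but not the other opens a gap between discovery and verification.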