oidc

package v0.0.0-...-9e5aafb

Published: Nov 12, 2022 License: MIT Imports: 17 Imported by: 0

README

OpenID Connect (OIDC)

What is OIDC

OIDC is a simple identity layer on top of OAuth2. It lets a client verify the identity of the end user and obtain basic profile information about them. OIDC returns that information as a JSON Web Token (JWT), obtained through an OAuth2-compliant flow.

OAuth2 is about resource access and sharing; OIDC is about user authentication.

Its purpose is to give you a single login across multiple sites. Whenever a site requires you to log in via OIDC, you are redirected to the OpenID site you log in with and then sent back to the original site. For example, signing in to Auth0 with a Google account uses OIDC. After you successfully authenticate with Google and authorize Auth0 to access your information, Google sends information about the user and the authentication that was performed back to Auth0. This information is returned in a JWT, as an ID Token or an Access Token.

A JWT contains claims: statements about an entity (usually the user), such as a name or email address, plus other metadata. The OIDC specification defines a set of standard claims, including name, email, gender, date of birth and so on. If you need information about a user for which no standard claim is a good fit, you can define custom claims and add them to the token.

Compared with OAuth2, OIDC introduces some new concepts:

  • OpenID Provider (OP): an OAuth2 authorization server that implements OIDC
  • Relying Party (RP): an OAuth2 client that uses OIDC
  • End-User (EU): the user
  • ID Token: the authorization claims, in JWT format
  • UserInfo Endpoint: the user-information endpoint, which returns user information when accessed with an ID Token; this endpoint must be served over HTTPS

OpenID Connect Discovery

Documentation

Constants

const (
	RS256 = "RS256" // RSASSA-PKCS-v1.5 using SHA-256
	RS384 = "RS384" // RSASSA-PKCS-v1.5 using SHA-384
	RS512 = "RS512" // RSASSA-PKCS-v1.5 using SHA-512
	ES256 = "ES256" // ECDSA using P-256 and SHA-256
	ES384 = "ES384" // ECDSA using P-384 and SHA-384
	ES512 = "ES512" // ECDSA using P-521 and SHA-512
	PS256 = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256
	PS384 = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384
	PS512 = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512
)

JOSE asymmetric signing algorithm values as defined by RFC 7518

see: https://tools.ietf.org/html/rfc7518#section-3.1

Variables

This section is empty.

Functions

func NewAuthenticator

func NewAuthenticator(issuerURL, audience, alg string) (authn.Authenticator, error)

Types

type Authenticator

type Authenticator struct {
	IssuerURL string
	Audience  string

	JwksURI string
	JWKs    *keyfunc.JWKS
	// contains filtered or unexported fields
}

func (*Authenticator) Authenticate

func (oidc *Authenticator) Authenticate(requestContext context.Context) (*authn.AuthClaims, error)

func (*Authenticator) Close

func (oidc *Authenticator) Close()

func (*Authenticator) CreateIdentity

func (oidc *Authenticator) CreateIdentity(ctx context.Context, claims authn.AuthClaims) (string, error)

func (*Authenticator) GetConfiguration

func (oidc *Authenticator) GetConfiguration() (*ProviderConfig, error)

func (*Authenticator) GetKeys

func (oidc *Authenticator) GetKeys() (*keyfunc.JWKS, error)

type IDToken

type IDToken struct {
	// The URL of the server which issued this token. OpenID Connect
	// requires this value always be identical to the URL used for
	// initial discovery.
	//
	// Note: Because of a known issue with Google Accounts' implementation
	// this value may differ when using Google.
	//
	// See: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
	Issuer string

	// The client ID, or set of client IDs, that this token is issued for. For
	// common uses, this is the client that initialized the auth flow.
	//
	// This package ensures the audience contains an expected value.
	Audience []string

	// A unique string which identifies the end user.
	Subject string

	// Expiry of the token. This package will not process tokens that have
	// expired unless that validation is explicitly turned off.
	Expiry time.Time
	// When the token was issued by the provider.
	IssuedAt time.Time

	// Initial nonce provided during the authentication redirect.
	//
	// This package does NOT provide verification on the value of this field
	// and it's the user's responsibility to ensure it contains a valid value.
	Nonce string

	// at_hash claim, if set in the ID token. Callers can verify an access token
	// that corresponds to the ID token using the VerifyAccessToken method.
	AccessTokenHash string
	// contains filtered or unexported fields
}

IDToken is an OpenID Connect extension that provides a predictable representation of an authorization event.

The ID Token only holds fields OpenID Connect requires. To access additional claims returned by the server, use the Claims method.

func (*IDToken) Claims

func (i *IDToken) Claims(v interface{}) error

Claims unmarshals the raw JSON payload of the ID Token into a provided struct.

idToken, err := idTokenVerifier.Verify(rawIDToken)
if err != nil {
	// handle error
}
var claims struct {
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}
if err := idToken.Claims(&claims); err != nil {
	// handle error
}

func (*IDToken) VerifyAccessToken

func (i *IDToken) VerifyAccessToken(accessToken string) error

VerifyAccessToken verifies that the hash of the access token that corresponds to the ID token matches the hash in the ID token. It returns an error if the hashes don't match. It is the caller's responsibility to ensure that the optional access token hash is present in the ID token before calling this method. See https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
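The at_hash check described above, as an added example that is not the package's own code: it computes the expected at_hash for an access token (hash of the token's ASCII octets under the ID token's alg, left-most half of the digest, base64url without padding) and compares it in constant time. The function names and the sample token are constructed for this example.

```go
package main

import (
	"crypto"
	_ "crypto/sha256" // registers SHA-256 with crypto.Hash
	_ "crypto/sha512" // registers SHA-384 and SHA-512
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// at_hash is built with the hash function of the ID token's own alg (OIDC Core 3.1.3.6).
var atHashDigest = map[string]crypto.Hash{
	"RS256": crypto.SHA256, "ES256": crypto.SHA256, "PS256": crypto.SHA256,
	"RS384": crypto.SHA384, "ES384": crypto.SHA384, "PS384": crypto.SHA384,
	"RS512": crypto.SHA512, "ES512": crypto.SHA512, "PS512": crypto.SHA512,
}

// expectedAtHash hashes the ASCII octets of the access token, keeps the
// left-most half of the digest and base64url-encodes it without padding.
func expectedAtHash(alg, accessToken string) (string, error) {
	h, ok := atHashDigest[alg]
	if !ok {
		return "", fmt.Errorf("alg %q is not one of this package's asymmetric algorithms", alg)
	}
	d := h.New()
	d.Write([]byte(accessToken))
	sum := d.Sum(nil)
	return base64.RawURLEncoding.EncodeToString(sum[:len(sum)/2]), nil
}

// verifyAccessTokenHash is the check VerifyAccessToken performs; the caller is
// responsible for knowing at_hash was present, so an empty value is a failure too.
func verifyAccessTokenHash(alg, atHash, accessToken string) error {
	want, err := expectedAtHash(alg, accessToken)
	if err != nil {
		return err
	}
	if atHash == "" || subtle.ConstantTimeCompare([]byte(want), []byte(atHash)) != 1 {
		return errors.New("at_hash missing or does not match the access token")
	}
	return nil
}

func main() {
	const token = "jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y" // constructed sample, not a real credential
	atHash, _ := expectedAtHash("RS256", token)
	fmt.Println("at_hash:", atHash, "verifies:", verifyAccessTokenHash("RS256", atHash, token) == nil)
}
```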

type OIDCAuthenticator

type OIDCAuthenticator interface {
	GetConfiguration() (*ProviderConfig, error)
	GetKeys() (*keyfunc.JWKS, error)
}

type ProviderConfig

type ProviderConfig struct {
	// IssuerURL is the identity of the provider, and the string it uses to sign
	// ID tokens with. For example "https://accounts.google.com". This value MUST
	// match ID tokens exactly.
	Issuer string `json:"issuer"`

	// AuthURL is the endpoint used by the provider to support the OAuth 2.0
	// authorization endpoint.
	AuthURL string `json:"authorization_endpoint"`

	// TokenURL is the endpoint used by the provider to support the OAuth 2.0
	// token endpoint.
	TokenURL string `json:"token_endpoint"`

	// UserInfoURL is the endpoint used by the provider to support the OpenID
	// Connect UserInfo flow.
	//
	// https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
	UserInfoURL string `json:"userinfo_endpoint"`

	// JWKSURL is the endpoint used by the provider to advertise public keys to
	// verify issued ID tokens. This endpoint is polled as new keys are made
	// available.
	JWKSURL string `json:"jwks_uri"`

	RevocationURL string `json:"revocation_endpoint"`

	// Algorithms, if provided, indicate a list of JWT algorithms allowed to sign
	// ID tokens. If not provided, this defaults to the algorithms advertised by
	// the JWK endpoint, then the set of algorithms supported by this package.
	Algorithms []string `json:"id_token_signing_alg_values_supported"`
}

ProviderConfig allows creating providers when discovery isn't supported. It's generally easier to use NewProvider directly. See https://datatracker.ietf.org/doc/html/rfc8414#section-2
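An added example, not the package's code, of the checks an RP should run on a discovery document before trusting it, using the same issuerURL and alg inputs NewAuthenticator takes: exact issuer match, HTTPS-only jwks_uri and userinfo_endpoint, and a signing alg the provider actually advertises. The discoveryDoc struct, the function names and the sample JSON are constructed here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// discoveryDoc holds the ProviderConfig fields checked here, with the same JSON tags; declared locally so the example builds alone.
type discoveryDoc struct {
	Issuer      string   `json:"issuer"`
	UserInfoURL string   `json:"userinfo_endpoint"`
	JWKSURL     string   `json:"jwks_uri"`
	Algorithms  []string `json:"id_token_signing_alg_values_supported"`
}

// isHTTPS: endpoints that keys and claims are fetched from must not be plain HTTP.
func isHTTPS(raw string) bool {
	u, err := url.Parse(raw)
	return err == nil && u.Scheme == "https" && u.Host != ""
}

// checkDiscovery validates a fetched discovery document against the issuerURL and alg the RP was configured with.
func checkDiscovery(issuerURL, alg string, body []byte) (*discoveryDoc, error) {
	var doc discoveryDoc
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, fmt.Errorf("discovery document is not valid JSON: %w", err)
	}
	if doc.Issuer != issuerURL { // exact match: no trailing-slash, case or port normalization
		return nil, fmt.Errorf("issuer mismatch: configured %q, document says %q", issuerURL, doc.Issuer)
	}
	if !isHTTPS(doc.JWKSURL) || (doc.UserInfoURL != "" && !isHTTPS(doc.UserInfoURL)) {
		return nil, fmt.Errorf("jwks_uri %q and userinfo_endpoint %q must be https URLs", doc.JWKSURL, doc.UserInfoURL)
	}
	// "none" is never acceptable; when the provider lists algs, the configured one must be among them.
	allowed := len(doc.Algorithms) == 0 // no list: the package falls back to its own RS/ES/PS set
	for _, a := range doc.Algorithms {
		allowed = allowed || a == alg
	}
	if alg == "none" || !allowed {
		return nil, fmt.Errorf("alg %q is not an advertised ID token signing algorithm", alg)
	}
	return &doc, nil
}

func main() {
	body := []byte(`{"issuer":"https://op.example","jwks_uri":"https://op.example/jwks","id_token_signing_alg_values_supported":["RS256"]}`) // constructed sample
	_, err := checkDiscovery("https://op.example/", "RS256", body) // configured issuer has a trailing slash the document lacks
	fmt.Println("accepted with trailing slash:", err == nil)
}
```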

type UserInfo

type UserInfo struct {
	Subject       string `json:"sub"`
	Profile       string `json:"profile"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	// contains filtered or unexported fields
}

UserInfo represents the OpenID Connect userinfo claims.

func (*UserInfo) Claims

func (u *UserInfo) Claims(v interface{}) error

Claims unmarshals the raw JSON object claims into the provided object.
