rp

package
v1.13.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 13, 2023 License: Apache-2.0 Imports: 17 Imported by: 12

Documentation

Index

Constants

This section is empty.

Variables

View Source
var ErrUserInfoSubNotMatching = errors.New("sub from userinfo does not match the sub from the id_token")

Functions

func AuthURL

func AuthURL(state string, rp RelyingParty, opts ...AuthURLOpt) string

AuthURL returns the auth request url (wrapping the oauth2 `AuthCodeURL`)

func AuthURLHandler

func AuthURLHandler(stateFn func() string, rp RelyingParty, urlParam ...URLParamOpt) http.HandlerFunc

AuthURLHandler extends the `AuthURL` method with a http redirect handler including handling setting cookie for secure `state` transfer. Custom paramaters can optionally be set to the redirect URL.

func CodeExchange

func CodeExchange(ctx context.Context, code string, rp RelyingParty, opts ...CodeExchangeOpt) (tokens *oidc.Tokens, err error)

CodeExchange handles the oauth2 code exchange, extracting and validating the id_token returning it parsed together with the oauth2 tokens (access, refresh)

func CodeExchangeHandler

func CodeExchangeHandler(callback CodeExchangeCallback, rp RelyingParty, urlParam ...URLParamOpt) http.HandlerFunc

CodeExchangeHandler extends the `CodeExchange` method with a http handler including cookie handling for secure `state` transfer and optional PKCE code verifier checking. Custom paramaters can optionally be set to the token URL.

func DelegationTokenRequest

func DelegationTokenRequest(subjectToken string, opts ...tokenexchange.TokenExchangeOption) *tokenexchange.TokenExchangeRequest

DelegationTokenRequest is an implementation of TokenExchangeRequest it exchanges an "urn:ietf:params:oauth:token-type:access_token" with an optional "urn:ietf:params:oauth:token-type:access_token" actor token for an "urn:ietf:params:oauth:token-type:access_token" delegation token

func EndSession added in v1.10.0

func EndSession(rp RelyingParty, idToken, optionalRedirectURI, optionalState string) (*url.URL, error)

func GenerateAndStoreCodeChallenge

func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (string, error)

GenerateAndStoreCodeChallenge generates a PKCE code challenge and stores its verifier into a secure cookie

func NewRemoteKeySet

func NewRemoteKeySet(client *http.Client, jwksURL string, opts ...func(*remoteKeySet)) oidc.KeySet

func RefreshAccessToken added in v1.7.0

func RefreshAccessToken(rp RelyingParty, refreshToken, clientAssertion, clientAssertionType string) (*oauth2.Token, error)

func RevokeToken added in v1.11.0

func RevokeToken(rp RelyingParty, token string, tokenTypeHint string) error

RevokeToken requires a RelyingParty that is also a client.RevokeCaller. The RelyingParty returned by NewRelyingPartyOIDC() meets that criteria, but the one returned by NewRelyingPartyOAuth() does not.

tokenTypeHint should be either "id_token" or "refresh_token".

func SkipRemoteCheck

func SkipRemoteCheck() func(set *remoteKeySet)

SkipRemoteCheck will suppress checking for new remote keys if signature validation fails with cached keys and no kid header is set in the JWT

this might be handy to save some unnecessary round trips in cases where the JWT does not contain a kid header and there is only a single remote key please notice that remote keys will then only be fetched if cached keys are empty

func Userinfo

func Userinfo(token, tokenType, subject string, rp RelyingParty) (oidc.UserInfo, error)

Userinfo will call the OIDC Userinfo Endpoint with the provided token

func VerifyAccessToken

func VerifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAlgorithm) error

VerifyAccessToken validates the access token according to https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation

func VerifyIDToken

func VerifyIDToken(ctx context.Context, token string, v IDTokenVerifier) (oidc.IDTokenClaims, error)

VerifyIDToken validates the id token according to https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

func VerifyTokens

func VerifyTokens(ctx context.Context, accessToken, idTokenString string, v IDTokenVerifier) (oidc.IDTokenClaims, error)

VerifyTokens implement the Token Response Validation as defined in OIDC specification https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation

func WithIssuedAtMaxAge

func WithIssuedAtMaxAge(maxAge time.Duration) func(*idTokenVerifier)

WithIssuedAtMaxAge provides the ability to define the maximum duration between iat and now

func WithIssuedAtOffset

func WithIssuedAtOffset(offset time.Duration) func(*idTokenVerifier)

WithIssuedAtOffset mitigates the risk of iat to be in the future because of clock skews with the ability to add an offset to the current time

Types

type AuthURLOpt

type AuthURLOpt func() []oauth2.AuthCodeOption

func WithCodeChallenge

func WithCodeChallenge(codeChallenge string) AuthURLOpt

WithCodeChallenge sets the `code_challenge` params in the auth request

func WithPrompt

func WithPrompt(prompt ...string) AuthURLOpt

WithPrompt sets the `prompt` params in the auth request

type CodeExchangeCallback

type CodeExchangeCallback func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, rp RelyingParty)

func UserinfoCallback

UserinfoCallback wraps the callback function of the CodeExchangeHandler and calls the userinfo endpoint with the access token on success it will pass the userinfo into its callback function as well

type CodeExchangeOpt

type CodeExchangeOpt func() []oauth2.AuthCodeOption

func WithClientAssertionJWT

func WithClientAssertionJWT(clientAssertion string) CodeExchangeOpt

WithClientAssertionJWT sets the `client_assertion` param in the token request

func WithCodeVerifier

func WithCodeVerifier(codeVerifier string) CodeExchangeOpt

WithCodeVerifier sets the `code_verifier` param in the token request

type CodeExchangeUserinfoCallback

type CodeExchangeUserinfoCallback func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, provider RelyingParty, info oidc.UserInfo)

type DelegationTokenExchangeRP

type DelegationTokenExchangeRP interface {
	TokenExchangeRP

	// DelegationTokenExchange implement the `Token Exchange Grant`
	// providing an access token in request for a `delegation` token for a given resource / audience
	DelegationTokenExchange(context.Context, string, ...tokenexchange.TokenExchangeOption) (*oauth2.Token, error)
}

DelegationTokenExchangeRP extends the `TokenExchangeRP` interface for the specific `delegation token` request

type Endpoints

type Endpoints struct {
	oauth2.Endpoint
	IntrospectURL string
	UserinfoURL   string
	JKWsURL       string
	EndSessionURL string
	RevokeURL     string
}

func Discover

func Discover(issuer string, httpClient *http.Client) (Endpoints, error)

Discover calls the discovery endpoint of the provided issuer and returns the found endpoints

deprecated: use client.Discover

func GetEndpoints

func GetEndpoints(discoveryConfig *oidc.DiscoveryConfiguration) Endpoints

type ErrorHandler

type ErrorHandler func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string)
var DefaultErrorHandler ErrorHandler = func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string) {
	http.Error(w, errorType+": "+errorDesc, http.StatusInternalServerError)
}

type IDTokenVerifier

type IDTokenVerifier interface {
	oidc.Verifier
	ClientID() string
	SupportedSignAlgs() []string
	KeySet() oidc.KeySet
	Nonce(context.Context) string
	ACR() oidc.ACRVerifier
	MaxAge() time.Duration
}

func NewIDTokenVerifier

func NewIDTokenVerifier(issuer, clientID string, keySet oidc.KeySet, options ...VerifierOption) IDTokenVerifier

NewIDTokenVerifier returns an implementation of `IDTokenVerifier` for `VerifyTokens` and `VerifyIDToken`

type Option

type Option func(*relyingParty) error

Option is the type for providing dynamic options to the relyingParty

func WithClientKey

func WithClientKey(path string) Option

WithClientKey specifies the path to the key.json to be used for the JWT Profile Client Authentication on the token endpoint

deprecated: use WithJWTProfile(SignerFromKeyPath(path)) instead

func WithCookieHandler

func WithCookieHandler(cookieHandler *httphelper.CookieHandler) Option

WithCookieHandler set a `CookieHandler` for securing the various redirects

func WithCustomDiscoveryUrl

func WithCustomDiscoveryUrl(url string) Option

func WithErrorHandler

func WithErrorHandler(errorHandler ErrorHandler) Option

func WithHTTPClient

func WithHTTPClient(client *http.Client) Option

WithHTTPClient provides the ability to set an http client to be used for the relaying party and verifier

func WithJWTProfile

func WithJWTProfile(signerFromKey SignerFromKey) Option

WithJWTProfile creates a signer used for the JWT Profile Client Authentication on the token endpoint When creating the signer, be sure to include the KeyID in the SigningKey. See client.NewSignerFromPrivateKeyByte for an example.

func WithPKCE

func WithPKCE(cookieHandler *httphelper.CookieHandler) Option

WithPKCE sets the RP to use PKCE (oauth2 code challenge) it also sets a `CookieHandler` for securing the various redirects and exchanging the code challenge

func WithVerifierOpts

func WithVerifierOpts(opts ...VerifierOption) Option

type OptionFunc

type OptionFunc func(RelyingParty)

type RefreshTokenRequest added in v1.8.1

type RefreshTokenRequest struct {
	RefreshToken        string                   `schema:"refresh_token"`
	Scopes              oidc.SpaceDelimitedArray `schema:"scope"`
	ClientID            string                   `schema:"client_id"`
	ClientSecret        string                   `schema:"client_secret"`
	ClientAssertion     string                   `schema:"client_assertion"`
	ClientAssertionType string                   `schema:"client_assertion_type"`
	GrantType           oidc.GrantType           `schema:"grant_type"`
}

type RelyingParty

type RelyingParty interface {
	// OAuthConfig returns the oauth2 Config
	OAuthConfig() *oauth2.Config

	// Issuer returns the issuer of the oidc config
	Issuer() string

	// IsPKCE returns if authorization is done using `Authorization Code Flow with Proof Key for Code Exchange (PKCE)`
	IsPKCE() bool

	// CookieHandler returns a http cookie handler used for various state transfer cookies
	CookieHandler() *httphelper.CookieHandler

	// HttpClient returns a http client used for calls to the openid provider, e.g. calling token endpoint
	HttpClient() *http.Client

	// IsOAuth2Only specifies whether relaying party handles only oauth2 or oidc calls
	IsOAuth2Only() bool

	// Signer is used if the relaying party uses the JWT Profile
	Signer() jose.Signer

	// GetEndSessionEndpoint returns the endpoint to sign out on a IDP
	GetEndSessionEndpoint() string

	// UserinfoEndpoint returns the userinfo
	UserinfoEndpoint() string

	// IDTokenVerifier returns the verifier interface used for oidc id_token verification
	IDTokenVerifier() IDTokenVerifier

	ErrorHandler() func(http.ResponseWriter, *http.Request, string, string, string)
}

RelyingParty declares the minimal interface for oidc clients

func NewRelyingPartyOAuth

func NewRelyingPartyOAuth(config *oauth2.Config, options ...Option) (RelyingParty, error)

NewRelyingPartyOAuth creates an (OAuth2) RelyingParty with the given OAuth2 Config and possible configOptions it will use the AuthURL and TokenURL set in config

func NewRelyingPartyOIDC

func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, scopes []string, options ...Option) (RelyingParty, error)

NewRelyingPartyOIDC creates an (OIDC) RelyingParty with the given issuer, clientID, clientSecret, redirectURI, scopes and possible configOptions it will run discovery on the provided issuer and use the found endpoints

type SignerFromKey

type SignerFromKey func() (jose.Signer, error)

func SignerFromKeyAndKeyID

func SignerFromKeyAndKeyID(key []byte, keyID string) SignerFromKey

func SignerFromKeyFile

func SignerFromKeyFile(fileData []byte) SignerFromKey

func SignerFromKeyPath

func SignerFromKeyPath(path string) SignerFromKey

type TokenExchangeRP

type TokenExchangeRP interface {
	RelyingParty

	// TokenExchange implement the `Token Exchange Grant` exchanging some token for an other
	TokenExchange(context.Context, *tokenexchange.TokenExchangeRequest) (*oauth2.Token, error)
}

TokenExchangeRP extends the `RelyingParty` interface for the *draft* oauth2 `Token Exchange`

type URLParamOpt added in v1.13.1

type URLParamOpt func() []oauth2.AuthCodeOption

func WithPromptURLParam added in v1.13.1

func WithPromptURLParam(prompt ...string) URLParamOpt

WithPromptURLParam sets the `prompt` parameter in a URL.

func WithURLParam added in v1.13.1

func WithURLParam(key, value string) URLParamOpt

WithURLParam allows setting custom key-vale pairs to an OAuth2 URL.

type VerifierOption

type VerifierOption func(*idTokenVerifier)

VerifierOption is the type for providing dynamic options to the IDTokenVerifier

func WithACRVerifier

func WithACRVerifier(verifier oidc.ACRVerifier) VerifierOption

WithACRVerifier sets the verifier for the acr claim

func WithAuthTimeMaxAge

func WithAuthTimeMaxAge(maxAge time.Duration) VerifierOption

WithAuthTimeMaxAge provides the ability to define the maximum duration between auth_time and now

func WithNonce

func WithNonce(nonce func(context.Context) string) VerifierOption

WithNonce sets the function to check the nonce

func WithSupportedSigningAlgorithms

func WithSupportedSigningAlgorithms(algs ...string) VerifierOption

WithSupportedSigningAlgorithms overwrites the default RS256 signing algorithm

Directories

Path Synopsis
Package mock is a generated GoMock package.
Package mock is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL