op

package
v1.13.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 13, 2023 License: Apache-2.0 Imports: 25 Imported by: 12

Documentation

Index

Constants

View Source
const (
	OidcDevMode = "ZITADEL_OIDC_DEV"
)

Variables

View Source
var DefaultEndpoints = &endpoints{
	Authorization: NewEndpoint(defaultAuthorizationEndpoint),
	Token:         NewEndpoint(defaultTokenEndpoint),
	Introspection: NewEndpoint(defaultIntrospectEndpoint),
	Userinfo:      NewEndpoint(defaultUserinfoEndpoint),
	Revocation:    NewEndpoint(defaultRevocationEndpoint),
	EndSession:    NewEndpoint(defaultEndSessionEndpoint),
	JwksURI:       NewEndpoint(defaultKeysEndpoint),
}
View Source
var ErrInvalidRefreshToken = errors.New("invalid_refresh_token")

Functions

func AccessTokenTypeStrings added in v1.6.1

func AccessTokenTypeStrings() []string

AccessTokenTypeStrings returns a slice of all String values of the enum

func ApplicationTypeStrings added in v1.6.1

func ApplicationTypeStrings() []string

ApplicationTypeStrings returns a slice of all String values of the enum

func AuthCallbackURL

func AuthCallbackURL(o OpenIDProvider) func(string) string

AuthCallbackURL builds the url for the redirect (with the requestID) after a successful login

func AuthMethodsIntrospectionEndpoint

func AuthMethodsIntrospectionEndpoint(c Configuration) []oidc.AuthMethod

func AuthMethodsRevocationEndpoint

func AuthMethodsRevocationEndpoint(c Configuration) []oidc.AuthMethod

func AuthMethodsTokenEndpoint

func AuthMethodsTokenEndpoint(c Configuration) []oidc.AuthMethod

func AuthRequestError

func AuthRequestError(w http.ResponseWriter, r *http.Request, authReq ErrAuthRequest, err error, encoder httphelper.Encoder)

func AuthResponse

func AuthResponse(authReq AuthRequest, authorizer Authorizer, w http.ResponseWriter, r *http.Request)

AuthResponse creates the successful authentication response (either code or tokens)

func AuthResponseCode

func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer)

AuthResponseCode creates the successful code authentication response

func AuthResponseToken

func AuthResponseToken(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer, client Client)

AuthResponseToken creates the successful token(s) authentication response

func AuthResponseURL

func AuthResponseURL(redirectURI string, responseType oidc.ResponseType, responseMode oidc.ResponseMode, response interface{}, encoder httphelper.Encoder) (string, error)

AuthResponseURL encodes the authorization response (successful and error) and sets it as query or fragment values depending on the response_mode and response_type

func Authorize

func Authorize(w http.ResponseWriter, r *http.Request, authorizer Authorizer)

Authorize handles the authorization request, including parsing, validating, storing and finally redirecting to the login handler

func AuthorizeCallback

func AuthorizeCallback(w http.ResponseWriter, r *http.Request, authorizer Authorizer)

AuthorizeCallback handles the callback after authentication in the Login UI

func AuthorizeClientIDSecret

func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string, storage Storage) error

AuthorizeClientIDSecret authorizes a client by validating the client_id and client_secret (Basic Auth and POST)

func AuthorizeCodeChallenge

func AuthorizeCodeChallenge(tokenReq *oidc.AccessTokenRequest, challenge *oidc.CodeChallenge) error

AuthorizeCodeChallenge authorizes a client by validating the code_verifier against the previously sent code_challenge of the auth request (PKCE)

func AuthorizeCodeClient

func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (request AuthRequest, client Client, err error)

AuthorizeCodeClient checks the authorization of the client and that the used method was the one previously registered. It than returns the auth request corresponding to the auth code

func AuthorizeRefreshClient

func AuthorizeRefreshClient(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (request RefreshTokenRequest, client Client, err error)

AuthorizeRefreshClient checks the authorization of the client and that the used method was the one previously registered. It than returns the data representing the original auth request corresponding to the refresh_token

func BuildAuthRequestCode

func BuildAuthRequestCode(authReq AuthRequest, crypto Crypto) (string, error)

BuildAuthRequestCode builds the string representation of the auth code

func ClientCredentialsExchange added in v1.4.0

func ClientCredentialsExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)

ClientCredentialsExchange handles the OAuth 2.0 client_credentials grant, including parsing, validating, authorizing the client and finally returning a token

func CodeChallengeMethods

func CodeChallengeMethods(c Configuration) []oidc.CodeChallengeMethod

func CodeExchange

func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)

CodeExchange handles the OAuth 2.0 authorization_code grant, including parsing, validating, authorizing the client and finally exchanging the code for tokens

func ContainsResponseType

func ContainsResponseType(types []oidc.ResponseType, responseType oidc.ResponseType) bool

func CopyRequestObjectToAuthRequest

func CopyRequestObjectToAuthRequest(authReq *oidc.AuthRequest, requestObject *oidc.RequestObject)

CopyRequestObjectToAuthRequest overwrites present values from the Request Object into the auth request and clears the `RequestParam` of the auth request

func CreateAccessToken

func CreateAccessToken(ctx context.Context, tokenRequest TokenRequest, accessTokenType AccessTokenType, creator TokenCreator, client Client, refreshToken string) (accessToken, newRefreshToken string, validity time.Duration, err error)

func CreateAuthRequestCode

func CreateAuthRequestCode(ctx context.Context, authReq AuthRequest, storage Storage, crypto Crypto) (string, error)

CreateAuthRequestCode creates and stores a code for the auth code response

func CreateBearerToken

func CreateBearerToken(tokenID, subject string, crypto Crypto) (string, error)

func CreateClientCredentialsTokenResponse added in v1.4.0

func CreateClientCredentialsTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator, client Client) (*oidc.AccessTokenResponse, error)

func CreateDiscoveryConfig

func CreateDiscoveryConfig(c Configuration, s Signer) *oidc.DiscoveryConfiguration

func CreateIDToken

func CreateIDToken(ctx context.Context, issuer string, request IDTokenRequest, validity time.Duration, accessToken, code string, storage Storage, signer Signer, client Client) (string, error)

func CreateJWT

func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, exp time.Time, id string, signer Signer, client Client, storage Storage) (string, error)

func CreateJWTTokenResponse

func CreateJWTTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator) (*oidc.AccessTokenResponse, error)

CreateJWTTokenResponse creates

func CreateRouter

func CreateRouter(o OpenIDProvider, interceptors ...HttpInterceptor) *mux.Router

func CreateTokenResponse

func CreateTokenResponse(ctx context.Context, request IDTokenRequest, client Client, creator TokenCreator, createAccessToken bool, code, refreshToken string) (*oidc.AccessTokenResponse, error)

func Discover

func Discover(w http.ResponseWriter, config *oidc.DiscoveryConfiguration)

func EndSession

func EndSession(w http.ResponseWriter, r *http.Request, ender SessionEnder)

func Exchange added in v1.9.0

func Exchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)

Exchange performs a token exchange appropriate for the grant type

func GrantTypes

func GrantTypes(c Configuration) []oidc.GrantType

func HTTPLoopbackOrLocalhost

func HTTPLoopbackOrLocalhost(rawurl string) (*url.URL, bool)

func Introspect

func Introspect(w http.ResponseWriter, r *http.Request, introspector Introspector)

func IntrospectionSigAlgorithms

func IntrospectionSigAlgorithms(c Configuration) []string

func IsConfidentialType

func IsConfidentialType(c Client) bool

func JWTProfile

func JWTProfile(w http.ResponseWriter, r *http.Request, exchanger JWTAuthorizationGrantExchanger)

JWTProfile handles the OAuth 2.0 JWT Profile Authorization Grant https://tools.ietf.org/html/rfc7523#section-2.1

func Keys

func ParseAccessTokenRequest

func ParseAccessTokenRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.AccessTokenRequest, error)

ParseAccessTokenRequest parsed the http request into a oidc.AccessTokenRequest

func ParseAuthenticatedTokenRequest

func ParseAuthenticatedTokenRequest(r *http.Request, decoder httphelper.Decoder, request AuthenticatedTokenRequest) error

ParseAuthenticatedTokenRequest parses the client_id and client_secret from the HTTP request from either HTTP Basic Auth header or form body and sets them into the provided authenticatedTokenRequest interface

func ParseAuthorizeRequest

func ParseAuthorizeRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.AuthRequest, error)

ParseAuthorizeRequest parsed the http request into an oidc.AuthRequest

func ParseClientCredentialsRequest added in v1.4.0

func ParseClientCredentialsRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.ClientCredentialsRequest, error)

ParseClientCredentialsRequest parsed the http request into a oidc.ClientCredentialsRequest

func ParseEndSessionRequest

func ParseEndSessionRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.EndSessionRequest, error)

func ParseJWTProfileGrantRequest

func ParseJWTProfileGrantRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.JWTProfileGrantRequest, error)

func ParseJWTProfileRequest

func ParseJWTProfileRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.JWTProfileGrantRequest, error)

ParseJWTProfileRequest has been renamed to ParseJWTProfileGrantRequest

deprecated: use ParseJWTProfileGrantRequest

func ParseRefreshTokenRequest

func ParseRefreshTokenRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.RefreshTokenRequest, error)

ParseRefreshTokenRequest parsed the http request into a oidc.RefreshTokenRequest

func ParseRequestObject

func ParseRequestObject(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, issuer string) (*oidc.AuthRequest, error)

ParseRequestObject parse the `request` parameter, validates the token including the signature and copies the token claims into the auth request

func ParseTokenIntrospectionRequest

func ParseTokenIntrospectionRequest(r *http.Request, introspector Introspector) (token, clientID string, err error)

func ParseTokenRevocationRequest

func ParseTokenRevocationRequest(r *http.Request, revoker Revoker) (token, tokenTypeHint, clientID string, err error)

func ParseUserinfoRequest

func ParseUserinfoRequest(r *http.Request, decoder httphelper.Decoder) (string, error)

func Readiness

func Readiness(w http.ResponseWriter, r *http.Request, probes ...ProbesFn)

func RedirectToLogin

func RedirectToLogin(authReqID string, client Client, w http.ResponseWriter, r *http.Request)

RedirectToLogin redirects the end user to the Login UI for authentication

func RefreshTokenExchange

func RefreshTokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)

RefreshTokenExchange handles the OAuth 2.0 refresh_token grant, including parsing, validating, authorizing the client and finally exchanging the refresh_token for new tokens

func RequestError

func RequestError(w http.ResponseWriter, r *http.Request, err error)

func RequestObjectSigAlgorithms

func RequestObjectSigAlgorithms(c Configuration) []string

func ResponseTypes

func ResponseTypes(c Configuration) []string

func RevocationRequestError

func RevocationRequestError(w http.ResponseWriter, r *http.Request, err error)

func RevocationSigAlgorithms

func RevocationSigAlgorithms(c Configuration) []string

func Revoke

func Revoke(w http.ResponseWriter, r *http.Request, revoker Revoker)

func Scopes

func Scopes(c Configuration) []string

func SigAlgorithms

func SigAlgorithms(s Signer) []string

func SubjectIsIssuer

func SubjectIsIssuer(request *oidc.JWTTokenRequest) error

func SubjectTypes

func SubjectTypes(c Configuration) []string

func SupportedClaims

func SupportedClaims(c Configuration) []string

func TokenExchange

func TokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger)

TokenExchange will handle the OAuth 2.0 token exchange grant ("urn:ietf:params:oauth:grant-type:token-exchange")

func TokenSigAlgorithms

func TokenSigAlgorithms(c Configuration) []string

func Userinfo

func Userinfo(w http.ResponseWriter, r *http.Request, userinfoProvider UserinfoProvider)

func ValidateAccessTokenRequest

func ValidateAccessTokenRequest(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, Client, error)

ValidateAccessTokenRequest validates the token request parameters including authorization check of the client and returns the previous created auth request corresponding to the auth code

func ValidateAuthReqIDTokenHint

func ValidateAuthReqIDTokenHint(ctx context.Context, idTokenHint string, verifier IDTokenHintVerifier) (string, error)

ValidateAuthReqIDTokenHint validates the id_token_hint (if passed as parameter in the request) and returns the `sub` claim

func ValidateAuthReqPrompt

func ValidateAuthReqPrompt(prompts []string, maxAge *uint) (_ *uint, err error)

ValidateAuthReqPrompt validates the passed prompt values and sets max_age to 0 if prompt login is present

func ValidateAuthReqRedirectURI

func ValidateAuthReqRedirectURI(client Client, uri string, responseType oidc.ResponseType) error

ValidateAuthReqRedirectURI validates the passed redirect_uri and response_type to the registered uris and client type

func ValidateAuthReqResponseType

func ValidateAuthReqResponseType(client Client, responseType oidc.ResponseType) error

ValidateAuthReqResponseType validates the passed response_type to the registered response types

func ValidateAuthReqScopes

func ValidateAuthReqScopes(client Client, scopes []string) ([]string, error)

ValidateAuthReqScopes validates the passed scopes

func ValidateAuthRequest

func ValidateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, verifier IDTokenHintVerifier) (sub string, err error)

ValidateAuthRequest validates the authorize parameters and returns the userID of the id_token_hint if passed

func ValidateClientCredentialsRequest added in v1.4.0

func ValidateClientCredentialsRequest(ctx context.Context, request *oidc.ClientCredentialsRequest, exchanger Exchanger) (TokenRequest, Client, error)

ValidateClientCredentialsRequest validates the refresh_token request parameters including authorization check of the client and returns the data representing the original auth request corresponding to the refresh_token

func ValidateEndSessionPostLogoutRedirectURI added in v1.6.1

func ValidateEndSessionPostLogoutRedirectURI(postLogoutRedirectURI string, client Client) error

func ValidateGrantType

func ValidateGrantType(client Client, grantType oidc.GrantType) bool

ValidateGrantType ensures that the requested grant_type is allowed by the Client

func ValidateIssuer

func ValidateIssuer(issuer string) error

func ValidateRefreshTokenRequest

func ValidateRefreshTokenRequest(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (RefreshTokenRequest, Client, error)

ValidateRefreshTokenRequest validates the refresh_token request parameters including authorization check of the client and returns the data representing the original auth request corresponding to the refresh_token

func ValidateRefreshTokenScopes

func ValidateRefreshTokenScopes(requestedScopes []string, authRequest RefreshTokenRequest) error

ValidateRefreshTokenScopes validates that the requested scope is a subset of the original auth request scope it will set the requested scopes as current scopes onto RefreshTokenRequest if empty the original scopes will be used

func VerifyAccessToken

func VerifyAccessToken(ctx context.Context, token string, v AccessTokenVerifier) (oidc.AccessTokenClaims, error)

VerifyAccessToken validates the access token (issuer, signature and expiration)

func VerifyIDTokenHint

func VerifyIDTokenHint(ctx context.Context, token string, v IDTokenHintVerifier) (oidc.IDTokenClaims, error)

VerifyIDTokenHint validates the id token according to https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

func VerifyJWTAssertion

func VerifyJWTAssertion(ctx context.Context, assertion string, v JWTProfileVerifier) (*oidc.JWTTokenRequest, error)

VerifyJWTAssertion verifies the assertion string from JWT Profile (authorization grant and client authentication)

checks audience, exp, iat, signature and that issuer and sub are the same

Types

type AccessTokenType

type AccessTokenType int
const (
	AccessTokenTypeBearer AccessTokenType = iota // bearer
	AccessTokenTypeJWT                           // JWT
)

func AccessTokenTypeString added in v1.6.1

func AccessTokenTypeString(s string) (AccessTokenType, error)

AccessTokenTypeString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.

func AccessTokenTypeValues added in v1.6.1

func AccessTokenTypeValues() []AccessTokenType

AccessTokenTypeValues returns all values of the enum

func (AccessTokenType) IsAAccessTokenType added in v1.6.1

func (i AccessTokenType) IsAAccessTokenType() bool

IsAAccessTokenType returns "true" if the value is listed in the enum definition. "false" otherwise

func (AccessTokenType) MarshalGQL added in v1.6.1

func (i AccessTokenType) MarshalGQL(w io.Writer)

MarshalGQL implements the graphql.Marshaler interface for AccessTokenType

func (AccessTokenType) MarshalJSON added in v1.6.1

func (i AccessTokenType) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for AccessTokenType

func (AccessTokenType) MarshalText added in v1.6.1

func (i AccessTokenType) MarshalText() ([]byte, error)

MarshalText implements the encoding.TextMarshaler interface for AccessTokenType

func (AccessTokenType) MarshalYAML added in v1.6.1

func (i AccessTokenType) MarshalYAML() (interface{}, error)

MarshalYAML implements a YAML Marshaler for AccessTokenType

func (*AccessTokenType) Scan added in v1.6.1

func (i *AccessTokenType) Scan(value interface{}) error

func (AccessTokenType) String added in v1.6.1

func (i AccessTokenType) String() string

func (*AccessTokenType) UnmarshalGQL added in v1.6.1

func (i *AccessTokenType) UnmarshalGQL(value interface{}) error

UnmarshalGQL implements the graphql.Unmarshaler interface for AccessTokenType

func (*AccessTokenType) UnmarshalJSON added in v1.6.1

func (i *AccessTokenType) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for AccessTokenType

func (*AccessTokenType) UnmarshalText added in v1.6.1

func (i *AccessTokenType) UnmarshalText(text []byte) error

UnmarshalText implements the encoding.TextUnmarshaler interface for AccessTokenType

func (*AccessTokenType) UnmarshalYAML added in v1.6.1

func (i *AccessTokenType) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements a YAML Unmarshaler for AccessTokenType

func (AccessTokenType) Value added in v1.6.1

func (i AccessTokenType) Value() (driver.Value, error)

type AccessTokenVerifier

type AccessTokenVerifier interface {
	oidc.Verifier
	SupportedSignAlgs() []string
	KeySet() oidc.KeySet
}

func NewAccessTokenVerifier

func NewAccessTokenVerifier(issuer string, keySet oidc.KeySet, opts ...AccessTokenVerifierOpt) AccessTokenVerifier

type AccessTokenVerifierOpt added in v1.9.0

type AccessTokenVerifierOpt func(*accessTokenVerifier)

func WithSupportedAccessTokenSigningAlgorithms added in v1.9.0

func WithSupportedAccessTokenSigningAlgorithms(algs ...string) AccessTokenVerifierOpt

type ApplicationType

type ApplicationType int
const (
	ApplicationTypeWeb       ApplicationType = iota // web
	ApplicationTypeUserAgent                        // user_agent
	ApplicationTypeNative                           // native
)

func ApplicationTypeString added in v1.6.1

func ApplicationTypeString(s string) (ApplicationType, error)

ApplicationTypeString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.

func ApplicationTypeValues added in v1.6.1

func ApplicationTypeValues() []ApplicationType

ApplicationTypeValues returns all values of the enum

func (ApplicationType) IsAApplicationType added in v1.6.1

func (i ApplicationType) IsAApplicationType() bool

IsAApplicationType returns "true" if the value is listed in the enum definition. "false" otherwise

func (ApplicationType) MarshalGQL added in v1.6.1

func (i ApplicationType) MarshalGQL(w io.Writer)

MarshalGQL implements the graphql.Marshaler interface for ApplicationType

func (ApplicationType) MarshalJSON added in v1.6.1

func (i ApplicationType) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for ApplicationType

func (ApplicationType) MarshalText added in v1.6.1

func (i ApplicationType) MarshalText() ([]byte, error)

MarshalText implements the encoding.TextMarshaler interface for ApplicationType

func (ApplicationType) MarshalYAML added in v1.6.1

func (i ApplicationType) MarshalYAML() (interface{}, error)

MarshalYAML implements a YAML Marshaler for ApplicationType

func (*ApplicationType) Scan added in v1.6.1

func (i *ApplicationType) Scan(value interface{}) error

func (ApplicationType) String added in v1.6.1

func (i ApplicationType) String() string

func (*ApplicationType) UnmarshalGQL added in v1.6.1

func (i *ApplicationType) UnmarshalGQL(value interface{}) error

UnmarshalGQL implements the graphql.Unmarshaler interface for ApplicationType

func (*ApplicationType) UnmarshalJSON added in v1.6.1

func (i *ApplicationType) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for ApplicationType

func (*ApplicationType) UnmarshalText added in v1.6.1

func (i *ApplicationType) UnmarshalText(text []byte) error

UnmarshalText implements the encoding.TextUnmarshaler interface for ApplicationType

func (*ApplicationType) UnmarshalYAML added in v1.6.1

func (i *ApplicationType) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements a YAML Unmarshaler for ApplicationType

func (ApplicationType) Value added in v1.6.1

func (i ApplicationType) Value() (driver.Value, error)

type AuthMethod

type AuthMethod string

type AuthRequest

type AuthRequest interface {
	GetID() string
	GetACR() string
	GetAMR() []string
	GetAudience() []string
	GetAuthTime() time.Time
	GetClientID() string
	GetCodeChallenge() *oidc.CodeChallenge
	GetNonce() string
	GetRedirectURI() string
	GetResponseType() oidc.ResponseType
	GetResponseMode() oidc.ResponseMode
	GetScopes() []string
	GetState() string
	GetSubject() string
	Done() bool
}

func AuthRequestByCode

func AuthRequestByCode(ctx context.Context, storage Storage, code string) (AuthRequest, error)

AuthRequestByCode returns the AuthRequest previously created from Storage corresponding to the auth code or an error

type AuthStorage

type AuthStorage interface {
	CreateAuthRequest(context.Context, *oidc.AuthRequest, string) (AuthRequest, error)
	AuthRequestByID(context.Context, string) (AuthRequest, error)
	AuthRequestByCode(context.Context, string) (AuthRequest, error)
	SaveAuthCode(context.Context, string, string) error
	DeleteAuthRequest(context.Context, string) error

	// The TokenRequest parameter of CreateAccessToken can be any of:
	//
	// * TokenRequest as returned by ClientCredentialsStorage.ClientCredentialsTokenRequest,
	//
	// * AuthRequest as returned by AuthRequestByID or AuthRequestByCode (above)
	//
	// * *oidc.JWTTokenRequest from a JWT that is the assertion value of a JWT Profile
	//   Grant: https://datatracker.ietf.org/doc/html/rfc7523#section-2.1
	CreateAccessToken(context.Context, TokenRequest) (accessTokenID string, expiration time.Time, err error)

	// The TokenRequest parameter of CreateAccessAndRefreshTokens can be any of:
	//
	// * TokenRequest as returned by ClientCredentialsStorage.ClientCredentialsTokenRequest
	//
	// * RefreshTokenRequest as returned by AuthStorage.TokenRequestByRefreshToken
	//
	// * AuthRequest as by returned by the AuthRequestByID or AuthRequestByCode (above).
	//   Used for the authorization code flow which requested offline_access scope and
	//   registered the refresh_token grant type in advance
	CreateAccessAndRefreshTokens(ctx context.Context, request TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshTokenID string, expiration time.Time, err error)
	TokenRequestByRefreshToken(ctx context.Context, refreshTokenID string) (RefreshTokenRequest, error)

	TerminateSession(ctx context.Context, userID string, clientID string) error

	// RevokeToken should revoke a token. In the situation that the original request was to
	// revoke an access token, then tokenOrTokenID will be a tokenID and userID will be set
	// but if the original request was for a refresh token, then userID will be empty and
	// tokenOrTokenID will be the refresh token, not its ID.
	RevokeToken(ctx context.Context, tokenOrTokenID string, userID string, clientID string) *oidc.Error

	GetSigningKey(context.Context, chan<- jose.SigningKey)
	GetKeySet(context.Context) (*jose.JSONWebKeySet, error)
}

type AuthenticatedTokenRequest

type AuthenticatedTokenRequest interface {
	SetClientID(string)
	SetClientSecret(string)
}

AuthenticatedTokenRequest is a helper interface for ParseAuthenticatedTokenRequest it is implemented by oidc.AuthRequest and oidc.RefreshTokenRequest

type AuthorizeValidator

type AuthorizeValidator interface {
	Authorizer
	ValidateAuthRequest(context.Context, *oidc.AuthRequest, Storage, IDTokenHintVerifier) (string, error)
}

AuthorizeValidator is an extension of Authorizer interface implementing its own validation mechanism for the auth request

type Authorizer

type Authorizer interface {
	Storage() Storage
	Decoder() httphelper.Decoder
	Encoder() httphelper.Encoder
	Signer() Signer
	IDTokenHintVerifier() IDTokenHintVerifier
	Crypto() Crypto
	Issuer() string
	RequestObjectSupported() bool
}

type CanRefreshTokenInfo added in v1.13.0

type CanRefreshTokenInfo interface {
	// GetRefreshTokenInfo must return ErrInvalidRefreshToken when presented
	// with a token that is not a refresh token.
	GetRefreshTokenInfo(ctx context.Context, clientID string, token string) (userID string, tokenID string, err error)
}

CanRefreshTokenInfo is an optional additional interface that Storage can support. Supporting CanRefreshTokenInfo is required to be able to (revoke) a refresh token that is neither an encrypted string of <tokenID>:<userID> nor a JWT.

type Client

type Client interface {
	GetID() string
	RedirectURIs() []string
	PostLogoutRedirectURIs() []string
	ApplicationType() ApplicationType
	AuthMethod() oidc.AuthMethod
	ResponseTypes() []oidc.ResponseType
	GrantTypes() []oidc.GrantType
	LoginURL(string) string
	AccessTokenType() AccessTokenType
	IDTokenLifetime() time.Duration
	DevMode() bool
	RestrictAdditionalIdTokenScopes() func(scopes []string) []string
	RestrictAdditionalAccessTokenScopes() func(scopes []string) []string
	IsScopeAllowed(scope string) bool
	IDTokenUserinfoClaimsAssertion() bool
	ClockSkew() time.Duration
}

func AuthorizeClientCredentialsClient added in v1.4.0

func AuthorizeClientCredentialsClient(ctx context.Context, request *oidc.ClientCredentialsRequest, exchanger Exchanger) (Client, error)

func AuthorizePrivateJWTKey

func AuthorizePrivateJWTKey(ctx context.Context, clientAssertion string, exchanger JWTAuthorizationGrantExchanger) (Client, error)

AuthorizePrivateJWTKey authorizes a client by validating the client_assertion's signature with a previously registered public key (JWT Profile)

type ClientCredentialsStorage added in v1.4.0

type ClientCredentialsStorage interface {
	ClientCredentialsTokenRequest(ctx context.Context, clientID string, scopes []string) (TokenRequest, error)
}

type Config

type Config struct {
	Issuer                   string
	CryptoKey                [32]byte
	DefaultLogoutRedirectURI string
	CodeMethodS256           bool
	AuthMethodPost           bool
	AuthMethodPrivateKeyJWT  bool
	GrantTypeRefreshToken    bool
	RequestObjectSupported   bool
	SupportedUILocales       []language.Tag
}

type Configuration

type Configuration interface {
	Issuer() string
	AuthorizationEndpoint() Endpoint
	TokenEndpoint() Endpoint
	IntrospectionEndpoint() Endpoint
	UserinfoEndpoint() Endpoint
	RevocationEndpoint() Endpoint
	EndSessionEndpoint() Endpoint
	KeysEndpoint() Endpoint

	AuthMethodPostSupported() bool
	CodeMethodS256Supported() bool
	AuthMethodPrivateKeyJWTSupported() bool
	TokenEndpointSigningAlgorithmsSupported() []string
	GrantTypeRefreshTokenSupported() bool
	GrantTypeTokenExchangeSupported() bool
	GrantTypeJWTAuthorizationSupported() bool
	GrantTypeClientCredentialsSupported() bool
	IntrospectionAuthMethodPrivateKeyJWTSupported() bool
	IntrospectionEndpointSigningAlgorithmsSupported() []string
	RevocationAuthMethodPrivateKeyJWTSupported() bool
	RevocationEndpointSigningAlgorithmsSupported() []string
	RequestObjectSupported() bool
	RequestObjectSigningAlgorithmsSupported() []string

	SupportedUILocales() []language.Tag
}

type Crypto

type Crypto interface {
	Encrypt(string) (string, error)
	Decrypt(string) (string, error)
}

func NewAESCrypto

func NewAESCrypto(key [32]byte) Crypto

type EndSessionRequest

type EndSessionRequest struct {
	UserID      string
	ClientID    string
	RedirectURI string
}

func ValidateEndSessionRequest

func ValidateEndSessionRequest(ctx context.Context, req *oidc.EndSessionRequest, ender SessionEnder) (*EndSessionRequest, error)

type Endpoint

type Endpoint struct {
	// contains filtered or unexported fields
}

func NewEndpoint

func NewEndpoint(path string) Endpoint

func NewEndpointWithURL

func NewEndpointWithURL(path, url string) Endpoint

func (Endpoint) Absolute

func (e Endpoint) Absolute(host string) string

func (Endpoint) Relative

func (e Endpoint) Relative() string

func (Endpoint) Validate

func (e Endpoint) Validate() error

type ErrAuthRequest

type ErrAuthRequest interface {
	GetRedirectURI() string
	GetResponseType() oidc.ResponseType
	GetState() string
}

type Exchanger

type Exchanger interface {
	Issuer() string
	Storage() Storage
	Decoder() httphelper.Decoder
	Signer() Signer
	Crypto() Crypto
	AuthMethodPostSupported() bool
	AuthMethodPrivateKeyJWTSupported() bool
	GrantTypeRefreshTokenSupported() bool
	GrantTypeTokenExchangeSupported() bool
	GrantTypeJWTAuthorizationSupported() bool
	GrantTypeClientCredentialsSupported() bool
}

type HasRedirectGlobs added in v1.13.1

type HasRedirectGlobs interface {
	RedirectURIGlobs() []string
	PostLogoutRedirectURIGlobs() []string
}

HasRedirectGlobs is an optional interface that can be implemented by implementors of Client. See https://pkg.go.dev/path#Match for glob interpretation. Redirect URIs that match either the non-glob version or the glob version will be accepted. Glob URIs are only partially supported for native clients: "http://" is not allowed except for loopback or in dev mode.

type HttpInterceptor

type HttpInterceptor func(http.Handler) http.Handler

type IDTokenHintVerifier

type IDTokenHintVerifier interface {
	oidc.Verifier
	SupportedSignAlgs() []string
	KeySet() oidc.KeySet
	ACR() oidc.ACRVerifier
	MaxAge() time.Duration
}

func NewIDTokenHintVerifier

func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet, opts ...IDTokenHintVerifierOpt) IDTokenHintVerifier

type IDTokenHintVerifierOpt added in v1.10.0

type IDTokenHintVerifierOpt func(*idTokenHintVerifier)

func WithSupportedIDTokenHintSigningAlgorithms added in v1.10.0

func WithSupportedIDTokenHintSigningAlgorithms(algs ...string) IDTokenHintVerifierOpt

type IDTokenRequest

type IDTokenRequest interface {
	GetAMR() []string
	GetAudience() []string
	GetAuthTime() time.Time
	GetClientID() string
	GetScopes() []string
	GetSubject() string
}

type Introspector

type Introspector interface {
	Decoder() httphelper.Decoder
	Crypto() Crypto
	Storage() Storage
	AccessTokenVerifier() AccessTokenVerifier
}

type IntrospectorJWTProfile

type IntrospectorJWTProfile interface {
	Introspector
	JWTProfileVerifier() JWTProfileVerifier
}

type JWTAuthorizationGrantExchanger

type JWTAuthorizationGrantExchanger interface {
	Exchanger
	JWTProfileVerifier() JWTProfileVerifier
}

type JWTProfileVerifier

type JWTProfileVerifier interface {
	oidc.Verifier
	Storage() jwtProfileKeyStorage
	CheckSubject(request *oidc.JWTTokenRequest) error
}

func NewJWTProfileVerifier

func NewJWTProfileVerifier(storage jwtProfileKeyStorage, issuer string, maxAgeIAT, offset time.Duration, opts ...JWTProfileVerifierOption) JWTProfileVerifier

NewJWTProfileVerifier creates a oidc.Verifier for JWT Profile assertions (authorization grant and client authentication)

type JWTProfileVerifierOption

type JWTProfileVerifierOption func(*jwtProfileVerifier)

func SubjectCheck

func SubjectCheck(check func(request *oidc.JWTTokenRequest) error) JWTProfileVerifierOption

type KeyProvider

type KeyProvider interface {
	GetKeySet(context.Context) (*jose.JSONWebKeySet, error)
}

type OPStorage

type OPStorage interface {
	// GetClientByClientID loads a Client. The returned Client is never cached and is only used to
	// handle the current request.
	GetClientByClientID(ctx context.Context, clientID string) (Client, error)
	AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string) error
	SetUserinfoFromScopes(ctx context.Context, userinfo oidc.UserInfoSetter, userID, clientID string, scopes []string) error
	SetUserinfoFromToken(ctx context.Context, userinfo oidc.UserInfoSetter, tokenID, subject, origin string) error
	SetIntrospectionFromToken(ctx context.Context, userinfo oidc.IntrospectionResponse, tokenID, subject, clientID string) error
	GetPrivateClaimsFromScopes(ctx context.Context, userID, clientID string, scopes []string) (map[string]interface{}, error)

	// GetKeyByIDAndUserID is mis-named.  It does not pass userID.  Instead
	// it passes the clientID.
	GetKeyByIDAndUserID(ctx context.Context, keyID, clientID string) (*jose.JSONWebKey, error)
	ValidateJWTProfileScopes(ctx context.Context, userID string, scopes []string) ([]string, error)
}

type OpenIDProvider

type OpenIDProvider interface {
	Configuration
	Storage() Storage
	Decoder() httphelper.Decoder
	Encoder() httphelper.Encoder
	IDTokenHintVerifier() IDTokenHintVerifier
	AccessTokenVerifier() AccessTokenVerifier
	Crypto() Crypto
	DefaultLogoutRedirectURI() string
	Signer() Signer
	Probes() []ProbesFn
	HttpHandler() http.Handler
}

func NewOpenIDProvider

func NewOpenIDProvider(ctx context.Context, config *Config, storage Storage, opOpts ...Option) (OpenIDProvider, error)

NewOpenIDProvider creates a provider. The provider provides (with HttpHandler()) a http.Router that handles a suite of endpoints (some paths can be overridden):

/healthz
/ready
/.well-known/openid-configuration
/oauth/token
/oauth/introspect
/callback
/authorize
/userinfo
/revoke
/end_session
/keys

This does not include login. Login is handled with a redirect that includes the request ID. The redirect for logins is specified per-client by Client.LoginURL(). Successful logins should mark the request as authorized and redirect back to to op.AuthCallbackURL(provider) which is probably /callback. On the redirect back to the AuthCallbackURL, the request id should be passed as the "id" parameter.

type Option

type Option func(o *openidProvider) error

func WithAccessTokenVerifierOpts added in v1.9.0

func WithAccessTokenVerifierOpts(opts ...AccessTokenVerifierOpt) Option

func WithCustomAuthEndpoint

func WithCustomAuthEndpoint(endpoint Endpoint) Option

func WithCustomEndSessionEndpoint

func WithCustomEndSessionEndpoint(endpoint Endpoint) Option

func WithCustomEndpoints

func WithCustomEndpoints(auth, token, userInfo, revocation, endSession, keys Endpoint) Option

func WithCustomIntrospectionEndpoint

func WithCustomIntrospectionEndpoint(endpoint Endpoint) Option

func WithCustomKeysEndpoint

func WithCustomKeysEndpoint(endpoint Endpoint) Option

func WithCustomRevocationEndpoint

func WithCustomRevocationEndpoint(endpoint Endpoint) Option

func WithCustomTokenEndpoint

func WithCustomTokenEndpoint(endpoint Endpoint) Option

func WithCustomUserinfoEndpoint

func WithCustomUserinfoEndpoint(endpoint Endpoint) Option

func WithHttpInterceptors

func WithHttpInterceptors(interceptors ...HttpInterceptor) Option

func WithIDTokenHintVerifierOpts added in v1.10.0

func WithIDTokenHintVerifierOpts(opts ...IDTokenHintVerifierOpt) Option

type ProbesFn

type ProbesFn func(context.Context) error

func ReadySigner

func ReadySigner(s Signer) ProbesFn

func ReadyStorage

func ReadyStorage(s Storage) ProbesFn

type RefreshTokenRequest

type RefreshTokenRequest interface {
	GetAMR() []string
	GetAudience() []string
	GetAuthTime() time.Time
	GetClientID() string
	GetScopes() []string
	GetSubject() string
	SetCurrentScopes(scopes []string)
}

func RefreshTokenRequestByRefreshToken

func RefreshTokenRequestByRefreshToken(ctx context.Context, storage Storage, refreshToken string) (RefreshTokenRequest, error)

RefreshTokenRequestByRefreshToken returns the RefreshTokenRequest (data representing the original auth request) corresponding to the refresh_token from Storage or an error

type Revoker

type Revoker interface {
	Decoder() httphelper.Decoder
	Crypto() Crypto
	Storage() Storage
	AccessTokenVerifier() AccessTokenVerifier
	AuthMethodPrivateKeyJWTSupported() bool
	AuthMethodPostSupported() bool
}

type RevokerJWTProfile

type RevokerJWTProfile interface {
	Revoker
	JWTProfileVerifier() JWTProfileVerifier
}

type SessionEnder

type SessionEnder interface {
	Decoder() httphelper.Decoder
	Storage() Storage
	IDTokenHintVerifier() IDTokenHintVerifier
	DefaultLogoutRedirectURI() string
}

type Signer

type Signer interface {
	Health(ctx context.Context) error
	Signer() jose.Signer
	SignatureAlgorithm() jose.SignatureAlgorithm
}

func NewSigner

func NewSigner(ctx context.Context, storage AuthStorage, keyCh <-chan jose.SigningKey) Signer

type Storage

type Storage interface {
	AuthStorage
	OPStorage
	Health(context.Context) error
}

Storage is a required parameter for NewOpenIDProvider(). In addition to the embedded interfaces below, if the passed Storage implements ClientCredentialsStorage then the grant type "client_credentials" will be supported. In that case, the access token returned by CreateAccessToken should be a JWT. See https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.4 for context.

type StorageNotFoundError

type StorageNotFoundError interface {
	IsNotFound()
}

type TokenCreator

type TokenCreator interface {
	Issuer() string
	Signer() Signer
	Storage() Storage
	Crypto() Crypto
}

type TokenRequest

type TokenRequest interface {
	GetSubject() string
	GetAudience() []string
	GetScopes() []string
}

type UserinfoProvider

type UserinfoProvider interface {
	Decoder() httphelper.Decoder
	Crypto() Crypto
	Storage() Storage
	AccessTokenVerifier() AccessTokenVerifier
}

Directories

Path Synopsis
Package mock is a generated GoMock package.
Package mock is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL