rp

package
v3.23.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 2, 2024 License: Apache-2.0 Imports: 19 Imported by: 12

Documentation

Index

Examples

Constants

This section is empty.

Variables

View Source 
var ErrMissingIDToken = errors.New("id_token missing")

ErrMissingIDToken is returned when an id_token was expected, but not received in the token response.

View Source 
var ErrRelyingPartyNotSupportRevokeCaller = errors.New("RelyingParty does not support RevokeCaller")
View Source 
var ErrUserInfoSubNotMatching = errors.New("sub from userinfo does not match the sub from the id_token")

Functions

func AuthURL 

func AuthURL(state string, rp RelyingParty, opts ...AuthURLOpt) string

AuthURL returns the auth request url (wrapping the oauth2 `AuthCodeURL`)

func AuthURLHandler 

func AuthURLHandler(stateFn func() string, rp RelyingParty, urlParam ...URLParamOpt) http.HandlerFunc

AuthURLHandler extends the `AuthURL` method with a http redirect handler including handling setting cookie for secure `state` transfer. Custom parameters can optionally be set to the redirect URL.

func ClientCredentials added in v3.5.0 

func ClientCredentials(ctx context.Context, rp RelyingParty, endpointParams url.Values) (token *oauth2.Token, err error)

ClientCredentials requests an access token using the `client_credentials` grant, as defined in RFC 6749, section 4.4.

As there is no user associated to the request an ID Token can never be returned. Client Credentials are undefined in OpenID Connect and is a pure OAuth2 grant. Furthermore the server SHOULD NOT return a refresh token.

func CodeExchange 

func CodeExchange[C oidc.IDClaims](ctx context.Context, code string, rp RelyingParty, opts ...CodeExchangeOpt) (tokens *oidc.Tokens[C], err error)

CodeExchange handles the oauth2 code exchange, extracting and validating the id_token returning it parsed together with the oauth2 tokens (access, refresh)

func CodeExchangeHandler 

func CodeExchangeHandler[C oidc.IDClaims](callback CodeExchangeCallback[C], rp RelyingParty, urlParam ...URLParamOpt) http.HandlerFunc

CodeExchangeHandler extends the `CodeExchange` method with a http handler including cookie handling for secure `state` transfer and optional PKCE code verifier checking. Custom parameters can optionally be set to the token URL.

func DelegationTokenRequest 

func DelegationTokenRequest(subjectToken string, opts ...tokenexchange.TokenExchangeOption) *tokenexchange.TokenExchangeRequest

DelegationTokenRequest is an implementation of TokenExchangeRequest it exchanges an "urn:ietf:params:oauth:token-type:access_token" with an optional "urn:ietf:params:oauth:token-type:access_token" actor token for an "urn:ietf:params:oauth:token-type:access_token" delegation token

func DeviceAccessToken 

func DeviceAccessToken(ctx context.Context, deviceCode string, interval time.Duration, rp RelyingParty) (resp *oidc.AccessTokenResponse, err error)

DeviceAccessToken attempts to obtain tokens from a Device Authorization, by means of polling as defined in RFC, section 3.3 and 3.4: https://www.rfc-editor.org/rfc/rfc8628#section-3.4

func DeviceAuthorization 

func DeviceAuthorization(ctx context.Context, scopes []string, rp RelyingParty, authFn any) (*oidc.DeviceAuthorizationResponse, error)

DeviceAuthorization starts a new Device Authorization flow as defined in RFC 8628, section 3.1 and 3.2: https://www.rfc-editor.org/rfc/rfc8628#section-3.1

func EndSession 

func EndSession(ctx context.Context, rp RelyingParty, idToken, optionalRedirectURI, optionalState string) (*url.URL, error)

func GenerateAndStoreCodeChallenge 

func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (string, error)

GenerateAndStoreCodeChallenge generates a PKCE code challenge and stores its verifier into a secure cookie

func NewRemoteKeySet 

func NewRemoteKeySet(client *http.Client, jwksURL string, opts ...func(*remoteKeySet)) oidc.KeySet

func RefreshTokens 

func RefreshTokens[C oidc.IDClaims](ctx context.Context, rp RelyingParty, refreshToken, clientAssertion, clientAssertionType string) (*oidc.Tokens[C], error)

RefreshTokens performs a token refresh. If it doesn't error, it will always provide a new AccessToken. It may provide a new RefreshToken, and if it does, then the old one should be considered invalid.

In case the RP is not OAuth2 only and an IDToken was part of the response, the IDToken and AccessToken will be verified and the IDToken and IDTokenClaims fields will be populated in the returned object.

func RevokeToken 

func RevokeToken(ctx context.Context, rp RelyingParty, token string, tokenTypeHint string) error

RevokeToken requires a RelyingParty that is also a client.RevokeCaller. The RelyingParty returned by NewRelyingPartyOIDC() meets that criteria, but the one returned by NewRelyingPartyOAuth() does not.

tokenTypeHint should be either "id_token" or "refresh_token".

func SkipRemoteCheck 

func SkipRemoteCheck() func(set *remoteKeySet)

SkipRemoteCheck will suppress checking for new remote keys if signature validation fails with cached keys and no kid header is set in the JWT

this might be handy to save some unnecessary round trips in cases where the JWT does not contain a kid header and there is only a single remote key please notice that remote keys will then only be fetched if cached keys are empty

func Userinfo 

func Userinfo[U SubjectGetter](ctx context.Context, token, tokenType, subject string, rp RelyingParty) (userinfo U, err error)

Userinfo will call the OIDC UserInfo Endpoint with the provided token and returns the response in an instance of type U. *oidc.UserInfo can be used as a good example, or use a custom type if type-safe access to custom claims is needed.

Example (Custom) 
package main

import (
	"context"
	"fmt"

	"github.com/zitadel/oidc/v3/pkg/client/rp"
	"github.com/zitadel/oidc/v3/pkg/oidc"
)

type UserInfo struct {
	Subject string `json:"sub,omitempty"`
	oidc.UserInfoProfile
	oidc.UserInfoEmail
	oidc.UserInfoPhone
	Address *oidc.UserInfoAddress `json:"address,omitempty"`

	// Foo and Bar are custom claims
	Foo string `json:"foo,omitempty"`
	Bar struct {
		Val1 string `json:"val_1,omitempty"`
		Val2 string `json:"val_2,omitempty"`
	} `json:"bar,omitempty"`

	// Claims are all the combined claims, including custom.
	Claims map[string]any `json:"-,omitempty"`
}

func (u *UserInfo) GetSubject() string {
	return u.Subject
}

func main() {
	rpo, err := rp.NewRelyingPartyOIDC(context.TODO(), "http://localhost:8080", "clientid", "clientsecret", "http://example.com/redirect", []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopePhone})
	if err != nil {
		panic(err)
	}

	info, err := rp.Userinfo[*UserInfo](context.TODO(), "accesstokenstring", "Bearer", "userid", rpo)
	if err != nil {
		panic(err)
	}

	fmt.Println(info)
}

Output:

func VerifyAccessToken 

func VerifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAlgorithm) error

VerifyAccessToken validates the access token according to https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation

func VerifyIDToken 

func VerifyIDToken[C oidc.Claims](ctx context.Context, token string, v *IDTokenVerifier) (claims C, err error)

VerifyIDToken validates the id token according to https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

func VerifyTokens 

func VerifyTokens[C oidc.IDClaims](ctx context.Context, accessToken, idToken string, v *IDTokenVerifier) (claims C, err error)

VerifyTokens implement the Token Response Validation as defined in OIDC specification https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation

Example (CustomClaims) 
package main

import (
	"context"
	"fmt"

	tu "github.com/zitadel/oidc/v3/internal/testutil"
	"github.com/zitadel/oidc/v3/pkg/client/rp"
	"github.com/zitadel/oidc/v3/pkg/oidc"
)

// MyCustomClaims extends the TokenClaims base,
// so it implmeents the oidc.Claims interface.
// Instead of carrying a map, we add needed fields// to the struct for type safe access.
type MyCustomClaims struct {
	oidc.TokenClaims
	NotBefore       oidc.Time `json:"nbf,omitempty"`
	AccessTokenHash string    `json:"at_hash,omitempty"`
	Foo             string    `json:"foo,omitempty"`
	Bar             *Nested   `json:"bar,omitempty"`
}

// GetAccessTokenHash is required to implement
// the oidc.IDClaims interface.
func (c *MyCustomClaims) GetAccessTokenHash() string {
	return c.AccessTokenHash
}

// Nested struct types are also possible.
type Nested struct {
	Count int      `json:"count,omitempty"`
	Tags  []string `json:"tags,omitempty"`
}

/*
idToken carries the following claims. foo and bar are custom claims

	{
		"acr": "something",
		"amr": [
			"foo",
			"bar"
		],
		"at_hash": "2dzbm_vIxy-7eRtqUIGPPw",
		"aud": [
			"unit",
			"test",
			"555666"
		],
		"auth_time": 1678100961,
		"azp": "555666",
		"bar": {
			"count": 22,
			"tags": [
				"some",
				"tags"
			]
		},
		"client_id": "555666",
		"exp": 4802238682,
		"foo": "Hello, World!",
		"iat": 1678101021,
		"iss": "local.com",
		"jti": "9876",
		"nbf": 1678101021,
		"nonce": "12345",
		"sub": "tim@local.com"
	}
*/
const idToken = `eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJhY3IiOiJzb21ldGhpbmciLCJhbXIiOlsiZm9vIiwiYmFyIl0sImF0X2hhc2giOiIyZHpibV92SXh5LTdlUnRxVUlHUFB3IiwiYXVkIjpbInVuaXQiLCJ0ZXN0IiwiNTU1NjY2Il0sImF1dGhfdGltZSI6MTY3ODEwMDk2MSwiYXpwIjoiNTU1NjY2IiwiYmFyIjp7ImNvdW50IjoyMiwidGFncyI6WyJzb21lIiwidGFncyJdfSwiY2xpZW50X2lkIjoiNTU1NjY2IiwiZXhwIjo0ODAyMjM4NjgyLCJmb28iOiJIZWxsbywgV29ybGQhIiwiaWF0IjoxNjc4MTAxMDIxLCJpc3MiOiJsb2NhbC5jb20iLCJqdGkiOiI5ODc2IiwibmJmIjoxNjc4MTAxMDIxLCJub25jZSI6IjEyMzQ1Iiwic3ViIjoidGltQGxvY2FsLmNvbSJ9.t3GXSfVNNwiW1Suv9_84v0sdn2_-RWHVxhphhRozDXnsO7SDNOlGnEioemXABESxSzMclM7gB7mYy5Qah2ZUNx7eP5t2njoxEYfavgHwx7UJZ2NCg8NDPQyr-hlxelEcfdXK-I0oTd-FRDvF4rqPkD9Us52IpnplChCxnHFgh4wKwPqZZjv2IXVCtn0ilKW3hff1rMOYKEuLRcN2YP0gkyuqyHvcf2dMmjod0t4sLOTJ82rsCbMBC5CLpqv3nIC9HOGITkt1Kd-Am0n1LrdZvWwTo6RFe8AnzF0gpqjcB5Wg4Qeh58DIjZOz4f_8wnmJ_gCqyRh5vfSW4XHdbum0Tw`
const accessToken = `eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJhdWQiOlsidW5pdCIsInRlc3QiXSwiYmFyIjp7ImNvdW50IjoyMiwidGFncyI6WyJzb21lIiwidGFncyJdfSwiZXhwIjo0ODAyMjM4NjgyLCJmb28iOiJIZWxsbywgV29ybGQhIiwiaWF0IjoxNjc4MTAxMDIxLCJpc3MiOiJsb2NhbC5jb20iLCJqdGkiOiI5ODc2IiwibmJmIjoxNjc4MTAxMDIxLCJzdWIiOiJ0aW1AbG9jYWwuY29tIn0.Zrz3LWSRjCMJZUMaI5dUbW4vGdSmEeJQ3ouhaX0bcW9rdFFLgBI4K2FWJhNivq8JDmCGSxwLu3mI680GWmDaEoAx1M5sCO9lqfIZHGZh-lfAXk27e6FPLlkTDBq8Bx4o4DJ9Fw0hRJGjUTjnYv5cq1vo2-UqldasL6CwTbkzNC_4oQFfRtuodC4Ql7dZ1HRv5LXuYx7KPkOssLZtV9cwtJp5nFzKjcf2zEE_tlbjcpynMwypornRUp1EhCWKRUGkJhJeiP71ECY5pQhShfjBu9Nc5wDpSnZmnk2S4YsPrRK3QkE-iEkas8BfsOCrGoErHjEJexAIDjasGO5PFLWfCA`

func main() {
	v := rp.NewIDTokenVerifier("local.com", "555666", tu.KeySet{},
		rp.WithNonce(func(ctx context.Context) string { return "12345" }),
	)

	// VerifyAccessToken can be called with the *MyCustomClaims.
	claims, err := rp.VerifyTokens[*MyCustomClaims](context.TODO(), accessToken, idToken, v)
	if err != nil {
		panic(err)
	}
	// Here we have typesafe access to the custom claims
	fmt.Println(claims.Foo, claims.Bar.Count, claims.Bar.Tags)
}

Output:

Hello, World! 22 [some tags]

Types

type AuthURLOpt 

type AuthURLOpt func() []oauth2.AuthCodeOption

func WithCodeChallenge 

func WithCodeChallenge(codeChallenge string) AuthURLOpt

WithCodeChallenge sets the `code_challenge` params in the auth request

func WithPrompt 

func WithPrompt(prompt ...string) AuthURLOpt

WithPrompt sets the `prompt` params in the auth request

type CodeExchangeCallback 

type CodeExchangeCallback[C oidc.IDClaims] func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[C], state string, rp RelyingParty)

func UserinfoCallback 

func UserinfoCallback[C oidc.IDClaims, U SubjectGetter](f CodeExchangeUserinfoCallback[C, U]) CodeExchangeCallback[C]

UserinfoCallback wraps the callback function of the CodeExchangeHandler and calls the userinfo endpoint with the access token on success it will pass the userinfo into its callback function as well

type CodeExchangeOpt 

type CodeExchangeOpt func() []oauth2.AuthCodeOption

func WithClientAssertionJWT 

func WithClientAssertionJWT(clientAssertion string) CodeExchangeOpt

WithClientAssertionJWT sets the `client_assertion` param in the token request

func WithCodeVerifier 

func WithCodeVerifier(codeVerifier string) CodeExchangeOpt

WithCodeVerifier sets the `code_verifier` param in the token request

type CodeExchangeUserinfoCallback 

type CodeExchangeUserinfoCallback[C oidc.IDClaims, U SubjectGetter] func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[C], state string, provider RelyingParty, info U)

type DelegationTokenExchangeRP 

type DelegationTokenExchangeRP interface {
	TokenExchangeRP

	// DelegationTokenExchange implement the `Token Exchange Grant`
	// providing an access token in request for a `delegation` token for a given resource / audience
	DelegationTokenExchange(context.Context, string, ...tokenexchange.TokenExchangeOption) (*oauth2.Token, error)
}

DelegationTokenExchangeRP extends the `TokenExchangeRP` interface for the specific `delegation token` request

type Endpoints 

type Endpoints struct {
	oauth2.Endpoint
	IntrospectURL          string
	UserinfoURL            string
	JKWsURL                string
	EndSessionURL          string
	RevokeURL              string
	DeviceAuthorizationURL string
}

func GetEndpoints 

func GetEndpoints(discoveryConfig *oidc.DiscoveryConfiguration) Endpoints

type ErrorHandler 

type ErrorHandler func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string)
var DefaultErrorHandler ErrorHandler = func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string) {
	http.Error(w, errorType+": "+errorDesc, http.StatusInternalServerError)
}

type HasUnauthorizedHandler added in v3.10.0 

type HasUnauthorizedHandler interface {
	// UnauthorizedHandler returns the handler used for unauthorized errors
	UnauthorizedHandler() func(w http.ResponseWriter, r *http.Request, desc string, state string)
}

type IDTokenVerifier 

type IDTokenVerifier oidc.Verifier

func NewIDTokenVerifier 

func NewIDTokenVerifier(issuer, clientID string, keySet oidc.KeySet, options ...VerifierOption) *IDTokenVerifier

NewIDTokenVerifier returns a oidc.Verifier suitable for ID token verification.

type Option 

type Option func(*relyingParty) error

Option is the type for providing dynamic options to the relyingParty

func WithAuthStyle added in v3.12.0 

func WithAuthStyle(oauthAuthStyle oauth2.AuthStyle) Option

func WithClientKey 

func WithClientKey(path string) Option

WithClientKey specifies the path to the key.json to be used for the JWT Profile Client Authentication on the token endpoint

deprecated: use WithJWTProfile(SignerFromKeyPath(path)) instead

func WithCookieHandler 

func WithCookieHandler(cookieHandler *httphelper.CookieHandler) Option

WithCookieHandler set a `CookieHandler` for securing the various redirects

func WithCustomDiscoveryUrl 

func WithCustomDiscoveryUrl(url string) Option

func WithErrorHandler 

func WithErrorHandler(errorHandler ErrorHandler) Option

func WithHTTPClient 

func WithHTTPClient(client *http.Client) Option

WithHTTPClient provides the ability to set an http client to be used for the relaying party and verifier

func WithJWTProfile 

func WithJWTProfile(signerFromKey SignerFromKey) Option

WithJWTProfile creates a signer used for the JWT Profile Client Authentication on the token endpoint When creating the signer, be sure to include the KeyID in the SigningKey. See client.NewSignerFromPrivateKeyByte for an example.

func WithLogger 

func WithLogger(logger *slog.Logger) Option

WithLogger sets a logger that is used in case the request context does not contain a logger.

func WithPKCE 

func WithPKCE(cookieHandler *httphelper.CookieHandler) Option

WithPKCE sets the RP to use PKCE (oauth2 code challenge) it also sets a `CookieHandler` for securing the various redirects and exchanging the code challenge

func WithSigningAlgsFromDiscovery added in v3.22.0 

func WithSigningAlgsFromDiscovery() Option

WithSigningAlgsFromDiscovery appends the WithSupportedSigningAlgorithms option to the Verifier Options. The algorithms returned in the `id_token_signing_alg_values_supported` from the discovery response will be set.

func WithUnauthorizedHandler added in v3.10.0 

func WithUnauthorizedHandler(unauthorizedHandler UnauthorizedHandler) Option

func WithVerifierOpts 

func WithVerifierOpts(opts ...VerifierOption) Option

type OptionFunc 

type OptionFunc func(RelyingParty)

type RefreshTokenRequest 

type RefreshTokenRequest struct {
	RefreshToken        string                   `schema:"refresh_token"`
	Scopes              oidc.SpaceDelimitedArray `schema:"scope"`
	ClientID            string                   `schema:"client_id"`
	ClientSecret        string                   `schema:"client_secret"`
	ClientAssertion     string                   `schema:"client_assertion"`
	ClientAssertionType string                   `schema:"client_assertion_type"`
	GrantType           oidc.GrantType           `schema:"grant_type"`
}

type RelyingParty 

type RelyingParty interface {
	// OAuthConfig returns the oauth2 Config
	OAuthConfig() *oauth2.Config

	// Issuer returns the issuer of the oidc config
	Issuer() string

	// IsPKCE returns if authorization is done using `Authorization Code Flow with Proof Key for Code Exchange (PKCE)`
	IsPKCE() bool

	// CookieHandler returns a http cookie handler used for various state transfer cookies
	CookieHandler() *httphelper.CookieHandler

	// HttpClient returns a http client used for calls to the openid provider, e.g. calling token endpoint
	HttpClient() *http.Client

	// IsOAuth2Only specifies whether relaying party handles only oauth2 or oidc calls
	IsOAuth2Only() bool

	// Signer is used if the relaying party uses the JWT Profile
	Signer() jose.Signer

	// GetEndSessionEndpoint returns the endpoint to sign out on a IDP
	GetEndSessionEndpoint() string

	// GetRevokeEndpoint returns the endpoint to revoke a specific token
	GetRevokeEndpoint() string

	// UserinfoEndpoint returns the userinfo
	UserinfoEndpoint() string

	// GetDeviceAuthorizationEndpoint returns the endpoint which can
	// be used to start a DeviceAuthorization flow.
	GetDeviceAuthorizationEndpoint() string

	// IDTokenVerifier returns the verifier used for oidc id_token verification
	IDTokenVerifier() *IDTokenVerifier

	// ErrorHandler returns the handler used for callback errors
	ErrorHandler() func(http.ResponseWriter, *http.Request, string, string, string)

	// Logger from the context, or a fallback if set.
	Logger(context.Context) (logger *slog.Logger, ok bool)
}

RelyingParty declares the minimal interface for oidc clients

func NewRelyingPartyOAuth 

func NewRelyingPartyOAuth(config *oauth2.Config, options ...Option) (RelyingParty, error)

NewRelyingPartyOAuth creates an (OAuth2) RelyingParty with the given OAuth2 Config and possible configOptions it will use the AuthURL and TokenURL set in config

func NewRelyingPartyOIDC 

func NewRelyingPartyOIDC(ctx context.Context, issuer, clientID, clientSecret, redirectURI string, scopes []string, options ...Option) (RelyingParty, error)

NewRelyingPartyOIDC creates an (OIDC) RelyingParty with the given issuer, clientID, clientSecret, redirectURI, scopes and possible configOptions it will run discovery on the provided issuer and use the found endpoints

type SignerFromKey 

type SignerFromKey func() (jose.Signer, error)

func SignerFromKeyAndKeyID 

func SignerFromKeyAndKeyID(key []byte, keyID string) SignerFromKey

func SignerFromKeyFile 

func SignerFromKeyFile(fileData []byte) SignerFromKey

func SignerFromKeyPath 

func SignerFromKeyPath(path string) SignerFromKey

type SubjectGetter 

type SubjectGetter interface {
	GetSubject() string
}

type TokenExchangeRP 

type TokenExchangeRP interface {
	RelyingParty

	// TokenExchange implement the `Token Exchange Grant` exchanging some token for an other
	TokenExchange(context.Context, *tokenexchange.TokenExchangeRequest) (*oauth2.Token, error)
}

TokenExchangeRP extends the `RelyingParty` interface for the *draft* oauth2 `Token Exchange`

type URLParamOpt 

type URLParamOpt func() []oauth2.AuthCodeOption

func WithPromptURLParam 

func WithPromptURLParam(prompt ...string) URLParamOpt

WithPromptURLParam sets the `prompt` parameter in a URL.

func WithResponseModeURLParam 

func WithResponseModeURLParam(mode oidc.ResponseMode) URLParamOpt

WithResponseModeURLParam sets the `response_mode` parameter in a URL.

func WithURLParam 

func WithURLParam(key, value string) URLParamOpt

WithURLParam allows setting custom key-vale pairs to an OAuth2 URL.

type UnauthorizedHandler added in v3.10.0 

type UnauthorizedHandler func(w http.ResponseWriter, r *http.Request, desc string, state string)
var DefaultUnauthorizedHandler UnauthorizedHandler = func(w http.ResponseWriter, r *http.Request, desc string, state string) {
	http.Error(w, desc, http.StatusUnauthorized)
}

type VerifierOption 

type VerifierOption func(*IDTokenVerifier)

VerifierOption is the type for providing dynamic options to the IDTokenVerifier

func WithACRVerifier 

func WithACRVerifier(verifier oidc.ACRVerifier) VerifierOption

WithACRVerifier sets the verifier for the acr claim

func WithAuthTimeMaxAge 

func WithAuthTimeMaxAge(maxAge time.Duration) VerifierOption

WithAuthTimeMaxAge provides the ability to define the maximum duration between auth_time and now

func WithIssuedAtMaxAge 

func WithIssuedAtMaxAge(maxAge time.Duration) VerifierOption

WithIssuedAtMaxAge provides the ability to define the maximum duration between iat and now

func WithIssuedAtOffset 

func WithIssuedAtOffset(offset time.Duration) VerifierOption

WithIssuedAtOffset mitigates the risk of iat to be in the future because of clock skews with the ability to add an offset to the current time

func WithNonce 

func WithNonce(nonce func(context.Context) string) VerifierOption

WithNonce sets the function to check the nonce

func WithSupportedSigningAlgorithms 

func WithSupportedSigningAlgorithms(algs ...string) VerifierOption

WithSupportedSigningAlgorithms overwrites the default RS256 signing algorithm

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.