Documentation
Overview
Package oauth provides a bare-bones implementation of OAuth2 with JWT.
Index
- Constants
- func MakeJWT(claims interface{}, signer Signer) (string, error)
- func ValidateAuthorizationCodeGrant(params url.Values) (code string, err error)
- func ValidatePasswordGrant(params url.Values) (username string, password string, err error)
- func ValidateRefreshGrant(params url.Values) (refreshToken string, err error)
- type Auth
- type BaseClient
- func (c *BaseClient) BaseClaims() *Claims
- func (c *BaseClient) GetEntity() string
- func (c *BaseClient) GetID() string
- func (c *BaseClient) GetScope(grantType GrantType) []string
- func (c *BaseClient) GetSlug() string
- func (c *BaseClient) Validate() error
- func (c *BaseClient) Verify(secret string) bool
- type Claims
- type Client
- type GrantType
- type Signer
- type TokenClaim
- type TokenResponse
Constants
```go
const (
	InternalError        errors.Code = "internal_error"
	InvalidRequest       errors.Code = "invalid_request"
	InvalidClient        errors.Code = "invalid_client"
	InvalidGrant         errors.Code = "invalid_grant"
	UnsupportedGrantType errors.Code = "unsupported_grant_type"
	InvalidScope         errors.Code = "invalid_scope"
)
```
The possible error codes
Variables
This section is empty.
Functions
func ValidateAuthorizationCodeGrant
func ValidateAuthorizationCodeGrant(params url.Values) (code string, err error)
ValidateAuthorizationCodeGrant checks for an authorization_code grant type
func ValidatePasswordGrant
func ValidatePasswordGrant(params url.Values) (username string, password string, err error)
ValidatePasswordGrant checks for a password grant type
Types
type Auth
Auth is the base struct
func (*Auth) FindClient
FindClient returns a client using a BasicAuth string; the string must start with `Basic`
func (*Auth) GetTokenResponse
func (a *Auth) GetTokenResponse(claims TokenClaim, refreshToken string) (*TokenResponse, error)
GetTokenResponse returns a token response or an error
func (*Auth) SetClients
SetClients validates the uniqueness of IDs and Slugs and calls the `Validate` function for each client
type BaseClient
```go
type BaseClient struct {
	// client_id for OAuth2 purposes
	ID string `json:"id"`
	// client_secret for OAuth2 purposes
	Secret string `json:"secret"`
	// A slug to uniquely identify the client. For example: `iota-android`
	Slug string `json:"slug"`
	// An entity to group clients together. For example: `iota`
	Entity string `json:"entity"`
	// A map grant_type / roles
	Scopes map[GrantType][]string `json:"scopes"`
}
```
BaseClient provides the base implementation for a Client
func (*BaseClient) BaseClaims
func (c *BaseClient) BaseClaims() *Claims
BaseClaims instantiates a Claims object with the client properties prefilled. It looks for the issuer in the JWT_ISS environment variable and applies a default lifetime of 1h
func (*BaseClient) GetEntity
func (c *BaseClient) GetEntity() string
GetEntity returns the friendly name of the group of clients the client belongs to
func (*BaseClient) GetID
func (c *BaseClient) GetID() string
GetID returns the client_id for OAuth2 purposes
func (*BaseClient) GetScope
func (c *BaseClient) GetScope(grantType GrantType) []string
GetScope returns the client scope for a given grant type
func (*BaseClient) GetSlug
func (c *BaseClient) GetSlug() string
GetSlug returns the friendly name of the client that will be used as the aud claim
func (*BaseClient) Validate
func (c *BaseClient) Validate() error
Validate checks that a client is valid
func (*BaseClient) Verify
func (c *BaseClient) Verify(secret string) bool
Verify checks whether the provided secret matches the client secret
type Claims
```go
type Claims struct {
	TokenID   uuid.UUID `json:"tid"`
	Issuer    string    `json:"iss"`
	Audience  string    `json:"aud"`
	Entity    string    `json:"ent,omitempty"`
	Subject   string    `json:"sub,omitempty"`
	Scope     []string  `json:"scope,omitempty"`
	IssuedAt  int64     `json:"iat"`
	ExpiresAt int64     `json:"exp"`
}
```
Claims represents the main part of the JWT
func AuthenticateClient
AuthenticateClient returns claims for a client grant. The default implementation returns a claim with
func (*Claims) ApplyLifetime
ApplyLifetime sets IssuedAt and ExpiresAt accordingly
func (*Claims) LimitScope
LimitScope removes all scopes that are not in the given array. This method is used when authenticating, to make sure that a token does not have more privileges than the client that generated it.
func (*Claims) SetIssuerIfNeeded
SetIssuerIfNeeded sets the issuer if it is empty
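The scope-limiting and lifetime rules documented above for Claims, as an added example that is not the package's own code: Claims is trimmed to the fields the example needs, the client scope map is constructed, and LimitScope and ApplyLifetime are assumed implementations of the documented behaviour.

```go
package main

import (
	"fmt"
	"time"
)

// GrantType and Claims mirror the page's types (other fields omitted).
type GrantType string

const Password GrantType = "password"

type Claims struct {
	Audience  string   `json:"aud"`
	Scope     []string `json:"scope,omitempty"`
	IssuedAt  int64    `json:"iat"`
	ExpiresAt int64    `json:"exp"`
}

// LimitScope keeps only the requested scopes that also appear in allowed, so a
// token never carries more privileges than the client that generated it
// (an assumed implementation of the behaviour the page describes).
func (c *Claims) LimitScope(allowed []string) {
	set := make(map[string]struct{}, len(allowed))
	for _, s := range allowed {
		set[s] = struct{}{}
	}
	kept := make([]string, 0, len(c.Scope))
	for _, s := range c.Scope {
		if _, ok := set[s]; ok {
			kept = append(kept, s)
		}
	}
	c.Scope = kept // nil allowed (unknown grant type) leaves no scope at all
}

// ApplyLifetime sets iat to now and exp to now plus lifetime seconds.
func (c *Claims) ApplyLifetime(now time.Time, lifetime int64) {
	c.IssuedAt = now.Unix()
	c.ExpiresAt = c.IssuedAt + lifetime
}

func main() {
	// Constructed client: like BaseClient.Scopes, a map grant_type -> roles.
	scopes := map[GrantType][]string{Password: {"read", "write"}}
	// A password-grant request that asks for more than the client may hold.
	c := &Claims{Audience: "iota-android", Scope: []string{"read", "admin"}}
	c.LimitScope(scopes[Password])
	c.ApplyLifetime(time.Unix(1700000000, 0), 3600)
	fmt.Println(c.Scope, c.ExpiresAt-c.IssuedAt) // prints [read] 3600
}
```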
type Client
```go
type Client interface {
	GetID() string
	GetSlug() string
	GetEntity() string
	GetScope(GrantType) []string
	Verify(string) bool
	Validate() error
	BaseClaims() *Claims
}
```
Client is a base interface for an OAuth client
type GrantType
```go
type GrantType string
```
GrantType is an enum for OAuth2 grant types
```go
const (
	ClientCredentials GrantType = "client_credentials"
	Password          GrantType = "password"
	RefreshToken      GrantType = "refresh_token"
	AuthorizationCode GrantType = "authorization_code"
)
```
All allowed grant types
func GetGrantType
GetGrantType retrieves the grant type from url values
type Signer
```go
type Signer interface {
	// Returns how long a token signed with this can live
	TokenLifetime() int64
	// Returns the active key ID
	// This method should ensure that the key is valid
	KeyID() (string, error)
	// Sign returns a cryptographic signature
	// The KeyID should be retrieved right before this call using KeyID()
	Sign(string, []byte) ([]byte, error)
	// PublicKeys returns the authorized public keys; it also rotates the keys if required
	// Also returns the remaining time for which the keys will be valid
	PublicKeys() ([]keys.PublicKey, int64, error)
}
```
Signer is the interface for a key manager that rotates keys and signs tokens
type TokenClaim
```go
type TokenClaim interface {
	SetIssuerIfNeeded(string)
}
```
TokenClaim is the base interface for what is passed to GetTokenResponse
Source Files
Directories
Path | Synopsis
---|---
| Package keys provides a signer implementation that relies on a key ring that can be rotated in a thread / instance safe manner
jwks | Package jwks allows converting keys to JSON Web Key Sets
providers/bucket | Package bucket stores keys in a Google bucket
providers/database | Package database stores keys in a gorm.db
providers/local | Package local stores keys locally
providers/redis | Package redis stores keys in Redis
providers/utils | Package utils has functions used to store and retrieve keys
| Package utils contains utility functions that are used throughout the library