rfc8693

package
v0.2.20 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 28, 2026 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AccessTokenTypeHandler 

type AccessTokenTypeHandler struct {
	Config               oauth2.RFC8693ConfigProvider
	AccessTokenLifespan  time.Duration
	RefreshTokenLifespan time.Duration
	RefreshTokenScopes   []string
	hoauth2.CoreStrategy
	ScopeStrategy oauth2.ScopeStrategy
	Storage
}

func (*AccessTokenTypeHandler) CanHandleTokenEndpointRequest 

func (c *AccessTokenTypeHandler) CanHandleTokenEndpointRequest(ctx context.Context, requester oauth2.AccessRequester) bool

CanHandleTokenEndpointRequest indicates if the token endpoint request can be handled.

func (*AccessTokenTypeHandler) CanSkipClientAuth 

func (c *AccessTokenTypeHandler) CanSkipClientAuth(ctx context.Context, requester oauth2.AccessRequester) bool

CanSkipClientAuth indicates if client auth can be skipped.

func (*AccessTokenTypeHandler) HandleTokenEndpointRequest 

func (c *AccessTokenTypeHandler) HandleTokenEndpointRequest(ctx context.Context, request oauth2.AccessRequester) (err error)

HandleTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-4.3.2

func (*AccessTokenTypeHandler) PopulateTokenEndpointResponse 

func (c *AccessTokenTypeHandler) PopulateTokenEndpointResponse(ctx context.Context, request oauth2.AccessRequester, responder oauth2.AccessResponder) (err error)

PopulateTokenEndpointResponse implements https://tools.ietf.org/html/rfc6749#section-4.3.3

type ActorTokenValidationHandler 

type ActorTokenValidationHandler struct{}

func (*ActorTokenValidationHandler) CanHandleTokenEndpointRequest 

func (c *ActorTokenValidationHandler) CanHandleTokenEndpointRequest(ctx context.Context, requester oauth2.AccessRequester) bool

CanHandleTokenEndpointRequest indicates if the token endpoint request can be handled

func (*ActorTokenValidationHandler) CanSkipClientAuth 

func (c *ActorTokenValidationHandler) CanSkipClientAuth(ctx context.Context, requester oauth2.AccessRequester) bool

CanSkipClientAuth indicates if client auth can be skipped

func (*ActorTokenValidationHandler) HandleTokenEndpointRequest 

func (c *ActorTokenValidationHandler) HandleTokenEndpointRequest(ctx context.Context, request oauth2.AccessRequester) error

HandleTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-4.3.2

func (*ActorTokenValidationHandler) PopulateTokenEndpointResponse 

func (c *ActorTokenValidationHandler) PopulateTokenEndpointResponse(ctx context.Context, request oauth2.AccessRequester, responder oauth2.AccessResponder) error

PopulateTokenEndpointResponse implements https://tools.ietf.org/html/rfc6749#section-4.3.3

type Client 

type Client interface {
	// GetSupportedSubjectTokenTypes indicates the token types allowed for subject_token
	GetSupportedSubjectTokenTypes() (types []string)

	// GetSupportedActorTokenTypes indicates the token types allowed for subject_token
	GetSupportedActorTokenTypes() (types []string)

	// GetSupportedRequestTokenTypes indicates the token types allowed for requested_token_type
	GetSupportedRequestTokenTypes() (types []string)

	// GetTokenExchangePermitted checks if the subject token client allows the specified client
	// to perform the exchange
	GetTokenExchangePermitted(client oauth2.Client) (allowed bool)
}

Client is a representation of a client that may support RFC8693.

type CustomJWTTypeHandler 

type CustomJWTTypeHandler struct {
	Config oauth2.RFC8693ConfigProvider

	jwt.Strategy
	Storage
}

func (*CustomJWTTypeHandler) CanHandleTokenEndpointRequest 

func (c *CustomJWTTypeHandler) CanHandleTokenEndpointRequest(_ context.Context, requester oauth2.AccessRequester) bool

CanHandleTokenEndpointRequest indicates if the token endpoint request can be handled

func (*CustomJWTTypeHandler) CanSkipClientAuth 

func (c *CustomJWTTypeHandler) CanSkipClientAuth(_ context.Context, _ oauth2.AccessRequester) bool

CanSkipClientAuth indicates if client auth can be skipped

func (*CustomJWTTypeHandler) HandleTokenEndpointRequest 

func (c *CustomJWTTypeHandler) HandleTokenEndpointRequest(ctx context.Context, requester oauth2.AccessRequester) error

HandleTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-4.3.2

func (*CustomJWTTypeHandler) PopulateTokenEndpointResponse 

func (c *CustomJWTTypeHandler) PopulateTokenEndpointResponse(ctx context.Context, requester oauth2.AccessRequester, responder oauth2.AccessResponder) error

PopulateTokenEndpointResponse implements https://tools.ietf.org/html/rfc6749#section-4.3.3

type DefaultSession 

type DefaultSession struct {
	*openid.DefaultSession

	ActorToken   map[string]any `json:"-"`
	SubjectToken map[string]any `json:"-"`
	Extra        map[string]any `json:"extra,omitempty"`
}

func (*DefaultSession) AccessTokenClaimsMap 

func (s *DefaultSession) AccessTokenClaimsMap() map[string]any

func (*DefaultSession) GetActorToken 

func (s *DefaultSession) GetActorToken() map[string]any

func (*DefaultSession) GetSubjectToken 

func (s *DefaultSession) GetSubjectToken() map[string]any

func (*DefaultSession) SetAct 

func (s *DefaultSession) SetAct(act map[string]any)

func (*DefaultSession) SetActorToken 

func (s *DefaultSession) SetActorToken(token map[string]any)

func (*DefaultSession) SetSubjectToken 

func (s *DefaultSession) SetSubjectToken(token map[string]any)

type DefaultTokenType 

type DefaultTokenType struct {
	Name string
}

func (*DefaultTokenType) GetName 

func (c *DefaultTokenType) GetName(ctx context.Context) string

func (*DefaultTokenType) GetType 

func (c *DefaultTokenType) GetType(ctx context.Context) string

type IDTokenTypeHandler 

type IDTokenTypeHandler struct {
	Config             oauth2.Configurator
	Strategy           jwt.Strategy
	IssueStrategy      openid.OpenIDConnectTokenStrategy
	ValidationStrategy openid.TokenValidationStrategy
	Storage
}

IDTokenTypeHandler is a response handler for the ID Token grant using the implicit grant type as defined in RFC8693.

See: https://datatracker.ietf.org/doc/html/rfc8693

func (*IDTokenTypeHandler) CanHandleTokenEndpointRequest 

func (c *IDTokenTypeHandler) CanHandleTokenEndpointRequest(ctx context.Context, requester oauth2.AccessRequester) bool

CanHandleTokenEndpointRequest indicates if the token endpoint request can be handled which is true only if the 'grant_type' is exactly and only 'urn:ietf:params:oauth:grant-type:token-exchange'.

See: https://datatracker.ietf.org/doc/html/rfc8693#section-2.1

func (*IDTokenTypeHandler) CanSkipClientAuth 

func (c *IDTokenTypeHandler) CanSkipClientAuth(ctx context.Context, requester oauth2.AccessRequester) bool

CanSkipClientAuth indicates if client auth can be skipped, which is not possible for RFC8693.

func (*IDTokenTypeHandler) HandleTokenEndpointRequest 

func (c *IDTokenTypeHandler) HandleTokenEndpointRequest(ctx context.Context, request oauth2.AccessRequester) error

HandleTokenEndpointRequest implements RFC8693 Section 2.1 and the oauth2.TokenEndpointHandler.

See: https://datatracker.ietf.org/doc/html/rfc8693#section-2.1

func (*IDTokenTypeHandler) PopulateTokenEndpointResponse 

func (c *IDTokenTypeHandler) PopulateTokenEndpointResponse(ctx context.Context, request oauth2.AccessRequester, responder oauth2.AccessResponder) error

PopulateTokenEndpointResponse implements RFC8693 Section 2.2 and the oauth2.TokenEndpointHandler.

See: https://datatracker.ietf.org/doc/html/rfc8693#section-2.2

type JWTIssueConfig 

type JWTIssueConfig struct {
	Audience []string      `json:"aud"`
	Expiry   time.Duration `json:"exp"`
}

type JWTType 

type JWTType struct {
	Name                string `json:"name"`
	Issuer              string `json:"iss"`
	JWTValidationConfig `json:"validate"`
	JWTIssueConfig      `json:"issue"`
}

func (*JWTType) GetName 

func (c *JWTType) GetName(ctx context.Context) string

func (*JWTType) GetType 

func (c *JWTType) GetType(ctx context.Context) string

type JWTValidationConfig 

type JWTValidationConfig struct {
	ValidateJTI                bool          `json:"validate_jti"`
	JWTLifetimeToleranceWindow time.Duration `json:"tolerance_window"`
	ValidateFunc               jwt.Keyfunc   `json:"-"`
}

type RefreshTokenTypeHandler 

type RefreshTokenTypeHandler struct {
	Config               oauth2.RFC8693ConfigProvider
	RefreshTokenLifespan time.Duration
	RefreshTokenScopes   []string
	hoauth2.CoreStrategy
	ScopeStrategy oauth2.ScopeStrategy
	Storage
}

func (*RefreshTokenTypeHandler) CanHandleTokenEndpointRequest 

func (c *RefreshTokenTypeHandler) CanHandleTokenEndpointRequest(_ context.Context, requester oauth2.AccessRequester) bool

CanHandleTokenEndpointRequest indicates if the token endpoint request can be handled

func (*RefreshTokenTypeHandler) CanSkipClientAuth 

func (c *RefreshTokenTypeHandler) CanSkipClientAuth(_ context.Context, _ oauth2.AccessRequester) bool

CanSkipClientAuth indicates if client auth can be skipped

func (*RefreshTokenTypeHandler) HandleTokenEndpointRequest 

func (c *RefreshTokenTypeHandler) HandleTokenEndpointRequest(ctx context.Context, request oauth2.AccessRequester) error

HandleTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-4.3.2

func (*RefreshTokenTypeHandler) PopulateTokenEndpointResponse 

func (c *RefreshTokenTypeHandler) PopulateTokenEndpointResponse(ctx context.Context, requester oauth2.AccessRequester, responder oauth2.AccessResponder) error

PopulateTokenEndpointResponse implements https://tools.ietf.org/html/rfc6749#section-4.3.3

type Session 

type Session interface {
	// SetSubject sets the session's subject.
	SetSubject(subject string)

	SetActorToken(token map[string]any)

	GetActorToken() map[string]any

	SetSubjectToken(token map[string]any)

	GetSubjectToken() map[string]any

	SetAct(act map[string]any)

	AccessTokenClaimsMap() map[string]any
}

Session is required to support token exchange

type Storage 

type Storage interface {
	hoauth2.CoreStorage

	// SetTokenExchangeCustomJWT marks a JTI as known for the given
	// expiry time. It should atomically check if the JTI
	// already exists and fail the request, if found.
	SetTokenExchangeCustomJWT(ctx context.Context, jti string, exp time.Time) error

	// GetSubjectForTokenExchange computes the session subject and is used for token types where there is no way
	// to know the subject value. For some token types, such as access and refresh tokens, the subject is well-defined
	// and this function is not called.
	GetSubjectForTokenExchange(ctx context.Context, requester oauth2.Requester, subjectToken map[string]any) (string, error)
}

type TokenExchangeGrantHandler 

type TokenExchangeGrantHandler struct {
	Config                   oauth2.RFC8693ConfigProvider
	ScopeStrategy            oauth2.ScopeStrategy
	AudienceMatchingStrategy oauth2.AudienceMatchingStrategy
}

TokenExchangeGrantHandler is the grant handler for RFC8693

func (*TokenExchangeGrantHandler) CanHandleTokenEndpointRequest 

func (c *TokenExchangeGrantHandler) CanHandleTokenEndpointRequest(ctx context.Context, requester oauth2.AccessRequester) bool

CanHandleTokenEndpointRequest indicates if the token endpoint request can be handled

func (*TokenExchangeGrantHandler) CanSkipClientAuth 

func (c *TokenExchangeGrantHandler) CanSkipClientAuth(ctx context.Context, requester oauth2.AccessRequester) bool

CanSkipClientAuth indicates if client auth can be skipped

func (*TokenExchangeGrantHandler) HandleTokenEndpointRequest 

func (c *TokenExchangeGrantHandler) HandleTokenEndpointRequest(ctx context.Context, request oauth2.AccessRequester) (err error)

HandleTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-4.3.2

func (*TokenExchangeGrantHandler) PopulateTokenEndpointResponse 

func (c *TokenExchangeGrantHandler) PopulateTokenEndpointResponse(ctx context.Context, request oauth2.AccessRequester, responder oauth2.AccessResponder) error

PopulateTokenEndpointResponse implements https://tools.ietf.org/html/rfc6749#section-4.3.3

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.