providers package, v0.8.7

Warning: This package is not in the latest version of its module.

Published: Apr 2, 2025 License: Apache-2.0 Imports: 30 Imported by: 3

Documentation

Constants

const AudPrefixForGQCommitment = "OPENPUBKEY-PKTOKEN:"

Variables

var CommitTypesEnum = struct {
	NONCE_CLAIM CommitType
	AUD_CLAIM   CommitType
	GQ_BOUND    CommitType
}{
	NONCE_CLAIM: CommitType{Claim: "nonce", GQCommitment: false},
	AUD_CLAIM:   CommitType{Claim: "aud", GQCommitment: false},
	GQ_BOUND:    CommitType{Claim: "", GQCommitment: true},
}

Functions

func CreateGQBoundToken

func CreateGQBoundToken(ctx context.Context, idToken []byte, op OpenIdProvider, cicHash string) ([]byte, error)

func CreateGQToken

func CreateGQToken(ctx context.Context, idToken []byte, op OpenIdProvider) ([]byte, error)

func FindAvailablePort

func FindAvailablePort(redirectURIs []string) (*url.URL, net.Listener, error)

FindAvailablePort attempts to open a listener on localhost for each of the redirectURIs in turn, returning the first one that binds successfully, or an error once it runs out of redirectURIs to try.
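The selection loop described above, written as an added stand-alone example rather than the package's own FindAvailablePort: it walks the registered redirect URIs, refuses any whose host is not a loopback address (so the authcode callback is never exposed on an external interface), and returns the first URI whose port it can bind together with the open listener. The URI list in main is constructed for illustration; the loopback restriction is a defensive choice assumed here, not a behaviour the page documents.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// loopbackHost reports whether a redirect URI host is a loopback address.
// Binding only to loopback keeps the authcode listener off external
// interfaces, so other hosts on the network cannot reach the callback.
func loopbackHost(host string) bool {
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// findAvailablePort walks the registered redirect URIs in order and returns
// the first one whose host:port it can bind, together with the open listener,
// so the caller serves the callback on exactly the URI the OP will redirect to.
// Non-loopback hosts and URIs without an explicit port are refused; if every
// URI fails, the joined per-URI errors are returned.
func findAvailablePort(redirectURIs []string) (*url.URL, net.Listener, error) {
	if len(redirectURIs) == 0 {
		return nil, nil, errors.New("no redirect URIs configured")
	}
	var errs []error
	for _, raw := range redirectURIs {
		u, err := url.Parse(raw)
		if err != nil {
			errs = append(errs, fmt.Errorf("%q: %w", raw, err))
			continue
		}
		switch {
		case !loopbackHost(u.Hostname()):
			errs = append(errs, fmt.Errorf("%q: host is not loopback", raw))
			continue
		case u.Port() == "":
			errs = append(errs, fmt.Errorf("%q: no explicit port", raw))
			continue
		}
		ln, err := net.Listen("tcp", net.JoinHostPort(u.Hostname(), u.Port()))
		if err != nil {
			// Typically "address already in use": another process or an
			// earlier login attempt still owns the port, so try the next URI.
			errs = append(errs, fmt.Errorf("%q: %w", raw, err))
			continue
		}
		return u, ln, nil
	}
	return nil, nil, fmt.Errorf("no usable redirect URI: %w", errors.Join(errs...))
}

func main() {
	// Constructed list, in the style of an OIDC client registered with
	// several localhost redirect URIs on different ports.
	uris := []string{
		"http://localhost:3000/login-callback",
		"http://localhost:10001/login-callback",
		"http://localhost:11110/login-callback",
	}
	u, ln, err := findAvailablePort(uris)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer ln.Close()
	fmt.Println("serving callback at", u.String(), "on", ln.Addr())
}
```

The returned URL must be used unchanged as the redirect_uri in the authorization request: OPs compare it byte-for-byte against the registered value, which is why the function binds the exact host:port from the list instead of asking the OS for any free port.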

func GenCIC

func GenCIC(t *testing.T) *clientinstance.Claims

func GenCICExtra

func GenCICExtra(t *testing.T, extraClaims map[string]any) *clientinstance.Claims

Types

type AzureOp

type AzureOp = StandardOp

type AzureOptions

type AzureOptions struct {
	// ClientID is the client ID of the OIDC application. It should be the
	// expected "aud" claim in received ID tokens from the OP.
	ClientID string
	// Issuer is the OP's issuer URI for performing OIDC authorization and
	// discovery.
	Issuer string
	// Scopes is the list of scopes to send to the OP in the initial
	// authorization request.
	Scopes []string
	// RedirectURIs is the list of authorized redirect URIs that can be
	// redirected to by the OP after the user completes the authorization code
	// flow exchange. Ensure that your OIDC application is configured to accept
	// these URIs otherwise an error may occur.
	RedirectURIs []string
	// GQSign denotes if the received ID token should be upgraded to a GQ token
	// using GQ signatures.
	GQSign bool
	// OpenBrowser denotes if the client's default browser should be opened
	// automatically when performing the OIDC authorization flow. This value
	// should typically be set to true, unless performing some headless
	// automation (e.g. integration tests) where you don't want the browser to
	// open.
	OpenBrowser bool
	// HttpClient is the http.Client to use when making queries to the OP (OIDC
	// code exchange, refresh, verification of ID token, fetch of JWKS endpoint,
	// etc.). If nil, then http.DefaultClient is used.
	HttpClient *http.Client
	// IssuedAtOffset configures the offset to add when validating the "iss" and
	// "exp" claims of received ID tokens from the OP.
	IssuedAtOffset time.Duration
	// TenantID is the GUID of the Azure tenant/organization. Azure has a
	// different issuer URI for each tenant. Users that are not part of an Azure
	// organization, which Microsoft nicknames "consumers", have a default
	// tenant ID of "9188040d-6c67-4c5b-b112-36a304b66dad".
	// More details can be found at
	// https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens
	TenantID string
}

AzureOptions is an options struct that configures how providers.AzureOp operates. See providers.GetDefaultAzureOpOptions for the recommended default values to use when interacting with Azure as the OpenIdProvider.

func GetDefaultAzureOpOptions

func GetDefaultAzureOpOptions() *AzureOptions

type BrowserOpenIdProvider

type BrowserOpenIdProvider interface {
	OpenIdProvider
	ClientID() string
	HookHTTPSession(h http.HandlerFunc)
	RefreshTokens(ctx context.Context, refreshToken []byte) (*simpleoidc.Tokens, error)
	VerifyRefreshedIDToken(ctx context.Context, origIdt []byte, reIdt []byte) error
	ReuseBrowserWindowHook(chan string)
}

func NewAzureOp

func NewAzureOp() BrowserOpenIdProvider

NewAzureOp creates an Azure OP (OpenID Provider) using the default configuration options. It uses the OIDC Relying Party (Client) set up by the OpenPubkey project.

func NewAzureOpWithOptions

func NewAzureOpWithOptions(opts *AzureOptions) BrowserOpenIdProvider

NewAzureOpWithOptions creates an Azure OP with configuration specified using an options struct. This is useful if you want to use your own OIDC Client or override the configuration.

func NewGitlabOpWithOptions

func NewGitlabOpWithOptions(opts *GitlabOptions) BrowserOpenIdProvider

func NewGoogleOp

func NewGoogleOp() BrowserOpenIdProvider

NewGoogleOp creates a Google OP (OpenID Provider) using the default configuration options. It uses the OIDC Relying Party (Client) set up by the OpenPubkey project.

func NewGoogleOpWithOptions

func NewGoogleOpWithOptions(opts *GoogleOptions) BrowserOpenIdProvider

NewGoogleOpWithOptions creates a Google OP with configuration specified using an options struct. This is useful if you want to use your own OIDC Client or override the configuration.

type CommitType

type CommitType struct {
	Claim        string
	GQCommitment bool
}

type Config

type Config interface {
	// ClientID returns the registered client identifier that is valid at the OP
	// issuer
	ClientID() string
	// Issuer returns the OP's issuer URL identifier
	Issuer() string
}

Config declares the minimal interface for an OP (OpenID provider) config. It provides methods to get configuration values for a specific OIDC client implementation.

type DefaultProviderVerifier

type DefaultProviderVerifier struct {
	// contains filtered or unexported fields
}

func NewProviderVerifier

func NewProviderVerifier(issuer string, options ProviderVerifierOpts) *DefaultProviderVerifier

NewProviderVerifier creates a new ProviderVerifier with the required fields:

issuer: the OpenID provider issuer as seen in the ID token, e.g. "https://accounts.google.com"

commitmentClaim: the ID token payload claim name where the cicHash was stored during issuance

func (*DefaultProviderVerifier) Issuer

func (v *DefaultProviderVerifier) Issuer() string

func (*DefaultProviderVerifier) VerifyIDToken

func (v *DefaultProviderVerifier) VerifyIDToken(ctx context.Context, idToken []byte, cic *clientinstance.Claims) error

type GithubOp

type GithubOp struct {
	// contains filtered or unexported fields
}

func NewGithubOp

func NewGithubOp(tokenURL string, token string) *GithubOp

func NewGithubOpFromEnvironment

func NewGithubOpFromEnvironment() (*GithubOp, error)

func (*GithubOp) Issuer

func (g *GithubOp) Issuer() string

func (*GithubOp) PublicKeyByKeyId

func (g *GithubOp) PublicKeyByKeyId(ctx context.Context, keyID string) (*discover.PublicKeyRecord, error)

func (*GithubOp) PublicKeyByToken

func (g *GithubOp) PublicKeyByToken(ctx context.Context, token []byte) (*discover.PublicKeyRecord, error)

func (*GithubOp) RequestTokens

func (g *GithubOp) RequestTokens(ctx context.Context, cic *clientinstance.Claims) (*simpleoidc.Tokens, error)

func (*GithubOp) VerifyIDToken

func (g *GithubOp) VerifyIDToken(ctx context.Context, idt []byte, cic *clientinstance.Claims) error

type GitlabOp

type GitlabOp struct {
	// contains filtered or unexported fields
}

func NewGitlabOp

func NewGitlabOp(issuer string, tokenEnvVar string) *GitlabOp

func NewGitlabOpFromEnvironment

func NewGitlabOpFromEnvironment(tokenEnvVar string) *GitlabOp

func NewGitlabOpFromEnvironmentDefault

func NewGitlabOpFromEnvironmentDefault() *GitlabOp

func (*GitlabOp) Issuer

func (g *GitlabOp) Issuer() string

func (*GitlabOp) PublicKeyByKeyId

func (g *GitlabOp) PublicKeyByKeyId(ctx context.Context, keyID string) (*discover.PublicKeyRecord, error)

func (*GitlabOp) PublicKeyByToken

func (g *GitlabOp) PublicKeyByToken(ctx context.Context, token []byte) (*discover.PublicKeyRecord, error)

func (*GitlabOp) RequestTokens

func (g *GitlabOp) RequestTokens(ctx context.Context, cic *clientinstance.Claims) (*simpleoidc.Tokens, error)

func (*GitlabOp) VerifyIDToken

func (g *GitlabOp) VerifyIDToken(ctx context.Context, idt []byte, cic *clientinstance.Claims) error

type GitlabOptions

type GitlabOptions struct {
	// ClientID is the client ID of the OIDC application. It should be the
	// expected "aud" claim in received ID tokens from the OP.
	ClientID string
	// ClientSecret is the client secret of the OIDC application. Some OPs do
	// not require that this value is set.
	ClientSecret string
	// Issuer is the OP's issuer URI for performing OIDC authorization and
	// discovery.
	Issuer string
	// Scopes is the list of scopes to send to the OP in the initial
	// authorization request.
	Scopes []string
	// RedirectURIs is the list of authorized redirect URIs that can be
	// redirected to by the OP after the user completes the authorization code
	// flow exchange. Ensure that your OIDC application is configured to accept
	// these URIs otherwise an error may occur.
	RedirectURIs []string
	// GQSign denotes if the received ID token should be upgraded to a GQ token
	// using GQ signatures.
	GQSign bool
	// OpenBrowser denotes if the client's default browser should be opened
	// automatically when performing the OIDC authorization flow. This value
	// should typically be set to true, unless performing some headless
	// automation (e.g. integration tests) where you don't want the browser to
	// open.
	OpenBrowser bool
	// HttpClient is the http.Client to use when making queries to the OP (OIDC
	// code exchange, refresh, verification of ID token, fetch of JWKS endpoint,
	// etc.). If nil, then http.DefaultClient is used.
	HttpClient *http.Client
	// IssuedAtOffset configures the offset to add when validating the "iss" and
	// "exp" claims of received ID tokens from the OP.
	IssuedAtOffset time.Duration
}

func GetDefaultGitlabOpOptions

func GetDefaultGitlabOpOptions() *GitlabOptions

type GoogleOp

type GoogleOp = StandardOp

type GoogleOptions

type GoogleOptions struct {
	// ClientID is the client ID of the OIDC application. It should be the
	// expected "aud" claim in received ID tokens from the OP.
	ClientID string
	// ClientSecret is the client secret of the OIDC application. Some OPs do
	// not require that this value is set.
	ClientSecret string
	// Issuer is the OP's issuer URI for performing OIDC authorization and
	// discovery.
	Issuer string
	// Scopes is the list of scopes to send to the OP in the initial
	// authorization request.
	Scopes []string
	// RedirectURIs is the list of authorized redirect URIs that can be
	// redirected to by the OP after the user completes the authorization code
	// flow exchange. Ensure that your OIDC application is configured to accept
	// these URIs otherwise an error may occur.
	RedirectURIs []string
	// GQSign denotes if the received ID token should be upgraded to a GQ token
	// using GQ signatures.
	GQSign bool
	// OpenBrowser denotes if the client's default browser should be opened
	// automatically when performing the OIDC authorization flow. This value
	// should typically be set to true, unless performing some headless
	// automation (e.g. integration tests) where you don't want the browser to
	// open.
	OpenBrowser bool
	// HttpClient is the http.Client to use when making queries to the OP (OIDC
	// code exchange, refresh, verification of ID token, fetch of JWKS endpoint,
	// etc.). If nil, then http.DefaultClient is used.
	HttpClient *http.Client
	// IssuedAtOffset configures the offset to add when validating the "iss" and
	// "exp" claims of received ID tokens from the OP.
	IssuedAtOffset time.Duration
}

GoogleOptions is an options struct that configures how providers.GoogleOp operates. See providers.GetDefaultGoogleOpOptions for the recommended default values to use when interacting with Google as the OpenIdProvider.

func GetDefaultGoogleOpOptions

func GetDefaultGoogleOpOptions() *GoogleOptions

type MockProvider

type MockProvider struct {
	// contains filtered or unexported fields
}

func NewMockProvider

NewMockProvider creates a new mock provider with a random signing key and a random key ID. It returns the provider, the mock backend, and the ID token template. Tests can use the mock backend to look up keys issued by the mock provider. Tests can use the ID token template to create ID tokens and test the provider's behavior when verifying incorrectly set ID Tokens.

func (*MockProvider) ClientID

func (m *MockProvider) ClientID() string

func (*MockProvider) Issuer

func (m *MockProvider) Issuer() string

func (*MockProvider) PublicKeyByKeyId

func (m *MockProvider) PublicKeyByKeyId(ctx context.Context, keyID string) (*discover.PublicKeyRecord, error)

func (*MockProvider) PublicKeyByToken

func (m *MockProvider) PublicKeyByToken(ctx context.Context, token []byte) (*discover.PublicKeyRecord, error)

func (*MockProvider) RefreshTokens

func (m *MockProvider) RefreshTokens(ctx context.Context, _ []byte) (*simpleoidc.Tokens, error)

func (*MockProvider) RequestTokens

func (m *MockProvider) RequestTokens(ctx context.Context, cic *clientinstance.Claims) (*simpleoidc.Tokens, error)

func (*MockProvider) VerifyIDToken

func (m *MockProvider) VerifyIDToken(ctx context.Context, idt []byte, cic *clientinstance.Claims) error

func (*MockProvider) VerifyRefreshedIDToken

func (m *MockProvider) VerifyRefreshedIDToken(ctx context.Context, origIdt []byte, reIdt []byte) error

type MockProviderOpts

type MockProviderOpts struct {
	Issuer     string
	ClientID   string
	GQSign     bool
	NumKeys    int
	CommitType CommitType
	// We keep VerifierOpts as a variable separate to let us test failures
	// where the mock op does something which causes a verification failure
	VerifierOpts ProviderVerifierOpts
}

func DefaultMockProviderOpts

func DefaultMockProviderOpts() MockProviderOpts

type NonRefreshableOp

type NonRefreshableOp struct {
	// contains filtered or unexported fields
}

NonRefreshableOp is a mock provider that does not support refresh.

func NewNonRefreshableOp

func NewNonRefreshableOp(op *MockProvider) *NonRefreshableOp

func (*NonRefreshableOp) Issuer

func (nro *NonRefreshableOp) Issuer() string

func (*NonRefreshableOp) PublicKeyByKeyId

func (nro *NonRefreshableOp) PublicKeyByKeyId(ctx context.Context, keyID string) (*discover.PublicKeyRecord, error)

func (*NonRefreshableOp) PublicKeyByToken

func (nro *NonRefreshableOp) PublicKeyByToken(ctx context.Context, token []byte) (*discover.PublicKeyRecord, error)

func (*NonRefreshableOp) RequestTokens

func (nro *NonRefreshableOp) RequestTokens(ctx context.Context, cic *clientinstance.Claims) (*simpleoidc.Tokens, error)

func (*NonRefreshableOp) VerifyIDToken

func (nro *NonRefreshableOp) VerifyIDToken(ctx context.Context, idt []byte, cic *clientinstance.Claims) error

type OpenIdProvider

type OpenIdProvider interface {
	RequestTokens(ctx context.Context, cic *clientinstance.Claims) (*simpleoidc.Tokens, error)
	PublicKeyByKeyId(ctx context.Context, keyID string) (*discover.PublicKeyRecord, error)
	PublicKeyByToken(ctx context.Context, token []byte) (*discover.PublicKeyRecord, error)
	// Returns the OpenID provider issuer as seen in ID token e.g. "https://accounts.google.com"
	Issuer() string
	VerifyIDToken(ctx context.Context, idt []byte, cic *clientinstance.Claims) error
}

OpenIdProvider is the interface for interacting with an OP (OpenID Provider) that only returns an ID Token.

type ProviderVerifierOpts

type ProviderVerifierOpts struct {
	// If ClientID is specified, then verification will require that the ClientID
	// be present in the audience ("aud") claim of the PK token payload
	ClientID string
	// Describes the place where the cicHash is committed to in the ID token,
	// for instance the nonce payload claim name where the cicHash was stored during issuance.
	CommitType CommitType
	// Specifies whether to skip the Client ID check, defaults to false
	SkipClientIDCheck bool
	// Custom function for discovering public key of Provider
	DiscoverPublicKey *discover.PublicKeyFinder
	// Only allows GQ signatures, a provider signature under any other algorithm
	// is seen as an error
	GQOnly bool
}
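To show what the ClientID, SkipClientIDCheck and CommitType options mean when a verifier applies them, here is an added example, not the package's DefaultProviderVerifier, that checks the two payload-level commitments the page names (CommitTypesEnum.NONCE_CLAIM and CommitTypesEnum.AUD_CLAIM). It takes the already signature-verified JSON payload of an ID token; the CommitType and VerifierOpts types are stripped-down mirrors of the page's structs, the payload in main is constructed, and GQ-bound commitments (GQCommitment=true) are deliberately refused because their commitment is carried by the GQ signature rather than by the OP-signed payload, which is outside what this example parses.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// CommitType mirrors the page's struct: Claim names the payload claim that
// carries the cicHash. GQ-bound commitments (GQCommitment=true) are carried
// by the GQ signature, not the OP-signed payload, and are not handled here.
type CommitType struct {
	Claim        string
	GQCommitment bool
}

// VerifierOpts is the subset of ProviderVerifierOpts this example exercises.
type VerifierOpts struct {
	ClientID          string
	CommitType        CommitType
	SkipClientIDCheck bool
}

// audienceValues normalises "aud", which RFC 7519 allows to be either a
// single string or an array of strings.
func audienceValues(v any) ([]string, error) {
	switch a := v.(type) {
	case string:
		return []string{a}, nil
	case []any:
		out := make([]string, 0, len(a))
		for _, e := range a {
			s, ok := e.(string)
			if !ok {
				return nil, errors.New("aud array contains a non-string")
			}
			out = append(out, s)
		}
		return out, nil
	}
	return nil, fmt.Errorf("aud claim missing or of unsupported type %T", v)
}

func containsString(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// checkCommitment takes the decoded JSON payload of an ID token whose OP
// signature is assumed to be verified already, and enforces: "aud" must
// contain ClientID unless SkipClientIDCheck is set, and the commitment claim
// must carry cicHash exactly (a prefix or substring match would not do).
func checkCommitment(payload []byte, cicHash string, opts VerifierOpts) error {
	if opts.CommitType.GQCommitment {
		return errors.New("GQ-bound commitments are outside this example")
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return fmt.Errorf("parse payload: %w", err)
	}
	if !opts.SkipClientIDCheck {
		auds, err := audienceValues(claims["aud"])
		if err != nil {
			return err
		}
		if !containsString(auds, opts.ClientID) {
			return fmt.Errorf("aud %v does not contain client ID %q", auds, opts.ClientID)
		}
	}
	switch opts.CommitType.Claim {
	case "nonce":
		if got, _ := claims["nonce"].(string); got != cicHash {
			return errors.New("nonce claim does not equal cicHash")
		}
	case "aud":
		auds, err := audienceValues(claims["aud"])
		if err != nil {
			return err
		}
		if !containsString(auds, cicHash) {
			return errors.New("aud claim does not carry cicHash")
		}
	default:
		return fmt.Errorf("unsupported commitment claim %q", opts.CommitType.Claim)
	}
	return nil
}

func main() {
	// Constructed payload, not a token from any real OP.
	payload := []byte(`{"iss":"https://accounts.google.com","aud":"client-123","nonce":"cic-hash-abc"}`)
	opts := VerifierOpts{ClientID: "client-123", CommitType: CommitType{Claim: "nonce"}}
	fmt.Println("valid:", checkCommitment(payload, "cic-hash-abc", opts))
	fmt.Println("wrong cicHash:", checkCommitment(payload, "other", opts))
}
```

Note the interplay the options create: with an aud commitment and SkipClientIDCheck left false, "aud" has to carry both the client ID and the cicHash, which only an array-valued audience can satisfy; a provider whose tokens commit through "aud" with a single string audience is the case SkipClientIDCheck exists for.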

type RefreshableOpenIdProvider

type RefreshableOpenIdProvider interface {
	OpenIdProvider
	RefreshTokens(ctx context.Context, refreshToken []byte) (*simpleoidc.Tokens, error)
	VerifyRefreshedIDToken(ctx context.Context, origIdt []byte, reIdt []byte) error
}

RefreshableOpenIdProvider is the interface for an OpenIdProvider that returns an ID Token, Refresh Token and Access Token.

type StandardOp

type StandardOp struct {
	Scopes         []string
	RedirectURIs   []string
	GQSign         bool
	OpenBrowser    bool
	HttpClient     *http.Client
	IssuedAtOffset time.Duration
	// contains filtered or unexported fields
}

func (*StandardOp) ClientID

func (s *StandardOp) ClientID() string

func (*StandardOp) HookHTTPSession

func (s *StandardOp) HookHTTPSession(h http.HandlerFunc)

HookHTTPSession provides a means to hook the HTTP server session that results from the OpenID Provider sending an authcode to the OIDC client by redirecting the user's browser with the authcode supplied in the URI. If this hook is set, it will be called after the authcode is received but before an HTTP response is sent to the user. The code which sets this hook can choose what HTTP response to serve to the user.

We use this so that we can redirect the user web browser window to the MFA Cosigner URI after the user finishes the OIDC Auth flow. This method is only available to browser based providers.
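The redirect-endpoint contract described above, as an added example that is not the package's StandardOp code: a loopback callback handler that receives the authcode, hands it to the waiting login flow, and then either calls the hook to choose the response (here, a redirect to a constructed MFA cosigner URL) or serves a plain confirmation page. The OAuth "state" check against the value generated when the flow started is a standard CSRF defence added here as an assumption; the page does not describe the package's own state handling. The request in main is constructed.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// AuthCodeResult is what the redirect handler hands back to the waiting
// login flow, which then exchanges Code for tokens.
type AuthCodeResult struct {
	Code string
	Err  error
}

// newRedirectHandler returns the handler served at the registered redirect
// URI. It validates the OAuth "state" parameter against the value generated
// when the flow started (assumed CSRF defence), delivers the authcode on
// resultCh, and then lets the optional hook decide what the browser sees,
// mirroring the HookHTTPSession contract: the hook runs after the authcode
// is received and before any response is written. Without a hook a plain
// confirmation page is served. resultCh should be buffered or read
// concurrently by the flow, otherwise the handler blocks on delivery.
func newRedirectHandler(expectedState string, resultCh chan<- AuthCodeResult, hook http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		// Constant-time compare so the check does not leak state bytes via
		// timing. A mismatch is answered but never delivered to the flow, so
		// a stray or forged request cannot abort or hijack a genuine login.
		if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
			http.Error(w, "state mismatch", http.StatusBadRequest)
			return
		}
		if e := q.Get("error"); e != "" {
			http.Error(w, "authorization failed", http.StatusBadRequest)
			resultCh <- AuthCodeResult{Err: fmt.Errorf("OP returned error %q", e)}
			return
		}
		code := q.Get("code")
		if code == "" {
			http.Error(w, "missing code", http.StatusBadRequest)
			return
		}
		resultCh <- AuthCodeResult{Code: code}
		if hook != nil {
			hook(w, r) // e.g. send the browser on to an MFA cosigner page
			return
		}
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		fmt.Fprintln(w, "Login complete. You may close this window.")
	}
}

func main() {
	results := make(chan AuthCodeResult, 1)
	// Hook that redirects the browser to a constructed MFA cosigner URL.
	hook := func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "http://localhost:5555/mfa-cosigner?placeholder=1", http.StatusFound)
	}
	h := newRedirectHandler("state-xyz", results, hook)
	// Constructed redirect request, shaped like the OP's browser redirect.
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest("GET", "/login-callback?code=abc123&state=state-xyz", nil))
	fmt.Println("status:", rec.Code, "location:", rec.Header().Get("Location"))
	fmt.Printf("flow received: %+v\n", <-results)
}
```

Because the hook receives the live ResponseWriter and Request, it can do anything the default page could, but it is also the only place that decides the final response, so a hook that returns without writing leaves the browser with an empty 200.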

func (*StandardOp) Issuer

func (s *StandardOp) Issuer() string

func (*StandardOp) PublicKeyByKeyId

func (s *StandardOp) PublicKeyByKeyId(ctx context.Context, keyID string) (*discover.PublicKeyRecord, error)

func (*StandardOp) PublicKeyByToken

func (s *StandardOp) PublicKeyByToken(ctx context.Context, token []byte) (*discover.PublicKeyRecord, error)

func (*StandardOp) RefreshTokens

func (s *StandardOp) RefreshTokens(ctx context.Context, refreshToken []byte) (*simpleoidc.Tokens, error)

func (*StandardOp) RequestTokens

func (s *StandardOp) RequestTokens(ctx context.Context, cic *clientinstance.Claims) (*simpleoidc.Tokens, error)

func (*StandardOp) ReuseBrowserWindowHook

func (s *StandardOp) ReuseBrowserWindowHook(h chan string)

ReuseBrowserWindowHook is needed so that we do not open more than one browser window. If we are using a web based OpenID Provider chooser, we have already opened one window in the user's browser. We should reuse that window here rather than opening a second browser window.

func (*StandardOp) TriggerBrowserWindowHook

func (s *StandardOp) TriggerBrowserWindowHook(uri string)

GetBrowserWindowHook is used by tests to trigger the redirect without calling out to the OP. It is hidden by not being included in the interface.

func (*StandardOp) VerifyIDToken

func (s *StandardOp) VerifyIDToken(ctx context.Context, idt []byte, cic *clientinstance.Claims) error

func (*StandardOp) VerifyRefreshedIDToken

func (s *StandardOp) VerifyRefreshedIDToken(ctx context.Context, origIdt []byte, reIdt []byte) error
