Documentation
¶
Index ¶
- Constants
- Variables
- func CreateCodeChallenge(codeChallengeMethod, codeVerifier string) string
- func CreateCodeVerifier() (string, error)
- func ExtractJTI(dPopJWT string) (string, error)
- func ValidatePKCE(codeVerifier, codeChallenge, codeChallengeMethod string) error
- type AuthorizationServerMetadata
- type Client
- type ClientMetadata
- type Clients
- type DPoP
- func (c *DPoP) IsAccessTokenDPoP(token string) bool
- func (d *DPoP) Unmarshal(claims jwt.MapClaims) error
- func (d *DPoP) Validate() error
- func (d *DPoP) ValidateHTM() error
- func (d *DPoP) ValidateHTU() error
- func (d *DPoP) ValidateIAT() error
- func (d *DPoP) ValidateIATWithWindow(maxAge, clockSkew time.Duration) error
- func (d *DPoP) ValidateJTI() error
- func (d *DPoP) ValidateWithWindow(maxAge, clockSkew time.Duration) error
- type MetadataConfig
Examples ¶
Constants ¶
View Source
const ( ClientTypePublic = "public" ClientTypeConfidential = "confidential" )
ClientType constants for OAuth2 client types per RFC 6749 Section 2.1
View Source
const ( DefaultMaxAge = 60 * time.Second DefaultClockSkew = 5 * time.Second )
View Source
const ( // CodeChallengeMethodPlain no hash transformation CodeChallengeMethodPlain = "plain" // CodeChallengeMethodS256 SHA256 hash transformation CodeChallengeMethodS256 = "S256" )
Variables ¶
View Source
var ( ErrInvalidJTI = errors.New("invalid JTI: must be at least 12 characters") ErrMissingJTI = errors.New("missing required JTI claim") ErrJTIReplay = errors.New("JTI has already been used (replay attack detected)") ErrMissingHTM = errors.New("missing required HTM claim") ErrInvalidHTM = errors.New("invalid HTM: must be a valid HTTP method") ErrMissingHTU = errors.New("missing required HTU claim") ErrInvalidTokenType = errors.New("invalid token type: must be 'dpop+jwt'") ErrMissingJWK = errors.New("missing JWK in token header") ErrMissingIAT = errors.New("missing required IAT claim") ErrInvalidIAT = errors.New("invalid IAT: timestamp is malformed") ErrTokenTooOld = errors.New("token IAT is too old") ErrTokenFromFuture = errors.New("token IAT is in the future") ErrTokenExpired = errors.New("token has expired") )
View Source
var ( ErrInvalidClient = errors.New("invalid client") // 400 Bad Request ErrPKCERequired = errors.New("code_verifier required for public client") )
View Source
var ( // ErrInvalidRequest indicates invalid request parameters ErrInvalidRequest = errors.New("invalid_request") // ErrInvalidGrant indicates invalid grant ErrInvalidGrant = errors.New("invalid_grant") )
Functions ¶
func CreateCodeChallenge ¶
CreateCodeChallenge creates a code challenge. 4.2 Client Creates a Code Challenge
Example ¶
package main
import (
"fmt"
"github.com/SUNET/vc/pkg/oauth2"
)
func main() {
// Using a known verifier for deterministic output (S256 method)
verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
challenge := oauth2.CreateCodeChallenge(oauth2.CodeChallengeMethodS256, verifier)
fmt.Println("challenge:", challenge)
}
Output: challenge: E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
Example (Plain) ¶
package main
import (
"fmt"
"github.com/SUNET/vc/pkg/oauth2"
)
func main() {
verifier := "my-plain-verifier"
challenge := oauth2.CreateCodeChallenge(oauth2.CodeChallengeMethodPlain, verifier)
fmt.Println("challenge:", challenge)
}
Output: challenge: my-plain-verifier
func CreateCodeVerifier ¶
CreateCodeVerifier creates a code verifier. 4.1 Client Creates a Code Verifier
func ExtractJTI ¶
ExtractJTI quickly extracts the JTI claim from a DPoP JWT without full validation This allows services to check for replay attacks before performing expensive validation
func ValidatePKCE ¶
ValidatePKCE validates the code verifier against the code challenge
Example ¶
package main
import (
"fmt"
"github.com/SUNET/vc/pkg/oauth2"
)
func main() {
verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
challenge := oauth2.CreateCodeChallenge(oauth2.CodeChallengeMethodS256, verifier)
err := oauth2.ValidatePKCE(verifier, challenge, oauth2.CodeChallengeMethodS256)
fmt.Println("valid:", err == nil)
err = oauth2.ValidatePKCE("wrong-verifier", challenge, oauth2.CodeChallengeMethodS256)
fmt.Println("invalid:", err)
}
Output: valid: true invalid: invalid_grant
Types ¶
type AuthorizationServerMetadata ¶
type AuthorizationServerMetadata struct {
// Issuer REQUIRED. The authorization server's issuer identifier, which is a URL that uses the "https" scheme and has no query or fragment components. Authorization server metadata is published at a location that is ".well-known" according to RFC 5785 [RFC5785] derived from this issuer identifier, as described in Section 3. The issuer identifier is used to prevent authorization server mix- up attacks, as described in "OAuth 2.0 Mix-Up Mitigation".
Issuer string `json:"issuer" validate:"required"`
// AuthorizationEndpoint URL of the authorization server's authorization endpoint [RFC6749]. This is REQUIRED unless no grant types are supported that use the authorization endpoint.
AuthorizationEndpoint string `json:"authorization_endpoint" validate:"required"`
// TokenEndpoint URL of the authorization server's token endpoint [RFC6749]. This is REQUIRED unless only the implicit grant type is supported.
TokenEndpoint string `json:"token_endpoint" validate:"required"`
// JWKSURI OPTIONAL. URL of the authorization server's JWK Set [JWK] document. The referenced document contains the signing key(s) the client uses to validate signatures from the authorization server. This URL MUST use the "https" scheme. The JWK Set MAY also contain the server's encryption key or keys, which are used by clients to encrypt requests to the server. When both signing and encryption keys are made available, a "use" (public key use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
JWKSURI string `json:"jwks_uri,omitempty"`
// RegistrationEndpoint OPTIONAL. URL of the authorization server's OAuth 2.0 Dynamic Client Registration endpoint [RFC7591].
RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
//ScopesSupported RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] "scope" values that this authorization server supports. Servers MAY choose not to advertise some supported scope values even when this parameter is used.
ScopesSupported []string `json:"scopes_supported,omitempty"`
// ResponseTypesSupported REQUIRED. JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports. The array values used are the same as those used with the "response_types" parameter defined by "OAuth 2.0 Dynamic Client Registration Protocol" [RFC7591].
ResponseTypesSupported []string `json:"response_types_supported" validate:"required"`
//response_modes_supported OPTIONAL. JSON array containing a list of the OAuth 2.0 "response_mode" values that this authorization server supports, as specified in "OAuth 2.0 Multiple Response Type Encoding Practices" [OAuth.Responses]. If omitted, the default is "["query","fragment"]". The response mode value "form_post" is also defined in "OAuth 2.0 Form Post Response Mode" [OAuth.Post].
ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
// grant_types_supported OPTIONAL. JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports. The array values used are the same as those used with the "grant_types" parameter defined by "OAuth 2.0 Dynamic Client Registration Protocol" [RFC7591]. If omitted, the default value is "["authorization_code", "implicit"]".
GrantTypesSupported []string `json:"grant_types_supported,omitempty"`
// TokenEndpointAuthMethodsSupported OPTIONAL. JSON array containing a list of client authentication methods supported by this token endpoint. Client authentication method values are used in the "token_endpoint_auth_method" parameter defined in Section 2 of [RFC7591]. If omitted, the default is "client_secret_basic" -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
// TokenEndpointAuthSigningALGValuesSupported OPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the token endpoint for the signature on the JWT [JWT] used to authenticate the client at the token endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if either of these authentication methods are specified in the "token_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is omitted. Servers SHOULD support "RS256". The value "none" MUST NOT be used.
TokenEndpointAuthSiningALGValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
// ServiceDocumentation OPTIONAL. URL of a page containing human-readable information that developers might want or need to know when using the authorization server. In particular, if the authorization server does not support Dynamic Client Registration, then information on how to register clients needs to be provided in this documentation.
ServiceDocumentation string `json:"service_documentation,omitempty"`
// ui_locales_supported OPTIONAL. Languages and scripts supported for the user interface, represented as a JSON array of language tag values from BCP 47 [RFC5646]. If omitted, the set of supported languages and scripts is unspecified.
UILocalesSupported []string `json:"ui_locales_supported,omitempty"`
// OPPolicyUri OPTIONAL. URL that the authorization server provides to the person registering the client to read about the authorization server's requirements on how the client can use the data provided by the authorization server. The registration process SHOULD display this URL to the person registering the client if it is given. As described in Section 5, despite the identifier "op_policy_uri" appearing to be OpenID-specific, its usage in this specification is actually referring to a general OAuth 2.0 feature that is not specific to OpenID Connect.
OPPolicyURI string `json:"op_policy_uri,omitempty"`
//OPTOSURI OPTIONAL. URL that the authorization server provides to the person registering the client to read about the authorization server's terms of service. The registration process SHOULD display this URL to the person registering the client if it is given. As described in Section 5, despite the identifier "op_tos_uri", appearing to be OpenID-specific, its usage in this specification is actually referring to a general OAuth 2.0 feature that is not specific to OpenID Connect.
OPTOSURI string `json:"op_tos_uri,omitempty"`
// revocation_endpoint OPTIONAL. URL of the authorization server's OAuth 2.0 revocation endpoint [RFC7009].
RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
//RevocationEndpointAuthMethodsSupported OPTIONAL. JSON array containing a list of client authentication methods supported by this revocation endpoint. The valid client authentication method values are those registered in the IANA "OAuth Token Endpoint Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic" -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
RevocationEndpointAuthMethodsSupported []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`
//RevocationEndpointAuthSigningALGValuesSupported OPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
RevocationEndpointAuthSigningALGValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
//IntrospectionEndpoint OPTIONAL. URL of the authorization server's OAuth 2.0 introspection endpoint [RFC7662].
IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
//IntrospectionEndpointAuthMethodsSupported OPTIONAL. JSON array containing a list of client authentication methods supported by this introspection endpoint. The valid client authentication method values are those registered in the IANA "OAuth Token Endpoint Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access Token Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.) If omitted, the set of supported authentication methods MUST be determined by other means.
IntrospectionEndpointAuthMethodsSupported []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`
// IntrospectionEndpointAuthSigningALGValuesSupported OPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if either of these authentication methods are specified in the "introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
IntrospectionEndpointAuthSigningALGValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
// CodeChallengeMethodsSupported OPTIONAL. JSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported by this authorization server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section 4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support PKCE.
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
SignedMetadata string `json:"signed_metadata,omitempty"`
// PushedAuthorizationRequestEndpoint from GUNET issuer
PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint,omitempty"`
// require_pushed_authorization_requests from GUNET issuer
RequiredPushedAuthorizationRequests bool `json:"require_pushed_authorization_requests,omitempty"`
// DPOPSigningALGValuesSupported from GUNET issuer
DPOPSigningALGValuesSupported []string `json:"dpop_signing_alg_values_supported,omitempty"`
// PreAuthorizedGrantAnonymousAccessSupported OPTIONAL OPTIONAL. A boolean indicating whether the Credential Issuer accepts a Token Request with a Pre-Authorized Code but without a client_id. The default is false.
PreAuthorizedGrantAnonymousAccessSupported bool `json:"pre-authorized_grant_anonymous_access_supported,omitempty"`
}
func GenerateMetadata ¶
func GenerateMetadata(cfg *MetadataConfig) *AuthorizationServerMetadata
GenerateMetadata creates OAuth2 Authorization Server Metadata from configuration. This eliminates the need for separate JSON files and ensures all options are derived from configuration.
func (*AuthorizationServerMetadata) Marshal ¶
func (c *AuthorizationServerMetadata) Marshal() (jwt.MapClaims, error)
func (*AuthorizationServerMetadata) Sign ¶
func (c *AuthorizationServerMetadata) Sign(ctx context.Context, signer pki.Signer, x5c []string) (*AuthorizationServerMetadata, error)
Sign creates a signed JWT of the metadata using pki.Signer. The pki.Signer interface supports both software keys and HSM.
type Client ¶
type Client struct {
// Type is the client type per RFC 6749 Section 2.1 ("public" or "confidential").
// Defaults to "public" since registered clients are wallets (native/web apps)
// that cannot securely store credentials and rely on PKCE instead.
Type string `json:"type" yaml:"type" validate:"required,oneof=public confidential" default:"public"`
// RedirectURI is the allowed redirect URI for the client
RedirectURI string `json:"redirect_uri" yaml:"redirect_uri" validate:"required" doc_example:"\"https://example.com/callback\""`
// Scopes is the list of OAuth2 scopes allowed for the client
Scopes []string `json:"scopes" yaml:"scopes" validate:"required"`
}
Client holds the configuration for a single OAuth2 client
type ClientMetadata ¶
type ClientMetadata struct {
// ClientID REQUIRED. OAuth 2.0 client identifier string.
ClientID string `json:"client_id" validate:"required"`
// ClientName OPTIONAL. Human-readable string name of the client to be presented to the end-user during authorization.
ClientName string `json:"client_name,omitempty"`
// ClientURI OPTIONAL. URL string of a web page providing information about the client.
ClientURI string `json:"client_uri,omitempty"`
// LogoURI OPTIONAL. URL string that references a logo for the client.
LogoURI string `json:"logo_uri,omitempty"`
// RedirectURIs REQUIRED. Array of redirection URI strings for use in redirect-based flows.
RedirectURIs []string `json:"redirect_uris,omitempty"`
// ResponseTypes OPTIONAL. JSON array containing a list of the OAuth 2.0 response_type values that the client will restrict itself to using.
ResponseTypes []string `json:"response_types,omitempty"`
// GrantTypes OPTIONAL. JSON array containing a list of the OAuth 2.0 grant types that the client will restrict itself to using.
GrantTypes []string `json:"grant_types,omitempty"`
// Scope OPTIONAL. String containing a space-separated list of scope values that the client can use when requesting access tokens.
Scope string `json:"scope,omitempty"`
// Contacts OPTIONAL. Array of strings representing ways to contact people responsible for this client, typically email addresses.
Contacts []string `json:"contacts,omitempty"`
// JWKSURI OPTIONAL. URL string referencing the client's JSON Web Key (JWK) Set document.
JWKSURI string `json:"jwks_uri,omitempty"`
// VPFormatsSupported OPTIONAL. Object defining the formats and algorithms the client (verifier) supports.
// Per OpenID4VP spec section on Verifier Metadata.
VPFormatsSupported *openid4vp.VPFormatsSupported `json:"vp_formats_supported,omitempty"`
// SignedMetadata OPTIONAL. A JWT containing the client metadata values as claims.
SignedMetadata string `json:"signed_metadata,omitempty"`
}
ClientMetadata represents OAuth 2.0 client metadata Extended for OpenID4VP with vp_formats_supported per https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-verifier-metadata-client-me
type Clients ¶
Clients maps client IDs to their OAuth2 client configuration
func (*Clients) Allow ¶
Allow validates the client request and returns the Client configuration if allowed. The caller can inspect the returned Client (e.g. Type) to enforce additional constraints.
Example ¶
package main
import (
"fmt"
"github.com/SUNET/vc/pkg/oauth2"
)
func main() {
clients := oauth2.Clients{
"wallet-app": &oauth2.Client{
Type: oauth2.ClientTypePublic,
RedirectURI: "https://wallet.example.com/callback",
Scopes: []string{"openid", "pid"},
},
}
client, err := clients.Allow("wallet-app", "https://wallet.example.com/callback", "openid")
if err != nil {
fmt.Println("error:", err)
return
}
fmt.Println("allowed type:", client.Type)
_, err = clients.Allow("wallet-app", "https://wallet.example.com/callback", "admin")
fmt.Println("disallowed scope:", err)
}
Output: allowed type: public disallowed scope: requested scope is not allowed for this client
func (*Clients) Get ¶
Get returns the Client for the given clientID, or an error if not found.
Example ¶
package main
import (
"fmt"
"github.com/SUNET/vc/pkg/oauth2"
)
func main() {
clients := oauth2.Clients{
"wallet-app": &oauth2.Client{
Type: oauth2.ClientTypePublic,
RedirectURI: "https://wallet.example.com/callback",
Scopes: []string{"openid", "pid"},
},
}
client, err := clients.Get("wallet-app")
if err != nil {
fmt.Println("error:", err)
return
}
fmt.Println("type:", client.Type)
fmt.Println("redirect_uri:", client.RedirectURI)
_, err = clients.Get("unknown")
fmt.Println("unknown client:", err)
}
Output: type: public redirect_uri: https://wallet.example.com/callback unknown client: client not found in config
type DPoP ¶
type DPoP struct {
// JTI Unique identifier for the DPoP proof JWT. The value MUST be assigned such that there is a negligible probability that the same value will be assigned to any other DPoP proof used in the same context during the time window of validity. Such uniqueness can be accomplished by encoding (base64url or any other suitable encoding) at least 96 bits of pseudorandom data or by using a version 4 Universally Unique Identifier (UUID) string according to [RFC4122]. The jti can be used by the server for replay detection and prevention; see Section 11.1.
JTI string `json:"jti" validate:"required"`
//HTM The value of the HTTP method (Section 9.1 of [RFC9110]) of the request to which the JWT is attached.¶
HTM string `json:"htm" validate:"required,oneof=POST GET PUT DELETE PATCH OPTIONS HEAD"`
// HTU The HTTP target URI (Section 7.1 of [RFC9110]) of the request to which the JWT is attached, without query and fragment parts.¶
HTU string `json:"htu" validate:"required,url"`
// IAT Creation timestamp of the JWT (Section 4.1.6 of [RFC7519]).¶
IAT int64 `json:"iat" validate:"required"`
// ATH Hash of the access token. The value MUST be the result of a base64url encoding (as defined in Section 2 of [RFC7515]) the SHA-256 [SHS] hash of the ASCII encoding of the associated access token's value.¶
ATH string `json:"ath"`
Thumbprint string `json:"thumbprint,omitempty"` // Optional, used for JWK thumbprint
JWK *jose.JWKWithMetadata `json:"jwk,omitempty"` // JWK claim, optional
}
func ValidateAndParseDPoPJWT ¶
func (*DPoP) IsAccessTokenDPoP ¶
func (*DPoP) ValidateHTM ¶
ValidateHTM validates the HTTP method claim
Example ¶
package main
import (
"fmt"
"github.com/SUNET/vc/pkg/oauth2"
)
func main() {
dpop := &oauth2.DPoP{HTM: "POST"}
fmt.Println("POST valid:", dpop.ValidateHTM() == nil)
dpop.HTM = "GET"
fmt.Println("GET valid:", dpop.ValidateHTM() == nil)
dpop.HTM = ""
fmt.Println("empty:", dpop.ValidateHTM())
}
Output: POST valid: true GET valid: true empty: missing required HTM claim
func (*DPoP) ValidateHTU ¶
ValidateHTU validates the HTTP URI claim
Example ¶
package main
import (
"fmt"
"github.com/SUNET/vc/pkg/oauth2"
)
func main() {
dpop := &oauth2.DPoP{HTU: "https://server.example.com/token"}
fmt.Println("valid HTU:", dpop.ValidateHTU() == nil)
dpop.HTU = ""
fmt.Println("empty:", dpop.ValidateHTU())
}
Output: valid HTU: true empty: missing required HTU claim
func (*DPoP) ValidateIAT ¶
ValidateIAT validates the issued-at timestamp claim Ensures the token is not too old and not from the future
func (*DPoP) ValidateIATWithWindow ¶
ValidateIATWithWindow validates IAT with custom time windows
func (*DPoP) ValidateJTI ¶
ValidateJTI validates the JTI claim for proper format and length
Example ¶
package main
import (
"fmt"
"time"
"github.com/SUNET/vc/pkg/oauth2"
)
func main() {
dpop := &oauth2.DPoP{
JTI: "abcdefghijklmnop",
HTM: "POST",
HTU: "https://server.example.com/token",
IAT: time.Now().Unix(),
}
err := dpop.ValidateJTI()
fmt.Println("valid JTI:", err == nil)
short := &oauth2.DPoP{JTI: "short"}
err = short.ValidateJTI()
fmt.Println("short JTI:", err)
}
Output: valid JTI: true short JTI: invalid JTI: must be at least 12 characters
type MetadataConfig ¶
MetadataConfig holds the configuration parameters needed to generate OAuth2 Authorization Server Metadata
Source Files
Click to show internal directories.
Click to hide internal directories.