Documentation ¶
Index ¶
- Constants
- Variables
- func Protect(discovery *oidc.Discovery, jwks *jwx.KeySet, opt *ProtectOpt) func(http.Handler) http.Handler
- type AccessToken
- type AccessTokenClaims
- type Authentication
- type Client
- type ConsentCallback
- type ErrorResponse
- type InteractionCallback
- type InteractionState
- type LoginCallback
- type OIDC
- type Option
- type ProtectOpt
- type SDK
- func (s *SDK) ConsentCallback(ctx context.Context, xid string, callback *ConsentCallback) (bool, error)
- func (s *SDK) ConsentState(ctx context.Context, xid string) (*InteractionState, error)
- func (s *SDK) Discovery() *oidc.Discovery
- func (s *SDK) LoginCallback(ctx context.Context, xid string, callback *LoginCallback) (bool, error)
- func (s *SDK) LoginState(ctx context.Context, xid string) (*InteractionState, error)
- func (s *SDK) Protect(opt *ProtectOpt) func(http.Handler) http.Handler
- func (s *SDK) ResumeAuthorize(rw http.ResponseWriter, r *http.Request, xid string)
- func (s *SDK) SelectAccountCallback(ctx context.Context, xid string, callback *SelectAccountCallback) (bool, error)
- func (s *SDK) SelectAccountState(ctx context.Context, xid string) (*InteractionState, error)
- func (s *SDK) TokenByClientCredentials(ctx context.Context, scopes []string) (*TokenResponse, error)
- func (s *SDK) TokenByCode(ctx context.Context, code string, redirectURI string, scopes []string) (*TokenResponse, error)
- func (s *SDK) TokenByRefreshToken(ctx context.Context, refreshToken string, scopes []string) (*TokenResponse, error)
- type ScopeData
- type SelectAccountCallback
- type Stub
- type TokenResponse
Constants ¶
const AccessTokenType = "Bearer"
const DefaultServiceBaseURL = "https://sso.elan-vision.com"
Variables ¶
var ( ErrAccessTokenNotSet = errors.New("access token not set on context") ErrMalformedAuthHeader = errors.New("authorization header is malformed") ErrInvalidAccessToken = errors.New("access token is invalid") ErrInsufficientScope = errors.New("insufficient scope") )
var ( // DefaultHTTPClient is the default http.Client used by the SDK if none is set. It uses a 10 second // timeout setting, does not follow redirects and skip TLS verification. DefaultHTTPClient = &http.Client{ Timeout: 10 * time.Second, CheckRedirect: func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse }, Transport: &http.Transport{ TLSClientConfig: &tls.Config{ InsecureSkipVerify: true, }, }, } // WithServiceBaseURL sets the base Tiga url used by the sdk. By default, // DefaultServiceBaseURL is used. WithServiceBaseURL = func(url string) Option { return func(sdk *SDK) { sdk.serviceBaseURL = strings.TrimSuffix(url, "/") } } // WithClientSecretBasic sets the client id and client secret on the sdk object. The sdk will // use client_secret_basic method when requesting token endpoint. WithClientSecretBasic = func(clientId string, clientSecret string) Option { return func(sdk *SDK) { sdk.clientId = clientId sdk.clientSecret = clientSecret sdk.authMethod = oidc.ClientSecretBasic } } // WithClientSecretPost sets the client id and client secret on the sdk object. The sdk will // use client_secret_post method when requesting token endpoint. WithClientSecretPost = func(clientId string, clientSecret string) Option { return func(sdk *SDK) { sdk.clientId = clientId sdk.clientSecret = clientSecret sdk.authMethod = oidc.ClientSecretPost } } // WithPrivateKeyJwt sets the client id, client jwks and the signature algorithm to use // to sign the client_assertion parameter. The sdk will use private_key_jwt method when // requesting token endpoint. WithPrivateKeyJwt = func(clientId string, clientJwks *jwx.KeySet, signingAlg string) Option { return func(sdk *SDK) { sdk.clientId = clientId sdk.clientJwks = clientJwks sdk.authSigAlg = signingAlg } } // WithClientJwks sets the client jwks for the sdk. WithClientJwks = func(clientJwks *jwx.KeySet) Option { return func(sdk *SDK) { sdk.clientJwks = clientJwks } } // WithHTTPClient set the http client used by the sdk to make http request. // By default, if nothing is set, the sdk uses a default http client with // 10 second timeout and skips tls verification. WithHTTPClient = func(httpClient *http.Client) Option { return func(sdk *SDK) { sdk.httpClient = httpClient } } )
var (
ErrContextTooLarge = errors.New("context data exceeds discovery limit")
)
var (
ErrUnexpectedResponse = errors.New("sdk received unexpected response")
)
Functions ¶
func Protect ¶
func Protect(discovery *oidc.Discovery, jwks *jwx.KeySet, opt *ProtectOpt) func(http.Handler) http.Handler
Protect returns a HTTP middleware to require access token issued by Tiga service in order to access the resource. This function assumes the caller holds oidc.Discovery and the verifying jwx.KeySet.
Types ¶
type AccessToken ¶
type AccessToken struct { Value string Type string ExpiresIn int64 ClientId string Scopes []string UserInfoClaims map[string]interface{} }
AccessToken is the inflated representation of an access token.
func GetAccessToken ¶
func GetAccessToken(ctx context.Context) (*AccessToken, error)
GetAccessToken retrieves the grant.AccessToken from the context. If no token was set on context, or the object set on context was not grant.AccessToken, ErrAccessTokenNotSet is returned as error.
type AccessTokenClaims ¶
type AccessTokenClaims struct { jwt.Claims Client string `json:"client"` Scope string `json:"scope"` UserInfo map[string]interface{} `json:"userinfo,omitempty"` }
AccessTokenClaims is the payload of a JWT encoded AccessToken issued by Tiga.
func (*AccessTokenClaims) Get ¶
func (c *AccessTokenClaims) Get(name string) (interface{}, bool)
type Authentication ¶
type Authentication struct { Subject string `json:"subject"` IdpId string `json:"idp_id"` AuthTime int64 `json:"auth_time"` Context json.RawMessage `json:"context,omitempty"` }
Authentication is a End-User authentication record.
type Client ¶
type Client struct { Name string `json:"name"` Contacts []string `json:"contacts,omitempty"` LogoURI string `json:"logo_uri,omitempty"` PolicyURI string `json:"policy_uri,omitempty"` ClientURI string `json:"client_uri,omitempty"` TermsOfServiceURI string `json:"tos_uri,omitempty"` }
Client contains the publicly displayable data of the client.
type ConsentCallback ¶
type ConsentCallback struct { InteractionCallback // GrantedScopes are the list of scopes that the user has granted access // to the client. The OP must verify that these scopes had indeed been // requested. Scopes included here are those the End-User had explicitly // granted access to, no matter their previous status. These scopes will // be marked as granted in the session. GrantedScopes []string `json:"granted_scopes"` // RejectedScopes are the list of scopes that the user has rejected. The OP // must verify that these scopes had indeed been requested. Scope included // here are those the End-User had explicitly rejected access to, for instance, // by pressing the "Deny" button, or by unchecking the checkbox. These scopes // will be marked as rejected in the session. // // If a scope is both granted and rejected, rejection takes precedence. RejectedScopes []string `json:"rejected_scopes"` // Ephemeral marks this response as one-time only. By default, granted scopes // will be recorded and contributes to silent grant on subsequent requests. // By marking response as ephemeral, OP skips persistence. Ephemeral bool `json:"ephemeral"` }
ConsentCallback is the request payload of a callback made by consent interaction provider.
type ErrorResponse ¶
type ErrorResponse struct { Status int `json:"status"` Code string `json:"error,omitempty"` Reason string `json:"error_description,omitempty"` }
ErrorResponse is the response object when error has occurred at token endpoint.
func (*ErrorResponse) Error ¶
func (r *ErrorResponse) Error() string
type InteractionCallback ¶
type InteractionCallback struct { // Success is an indicator on if the interaction was positively successful. // If successful, operational data will be read from payload; otherwise, // error description will be read. Success bool `json:"success"` // Timestamp is the UNIX timestamp of the indicated event. Timestamp int64 `json:"timestamp"` // Nonce is the nonce parameter passed to the interaction provider // on the initial redirect. OP requires this piece of data in order // to prevent replay. Nonce string `json:"nonce"` // Error is the IDP specific error code indicating interaction failure. // It will not be returned to the client. The OP logs it for // debugging and auditing purposes. Error string `json:"error"` // ErrorDescription is the IDP specific description for the error // code. It will not be returned to the client. The OP logs it for // debugging and auditing purposes. ErrorDescription string `json:"error_description"` }
InteractionCallback is the common elements in an interaction callback request.
type InteractionState ¶
type InteractionState struct { // Subject is the subject identifier for the logged in End-User. // This field is optional when the login user had not be determined. // If OP had confirmed a login, this field will be shown along with // a Authentications map containing only that subject. Subject string `json:"subject,omitempty"` // Authentications contain zero or more candidates to be considered for // login. Login providers shall expect an empty map. Select account // providers shall expect a map containing one or more items. Consent // providers shall expect a single entry map whose key matches the Subject. Authentications map[string]*Authentication `json:"authentications"` // Scopes is the map of the requested scopes and their corresponding textual // status (granted|pending|rejected) and displayable detail. OP recommends // the consent provider display all scopes and their corresponding status to // the End-User so a conscious decision could be made. However, the consent // provider is at liberty to display any combination of the three categories. // Note scopes will not be shared unless Subject is determined. Scopes map[string]ScopeData `json:"scopes,omitempty"` // Client is the public sharable data about the client who made the initial // authorize request. OP encourages display of these data so the End-User is // aware which party are they granting access to. Client *Client `json:"client"` // OIDC is the public sharable data about the request itself. Interaction // providers are expected to adhere to the request parameters with their // best effort. OIDC *OIDC `json:"oidc"` }
InteractionState contains all data that an interaction provider may wish to know about the current state of the End-User interaction.
Some data are selectively not exposed at certain stage. For instance, before subject is confirmed, scope data is not exposed. And when subject is confirmed, all other candidates authentication sessions are hidden. Client and OIDC data is always returned.
type LoginCallback ¶
type LoginCallback struct { InteractionCallback // Subject is the IDP unique identifier for the logged in user. Subject string `json:"subject"` // Amr is the list of authentication methods Amr []string `json:"amr"` // Acr is the IDP determined authentication context // reference. Acr string `json:"acr"` // Context is the data that login provider wishes to // cache at the OP and shared back to it on the next // interaction involving this subject. Typical usage // includes user avatar, nickname, etc. The data in // this field will be size restricted to prevent abuse. // // Note that context is only meaningful when Remember // option is used. If not remembered, Context data is // lost. Context json.RawMessage `json:"context"` // Remember is the number of seconds to remember this // authentication, which directly translates to the // authentication session validity period. If it is // non-positive, it will be treated as not remembered. Remember int64 `json:"remember"` }
LoginCallback is the request payload of a callback made by login interaction provider.
type OIDC ¶
type OIDC struct { Display string `json:"display,omitempty"` UILocales string `json:"ui_locales,omitempty"` LoginHint string `json:"login_hint,omitempty"` AcrValues string `json:"acr_values,omitempty"` }
OIDC contains the publicly displayable data of the OIDC request.
type ProtectOpt ¶
type ProtectOpt struct { // Audience is the expected "aud" in the access token claims. // When empty or nil, "aud" validation is not performed. Audience []string // Subject is the expected "sub" in the access token claims. // When empty or nil, "sub" validation is not performed. Subject string // Scopes is the list of required scopes in the access token claims. // When empty or nil, "scope" validation is not performed. Scopes []string // Leeway is the time skew tolerance Leeway time.Duration // RenderError is the function that is called in case of error. If not // provided, the middleware just write 401 status. RenderError func(http.ResponseWriter, *http.Request, error) }
ProtectOpt is the options for Protect middleware.
type SDK ¶
type SDK struct {
// contains filtered or unexported fields
}
SDK is the entrypoint of the kit.
func New ¶
New creates a new sdk object to expose various features. A series of Option can be applied to customize its parameters.
func (*SDK) ConsentCallback ¶
func (*SDK) ConsentState ¶
func (*SDK) LoginCallback ¶
func (*SDK) LoginState ¶
func (*SDK) Protect ¶
Protect returns a HTTP middleware to require access token issued by Tiga service in order to access the resource.
func (*SDK) ResumeAuthorize ¶
func (*SDK) SelectAccountCallback ¶
func (*SDK) SelectAccountState ¶
func (*SDK) TokenByClientCredentials ¶
func (*SDK) TokenByCode ¶
func (*SDK) TokenByRefreshToken ¶
type ScopeData ¶
type ScopeData struct { // Status is the textual description of spec.ScopeStatus. // See scopeStatusMap Status string `json:"status"` // Detail is the raw data of this scope, usually describing // the scope of access in various displayable locales. Scope // detail registered with the client takes precedence, followed // by the default detail data about some common scopes prepared // by OP. // // Client registration is expected to consult consent provider // about the format of this data, hence, the consent provider // should understand the data here. Detail json.RawMessage `json:"detail"` }
ScopeData describes status and details about a scope.
type SelectAccountCallback ¶
type SelectAccountCallback struct { InteractionCallback // SelectId is the id of the selected authentication. SelectedId string `json:"subject"` }
SelectAccountCallback is the request payload of a callback made by select account interaction provider.
type Stub ¶ added in v0.4.0
type Stub interface { // TokenByClientCredentials acquire access tokens using the client_credentials flow. TokenByClientCredentials(ctx context.Context, scopes []string) (*TokenResponse, error) // TokenByCode acquire access tokens, and optionally refresh token and id_token using the authorization_code flow. TokenByCode(ctx context.Context, code string, redirectURI string, scopes []string) (*TokenResponse, error) // TokenByRefreshToken acquire access tokens and refresh token by exchanging in existing refresh token. TokenByRefreshToken(ctx context.Context, refreshToken string, scopes []string) (*TokenResponse, error) // LoginState gets the InteractionState of the login challenge. LoginState(ctx context.Context, xid string) (*InteractionState, error) // SelectAccountState gets the InteractionState of the select account challenge. SelectAccountState(ctx context.Context, xid string) (*InteractionState, error) // ConsentState gets the InteractionState of the consent challenge. ConsentState(ctx context.Context, xid string) (*InteractionState, error) // LoginCallback posts the End-User's LoginCallback response back to Tiga. LoginCallback(ctx context.Context, xid string, callback *LoginCallback) (bool, error) // SelectAccountCallback posts the End-User's SelectAccountCallback response back to Tiga. SelectAccountCallback(ctx context.Context, xid string, callback *SelectAccountCallback) (bool, error) // ConsentCallback posts the End-User's ConsentCallback response back to Tiga. ConsentCallback(ctx context.Context, xid string, callback *ConsentCallback) (bool, error) // ResumeAuthorize redirects the http response back to the authorize resume endpoint. ResumeAuthorize(rw http.ResponseWriter, r *http.Request, xid string) }
Stub describes the client side functions provided by the SDK to communicate with the Tiga instance. It is included in the SDK so that client side code can implement it to mock Tiga during development and testing.
type TokenResponse ¶
type TokenResponse struct { AccessToken string `json:"access_token,omitempty"` TokenType string `json:"token_type,omitempty"` ExpiresIn *int64 `json:"expires_in,omitempty"` RefreshToken string `json:"refresh_token,omitempty"` IdToken string `json:"id_token,omitempty"` Scope string `json:"scope,omitempty"` }
TokenResponse is the response object at token endpoint.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package jwx provides a thin wrapper layer around gopkg.in/square/go-jose.v2 to provide JOSE related operations in the OpenID Connect context.
|
Package jwx provides a thin wrapper layer around gopkg.in/square/go-jose.v2 to provide JOSE related operations in the OpenID Connect context. |
Package oidc provides OpenID Connect specification values and custom extensions.
|
Package oidc provides OpenID Connect specification values and custom extensions. |