README
¶
go-oidc
OpenID Connect support for Go
This package enables OpenID Connect support for the golang.org/x/oauth2 package.
provider, err := oidc.NewProvider(ctx, "https://accounts.google.com")
if err != nil {
// handle error
}
// Configure an OpenID Connect aware OAuth2 client.
oauth2Config := oauth2.Config{
ClientID: clientID,
ClientSecret: clientSecret,
RedirectURL: redirectURL,
// Discovery returns the OAuth2 endpoints.
Endpoint: provider.Endpoint(),
// "openid" is a required scope for OpenID Connect flows.
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
}
OAuth2 redirects are unchanged.
func handleRedirect(w http.ResponseWriter, r *http.Request) {
http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusFound)
}
The on responses, the provider can be used to verify ID Tokens.
var verifier = provider.Verifier(&oidc.Config{ClientID: clientID})
func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
// Verify state and errors.
oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
if err != nil {
// handle error
}
// Extract the ID Token from OAuth2 token.
rawIDToken, ok := oauth2Token.Extra("id_token").(string)
if !ok {
// handle missing token
}
// Parse and verify ID Token payload.
idToken, err := verifier.Verify(ctx, rawIDToken)
if err != nil {
// handle error
}
// Extract custom claims
var claims struct {
Email string `json:"email"`
Verified bool `json:"email_verified"`
}
if err := idToken.Claims(&claims); err != nil {
// handle error
}
}
Documentation
¶
Overview ¶
Package oidc implements OpenID Connect client logic for the golang.org/x/oauth2 package.
Index ¶
- Constants
- func ClientContext(ctx context.Context, client *http.Client) context.Context
- func NewRemoteKeySet(ctx context.Context, jwksURL string, now func() time.Time) *remoteKeySet
- func Nonce(nonce string) oauth2.AuthCodeOption
- type Config
- type Endpoints
- type IDToken
- type IDTokenVerifier
- type Provider
- type UserInfo
Constants ¶
const ( // JOSE asymmetric signing algorithm values as defined by RFC 7518 // // see: https://tools.ietf.org/html/rfc7518#section-3.1 RS256 = "RS256" // RSASSA-PKCS-v1.5 using SHA-256 RS384 = "RS384" // RSASSA-PKCS-v1.5 using SHA-384 RS512 = "RS512" // RSASSA-PKCS-v1.5 using SHA-512 ES256 = "ES256" // ECDSA using P-256 and SHA-256 ES384 = "ES384" // ECDSA using P-384 and SHA-384 ES512 = "ES512" // ECDSA using P-521 and SHA-512 PS256 = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256 PS384 = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384 PS512 = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512 )
const ( // ScopeOpenID is the mandatory scope for all OpenID Connect OAuth2 requests. ScopeOpenID = "openid" // ScopeOfflineAccess is an optional scope defined by OpenID Connect for requesting // OAuth2 refresh tokens. // // Support for this scope differs between OpenID Connect providers. For instance // Google rejects it, favoring appending "access_type=offline" as part of the // authorization request instead. // // See: https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess ScopeOfflineAccess = "offline_access" )
Variables ¶
This section is empty.
Functions ¶
func ClientContext ¶
ClientContext returns a new Context that carries the provided HTTP client.
This method sets the same context key used by the golang.org/x/oauth2 package, so the returned context works for that package too.
myClient := &http.Client{}
ctx := oidc.ClientContext(parentContext, myClient)
// This will use the custom client
provider, err := oidc.NewProvider(ctx, "https://accounts.example.com")
func NewRemoteKeySet ¶
func Nonce ¶
func Nonce(nonce string) oauth2.AuthCodeOption
Nonce returns an auth code option which requires the ID Token created by the OpenID Connect provider to contain the specified nonce.
Types ¶
type Config ¶
type Config struct {
// Expected audience of the token. For a majority of the cases this is expected to be
// the ID of the client that initialized the login flow. It may occasionally differ if
// the provider supports the authorizing party (azp) claim.
//
// If not provided, users must explicitly set SkipClientIDCheck.
ClientID string
// If specified, only this set of algorithms may be used to sign the JWT.
//
// Since many providers only support RS256, SupportedSigningAlgs defaults to this value.
SupportedSigningAlgs []string
// If true, no ClientID check performed. Must be true if ClientID field is empty.
SkipClientIDCheck bool
// If true, token expiry is not checked.
SkipExpiryCheck bool
// Time function to check Token expiry. Defaults to time.Now
Now func() time.Time
}
Config is the configuration for an IDTokenVerifier.
type Endpoints ¶
type Endpoints struct {
// contains filtered or unexported fields
}
func Discover ¶
NewProvider uses the OpenID Connect discovery mechanism to construct a Provider.
The issuer is the URL identifier for the service. For example: "https://accounts.google.com" or "https://login.salesforce.com".
type IDToken ¶
type IDToken struct {
// The URL of the server which issued this token. OpenID Connect
// requires this value always be identical to the URL used for
// initial discovery.
//
// Note: Because of a known issue with Google Accounts' implementation
// this value may differ when using Google.
//
// See: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
Issuer string
// The client ID, or set of client IDs, that this token is issued for. For
// common uses, this is the client that initialized the auth flow.
//
// This package ensures the audience contains an expected value.
Audience []string
// A unique string which identifies the end user.
Subject string
// Expiry of the token. Ths package will not process tokens that have
// expired unless that validation is explicitly turned off.
Expiry time.Time
// When the token was issued by the provider.
IssuedAt time.Time
// Initial nonce provided during the authentication redirect.
//
// This package does NOT provided verification on the value of this field
// and it's the user's responsibility to ensure it contains a valid value.
Nonce string
// contains filtered or unexported fields
}
IDToken is an OpenID Connect extension that provides a predictable representation of an authorization event.
The ID Token only holds fields OpenID Connect requires. To access additional claims returned by the server, use the Claims method.
func (*IDToken) Claims ¶
Claims unmarshals the raw JSON payload of the ID Token into a provided struct.
idToken, err := idTokenVerifier.Verify(rawIDToken)
if err != nil {
// handle error
}
var claims struct {
Email string `json:"email"`
EmailVerified bool `json:"email_verified"`
}
if err := idToken.Claims(&claims); err != nil {
// handle error
}
type IDTokenVerifier ¶
type IDTokenVerifier struct {
// contains filtered or unexported fields
}
IDTokenVerifier provides verification for ID Tokens.
func NewVerifier ¶
func NewVerifier(keySet keySet, config *Config, issuer string) *IDTokenVerifier
func (*IDTokenVerifier) Verify ¶
Verify parses a raw ID Token, verifies it's been signed by the provider, preforms any additional checks depending on the Config, and returns the payload.
Verify does NOT do nonce validation, which is the callers responsibility.
See: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
if err != nil {
// handle error
}
// Extract the ID Token from oauth2 token.
rawIDToken, ok := oauth2Token.Extra("id_token").(string)
if !ok {
// handle error
}
token, err := verifier.Verify(ctx, rawIDToken)
type Provider ¶
type Provider struct {
Issuer string
AuthURL string
TokenURL string
UserInfoURL string
// contains filtered or unexported fields
}
Provider represents an OpenID Connect server's configuration.
func (*Provider) Claims ¶
Claims unmarshals raw fields returned by the server during discovery.
var claims struct {
ScopesSupported []string `json:"scopes_supported"`
ClaimsSupported []string `json:"claims_supported"`
}
if err := provider.Claims(&claims); err != nil {
// handle unmarshaling error
}
For a list of fields defined by the OpenID Connect spec see: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
func (*Provider) Endpoint ¶
Endpoint returns the OAuth2 auth and token endpoints for the given provider.
func (*Provider) Verifier ¶
func (p *Provider) Verifier(config *Config) *IDTokenVerifier
Verifier returns an IDTokenVerifier that uses the provider's key set to verify JWTs.
The returned IDTokenVerifier is tied to the Provider's context and its behavior is undefined once the Provider's context is canceled.
type UserInfo ¶
type UserInfo struct {
Subject string `json:"sub"`
Profile string `json:"profile"`
Email string `json:"email"`
EmailVerified bool `json:"email_verified"`
// contains filtered or unexported fields
}
UserInfo represents the OpenID Connect userinfo claims.
func UserInfoReq ¶
func UserInfoReq(ctx context.Context, userInfoURL string, tokenSource oauth2.TokenSource) (*UserInfo, error)
UserInfo uses the token source to query the provider's user info endpoint.
Source Files