oidc

package
v4.37.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 21, 2022 License: Apache-2.0 Imports: 36 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	PromptNone    = none
	PromptLogin   = "login"
	PromptConsent = "consent"
)
View Source 
const (
	ScopeOfflineAccess = "offline_access"
	ScopeOffline       = "offline"
	ScopeOpenID        = "openid"
	ScopeProfile       = "profile"
	ScopeEmail         = "email"
	ScopeGroups        = "groups"
)

Scope strings.

View Source 
const (
	ClaimJWTID                               = "jti"
	ClaimSessionID                           = "sid"
	ClaimAccessTokenHash                     = "at_hash"
	ClaimCodeHash                            = "c_hash"
	ClaimIssuedAt                            = "iat"
	ClaimNotBefore                           = "nbf"
	ClaimRequestedAt                         = "rat"
	ClaimExpirationTime                      = "exp"
	ClaimAuthenticationTime                  = "auth_time"
	ClaimIssuer                              = "iss"
	ClaimSubject                             = "sub"
	ClaimNonce                               = "nonce"
	ClaimAudience                            = "aud"
	ClaimGroups                              = "groups"
	ClaimFullName                            = "name"
	ClaimPreferredUsername                   = "preferred_username"
	ClaimPreferredEmail                      = "email"
	ClaimEmailVerified                       = "email_verified"
	ClaimAuthorizedParty                     = "azp"
	ClaimAuthenticationContextClassReference = "acr"
	ClaimAuthenticationMethodsReference      = "amr"
	ClaimClientIdentifier                    = "client_id"
)

Registered Claim strings. See https://www.iana.org/assignments/jwt/jwt.xhtml.

View Source 
const (
	ResponseModeQuery    = "query"
	ResponseModeFormPost = "form_post"
	ResponseModeFragment = "fragment"
)

Response Mode strings.

View Source 
const (
	GrantTypeImplicit          = implicit
	GrantTypeRefreshToken      = "refresh_token"
	GrantTypeAuthorizationCode = "authorization_code"
	GrantTypePassword          = "password"
	GrantTypeClientCredentials = "client_credentials"
)

Grant Type strings.

View Source 
const (
	SigningAlgorithmNone          = none
	SigningAlgorithmRSAWithSHA256 = "RS256"
)

Signing Algorithm strings.

View Source 
const (
	SubjectTypePublic   = "public"
	SubjectTypePairwise = "pairwise"
)

Subject Type strings.

View Source 
const (
	PKCEChallengeMethodPlain  = "plain"
	PKCEChallengeMethodSHA256 = "S256"
)

Proof Key Code Exchange Challenge Method strings.

View Source 
const (
	EndpointAuthorization = "authorization"
	EndpointToken         = "token"
	EndpointUserinfo      = "userinfo"
	EndpointIntrospection = "introspection"
	EndpointRevocation    = "revocation"
)

Endpoints.

View Source 
const (
	EndpointPathConsent                           = "/consent"
	EndpointPathWellKnownOpenIDConfiguration      = "/.well-known/openid-configuration"
	EndpointPathWellKnownOAuthAuthorizationServer = "/.well-known/oauth-authorization-server"
	EndpointPathJWKs                              = "/jwks.json"

	EndpointPathRoot = "/api/oidc"

	EndpointPathAuthorization = EndpointPathRoot + "/" + EndpointAuthorization
	EndpointPathToken         = EndpointPathRoot + "/" + EndpointToken
	EndpointPathUserinfo      = EndpointPathRoot + "/" + EndpointUserinfo
	EndpointPathIntrospection = EndpointPathRoot + "/" + EndpointIntrospection
	EndpointPathRevocation    = EndpointPathRoot + "/" + EndpointRevocation
)

Paths.

View Source 
const (
	// AMRMultiFactorAuthentication is an RFC8176 Authentication Method Reference Value that represents multiple-factor
	// authentication as per NIST.800-63-2 and ISO29115. When this is present, specific authentication methods used may
	// also be included.
	//
	// Authelia utilizes this when a user has performed any 2 AMR's with different factor values (excluding meta).
	// Factor: Meta, Channel: Meta.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	//
	// NIST.800-63-2: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
	//
	// ISO29115: https://www.iso.org/standard/45138.html
	AMRMultiFactorAuthentication = "mfa"

	// AMRMultiChannelAuthentication is an RFC8176 Authentication Method Reference Value that represents
	// multiple-channel authentication. The authentication involves communication over more than one distinct
	// communication channel. For instance, a multiple-channel authentication might involve both entering information
	// into a workstation's browser and providing information on a telephone call to a pre-registered number.
	//
	// Authelia utilizes this when a user has performed any 2 AMR's with different channel values (excluding meta).
	// Factor: Meta, Channel: Meta.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	AMRMultiChannelAuthentication = "mca"

	// AMRUserPresence is an RFC8176 Authentication Method Reference Value that represents authentication that included
	// a user presence test. Evidence that the end user is present and interacting with the device. This is sometimes
	// also referred to as "test of user presence" as per W3C.WD-webauthn-20170216.
	//
	// Authelia utilizes this when a user has used Webauthn to authenticate and the user presence flag was set.
	// Factor: Meta, Channel: Meta.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	//
	// W3C.WD-webauthn-20170216: https://datatracker.ietf.org/doc/html/rfc8176#ref-W3C.WD-webauthn-20170216
	AMRUserPresence = "user"

	// AMRPersonalIdentificationNumber is an RFC8176 Authentication Method Reference Value that represents
	// authentication that included a personal Identification Number (PIN) as per RFC4949 or pattern (not restricted to
	// containing only numbers) that a user enters to unlock a key on the device. This mechanism should have a way to
	// deter an attacker from obtaining the PIN by trying repeated guesses.
	//
	// Authelia utilizes this when a user has used Webauthn to authenticate and the user verified flag was set.
	//	Factor: Meta, Channel: Meta.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	//
	// RFC4949: https://datatracker.ietf.org/doc/html/rfc4949
	AMRPersonalIdentificationNumber = "pin"

	// AMRPasswordBasedAuthentication is an RFC8176 Authentication Method Reference Value that represents password-based
	// authentication as per RFC4949.
	//
	// Authelia utilizes this when a user has performed 1FA. Factor: Know, Channel: Browser.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	//
	// RFC4949: https://datatracker.ietf.org/doc/html/rfc4949
	AMRPasswordBasedAuthentication = "pwd"

	// AMROneTimePassword is an RFC8176 Authentication Method Reference Value that represents authentication via a
	// one-time password as per RFC4949. One-time password specifications that this authentication method applies to
	// include RFC4226 and RFC6238.
	//
	// Authelia utilizes this when a user has used TOTP to authenticate. Factor: Have, Channel: Browser.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	//
	// RFC4949: https://datatracker.ietf.org/doc/html/rfc4949
	//
	// RFC4226: https://datatracker.ietf.org/doc/html/rfc4226
	//
	// RFC6238: https://datatracker.ietf.org/doc/html/rfc6238
	AMROneTimePassword = "otp"

	// AMRHardwareSecuredKey is an RFC8176 Authentication Method Reference Value that
	// represents authentication via a proof-of-Possession (PoP) of a hardware-secured key.
	//
	// Authelia utilizes this when a user has used Webauthn to authenticate. Factor: Have, Channel: Browser.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	AMRHardwareSecuredKey = "hwk"

	// AMRShortMessageService is an RFC8176 Authentication Method Reference Value that
	// represents authentication via confirmation using SMS text message to the user at a registered number.
	//
	// Authelia utilizes this when a user has used Duo to authenticate. Factor: Have, Channel: Browser.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	AMRShortMessageService = "sms"
)

Authentication Method Reference Values https://datatracker.ietf.org/doc/html/rfc8176

View Source 
const (
	// ClaimEmailAlts is an unregistered/custom claim.
	// It represents the emails which are not considered primary.
	ClaimEmailAlts = "alt_emails"
)
View Source 
const (
	// JWTHeaderKeyIdentifier is the JWT Header referencing the JWS Key Identifier used to sign a token.
	JWTHeaderKeyIdentifier = "kid"
)

JWT Headers.

Variables

View Source 
var (
	ErrIssuerCouldNotDerive        = fosite.ErrServerError.WithHint("Could not safely derive the issuer.")
	ErrSubjectCouldNotLookup       = fosite.ErrServerError.WithHint("Could not lookup user subject.")
	ErrConsentCouldNotPerform      = fosite.ErrServerError.WithHint("Could not perform consent.")
	ErrConsentCouldNotGenerate     = fosite.ErrServerError.WithHint("Could not generate the consent session.")
	ErrConsentCouldNotSave         = fosite.ErrServerError.WithHint("Could not save the consent session.")
	ErrConsentCouldNotLookup       = fosite.ErrServerError.WithHint("Failed to lookup the consent session.")
	ErrConsentMalformedChallengeID = fosite.ErrServerError.WithHint("Malformed consent session challenge ID.")
)

Functions

func NewSession added in v4.34.5 

func NewSession() (session *model.OpenIDSession)

NewSession creates a new empty OpenIDSession struct.

func NewSessionWithAuthorizeRequest added in v4.34.5 

func NewSessionWithAuthorizeRequest(issuer *url.URL, kid, username string, amr []string, extra map[string]any,
	authTime time.Time, consent *model.OAuth2ConsentSession, requester fosite.AuthorizeRequester) (session *model.OpenIDSession)

NewSessionWithAuthorizeRequest uses details from an AuthorizeRequester to generate an OpenIDSession.

Types

type AdaptiveHasher added in v4.37.0 

type AdaptiveHasher struct {
	// contains filtered or unexported fields
}

AdaptiveHasher implements the fosite.Hasher interface without an actual hashing algo.

func NewAdaptiveHasher added in v4.37.3 

func NewAdaptiveHasher() (hasher *AdaptiveHasher, err error)

func (*AdaptiveHasher) Compare added in v4.37.0 

func (h *AdaptiveHasher) Compare(_ context.Context, hash, data []byte) (err error)

Compare compares the hash with the data and returns an error if they don't match.

func (*AdaptiveHasher) Hash added in v4.37.0 

func (h *AdaptiveHasher) Hash(_ context.Context, data []byte) (hash []byte, err error)

Hash creates a new hash from data.

type AuthenticationMethodsReferences added in v4.35.0 

type AuthenticationMethodsReferences struct {
	UsernameAndPassword  bool
	TOTP                 bool
	Duo                  bool
	Webauthn             bool
	WebauthnUserPresence bool
	WebauthnUserVerified bool
}

AuthenticationMethodsReferences holds AMR information.

func (AuthenticationMethodsReferences) ChannelBrowser added in v4.35.0 

func (r AuthenticationMethodsReferences) ChannelBrowser() bool

ChannelBrowser returns true if a browser was used to authenticate.

func (AuthenticationMethodsReferences) ChannelService added in v4.35.0 

func (r AuthenticationMethodsReferences) ChannelService() bool

ChannelService returns true if a non-browser service was used to authenticate.

func (AuthenticationMethodsReferences) FactorKnowledge added in v4.35.0 

func (r AuthenticationMethodsReferences) FactorKnowledge() bool

FactorKnowledge returns true if a "something you know" factor of authentication was used.

func (AuthenticationMethodsReferences) FactorPossession added in v4.35.0 

func (r AuthenticationMethodsReferences) FactorPossession() bool

FactorPossession returns true if a "something you have" factor of authentication was used.

func (AuthenticationMethodsReferences) MarshalRFC8176 added in v4.35.0 

func (r AuthenticationMethodsReferences) MarshalRFC8176() []string

MarshalRFC8176 returns the AMR claim slice of strings in the RFC8176 format. https://datatracker.ietf.org/doc/html/rfc8176

func (AuthenticationMethodsReferences) MultiChannelAuthentication added in v4.35.0 

func (r AuthenticationMethodsReferences) MultiChannelAuthentication() bool

MultiChannelAuthentication returns true if the user used more than one channel to authenticate.

func (AuthenticationMethodsReferences) MultiFactorAuthentication added in v4.35.0 

func (r AuthenticationMethodsReferences) MultiFactorAuthentication() bool

MultiFactorAuthentication returns true if multiple factors were used.

type Client added in v4.35.0 

type Client struct {
	ID               string
	Description      string
	Secret           algorithm.Digest
	SectorIdentifier string
	Public           bool

	Audience      []string
	Scopes        []string
	RedirectURIs  []string
	GrantTypes    []string
	ResponseTypes []string
	ResponseModes []fosite.ResponseModeType

	UserinfoSigningAlgorithm string

	Policy authorization.Level

	Consent ClientConsent
}

Client represents the client internally.

func NewClient 

func NewClient(config schema.OpenIDConnectClientConfiguration) (client *Client)

NewClient creates a new Client.

func (*Client) GetAudience added in v4.35.0 

func (c *Client) GetAudience() fosite.Arguments

GetAudience returns the Audience.

func (*Client) GetConsentResponseBody added in v4.35.0 

func (c *Client) GetConsentResponseBody(consent *model.OAuth2ConsentSession) ConsentGetResponseBody

GetConsentResponseBody returns the proper consent response body for this session.OIDCWorkflowSession.

func (*Client) GetGrantTypes added in v4.35.0 

func (c *Client) GetGrantTypes() fosite.Arguments

GetGrantTypes returns the GrantTypes.

func (*Client) GetHashedSecret added in v4.35.0 

func (c *Client) GetHashedSecret() []byte

GetHashedSecret returns the Secret.

func (*Client) GetID added in v4.35.0 

func (c *Client) GetID() string

GetID returns the ID.

func (*Client) GetRedirectURIs added in v4.35.0 

func (c *Client) GetRedirectURIs() []string

GetRedirectURIs returns the RedirectURIs.

func (*Client) GetResponseModes added in v4.35.0 

func (c *Client) GetResponseModes() []fosite.ResponseModeType

GetResponseModes returns the valid response modes for this client.

Implements the fosite.ResponseModeClient.

func (*Client) GetResponseTypes added in v4.35.0 

func (c *Client) GetResponseTypes() fosite.Arguments

GetResponseTypes returns the ResponseTypes.

func (*Client) GetScopes added in v4.35.0 

func (c *Client) GetScopes() fosite.Arguments

GetScopes returns the Scopes.

func (*Client) GetSectorIdentifier added in v4.35.0 

func (c *Client) GetSectorIdentifier() string

GetSectorIdentifier returns the SectorIdentifier for this client.

func (*Client) IsAuthenticationLevelSufficient added in v4.35.0 

func (c *Client) IsAuthenticationLevelSufficient(level authentication.Level) bool

IsAuthenticationLevelSufficient returns if the provided authentication.Level is sufficient for the client of the AutheliaClient.

func (*Client) IsPublic added in v4.35.0 

func (c *Client) IsPublic() bool

IsPublic returns the value of the Public property.

type ClientConsent added in v4.37.0 

type ClientConsent struct {
	Mode     ClientConsentMode
	Duration time.Duration
}

ClientConsent is the consent configuration for a client.

func NewClientConsent added in v4.37.0 

func NewClientConsent(mode string, duration *time.Duration) ClientConsent

NewClientConsent converts the schema.OpenIDConnectClientConsentConfig into a oidc.ClientConsent.

func (ClientConsent) String added in v4.37.0 

func (c ClientConsent) String() string

String returns the string representation of the ClientConsentMode.

type ClientConsentMode added in v4.37.0 

type ClientConsentMode int

ClientConsentMode represents the consent mode for a client. 

const (
	// ClientConsentModeExplicit means the client does not implicitly assume consent, and does not allow pre-configured
	// consent sessions.
	ClientConsentModeExplicit ClientConsentMode = iota

	// ClientConsentModePreConfigured means the client does not implicitly assume consent, but does allow pre-configured
	// consent sessions.
	ClientConsentModePreConfigured

	// ClientConsentModeImplicit means the client does implicitly assume consent, and does not allow pre-configured
	// consent sessions.
	ClientConsentModeImplicit
)

func (ClientConsentMode) String added in v4.37.0 

func (c ClientConsentMode) String() string

String returns the string representation of the ClientConsentMode.

type CommonDiscoveryOptions added in v4.34.0 

type CommonDiscoveryOptions struct {
	/*
		REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer
		Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value
		returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
	*/
	Issuer string `json:"issuer"`

	/*
		REQUIRED. URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to
		validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by
		RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
		parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
		Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT
		RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys
		provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
	*/
	JWKSURI string `json:"jwks_uri,omitempty"`

	/*
		REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint [OpenID.Core].
		See Also:
			OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
	*/
	AuthorizationEndpoint string `json:"authorization_endpoint"`

	/*
		URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is used.
		See Also:
			OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
	*/
	TokenEndpoint string `json:"token_endpoint,omitempty"`

	/*
		REQUIRED. JSON array containing a list of the Subject Identifier types that this OP supports. Valid types
		include pairwise and public.
	*/
	SubjectTypesSupported []string `json:"subject_types_supported"`

	/*
		REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic
		OpenID Providers MUST support the code, id_token, and the token id_token Response Type values.
	*/
	ResponseTypesSupported []string `json:"response_types_supported"`

	/*
		OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID
		Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant Types.
		If omitted, the default value is ["authorization_code", "implicit"].
	*/
	GrantTypesSupported []string `json:"grant_types_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified
		in OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic
		OpenID Providers is ["query", "fragment"].
	*/
	ResponseModesSupported []string `json:"response_modes_supported,omitempty"`

	/*
		RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports.
		The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values
		even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported.
		See Also:
			OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
			OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
	*/
	ScopesSupported []string `json:"scopes_supported,omitempty"`

	/*
		RECOMMENDED. JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able
		to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list.
	*/
	ClaimsSupported []string `json:"claims_supported,omitempty"`

	/*
		OPTIONAL. Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646]
		language tag values.
		See Also:
			BCP47: https://datatracker.ietf.org/doc/html/rfc5646
	*/
	UILocalesSupported []string `json:"ui_locales_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The
		options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in
		Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions.
		If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section
		2.3.1 of OAuth 2.0 [RFC6749].
		See Also:
			OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
			OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
	*/
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint
		for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt
		and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used.
		See Also:
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL. URL of a page containing human-readable information that developers might want or need to know when
		using the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
		then information on how to register Clients needs to be provided in this documentation.
	*/
	ServiceDocumentation string `json:"service_documentation,omitempty"`

	/*
		OPTIONAL. URL that the OpenID Provider provides to the person registering the Client to read about the OP's
		requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD
		display this URL to the person registering the Client if it is given.
	*/
	OPPolicyURI string `json:"op_policy_uri,omitempty"`

	/*
		OPTIONAL. URL that the OpenID Provider provides to the person registering the Client to read about OpenID
		Provider's terms of service. The registration process SHOULD display this URL to the person registering the
		Client if it is given.
	*/
	OPTOSURI string `json:"op_tos_uri,omitempty"`
}

CommonDiscoveryOptions represents the discovery options used in both OAuth 2.0 and OpenID Connect. See Also: 

OpenID Connect Discovery: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
OAuth 2.0 Discovery: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-2

type Config added in v4.37.3 

type Config struct {
	// GlobalSecret is the global secret used to sign and verify signatures.
	GlobalSecret []byte

	// RotatedGlobalSecrets is a list of global secrets that are used to verify signatures.
	RotatedGlobalSecrets [][]byte

	Issuers IssuersConfig

	SendDebugMessagesToClients    bool
	DisableRefreshTokenValidation bool
	OmitRedirectScopeParameter    bool

	JWTScopeField  jwt.JWTScopeFieldEnum
	JWTMaxDuration time.Duration

	Hasher               *AdaptiveHasher
	Hash                 HashConfig
	Strategy             StrategyConfig
	PAR                  PARConfig
	Handlers             HandlersConfig
	Lifespans            LifespanConfig
	ProofKeyCodeExchange ProofKeyCodeExchangeConfig
	GrantTypeJWTBearer   GrantTypeJWTBearerConfig

	TokenURL            string
	TokenEntropy        int
	MinParameterEntropy int

	SanitationWhiteList []string
	AllowedPrompts      []string
	RefreshTokenScopes  []string

	HTTPClient           *retryablehttp.Client
	FormPostHTMLTemplate *template.Template
	MessageCatalog       i18n.MessageCatalog
}

func NewConfig added in v4.37.3 

func NewConfig(config *schema.OpenIDConnectConfiguration) *Config

func (*Config) EnforcePushedAuthorize added in v4.37.3 

func (c *Config) EnforcePushedAuthorize(ctx context.Context) bool

EnforcePushedAuthorize indicates if PAR is enforced. In this mode, a client cannot pass authorize parameters at the 'authorize' endpoint. The 'authorize' endpoint must contain the PAR request_uri.

func (*Config) GetAccessTokenIssuer added in v4.37.3 

func (c *Config) GetAccessTokenIssuer(ctx context.Context) (issuer string)

GetAccessTokenIssuer returns the access token issuer.

func (*Config) GetAccessTokenLifespan added in v4.37.3 

func (c *Config) GetAccessTokenLifespan(ctx context.Context) (lifespan time.Duration)

GetAccessTokenLifespan returns the access token lifespan.

func (*Config) GetAllowedPrompts added in v4.37.3 

func (c *Config) GetAllowedPrompts(ctx context.Context) (prompts []string)

GetAllowedPrompts returns the allowed prompts.

func (*Config) GetAudienceStrategy added in v4.37.3 

func (c *Config) GetAudienceStrategy(ctx context.Context) (strategy fosite.AudienceMatchingStrategy)

GetAudienceStrategy returns the audience strategy.

func (*Config) GetAuthorizeCodeLifespan added in v4.37.3 

func (c *Config) GetAuthorizeCodeLifespan(ctx context.Context) (lifespan time.Duration)

GetAuthorizeCodeLifespan returns the authorization code lifespan.

func (*Config) GetAuthorizeEndpointHandlers added in v4.37.3 

func (c *Config) GetAuthorizeEndpointHandlers(ctx context.Context) (handlers fosite.AuthorizeEndpointHandlers)

GetAuthorizeEndpointHandlers returns the authorize endpoint handlers.

func (*Config) GetClientAuthenticationStrategy added in v4.37.3 

func (c *Config) GetClientAuthenticationStrategy(ctx context.Context) (strategy fosite.ClientAuthenticationStrategy)

GetClientAuthenticationStrategy returns the client authentication strategy.

func (*Config) GetDisableRefreshTokenValidation added in v4.37.3 

func (c *Config) GetDisableRefreshTokenValidation(ctx context.Context) (disable bool)

GetDisableRefreshTokenValidation returns the disable refresh token validation flag.

func (*Config) GetEnablePKCEPlainChallengeMethod added in v4.37.3 

func (c *Config) GetEnablePKCEPlainChallengeMethod(ctx context.Context) (enable bool)

GetEnablePKCEPlainChallengeMethod returns the enable PKCE plain challenge method.

func (*Config) GetEnforcePKCE added in v4.37.3 

func (c *Config) GetEnforcePKCE(ctx context.Context) (enforce bool)

GetEnforcePKCE returns the enforcement of PKCE.

func (*Config) GetEnforcePKCEForPublicClients added in v4.37.3 

func (c *Config) GetEnforcePKCEForPublicClients(ctx context.Context) (enforce bool)

GetEnforcePKCEForPublicClients returns the enforcement of PKCE for public clients.

func (*Config) GetFormPostHTMLTemplate added in v4.37.3 

func (c *Config) GetFormPostHTMLTemplate(ctx context.Context) (tmpl *template.Template)

GetFormPostHTMLTemplate returns the form post HTML template.

func (*Config) GetGlobalSecret added in v4.37.3 

func (c *Config) GetGlobalSecret(ctx context.Context) (secret []byte, err error)

GetGlobalSecret returns the global secret.

func (*Config) GetGrantTypeJWTBearerCanSkipClientAuth added in v4.37.3 

func (c *Config) GetGrantTypeJWTBearerCanSkipClientAuth(ctx context.Context) (skip bool)

GetGrantTypeJWTBearerCanSkipClientAuth returns the grant type JWT bearer can skip client auth.

func (*Config) GetGrantTypeJWTBearerIDOptional added in v4.37.3 

func (c *Config) GetGrantTypeJWTBearerIDOptional(ctx context.Context) (optional bool)

GetGrantTypeJWTBearerIDOptional returns the grant type JWT bearer ID optional.

func (*Config) GetGrantTypeJWTBearerIssuedDateOptional added in v4.37.3 

func (c *Config) GetGrantTypeJWTBearerIssuedDateOptional(ctx context.Context) (optional bool)

GetGrantTypeJWTBearerIssuedDateOptional returns the grant type JWT bearer issued date optional.

func (*Config) GetHMACHasher added in v4.37.3 

func (c *Config) GetHMACHasher(ctx context.Context) func() (h hash.Hash)

GetHMACHasher returns the hash function.

func (*Config) GetHTTPClient added in v4.37.3 

func (c *Config) GetHTTPClient(ctx context.Context) (client *retryablehttp.Client)

GetHTTPClient returns the HTTP client provider.

func (*Config) GetIDTokenIssuer added in v4.37.3 

func (c *Config) GetIDTokenIssuer(ctx context.Context) (issuer string)

GetIDTokenIssuer returns the ID token issuer.

func (*Config) GetIDTokenLifespan added in v4.37.3 

func (c *Config) GetIDTokenLifespan(ctx context.Context) (lifespan time.Duration)

GetIDTokenLifespan returns the ID token lifespan.

func (*Config) GetJWKSFetcherStrategy added in v4.37.3 

func (c *Config) GetJWKSFetcherStrategy(ctx context.Context) (strategy fosite.JWKSFetcherStrategy)

GetJWKSFetcherStrategy returns the JWKS fetcher strategy.

func (*Config) GetJWTMaxDuration added in v4.37.3 

func (c *Config) GetJWTMaxDuration(ctx context.Context) (duration time.Duration)

GetJWTMaxDuration returns the JWT max duration.

func (*Config) GetJWTScopeField added in v4.37.3 

func (c *Config) GetJWTScopeField(ctx context.Context) (field jwt.JWTScopeFieldEnum)

GetJWTScopeField returns the JWT scope field.

func (*Config) GetMessageCatalog added in v4.37.3 

func (c *Config) GetMessageCatalog(ctx context.Context) (catalog i18n.MessageCatalog)

GetMessageCatalog returns the message catalog.

func (*Config) GetMinParameterEntropy added in v4.37.3 

func (c *Config) GetMinParameterEntropy(_ context.Context) (entropy int)

GetMinParameterEntropy returns the minimum parameter entropy.

func (*Config) GetOmitRedirectScopeParam added in v4.37.3 

func (c *Config) GetOmitRedirectScopeParam(ctx context.Context) (omit bool)

GetOmitRedirectScopeParam must be set to true if the scope query param is to be omitted in the authorization's redirect URI.

func (*Config) GetPushedAuthorizeContextLifespan added in v4.37.3 

func (c *Config) GetPushedAuthorizeContextLifespan(ctx context.Context) (lifespan time.Duration)

GetPushedAuthorizeContextLifespan is the lifespan of the short-lived PAR context.

func (*Config) GetPushedAuthorizeEndpointHandlers added in v4.37.3 

func (c *Config) GetPushedAuthorizeEndpointHandlers(ctx context.Context) fosite.PushedAuthorizeEndpointHandlers

GetPushedAuthorizeEndpointHandlers returns the handlers.

func (*Config) GetPushedAuthorizeRequestURIPrefix added in v4.37.3 

func (c *Config) GetPushedAuthorizeRequestURIPrefix(ctx context.Context) string

GetPushedAuthorizeRequestURIPrefix is the request URI prefix. This is usually 'urn:ietf:params:oauth:request_uri:'.

func (*Config) GetRedirectSecureChecker added in v4.37.3 

func (c *Config) GetRedirectSecureChecker(ctx context.Context) func(context.Context, *url.URL) (secure bool)

GetRedirectSecureChecker returns the redirect URL security validator.

func (*Config) GetRefreshTokenLifespan added in v4.37.3 

func (c *Config) GetRefreshTokenLifespan(ctx context.Context) (lifespan time.Duration)

GetRefreshTokenLifespan returns the refresh token lifespan.

func (*Config) GetRefreshTokenScopes added in v4.37.3 

func (c *Config) GetRefreshTokenScopes(ctx context.Context) (scopes []string)

GetRefreshTokenScopes returns the refresh token scopes.

func (*Config) GetResponseModeHandlerExtension added in v4.37.3 

func (c *Config) GetResponseModeHandlerExtension(ctx context.Context) (handler fosite.ResponseModeHandler)

GetResponseModeHandlerExtension returns the response mode handler extension.

func (*Config) GetRevocationHandlers added in v4.37.3 

func (c *Config) GetRevocationHandlers(ctx context.Context) (handlers fosite.RevocationHandlers)

GetRevocationHandlers returns the revocation handlers.

func (*Config) GetRotatedGlobalSecrets added in v4.37.3 

func (c *Config) GetRotatedGlobalSecrets(ctx context.Context) (secrets [][]byte, err error)

GetRotatedGlobalSecrets returns the rotated global secrets.

func (*Config) GetSanitationWhiteList added in v4.37.3 

func (c *Config) GetSanitationWhiteList(ctx context.Context) (whitelist []string)

GetSanitationWhiteList is a whitelist of form values that are required by the token endpoint. These values are safe for storage in a database (cleartext).

func (*Config) GetScopeStrategy added in v4.37.3 

func (c *Config) GetScopeStrategy(ctx context.Context) (strategy fosite.ScopeStrategy)

GetScopeStrategy returns the scope strategy.

func (*Config) GetSecretsHasher added in v4.37.3 

func (c *Config) GetSecretsHasher(ctx context.Context) (hasher fosite.Hasher)

GetSecretsHasher returns the client secrets hashing function.

func (*Config) GetSendDebugMessagesToClients added in v4.37.3 

func (c *Config) GetSendDebugMessagesToClients(ctx context.Context) (send bool)

GetSendDebugMessagesToClients returns the send debug messages to clients.

func (*Config) GetTokenEndpointHandlers added in v4.37.3 

func (c *Config) GetTokenEndpointHandlers(ctx context.Context) (handlers fosite.TokenEndpointHandlers)

GetTokenEndpointHandlers returns the token endpoint handlers.

func (*Config) GetTokenEntropy added in v4.37.3 

func (c *Config) GetTokenEntropy(ctx context.Context) (entropy int)

GetTokenEntropy returns the token entropy.

func (*Config) GetTokenIntrospectionHandlers added in v4.37.3 

func (c *Config) GetTokenIntrospectionHandlers(ctx context.Context) (handlers fosite.TokenIntrospectionHandlers)

GetTokenIntrospectionHandlers returns the token introspection handlers.

func (*Config) GetTokenURL added in v4.37.3 

func (c *Config) GetTokenURL(ctx context.Context) (tokenURL string)

GetTokenURL returns the token URL.

func (*Config) GetUseLegacyErrorFormat deprecated added in v4.37.3 

func (c *Config) GetUseLegacyErrorFormat(ctx context.Context) (use bool)

GetUseLegacyErrorFormat returns whether to use the legacy error format.

Deprecated: Do not use this flag anymore.

func (*Config) LoadHandlers added in v4.37.3 

func (c *Config) LoadHandlers(store *Store, strategy jwt.Signer)

type ConsentGetResponseBody 

type ConsentGetResponseBody struct {
	ClientID          string   `json:"client_id"`
	ClientDescription string   `json:"client_description"`
	Scopes            []string `json:"scopes"`
	Audience          []string `json:"audience"`
	PreConfiguration  bool     `json:"pre_configuration"`
}

ConsentGetResponseBody schema of the response body of the consent GET endpoint.

type ConsentPostRequestBody added in v4.35.0 

type ConsentPostRequestBody struct {
	ConsentID    string `json:"id"`
	ClientID     string `json:"client_id"`
	Consent      bool   `json:"consent"`
	PreConfigure bool   `json:"pre_configure"`
}

ConsentPostRequestBody schema of the request body of the consent POST endpoint.

type ConsentPostResponseBody added in v4.35.0 

type ConsentPostResponseBody struct {
	RedirectURI string `json:"redirect_uri"`
}

ConsentPostResponseBody schema of the response body of the consent POST endpoint.

type GrantTypeJWTBearerConfig added in v4.37.3 

type GrantTypeJWTBearerConfig struct {
	OptionalClientAuth bool
	OptionalJTIClaim   bool
	OptionalIssuedDate bool
}

type HMACCoreStrategy added in v4.37.3 

type HMACCoreStrategy struct {
	Enigma *hmac.HMACStrategy
	Config interface {
		fosite.AccessTokenLifespanProvider
		fosite.RefreshTokenLifespanProvider
		fosite.AuthorizeCodeLifespanProvider
	}
	// contains filtered or unexported fields
}

HMACCoreStrategy implements oauth2.CoreStrategy. It's a copy of the oauth2.HMACSHAStrategy.

func (*HMACCoreStrategy) AccessTokenSignature added in v4.37.3 

func (h *HMACCoreStrategy) AccessTokenSignature(ctx context.Context, token string) string

AccessTokenSignature implements oauth2.AccessTokenStrategy.

func (*HMACCoreStrategy) AuthorizeCodeSignature added in v4.37.3 

func (h *HMACCoreStrategy) AuthorizeCodeSignature(ctx context.Context, token string) string

AuthorizeCodeSignature implements oauth2.AuthorizeCodeStrategy.

func (*HMACCoreStrategy) GenerateAccessToken added in v4.37.3 

func (h *HMACCoreStrategy) GenerateAccessToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error)

GenerateAccessToken implements oauth2.AccessTokenStrategy.

func (*HMACCoreStrategy) GenerateAuthorizeCode added in v4.37.3 

func (h *HMACCoreStrategy) GenerateAuthorizeCode(ctx context.Context, _ fosite.Requester) (token string, signature string, err error)

GenerateAuthorizeCode implements oauth2.AuthorizeCodeStrategy.

func (*HMACCoreStrategy) GenerateRefreshToken added in v4.37.3 

func (h *HMACCoreStrategy) GenerateRefreshToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error)

GenerateRefreshToken implements oauth2.RefreshTokenStrategy.

func (*HMACCoreStrategy) RefreshTokenSignature added in v4.37.3 

func (h *HMACCoreStrategy) RefreshTokenSignature(ctx context.Context, token string) string

RefreshTokenSignature implements oauth2.RefreshTokenStrategy.

func (*HMACCoreStrategy) ValidateAccessToken added in v4.37.3 

func (h *HMACCoreStrategy) ValidateAccessToken(ctx context.Context, r fosite.Requester, token string) (err error)

ValidateAccessToken implements oauth2.AccessTokenStrategy.

func (*HMACCoreStrategy) ValidateAuthorizeCode added in v4.37.3 

func (h *HMACCoreStrategy) ValidateAuthorizeCode(ctx context.Context, r fosite.Requester, token string) (err error)

ValidateAuthorizeCode implements oauth2.AuthorizeCodeStrategy.

func (*HMACCoreStrategy) ValidateRefreshToken added in v4.37.3 

func (h *HMACCoreStrategy) ValidateRefreshToken(ctx context.Context, r fosite.Requester, token string) (err error)

ValidateRefreshToken implements oauth2.RefreshTokenStrategy.

type HandlersConfig added in v4.37.3 

type HandlersConfig struct {
	// ResponseMode provides an extension handler for custom response modes.
	ResponseMode fosite.ResponseModeHandler

	// AuthorizeEndpoint is a list of handlers that are called before the authorization endpoint is served.
	AuthorizeEndpoint fosite.AuthorizeEndpointHandlers

	// TokenEndpoint is a list of handlers that are called before the token endpoint is served.
	TokenEndpoint fosite.TokenEndpointHandlers

	// TokenIntrospection is a list of handlers that are called before the token introspection endpoint is served.
	TokenIntrospection fosite.TokenIntrospectionHandlers

	// Revocation is a list of handlers that are called before the revocation endpoint is served.
	Revocation fosite.RevocationHandlers

	// PushedAuthorizeEndpoint is a list of handlers that are called before the PAR endpoint is served.
	PushedAuthorizeEndpoint fosite.PushedAuthorizeEndpointHandlers
}

type HashConfig added in v4.37.3 

type HashConfig struct {
	ClientSecrets fosite.Hasher
	HMAC          func() (h hash.Hash)
}

type IssuersConfig added in v4.37.3 

type IssuersConfig struct {
	IDToken     string
	AccessToken string
}

type JWK added in v4.37.0 

type JWK struct {
	// contains filtered or unexported fields
}

JWK is a utility wrapper for JSON Web Key's.

func NewJWK added in v4.37.0 

func NewJWK(chain schema.X509CertificateChain, key *rsa.PrivateKey) (j *JWK, err error)

NewJWK creates a new JWK.

func (*JWK) GetPrivateKey added in v4.37.3 

func (j *JWK) GetPrivateKey(ctx context.Context) (key any, err error)

func (*JWK) JSONWebKey added in v4.37.0 

func (j *JWK) JSONWebKey() (jwk *jose.JSONWebKey)

JSONWebKey returns the relevant *jose.JSONWebKey for this JWT.

func (*JWK) Strategy added in v4.37.0 

func (j *JWK) Strategy() (strategy jwt.Signer)

Strategy returns the relevant jwt.JWTStrategy for this JWT.

type JWTStrategy added in v4.37.0 

type JWTStrategy struct {
	jwt.Signer
	// contains filtered or unexported fields
}

JWTStrategy is a decorator struct for the fosite jwt.JWTStrategy.

func (*JWTStrategy) GetPublicKeyID added in v4.37.0 

func (s *JWTStrategy) GetPublicKeyID(_ context.Context) (string, error)

GetPublicKeyID is a decorator func for the underlying fosite RS256JWTStrategy.

func (*JWTStrategy) KeyID added in v4.37.0 

func (s *JWTStrategy) KeyID() (id string)

KeyID returns the key id.

type KeyManager 

type KeyManager struct {
	// contains filtered or unexported fields
}

KeyManager keeps track of all of the active/inactive rsa keys and provides them to services requiring them. It additionally allows us to add keys for the purpose of key rotation in the future.

func NewKeyManager 

func NewKeyManager() (manager *KeyManager)

NewKeyManager creates a new empty KeyManager.

func NewKeyManagerWithConfiguration 

func NewKeyManagerWithConfiguration(config *schema.OpenIDConnectConfiguration) (manager *KeyManager, err error)

NewKeyManagerWithConfiguration when provided a schema.OpenIDConnectConfiguration creates a new KeyManager and adds an initial key to the manager.

func (*KeyManager) AddActiveJWK added in v4.37.0 

func (m *KeyManager) AddActiveJWK(chain schema.X509CertificateChain, key *rsa.PrivateKey) (jwk *JWK, err error)

AddActiveJWK is used to add a cert and key pair.

func (*KeyManager) GetActiveJWK added in v4.37.0 

func (m *KeyManager) GetActiveJWK() (jwk *jose.JSONWebKey, err error)

GetActiveJWK obtains the currently active jose.JSONWebKey.

func (*KeyManager) GetActiveKeyID 

func (m *KeyManager) GetActiveKeyID() (keyID string)

GetActiveKeyID returns the key id of the currently active key.

func (*KeyManager) GetActivePrivateKey 

func (m *KeyManager) GetActivePrivateKey() (key *rsa.PrivateKey, err error)

GetActivePrivateKey returns the rsa.PrivateKey of the currently active key.

func (*KeyManager) GetKeySet 

func (m *KeyManager) GetKeySet() (jwks *jose.JSONWebKeySet)

GetKeySet returns the joseJSONWebKeySet containing the rsa.PublicKey types.

func (*KeyManager) Strategy 

func (m *KeyManager) Strategy() (strategy jwt.Signer)

Strategy returns the fosite jwt.JWTStrategy.

type LifespanConfig added in v4.37.3 

type LifespanConfig struct {
	AccessToken   time.Duration
	AuthorizeCode time.Duration
	IDToken       time.Duration
	RefreshToken  time.Duration
}

type OAuth2DiscoveryOptions added in v4.34.0 

type OAuth2DiscoveryOptions struct {
	/*
		 	OPTIONAL. URL of the authorization server's OAuth 2.0 introspection endpoint [RFC7662].
			See Also:
				OAuth 2.0 Token Introspection: https://datatracker.ietf.org/doc/html/rfc7662
	*/
	IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`

	/*
		OPTIONAL. URL of the authorization server's OAuth 2.0 revocation endpoint [RFC7009].
		See Also:
			OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
	*/
	RevocationEndpoint string `json:"revocation_endpoint,omitempty"`

	/*
		OPTIONAL. URL of the authorization server's OAuth 2.0 Dynamic Client Registration endpoint [RFC7591].
		See Also:
			OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
	*/
	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of client authentication methods supported by this introspection endpoint.
		The valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
		Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access Token Types"
		registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.) If omitted,
		the set of supported authentication methods MUST be determined by other means.
		See Also:
			IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
			OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2
	*/
	IntrospectionEndpointAuthMethodsSupported []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of client authentication methods supported by this revocation endpoint.
		The valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
		Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic" --
		the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
		See Also:
			IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
			OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
	*/
	RevocationEndpointAuthMethodsSupported []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
		endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for the
		"private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if either
		of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported" entry. No
		default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
		See Also:
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the
		introspection endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection
		endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be
		present if either of these authentication methods are specified in the
		"introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is omitted.
		The value "none" MUST NOT be used.
		See Also:
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization
		server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section 4.3 of
		[RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code Challenge Methods"
		registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support PKCE.
		See Also:
			PKCE: https://datatracker.ietf.org/doc/html/rfc7636
			IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
	*/
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
}

OAuth2DiscoveryOptions represents the discovery options specific to OAuth 2.0.

type OAuth2WellKnownConfiguration added in v4.34.0 

type OAuth2WellKnownConfiguration struct {
	CommonDiscoveryOptions
	OAuth2DiscoveryOptions
	PushedAuthorizationDiscoveryOptions
}

OAuth2WellKnownConfiguration represents the well known discovery document specific to OAuth 2.0.

type OpenIDConnectBackChannelLogoutDiscoveryOptions added in v4.34.0 

type OpenIDConnectBackChannelLogoutDiscoveryOptions struct {
	/*
		OPTIONAL. Boolean value specifying whether the OP supports back-channel logout, with true indicating support.
		If omitted, the default value is false.
	*/
	BackChannelLogoutSupported bool `json:"backchannel_logout_supported"`

	/*
		OPTIONAL. Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to
		identify the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP.
		If omitted, the default value is false.
	*/
	BackChannelLogoutSessionSupported bool `json:"backchannel_logout_session_supported"`
}

OpenIDConnectBackChannelLogoutDiscoveryOptions represents the discovery options specific to OpenID Connect Back-Channel Logout functionality. See Also: 

OpenID Connect Back-Channel Logout: https://openid.net/specs/openid-connect-backchannel-1_0.html#BCSupport

type OpenIDConnectDiscoveryOptions added in v4.34.0 

type OpenIDConnectDiscoveryOptions struct {
	/*
		RECOMMENDED. URL of the OP's UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain
		port, path, and query parameter components.
		See Also:
			OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
	*/
	UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"`

	/*
		REQUIRED. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID
		Token to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported,
		but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint (such as
		when using the Authorization Code Flow).
		See Also:
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the
		UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included.
		See Also:
			JWS: https://datatracker.ietf.org/doc/html/rfc7515
			JWA: https://datatracker.ietf.org/doc/html/rfc7518
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request
		Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used
		both when the Request Object is passed by value (using the request parameter) and when it is passed by reference
		(using the request_uri parameter). Servers SHOULD support none and RS256.
	*/
	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the
		ID Token to encode the Claims in a JWT [JWT].
		See Also:
			JWE: https://datatracker.ietf.org/doc/html/rfc7516
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	IDTokenEncryptionAlgValuesSupported []string `json:"id_token_encryption_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by
		the UserInfo Endpoint to encode the Claims in a JWT [JWT].
		See Also:
			JWE: https://datatracker.ietf.org/doc/html/rfc7516
			JWA: https://datatracker.ietf.org/doc/html/rfc7518
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	UserinfoEncryptionAlgValuesSupported []string `json:"userinfo_encryption_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for
		Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed
		by reference.
		See Also:
			JWE: https://datatracker.ietf.org/doc/html/rfc7516
	*/
	RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the
		ID Token to encode the Claims in a JWT [JWT].
		See Also:
			JWE: https://datatracker.ietf.org/doc/html/rfc7516
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	IDTokenEncryptionEncValuesSupported []string `json:"id_token_encryption_enc_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the
		UserInfo Endpoint to encode the Claims in a JWT [JWT].
		See Also:
			JWE: https://datatracker.ietf.org/doc/html/rfc7516
			JWA: https://datatracker.ietf.org/doc/html/rfc7518
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	UserinfoEncryptionEncValuesSupported []string `json:"userinfo_encryption_enc_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for
		Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed
		by reference.
		See Also:
			JWE: https://datatracker.ietf.org/doc/html/rfc7516
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the Authentication Context Class References that this OP supports.
	*/
	ACRValuesSupported []string `json:"acr_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the display parameter values that the OpenID Provider supports. These
		values are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core].
		See Also:
			OpenID.Core Section 3.1.2.1: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
	*/
	DisplayValuesSupported []string `json:"display_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types
		are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this specification are
		normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims.
		See Also:
			OpenID.Core Section 5.6: https://openid.net/specs/openid-connect-core-1_0.html#ClaimTypes
	*/
	ClaimTypesSupported []string `json:"claim_types_supported,omitempty"`

	/*
		OPTIONAL. Languages and scripts supported for values in Claims being returned, represented as a JSON array of
		BCP47 [RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values.
		See Also:
			BCP47: https://datatracker.ietf.org/doc/html/rfc5646
	*/
	ClaimLocalesSupported []string `json:"claims_locales_supported,omitempty"`

	/*
		OPTIONAL. Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating
		support. If omitted, the default value is true.
	*/
	RequestURIParameterSupported bool `json:"request_uri_parameter_supported"`

	/*
		OPTIONAL. Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using
		the request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the
		default value is false.
	*/
	RequireRequestURIRegistration bool `json:"require_request_uri_registration"`

	/*
		OPTIONAL. Boolean value specifying whether the OP supports use of the claims parameter, with true indicating
		support. If omitted, the default value is false.
	*/
	ClaimsParameterSupported bool `json:"claims_parameter_supported"`
}

OpenIDConnectDiscoveryOptions represents the discovery options specific to OpenID Connect.

type OpenIDConnectFrontChannelLogoutDiscoveryOptions added in v4.34.0 

type OpenIDConnectFrontChannelLogoutDiscoveryOptions struct {
	/*
		OPTIONAL. Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. If
		omitted, the default value is false.
	*/
	FrontChannelLogoutSupported bool `json:"frontchannel_logout_supported"`

	/*
		OPTIONAL. Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to
		identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also
		included in ID Tokens issued by the OP. If omitted, the default value is false.
	*/
	FrontChannelLogoutSessionSupported bool `json:"frontchannel_logout_session_supported"`
}

OpenIDConnectFrontChannelLogoutDiscoveryOptions represents the discovery options specific to OpenID Connect Front-Channel Logout functionality. See Also: 

OpenID Connect Front-Channel Logout: https://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout

type OpenIDConnectProvider 

type OpenIDConnectProvider struct {
	fosite.OAuth2Provider
	*herodot.JSONWriter
	*Store
	*Config

	KeyManager *KeyManager
	// contains filtered or unexported fields
}

OpenIDConnectProvider for OpenID Connect.

func NewOpenIDConnectProvider 

func NewOpenIDConnectProvider(config *schema.OpenIDConnectConfiguration, store storage.Provider) (provider *OpenIDConnectProvider, err error)

NewOpenIDConnectProvider new-ups a OpenIDConnectProvider.

func (*OpenIDConnectProvider) GetOAuth2WellKnownConfiguration added in v4.34.0 

func (p *OpenIDConnectProvider) GetOAuth2WellKnownConfiguration(issuer string) OAuth2WellKnownConfiguration

GetOAuth2WellKnownConfiguration returns the discovery document for the OAuth Configuration.

func (*OpenIDConnectProvider) GetOpenIDConnectWellKnownConfiguration added in v4.34.0 

func (p *OpenIDConnectProvider) GetOpenIDConnectWellKnownConfiguration(issuer string) OpenIDConnectWellKnownConfiguration

GetOpenIDConnectWellKnownConfiguration returns the discovery document for the OpenID Configuration.

type OpenIDConnectWellKnownConfiguration added in v4.34.0 

type OpenIDConnectWellKnownConfiguration struct {
	CommonDiscoveryOptions
	OAuth2DiscoveryOptions
	PushedAuthorizationDiscoveryOptions
	OpenIDConnectDiscoveryOptions
	OpenIDConnectFrontChannelLogoutDiscoveryOptions
	OpenIDConnectBackChannelLogoutDiscoveryOptions
}

OpenIDConnectWellKnownConfiguration represents the well known discovery document specific to OpenID Connect.

func NewOpenIDConnectWellKnownConfiguration added in v4.35.0 

func NewOpenIDConnectWellKnownConfiguration(enablePKCEPlainChallenge bool, clients map[string]*Client) (config OpenIDConnectWellKnownConfiguration)

NewOpenIDConnectWellKnownConfiguration generates a new OpenIDConnectWellKnownConfiguration.

type PARConfig added in v4.37.3 

type PARConfig struct {
	Enforced        bool
	URIPrefix       string
	ContextLifespan time.Duration
}

type ProofKeyCodeExchangeConfig added in v4.37.3 

type ProofKeyCodeExchangeConfig struct {
	Enforce                   bool
	EnforcePublicClients      bool
	AllowPlainChallengeMethod bool
}

type PushedAuthorizationDiscoveryOptions added in v4.37.3 

type PushedAuthorizationDiscoveryOptions struct {
	/*
	   The URL of the pushed authorization request endpoint at which a client can post an authorization request to
	   exchange for a "request_uri" value usable at the authorization server.
	*/
	PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint,omitempty"`

	/*
		    Boolean parameter indicating whether the authorization server accepts authorization request data only via PAR.
			If omitted, the default value is "false".
	*/
	RequirePushedAuthorizationRequests bool `json:"require_pushed_authorization_requests"`
}

PushedAuthorizationDiscoveryOptions represents the well known discovery document specific to the OAuth 2.0 Pushed Authorization Requests (RFC9126) implementation.

OAuth 2.0 Pushed Authorization Requests: https://datatracker.ietf.org/doc/html/rfc9126#section-5

type Store added in v4.37.0 

type Store struct {
	// contains filtered or unexported fields
}

Store is Authelia's internal representation of the fosite.Storage interface. It maps the following interfaces to the storage.Provider interface: fosite.Storage, fosite.ClientManager, storage.Transactional, oauth2.AuthorizeCodeStorage, oauth2.AccessTokenStorage, oauth2.RefreshTokenStorage, oauth2.TokenRevocationStorage, pkce.PKCERequestStorage, openid.OpenIDConnectRequestStorage, and partially implements rfc7523.RFC7523KeyStorage.

func NewStore added in v4.37.3 

func NewStore(config *schema.OpenIDConnectConfiguration, provider storage.Provider) (store *Store)

NewStore returns a Store when provided with a schema.OpenIDConnectConfiguration and storage.Provider.

func (*Store) BeginTX added in v4.37.0 

func (s *Store) BeginTX(ctx context.Context) (c context.Context, err error)

BeginTX starts a transaction. This implements a portion of fosite storage.Transactional interface.

func (*Store) ClientAssertionJWTValid added in v4.37.0 

func (s *Store) ClientAssertionJWTValid(ctx context.Context, jti string) (err error)

ClientAssertionJWTValid returns an error if the JTI is known or the DB check failed and nil if the JTI is not known. This implements a portion of fosite.ClientManager.

func (*Store) Commit added in v4.37.0 

func (s *Store) Commit(ctx context.Context) (err error)

Commit completes a transaction. This implements a portion of fosite storage.Transactional interface.

func (*Store) CreateAccessTokenSession added in v4.37.0 

func (s *Store) CreateAccessTokenSession(ctx context.Context, signature string, request fosite.Requester) (err error)

CreateAccessTokenSession stores the authorization request for a given access token. This implements a portion of oauth2.AccessTokenStorage.

func (*Store) CreateAuthorizeCodeSession added in v4.37.0 

func (s *Store) CreateAuthorizeCodeSession(ctx context.Context, code string, request fosite.Requester) (err error)

CreateAuthorizeCodeSession stores the authorization request for a given authorization code. This implements a portion of oauth2.AuthorizeCodeStorage.

func (*Store) CreateOpenIDConnectSession added in v4.37.0 

func (s *Store) CreateOpenIDConnectSession(ctx context.Context, authorizeCode string, request fosite.Requester) (err error)

CreateOpenIDConnectSession creates an open id connect session for a given authorize code. This is relevant for explicit open id connect flow. This implements a portion of openid.OpenIDConnectRequestStorage.

func (*Store) CreatePKCERequestSession added in v4.37.0 

func (s *Store) CreatePKCERequestSession(ctx context.Context, signature string, request fosite.Requester) (err error)

CreatePKCERequestSession stores the authorization request for a given PKCE request. This implements a portion of pkce.PKCERequestStorage.

func (*Store) CreateRefreshTokenSession added in v4.37.0 

func (s *Store) CreateRefreshTokenSession(ctx context.Context, signature string, request fosite.Requester) (err error)

CreateRefreshTokenSession stores the authorization request for a given refresh token. This implements a portion of oauth2.RefreshTokenStorage.

func (*Store) DeleteAccessTokenSession added in v4.37.0 

func (s *Store) DeleteAccessTokenSession(ctx context.Context, signature string) (err error)

DeleteAccessTokenSession marks an access token session as deleted. This implements a portion of oauth2.AccessTokenStorage.

func (*Store) DeleteOpenIDConnectSession added in v4.37.0 

func (s *Store) DeleteOpenIDConnectSession(ctx context.Context, authorizeCode string) (err error)

DeleteOpenIDConnectSession just implements the method required by fosite even though it's unused. This implements a portion of openid.OpenIDConnectRequestStorage.

func (*Store) DeletePKCERequestSession added in v4.37.0 

func (s *Store) DeletePKCERequestSession(ctx context.Context, signature string) (err error)

DeletePKCERequestSession marks the authorization request for a given PKCE request as deleted. This implements a portion of pkce.PKCERequestStorage.

func (*Store) DeleteRefreshTokenSession added in v4.37.0 

func (s *Store) DeleteRefreshTokenSession(ctx context.Context, signature string) (err error)

DeleteRefreshTokenSession marks the authorization request for a given refresh token as deleted. This implements a portion of oauth2.RefreshTokenStorage.

func (*Store) GenerateOpaqueUserID added in v4.37.0 

func (s *Store) GenerateOpaqueUserID(ctx context.Context, sectorID, username string) (opaqueID *model.UserOpaqueIdentifier, err error)

GenerateOpaqueUserID either retrieves or creates an opaque user id from a sectorID and username.

func (*Store) GetAccessTokenSession added in v4.37.0 

func (s *Store) GetAccessTokenSession(ctx context.Context, signature string, session fosite.Session) (request fosite.Requester, err error)

GetAccessTokenSession gets the authorization request for a given access token. This implements a portion of oauth2.AccessTokenStorage.

func (*Store) GetAuthorizeCodeSession added in v4.37.0 

func (s *Store) GetAuthorizeCodeSession(ctx context.Context, code string, session fosite.Session) (request fosite.Requester, err error)

GetAuthorizeCodeSession hydrates the session based on the given code and returns the authorization request. If the authorization code has been invalidated with `InvalidateAuthorizeCodeSession`, this method should return the ErrInvalidatedAuthorizeCode error. Make sure to also return the fosite.Requester value when returning the fosite.ErrInvalidatedAuthorizeCode error! This implements a portion of oauth2.AuthorizeCodeStorage.

func (*Store) GetClient added in v4.37.0 

func (s *Store) GetClient(_ context.Context, id string) (client fosite.Client, err error)

GetClient loads the client by its ID or returns an error if the client does not exist or another error occurred. This implements a portion of fosite.ClientManager.

func (*Store) GetClientPolicy added in v4.37.0 

func (s *Store) GetClientPolicy(id string) (level authorization.Level)

GetClientPolicy retrieves the policy from the client with the matching provided id.

func (*Store) GetFullClient added in v4.37.0 

func (s *Store) GetFullClient(id string) (client *Client, err error)

GetFullClient returns a fosite.Client asserted as an Client matching the provided id.

func (*Store) GetOpenIDConnectSession added in v4.37.0 

func (s *Store) GetOpenIDConnectSession(ctx context.Context, authorizeCode string, request fosite.Requester) (r fosite.Requester, err error)

GetOpenIDConnectSession returns error: - nil if a session was found, - ErrNoSessionFound if no session was found - or an arbitrary error if an error occurred. This implements a portion of openid.OpenIDConnectRequestStorage.

func (*Store) GetPKCERequestSession added in v4.37.0 

func (s *Store) GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (requester fosite.Requester, err error)

GetPKCERequestSession gets the authorization request for a given PKCE request. This implements a portion of pkce.PKCERequestStorage.

func (*Store) GetRefreshTokenSession added in v4.37.0 

func (s *Store) GetRefreshTokenSession(ctx context.Context, signature string, session fosite.Session) (request fosite.Requester, err error)

GetRefreshTokenSession gets the authorization request for a given refresh token. This implements a portion of oauth2.RefreshTokenStorage.

func (*Store) GetSubject added in v4.37.0 

func (s *Store) GetSubject(ctx context.Context, sectorID, username string) (subject uuid.UUID, err error)

GetSubject returns a subject UUID for a username. If it exists, it returns the existing one, otherwise it creates and saves it.

func (*Store) InvalidateAuthorizeCodeSession added in v4.37.0 

func (s *Store) InvalidateAuthorizeCodeSession(ctx context.Context, code string) (err error)

InvalidateAuthorizeCodeSession is called when an authorize code is being used. The state of the authorization code should be set to invalid and consecutive requests to GetAuthorizeCodeSession should return the ErrInvalidatedAuthorizeCode error. This implements a portion of oauth2.AuthorizeCodeStorage.

func (*Store) IsJWTUsed added in v4.37.0 

func (s *Store) IsJWTUsed(ctx context.Context, jti string) (used bool, err error)

IsJWTUsed implements an interface required for RFC7523.

func (*Store) IsValidClientID added in v4.37.0 

func (s *Store) IsValidClientID(id string) (valid bool)

IsValidClientID returns true if the provided id exists in the OpenIDConnectProvider.Clients map.

func (*Store) MarkJWTUsedForTime added in v4.37.0 

func (s *Store) MarkJWTUsedForTime(ctx context.Context, jti string, exp time.Time) (err error)

MarkJWTUsedForTime implements an interface required for rfc7523.RFC7523KeyStorage.

func (*Store) RevokeAccessToken added in v4.37.0 

func (s *Store) RevokeAccessToken(ctx context.Context, requestID string) (err error)

RevokeAccessToken revokes an access token as specified in: https://tools.ietf.org/html/rfc7009#section-2.1 If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well. This implements a portion of oauth2.TokenRevocationStorage.

func (*Store) RevokeRefreshToken added in v4.37.0 

func (s *Store) RevokeRefreshToken(ctx context.Context, requestID string) (err error)

RevokeRefreshToken revokes a refresh token as specified in: https://tools.ietf.org/html/rfc7009#section-2.1 If the particular token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant (see Implementation Note). This implements a portion of oauth2.TokenRevocationStorage.

func (*Store) RevokeRefreshTokenMaybeGracePeriod added in v4.37.0 

func (s *Store) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) (err error)

RevokeRefreshTokenMaybeGracePeriod revokes an access token as specified in: https://tools.ietf.org/html/rfc7009#section-2.1 If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well. This implements a portion of oauth2.TokenRevocationStorage.

func (*Store) Rollback added in v4.37.0 

func (s *Store) Rollback(ctx context.Context) (err error)

Rollback rolls a transaction back. This implements a portion of fosite storage.Transactional interface.

func (*Store) SetClientAssertionJWT added in v4.37.0 

func (s *Store) SetClientAssertionJWT(ctx context.Context, jti string, exp time.Time) (err error)

SetClientAssertionJWT marks a JTI as known for the given expiry time. Before inserting the new JTI, it will clean up any existing JTIs that have expired as those tokens can not be replayed due to the expiry. This implements a portion of fosite.ClientManager.

type StrategyConfig added in v4.37.3 

type StrategyConfig struct {
	Core                 oauth2.CoreStrategy
	OpenID               openid.OpenIDConnectTokenStrategy
	Audience             fosite.AudienceMatchingStrategy
	Scope                fosite.ScopeStrategy
	JWKSFetcher          fosite.JWKSFetcherStrategy
	ClientAuthentication fosite.ClientAuthenticationStrategy
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.