Documentation
Index
- Constants
- Variables
- func AccessResponderToClearMap(responder oauthelia2.AccessResponder) map[string]any
- func GetLangFromRequester(requester oauthelia2.Requester) language.Tag
- func IsAccessToken(ctx Context, value string) (is bool, err error)
- func IsJWTProfileAccessToken(header map[string]any) bool
- func IsMaybeSignedJWT(value string) (is bool)
- func IsPushedAuthorizedRequest(r oauthelia2.Requester, prefix string) bool
- func NewPublicJSONWebKeySetFromSchemaJWK(sjwks []schema.JWK) (jwks *jose.JSONWebKeySet)
- func PopulateClientCredentialsFlowRequester(ctx Context, config oauthelia2.Configurator, client oauthelia2.Client, ...) (err error)
- func PopulateClientCredentialsFlowSessionWithAccessRequest(ctx Context, client oauthelia2.Client, session *Session) (err error)
- func RFC6750Header(realm, scope string, err *oauthelia2.RFC6749Error) string
- func ValidateSectorIdentifierURI(ctx ClientContext, cache map[string][]string, sectorURI *url.URL, ...) (err error)
- type AuthenticationMethodsReferences
- func (r AuthenticationMethodsReferences) ChannelBrowser() bool
- func (r AuthenticationMethodsReferences) ChannelService() bool
- func (r AuthenticationMethodsReferences) FactorKnowledge() bool
- func (r AuthenticationMethodsReferences) FactorPossession() bool
- func (r AuthenticationMethodsReferences) MarshalRFC8176() []string
- func (r AuthenticationMethodsReferences) MultiChannelAuthentication() bool
- func (r AuthenticationMethodsReferences) MultiFactorAuthentication() bool
- type AuthorizationServerIssuerIdentificationProvider
- type Client
- type ClientAuthorizationPolicy
- type ClientAuthorizationPolicyRule
- type ClientConsentMode
- type ClientConsentPolicy
- type ClientContext
- type ClientRequestedAudienceMode
- type ClientRequesterResponder
- type ClientSecretDigest
- type ClientStore
- type CommonDiscoveryOptions
- type Config
- func (c *Config) GetAccessTokenIssuer(ctx context.Context) (issuer string)
- func (c *Config) GetAccessTokenLifespan(ctx context.Context) (lifespan time.Duration)
- func (c *Config) GetAllowedJWTAssertionAudiences(ctx context.Context) (audiences []string)
- func (c *Config) GetAllowedPrompts(ctx context.Context) (prompts []string)
- func (c *Config) GetAudienceStrategy(ctx context.Context) (strategy oauthelia2.AudienceMatchingStrategy)
- func (c *Config) GetAuthorizationServerIdentificationIssuer(ctx context.Context) (issuer string)
- func (c *Config) GetAuthorizeCodeLifespan(ctx context.Context) (lifespan time.Duration)
- func (c *Config) GetAuthorizeEndpointHandlers(ctx context.Context) (handlers oauthelia2.AuthorizeEndpointHandlers)
- func (c *Config) GetClientAuthenticationStrategy(ctx context.Context) (strategy oauthelia2.ClientAuthenticationStrategy)
- func (c *Config) GetClientCredentialsFlowImplicitGrantRequested(ctx context.Context) (implicit bool)
- func (c *Config) GetContext(ctx context.Context) (octx Context)
- func (c *Config) GetDefaultRFC8693RequestedTokenType(ctx context.Context) string
- func (c *Config) GetDisableRefreshTokenValidation(ctx context.Context) (disable bool)
- func (c *Config) GetEnablePKCEPlainChallengeMethod(ctx context.Context) (enable bool)
- func (c *Config) GetEnforceJWTProfileAccessTokens(ctx context.Context) (enforce bool)
- func (c *Config) GetEnforcePKCE(ctx context.Context) (enforce bool)
- func (c *Config) GetEnforcePKCEForPublicClients(ctx context.Context) (enforce bool)
- func (c *Config) GetEnforceRevokeFlowRevokeRefreshTokensExplicitClient(ctx context.Context) (enforce bool)
- func (c *Config) GetFormPostHTMLTemplate(ctx context.Context) (tmpl *template.Template)
- func (c *Config) GetFormPostResponseWriter(ctx context.Context) oauthelia2.FormPostResponseWriter
- func (c *Config) GetGlobalSecret(ctx context.Context) (secret []byte, err error)
- func (c *Config) GetGrantTypeJWTBearerCanSkipClientAuth(ctx context.Context) (skip bool)
- func (c *Config) GetGrantTypeJWTBearerIDOptional(ctx context.Context) (optional bool)
- func (c *Config) GetGrantTypeJWTBearerIssuedDateOptional(ctx context.Context) (optional bool)
- func (c *Config) GetHMACHasher(ctx context.Context) func() (h hash.Hash)
- func (c *Config) GetHTTPClient(ctx context.Context) (client *retryablehttp.Client)
- func (c *Config) GetIDTokenIssuer(ctx context.Context) (issuer string)
- func (c *Config) GetIDTokenLifespan(ctx context.Context) (lifespan time.Duration)
- func (c *Config) GetIntrospectionIssuer(ctx context.Context) (issuer string)
- func (c *Config) GetIntrospectionJWTResponseSigner(ctx context.Context) jwt.Signer
- func (c *Config) GetIssuerFallback(ctx context.Context, fallback string) (issuer string)
- func (c *Config) GetJWKSFetcherStrategy(ctx context.Context) (strategy oauthelia2.JWKSFetcherStrategy)
- func (c *Config) GetJWTMaxDuration(ctx context.Context) (duration time.Duration)
- func (c *Config) GetJWTScopeField(ctx context.Context) (field jwt.JWTScopeFieldEnum)
- func (c *Config) GetJWTSecuredAuthorizeResponseModeIssuer(ctx context.Context) string
- func (c *Config) GetJWTSecuredAuthorizeResponseModeLifespan(ctx context.Context) (lifespan time.Duration)
- func (c *Config) GetJWTSecuredAuthorizeResponseModeSigner(ctx context.Context) (signer jwt.Signer)
- func (c *Config) GetMessageCatalog(ctx context.Context) (catalog i18n.MessageCatalog)
- func (c *Config) GetMinParameterEntropy(_ context.Context) (entropy int)
- func (c *Config) GetOmitRedirectScopeParam(ctx context.Context) (omit bool)
- func (c *Config) GetPushedAuthorizeContextLifespan(ctx context.Context) (lifespan time.Duration)
- func (c *Config) GetPushedAuthorizeEndpointHandlers(ctx context.Context) oauthelia2.PushedAuthorizeEndpointHandlers
- func (c *Config) GetPushedAuthorizeRequestURIPrefix(ctx context.Context) string
- func (c *Config) GetRFC8628CodeLifespan(ctx context.Context) time.Duration
- func (c *Config) GetRFC8628DeviceAuthorizeEndpointHandlers(ctx context.Context) oauthelia2.RFC8628DeviceAuthorizeEndpointHandlers
- func (c *Config) GetRFC8628TokenPollingInterval(ctx context.Context) (interval time.Duration)
- func (c *Config) GetRFC8628UserAuthorizeEndpointHandlers(ctx context.Context) oauthelia2.RFC8628UserAuthorizeEndpointHandlers
- func (c *Config) GetRFC8628UserVerificationURL(ctx context.Context) string
- func (c *Config) GetRFC8693TokenTypes(ctx context.Context) map[string]oauthelia2.RFC8693TokenType
- func (c *Config) GetRedirectSecureChecker(ctx context.Context) func(context.Context, *url.URL) (secure bool)
- func (c *Config) GetRefreshTokenLifespan(ctx context.Context) (lifespan time.Duration)
- func (c *Config) GetRefreshTokenScopes(ctx context.Context) (scopes []string)
- func (c *Config) GetRequirePushedAuthorizationRequests(ctx context.Context) (enforce bool)
- func (c *Config) GetResponseModeHandlers(ctx context.Context) oauthelia2.ResponseModeHandlers
- func (c *Config) GetResponseModeParameterHandlers(ctx context.Context) oauthelia2.ResponseModeParameterHandlers
- func (c *Config) GetRevocationHandlers(ctx context.Context) (handlers oauthelia2.RevocationHandlers)
- func (c *Config) GetRevokeRefreshTokensExplicit(ctx context.Context) (explicit bool)
- func (c *Config) GetRotatedGlobalSecrets(ctx context.Context) (secrets [][]byte, err error)
- func (c *Config) GetSanitationWhiteList(ctx context.Context) (whitelist []string)
- func (c *Config) GetScopeStrategy(ctx context.Context) (strategy oauthelia2.ScopeStrategy)
- func (c *Config) GetSendDebugMessagesToClients(ctx context.Context) (send bool)
- func (c *Config) GetTokenEndpointHandlers(ctx context.Context) (handlers oauthelia2.TokenEndpointHandlers)
- func (c *Config) GetTokenEntropy(ctx context.Context) (entropy int)
- func (c *Config) GetTokenIntrospectionHandlers(ctx context.Context) (handlers oauthelia2.TokenIntrospectionHandlers)
- func (c *Config) GetUseLegacyErrorFormat(ctx context.Context) (use bool) — deprecated
- func (c *Config) GetVerifiableCredentialsNonceLifespan(ctx context.Context) (lifespan time.Duration)
- func (c *Config) LoadHandlers(store *Store)
- type Configurator
- type ConsentGetResponseBody
- type ConsentPostRequestBody
- type ConsentPostResponseBody
- type Context
- type GrantTypeJWTBearerConfig
- type HandlersConfig
- type HashConfig
- type IDTokenClaimsSession
- type IDTokenSessionContainer
- type IssuersConfig
- type JWK
- func (j *JWK) Algorithm() string
- func (j *JWK) DirectJWK() (jwk jose.JSONWebKey)
- func (j *JWK) GetPrivateKey(ctx context.Context) (any, error)
- func (j *JWK) GetSigningMethod() jwt.SigningMethod
- func (j *JWK) JWK() (jwk jose.JSONWebKey)
- func (j *JWK) KeyID() string
- func (j *JWK) PrivateJWK() (jwk *jose.JSONWebKey)
- func (j *JWK) Strategy() (strategy fjwt.Signer)
- type JWTAccessTokenConfig
- type JWTSecuredResponseModeProvider
- type KeyManager
- func (m *KeyManager) Decode(ctx context.Context, tokenString string) (token *fjwt.Token, err error)
- func (m *KeyManager) Generate(ctx context.Context, claims fjwt.MapClaims, header fjwt.Mapper) (tokenString string, sig string, err error)
- func (m *KeyManager) Get(ctx context.Context, kid, alg string) *JWK
- func (m *KeyManager) GetByAlg(ctx context.Context, alg string) *JWK
- func (m *KeyManager) GetByHeader(ctx context.Context, header fjwt.Mapper) (jwk *JWK, err error)
- func (m *KeyManager) GetByKID(ctx context.Context, kid string) *JWK
- func (m *KeyManager) GetByTokenString(ctx context.Context, tokenString string) (jwk *JWK, err error)
- func (m *KeyManager) GetDefaultKeyID(ctx context.Context) string
- func (m *KeyManager) GetKeyID(ctx context.Context, kid, alg string) string
- func (m *KeyManager) GetKeyIDFromAlg(ctx context.Context, alg string) string
- func (m *KeyManager) GetKeyIDFromAlgStrict(ctx context.Context, alg string) (kid string, err error)
- func (m *KeyManager) GetSignature(ctx context.Context, tokenString string) (sig string, err error)
- func (m *KeyManager) GetSigningMethodLength(ctx context.Context) (size int)
- func (m *KeyManager) Hash(ctx context.Context, in []byte) (sum []byte, err error)
- func (m *KeyManager) Set(ctx context.Context) *jose.JSONWebKeySet
- func (m *KeyManager) Validate(ctx context.Context, tokenString string) (sig string, err error)
- type LifespansConfig
- type MemoryClientStore
- type OAuth2DeviceAuthorizationGrantDiscoveryOptions
- type OAuth2DiscoveryOptions
- type OAuth2IssuerIdentificationDiscoveryOptions
- type OAuth2JWTIntrospectionResponseDiscoveryOptions
- type OAuth2JWTSecuredAuthorizationRequestDiscoveryOptions
- type OAuth2MutualTLSClientAuthenticationAliasesDiscoveryOptions
- type OAuth2MutualTLSClientAuthenticationDiscoveryOptions
- type OAuth2PushedAuthorizationDiscoveryOptions
- type OAuth2WellKnownClaims
- type OAuth2WellKnownConfiguration
- type OAuth2WellKnownSignedConfiguration
- type OpenIDConnectBackChannelLogoutDiscoveryOptions
- type OpenIDConnectClientInitiatedBackChannelAuthFlowDiscoveryOptions
- type OpenIDConnectDiscoveryOptions
- type OpenIDConnectFrontChannelLogoutDiscoveryOptions
- type OpenIDConnectJWTSecuredAuthorizationResponseModeDiscoveryOptions
- type OpenIDConnectPromptCreateDiscoveryOptions
- type OpenIDConnectProvider
- type OpenIDConnectRPInitiatedLogoutDiscoveryOptions
- type OpenIDConnectSessionManagementDiscoveryOptions
- type OpenIDConnectWellKnownClaims
- type OpenIDConnectWellKnownConfiguration
- type OpenIDConnectWellKnownSignedConfiguration
- type OpenIDFederationDiscoveryOptions
- type PARConfig
- type ProofKeyCodeExchangeConfig
- type RFC8693Config
- type RefreshFlowScopeClient
- type RegisteredClient
- func (c *RegisteredClient) GetAccessTokenEncryptedResponseAlg() (alg string)
- func (c *RegisteredClient) GetAccessTokenEncryptedResponseEnc() (enc string)
- func (c *RegisteredClient) GetAccessTokenEncryptedResponseKeyID() (kid string)
- func (c *RegisteredClient) GetAccessTokenSignedResponseAlg() (alg string)
- func (c *RegisteredClient) GetAccessTokenSignedResponseKeyID() (kid string)
- func (c *RegisteredClient) GetAllowMultipleAuthenticationMethods() (allow bool)
- func (c *RegisteredClient) GetAudience() (audience oauthelia2.Arguments)
- func (c *RegisteredClient) GetAuthorizationEncryptedResponseAlg() (alg string)
- func (c *RegisteredClient) GetAuthorizationEncryptedResponseEnc() (enc string)
- func (c *RegisteredClient) GetAuthorizationEncryptedResponseKeyID() (kid string)
- func (c *RegisteredClient) GetAuthorizationPolicy() (policy ClientAuthorizationPolicy)
- func (c *RegisteredClient) GetAuthorizationPolicyRequiredLevel(subject authorization.Subject) (level authorization.Level)
- func (c *RegisteredClient) GetAuthorizationSignedResponseAlg() (alg string)
- func (c *RegisteredClient) GetAuthorizationSignedResponseKeyID() (kid string)
- func (c *RegisteredClient) GetClientCredentialsFlowRequestedScopeImplicit() (allow bool)
- func (c *RegisteredClient) GetClientSecret() (secret oauthelia2.ClientSecret)
- func (c *RegisteredClient) GetConsentPolicy() (policy ClientConsentPolicy)
- func (c *RegisteredClient) GetConsentResponseBody(consent *model.OAuth2ConsentSession) ConsentGetResponseBody
- func (c *RegisteredClient) GetEffectiveLifespan(gt oauthelia2.GrantType, tt oauthelia2.TokenType, fallback time.Duration) time.Duration
- func (c *RegisteredClient) GetEnableJWTProfileOAuthAccessTokens() (enable bool)
- func (c *RegisteredClient) GetEnforcePKCE() (enforce bool)
- func (c *RegisteredClient) GetEnforcePKCEChallengeMethod() (enforce bool)
- func (c *RegisteredClient) GetGrantTypes() (types oauthelia2.Arguments)
- func (c *RegisteredClient) GetID() string
- func (c *RegisteredClient) GetIDTokenEncryptedResponseAlg() (alg string)
- func (c *RegisteredClient) GetIDTokenEncryptedResponseEnc() (enc string)
- func (c *RegisteredClient) GetIDTokenEncryptedResponseKeyID() (kid string)
- func (c *RegisteredClient) GetIDTokenSignedResponseAlg() (alg string)
- func (c *RegisteredClient) GetIDTokenSignedResponseKeyID() (kid string)
- func (c *RegisteredClient) GetIntrospectionEncryptedResponseAlg() (alg string)
- func (c *RegisteredClient) GetIntrospectionEncryptedResponseEnc() (enc string)
- func (c *RegisteredClient) GetIntrospectionEncryptedResponseKeyID() (kid string)
- func (c *RegisteredClient) GetIntrospectionEndpointAuthMethod() (method string)
- func (c *RegisteredClient) GetIntrospectionEndpointAuthSigningAlg() (alg string)
- func (c *RegisteredClient) GetIntrospectionSignedResponseAlg() (alg string)
- func (c *RegisteredClient) GetIntrospectionSignedResponseKeyID() (alg string)
- func (c *RegisteredClient) GetJSONWebKeys() (keys *jose.JSONWebKeySet)
- func (c *RegisteredClient) GetJSONWebKeysURI() (uri string)
- func (c *RegisteredClient) GetName() (name string)
- func (c *RegisteredClient) GetPKCEChallengeMethod() (method string)
- func (c *RegisteredClient) GetPushedAuthorizeContextLifespan() (lifespan time.Duration)
- func (c *RegisteredClient) GetRedirectURIs() (redirectURIs []string)
- func (c *RegisteredClient) GetRefreshFlowIgnoreOriginalGrantedScopes(ctx context.Context) (ignore bool)
- func (c *RegisteredClient) GetRequestObjectEncryptionAlg() (alg string)
- func (c *RegisteredClient) GetRequestObjectEncryptionEnc() (enc string)
- func (c *RegisteredClient) GetRequestObjectEncryptionKeyID() (kid string)
- func (c *RegisteredClient) GetRequestObjectSigningAlg() (alg string)
- func (c *RegisteredClient) GetRequestObjectSigningKeyID() (kid string)
- func (c *RegisteredClient) GetRequestURIs() (uris []string)
- func (c *RegisteredClient) GetRequestedAudienceImplicit() (implicit bool)
- func (c *RegisteredClient) GetRequirePushedAuthorizationRequests() (require bool)
- func (c *RegisteredClient) GetResponseModes() (modes []oauthelia2.ResponseModeType)
- func (c *RegisteredClient) GetResponseTypes() (types oauthelia2.Arguments)
- func (c *RegisteredClient) GetRevocationEndpointAuthMethod() (method string)
- func (c *RegisteredClient) GetRevocationEndpointAuthSigningAlg() (alg string)
- func (c *RegisteredClient) GetRevokeRefreshTokensExplicit(ctx context.Context) (explicit bool)
- func (c *RegisteredClient) GetRotatedClientSecrets() (secrets []oauthelia2.ClientSecret)
- func (c *RegisteredClient) GetScopes() (scopes oauthelia2.Arguments)
- func (c *RegisteredClient) GetSectorIdentifierURI() (sector string)
- func (c *RegisteredClient) GetTokenEndpointAuthMethod() (method string)
- func (c *RegisteredClient) GetTokenEndpointAuthSigningAlg() (alg string)
- func (c *RegisteredClient) GetUserinfoEncryptedResponseAlg() (alg string)
- func (c *RegisteredClient) GetUserinfoEncryptedResponseEnc() (enc string)
- func (c *RegisteredClient) GetUserinfoEncryptedResponseKeyID() (kid string)
- func (c *RegisteredClient) GetUserinfoSignedResponseAlg() (alg string)
- func (c *RegisteredClient) GetUserinfoSignedResponseKeyID() (kid string)
- func (c *RegisteredClient) IsAuthenticationLevelSufficient(level authentication.Level, subject authorization.Subject) (sufficient bool)
- func (c *RegisteredClient) IsPublic() (public bool)
- func (c *RegisteredClient) SetJSONWebKeys(jwks *jose.JSONWebKeySet)
- func (c *RegisteredClient) ValidateResponseModePolicy(r oauthelia2.AuthorizeRequester) (err error)
- type Session
- func (s *Session) Clone() oauthelia2.Session
- func (s *Session) GetChallengeID() uuid.NullUUID
- func (s *Session) GetExtraClaims() map[string]any
- func (s *Session) GetIDTokenClaims() *jwt.IDTokenClaims
- func (s *Session) GetJWTClaims() jwt.JWTClaimsContainer
- func (s *Session) GetJWTHeader() (headers *jwt.Headers)
- type Signer
- func (j *Signer) Decode(ctx context.Context, tokenString string) (token *fjwt.Token, err error)
- func (j *Signer) Generate(ctx context.Context, claims fjwt.MapClaims, header fjwt.Mapper) (tokenString string, sig string, err error)
- func (j *Signer) GetPublicKey(ctx context.Context) (key crypto.PublicKey, err error)
- func (j *Signer) GetSignature(ctx context.Context, tokenString string) (sig string, err error)
- func (j *Signer) GetSigningMethodLength(ctx context.Context) (size int)
- func (j *Signer) Hash(ctx context.Context, in []byte) (sum []byte, err error)
- func (j *Signer) Validate(ctx context.Context, tokenString string) (sig string, err error)
- type SortedJSONWebKey
- type SortedSigningAlgs
- type Store
- func (s *Store) BeginTX(ctx context.Context) (c context.Context, err error)
- func (s *Store) ClientAssertionJWTValid(ctx context.Context, jti string) (err error)
- func (s *Store) Commit(ctx context.Context) (err error)
- func (s *Store) CreateAccessTokenSession(ctx context.Context, signature string, request oauthelia2.Requester) (err error)
- func (s *Store) CreateAuthorizeCodeSession(ctx context.Context, code string, request oauthelia2.Requester) (err error)
- func (s *Store) CreateOpenIDConnectSession(ctx context.Context, authorizeCode string, request oauthelia2.Requester) (err error)
- func (s *Store) CreatePARSession(ctx context.Context, requestURI string, request oauthelia2.AuthorizeRequester) (err error)
- func (s *Store) CreatePKCERequestSession(ctx context.Context, signature string, request oauthelia2.Requester) (err error)
- func (s *Store) CreateRefreshTokenSession(ctx context.Context, signature string, request oauthelia2.Requester) (err error)
- func (s *Store) DeleteAccessTokenSession(ctx context.Context, signature string) (err error)
- func (s *Store) DeleteOpenIDConnectSession(ctx context.Context, authorizeCode string) (err error)
- func (s *Store) DeletePARSession(ctx context.Context, requestURI string) (err error)
- func (s *Store) DeletePKCERequestSession(ctx context.Context, signature string) (err error)
- func (s *Store) DeleteRefreshTokenSession(ctx context.Context, signature string) (err error)
- func (s *Store) GenerateOpaqueUserID(ctx context.Context, sectorID, username string) (opaqueID *model.UserOpaqueIdentifier, err error)
- func (s *Store) GetAccessTokenSession(ctx context.Context, signature string, session oauthelia2.Session) (request oauthelia2.Requester, err error)
- func (s *Store) GetAuthorizeCodeSession(ctx context.Context, code string, session oauthelia2.Session) (request oauthelia2.Requester, err error)
- func (s *Store) GetClient(ctx context.Context, id string) (client oauthelia2.Client, err error)
- func (s *Store) GetOpenIDConnectSession(ctx context.Context, authorizeCode string, request oauthelia2.Requester) (r oauthelia2.Requester, err error)
- func (s *Store) GetPARSession(ctx context.Context, requestURI string) (request oauthelia2.AuthorizeRequester, err error)
- func (s *Store) GetPKCERequestSession(ctx context.Context, signature string, session oauthelia2.Session) (requester oauthelia2.Requester, err error)
- func (s *Store) GetRefreshTokenSession(ctx context.Context, signature string, session oauthelia2.Session) (request oauthelia2.Requester, err error)
- func (s *Store) GetSubject(ctx context.Context, sectorID, username string) (subject uuid.UUID, err error)
- func (s *Store) InvalidateAuthorizeCodeSession(ctx context.Context, code string) (err error)
- func (s *Store) IsJWTUsed(ctx context.Context, jti string) (used bool, err error)
- func (s *Store) IsValidClientID(ctx context.Context, id string) (valid bool)
- func (s *Store) MarkJWTUsedForTime(ctx context.Context, jti string, exp time.Time) (err error)
- func (s *Store) RevokeAccessToken(ctx context.Context, requestID string) (err error)
- func (s *Store) RevokeRefreshToken(ctx context.Context, requestID string) (err error)
- func (s *Store) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) (err error)
- func (s *Store) Rollback(ctx context.Context) (err error)
- func (s *Store) SetClientAssertionJWT(ctx context.Context, jti string, exp time.Time) (err error)
- type StrategyConfig
- type UserDetailer
Constants
// Scope strings. These are the OAuth 2.0 / OpenID Connect scope values the provider recognises in
// authorization and token requests.
const (
	// ScopeOfflineAccess is the OpenID Connect Core 1.0 scope that requests a refresh token.
	ScopeOfflineAccess = "offline_access"

	// ScopeOffline is a non-standard variant of ScopeOfflineAccess.
	// NOTE(review): presumably accepted as a compatibility alias — confirm against the handlers.
	ScopeOffline = "offline"

	// ScopeOpenID is the mandatory OpenID Connect scope; a request without it is plain OAuth 2.0.
	ScopeOpenID = "openid"

	// ScopeProfile requests the end user's profile claims (name, preferred_username, ...).
	ScopeProfile = "profile"

	// ScopeEmail requests the end user's email and email_verified claims.
	ScopeEmail = "email"

	// ScopeGroups is an Authelia-specific scope; presumably pairs with ClaimGroups — confirm.
	ScopeGroups = "groups"

	// ScopeAutheliaBearerAuthz is an Authelia-specific scope; the name suggests bearer-token
	// authorization of requests to protected resources — confirm against its consumers.
	ScopeAutheliaBearerAuthz = "authelia.bearer.authz"
)
Scope strings.
// Registered Claim strings. See https://www.iana.org/assignments/jwt/jwt.xhtml.
//
// ClaimIssuer, ClaimClientIdentifier and ClaimScope alias package-level values (valueIss,
// valueClientID, valueScope) declared elsewhere in this package and shared with the
// FormParameter constants.
const (
	// Token and session identifiers. ClaimJWTID is the value the Store methods IsJWTUsed,
	// MarkJWTUsedForTime, ClientAssertionJWTValid and SetClientAssertionJWT accept as the jti
	// argument for replay protection.
	ClaimJWTID     = "jti"
	ClaimSessionID = "sid"

	// Hash claims binding an ID Token to the access token, authorization code and state it was
	// issued alongside (OpenID Connect Core 1.0 §3.3.2.11; s_hash is defined by the FAPI profiles).
	ClaimAccessTokenHash = "at_hash"
	ClaimCodeHash        = "c_hash"
	ClaimStateHash       = "s_hash"

	// Time claims (RFC 7519 §4.1 and OpenID Connect Core 1.0 §2). ClaimRequestedAt ("rat") is not
	// in the IANA registry; presumably the time the request was received — confirm.
	ClaimIssuedAt           = "iat"
	ClaimNotBefore          = "nbf"
	ClaimRequestedAt        = "rat"
	ClaimExpirationTime     = "exp"
	ClaimAuthenticationTime = "auth_time"

	// Core identity claims (RFC 7519 §4.1, OpenID Connect Core 1.0 §2).
	ClaimIssuer   = valueIss
	ClaimSubject  = "sub"
	ClaimNonce    = "nonce"
	ClaimAudience = "aud"

	// End-user profile claims (OpenID Connect Core 1.0 §5.1); ClaimGroups is Authelia-specific.
	ClaimGroups            = "groups"
	ClaimFullName          = "name"
	ClaimPreferredUsername = "preferred_username"
	ClaimPreferredEmail    = "email"
	ClaimEmailVerified     = "email_verified"

	// Authorized party and authentication context / method references (OpenID Connect Core 1.0 §2,
	// RFC 8176 for the amr values).
	ClaimAuthorizedParty                     = "azp"
	ClaimAuthenticationContextClassReference = "acr"
	ClaimAuthenticationMethodsReference      = "amr"

	// Claims used in token introspection responses (RFC 7662) and JWT access tokens.
	// ClaimScopeNonStandard ("scp") is the array-valued alternative some deployments use in place
	// of the space-delimited scope claim. ClaimExtra ("ext") presumably carries the extra session
	// claims exposed by Session.GetExtraClaims — confirm. ClaimTokenIntrospection is the top-level
	// claim wrapping a JWT Response for OAuth Token Introspection.
	ClaimClientIdentifier   = valueClientID
	ClaimScope              = valueScope
	ClaimScopeNonStandard   = "scp"
	ClaimExtra              = "ext"
	ClaimActive             = "active"
	ClaimUsername           = "username"
	ClaimTokenIntrospection = "token_introspection"
)
Registered Claim strings. See https://www.iana.org/assignments/jwt/jwt.xhtml.
// Response Mode strings (OAuth 2.0 Multiple Response Type Encoding Practices, OAuth 2.0 Form Post
// Response Mode, and JWT Secured Authorization Response Mode / JARM).
const (
	// ResponseModeFormPost returns the authorization response as fields of an auto-submitted HTML form.
	ResponseModeFormPost = "form_post"

	// ResponseModeQuery returns the response parameters in the redirect URI query component.
	ResponseModeQuery = "query"

	// ResponseModeFragment returns the response parameters in the redirect URI fragment.
	ResponseModeFragment = "fragment"

	// JWT-secured variants: the response parameters are wrapped in a signed (and optionally
	// encrypted) JWT delivered via the named plain mode. ResponseModeJWT leaves the carrier to the
	// flow's default.
	ResponseModeJWT         = "jwt"
	ResponseModeFormPostJWT = "form_post.jwt"
	ResponseModeQueryJWT    = "query.jwt"
	ResponseModeFragmentJWT = "fragment.jwt"
)
Response Mode strings.
// Grant Type strings. GrantTypeImplicit and GrantTypeRefreshToken alias package-level values
// (valueImplicit, valueRefreshToken) declared elsewhere in this package.
const (
	GrantTypeImplicit          = valueImplicit
	GrantTypeRefreshToken      = valueRefreshToken
	GrantTypeAuthorizationCode = "authorization_code"
	GrantTypeClientCredentials = "client_credentials"
)
Grant Type strings.
// Client Auth Method strings: the token_endpoint_auth_method values of OpenID Connect Core 1.0 §9.
const (
	// ClientAuthMethodClientSecretBasic sends client_id and client_secret via HTTP Basic authentication.
	ClientAuthMethodClientSecretBasic = "client_secret_basic"

	// ClientAuthMethodClientSecretPost sends client_id and client_secret in the request body.
	ClientAuthMethodClientSecretPost = "client_secret_post"

	// ClientAuthMethodClientSecretJWT authenticates with a JWT assertion HMAC-signed with the client secret.
	ClientAuthMethodClientSecretJWT = "client_secret_jwt"

	// ClientAuthMethodPrivateKeyJWT authenticates with a JWT assertion signed by the client's private key.
	ClientAuthMethodPrivateKeyJWT = "private_key_jwt"

	// ClientAuthMethodNone is for public clients that cannot hold a secret; such clients rely on
	// PKCE and redirect URI registration for protection.
	ClientAuthMethodNone = "none"
)
Client Auth Method strings.
// Response Type strings. The space-separated values select the OpenID Connect flow (authorization
// code, implicit or hybrid) as defined in OAuth 2.0 Multiple Response Type Encoding Practices.
const (
	// ResponseTypeAuthorizationCodeFlow issues only a code; tokens come from the token endpoint.
	ResponseTypeAuthorizationCodeFlow = "code"

	// Implicit flow: tokens are returned directly from the authorization endpoint.
	ResponseTypeImplicitFlowIDToken = "id_token"
	ResponseTypeImplicitFlowToken   = "token"
	ResponseTypeImplicitFlowBoth    = "id_token token"

	// Hybrid flow: a code plus one or more tokens from the authorization endpoint.
	ResponseTypeHybridFlowIDToken = "code id_token"
	ResponseTypeHybridFlowToken   = "code token"
	ResponseTypeHybridFlowBoth    = "code id_token token"
)
Response Type strings.
// JWS Algorithm strings. See: https://datatracker.ietf.org/doc/html/rfc7518#section-3.1
//
// SigningAlgNone aliases the package-level valueNone declared elsewhere in this package.
const (
	// SigningAlgNone is the "none" JWS algorithm (RFC 7518 §3.6): an unsecured JWT with no signature.
	// NOTE(review): a verifier must never accept "none" where integrity is required, including when
	// an inbound token's "alg" header selects it — confirm the decode/validate paths reject it.
	SigningAlgNone = valueNone

	// RSASSA-PKCS1-v1_5 (RFC 7518 §3.3).
	SigningAlgRSAUsingSHA256 = "RS256"
	SigningAlgRSAUsingSHA384 = "RS384"
	SigningAlgRSAUsingSHA512 = "RS512"

	// RSASSA-PSS (RFC 7518 §3.5).
	SigningAlgRSAPSSUsingSHA256 = "PS256"
	SigningAlgRSAPSSUsingSHA384 = "PS384"
	SigningAlgRSAPSSUsingSHA512 = "PS512"

	// ECDSA (RFC 7518 §3.4); each algorithm fixes both the curve and the hash.
	SigningAlgECDSAUsingP256AndSHA256 = "ES256"
	SigningAlgECDSAUsingP384AndSHA384 = "ES384"
	SigningAlgECDSAUsingP521AndSHA512 = "ES512"

	// HMAC (RFC 7518 §3.2): symmetric, so whoever can verify can also sign.
	SigningAlgHMACUsingSHA256 = "HS256"
	SigningAlgHMACUsingSHA384 = "HS384"
	SigningAlgHMACUsingSHA512 = "HS512"
)
JWS Algorithm strings. See: https://datatracker.ietf.org/doc/html/rfc7518#section-3.1
// JWS Algorithm Prefixes. The first two characters of a JWS "alg" value identify its key family.
const (
	SigningAlgPrefixRSA    = "RS"
	SigningAlgPrefixHMAC   = "HS"
	SigningAlgPrefixRSAPSS = "PS"
	SigningAlgPrefixECDSA  = "ES"
)
JWS Algorithm Prefixes.
// Subject Type strings (OpenID Connect Core 1.0 §8).
const (
	// SubjectTypePublic returns the same sub value to every client.
	SubjectTypePublic = "public"

	// SubjectTypePairwise derives a distinct sub per sector identifier so that clients cannot
	// correlate a user across relying parties.
	SubjectTypePairwise = "pairwise"
)
Subject Type strings.
// Proof Key Code Exchange Challenge Method strings (RFC 7636 §4.2).
const (
	// PKCEChallengeMethodPlain sends the code verifier itself as the challenge; RFC 7636 permits it
	// only for clients that cannot support S256. NOTE(review): presumably gated by
	// Config.GetEnablePKCEPlainChallengeMethod — confirm.
	PKCEChallengeMethodPlain = "plain"

	// PKCEChallengeMethodSHA256 sends BASE64URL(SHA256(code_verifier)) and is the method clients should use.
	PKCEChallengeMethodSHA256 = "S256"
)
Proof Key Code Exchange Challenge Method strings.
// Form parameter names used in authorization, pushed authorization and token requests.
// FormParameterClientID, FormParameterScope and FormParameterIssuer alias package-level values
// (valueClientID, valueScope, valueIss) declared elsewhere in this package. FormParameterIssuer
// is presumably the RFC 9207 authorization-response issuer identifier — confirm.
const (
	FormParameterState        = "state"
	FormParameterClientID     = valueClientID
	FormParameterRequestURI   = "request_uri"
	FormParameterRedirectURI  = "redirect_uri"
	FormParameterResponseMode = "response_mode"
	FormParameterResponseType = "response_type"
	FormParameterScope        = valueScope
	FormParameterIssuer       = valueIss
	FormParameterPrompt       = "prompt"
)
// Prompt parameter values (OpenID Connect Core 1.0 §3.1.2.1). PromptNone aliases the package-level
// valueNone declared elsewhere in this package.
const (
	PromptConsent       = "consent"
	PromptLogin         = "login"
	PromptNone          = valueNone
	PromptSelectAccount = "select_account"
)
// Endpoints. Short names for the OAuth 2.0 / OpenID Connect endpoints this provider serves; the
// EndpointPath constants are built from them.
const (
	EndpointAuthorization              = "authorization"
	EndpointToken                      = "token"
	EndpointUserinfo                   = "userinfo"
	EndpointIntrospection              = "introspection"
	EndpointRevocation                 = "revocation"
	EndpointPushedAuthorizationRequest = "pushed-authorization-request"
)
Endpoints.
// JWT Headers.
const (
	// JWTHeaderKeyIdentifier is the JWT Header referencing the JWS Key Identifier used to sign a token.
	// NOTE(review): on an inbound token this header is untrusted input; treat it only as a selector
	// among keys already configured (e.g. KeyManager.GetByHeader), never as a key source — confirm.
	JWTHeaderKeyIdentifier = "kid"

	// JWTHeaderKeyAlgorithm is the JWT Header referencing the JWS Key algorithm used to sign a token.
	// NOTE(review): likewise untrusted on inbound tokens; the expected algorithm should come from
	// configuration rather than from this header — confirm.
	JWTHeaderKeyAlgorithm = "alg"

	// JWTHeaderKeyType is the JWT Header referencing the JWT type.
	JWTHeaderKeyType = "typ"
)
JWT Headers.
// JWT "typ" header values. Explicit typing lets a verifier reject a token presented in the wrong
// role (for example an access token offered where an ID Token is expected).
const (
	// JWTHeaderTypeValueTokenIntrospectionJWT marks a JWT Response for OAuth Token Introspection.
	JWTHeaderTypeValueTokenIntrospectionJWT = "token-introspection+jwt"

	// JWTHeaderTypeValueAccessTokenJWT marks a JWT Profile for OAuth 2.0 Access Tokens (RFC 9068) token.
	JWTHeaderTypeValueAccessTokenJWT = "at+jwt"
)
// Paths. The consent page, the well-known discovery documents and the JWKS are rooted at "/",
// while the protocol endpoints are rooted under EndpointPathRoot.
const (
	EndpointPathConsent                           = "/consent"
	EndpointPathWellKnownOpenIDConfiguration      = "/.well-known/openid-configuration"
	EndpointPathWellKnownOAuthAuthorizationServer = "/.well-known/oauth-authorization-server"
	EndpointPathJWKs                              = "/jwks.json"

	// EndpointPathRoot is the prefix shared by every protocol endpoint path below.
	EndpointPathRoot = "/api/oidc"

	EndpointPathAuthorization              = EndpointPathRoot + "/" + EndpointAuthorization
	EndpointPathToken                      = EndpointPathRoot + "/" + EndpointToken
	EndpointPathUserinfo                   = EndpointPathRoot + "/" + EndpointUserinfo
	EndpointPathIntrospection              = EndpointPathRoot + "/" + EndpointIntrospection
	EndpointPathRevocation                 = EndpointPathRoot + "/" + EndpointRevocation
	EndpointPathPushedAuthorizationRequest = EndpointPathRoot + "/" + EndpointPushedAuthorizationRequest
	EndpointPathRFC8628UserVerificationURL = EndpointPathRoot + "/device-code/user-verification"
)
Paths.
// Authentication Method Reference Values. See: https://datatracker.ietf.org/doc/html/rfc8176
const (
	// AMRMultiFactorAuthentication is an RFC8176 Authentication Method Reference Value that represents multiple-factor
	// authentication as per NIST.800-63-2 and ISO29115. When this is present, specific authentication methods used may
	// also be included.
	//
	// Authelia utilizes this when a user has performed any 2 AMR's with different factor values (excluding meta).
	// Factor: Meta, Channel: Meta.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	//
	// NIST.800-63-2: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
	//
	// ISO29115: https://www.iso.org/standard/45138.html
	AMRMultiFactorAuthentication = "mfa"

	// AMRMultiChannelAuthentication is an RFC8176 Authentication Method Reference Value that represents
	// multiple-channel authentication. The authentication involves communication over more than one distinct
	// communication channel. For instance, a multiple-channel authentication might involve both entering information
	// into a workstation's browser and providing information on a telephone call to a pre-registered number.
	//
	// Authelia utilizes this when a user has performed any 2 AMR's with different channel values (excluding meta).
	// Factor: Meta, Channel: Meta.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	AMRMultiChannelAuthentication = "mca"

	// AMRUserPresence is an RFC8176 Authentication Method Reference Value that represents authentication that included
	// a user presence test. Evidence that the end user is present and interacting with the device. This is sometimes
	// also referred to as "test of user presence" as per W3C.WD-webauthn-20170216.
	//
	// Authelia utilizes this when a user has used WebAuthn to authenticate and the user presence flag was set.
	// Factor: Meta, Channel: Meta.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	//
	// W3C.WD-webauthn-20170216: https://datatracker.ietf.org/doc/html/rfc8176#ref-W3C.WD-webauthn-20170216
	AMRUserPresence = "user"

	// AMRPersonalIdentificationNumber is an RFC8176 Authentication Method Reference Value that represents
	// authentication that included a personal Identification Number (PIN) as per RFC4949 or pattern (not restricted to
	// containing only numbers) that a user enters to unlock a key on the device. This mechanism should have a way to
	// deter an attacker from obtaining the PIN by trying repeated guesses.
	//
	// Authelia utilizes this when a user has used WebAuthn to authenticate and the user verified flag was set.
	// Factor: Meta, Channel: Meta.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	//
	// RFC4949: https://datatracker.ietf.org/doc/html/rfc4949
	AMRPersonalIdentificationNumber = "pin"

	// AMRPasswordBasedAuthentication is an RFC8176 Authentication Method Reference Value that represents password-based
	// authentication as per RFC4949.
	//
	// Authelia utilizes this when a user has performed 1FA. Factor: Know, Channel: Browser.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	//
	// RFC4949: https://datatracker.ietf.org/doc/html/rfc4949
	AMRPasswordBasedAuthentication = "pwd"

	// AMROneTimePassword is an RFC8176 Authentication Method Reference Value that represents authentication via a
	// Time-based One-Time Password as per RFC4949. One-time password specifications that this authentication method
	// applies to include RFC4226 and RFC6238.
	//
	// Authelia utilizes this when a user has used TOTP to authenticate. Factor: Have, Channel: Browser.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	//
	// RFC4949: https://datatracker.ietf.org/doc/html/rfc4949
	//
	// RFC4226: https://datatracker.ietf.org/doc/html/rfc4226
	//
	// RFC6238: https://datatracker.ietf.org/doc/html/rfc6238
	AMROneTimePassword = "otp"

	// AMRProofOfPossession is an RFC8176 Authentication Method Reference Value that represents authentication via a
	// proof-of-possession (PoP) of a software-secured (swk) or hardware-secured (hwk) key.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	AMRProofOfPossession = "pop"

	// AMRHardwareSecuredKey is an RFC8176 Authentication Method Reference Value that represents authentication via a
	// proof-of-possession (PoP) of a hardware-secured key.
	//
	// Authelia utilizes this when a user has used WebAuthn to authenticate. Factor: Have, Channel: Browser.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	AMRHardwareSecuredKey = "hwk"

	// AMRSoftwareSecuredKey is an RFC8176 Authentication Method Reference Value that represents authentication via a
	// proof-of-possession (PoP) of a software-secured key.
	//
	// Authelia utilizes this when a user has used WebAuthn to authenticate. Factor: Have, Channel: Browser.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	AMRSoftwareSecuredKey = "swk"

	// AMRShortMessageService is an RFC8176 Authentication Method Reference Value that represents authentication via
	// confirmation using SMS text message to the user at a registered number.
	//
	// Authelia utilizes this when a user has used Duo to authenticate. Factor: Have, Channel: Browser.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	AMRShortMessageService = "sms"
)
Authentication Method Reference Values https://datatracker.ietf.org/doc/html/rfc8176
const (
	// ClaimEmailAlts is a custom (unregistered) claim carrying the user's non-primary email addresses.
	// Being unregistered, relying parties must be told about it explicitly; it has no standard semantics.
	ClaimEmailAlts = "alt_emails"
)
const (
	// ClaimTypeNormal is the OpenID Connect claim type "normal", i.e. claims asserted directly by the
	// OpenID Provider rather than aggregated or distributed claims.
	ClaimTypeNormal = "normal"
)
const (
	// KeyUseSignature is the JWK "use" value for signing keys ("sig"). Keys published for signing should not
	// double as encryption keys; the discovery document's jwks_uri requires a use value whenever both kinds
	// of key are published.
	KeyUseSignature = "sig"
)
const (
	// RedirectURIPrefixPushedAuthorizationRequestURN is the URN prefix of the request_uri value returned by
	// the Pushed Authorization Request endpoint (RFC 9126). Despite the RedirectURI in its name, the value
	// is the request_uri prefix, not a redirect_uri.
	RedirectURIPrefixPushedAuthorizationRequestURN = "urn:ietf:params:oauth:request_uri:"
)
const (
	// RedirectURISpecialOAuth2InstalledApp is the out-of-band (OOB) redirect URI used by installed
	// applications, where the authorization code is displayed to the user instead of being delivered by
	// HTTP redirect.
	//
	// NOTE(review): OOB is a legacy pattern and is not among the redirect styles RFC 8252 recommends for
	// native apps (loopback, claimed HTTPS, private-use scheme); confirm it is only honoured for clients
	// that genuinely need it.
	RedirectURISpecialOAuth2InstalledApp = "urn:ietf:wg:oauth:2.0:oob"
)
Variables ¶
// Errors returned by the provider. Each wraps an oauthelia2 error with a hint; the hint text is presumably
// surfaced to the client (error_description), so it is kept generic and free of internal detail.
var (
	// ErrSubjectCouldNotLookup: the user's Subject Identifier could not be generated or read from the database.
	ErrSubjectCouldNotLookup = oauthelia2.ErrServerError.WithHint("Could not lookup user subject.")

	// ErrConsentCouldNotPerform: the consent session could not be performed, for any of several reasons.
	ErrConsentCouldNotPerform = oauthelia2.ErrServerError.WithHint("Could not perform consent.")

	// ErrConsentCouldNotGenerate: the consent session could not be created, usually because UUIDv4
	// generation failed.
	ErrConsentCouldNotGenerate = oauthelia2.ErrServerError.WithHint("Could not generate the consent session.")

	// ErrConsentCouldNotSave: the consent session could not be written to the database.
	ErrConsentCouldNotSave = oauthelia2.ErrServerError.WithHint("Could not save the consent session.")

	// ErrConsentCouldNotLookup: the consent ID is well formed but is not a known UUID.
	ErrConsentCouldNotLookup = oauthelia2.ErrServerError.WithHint("Failed to lookup the consent session.")

	// ErrConsentMalformedChallengeID: the consent ID is not a UUID at all.
	ErrConsentMalformedChallengeID = oauthelia2.ErrServerError.WithHint("Malformed consent session challenge ID.")

	// ErrClientAuthorizationUserAccessDenied: the user is not permitted to use this client (presumably the
	// client's authorization policy denied the subject). Reported as access_denied, not as a server error.
	ErrClientAuthorizationUserAccessDenied = oauthelia2.ErrAccessDenied.WithHint("The user was denied access to this client.")
)
Functions ¶
func AccessResponderToClearMap ¶ added in v4.38.0
func AccessResponderToClearMap(responder oauthelia2.AccessResponder) map[string]any
AccessResponderToClearMap returns a clear friendly map copy of the responder map values.
func GetLangFromRequester ¶ added in v4.38.0
func GetLangFromRequester(requester oauthelia2.Requester) language.Tag
GetLangFromRequester gets the expected language for a requester.
func IsAccessToken ¶ added in v4.38.3
func IsJWTProfileAccessToken ¶ added in v4.38.0
IsJWTProfileAccessToken checks whether the given JWT header is that of an RFC 9068 JWT Profile Access Token by inspecting the typ header as per https://datatracker.ietf.org/doc/html/rfc9068#section-2.1, which states the header MUST include a typ of 'at+jwt' or 'application/at+jwt' (with 'at+jwt' preferred). Consumers should rely on this check so that other signed JWTs from the same issuer (for example ID Tokens) are not mistaken for access tokens.
func IsMaybeSignedJWT ¶ added in v4.38.3
func IsPushedAuthorizedRequest ¶ added in v4.38.0
func IsPushedAuthorizedRequest(r oauthelia2.Requester, prefix string) bool
IsPushedAuthorizedRequest returns true if the requester carries a Pushed Authorization Request (RFC 9126) URI value that begins with the given prefix (normally RedirectURIPrefixPushedAuthorizationRequestURN, "urn:ietf:params:oauth:request_uri:"). Note that this prefix is the RFC 9126 request_uri URN, so the parameter involved appears to be request_uri rather than redirect_uri as the original wording suggested.
func NewPublicJSONWebKeySetFromSchemaJWK ¶ added in v4.38.0
NewPublicJSONWebKeySetFromSchemaJWK creates a *jose.JSONWebKeySet from a slice of schema.JWK.
func PopulateClientCredentialsFlowRequester ¶ added in v4.38.0
func PopulateClientCredentialsFlowRequester(ctx Context, config oauthelia2.Configurator, client oauthelia2.Client, requester oauthelia2.Requester) (err error)
PopulateClientCredentialsFlowRequester is used to grant the authorized scopes and audiences when performing a client credentials grant.
func PopulateClientCredentialsFlowSessionWithAccessRequest ¶ added in v4.38.0
func PopulateClientCredentialsFlowSessionWithAccessRequest(ctx Context, client oauthelia2.Client, session *Session) (err error)
PopulateClientCredentialsFlowSessionWithAccessRequest is used to configure a session when performing a client credentials grant.
func RFC6750Header ¶ added in v4.38.0
func RFC6750Header(realm, scope string, err *oauthelia2.RFC6749Error) string
RFC6750Header turns a *oauthelia2.RFC6749Error into the values for a RFC6750 format WWW-Authenticate Bearer response header, excluding the Bearer prefix.
func ValidateSectorIdentifierURI ¶ added in v4.38.7
Types ¶
type AuthenticationMethodsReferences ¶ added in v4.35.0
// AuthenticationMethodsReferences records which authentication methods a user completed, from which the
// RFC 8176 amr claim and the factor/channel/meta helpers are derived. The field-to-AMR correspondence
// below follows the "Authelia utilizes this when ..." notes on the AMR constants.
type AuthenticationMethodsReferences struct {
	// UsernameAndPassword is set when the user completed 1FA (corresponds to "pwd").
	UsernameAndPassword bool

	// TOTP is set when a time-based one-time password was used (corresponds to "otp").
	TOTP bool

	// Duo is set when Duo was used (corresponds to "sms").
	Duo bool

	// WebAuthn is set when a WebAuthn assertion was used; the two fields below refine the key type.
	WebAuthn bool

	// WebAuthnHardware is set for a hardware-secured WebAuthn key (corresponds to "hwk").
	WebAuthnHardware bool

	// WebAuthnSoftware is set for a software-secured WebAuthn key (corresponds to "swk").
	WebAuthnSoftware bool

	// WebAuthnUserPresence is set when the authenticator reported user presence (corresponds to "user").
	WebAuthnUserPresence bool

	// WebAuthnUserVerified is set when the authenticator reported user verification (corresponds to "pin").
	WebAuthnUserVerified bool
}
AuthenticationMethodsReferences holds AMR information.
func NewAuthenticationMethodsReferencesFromClaim ¶ added in v4.38.0
func NewAuthenticationMethodsReferencesFromClaim(claim []string) (amr AuthenticationMethodsReferences)
func (AuthenticationMethodsReferences) ChannelBrowser ¶ added in v4.35.0
func (r AuthenticationMethodsReferences) ChannelBrowser() bool
ChannelBrowser returns true if a browser was used to authenticate.
func (AuthenticationMethodsReferences) ChannelService ¶ added in v4.35.0
func (r AuthenticationMethodsReferences) ChannelService() bool
ChannelService returns true if a non-browser service was used to authenticate.
func (AuthenticationMethodsReferences) FactorKnowledge ¶ added in v4.35.0
func (r AuthenticationMethodsReferences) FactorKnowledge() bool
FactorKnowledge returns true if a "something you know" factor of authentication was used.
func (AuthenticationMethodsReferences) FactorPossession ¶ added in v4.35.0
func (r AuthenticationMethodsReferences) FactorPossession() bool
FactorPossession returns true if a "something you have" factor of authentication was used.
func (AuthenticationMethodsReferences) MarshalRFC8176 ¶ added in v4.35.0
func (r AuthenticationMethodsReferences) MarshalRFC8176() []string
MarshalRFC8176 returns the AMR claim slice of strings in the RFC8176 format. https://datatracker.ietf.org/doc/html/rfc8176
func (AuthenticationMethodsReferences) MultiChannelAuthentication ¶ added in v4.35.0
func (r AuthenticationMethodsReferences) MultiChannelAuthentication() bool
MultiChannelAuthentication returns true if the user used more than one channel to authenticate.
func (AuthenticationMethodsReferences) MultiFactorAuthentication ¶ added in v4.35.0
func (r AuthenticationMethodsReferences) MultiFactorAuthentication() bool
MultiFactorAuthentication returns true if multiple factors were used.
type AuthorizationServerIssuerIdentificationProvider ¶ added in v4.38.0
// AuthorizationServerIssuerIdentificationProvider exposes the issuer used for OAuth 2.0 Authorization
// Server Issuer Identification (the iss value attached to authorization responses).
type AuthorizationServerIssuerIdentificationProvider interface {
	// GetAuthorizationServerIdentificationIssuer returns the issuer identifier for the given context.
	GetAuthorizationServerIdentificationIssuer(ctx context.Context) (issuer string)
}
AuthorizationServerIssuerIdentificationProvider provides OAuth 2.0 Authorization Server Issuer Identification related methods.
type Client ¶ added in v4.35.0
// Client is Authelia's view of a registered OpenID Connect 1.0 client. It extends the oauthelia2 client
// interfaces with the per-client signing algorithm/key selection, PAR and PKCE enforcement, consent and
// authorization policy, and token lifespan accessors used by the provider.
type Client interface {
	oauthelia2.Client
	oauthelia2.ResponseModeClient
	RefreshFlowScopeClient

	// GetName returns the human-readable client name.
	GetName() (name string)

	// GetSectorIdentifierURI returns the sector identifier URI used for pairwise subject identifiers.
	GetSectorIdentifierURI() (sector string)

	// Signing algorithm and key ID for each signed artefact this client receives.
	GetAuthorizationSignedResponseAlg() (alg string)
	GetAuthorizationSignedResponseKeyID() (kid string)
	GetIDTokenSignedResponseAlg() (alg string)
	GetIDTokenSignedResponseKeyID() (kid string)
	GetAccessTokenSignedResponseAlg() (alg string)
	GetAccessTokenSignedResponseKeyID() (kid string)

	// GetEnableJWTProfileOAuthAccessTokens reports whether this client is issued RFC 9068 JWT access tokens.
	GetEnableJWTProfileOAuthAccessTokens() bool

	GetUserinfoSignedResponseAlg() (alg string)
	GetUserinfoSignedResponseKeyID() (kid string)
	GetIntrospectionSignedResponseAlg() (alg string)
	GetIntrospectionSignedResponseKeyID() (kid string)

	// GetRequirePushedAuthorizationRequests reports whether this client must use PAR (RFC 9126).
	GetRequirePushedAuthorizationRequests() (enforce bool)

	// PKCE policy: whether PKCE is mandatory, whether the challenge method is mandatory, and which method.
	GetEnforcePKCE() (enforce bool)
	GetEnforcePKCEChallengeMethod() (enforce bool)
	GetPKCEChallengeMethod() (method string)

	// ValidateResponseModePolicy rejects authorize requests whose response_mode this client may not use.
	ValidateResponseModePolicy(r oauthelia2.AuthorizeRequester) (err error)

	// GetConsentResponseBody builds the body shown by the consent GET endpoint for a consent session.
	GetConsentResponseBody(consent *model.OAuth2ConsentSession) (body ConsentGetResponseBody)

	// GetConsentPolicy returns the client's consent mode and duration.
	GetConsentPolicy() ClientConsentPolicy

	// IsAuthenticationLevelSufficient reports whether the subject's current authentication level satisfies
	// the client's authorization policy.
	IsAuthenticationLevelSufficient(level authentication.Level, subject authorization.Subject) (sufficient bool)

	// GetAuthorizationPolicyRequiredLevel returns the level the policy requires for the subject.
	GetAuthorizationPolicyRequiredLevel(subject authorization.Subject) (level authorization.Level)

	// GetAuthorizationPolicy returns the client's authorization policy.
	GetAuthorizationPolicy() (policy ClientAuthorizationPolicy)

	// GetEffectiveLifespan returns the lifespan for the grant/token type pair, or fallback when unset.
	GetEffectiveLifespan(gt oauthelia2.GrantType, tt oauthelia2.TokenType, fallback time.Duration) (lifespan time.Duration)
}
Client represents the internal client definitions.
func NewClient ¶
func NewClient(config schema.IdentityProvidersOpenIDConnectClient, c *schema.IdentityProvidersOpenIDConnect) (client Client)
NewClient creates a new Client.
type ClientAuthorizationPolicy ¶ added in v4.38.0
// ClientAuthorizationPolicy decides which authorization level a subject needs in order to use a client.
// Rules are consulted for a match; DefaultPolicy applies when none matches (see GetRequiredLevel).
type ClientAuthorizationPolicy struct {
	// Name identifies the policy.
	Name string

	// DefaultPolicy is the level applied when no rule matches the subject.
	DefaultPolicy authorization.Level

	// Rules are the subject-specific overrides.
	Rules []ClientAuthorizationPolicyRule
}
ClientAuthorizationPolicy controls and represents a client policy.
func NewClientAuthorizationPolicy ¶ added in v4.38.0
func NewClientAuthorizationPolicy(name string, config *schema.IdentityProvidersOpenIDConnect) (policy ClientAuthorizationPolicy)
NewClientAuthorizationPolicy creates a new ClientAuthorizationPolicy.
func (*ClientAuthorizationPolicy) GetRequiredLevel ¶ added in v4.38.0
func (p *ClientAuthorizationPolicy) GetRequiredLevel(subject authorization.Subject) authorization.Level
GetRequiredLevel returns the required authorization.Level given an authorization.Subject.
type ClientAuthorizationPolicyRule ¶ added in v4.38.0
// ClientAuthorizationPolicyRule binds an authorization level to the subjects it applies to, for a given
// OpenID Connect 1.0 client.
type ClientAuthorizationPolicyRule struct {
	// Subjects are the subject criteria; a rule matches when they match the subject (see MatchesSubjects).
	Subjects []authorization.AccessControlSubjects

	// Policy is the level required of subjects that match this rule.
	Policy authorization.Level
}
ClientAuthorizationPolicyRule describes the authorization.Level for particular criteria relevant to OpenID Connect 1.0 Clients.
func (*ClientAuthorizationPolicyRule) IsMatch ¶ added in v4.38.0
func (p *ClientAuthorizationPolicyRule) IsMatch(subject authorization.Subject) (match bool)
IsMatch returns true if all criteria of the rule match the given subject.
func (*ClientAuthorizationPolicyRule) MatchesSubjects ¶ added in v4.38.0
func (p *ClientAuthorizationPolicyRule) MatchesSubjects(subject authorization.Subject) (match bool)
MatchesSubjects returns true if the rule matches the subjects.
type ClientConsentMode ¶ added in v4.37.0
// ClientConsentMode enumerates how consent is obtained for a client; see the ClientConsentMode constants.
type ClientConsentMode int
ClientConsentMode represents the consent mode for a client.
const (
	// ClientConsentModeExplicit asks the user every time: consent is never assumed and pre-configured
	// (remembered) consent sessions are not allowed.
	ClientConsentModeExplicit ClientConsentMode = iota

	// ClientConsentModePreConfigured asks the user but lets them pre-configure consent so that later
	// requests can reuse it; consent is still never assumed.
	ClientConsentModePreConfigured

	// ClientConsentModeImplicit assumes consent without asking the user; pre-configured sessions are not
	// allowed because they are unnecessary.
	//
	// NOTE(review): this mode removes the user's opportunity to see and decline the requested scopes and
	// audience, so it is only appropriate for trusted first-party clients.
	ClientConsentModeImplicit
)
func (ClientConsentMode) String ¶ added in v4.37.0
func (c ClientConsentMode) String() string
String returns the string representation of the ClientConsentMode.
type ClientConsentPolicy ¶ added in v4.38.0
// ClientConsentPolicy is a client's consent configuration: the mode plus a duration.
type ClientConsentPolicy struct {
	// Mode selects explicit, pre-configured, or implicit consent.
	Mode ClientConsentMode

	// Duration is the consent duration; it is supplied optionally to NewClientConsentPolicy and is
	// presumably only meaningful for ClientConsentModePreConfigured (how long a remembered consent lasts) —
	// confirm against the consent handling code.
	Duration time.Duration
}
ClientConsentPolicy is the consent configuration for a client.
func NewClientConsentPolicy ¶ added in v4.38.0
func NewClientConsentPolicy(mode string, duration *time.Duration) ClientConsentPolicy
NewClientConsentPolicy converts the config options into an oidc.ClientConsentPolicy.
func (ClientConsentPolicy) String ¶ added in v4.38.0
func (c ClientConsentPolicy) String() string
String returns the string representation of the ClientConsentPolicy.
type ClientContext ¶ added in v4.38.7
type ClientRequestedAudienceMode ¶ added in v4.38.0
// ClientRequestedAudienceMode enumerates how a missing audience request parameter is interpreted for a
// client; see the ClientRequestedAudienceMode constants.
type ClientRequestedAudienceMode int
ClientRequestedAudienceMode represents the requested audience mode for a client.
const (
	// ClientRequestedAudienceModeExplicit grants an audience only when the client explicitly requested it.
	ClientRequestedAudienceModeExplicit ClientRequestedAudienceMode = iota

	// ClientRequestedAudienceModeImplicit treats an absent audience parameter as a request for every
	// audience the client is permitted to use.
	//
	// NOTE(review): this widens the audience of issued tokens to the client's full permitted set whenever
	// the parameter is omitted; prefer the explicit mode where tokens should stay narrowly scoped.
	ClientRequestedAudienceModeImplicit
)
func NewClientRequestedAudienceMode ¶ added in v4.38.0
func NewClientRequestedAudienceMode(mode string) ClientRequestedAudienceMode
NewClientRequestedAudienceMode converts the config option into an oidc.ClientRequestedAudienceMode.
func (ClientRequestedAudienceMode) String ¶ added in v4.38.0
func (ram ClientRequestedAudienceMode) String() string
String returns the string representation of the ClientRequestedAudienceMode.
type ClientRequesterResponder ¶ added in v4.38.0
// ClientRequesterResponder is the common subset of an oauthelia2 requester or responder that can report
// the client involved in the request.
type ClientRequesterResponder interface {
	// GetClient returns the client associated with the request or response.
	GetClient() oauthelia2.Client
}
ClientRequesterResponder is an oauthelia2.Requester or fosite.Responder with a GetClient method.
type ClientSecretDigest ¶ added in v4.38.0
// ClientSecretDigest wraps a *schema.PasswordDigest so a hashed client secret can satisfy
// oauth2.ClientSecret. Only the digest is embedded, so the plaintext secret is not retained here;
// the comparison itself is presumably delegated to the embedded digest — confirm in its methods.
type ClientSecretDigest struct {
	*schema.PasswordDigest
}
ClientSecretDigest decorates the *schema.PasswordDigest with the relevant functions to implement oauth2.ClientSecret.
type ClientStore ¶ added in v4.38.7
// ClientStore abstracts the Store's client registry so callers can resolve a client by its ID without
// depending on the concrete store.
type ClientStore interface {
	// GetRegisteredClient returns the Client registered under id, or an error when it cannot be resolved.
	GetRegisteredClient(ctx context.Context, id string) (client Client, err error)
}
ClientStore is an abstraction used for the Store struct which stores clients.
type CommonDiscoveryOptions ¶ added in v4.34.0
// CommonDiscoveryOptions holds the provider metadata shared by OpenID Connect Discovery 1.0 and
// OAuth 2.0 Authorization Server Metadata. JSON field order is the struct order; REQUIRED fields have no
// omitempty so they are always emitted.
type CommonDiscoveryOptions struct {
	// Issuer (REQUIRED) is the OP's Issuer Identifier: an https URL with no query or fragment. It MUST equal
	// the iss claim of issued ID Tokens, and the WebFinger issuer when issuer discovery is supported.
	Issuer string `json:"issuer"`

	// JWKSURI (REQUIRED) locates the OP's JWK Set used by RPs to validate signatures; it MAY also hold the
	// server's encryption keys. When both kinds are published every key needs a use parameter, and reusing a
	// key for both signing and encryption is NOT RECOMMENDED. If x5c is present the bare key values MUST still
	// be present and MUST match the certificate.
	JWKSURI string `json:"jwks_uri,omitempty"`

	// AuthorizationEndpoint (REQUIRED) is the OAuth 2.0 Authorization Endpoint.
	// See https://openid.net/specs/openid-connect-core-1_0.html
	AuthorizationEndpoint string `json:"authorization_endpoint"`

	// TokenEndpoint is the OAuth 2.0 Token Endpoint; REQUIRED unless only the Implicit Flow is used.
	TokenEndpoint string `json:"token_endpoint,omitempty"`

	// SubjectTypesSupported (REQUIRED) lists supported Subject Identifier types: pairwise and/or public.
	SubjectTypesSupported []string `json:"subject_types_supported"`

	// ResponseTypesSupported (REQUIRED) lists supported response_type values. Dynamic OPs MUST support
	// code, id_token, and token id_token.
	ResponseTypesSupported []string `json:"response_types_supported"`

	// GrantTypesSupported (OPTIONAL) lists supported grant types. Dynamic OPs MUST support
	// authorization_code and implicit; when omitted the default is ["authorization_code", "implicit"].
	GrantTypesSupported []string `json:"grant_types_supported,omitempty"`

	// ResponseModesSupported (OPTIONAL) lists supported response_mode values per OAuth 2.0 Multiple Response
	// Type Encoding Practices; the default for Dynamic OPs is ["query", "fragment"].
	ResponseModesSupported []string `json:"response_modes_supported,omitempty"`

	// ScopesSupported (RECOMMENDED) lists supported RFC 6749 scope values. openid MUST be supported; some
	// supported scopes MAY be left unadvertised, though those from OpenID.Core SHOULD be listed.
	ScopesSupported []string `json:"scopes_supported,omitempty"`

	// ClaimsSupported (RECOMMENDED) lists claim names the OP MAY supply; not necessarily exhaustive,
	// for privacy or other reasons.
	ClaimsSupported []string `json:"claims_supported,omitempty"`

	// UILocalesSupported (OPTIONAL) lists UI languages/scripts as BCP47 (RFC 5646) tags.
	UILocalesSupported []string `json:"ui_locales_supported,omitempty"`

	// TokenEndpointAuthMethodsSupported (OPTIONAL) lists client authentication methods at the Token
	// Endpoint: client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, or extension
	// methods (OpenID.Core Section 9). Default when omitted is client_secret_basic (RFC 6749 Section 2.3.1).
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`

	// TokenEndpointAuthSigningAlgValuesSupported (OPTIONAL) lists JWS alg values accepted for the JWT used
	// by private_key_jwt and client_secret_jwt. Servers SHOULD support RS256; none MUST NOT be used.
	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`

	// ServiceDocumentation (OPTIONAL) is a URL with developer-facing information, including how to register
	// clients when Dynamic Client Registration is unsupported.
	ServiceDocumentation string `json:"service_documentation,omitempty"`

	// OPPolicyURI (OPTIONAL) is a URL describing how the RP may use data provided by the OP; the registration
	// process SHOULD display it when given.
	OPPolicyURI string `json:"op_policy_uri,omitempty"`

	// OPTOSURI (OPTIONAL) is a URL for the OP's terms of service; the registration process SHOULD display it
	// when given.
	OPTOSURI string `json:"op_tos_uri,omitempty"`
}
CommonDiscoveryOptions represents the discovery options used in both OAuth 2.0 and OpenID Connect. See Also:
OpenID Connect Discovery: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata OAuth 2.0 Discovery: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-2
type Config ¶ added in v4.37.3
// Config implements oauthelia2.Configurator and carries every provider-level setting: signing material,
// issuer values, handler sets, lifespans, entropy requirements and the flags that switch protocol
// behaviours on or off. The Get* methods on *Config expose these to the oauthelia2 library.
type Config struct {
	// Signer signs JWT-based artefacts (ID Tokens, JWT access tokens, signed responses).
	Signer jwt.Signer

	// GlobalSecret is the current secret used both to sign and to verify HMAC-style signatures.
	GlobalSecret []byte

	// RotatedGlobalSecrets are previous secrets kept for verification only, so tokens signed before a
	// rotation keep validating while new ones are signed with GlobalSecret.
	RotatedGlobalSecrets [][]byte

	// Issuers holds the issuer values used for the various token/response types.
	Issuers IssuersConfig

	// SendDebugMessagesToClients controls whether debug messages are sent to clients.
	// NOTE(review): debug detail in client-facing errors can disclose internals; keep disabled in production.
	SendDebugMessagesToClients bool

	// DisableRefreshTokenValidation disables refresh token validation in the library.
	// NOTE(review): the exact validation it disables is not visible here — confirm before enabling.
	DisableRefreshTokenValidation bool

	// OmitRedirectScopeParameter omits the scope parameter from the authorization redirect.
	OmitRedirectScopeParameter bool

	// JWTScopeField selects how scopes are encoded in JWTs.
	JWTScopeField jwt.JWTScopeFieldEnum

	// JWTMaxDuration bounds the lifetime accepted for JWTs.
	JWTMaxDuration time.Duration

	// JWTSecuredAuthorizationLifespan is the lifespan of JWT Secured Authorization Responses (JARM).
	JWTSecuredAuthorizationLifespan time.Duration

	JWTAccessToken       JWTAccessTokenConfig
	Hash                 HashConfig
	Strategy             StrategyConfig
	PAR                  PARConfig
	Handlers             HandlersConfig
	Lifespans            LifespansConfig
	RFC8693              RFC8693Config
	ProofKeyCodeExchange ProofKeyCodeExchangeConfig
	GrantTypeJWTBearer   GrantTypeJWTBearerConfig

	// TokenURL is the token endpoint URL.
	TokenURL string

	// RFC8628UserVerificationURL is the verification URI shown to users in the Device Authorization flow.
	RFC8628UserVerificationURL string

	// Refresh token revocation behaviour for the revocation flow.
	RevokeRefreshTokensExplicit                        bool
	EnforceRevokeFlowRevokeRefreshTokensExplicitClient bool

	// EnforceJWTProfileAccessTokens forces RFC 9068 JWT access tokens for all clients.
	EnforceJWTProfileAccessTokens bool

	// ClientCredentialsFlowImplicitGrantRequested treats omitted scopes/audience in the client credentials
	// grant as implicitly requested.
	ClientCredentialsFlowImplicitGrantRequested bool

	// TokenEntropy is the entropy used when generating opaque tokens.
	TokenEntropy int

	// MinParameterEntropy is the minimum entropy required of request parameters (presumably state/nonce —
	// confirm against the library).
	MinParameterEntropy int

	// SanitationWhiteList lists the token endpoint form values that are safe to store in cleartext.
	SanitationWhiteList []string

	// AllowedPrompts lists the accepted prompt parameter values.
	AllowedPrompts []string

	// RefreshTokenScopes lists the scopes that cause a refresh token to be issued.
	RefreshTokenScopes []string

	// HTTPClient performs outbound HTTP requests (e.g. JWKS fetches) with retries.
	HTTPClient *retryablehttp.Client

	// MessageCatalog supplies localised messages.
	MessageCatalog i18n.MessageCatalog

	// Templates renders HTML responses such as the form post response mode.
	Templates *templates.Provider
}
Config is an implementation of the oauthelia2.Configurator.
func (*Config) GetAccessTokenIssuer ¶ added in v4.37.3
GetAccessTokenIssuer returns the access token issuer.
func (*Config) GetAccessTokenLifespan ¶ added in v4.37.3
GetAccessTokenLifespan returns the access token lifespan.
func (*Config) GetAllowedJWTAssertionAudiences ¶ added in v4.38.11
func (*Config) GetAllowedPrompts ¶ added in v4.37.3
GetAllowedPrompts returns the allowed prompts.
func (*Config) GetAudienceStrategy ¶ added in v4.37.3
func (c *Config) GetAudienceStrategy(ctx context.Context) (strategy oauthelia2.AudienceMatchingStrategy)
GetAudienceStrategy returns the audience strategy.
func (*Config) GetAuthorizationServerIdentificationIssuer ¶ added in v4.38.0
GetAuthorizationServerIdentificationIssuer returns the Authorization Server Identification issuer.
func (*Config) GetAuthorizeCodeLifespan ¶ added in v4.37.3
GetAuthorizeCodeLifespan returns the authorization code lifespan.
func (*Config) GetAuthorizeEndpointHandlers ¶ added in v4.37.3
func (c *Config) GetAuthorizeEndpointHandlers(ctx context.Context) (handlers oauthelia2.AuthorizeEndpointHandlers)
GetAuthorizeEndpointHandlers returns the authorize endpoint handlers.
func (*Config) GetClientAuthenticationStrategy ¶ added in v4.37.3
func (c *Config) GetClientAuthenticationStrategy(ctx context.Context) (strategy oauthelia2.ClientAuthenticationStrategy)
GetClientAuthenticationStrategy returns the client authentication strategy.
func (*Config) GetClientCredentialsFlowImplicitGrantRequested ¶ added in v4.38.0
func (*Config) GetContext ¶ added in v4.38.11
func (*Config) GetDefaultRFC8693RequestedTokenType ¶ added in v4.38.0
func (*Config) GetDisableRefreshTokenValidation ¶ added in v4.37.3
GetDisableRefreshTokenValidation returns the disable refresh token validation flag.
func (*Config) GetEnablePKCEPlainChallengeMethod ¶ added in v4.37.3
GetEnablePKCEPlainChallengeMethod returns the enable PKCE plain challenge method.
func (*Config) GetEnforceJWTProfileAccessTokens ¶ added in v4.38.0
func (*Config) GetEnforcePKCE ¶ added in v4.37.3
GetEnforcePKCE returns the enforcement of PKCE.
func (*Config) GetEnforcePKCEForPublicClients ¶ added in v4.37.3
GetEnforcePKCEForPublicClients returns the enforcement of PKCE for public clients.
func (*Config) GetEnforceRevokeFlowRevokeRefreshTokensExplicitClient ¶ added in v4.38.0
func (*Config) GetFormPostHTMLTemplate ¶ added in v4.37.3
GetFormPostHTMLTemplate returns the form post HTML template.
func (*Config) GetFormPostResponseWriter ¶ added in v4.38.0
func (c *Config) GetFormPostResponseWriter(ctx context.Context) oauthelia2.FormPostResponseWriter
GetFormPostResponseWriter returns a FormPostResponseWriter which should be utilized for writing the form post response type.
func (*Config) GetGlobalSecret ¶ added in v4.37.3
GetGlobalSecret returns the global secret.
func (*Config) GetGrantTypeJWTBearerCanSkipClientAuth ¶ added in v4.37.3
GetGrantTypeJWTBearerCanSkipClientAuth returns the grant type JWT bearer can skip client auth.
func (*Config) GetGrantTypeJWTBearerIDOptional ¶ added in v4.37.3
GetGrantTypeJWTBearerIDOptional returns the grant type JWT bearer ID optional.
func (*Config) GetGrantTypeJWTBearerIssuedDateOptional ¶ added in v4.37.3
GetGrantTypeJWTBearerIssuedDateOptional returns the grant type JWT bearer issued date optional.
func (*Config) GetHMACHasher ¶ added in v4.37.3
GetHMACHasher returns the hash function.
func (*Config) GetHTTPClient ¶ added in v4.37.3
GetHTTPClient returns the HTTP client provider.
func (*Config) GetIDTokenIssuer ¶ added in v4.37.3
GetIDTokenIssuer returns the ID token issuer.
func (*Config) GetIDTokenLifespan ¶ added in v4.37.3
GetIDTokenLifespan returns the ID token lifespan.
func (*Config) GetIntrospectionIssuer ¶ added in v4.38.7
GetIntrospectionIssuer returns the Introspection issuer.
func (*Config) GetIntrospectionJWTResponseSigner ¶ added in v4.38.7
GetIntrospectionJWTResponseSigner returns jwt.Signer for Introspection JWT Responses.
func (*Config) GetIssuerFallback ¶ added in v4.38.0
GetIssuerFallback returns the issuer from the ctx or returns the fallback value.
func (*Config) GetJWKSFetcherStrategy ¶ added in v4.37.3
func (c *Config) GetJWKSFetcherStrategy(ctx context.Context) (strategy oauthelia2.JWKSFetcherStrategy)
GetJWKSFetcherStrategy returns the JWKS fetcher strategy.
func (*Config) GetJWTMaxDuration ¶ added in v4.37.3
GetJWTMaxDuration returns the JWT max duration.
func (*Config) GetJWTScopeField ¶ added in v4.37.3
func (c *Config) GetJWTScopeField(ctx context.Context) (field jwt.JWTScopeFieldEnum)
GetJWTScopeField returns the JWT scope field.
func (*Config) GetJWTSecuredAuthorizeResponseModeIssuer ¶ added in v4.38.0
GetJWTSecuredAuthorizeResponseModeIssuer returns the issuer for JWT Secured Authorization Responses.
func (*Config) GetJWTSecuredAuthorizeResponseModeLifespan ¶ added in v4.38.0
func (c *Config) GetJWTSecuredAuthorizeResponseModeLifespan(ctx context.Context) (lifespan time.Duration)
GetJWTSecuredAuthorizeResponseModeLifespan returns the configured JWT Secured Authorization lifespan.
func (*Config) GetJWTSecuredAuthorizeResponseModeSigner ¶ added in v4.38.0
GetJWTSecuredAuthorizeResponseModeSigner returns jwt.Signer for JWT Secured Authorization Responses.
func (*Config) GetMessageCatalog ¶ added in v4.37.3
func (c *Config) GetMessageCatalog(ctx context.Context) (catalog i18n.MessageCatalog)
GetMessageCatalog returns the message catalog.
func (*Config) GetMinParameterEntropy ¶ added in v4.37.3
GetMinParameterEntropy returns the minimum parameter entropy.
func (*Config) GetOmitRedirectScopeParam ¶ added in v4.37.3
GetOmitRedirectScopeParam returns true if the scope query parameter is to be omitted from the authorization response redirect URI.
func (*Config) GetPushedAuthorizeContextLifespan ¶ added in v4.37.3
GetPushedAuthorizeContextLifespan is the lifespan of the short-lived PAR context.
func (*Config) GetPushedAuthorizeEndpointHandlers ¶ added in v4.37.3
func (c *Config) GetPushedAuthorizeEndpointHandlers(ctx context.Context) oauthelia2.PushedAuthorizeEndpointHandlers
GetPushedAuthorizeEndpointHandlers returns the handlers.
func (*Config) GetPushedAuthorizeRequestURIPrefix ¶ added in v4.37.3
GetPushedAuthorizeRequestURIPrefix is the request URI prefix. This is usually 'urn:ietf:params:oauth:request_uri:'.
func (*Config) GetRFC8628CodeLifespan ¶ added in v4.38.0
func (*Config) GetRFC8628DeviceAuthorizeEndpointHandlers ¶ added in v4.38.0
func (c *Config) GetRFC8628DeviceAuthorizeEndpointHandlers(ctx context.Context) oauthelia2.RFC8628DeviceAuthorizeEndpointHandlers
func (*Config) GetRFC8628TokenPollingInterval ¶ added in v4.38.0
func (*Config) GetRFC8628UserAuthorizeEndpointHandlers ¶ added in v4.38.0
func (c *Config) GetRFC8628UserAuthorizeEndpointHandlers(ctx context.Context) oauthelia2.RFC8628UserAuthorizeEndpointHandlers
func (*Config) GetRFC8628UserVerificationURL ¶ added in v4.38.0
func (*Config) GetRFC8693TokenTypes ¶ added in v4.38.0
func (c *Config) GetRFC8693TokenTypes(ctx context.Context) map[string]oauthelia2.RFC8693TokenType
func (*Config) GetRedirectSecureChecker ¶ added in v4.37.3
func (c *Config) GetRedirectSecureChecker(ctx context.Context) func(context.Context, *url.URL) (secure bool)
GetRedirectSecureChecker returns the redirect URL security validator.
func (*Config) GetRefreshTokenLifespan ¶ added in v4.37.3
GetRefreshTokenLifespan returns the refresh token lifespan.
func (*Config) GetRefreshTokenScopes ¶ added in v4.37.3
GetRefreshTokenScopes returns the refresh token scopes.
func (*Config) GetRequirePushedAuthorizationRequests ¶ added in v4.38.0
GetRequirePushedAuthorizationRequests indicates if the use of Pushed Authorization Requests (RFC 9126) is globally required. In this mode a client cannot pass authorization parameters directly to the 'authorize' endpoint; the request to that endpoint must instead carry the request_uri obtained from the PAR endpoint.
func (*Config) GetResponseModeHandlers ¶ added in v4.38.0
func (c *Config) GetResponseModeHandlers(ctx context.Context) oauthelia2.ResponseModeHandlers
func (*Config) GetResponseModeParameterHandlers ¶ added in v4.38.7
func (c *Config) GetResponseModeParameterHandlers(ctx context.Context) oauthelia2.ResponseModeParameterHandlers
func (*Config) GetRevocationHandlers ¶ added in v4.37.3
func (c *Config) GetRevocationHandlers(ctx context.Context) (handlers oauthelia2.RevocationHandlers)
GetRevocationHandlers returns the revocation handlers.
func (*Config) GetRevokeRefreshTokensExplicit ¶ added in v4.38.0
func (*Config) GetRotatedGlobalSecrets ¶ added in v4.37.3
GetRotatedGlobalSecrets returns the rotated global secrets.
func (*Config) GetSanitationWhiteList ¶ added in v4.37.3
GetSanitationWhiteList returns the allow-list of form values that are required by the token endpoint and are safe to persist in the database in cleartext; values not on this list are, by implication, not to be stored as-is.
func (*Config) GetScopeStrategy ¶ added in v4.37.3
func (c *Config) GetScopeStrategy(ctx context.Context) (strategy oauthelia2.ScopeStrategy)
GetScopeStrategy returns the scope strategy.
func (*Config) GetSendDebugMessagesToClients ¶ added in v4.37.3
GetSendDebugMessagesToClients returns the SendDebugMessagesToClients flag, i.e. whether debug messages are sent to clients.
func (*Config) GetTokenEndpointHandlers ¶ added in v4.37.3
func (c *Config) GetTokenEndpointHandlers(ctx context.Context) (handlers oauthelia2.TokenEndpointHandlers)
GetTokenEndpointHandlers returns the token endpoint handlers.
func (*Config) GetTokenEntropy ¶ added in v4.37.3
GetTokenEntropy returns the token entropy.
func (*Config) GetTokenIntrospectionHandlers ¶ added in v4.37.3
func (c *Config) GetTokenIntrospectionHandlers(ctx context.Context) (handlers oauthelia2.TokenIntrospectionHandlers)
GetTokenIntrospectionHandlers returns the token introspection handlers.
func (*Config) GetUseLegacyErrorFormat ¶ deprecated, added in v4.37.3
func (*Config) GetVerifiableCredentialsNonceLifespan ¶ added in v4.38.0
func (c *Config) GetVerifiableCredentialsNonceLifespan(ctx context.Context) (lifespan time.Duration)
GetVerifiableCredentialsNonceLifespan returns the lifespan of the verifiable credentials' nonce.
func (*Config) LoadHandlers ¶ added in v4.37.3
LoadHandlers reloads the handlers based on the current configuration.
type Configurator ¶ added in v4.38.0
// Configurator is an internal extension to the oauthelia2.Configurator which additionally
// exposes the AuthorizationServerIssuerIdentificationProvider methods.
type Configurator interface {
	oauthelia2.Configurator
	AuthorizationServerIssuerIdentificationProvider
}
Configurator is an internal extension to the oauthelia2.Configurator.
type ConsentGetResponseBody ¶
// ConsentGetResponseBody is the schema of the response body of the consent GET endpoint.
type ConsentGetResponseBody struct {
	ClientID          string   `json:"client_id"`
	ClientDescription string   `json:"client_description"`
	Scopes            []string `json:"scopes"`
	Audience          []string `json:"audience"`
	PreConfiguration  bool     `json:"pre_configuration"`
}
ConsentGetResponseBody schema of the response body of the consent GET endpoint.
type ConsentPostRequestBody ¶ added in v4.35.0
// ConsentPostRequestBody is the schema of the request body of the consent POST endpoint.
//
// NOTE(review): these values arrive from the browser; the handler is expected to verify that
// ConsentID and ClientID belong to the authenticated user's pending consent session rather than
// trusting them as submitted — confirm in the consent POST handler (not visible here).
type ConsentPostRequestBody struct {
	// ConsentID is serialised under the JSON key "id", not "consent_id".
	ConsentID    string `json:"id"`
	ClientID     string `json:"client_id"`
	Consent      bool   `json:"consent"`
	PreConfigure bool   `json:"pre_configure"`
}
ConsentPostRequestBody schema of the request body of the consent POST endpoint.
type ConsentPostResponseBody ¶ added in v4.35.0
// ConsentPostResponseBody is the schema of the response body of the consent POST endpoint.
type ConsentPostResponseBody struct {
	RedirectURI string `json:"redirect_uri"`
}
ConsentPostResponseBody schema of the response body of the consent POST endpoint.
type Context ¶ added in v4.38.0
// Context represents the context implementation that is used by some OpenID Connect 1.0
// implementations. It embeds context.Context and adds accessors for the issuer URLs, the clock and
// random providers, the configuration, and the JWT parser time option.
type Context interface {
	RootURL() (issuerURL *url.URL)
	IssuerURL() (issuerURL *url.URL, err error)
	GetClock() (clock clock.Provider)
	GetRandom() (random random.Provider)
	GetConfiguration() (config schema.Configuration)
	// GetJWTWithTimeFuncOption returns the parser option used so that JWT time-based claims are
	// evaluated against the same clock as GetClock — presumably; confirm against the implementation.
	GetJWTWithTimeFuncOption() (option jwt.ParserOption)
	context.Context
}
Context represents the context implementation that is used by some OpenID Connect 1.0 implementations.
type GrantTypeJWTBearerConfig ¶ added in v4.37.3
// GrantTypeJWTBearerConfig holds specific oauthelia2.Configurator information for the JWT Bearer
// Grant Type.
//
// NOTE(review): each field relaxes a check on the bearer assertion (client authentication, the
// jti claim, the issued-at date). The jti claim is what allows an assertion to be recognised on
// replay, so OptionalJTIClaim presumably weakens replay detection — confirm against the handler.
type GrantTypeJWTBearerConfig struct {
	OptionalClientAuth bool
	OptionalJTIClaim   bool
	OptionalIssuedDate bool
}
GrantTypeJWTBearerConfig holds specific oauthelia2.Configurator information for the JWT Bearer Grant Type.
type HandlersConfig ¶ added in v4.37.3
// HandlersConfig holds specific oauthelia2.Configurator handlers configuration information.
type HandlersConfig struct {
	// ResponseMode provides an extension handler for custom response modes.
	ResponseMode oauthelia2.ResponseModeHandlers

	// ResponseModeParameter provides an extension handler for custom response mode parameters added
	// later after the response mode is assured.
	ResponseModeParameter oauthelia2.ResponseModeParameterHandlers

	// AuthorizeEndpoint is a list of handlers that are called before the authorization endpoint is served.
	AuthorizeEndpoint oauthelia2.AuthorizeEndpointHandlers

	// TokenEndpoint is a list of handlers that are called before the token endpoint is served.
	TokenEndpoint oauthelia2.TokenEndpointHandlers

	// TokenIntrospection is a list of handlers that are called before the token introspection endpoint is served.
	TokenIntrospection oauthelia2.TokenIntrospectionHandlers

	// Revocation is a list of handlers that are called before the revocation endpoint is served.
	Revocation oauthelia2.RevocationHandlers

	// PushedAuthorizeEndpoint is a list of handlers that are called before the PAR endpoint is served.
	PushedAuthorizeEndpoint oauthelia2.PushedAuthorizeEndpointHandlers

	// RFC8628DeviceAuthorizeEndpoint holds the handlers for the RFC 8628 device authorization
	// endpoint. Undocumented upstream; presumably called before that endpoint is served, like the
	// other handler lists — confirm.
	RFC8628DeviceAuthorizeEndpoint oauthelia2.RFC8628DeviceAuthorizeEndpointHandlers

	// RFC8628UserAuthorizeEndpoint holds the handlers for the RFC 8628 user authorization
	// endpoint. Undocumented upstream; presumably called before that endpoint is served — confirm.
	RFC8628UserAuthorizeEndpoint oauthelia2.RFC8628UserAuthorizeEndpointHandlers
}
HandlersConfig holds specific oauthelia2.Configurator handlers configuration information.
type HashConfig ¶ added in v4.37.3
HashConfig holds specific oauthelia2.Configurator information for hashing.
type IDTokenClaimsSession ¶ added in v4.38.0
// IDTokenClaimsSession is a session which can return the IDTokenClaims type.
type IDTokenClaimsSession interface {
	GetIDTokenClaims() *fjwt.IDTokenClaims
}
IDTokenClaimsSession is a session which can return the IDTokenClaims type.
type IDTokenSessionContainer ¶ added in v4.38.0
// IDTokenSessionContainer is similar to the oauth2.JWTSessionContainer to facilitate obtaining the
// headers as appropriate.
type IDTokenSessionContainer interface {
	IDTokenHeaders() *fjwt.Headers
	IDTokenClaims() *fjwt.IDTokenClaims
}
IDTokenSessionContainer is similar to the oauth2.JWTSessionContainer to facilitate obtaining the headers as appropriate.
type IssuersConfig ¶ added in v4.37.3
// IssuersConfig holds specific oauthelia2.Configurator information for the issuer. Each field is
// the issuer string used for the corresponding token or response type.
type IssuersConfig struct {
	IDToken                                 string
	AccessToken                             string
	Introspection                           string
	AuthorizationServerIssuerIdentification string
	JWTSecuredResponseMode                  string
}
IssuersConfig holds specific oauthelia2.Configurator information for the issuer.
type JWK ¶ added in v4.37.0
// JWK is a representation layer over the *jose.JSONWebKey for convenience.
type JWK struct {
	// contains filtered or unexported fields
}
JWK is a representation layer over the *jose.JSONWebKey for convenience.
func (*JWK) DirectJWK ¶ added in v4.38.0
func (j *JWK) DirectJWK() (jwk jose.JSONWebKey)
DirectJWK directly returns the *JWK as a jose.JSONWebKey with the private key if appropriate.
func (*JWK) GetPrivateKey ¶ added in v4.37.3
GetPrivateKey returns the Private Key for this *JWK.
func (*JWK) GetSigningMethod ¶ added in v4.38.0
func (j *JWK) GetSigningMethod() jwt.SigningMethod
GetSigningMethod returns the jwt.SigningMethod for this *JWK.
func (*JWK) JWK ¶ added in v4.38.0
func (j *JWK) JWK() (jwk jose.JSONWebKey)
JWK returns the *JWK as a jose.JSONWebKey, specifically without the private key material.
func (*JWK) PrivateJWK ¶ added in v4.38.0
func (j *JWK) PrivateJWK() (jwk *jose.JSONWebKey)
PrivateJWK directly returns the *JWK as a *jose.JSONWebKey with the private key if appropriate.
type JWTAccessTokenConfig ¶ added in v4.38.0
JWTAccessTokenConfig represents the JWT Access Token config.
type JWTSecuredResponseModeProvider ¶ added in v4.38.0
// JWTSecuredResponseModeProvider provides JARM related methods: the lifespan, signer and issuer
// used for JWT Secured Authorization Response Mode responses.
type JWTSecuredResponseModeProvider interface {
	GetJWTSecuredAuthorizeResponseModeLifespan(ctx context.Context) (lifespan time.Duration)
	GetJWTSecuredAuthorizeResponseModeSigner(ctx context.Context) (signer fjwt.Signer)
	GetJWTSecuredAuthorizeResponseModeIssuer(ctx context.Context) (issuer string)
}
JWTSecuredResponseModeProvider provides JARM related methods.
type KeyManager ¶
// KeyManager handles JWKs and signing operations.
type KeyManager struct {
	// contains filtered or unexported fields
}
The KeyManager type handles JWKs and signing operations.
func NewKeyManager ¶
func NewKeyManager(config *schema.IdentityProvidersOpenIDConnect) (manager *KeyManager)
NewKeyManager constructs a new KeyManager from the provided configuration.
func (*KeyManager) Decode ¶ added in v4.38.0
Decode implements the fosite jwt.Signer interface and automatically maps the underlying keys based on the JWK Header kid.
func (*KeyManager) Generate ¶ added in v4.38.0
func (m *KeyManager) Generate(ctx context.Context, claims fjwt.MapClaims, header fjwt.Mapper) (tokenString string, sig string, err error)
Generate implements the fosite jwt.Signer interface and automatically maps the underlying keys based on the JWK Header kid.
func (*KeyManager) Get ¶ added in v4.38.0
func (m *KeyManager) Get(ctx context.Context, kid, alg string) *JWK
Get returns the JWK for a given kid/alg, or nil if it doesn't exist.
func (*KeyManager) GetByAlg ¶ added in v4.38.0
func (m *KeyManager) GetByAlg(ctx context.Context, alg string) *JWK
GetByAlg returns the JWK given an alg or nil if it doesn't exist.
func (*KeyManager) GetByHeader ¶ added in v4.38.0
GetByHeader returns the JWK for a JWT header with the appropriate kid value, or returns an error.
func (*KeyManager) GetByKID ¶ added in v4.38.0
func (m *KeyManager) GetByKID(ctx context.Context, kid string) *JWK
GetByKID returns the JWK for a given key id, or nil if it doesn't exist. If given a blank string it returns the default.
func (*KeyManager) GetByTokenString ¶ added in v4.38.0
func (m *KeyManager) GetByTokenString(ctx context.Context, tokenString string) (jwk *JWK, err error)
GetByTokenString performs an unvalidated decode of a token (the signature is not verified) solely to read its header, then calls GetByHeader.
func (*KeyManager) GetDefaultKeyID ¶ added in v4.38.0
func (m *KeyManager) GetDefaultKeyID(ctx context.Context) string
GetDefaultKeyID returns the default key id.
func (*KeyManager) GetKeyID ¶ added in v4.38.0
func (m *KeyManager) GetKeyID(ctx context.Context, kid, alg string) string
GetKeyID returns the JWK Key ID for a given kid/alg, or the default if it doesn't exist.
func (*KeyManager) GetKeyIDFromAlg ¶ added in v4.38.0
func (m *KeyManager) GetKeyIDFromAlg(ctx context.Context, alg string) string
GetKeyIDFromAlg returns the key id given an alg or the default if it doesn't exist.
func (*KeyManager) GetKeyIDFromAlgStrict ¶ added in v4.38.0
GetKeyIDFromAlgStrict returns the key id given an alg or an error if it doesn't exist.
func (*KeyManager) GetSignature ¶ added in v4.38.0
GetSignature implements the fosite jwt.Signer interface.
func (*KeyManager) GetSigningMethodLength ¶ added in v4.38.0
func (m *KeyManager) GetSigningMethodLength(ctx context.Context) (size int)
GetSigningMethodLength implements the fosite jwt.Signer interface.
func (*KeyManager) Set ¶ added in v4.38.0
func (m *KeyManager) Set(ctx context.Context) *jose.JSONWebKeySet
Set returns the *jose.JSONWebKeySet.
type LifespansConfig ¶ added in v4.38.0
type MemoryClientStore ¶ added in v4.38.7
// MemoryClientStore is an implementation of the ClientStore which just stores the clients in memory.
type MemoryClientStore struct {
	// contains filtered or unexported fields
}
MemoryClientStore is an implementation of the ClientStore which just stores the clients in memory.
func NewMemoryClientStore ¶ added in v4.38.7
func NewMemoryClientStore(config *schema.IdentityProvidersOpenIDConnect) (store *MemoryClientStore)
func (*MemoryClientStore) GetRegisteredClient ¶ added in v4.38.7
func (s *MemoryClientStore) GetRegisteredClient(_ context.Context, id string) (client Client, err error)
GetRegisteredClient returns a Client matching the provided id.
type OAuth2DeviceAuthorizationGrantDiscoveryOptions ¶ added in v4.38.0
// OAuth2DeviceAuthorizationGrantDiscoveryOptions holds the discovery option for the device
// authorization endpoint (no upstream doc comment; the field comment references Section 3.1 of the
// device authorization grant specification).
type OAuth2DeviceAuthorizationGrantDiscoveryOptions struct {
	// OPTIONAL. URL of the authorization server's device authorization endpoint, as defined in Section 3.1.
	DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint"`
}
type OAuth2DiscoveryOptions ¶ added in v4.34.0
// OAuth2DiscoveryOptions represents the discovery options specific to OAuth 2.0.
type OAuth2DiscoveryOptions struct {
	// OPTIONAL. URL of the authorization server's OAuth 2.0 introspection endpoint [RFC7662].
	//
	// See Also: OAuth 2.0 Token Introspection: https://datatracker.ietf.org/doc/html/rfc7662
	IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`

	// OPTIONAL. URL of the authorization server's OAuth 2.0 revocation endpoint [RFC7009].
	//
	// See Also: OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
	RevocationEndpoint string `json:"revocation_endpoint,omitempty"`

	// OPTIONAL. URL of the authorization server's OAuth 2.0 Dynamic Client Registration endpoint [RFC7591].
	//
	// See Also: OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`

	// OPTIONAL. JSON array containing a list of client authentication methods supported by this
	// introspection endpoint. The valid client authentication method values are those registered in
	// the IANA "OAuth Token Endpoint Authentication Methods" registry [IANA.OAuth.Parameters] or
	// those registered in the IANA "OAuth Access Token Types" registry [IANA.OAuth.Parameters].
	// (These values are and will remain distinct, due to Section 7.2.) If omitted, the set of
	// supported authentication methods MUST be determined by other means.
	//
	// See Also:
	//   IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
	//   OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions:
	//   https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2
	IntrospectionEndpointAuthMethodsSupported []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported
	// by the introspection endpoint for the signature on the JWT [JWT] used to authenticate the
	// client at the introspection endpoint for the "private_key_jwt" and "client_secret_jwt"
	// authentication methods. This metadata entry MUST be present if either of these authentication
	// methods are specified in the "introspection_endpoint_auth_methods_supported" entry. No default
	// algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
	//
	// See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
	IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of client authentication methods supported by this
	// revocation endpoint. The valid client authentication method values are those registered in the
	// IANA "OAuth Token Endpoint Authentication Methods" registry [IANA.OAuth.Parameters]. If
	// omitted, the default is "client_secret_basic" -- the HTTP Basic Authentication Scheme specified
	// in Section 2.3.1 of OAuth 2.0 [RFC6749].
	//
	// See Also:
	//   IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
	//   OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
	RevocationEndpointAuthMethodsSupported []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported
	// by the revocation endpoint for the signature on the JWT [JWT] used to authenticate the client
	// at the revocation endpoint for the "private_key_jwt" and "client_secret_jwt" authentication
	// methods. This metadata entry MUST be present if either of these authentication methods are
	// specified in the "revocation_endpoint_auth_methods_supported" entry. No default algorithms are
	// implied if this entry is omitted. The value "none" MUST NOT be used.
	//
	// See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
	RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of PKCE [RFC7636] code challenge methods supported by
	// this authorization server. Code challenge method values are used in the
	// "code_challenge_method" parameter defined in Section 4.3 of [RFC7636]. The valid code challenge
	// method values are those registered in the IANA "PKCE Code Challenge Methods" registry
	// [IANA.OAuth.Parameters]. If omitted, the authorization server does not support PKCE.
	//
	// See Also:
	//   PKCE: https://datatracker.ietf.org/doc/html/rfc7636
	//   IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
}
OAuth2DiscoveryOptions represents the discovery options specific to OAuth 2.0.
type OAuth2IssuerIdentificationDiscoveryOptions ¶ added in v4.38.0
// OAuth2IssuerIdentificationDiscoveryOptions holds the discovery option advertising support for
// the iss parameter in authorization responses (no upstream doc comment; the name suggests the
// OAuth 2.0 Authorization Server Issuer Identification specification — unverified).
type OAuth2IssuerIdentificationDiscoveryOptions struct {
	AuthorizationResponseIssuerParameterSupported bool `json:"authorization_response_iss_parameter_supported"`
}
type OAuth2JWTIntrospectionResponseDiscoveryOptions ¶ added in v4.38.0
// OAuth2JWTIntrospectionResponseDiscoveryOptions holds the discovery options describing how the
// introspection endpoint signs and encrypts JWT introspection responses (no upstream doc comment).
type OAuth2JWTIntrospectionResponseDiscoveryOptions struct {
	// OPTIONAL. JSON array containing a list of the JWS [RFC7515] signing algorithms ("alg" values)
	// as defined in JWA [RFC7518] supported by the introspection endpoint to sign the response.
	IntrospectionSigningAlgValuesSupported []string `json:"introspection_signing_alg_values_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of the JWE [RFC7516] encryption algorithms ("alg"
	// values) as defined in JWA [RFC7518] supported by the introspection endpoint to encrypt the
	// content encryption key for introspection responses (content key encryption).
	IntrospectionEncryptionAlgValuesSupported []string `json:"introspection_encryption_alg_values_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of the JWE [RFC7516] encryption algorithms ("enc"
	// values) as defined in JWA [RFC7518] supported by the introspection endpoint to encrypt the
	// response (content encryption).
	IntrospectionEncryptionEncValuesSupported []string `json:"introspection_encryption_enc_values_supported,omitempty"`
}
type OAuth2JWTSecuredAuthorizationRequestDiscoveryOptions ¶ added in v4.38.0
// OAuth2JWTSecuredAuthorizationRequestDiscoveryOptions holds the discovery option for JWT Secured
// Authorization Requests (no upstream doc comment).
type OAuth2JWTSecuredAuthorizationRequestDiscoveryOptions struct {
	// Indicates where authorization request needs to be protected as Request Object and provided
	// through either request or request_uri parameter.
	//
	// No omitempty: a false value is emitted explicitly, so relying parties never have to infer it.
	RequireSignedRequestObject bool `json:"require_signed_request_object"`
}
type OAuth2MutualTLSClientAuthenticationAliasesDiscoveryOptions ¶ added in v4.38.0
// OAuth2MutualTLSClientAuthenticationAliasesDiscoveryOptions holds the alternative endpoint URLs
// published under mtls_endpoint_aliases for clients performing mutual TLS (no upstream doc
// comment; see OAuth2MutualTLSClientAuthenticationDiscoveryOptions.MutualTLSEndpointAliases).
type OAuth2MutualTLSClientAuthenticationAliasesDiscoveryOptions struct {
	AuthorizationEndpoint              string `json:"authorization_endpoint,omitempty"`
	TokenEndpoint                      string `json:"token_endpoint,omitempty"`
	IntrospectionEndpoint              string `json:"introspection_endpoint,omitempty"`
	RevocationEndpoint                 string `json:"revocation_endpoint,omitempty"`
	EndSessionEndpoint                 string `json:"end_session_endpoint,omitempty"`
	UserinfoEndpoint                   string `json:"userinfo_endpoint,omitempty"`
	BackChannelAuthenticationEndpoint  string `json:"backchannel_authentication_endpoint,omitempty"`
	FederationRegistrationEndpoint     string `json:"federation_registration_endpoint,omitempty"`
	PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint,omitempty"`
	RegistrationEndpoint               string `json:"registration_endpoint,omitempty"`
}
type OAuth2MutualTLSClientAuthenticationDiscoveryOptions ¶ added in v4.38.0
// OAuth2MutualTLSClientAuthenticationDiscoveryOptions holds the discovery options for OAuth 2.0
// Mutual-TLS client authentication and certificate-bound access tokens (no upstream doc comment).
type OAuth2MutualTLSClientAuthenticationDiscoveryOptions struct {
	// OPTIONAL. Boolean value indicating server support for mutual-TLS client certificate-bound
	// access tokens. If omitted, the default value is false.
	TLSClientCertificateBoundAccessTokens bool `json:"tls_client_certificate_bound_access_tokens"`

	// OPTIONAL. A JSON object containing alternative authorization server endpoints that, when
	// present, an OAuth client intending to do mutual TLS uses in preference to the conventional
	// endpoints. The parameter value itself consists of one or more endpoint parameters, such as
	// token_endpoint, revocation_endpoint, introspection_endpoint, etc., conventionally defined for
	// the top level of authorization server metadata. An OAuth client intending to do mutual TLS
	// (for OAuth client authentication and/or to acquire or use certificate-bound tokens) when
	// making a request directly to the authorization server MUST use the alias URL of the endpoint
	// within the mtls_endpoint_aliases, when present, in preference to the endpoint URL of the same
	// name at the top level of metadata. When an endpoint is not present in mtls_endpoint_aliases,
	// then the client uses the conventional endpoint URL defined at the top level of the
	// authorization server metadata. Metadata parameters within mtls_endpoint_aliases that do not
	// define endpoints to which an OAuth client makes a direct request have no meaning and SHOULD
	// be ignored.
	//
	// NOTE(review): the tag has no omitempty, so an empty aliases object is always emitted.
	MutualTLSEndpointAliases OAuth2MutualTLSClientAuthenticationAliasesDiscoveryOptions `json:"mtls_endpoint_aliases"`
}
type OAuth2PushedAuthorizationDiscoveryOptions ¶ added in v4.38.0
// OAuth2PushedAuthorizationDiscoveryOptions represents the well known discovery document specific
// to the OAuth 2.0 Pushed Authorization Requests (RFC9126) implementation.
//
// OAuth 2.0 Pushed Authorization Requests: https://datatracker.ietf.org/doc/html/rfc9126#section-5
type OAuth2PushedAuthorizationDiscoveryOptions struct {
	// The URL of the pushed authorization request endpoint at which a client can post an
	// authorization request to exchange for a "request_uri" value usable at the authorization server.
	PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint"`

	// Boolean parameter indicating whether the authorization server accepts authorization request
	// data only via PAR. If omitted, the default value is "false".
	//
	// No omitempty: the value is emitted even when false, matching the documented default.
	RequirePushedAuthorizationRequests bool `json:"require_pushed_authorization_requests"`
}
OAuth2PushedAuthorizationDiscoveryOptions represents the well known discovery document specific to the OAuth 2.0 Pushed Authorization Requests (RFC9126) implementation.
OAuth 2.0 Pushed Authorization Requests: https://datatracker.ietf.org/doc/html/rfc9126#section-5
type OAuth2WellKnownClaims ¶ added in v4.38.0
// OAuth2WellKnownClaims is the claims set of the signed well-known metadata JWT: the signed
// configuration itself together with the registered JWT claims (no upstream doc comment).
type OAuth2WellKnownClaims struct {
	OAuth2WellKnownSignedConfiguration
	jwt.RegisteredClaims
}
type OAuth2WellKnownConfiguration ¶ added in v4.34.0
// OAuth2WellKnownConfiguration represents the well known discovery document specific to OAuth 2.0.
// The optional extension documents are embedded as pointers so a nil pointer omits that extension.
type OAuth2WellKnownConfiguration struct {
	CommonDiscoveryOptions
	OAuth2DiscoveryOptions

	*OAuth2DeviceAuthorizationGrantDiscoveryOptions
	*OAuth2MutualTLSClientAuthenticationDiscoveryOptions
	*OAuth2IssuerIdentificationDiscoveryOptions
	*OAuth2JWTIntrospectionResponseDiscoveryOptions
	*OAuth2JWTSecuredAuthorizationRequestDiscoveryOptions
	*OAuth2PushedAuthorizationDiscoveryOptions
}
OAuth2WellKnownConfiguration represents the well known discovery document specific to OAuth 2.0.
func (OAuth2WellKnownConfiguration) Copy ¶ added in v4.38.0
func (opts OAuth2WellKnownConfiguration) Copy() (optsCopy OAuth2WellKnownConfiguration)
Copy copies the values of the OAuth2WellKnownConfiguration and returns them as a new struct.
type OAuth2WellKnownSignedConfiguration ¶ added in v4.38.0
// OAuth2WellKnownSignedConfiguration is the OAuth2WellKnownConfiguration extended with the
// signed_metadata value (no upstream doc comment).
type OAuth2WellKnownSignedConfiguration struct {
	OAuth2WellKnownConfiguration

	// A JWT containing metadata values about the authorization server as claims. This is a string
	// value consisting of the entire signed JWT. A "signed_metadata" metadata value SHOULD NOT
	// appear as a claim in the JWT.
	SignedMetadata string `json:"signed_metadata,omitempty"`
}
type OpenIDConnectBackChannelLogoutDiscoveryOptions ¶ added in v4.34.0
// OpenIDConnectBackChannelLogoutDiscoveryOptions represents the discovery options specific to
// OpenID Connect Back-Channel Logout functionality.
//
// See Also: OpenID Connect Back-Channel Logout:
// https://openid.net/specs/openid-connect-backchannel-1_0.html#BCSupport
type OpenIDConnectBackChannelLogoutDiscoveryOptions struct {
	// OPTIONAL. Boolean value specifying whether the OP supports back-channel logout, with true
	// indicating support. If omitted, the default value is false.
	BackChannelLogoutSupported bool `json:"backchannel_logout_supported"`

	// OPTIONAL. Boolean value specifying whether the OP can pass a sid (session ID) Claim in the
	// Logout Token to identify the RP session with the OP. If supported, the sid Claim is also
	// included in ID Tokens issued by the OP. If omitted, the default value is false.
	BackChannelLogoutSessionSupported bool `json:"backchannel_logout_session_supported"`
}
OpenIDConnectBackChannelLogoutDiscoveryOptions represents the discovery options specific to OpenID Connect Back-Channel Logout functionality. See Also:
OpenID Connect Back-Channel Logout: https://openid.net/specs/openid-connect-backchannel-1_0.html#BCSupport
type OpenIDConnectClientInitiatedBackChannelAuthFlowDiscoveryOptions ¶ added in v4.38.0
// OpenIDConnectClientInitiatedBackChannelAuthFlowDiscoveryOptions represents the discovery
// options specific to OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0.
//
// See Also: OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0:
// https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.4
type OpenIDConnectClientInitiatedBackChannelAuthFlowDiscoveryOptions struct {
	// REQUIRED. URL of the OP's Backchannel Authentication Endpoint as defined in Section 7.
	BackChannelAuthenticationEndpoint string `json:"backchannel_authentication_endpoint"`

	// REQUIRED. JSON array containing one or more of the following values: poll, ping, and push.
	BackChannelTokenDeliveryModesSupported []string `json:"backchannel_token_delivery_modes_supported"`

	// OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by
	// the OP for signed authentication requests, which are described in Section 7.1.1. If omitted,
	// signed authentication requests are not supported by the OP.
	BackChannelAuthRequestSigningAlgValuesSupported []string `json:"backchannel_authentication_request_signing_alg_values_supported,omitempty"`

	// OPTIONAL. Boolean value specifying whether the OP supports the use of the user_code
	// parameter, with true indicating support. If omitted, the default value is false.
	BackChannelUserCodeParameterSupported bool `json:"backchannel_user_code_parameter_supported"`
}
OpenIDConnectClientInitiatedBackChannelAuthFlowDiscoveryOptions represents the discovery options specific to OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0.
The following authorization server metadata parameters are introduced by this specification for OPs publishing their support of the CIBA flow and details thereof.
See Also:
OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.4
type OpenIDConnectDiscoveryOptions ¶ added in v4.34.0
// OpenIDConnectDiscoveryOptions represents the discovery options specific to OpenID Connect.
type OpenIDConnectDiscoveryOptions struct {
	// REQUIRED. JSON array containing a list of the JWS signing algorithms (alg values) supported by
	// the OP for the ID Token to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be
	// included. The value none MAY be supported, but MUST NOT be used unless the Response Type used
	// returns no ID Token from the Authorization Endpoint (such as when using the Authorization Code
	// Flow).
	//
	// NOTE(review): the element is REQUIRED by the spec text above, yet the tag carries omitempty,
	// so an empty list would silently drop it from the document — confirm the producer never
	// leaves it empty.
	//
	// See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported
	// by the OP for the ID Token to encode the Claims in a JWT [JWT].
	//
	// See Also:
	//   JWE: https://datatracker.ietf.org/doc/html/rfc7516
	//   JWT: https://datatracker.ietf.org/doc/html/rfc7519
	IDTokenEncryptionAlgValuesSupported []string `json:"id_token_encryption_alg_values_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported
	// by the OP for the ID Token to encode the Claims in a JWT [JWT].
	//
	// See Also:
	//   JWE: https://datatracker.ietf.org/doc/html/rfc7516
	//   JWT: https://datatracker.ietf.org/doc/html/rfc7519
	IDTokenEncryptionEncValuesSupported []string `json:"id_token_encryption_enc_values_supported,omitempty"`

	// RECOMMENDED. URL of the OP's UserInfo Endpoint [OpenID.Core]. This URL MUST use the https
	// scheme and MAY contain port, path, and query parameter components.
	//
	// See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
	UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"`

	// OPTIONAL. JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA]
	// supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be
	// included.
	//
	// See Also:
	//   JWS: https://datatracker.ietf.org/doc/html/rfc7515
	//   JWA: https://datatracker.ietf.org/doc/html/rfc7518
	//   JWT: https://datatracker.ietf.org/doc/html/rfc7519
	UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of the JWE [JWE] encryption algorithms (alg values)
	// [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].
	//
	// See Also:
	//   JWE: https://datatracker.ietf.org/doc/html/rfc7516
	//   JWA: https://datatracker.ietf.org/doc/html/rfc7518
	//   JWT: https://datatracker.ietf.org/doc/html/rfc7519
	UserinfoEncryptionAlgValuesSupported []string `json:"userinfo_encryption_alg_values_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) [JWA]
	// supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].
	//
	// See Also:
	//   JWE: https://datatracker.ietf.org/doc/html/rfc7516
	//   JWA: https://datatracker.ietf.org/doc/html/rfc7518
	//   JWT: https://datatracker.ietf.org/doc/html/rfc7519
	UserinfoEncryptionEncValuesSupported []string `json:"userinfo_encryption_enc_values_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by
	// the OP for Request Objects, which are described in Section 6.1 of OpenID Connect Core 1.0
	// [OpenID.Core]. These algorithms are used both when the Request Object is passed by value
	// (using the request parameter) and when it is passed by reference (using the request_uri
	// parameter). Servers SHOULD support none and RS256.
	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported
	// by the OP for Request Objects. These algorithms are used both when the Request Object is
	// passed by value and when it is passed by reference.
	//
	// See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
	RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported
	// by the OP for Request Objects. These algorithms are used both when the Request Object is
	// passed by value and when it is passed by reference.
	//
	// See Also:
	//   JWE: https://datatracker.ietf.org/doc/html/rfc7516
	//   JWT: https://datatracker.ietf.org/doc/html/rfc7519
	RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of the Authentication Context Class References that
	// this OP supports.
	ACRValuesSupported []string `json:"acr_values_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of the display parameter values that the OpenID
	// Provider supports. These values are described in Section 3.1.2.1 of OpenID Connect Core 1.0
	// [OpenID.Core].
	//
	// See Also: OpenID.Core Section 3.1.2.1: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
	DisplayValuesSupported []string `json:"display_values_supported,omitempty"`

	// OPTIONAL. JSON array containing a list of the Claim Types that the OpenID Provider supports.
	// These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core].
	// Values defined by this specification are normal, aggregated, and distributed. If omitted, the
	// implementation supports only normal Claims.
	//
	// See Also: OpenID.Core Section 5.6: https://openid.net/specs/openid-connect-core-1_0.html#ClaimTypes
	ClaimTypesSupported []string `json:"claim_types_supported,omitempty"`

	// OPTIONAL. Languages and scripts supported for values in Claims being returned, represented as
	// a JSON array of BCP47 [RFC5646] language tag values. Not all languages and scripts are
	// necessarily supported for all Claim values.
	//
	// See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
	ClaimLocalesSupported []string `json:"claims_locales_supported,omitempty"`

	// OPTIONAL. Boolean value specifying whether the OP supports use of the request parameter, with
	// true indicating support. If omitted, the default value is false.
	RequestParameterSupported bool `json:"request_parameter_supported"`

	// OPTIONAL. Boolean value specifying whether the OP supports use of the request_uri parameter,
	// with true indicating support. If omitted, the default value is true.
	//
	// No omitempty, deliberately so: because the documented default when absent is true, a false
	// value must be written explicitly or relying parties would assume request_uri is supported.
	RequestURIParameterSupported bool `json:"request_uri_parameter_supported"`

	// OPTIONAL. Boolean value specifying whether the OP requires any request_uri values used to be
	// pre-registered using the request_uris registration parameter. Pre-registration is REQUIRED
	// when the value is true. If omitted, the default value is false.
	RequireRequestURIRegistration bool `json:"require_request_uri_registration"`

	// OPTIONAL. Boolean value specifying whether the OP supports use of the claims parameter, with
	// true indicating support. If omitted, the default value is false.
	ClaimsParameterSupported bool `json:"claims_parameter_supported"`
}
OpenIDConnectDiscoveryOptions represents the discovery options specific to OpenID Connect.
type OpenIDConnectFrontChannelLogoutDiscoveryOptions ¶ added in v4.34.0
// OpenIDConnectFrontChannelLogoutDiscoveryOptions represents the discovery options specific to
// OpenID Connect Front-Channel Logout functionality.
//
// See Also: OpenID Connect Front-Channel Logout:
// https://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout
type OpenIDConnectFrontChannelLogoutDiscoveryOptions struct {
	// OPTIONAL. Boolean value specifying whether the OP supports HTTP-based logout, with true
	// indicating support. If omitted, the default value is false.
	FrontChannelLogoutSupported bool `json:"frontchannel_logout_supported"`

	// OPTIONAL. Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID)
	// query parameters to identify the RP session with the OP when the frontchannel_logout_uri is
	// used. If supported, the sid Claim is also included in ID Tokens issued by the OP. If omitted,
	// the default value is false.
	FrontChannelLogoutSessionSupported bool `json:"frontchannel_logout_session_supported"`
}
OpenIDConnectFrontChannelLogoutDiscoveryOptions represents the discovery options specific to OpenID Connect Front-Channel Logout functionality. See Also:
OpenID Connect Front-Channel Logout: https://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout
type OpenIDConnectJWTSecuredAuthorizationResponseModeDiscoveryOptions ¶ added in v4.38.0
// OpenIDConnectJWTSecuredAuthorizationResponseModeDiscoveryOptions represents the discovery options specific to
// JWT Secured Authorization Response Mode for OAuth 2.0 (JARM). All three lists use omitempty, so an empty list
// is omitted from the discovery document rather than published as [].
type OpenIDConnectJWTSecuredAuthorizationResponseModeDiscoveryOptions struct {
	/*
		OPTIONAL. A JSON array containing a list of the JWS [RFC7515] signing algorithms (alg values) supported by
		the authorization endpoint to sign the response.
	*/
	AuthorizationSigningAlgValuesSupported []string `json:"authorization_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL. A JSON array containing a list of the JWE [RFC7516] encryption algorithms (alg values) supported by
		the authorization endpoint to encrypt the response.
	*/
	AuthorizationEncryptionAlgValuesSupported []string `json:"authorization_encryption_alg_values_supported,omitempty"`

	/*
		OPTIONAL. A JSON array containing a list of the JWE [RFC7516] encryption algorithms (enc values) supported by
		the authorization endpoint to encrypt the response.
	*/
	AuthorizationEncryptionEncValuesSupported []string `json:"authorization_encryption_enc_values_supported,omitempty"`
}
OpenIDConnectJWTSecuredAuthorizationResponseModeDiscoveryOptions represents the discovery options specific to JWT Secured Authorization Response Mode for OAuth 2.0 (JARM).
Authorization servers SHOULD publish the supported algorithms for signing and encrypting the JWT of an authorization response by utilizing OAuth 2.0 Authorization Server Metadata [RFC8414] parameters. The following parameters are introduced by this specification.
See Also:
JWT Secured Authorization Response Mode for OAuth 2.0 (JARM): https://openid.net/specs/oauth-v2-jarm.html#name-authorization-server-metada
type OpenIDConnectPromptCreateDiscoveryOptions ¶ added in v4.38.0
// OpenIDConnectPromptCreateDiscoveryOptions represents the discovery options specific to Initiating User
// Registration via OpenID Connect 1.0 functionality.
type OpenIDConnectPromptCreateDiscoveryOptions struct {
	/*
		OPTIONAL. JSON array containing the list of prompt values that this OP supports. This metadata element is
		OPTIONAL in the context of the OpenID Provider not supporting the create value. If omitted, the Relying
		Party should assume that this specification is not supported. The OpenID Provider MAY provide this metadata
		element even if it doesn't support the create value.

		Specific to this specification, a value of create in the array indicates to the Relying party that this
		OpenID Provider supports this specification. If an OpenID Provider supports this specification it MUST
		define this metadata element in the openid-configuration file. Additionally, if this metadata element is
		defined by the OpenID Provider, the OP must also specify all other prompt values which it supports.

		See Also:
			OpenID.PromptCreate: https://openid.net/specs/openid-connect-prompt-create-1_0.html
	*/
	PromptValuesSupported []string `json:"prompt_values_supported,omitempty"`
}
OpenIDConnectPromptCreateDiscoveryOptions represents the discovery options specific to Initiating User Registration via OpenID Connect 1.0 functionality.
This specification extends the OpenID Connect Discovery Metadata Section 3.
See Also:
Initiating User Registration via OpenID Connect 1.0: https://openid.net/specs/openid-connect-prompt-create-1_0.html
type OpenIDConnectProvider ¶
// OpenIDConnectProvider for OpenID Connect. It embeds the *Store, the *Config and the oauthelia2.Provider, so their
// methods are promoted onto the provider itself.
type OpenIDConnectProvider struct {
	*Store
	*Config

	// KeyManager is the key material used by the provider; presumably the signing and encryption keys referenced
	// by the *KeyID client settings elsewhere in this package — confirm against NewOpenIDConnectProvider.
	KeyManager *KeyManager

	oauthelia2.Provider
	// contains filtered or unexported fields
}
OpenIDConnectProvider for OpenID Connect.
func NewOpenIDConnectProvider ¶
func NewOpenIDConnectProvider(config *schema.IdentityProvidersOpenIDConnect, store storage.Provider, templates *templates.Provider) (provider *OpenIDConnectProvider)
NewOpenIDConnectProvider creates a new OpenIDConnectProvider.
func (*OpenIDConnectProvider) GetOAuth2WellKnownConfiguration ¶ added in v4.34.0
func (p *OpenIDConnectProvider) GetOAuth2WellKnownConfiguration(issuer string) OAuth2WellKnownConfiguration
GetOAuth2WellKnownConfiguration returns the discovery document for the OAuth Configuration.
func (*OpenIDConnectProvider) GetOpenIDConnectWellKnownConfiguration ¶ added in v4.34.0
func (p *OpenIDConnectProvider) GetOpenIDConnectWellKnownConfiguration(issuer string) OpenIDConnectWellKnownConfiguration
GetOpenIDConnectWellKnownConfiguration returns the discovery document for the OpenID Configuration.
type OpenIDConnectRPInitiatedLogoutDiscoveryOptions ¶ added in v4.38.0
// OpenIDConnectRPInitiatedLogoutDiscoveryOptions represents the discovery options specific to OpenID Connect
// RP-Initiated Logout 1.0. The tag has no omitempty, so the endpoint is always emitted once this option group is
// present in the discovery document.
type OpenIDConnectRPInitiatedLogoutDiscoveryOptions struct {
	/*
		REQUIRED. URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at
		the OP. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.
	*/
	EndSessionEndpoint string `json:"end_session_endpoint"`
}
OpenIDConnectRPInitiatedLogoutDiscoveryOptions represents the discovery options specific to OpenID Connect RP-Initiated Logout 1.0.
To support OpenID Connect RP-Initiated Logout, the RP needs to obtain the RP-Initiated Logout related OP metadata. This OP metadata is normally obtained via the OP's Discovery response, as described in OpenID Connect Discovery 1.0, or MAY be learned via other mechanisms. This OpenID Provider Metadata parameter MUST be included in the Server's discovery responses when RP-Initiated Logout and Discovery are supported.
See Also:
OpenID Connect RP-Initiated Logout 1.0: https://openid.net/specs/openid-connect-rpinitiated-1_0.html
type OpenIDConnectSessionManagementDiscoveryOptions ¶ added in v4.38.0
// OpenIDConnectSessionManagementDiscoveryOptions represents the discovery options specific to OpenID Connect 1.0
// Session Management. The tag has no omitempty, so the iframe URL is always emitted once this option group is
// present in the discovery document.
type OpenIDConnectSessionManagementDiscoveryOptions struct {
	/*
		REQUIRED. URL of an OP iframe that supports cross-origin communications for session state information with
		the RP Client, using the HTML5 postMessage API. This URL MUST use the https scheme and MAY contain port,
		path, and query parameter components. The page is loaded from an invisible iframe embedded in an RP page so
		that it can run in the OP's security context. It accepts postMessage requests from the relevant RP iframe
		and uses postMessage to post back the login status of the End-User at the OP.
	*/
	CheckSessionIFrame string `json:"check_session_iframe"`
}
OpenIDConnectSessionManagementDiscoveryOptions represents the discovery options specific to OpenID Connect 1.0 Session Management.
To support OpenID Connect Session Management, the RP needs to obtain the Session Management related OP metadata. This OP metadata is normally obtained via the OP's Discovery response, as described in OpenID Connect Discovery 1.0, or MAY be learned via other mechanisms. This OpenID Provider Metadata parameter MUST be included in the Server's discovery responses when Session Management and Discovery are supported.
See Also:
OpenID Connect 1.0 Session Management: https://openid.net/specs/openid-connect-session-1_0.html
type OpenIDConnectWellKnownClaims ¶ added in v4.38.0
// OpenIDConnectWellKnownClaims embeds an OpenIDConnectWellKnownSignedConfiguration together with the
// jwt.RegisteredClaims; presumably it is the claims set of the signed_metadata JWT (the configuration values
// become claims alongside the registered iss/exp/etc. claims) — confirm against the signing code path.
type OpenIDConnectWellKnownClaims struct {
	OpenIDConnectWellKnownSignedConfiguration

	jwt.RegisteredClaims
}
type OpenIDConnectWellKnownConfiguration ¶ added in v4.34.0
// OpenIDConnectWellKnownConfiguration represents the well known discovery document specific to OpenID Connect.
//
// It embeds the OAuth2WellKnownConfiguration and the core OpenIDConnectDiscoveryOptions by value, and every
// extension option group by pointer. NOTE(review): a nil pointer embed is presumably how a disabled extension is
// kept out of the published document — confirm against NewOpenIDConnectWellKnownConfiguration and Copy.
type OpenIDConnectWellKnownConfiguration struct {
	OAuth2WellKnownConfiguration
	OpenIDConnectDiscoveryOptions

	*OpenIDConnectFrontChannelLogoutDiscoveryOptions
	*OpenIDConnectBackChannelLogoutDiscoveryOptions
	*OpenIDConnectSessionManagementDiscoveryOptions
	*OpenIDConnectRPInitiatedLogoutDiscoveryOptions
	*OpenIDConnectPromptCreateDiscoveryOptions
	*OpenIDConnectClientInitiatedBackChannelAuthFlowDiscoveryOptions
	*OpenIDConnectJWTSecuredAuthorizationResponseModeDiscoveryOptions
	*OpenIDFederationDiscoveryOptions
}
OpenIDConnectWellKnownConfiguration represents the well known discovery document specific to OpenID Connect.
func NewOpenIDConnectWellKnownConfiguration ¶ added in v4.35.0
func NewOpenIDConnectWellKnownConfiguration(c *schema.IdentityProvidersOpenIDConnect) (config OpenIDConnectWellKnownConfiguration)
NewOpenIDConnectWellKnownConfiguration generates a new OpenIDConnectWellKnownConfiguration.
func (OpenIDConnectWellKnownConfiguration) Copy ¶ added in v4.38.0
func (opts OpenIDConnectWellKnownConfiguration) Copy() (optsCopy OpenIDConnectWellKnownConfiguration)
Copy copies the values of the OpenIDConnectWellKnownConfiguration and returns them as a new struct.
type OpenIDConnectWellKnownSignedConfiguration ¶ added in v4.38.0
// OpenIDConnectWellKnownSignedConfiguration is an OpenIDConnectWellKnownConfiguration extended with the
// signed_metadata value (RFC 8414 Section 2.1), which lets a relying party verify the published metadata
// against the issuer's keys instead of trusting the transport alone.
type OpenIDConnectWellKnownSignedConfiguration struct {
	OpenIDConnectWellKnownConfiguration

	/*
		A JWT containing metadata values about the authorization server as claims. This is a string value
		consisting of the entire signed JWT. A "signed_metadata" metadata value SHOULD NOT appear as a claim in
		the JWT.
	*/
	SignedMetadata string `json:"signed_metadata,omitempty"`
}
type OpenIDFederationDiscoveryOptions ¶ added in v4.38.0
// OpenIDFederationDiscoveryOptions represents the discovery options specific to OpenID Federation. Only
// ClientRegistrationTypesSupported lacks omitempty and is therefore always emitted; the others are omitted when
// empty.
type OpenIDFederationDiscoveryOptions struct {
	/*
		OPTIONAL. URL of the OP's federation-specific Dynamic Client Registration Endpoint. If the OP supports
		explicit client registration as described in Section 10.2, then this claim is REQUIRED.
	*/
	FederationRegistrationEndpoint string `json:"federation_registration_endpoint,omitempty"`

	/*
		REQUIRED. Array specifying the federation types supported. Federation-type values defined by this
		specification are automatic and explicit.
	*/
	ClientRegistrationTypesSupported []string `json:"client_registration_types_supported"`

	/*
		OPTIONAL. A JSON Object defining the client authentications supported for each endpoint. The endpoint names
		are defined in the IANA "OAuth Authorization Server Metadata" registry [IANA.OAuth.Parameters]. Other
		endpoints and authentication methods are possible if made recognizable according to established standards
		and not in conflict with the operating principles of this specification.

		In OpenID Connect Core, no client authentication is performed at the authentication endpoint. Instead, the
		request itself is authenticated. The OP maps information in the request (like the redirect_uri) to
		information it has gained on the client through static or dynamic registration. If the mapping is
		successful, the request can be processed.

		If the RP uses Automatic Registration, as defined in Section 10.1, the OP has no prior knowledge of the RP.
		Therefore, the OP must start by gathering information about the RP using the process outlined in Section 6.
		Once it has the RP's metadata, the OP can verify the request in the same way as if it had known the RP's
		metadata beforehand. To make the request verification more secure, we demand the use of a client
		authentication or verification method that proves that the RP is in possession of a key that appears in
		the RP's metadata.

		NOTE(review): the spec text describes a JSON Object keyed by endpoint name, but the Go type is []string;
		confirm which shape the discovery document is expected to publish.
	*/
	RequestAuthenticationMethodsSupported []string `json:"request_authentication_methods_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported for the
		signature on the JWT [RFC7519] used in the request_object contained in the request parameter of an
		authorization request or in the private_key_jwt of a pushed authorization request. This entry MUST be
		present if either of these authentication methods are specified in the request_authentication_methods_supported
		entry. No default algorithms are implied if this entry is omitted. Servers SHOULD support RS256. The value
		none MUST NOT be used.
	*/
	RequestAuthenticationSigningAlgValuesSupported []string `json:"request_authentication_signing_alg_values_supported,omitempty"`
}
type PARConfig ¶ added in v4.37.3
PARConfig holds specific oauthelia2.Configurator information for Pushed Authorization Requests.
type ProofKeyCodeExchangeConfig ¶ added in v4.37.3
// ProofKeyCodeExchangeConfig holds specific oauthelia2.Configurator information for PKCE (RFC 7636).
type ProofKeyCodeExchangeConfig struct {
	// Enforce presumably requires PKCE on every authorization code flow regardless of client type — confirm against
	// the Config methods that consume it.
	Enforce bool

	// EnforcePublicClients presumably requires PKCE only for public clients (those without a client secret), which
	// are the clients that cannot otherwise bind the code to its redeemer — confirm against the consumer.
	EnforcePublicClients bool

	// AllowPlainChallengeMethod permits the "plain" code_challenge_method. RFC 7636 Section 4.2 requires clients to
	// use S256 where they can; "plain" exposes the verifier in the authorization request, so leaving this false is
	// the conservative default.
	AllowPlainChallengeMethod bool
}
ProofKeyCodeExchangeConfig holds specific oauthelia2.Configurator information for PKCE.
type RFC8693Config ¶ added in v4.38.0
// RFC8693Config holds the Token Exchange (RFC 8693) related configuration.
type RFC8693Config struct {
	// TokenTypes maps a token type identifier to its oauthelia2.RFC8693TokenType; presumably the keys are the
	// requested_token_type / subject_token_type URNs accepted at the token endpoint — confirm against the consumer.
	TokenTypes map[string]oauthelia2.RFC8693TokenType

	// DefaultRequestedTokenType is presumably the token type used when a request omits requested_token_type; it
	// should name a key of TokenTypes — confirm in validation.
	DefaultRequestedTokenType string
}
type RefreshFlowScopeClient ¶ added in v4.38.0
// RefreshFlowScopeClient is a client which can be customized to ignore scopes that were not originally granted.
type RefreshFlowScopeClient interface {
	oauthelia2.Client

	// GetRefreshFlowIgnoreOriginalGrantedScopes reports whether the refresh flow may ignore the originally granted
	// scopes when the scope parameter is present. The specification requires this to be false; returning true is
	// an accommodation for misbehaving clients and widens what a refresh can obtain.
	GetRefreshFlowIgnoreOriginalGrantedScopes(ctx context.Context) (ignoreOriginalGrantedScopes bool)
}
RefreshFlowScopeClient is a client which can be customized to ignore scopes that were not originally granted.
type RegisteredClient ¶ added in v4.38.0
// RegisteredClient represents a registered client. Most fields are surfaced through the Get* receivers on this
// type; comments below point at the corresponding receiver where one exists on this page.
type RegisteredClient struct {
	// ID is the client identifier (GetID).
	ID string

	// Name is the human readable client name (GetName).
	Name string

	// ClientSecret is the current secret, exposed via GetClientSecret as an oauthelia2.ClientSecret. The type name
	// suggests a digest rather than the plaintext secret is stored — confirm against ClientSecretDigest.
	ClientSecret *ClientSecretDigest

	// RotatedClientSecrets presumably holds previously issued secrets still honoured during a rotation window —
	// confirm against the client authentication path.
	RotatedClientSecrets []*ClientSecretDigest

	// SectorIdentifierURI presumably drives pairwise subject identifier derivation — confirm against the consumer.
	SectorIdentifierURI *url.URL

	// Public presumably marks a public client (one that cannot keep a secret) — confirm against the consumer.
	Public bool

	// RequirePushedAuthorizationRequests: this client MUST use a Pushed Authorization Request
	// (GetRequirePushedAuthorizationRequests).
	RequirePushedAuthorizationRequests bool

	// RequirePKCE is returned by GetEnforcePKCE.
	RequirePKCE bool

	// RequirePKCEChallengeMethod is returned by GetEnforcePKCEChallengeMethod.
	RequirePKCEChallengeMethod bool

	// PKCEChallengeMethod is returned by GetPKCEChallengeMethod.
	PKCEChallengeMethod string

	// Audience is returned by GetAudience.
	Audience []string

	// Scopes are presumably the scopes this client is permitted to request — confirm against the consumer.
	Scopes []string

	// RedirectURIs is returned by GetRedirectURIs.
	RedirectURIs []string

	// GrantTypes is returned by GetGrantTypes.
	GrantTypes []string

	// ResponseTypes is returned by GetResponseTypes.
	ResponseTypes []string

	// ResponseModes is returned by GetResponseModes.
	ResponseModes []oauthelia2.ResponseModeType

	// Lifespans presumably backs GetEffectiveLifespan's per grant/token type overrides — confirm against that
	// receiver.
	Lifespans schema.IdentityProvidersOpenIDConnectLifespan

	// JARM (authorization response) signing and encryption settings; see GetAuthorizationSignedResponseAlg,
	// GetAuthorizationSignedResponseKeyID, GetAuthorizationEncryptedResponseAlg and
	// GetAuthorizationEncryptedResponseEnc.
	AuthorizationSignedResponseAlg              string
	AuthorizationSignedResponseKeyID            string
	AuthorizationEncryptedResponseAlg           string
	AuthorizationEncryptedResponseEncryptionAlg string

	// ID Token signing settings; see GetIDTokenSignedResponseAlg and GetIDTokenSignedResponseKeyID.
	IDTokenSignedResponseAlg   string
	IDTokenSignedResponseKeyID string

	// JWT Profile Access Token signing settings; see GetAccessTokenSignedResponseAlg and
	// GetAccessTokenSignedResponseKeyID.
	AccessTokenSignedResponseAlg   string
	AccessTokenSignedResponseKeyID string

	// Userinfo response signing settings; no receiver for these is visible on this page — confirm the consumer.
	UserinfoSignedResponseAlg   string
	UserinfoSignedResponseKeyID string

	// Introspection response signing settings; see GetIntrospectionSignedResponseAlg and
	// GetIntrospectionSignedResponseKeyID.
	IntrospectionSignedResponseAlg   string
	IntrospectionSignedResponseKeyID string

	// RequestObjectSigningAlg is the JWS alg Request Objects from this client MUST be signed with
	// (GetRequestObjectSigningAlg).
	RequestObjectSigningAlg string

	// Token endpoint client authentication settings; presumably the token_endpoint_auth_method and
	// token_endpoint_auth_signing_alg client metadata values — confirm against the consumer.
	TokenEndpointAuthMethod     string
	TokenEndpointAuthSigningAlg string

	// RefreshFlowIgnoreOriginalGrantedScopes is returned by GetRefreshFlowIgnoreOriginalGrantedScopes; the
	// specification requires false.
	RefreshFlowIgnoreOriginalGrantedScopes bool

	// AllowMultipleAuthenticationMethods is returned by GetAllowMultipleAuthenticationMethods; true tolerates a
	// client breaching RFC 6749 Section 2.3.
	AllowMultipleAuthenticationMethods bool

	// ClientCredentialsFlowAllowImplicitScope is returned by GetClientCredentialsFlowRequestedScopeImplicit.
	ClientCredentialsFlowAllowImplicitScope bool

	// AuthorizationPolicy is returned by GetAuthorizationPolicy.
	AuthorizationPolicy ClientAuthorizationPolicy

	// ConsentPolicy is returned by GetConsentPolicy.
	ConsentPolicy ClientConsentPolicy

	// RequestedAudienceMode presumably backs GetRequestedAudienceImplicit — confirm against that receiver.
	RequestedAudienceMode ClientRequestedAudienceMode

	// RequestURIs are the pre-registered request_uri values (GetRequestURIs).
	RequestURIs []string

	// JSONWebKeys is the key set containing the public key the client authenticates with (GetJSONWebKeys).
	JSONWebKeys *jose.JSONWebKeySet

	// JSONWebKeysURI is the URL from which that key set is fetched (GetJSONWebKeysURI).
	JSONWebKeysURI *url.URL
}
RegisteredClient represents a registered client.
func (*RegisteredClient) GetAccessTokenEncryptedResponseAlg ¶ added in v4.38.11
func (c *RegisteredClient) GetAccessTokenEncryptedResponseAlg() (alg string)
GetAccessTokenEncryptedResponseAlg determines the JWE [RFC7516] algorithm (alg value) as defined in JWA [RFC7518] for content key encryption. If this is specified, the response will be encrypted using JWE and the configured content encryption algorithm (access_token_encrypted_response_enc). The default, if omitted, is that no encryption is performed. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in JWT [RFC7519].
func (*RegisteredClient) GetAccessTokenEncryptedResponseEnc ¶ added in v4.38.11
func (c *RegisteredClient) GetAccessTokenEncryptedResponseEnc() (enc string)
GetAccessTokenEncryptedResponseEnc determines the JWE [RFC7516] algorithm (enc value) as defined in JWA [RFC7518] for content encryption of access token responses. The default, if omitted, is A128CBC-HS256. Note: This parameter MUST NOT be specified without setting access_token_encrypted_response_alg.
func (*RegisteredClient) GetAccessTokenEncryptedResponseKeyID ¶ added in v4.38.11
func (c *RegisteredClient) GetAccessTokenEncryptedResponseKeyID() (kid string)
GetAccessTokenEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements for JWT Profile for OAuth 2.0 Access Tokens specifications. If unspecified the other available parameters will be utilized to select an appropriate key.
func (*RegisteredClient) GetAccessTokenSignedResponseAlg ¶ added in v4.38.0
func (c *RegisteredClient) GetAccessTokenSignedResponseAlg() (alg string)
GetAccessTokenSignedResponseAlg determines the JWS [RFC7515] algorithm (alg value) as defined in JWA [RFC7518] for signing JWT Profile Access Token responses. If this is specified, the response will be signed using JWS and the configured algorithm. The default, if omitted, is none (i.e. unsigned responses), unless the GetEnableJWTProfileOAuthAccessTokens receiver returns true, in which case the default is RS256.
func (*RegisteredClient) GetAccessTokenSignedResponseKeyID ¶ added in v4.38.0
func (c *RegisteredClient) GetAccessTokenSignedResponseKeyID() (kid string)
GetAccessTokenSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements for JWT Profile for OAuth 2.0 Access Tokens specifications. If unspecified the other available parameters will be utilized to select an appropriate key.
func (*RegisteredClient) GetAllowMultipleAuthenticationMethods ¶ added in v4.38.0
func (c *RegisteredClient) GetAllowMultipleAuthenticationMethods() (allow bool)
GetAllowMultipleAuthenticationMethods should return true if the client policy allows multiple authentication methods due to the client implementation breaching RFC6749 Section 2.3.
See: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.
func (*RegisteredClient) GetAudience ¶ added in v4.38.0
func (c *RegisteredClient) GetAudience() (audience oauthelia2.Arguments)
GetAudience returns the Audience.
func (*RegisteredClient) GetAuthorizationEncryptedResponseAlg ¶ added in v4.38.0
func (c *RegisteredClient) GetAuthorizationEncryptedResponseAlg() (alg string)
GetAuthorizationEncryptedResponseAlg is equivalent to the 'authorization_encrypted_response_alg' client metadata value which determines the JWE [RFC7516] alg algorithm JWA [RFC7518] REQUIRED for encrypting authorization responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in JWT [RFC7519]. The default, if omitted, is that no encryption is performed.
func (*RegisteredClient) GetAuthorizationEncryptedResponseEnc ¶ added in v4.38.11
func (c *RegisteredClient) GetAuthorizationEncryptedResponseEnc() (enc string)
GetAuthorizationEncryptedResponseEnc is equivalent to the 'authorization_encrypted_response_enc' client metadata value which determines the JWE [RFC7516] enc algorithm JWA [RFC7518] REQUIRED for encrypting authorization responses. If authorization_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When authorization_encrypted_response_enc is included, authorization_encrypted_response_alg MUST also be provided.
func (*RegisteredClient) GetAuthorizationEncryptedResponseKeyID ¶ added in v4.38.11
func (c *RegisteredClient) GetAuthorizationEncryptedResponseKeyID() (kid string)
GetAuthorizationEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements of the JWT Secured Authorization Response Mode (JARM) specifications. If unspecified the other available parameters will be utilized to select an appropriate key.
func (*RegisteredClient) GetAuthorizationPolicy ¶ added in v4.38.0
func (c *RegisteredClient) GetAuthorizationPolicy() (policy ClientAuthorizationPolicy)
GetAuthorizationPolicy returns the ClientAuthorizationPolicy from the Policy.
func (*RegisteredClient) GetAuthorizationPolicyRequiredLevel ¶ added in v4.38.0
func (c *RegisteredClient) GetAuthorizationPolicyRequiredLevel(subject authorization.Subject) (level authorization.Level)
GetAuthorizationPolicyRequiredLevel returns the required authorization.Level given an authorization.Subject.
func (*RegisteredClient) GetAuthorizationSignedResponseAlg ¶ added in v4.38.0
func (c *RegisteredClient) GetAuthorizationSignedResponseAlg() (alg string)
GetAuthorizationSignedResponseAlg returns the AuthorizationSignedResponseAlg.
func (*RegisteredClient) GetAuthorizationSignedResponseKeyID ¶ added in v4.38.0
func (c *RegisteredClient) GetAuthorizationSignedResponseKeyID() (kid string)
GetAuthorizationSignedResponseKeyID returns the AuthorizationSignedResponseKeyID.
func (*RegisteredClient) GetClientCredentialsFlowRequestedScopeImplicit ¶ added in v4.38.0
func (c *RegisteredClient) GetClientCredentialsFlowRequestedScopeImplicit() (allow bool)
GetClientCredentialsFlowRequestedScopeImplicit indicates whether a client will implicitly request all scopes it is allowed to request in the absence of requested scopes during the Client Credentials Flow.
func (*RegisteredClient) GetClientSecret ¶ added in v4.38.0
func (c *RegisteredClient) GetClientSecret() (secret oauthelia2.ClientSecret)
GetClientSecret returns the oauthelia2.ClientSecret.
func (*RegisteredClient) GetConsentPolicy ¶ added in v4.38.0
func (c *RegisteredClient) GetConsentPolicy() (policy ClientConsentPolicy)
GetConsentPolicy returns the ConsentPolicy.
func (*RegisteredClient) GetConsentResponseBody ¶ added in v4.38.0
func (c *RegisteredClient) GetConsentResponseBody(consent *model.OAuth2ConsentSession) ConsentGetResponseBody
GetConsentResponseBody returns the proper consent response body for the given consent session.
func (*RegisteredClient) GetEffectiveLifespan ¶ added in v4.38.0
func (c *RegisteredClient) GetEffectiveLifespan(gt oauthelia2.GrantType, tt oauthelia2.TokenType, fallback time.Duration) time.Duration
GetEffectiveLifespan returns the effective lifespan for a grant type and token type otherwise returns the fallback value. This implements the oauthelia2.ClientWithCustomTokenLifespans interface.
func (*RegisteredClient) GetEnableJWTProfileOAuthAccessTokens ¶ added in v4.38.0
func (c *RegisteredClient) GetEnableJWTProfileOAuthAccessTokens() (enable bool)
GetEnableJWTProfileOAuthAccessTokens returns true if this client is configured to return the RFC9068 JWT Profile for OAuth 2.0 Access Tokens.
func (*RegisteredClient) GetEnforcePKCE ¶ added in v4.38.0
func (c *RegisteredClient) GetEnforcePKCE() (enforce bool)
GetEnforcePKCE returns RequirePKCE.
func (*RegisteredClient) GetEnforcePKCEChallengeMethod ¶ added in v4.38.0
func (c *RegisteredClient) GetEnforcePKCEChallengeMethod() (enforce bool)
GetEnforcePKCEChallengeMethod returns RequirePKCEChallengeMethod.
func (*RegisteredClient) GetGrantTypes ¶ added in v4.38.0
func (c *RegisteredClient) GetGrantTypes() (types oauthelia2.Arguments)
GetGrantTypes returns the GrantTypes.
func (*RegisteredClient) GetID ¶ added in v4.38.0
func (c *RegisteredClient) GetID() string
GetID returns the ID for the client.
func (*RegisteredClient) GetIDTokenEncryptedResponseAlg ¶ added in v4.38.11
func (c *RegisteredClient) GetIDTokenEncryptedResponseAlg() (alg string)
GetIDTokenEncryptedResponseAlg is equivalent to the 'id_token_encrypted_response_alg' client metadata value which determines the JWE alg algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If this is requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
func (*RegisteredClient) GetIDTokenEncryptedResponseEnc ¶ added in v4.38.11
func (c *RegisteredClient) GetIDTokenEncryptedResponseEnc() (enc string)
GetIDTokenEncryptedResponseEnc is equivalent to the 'id_token_encrypted_response_enc' client metadata value which determines the JWE enc algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If id_token_encrypted_response_alg is specified, the default id_token_encrypted_response_enc value is A128CBC-HS256. When id_token_encrypted_response_enc is included, id_token_encrypted_response_alg MUST also be provided.
func (*RegisteredClient) GetIDTokenEncryptedResponseKeyID ¶ added in v4.38.11
func (c *RegisteredClient) GetIDTokenEncryptedResponseKeyID() (kid string)
GetIDTokenEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements of the ID Token specifications. If unspecified the other available parameters will be utilized to select an appropriate key.
func (*RegisteredClient) GetIDTokenSignedResponseAlg ¶ added in v4.38.0
func (c *RegisteredClient) GetIDTokenSignedResponseAlg() (alg string)
GetIDTokenSignedResponseAlg is equivalent to the 'id_token_signed_response_alg' client metadata value which determines the JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The value none MUST NOT be used as the ID Token alg value unless the Client uses only Response Types that return no ID Token from the Authorization Endpoint (such as when only using the Authorization Code Flow). The default, if omitted, is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery].
func (*RegisteredClient) GetIDTokenSignedResponseKeyID ¶ added in v4.38.0
func (c *RegisteredClient) GetIDTokenSignedResponseKeyID() (kid string)
GetIDTokenSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements of the ID Token specifications. If unspecified the other available parameters will be utilized to select an appropriate key.
func (*RegisteredClient) GetIntrospectionEncryptedResponseAlg ¶ added in v4.38.11
func (c *RegisteredClient) GetIntrospectionEncryptedResponseAlg() (alg string)
GetIntrospectionEncryptedResponseAlg is equivalent to the 'introspection_encrypted_response_alg' client metadata value which determines the JWE [RFC7516] algorithm (alg value) as defined in JWA [RFC7518] for content key encryption. If this is specified, the response will be encrypted using JWE and the configured content encryption algorithm (introspection_encrypted_response_enc). The default, if omitted, is that no encryption is performed. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in JWT [RFC7519].
func (*RegisteredClient) GetIntrospectionEncryptedResponseEnc ¶ added in v4.38.11
func (c *RegisteredClient) GetIntrospectionEncryptedResponseEnc() (enc string)
GetIntrospectionEncryptedResponseEnc is equivalent to the 'introspection_encrypted_response_enc' client metadata value which determines the JWE [RFC7516] algorithm (enc value) as defined in JWA [RFC7518] for content encryption of introspection responses. The default, if omitted, is A128CBC-HS256. Note: This parameter MUST NOT be specified without setting introspection_encrypted_response_alg.
func (*RegisteredClient) GetIntrospectionEncryptedResponseKeyID ¶ added in v4.38.11
func (c *RegisteredClient) GetIntrospectionEncryptedResponseKeyID() (kid string)
GetIntrospectionEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements for OAuth 2.0 JWT introspection response specifications. If unspecified the other available parameters will be utilized to select an appropriate key.
func (*RegisteredClient) GetIntrospectionEndpointAuthMethod ¶ added in v4.38.9
func (c *RegisteredClient) GetIntrospectionEndpointAuthMethod() (method string)
GetIntrospectionEndpointAuthMethod returns the requested Client Authentication Method for the Introspection Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none.
func (*RegisteredClient) GetIntrospectionEndpointAuthSigningAlg ¶ added in v4.38.9
func (c *RegisteredClient) GetIntrospectionEndpointAuthSigningAlg() (alg string)
GetIntrospectionEndpointAuthSigningAlg returns the JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to authenticate the Client at the Introspection Endpoint for the private_key_jwt and client_secret_jwt authentication methods.
func (*RegisteredClient) GetIntrospectionSignedResponseAlg ¶ added in v4.38.0
func (c *RegisteredClient) GetIntrospectionSignedResponseAlg() (alg string)
GetIntrospectionSignedResponseAlg returns the IntrospectionSignedResponseAlg.
func (*RegisteredClient) GetIntrospectionSignedResponseKeyID ¶ added in v4.38.0
func (c *RegisteredClient) GetIntrospectionSignedResponseKeyID() (alg string)
GetIntrospectionSignedResponseKeyID returns the IntrospectionSignedResponseKeyID.
func (*RegisteredClient) GetJSONWebKeys ¶ added in v4.38.0
func (c *RegisteredClient) GetJSONWebKeys() (keys *jose.JSONWebKeySet)
GetJSONWebKeys returns the JSON Web Key Set containing the public key used by the client to authenticate.
func (*RegisteredClient) GetJSONWebKeysURI ¶ added in v4.38.0
func (c *RegisteredClient) GetJSONWebKeysURI() (uri string)
GetJSONWebKeysURI returns the URL for lookup of JSON Web Key Set containing the public key used by the client to authenticate.
func (*RegisteredClient) GetName ¶ added in v4.38.0
func (c *RegisteredClient) GetName() (name string)
GetName returns the Name for the client.
func (*RegisteredClient) GetPKCEChallengeMethod ¶ added in v4.38.0
func (c *RegisteredClient) GetPKCEChallengeMethod() (method string)
GetPKCEChallengeMethod returns PKCEChallengeMethod.
func (*RegisteredClient) GetPushedAuthorizeContextLifespan ¶ added in v4.38.0
func (c *RegisteredClient) GetPushedAuthorizeContextLifespan() (lifespan time.Duration)
GetPushedAuthorizeContextLifespan should return a custom lifespan or a duration of 0 seconds to utilize the global lifespan.
func (*RegisteredClient) GetRedirectURIs ¶ added in v4.38.0
func (c *RegisteredClient) GetRedirectURIs() (redirectURIs []string)
GetRedirectURIs returns the RedirectURIs.
func (*RegisteredClient) GetRefreshFlowIgnoreOriginalGrantedScopes ¶ added in v4.38.0
func (c *RegisteredClient) GetRefreshFlowIgnoreOriginalGrantedScopes(ctx context.Context) (ignore bool)
GetRefreshFlowIgnoreOriginalGrantedScopes returns the value which indicates if the client should ignore the originally granted scopes when the scope parameter is present. The specification requires that this is always false, however some misbehaving clients may need this option.
func (*RegisteredClient) GetRequestObjectEncryptionAlg ¶ added in v4.38.11
func (c *RegisteredClient) GetRequestObjectEncryptionAlg() (alg string)
GetRequestObjectEncryptionAlg is equivalent to the 'request_object_encryption_alg' client metadata value which determines the JWE alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
func (*RegisteredClient) GetRequestObjectEncryptionEnc ¶ added in v4.38.11
func (c *RegisteredClient) GetRequestObjectEncryptionEnc() (enc string)
GetRequestObjectEncryptionEnc is equivalent to the 'request_object_encryption_enc' client metadata value which determines the JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default request_object_encryption_enc value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.
func (*RegisteredClient) GetRequestObjectEncryptionKeyID ¶ added in v4.38.11
func (c *RegisteredClient) GetRequestObjectEncryptionKeyID() (kid string)
GetRequestObjectEncryptionKeyID returns the specific key identifier used to satisfy JWE requirements of the request object specifications. If unspecified the other available parameters will be utilized to select an appropriate key.
func (*RegisteredClient) GetRequestObjectSigningAlg ¶ added in v4.38.0
func (c *RegisteredClient) GetRequestObjectSigningAlg() (alg string)
GetRequestObjectSigningAlg returns the JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm.
func (*RegisteredClient) GetRequestObjectSigningKeyID ¶ added in v4.38.11
func (c *RegisteredClient) GetRequestObjectSigningKeyID() (kid string)
GetRequestObjectSigningKeyID returns the specific key identifier used to satisfy JWS requirements of the request object specifications. If unspecified the other available parameters will be utilized to select an appropriate key.
func (*RegisteredClient) GetRequestURIs ¶ added in v4.38.0
func (c *RegisteredClient) GetRequestURIs() (uris []string)
GetRequestURIs returns the array of request_uri values that are pre-registered by the RP for use at the OP. Servers MAY cache the contents of the files referenced by these URIs and not retrieve them at the time they are used in a request. OPs can require that request_uri values used be pre-registered with the require_request_uri_registration discovery parameter.
func (*RegisteredClient) GetRequestedAudienceImplicit ¶ added in v4.38.0
func (c *RegisteredClient) GetRequestedAudienceImplicit() (implicit bool)
GetRequestedAudienceImplicit indicates whether a client will implicitly request all audiences it is allowed to request when no audience is explicitly requested during an Authorization Endpoint Flow or Client Credentials Flow.
func (*RegisteredClient) GetRequirePushedAuthorizationRequests ¶ added in v4.38.0
func (c *RegisteredClient) GetRequirePushedAuthorizationRequests() (require bool)
GetRequirePushedAuthorizationRequests should return true if this client MUST use a Pushed Authorization Request.
func (*RegisteredClient) GetResponseModes ¶ added in v4.38.0
func (c *RegisteredClient) GetResponseModes() (modes []oauthelia2.ResponseModeType)
GetResponseModes returns the valid response modes for this client.
Implements the oauthelia2.ResponseModeClient.
func (*RegisteredClient) GetResponseTypes ¶ added in v4.38.0
func (c *RegisteredClient) GetResponseTypes() (types oauthelia2.Arguments)
GetResponseTypes returns the ResponseTypes.
func (*RegisteredClient) GetRevocationEndpointAuthMethod ¶ added in v4.38.9
func (c *RegisteredClient) GetRevocationEndpointAuthMethod() (method string)
GetRevocationEndpointAuthMethod returns the requested Client Authentication Method for the Revocation Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none.
func (*RegisteredClient) GetRevocationEndpointAuthSigningAlg ¶ added in v4.38.9
func (c *RegisteredClient) GetRevocationEndpointAuthSigningAlg() (alg string)
GetRevocationEndpointAuthSigningAlg returns the JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to authenticate the Client at the Revocation Endpoint for the private_key_jwt and client_secret_jwt authentication methods.
func (*RegisteredClient) GetRevokeRefreshTokensExplicit ¶ added in v4.38.0
func (c *RegisteredClient) GetRevokeRefreshTokensExplicit(ctx context.Context) (explicit bool)
func (*RegisteredClient) GetRotatedClientSecrets ¶ added in v4.38.0
func (c *RegisteredClient) GetRotatedClientSecrets() (secrets []oauthelia2.ClientSecret)
GetRotatedClientSecrets returns the rotated oauth2.ClientSecret values.
func (*RegisteredClient) GetScopes ¶ added in v4.38.0
func (c *RegisteredClient) GetScopes() (scopes oauthelia2.Arguments)
GetScopes returns the Scopes.
func (*RegisteredClient) GetSectorIdentifierURI ¶ added in v4.38.0
func (c *RegisteredClient) GetSectorIdentifierURI() (sector string)
GetSectorIdentifierURI returns the SectorIdentifier for this client.
func (*RegisteredClient) GetTokenEndpointAuthMethod ¶ added in v4.38.0
func (c *RegisteredClient) GetTokenEndpointAuthMethod() (method string)
GetTokenEndpointAuthMethod returns the requested Client Authentication Method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none.
func (*RegisteredClient) GetTokenEndpointAuthSigningAlg ¶ added in v4.38.0
func (c *RegisteredClient) GetTokenEndpointAuthSigningAlg() (alg string)
GetTokenEndpointAuthSigningAlg returns the JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods.
func (*RegisteredClient) GetUserinfoEncryptedResponseAlg ¶ added in v4.38.11
func (c *RegisteredClient) GetUserinfoEncryptedResponseAlg() (alg string)
GetUserinfoEncryptedResponseAlg is equivalent to the 'userinfo_encrypted_response_alg' client metadata value which determines the JWE alg algorithm [JWA] REQUIRED for encrypting UserInfo Responses issued to this Client. If this is requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
func (*RegisteredClient) GetUserinfoEncryptedResponseEnc ¶ added in v4.38.11
func (c *RegisteredClient) GetUserinfoEncryptedResponseEnc() (enc string)
GetUserinfoEncryptedResponseEnc is equivalent to the 'userinfo_encrypted_response_enc' client metadata value which determines the JWE enc algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If userinfo_encrypted_response_alg is specified, the default userinfo_encrypted_response_enc value is A128CBC-HS256. When userinfo_encrypted_response_enc is included, userinfo_encrypted_response_alg MUST also be provided.
func (*RegisteredClient) GetUserinfoEncryptedResponseKeyID ¶ added in v4.38.11
func (c *RegisteredClient) GetUserinfoEncryptedResponseKeyID() (kid string)
GetUserinfoEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements of the User Info specifications. If unspecified the other available parameters will be utilized to select an appropriate key.
func (*RegisteredClient) GetUserinfoSignedResponseAlg ¶ added in v4.38.0
func (c *RegisteredClient) GetUserinfoSignedResponseAlg() (alg string)
GetUserinfoSignedResponseAlg is equivalent to the 'userinfo_signed_response_alg' client metadata value which determines the JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 [RFC3629] encoded JSON object using the application/json content-type.
func (*RegisteredClient) GetUserinfoSignedResponseKeyID ¶ added in v4.38.0
func (c *RegisteredClient) GetUserinfoSignedResponseKeyID() (kid string)
GetUserinfoSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements of the User Info specifications. If unspecified the other available parameters will be utilized to select an appropriate key.
func (*RegisteredClient) IsAuthenticationLevelSufficient ¶ added in v4.38.0
func (c *RegisteredClient) IsAuthenticationLevelSufficient(level authentication.Level, subject authorization.Subject) (sufficient bool)
IsAuthenticationLevelSufficient returns whether the provided authentication.Level is sufficient for this client, taking into account the given authorization.Subject.
func (*RegisteredClient) IsPublic ¶ added in v4.38.0
func (c *RegisteredClient) IsPublic() (public bool)
IsPublic returns the value of the Public property.
func (*RegisteredClient) SetJSONWebKeys ¶ added in v4.38.0
func (c *RegisteredClient) SetJSONWebKeys(jwks *jose.JSONWebKeySet)
SetJSONWebKeys sets the JSON Web Key Set containing the public key used by the client to authenticate.
func (*RegisteredClient) ValidateResponseModePolicy ¶ added in v4.38.0
func (c *RegisteredClient) ValidateResponseModePolicy(r oauthelia2.AuthorizeRequester) (err error)
ValidateResponseModePolicy is an additional check to the response mode parameter to ensure if it's omitted that the default response mode for the oauthelia2.AuthorizeRequester is permitted.
type Session ¶ added in v4.38.0
type Session struct { *openid.DefaultSession `json:"id_token"` ChallengeID uuid.NullUUID `json:"challenge_id"` KID string `json:"kid"` ClientID string `json:"client_id"` ClientCredentials bool `json:"client_credentials"` ExcludeNotBeforeClaim bool `json:"exclude_nbf_claim"` AllowedTopLevelClaims []string `json:"allowed_top_level_claims"` Extra map[string]any `json:"extra"` }
Session holds OpenID Connect 1.0 Session information.
func NewSession ¶ added in v4.34.5
func NewSession() (session *Session)
NewSession creates a new empty Session.
func NewSessionWithAuthorizeRequest ¶ added in v4.34.5
func NewSessionWithAuthorizeRequest(ctx Context, issuer *url.URL, kid, username string, amr []string, extra map[string]any, authTime time.Time, consent *model.OAuth2ConsentSession, requester oauthelia2.AuthorizeRequester) (session *Session)
NewSessionWithAuthorizeRequest uses details from an AuthorizeRequester (together with the issuer, signing key id, username, amr values, extra claims, authentication time and consent session) to generate a Session.
func (*Session) Clone ¶ added in v4.38.0
func (s *Session) Clone() oauthelia2.Session
Clone copies the OpenIDSession to a new oauthelia2.Session.
func (*Session) GetChallengeID ¶ added in v4.38.0
GetChallengeID returns the challenge id.
func (*Session) GetExtraClaims ¶ added in v4.38.0
GetExtraClaims returns the Extra/Unregistered claims for this session.
func (*Session) GetIDTokenClaims ¶ added in v4.38.0
func (s *Session) GetIDTokenClaims() *jwt.IDTokenClaims
GetIDTokenClaims returns the *jwt.IDTokenClaims for this session.
func (*Session) GetJWTClaims ¶ added in v4.38.0
func (s *Session) GetJWTClaims() jwt.JWTClaimsContainer
GetJWTClaims returns the jwt.JWTClaimsContainer for the OAuth 2.0 JWT Profile Access Tokens.
func (*Session) GetJWTHeader ¶ added in v4.38.0
GetJWTHeader returns the *jwt.Headers for the OAuth 2.0 JWT Profile Access Token.
type Signer ¶ added in v4.38.0
type Signer struct { GetPrivateKey fjwt.GetPrivateKeyFunc // contains filtered or unexported fields }
Signer is responsible for generating and validating JWT challenges.
func (*Signer) Generate ¶ added in v4.38.0
func (j *Signer) Generate(ctx context.Context, claims fjwt.MapClaims, header fjwt.Mapper) (tokenString string, sig string, err error)
Generate produces a new signed JWT from the given claims and header, returning the serialized token string and its signature, or an error if signing fails.
func (*Signer) GetPublicKey ¶ added in v4.38.0
GetPublicKey returns the PublicKey for this Signer.
func (*Signer) GetSignature ¶ added in v4.38.0
GetSignature will return the signature of a token.
func (*Signer) GetSigningMethodLength ¶ added in v4.38.0
GetSigningMethodLength will return the length of the signing method.
type SortedJSONWebKey ¶ added in v4.38.0
type SortedJSONWebKey []jose.JSONWebKey
func (SortedJSONWebKey) Len ¶ added in v4.38.0
func (jwks SortedJSONWebKey) Len() int
func (SortedJSONWebKey) Less ¶ added in v4.38.0
func (jwks SortedJSONWebKey) Less(i, j int) bool
func (SortedJSONWebKey) Swap ¶ added in v4.38.0
func (jwks SortedJSONWebKey) Swap(i, j int)
type SortedSigningAlgs ¶ added in v4.38.0
type SortedSigningAlgs []string
SortedSigningAlgs is a sorting type which allows the use of sort.Sort to order a list of OAuth 2.0 Signing Algs. Sorting occurs in the order in which the algorithms are defined within the relevant RFCs.
func (SortedSigningAlgs) Len ¶ added in v4.38.0
func (algs SortedSigningAlgs) Len() int
func (SortedSigningAlgs) Less ¶ added in v4.38.0
func (algs SortedSigningAlgs) Less(i, j int) bool
func (SortedSigningAlgs) Swap ¶ added in v4.38.0
func (algs SortedSigningAlgs) Swap(i, j int)
type Store ¶ added in v4.37.0
type Store struct { ClientStore // contains filtered or unexported fields }
Store is Authelia's internal representation of the oauthelia2.Storage interface. It maps the following interfaces to the storage.Provider interface: oauthelia2.Storage, oauthelia2.ClientManager, storage.Transactional, oauth2.AuthorizeCodeStorage, oauth2.AccessTokenStorage, oauth2.RefreshTokenStorage, oauth2.TokenRevocationStorage, pkce.PKCERequestStorage, openid.OpenIDConnectRequestStorage, and partially implements rfc7523.RFC7523KeyStorage.
func NewStore ¶ added in v4.37.3
func NewStore(config *schema.IdentityProvidersOpenIDConnect, provider storage.Provider) (store *Store)
NewStore returns a Store when provided with a schema.IdentityProvidersOpenIDConnect configuration and a storage.Provider.
func (*Store) BeginTX ¶ added in v4.37.0
BeginTX starts a transaction. This implements a portion of fosite storage.Transactional interface.
func (*Store) ClientAssertionJWTValid ¶ added in v4.37.0
ClientAssertionJWTValid returns an error if the JTI is already known (i.e. the client assertion would be a replay) or if the DB check failed, and nil if the JTI is not known. This implements a portion of oauthelia2.ClientManager.
func (*Store) Commit ¶ added in v4.37.0
Commit completes a transaction. This implements a portion of fosite storage.Transactional interface.
func (*Store) CreateAccessTokenSession ¶ added in v4.37.0
func (s *Store) CreateAccessTokenSession(ctx context.Context, signature string, request oauthelia2.Requester) (err error)
CreateAccessTokenSession stores the authorization request for a given access token. This implements a portion of oauth2.AccessTokenStorage.
func (*Store) CreateAuthorizeCodeSession ¶ added in v4.37.0
func (s *Store) CreateAuthorizeCodeSession(ctx context.Context, code string, request oauthelia2.Requester) (err error)
CreateAuthorizeCodeSession stores the authorization request for a given authorization code. This implements a portion of oauth2.AuthorizeCodeStorage.
func (*Store) CreateOpenIDConnectSession ¶ added in v4.37.0
func (s *Store) CreateOpenIDConnectSession(ctx context.Context, authorizeCode string, request oauthelia2.Requester) (err error)
CreateOpenIDConnectSession creates an OpenID Connect 1.0 connect session for a given authorize code. This is relevant for explicit OpenID Connect 1.0 flow. This implements a portion of openid.OpenIDConnectRequestStorage.
func (*Store) CreatePARSession ¶ added in v4.38.0
func (s *Store) CreatePARSession(ctx context.Context, requestURI string, request oauthelia2.AuthorizeRequester) (err error)
CreatePARSession stores the pushed authorization request context. The requestURI is used to derive the key. This implements a portion of oauthelia2.PARStorage.
func (*Store) CreatePKCERequestSession ¶ added in v4.37.0
func (s *Store) CreatePKCERequestSession(ctx context.Context, signature string, request oauthelia2.Requester) (err error)
CreatePKCERequestSession stores the authorization request for a given PKCE request. This implements a portion of pkce.PKCERequestStorage.
func (*Store) CreateRefreshTokenSession ¶ added in v4.37.0
func (s *Store) CreateRefreshTokenSession(ctx context.Context, signature string, request oauthelia2.Requester) (err error)
CreateRefreshTokenSession stores the authorization request for a given refresh token. This implements a portion of oauth2.RefreshTokenStorage.
func (*Store) DeleteAccessTokenSession ¶ added in v4.37.0
DeleteAccessTokenSession marks an access token session as deleted. This implements a portion of oauth2.AccessTokenStorage.
func (*Store) DeleteOpenIDConnectSession ¶ added in v4.37.0
DeleteOpenIDConnectSession just implements the method required by fosite even though it's unused. This implements a portion of openid.OpenIDConnectRequestStorage.
func (*Store) DeletePARSession ¶ added in v4.38.0
DeletePARSession deletes the stored pushed authorization request context for the given request URI. This implements a portion of oauthelia2.PARStorage.
func (*Store) DeletePKCERequestSession ¶ added in v4.37.0
DeletePKCERequestSession marks the authorization request for a given PKCE request as deleted. This implements a portion of pkce.PKCERequestStorage.
func (*Store) DeleteRefreshTokenSession ¶ added in v4.37.0
DeleteRefreshTokenSession marks the authorization request for a given refresh token as deleted. This implements a portion of oauth2.RefreshTokenStorage.
func (*Store) GenerateOpaqueUserID ¶ added in v4.37.0
func (s *Store) GenerateOpaqueUserID(ctx context.Context, sectorID, username string) (opaqueID *model.UserOpaqueIdentifier, err error)
GenerateOpaqueUserID either retrieves or creates an opaque user id from a sectorID and username.
func (*Store) GetAccessTokenSession ¶ added in v4.37.0
func (s *Store) GetAccessTokenSession(ctx context.Context, signature string, session oauthelia2.Session) (request oauthelia2.Requester, err error)
GetAccessTokenSession gets the authorization request for a given access token. This implements a portion of oauth2.AccessTokenStorage.
func (*Store) GetAuthorizeCodeSession ¶ added in v4.37.0
func (s *Store) GetAuthorizeCodeSession(ctx context.Context, code string, session oauthelia2.Session) (request oauthelia2.Requester, err error)
GetAuthorizeCodeSession hydrates the session based on the given code and returns the authorization request. If the authorization code has been invalidated with `InvalidateAuthorizeCodeSession`, this method should return the ErrInvalidatedAuthorizeCode error. Make sure to also return the oauthelia2.Requester value when returning the oauthelia2.ErrInvalidatedAuthorizeCode error! This implements a portion of oauth2.AuthorizeCodeStorage.
func (*Store) GetClient ¶ added in v4.37.0
GetClient loads the client by its ID or returns an error if the client does not exist or another error occurred. This implements a portion of oauthelia2.ClientManager.
func (*Store) GetOpenIDConnectSession ¶ added in v4.37.0
func (s *Store) GetOpenIDConnectSession(ctx context.Context, authorizeCode string, request oauthelia2.Requester) (r oauthelia2.Requester, err error)
GetOpenIDConnectSession returns error: - nil if a session was found, - ErrNoSessionFound if no session was found - or an arbitrary error if an error occurred. This implements a portion of openid.OpenIDConnectRequestStorage.
func (*Store) GetPARSession ¶ added in v4.38.0
func (s *Store) GetPARSession(ctx context.Context, requestURI string) (request oauthelia2.AuthorizeRequester, err error)
GetPARSession gets the pushed authorization request context for the given request URI. The caller is expected to merge the AuthorizeRequest. This implements a portion of oauthelia2.PARStorage.
func (*Store) GetPKCERequestSession ¶ added in v4.37.0
func (s *Store) GetPKCERequestSession(ctx context.Context, signature string, session oauthelia2.Session) (requester oauthelia2.Requester, err error)
GetPKCERequestSession gets the authorization request for a given PKCE request. This implements a portion of pkce.PKCERequestStorage.
func (*Store) GetRefreshTokenSession ¶ added in v4.37.0
func (s *Store) GetRefreshTokenSession(ctx context.Context, signature string, session oauthelia2.Session) (request oauthelia2.Requester, err error)
GetRefreshTokenSession gets the authorization request for a given refresh token. This implements a portion of oauth2.RefreshTokenStorage.
func (*Store) GetSubject ¶ added in v4.37.0
func (s *Store) GetSubject(ctx context.Context, sectorID, username string) (subject uuid.UUID, err error)
GetSubject returns a subject UUID for the given sectorID and username. If one exists, it returns the existing one, otherwise it creates and saves a new one.
func (*Store) InvalidateAuthorizeCodeSession ¶ added in v4.37.0
InvalidateAuthorizeCodeSession is called when an authorize code is being used. The state of the authorization code should be set to invalid and consecutive requests to GetAuthorizeCodeSession should return the ErrInvalidatedAuthorizeCode error. This implements a portion of oauth2.AuthorizeCodeStorage.
func (*Store) IsValidClientID ¶ added in v4.37.0
IsValidClientID returns true if the provided id exists in the OpenIDConnectProvider.Clients map.
func (*Store) MarkJWTUsedForTime ¶ added in v4.37.0
MarkJWTUsedForTime implements an interface required for rfc7523.RFC7523KeyStorage.
func (*Store) RevokeAccessToken ¶ added in v4.37.0
RevokeAccessToken revokes an access token as specified in: https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well. This implements a portion of oauth2.TokenRevocationStorage.
func (*Store) RevokeRefreshToken ¶ added in v4.37.0
RevokeRefreshToken revokes a refresh token as specified in: https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 If the particular token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant (see Implementation Note). This implements a portion of oauth2.TokenRevocationStorage.
func (*Store) RevokeRefreshTokenMaybeGracePeriod ¶ added in v4.37.0
func (s *Store) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) (err error)
RevokeRefreshTokenMaybeGracePeriod revokes a refresh token as specified in: https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 As the name suggests, the revocation is subject to any configured refresh token grace period; see the implementation for the exact grace period behaviour. This implements a portion of oauth2.TokenRevocationStorage.
func (*Store) Rollback ¶ added in v4.37.0
Rollback rolls a transaction back. This implements a portion of fosite storage.Transactional interface.
func (*Store) SetClientAssertionJWT ¶ added in v4.37.0
SetClientAssertionJWT marks a JTI as known for the given expiry time. Before inserting the new JTI, it will clean up any existing JTIs that have expired as those tokens can not be replayed due to the expiry. This implements a portion of oauthelia2.ClientManager.
type StrategyConfig ¶ added in v4.37.3
type StrategyConfig struct { Core oauth2.CoreStrategy OpenID openid.OpenIDConnectTokenStrategy Audience oauthelia2.AudienceMatchingStrategy Scope oauthelia2.ScopeStrategy JWKSFetcher oauthelia2.JWKSFetcherStrategy ClientAuthentication oauthelia2.ClientAuthenticationStrategy }
StrategyConfig holds specific oauthelia2.Configurator information for various strategies.