oidc

package
v4.38.8 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 15, 2024 License: Apache-2.0 Imports: 41 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	ScopeOfflineAccess = "offline_access"
	ScopeOffline       = "offline"
	ScopeOpenID        = "openid"
	ScopeProfile       = "profile"
	ScopeEmail         = "email"
	ScopeGroups        = "groups"

	ScopeAutheliaBearerAuthz = "authelia.bearer.authz"
)

Scope strings.

View Source 
const (
	ClaimJWTID                               = "jti"
	ClaimSessionID                           = "sid"
	ClaimAccessTokenHash                     = "at_hash"
	ClaimCodeHash                            = "c_hash"
	ClaimStateHash                           = "s_hash"
	ClaimIssuedAt                            = "iat"
	ClaimNotBefore                           = "nbf"
	ClaimRequestedAt                         = "rat"
	ClaimExpirationTime                      = "exp"
	ClaimAuthenticationTime                  = "auth_time"
	ClaimIssuer                              = valueIss
	ClaimSubject                             = "sub"
	ClaimNonce                               = "nonce"
	ClaimAudience                            = "aud"
	ClaimGroups                              = "groups"
	ClaimFullName                            = "name"
	ClaimPreferredUsername                   = "preferred_username"
	ClaimPreferredEmail                      = "email"
	ClaimEmailVerified                       = "email_verified"
	ClaimAuthorizedParty                     = "azp"
	ClaimAuthenticationContextClassReference = "acr"
	ClaimAuthenticationMethodsReference      = "amr"
	ClaimClientIdentifier                    = valueClientID
	ClaimScope                               = valueScope
	ClaimScopeNonStandard                    = "scp"
	ClaimExtra                               = "ext"
	ClaimActive                              = "active"
	ClaimUsername                            = "username"
	ClaimTokenIntrospection                  = "token_introspection"
)

Registered Claim strings. See https://www.iana.org/assignments/jwt/jwt.xhtml.

View Source 
const (
	ResponseModeFormPost    = "form_post"
	ResponseModeQuery       = "query"
	ResponseModeFragment    = "fragment"
	ResponseModeJWT         = "jwt"
	ResponseModeFormPostJWT = "form_post.jwt"
	ResponseModeQueryJWT    = "query.jwt"
	ResponseModeFragmentJWT = "fragment.jwt"
)

Response Mode strings.

View Source 
const (
	GrantTypeImplicit          = valueImplicit
	GrantTypeRefreshToken      = valueRefreshToken
	GrantTypeAuthorizationCode = "authorization_code"
	GrantTypeClientCredentials = "client_credentials"
)

Grant Type strings.

View Source 
const (
	ClientAuthMethodClientSecretBasic = "client_secret_basic"
	ClientAuthMethodClientSecretPost  = "client_secret_post"
	ClientAuthMethodClientSecretJWT   = "client_secret_jwt"
	ClientAuthMethodPrivateKeyJWT     = "private_key_jwt"
	ClientAuthMethodNone              = "none"
)

Client Auth Method strings.

View Source 
const (
	ResponseTypeAuthorizationCodeFlow = "code"
	ResponseTypeImplicitFlowIDToken   = "id_token"
	ResponseTypeImplicitFlowToken     = "token"
	ResponseTypeImplicitFlowBoth      = "id_token token"
	ResponseTypeHybridFlowIDToken     = "code id_token"
	ResponseTypeHybridFlowToken       = "code token"
	ResponseTypeHybridFlowBoth        = "code id_token token"
)

Response Type strings.

View Source 
const (
	SigningAlgNone = valueNone

	SigningAlgRSAUsingSHA256 = "RS256"
	SigningAlgRSAUsingSHA384 = "RS384"
	SigningAlgRSAUsingSHA512 = "RS512"

	SigningAlgRSAPSSUsingSHA256 = "PS256"
	SigningAlgRSAPSSUsingSHA384 = "PS384"
	SigningAlgRSAPSSUsingSHA512 = "PS512"

	SigningAlgECDSAUsingP256AndSHA256 = "ES256"
	SigningAlgECDSAUsingP384AndSHA384 = "ES384"
	SigningAlgECDSAUsingP521AndSHA512 = "ES512"

	SigningAlgHMACUsingSHA256 = "HS256"
	SigningAlgHMACUsingSHA384 = "HS384"
	SigningAlgHMACUsingSHA512 = "HS512"
)

JWS Algorithm strings. See: https://datatracker.ietf.org/doc/html/rfc7518#section-3.1

View Source 
const (
	SigningAlgPrefixRSA    = "RS"
	SigningAlgPrefixHMAC   = "HS"
	SigningAlgPrefixRSAPSS = "PS"
	SigningAlgPrefixECDSA  = "ES"
)

JWS Algorithm Prefixes.

View Source 
const (
	SubjectTypePublic   = "public"
	SubjectTypePairwise = "pairwise"
)

Subject Type strings.

View Source 
const (
	PKCEChallengeMethodPlain  = "plain"
	PKCEChallengeMethodSHA256 = "S256"
)

Proof Key Code Exchange Challenge Method strings.

View Source 
const (
	FormParameterState        = "state"
	FormParameterClientID     = valueClientID
	FormParameterRequestURI   = "request_uri"
	FormParameterRedirectURI  = "redirect_uri"
	FormParameterResponseMode = "response_mode"
	FormParameterResponseType = "response_type"
	FormParameterScope        = valueScope
	FormParameterIssuer       = valueIss
	FormParameterPrompt       = "prompt"
)
View Source 
const (
	PromptNone    = valueNone
	PromptLogin   = "login"
	PromptConsent = "consent"
)
View Source 
const (
	EndpointAuthorization              = "authorization"
	EndpointToken                      = "token"
	EndpointUserinfo                   = "userinfo"
	EndpointIntrospection              = "introspection"
	EndpointRevocation                 = "revocation"
	EndpointPushedAuthorizationRequest = "pushed-authorization-request"
)

Endpoints.

View Source 
const (
	// JWTHeaderKeyIdentifier is the JWT Header referencing the JWS Key Identifier used to sign a token.
	JWTHeaderKeyIdentifier = "kid"

	// JWTHeaderKeyAlgorithm is the JWT Header referencing the JWS Key algorithm used to sign a token.
	JWTHeaderKeyAlgorithm = "alg"

	// JWTHeaderKeyType is the JWT Header referencing the JWT type.
	JWTHeaderKeyType = "typ"
)

JWT Headers.

View Source 
const (
	JWTHeaderTypeValueTokenIntrospectionJWT = "token-introspection+jwt"
	JWTHeaderTypeValueAccessTokenJWT        = "at+jwt"
)
View Source 
const (
	EndpointPathConsent                           = "/consent"
	EndpointPathWellKnownOpenIDConfiguration      = "/.well-known/openid-configuration"
	EndpointPathWellKnownOAuthAuthorizationServer = "/.well-known/oauth-authorization-server"
	EndpointPathJWKs                              = "/jwks.json"

	EndpointPathRoot = "/api/oidc"

	EndpointPathAuthorization = EndpointPathRoot + "/" + EndpointAuthorization
	EndpointPathToken         = EndpointPathRoot + "/" + EndpointToken
	EndpointPathUserinfo      = EndpointPathRoot + "/" + EndpointUserinfo
	EndpointPathIntrospection = EndpointPathRoot + "/" + EndpointIntrospection
	EndpointPathRevocation    = EndpointPathRoot + "/" + EndpointRevocation

	EndpointPathPushedAuthorizationRequest = EndpointPathRoot + "/" + EndpointPushedAuthorizationRequest

	EndpointPathRFC8628UserVerificationURL = EndpointPathRoot + "/device-code/user-verification"
)

Paths.

View Source 
const (
	// AMRMultiFactorAuthentication is an RFC8176 Authentication Method Reference Value that represents multiple-factor
	// authentication as per NIST.800-63-2 and ISO29115. When this is present, specific authentication methods used may
	// also be included.
	//
	// Authelia utilizes this when a user has performed any 2 AMR's with different factor values (excluding meta).
	// Factor: Meta, Channel: Meta.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	//
	// NIST.800-63-2: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
	//
	// ISO29115: https://www.iso.org/standard/45138.html
	AMRMultiFactorAuthentication = "mfa"

	// AMRMultiChannelAuthentication is an RFC8176 Authentication Method Reference Value that represents
	// multiple-channel authentication. The authentication involves communication over more than one distinct
	// communication channel. For instance, a multiple-channel authentication might involve both entering information
	// into a workstation's browser and providing information on a telephone call to a pre-registered number.
	//
	// Authelia utilizes this when a user has performed any 2 AMR's with different channel values (excluding meta).
	// Factor: Meta, Channel: Meta.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	AMRMultiChannelAuthentication = "mca"

	// AMRUserPresence is an RFC8176 Authentication Method Reference Value that represents authentication that included
	// a user presence test. Evidence that the end user is present and interacting with the device. This is sometimes
	// also referred to as "test of user presence" as per W3C.WD-webauthn-20170216.
	//
	// Authelia utilizes this when a user has used WebAuthn to authenticate and the user presence flag was set.
	// Factor: Meta, Channel: Meta.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	//
	// W3C.WD-webauthn-20170216: https://datatracker.ietf.org/doc/html/rfc8176#ref-W3C.WD-webauthn-20170216
	AMRUserPresence = "user"

	// AMRPersonalIdentificationNumber is an RFC8176 Authentication Method Reference Value that represents
	// authentication that included a personal Identification Number (PIN) as per RFC4949 or pattern (not restricted to
	// containing only numbers) that a user enters to unlock a key on the device. This mechanism should have a way to
	// deter an attacker from obtaining the PIN by trying repeated guesses.
	//
	// Authelia utilizes this when a user has used WebAuthn to authenticate and the user verified flag was set.
	//	Factor: Meta, Channel: Meta.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	//
	// RFC4949: https://datatracker.ietf.org/doc/html/rfc4949
	AMRPersonalIdentificationNumber = "pin"

	// AMRPasswordBasedAuthentication is an RFC8176 Authentication Method Reference Value that represents password-based
	// authentication as per RFC4949.
	//
	// Authelia utilizes this when a user has performed 1FA. Factor: Know, Channel: Browser.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	//
	// RFC4949: https://datatracker.ietf.org/doc/html/rfc4949
	AMRPasswordBasedAuthentication = "pwd"

	// AMROneTimePassword is an RFC8176 Authentication Method Reference Value that represents authentication via a
	// Time-based One-Time Password as per RFC4949. One-time password specifications that this authentication method
	// applies to include RFC4226 and RFC6238.
	//
	// Authelia utilizes this when a user has used TOTP to authenticate. Factor: Have, Channel: Browser.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	//
	// RFC4949: https://datatracker.ietf.org/doc/html/rfc4949
	//
	// RFC4226: https://datatracker.ietf.org/doc/html/rfc4226
	//
	// RFC6238: https://datatracker.ietf.org/doc/html/rfc6238
	AMROneTimePassword = "otp"

	// AMRHardwareSecuredKey is an RFC8176 Authentication Method Reference Value that
	// represents authentication via a proof-of-Possession (PoP) of a hardware-secured key.
	//
	// Authelia utilizes this when a user has used WebAuthn to authenticate. Factor: Have, Channel: Browser.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	AMRHardwareSecuredKey = "hwk"

	// AMRShortMessageService is an RFC8176 Authentication Method Reference Value that
	// represents authentication via confirmation using SMS text message to the user at a registered number.
	//
	// Authelia utilizes this when a user has used Duo to authenticate. Factor: Have, Channel: Browser.
	//
	// RFC8176: https://datatracker.ietf.org/doc/html/rfc8176
	AMRShortMessageService = "sms"
)

Authentication Method Reference Values https://datatracker.ietf.org/doc/html/rfc8176

View Source 
const (
	// ClaimEmailAlts is an unregistered/custom claim.
	// It represents the emails which are not considered primary.
	ClaimEmailAlts = "alt_emails"
)
View Source 
const (
	KeyUseSignature = "sig"
)
View Source 
const (
	RedirectURIPrefixPushedAuthorizationRequestURN = "urn:ietf:params:oauth:request_uri:"
)
View Source 
const (
	RedirectURISpecialOAuth2InstalledApp = "urn:ietf:wg:oauth:2.0:oob"
)

Variables

View Source 
var (
	// ErrSubjectCouldNotLookup is sent when the Subject Identifier for a user couldn't be generated or obtained from the database.
	ErrSubjectCouldNotLookup = oauthelia2.ErrServerError.WithHint("Could not lookup user subject.")

	// ErrConsentCouldNotPerform is sent when the Consent Session couldn't be performed for varying reasons.
	ErrConsentCouldNotPerform = oauthelia2.ErrServerError.WithHint("Could not perform consent.")

	// ErrConsentCouldNotGenerate is sent when the Consent Session failed to be generated for some reason, usually a failed UUIDv4 generation.
	ErrConsentCouldNotGenerate = oauthelia2.ErrServerError.WithHint("Could not generate the consent session.")

	// ErrConsentCouldNotSave is sent when the Consent Session couldn't be saved to the database.
	ErrConsentCouldNotSave = oauthelia2.ErrServerError.WithHint("Could not save the consent session.")

	// ErrConsentCouldNotLookup is sent when the Consent ID is not a known UUID.
	ErrConsentCouldNotLookup = oauthelia2.ErrServerError.WithHint("Failed to lookup the consent session.")

	// ErrConsentMalformedChallengeID is sent when the Consent ID is not a UUID.
	ErrConsentMalformedChallengeID = oauthelia2.ErrServerError.WithHint("Malformed consent session challenge ID.")

	ErrClientAuthorizationUserAccessDenied = oauthelia2.ErrAccessDenied.WithHint("The user was denied access to this client.")
)

Functions

func AccessResponderToClearMap added in v4.38.0 

func AccessResponderToClearMap(responder oauthelia2.AccessResponder) map[string]any

AccessResponderToClearMap returns a clear friendly map copy of the responder map values.

func GetLangFromRequester added in v4.38.0 

func GetLangFromRequester(requester oauthelia2.Requester) language.Tag

GetLangFromRequester gets the expected language for a requester.

func IsAccessToken added in v4.38.3 

func IsAccessToken(ctx Context, value string) (is bool, err error)

func IsJWTProfileAccessToken added in v4.38.0 

func IsJWTProfileAccessToken(header map[string]any) bool

IsJWTProfileAccessToken validates a *jwt.Token is actually a RFC9068 JWT Profile Access Token by checking the relevant header as per https://datatracker.ietf.org/doc/html/rfc9068#section-2.1 which explicitly states that the header MUST include a typ of 'at+jwt' or 'application/at+jwt' with a preference of 'at+jwt'.

func IsMaybeSignedJWT added in v4.38.3 

func IsMaybeSignedJWT(value string) (is bool)

func IsPushedAuthorizedRequest added in v4.38.0 

func IsPushedAuthorizedRequest(r oauthelia2.Requester, prefix string) bool

IsPushedAuthorizedRequest returns true if the requester has a PushedAuthorizationRequest redirect_uri value.

func NewPublicJSONWebKeySetFromSchemaJWK added in v4.38.0 

func NewPublicJSONWebKeySetFromSchemaJWK(sjwks []schema.JWK) (jwks *jose.JSONWebKeySet)

NewPublicJSONWebKeySetFromSchemaJWK creates a *jose.JSONWebKeySet from a slice of schema.JWK.

func PopulateClientCredentialsFlowRequester added in v4.38.0 

func PopulateClientCredentialsFlowRequester(ctx Context, config oauthelia2.Configurator, client oauthelia2.Client, requester oauthelia2.Requester) (err error)

PopulateClientCredentialsFlowRequester is used to grant the authorized scopes and audiences when performing a client credentials grant.

func PopulateClientCredentialsFlowSessionWithAccessRequest added in v4.38.0 

func PopulateClientCredentialsFlowSessionWithAccessRequest(ctx Context, client oauthelia2.Client, session *Session) (err error)

PopulateClientCredentialsFlowSessionWithAccessRequest is used to configure a session when performing a client credentials grant.

func RFC6750Header added in v4.38.0 

func RFC6750Header(realm, scope string, err *oauthelia2.RFC6749Error) string

RFC6750Header turns a *oauthelia2.RFC6749Error into the values for a RFC6750 format WWW-Authenticate Bearer response header, excluding the Bearer prefix.

func ValidateSectorIdentifierURI added in v4.38.7 

func ValidateSectorIdentifierURI(ctx ClientContext, cache map[string][]string, sectorURI *url.URL, redirectURIs []string) (err error)

Types

type AuthenticationMethodsReferences added in v4.35.0 

type AuthenticationMethodsReferences struct {
	UsernameAndPassword  bool
	TOTP                 bool
	Duo                  bool
	WebAuthn             bool
	WebAuthnUserPresence bool
	WebAuthnUserVerified bool
}

AuthenticationMethodsReferences holds AMR information.

func NewAuthenticationMethodsReferencesFromClaim added in v4.38.0 

func NewAuthenticationMethodsReferencesFromClaim(claim []string) (amr AuthenticationMethodsReferences)

func (AuthenticationMethodsReferences) ChannelBrowser added in v4.35.0 

func (r AuthenticationMethodsReferences) ChannelBrowser() bool

ChannelBrowser returns true if a browser was used to authenticate.

func (AuthenticationMethodsReferences) ChannelService added in v4.35.0 

func (r AuthenticationMethodsReferences) ChannelService() bool

ChannelService returns true if a non-browser service was used to authenticate.

func (AuthenticationMethodsReferences) FactorKnowledge added in v4.35.0 

func (r AuthenticationMethodsReferences) FactorKnowledge() bool

FactorKnowledge returns true if a "something you know" factor of authentication was used.

func (AuthenticationMethodsReferences) FactorPossession added in v4.35.0 

func (r AuthenticationMethodsReferences) FactorPossession() bool

FactorPossession returns true if a "something you have" factor of authentication was used.

func (AuthenticationMethodsReferences) MarshalRFC8176 added in v4.35.0 

func (r AuthenticationMethodsReferences) MarshalRFC8176() []string

MarshalRFC8176 returns the AMR claim slice of strings in the RFC8176 format. https://datatracker.ietf.org/doc/html/rfc8176

func (AuthenticationMethodsReferences) MultiChannelAuthentication added in v4.35.0 

func (r AuthenticationMethodsReferences) MultiChannelAuthentication() bool

MultiChannelAuthentication returns true if the user used more than one channel to authenticate.

func (AuthenticationMethodsReferences) MultiFactorAuthentication added in v4.35.0 

func (r AuthenticationMethodsReferences) MultiFactorAuthentication() bool

MultiFactorAuthentication returns true if multiple factors were used.

type AuthorizationServerIssuerIdentificationProvider added in v4.38.0 

type AuthorizationServerIssuerIdentificationProvider interface {
	GetAuthorizationServerIdentificationIssuer(ctx context.Context) (issuer string)
}

AuthorizationServerIssuerIdentificationProvider provides OAuth 2.0 Authorization Server Issuer Identification related methods.

type Client added in v4.35.0 

type Client interface {
	oauthelia2.Client
	oauthelia2.ResponseModeClient
	RefreshFlowScopeClient

	GetName() (name string)
	GetSectorIdentifierURI() (sector string)

	GetAuthorizationSignedResponseAlg() (alg string)
	GetAuthorizationSignedResponseKeyID() (kid string)

	GetIDTokenSignedResponseAlg() (alg string)
	GetIDTokenSignedResponseKeyID() (kid string)

	GetAccessTokenSignedResponseAlg() (alg string)
	GetAccessTokenSignedResponseKeyID() (kid string)
	GetEnableJWTProfileOAuthAccessTokens() bool

	GetUserinfoSignedResponseAlg() (alg string)
	GetUserinfoSignedResponseKeyID() (kid string)

	GetIntrospectionSignedResponseAlg() (alg string)
	GetIntrospectionSignedResponseKeyID() (kid string)

	GetRequirePushedAuthorizationRequests() (enforce bool)

	GetEnforcePKCE() (enforce bool)
	GetEnforcePKCEChallengeMethod() (enforce bool)
	GetPKCEChallengeMethod() (method string)

	ValidateResponseModePolicy(r oauthelia2.AuthorizeRequester) (err error)

	GetConsentResponseBody(consent *model.OAuth2ConsentSession) (body ConsentGetResponseBody)
	GetConsentPolicy() ClientConsentPolicy
	IsAuthenticationLevelSufficient(level authentication.Level, subject authorization.Subject) (sufficient bool)
	GetAuthorizationPolicyRequiredLevel(subject authorization.Subject) (level authorization.Level)
	GetAuthorizationPolicy() (policy ClientAuthorizationPolicy)

	GetEffectiveLifespan(gt oauthelia2.GrantType, tt oauthelia2.TokenType, fallback time.Duration) (lifespan time.Duration)
}

Client represents the internal client definitions.

func NewClient 

func NewClient(config schema.IdentityProvidersOpenIDConnectClient, c *schema.IdentityProvidersOpenIDConnect) (client Client)

NewClient creates a new Client.

type ClientAuthorizationPolicy added in v4.38.0 

type ClientAuthorizationPolicy struct {
	Name          string
	DefaultPolicy authorization.Level
	Rules         []ClientAuthorizationPolicyRule
}

ClientAuthorizationPolicy controls and represents a client policy.

func NewClientAuthorizationPolicy added in v4.38.0 

func NewClientAuthorizationPolicy(name string, config *schema.IdentityProvidersOpenIDConnect) (policy ClientAuthorizationPolicy)

NewClientAuthorizationPolicy creates a new ClientAuthorizationPolicy.

func (*ClientAuthorizationPolicy) GetRequiredLevel added in v4.38.0 

func (p *ClientAuthorizationPolicy) GetRequiredLevel(subject authorization.Subject) authorization.Level

GetRequiredLevel returns the required authorization.Level given an authorization.Subject.

type ClientAuthorizationPolicyRule added in v4.38.0 

type ClientAuthorizationPolicyRule struct {
	Subjects []authorization.AccessControlSubjects
	Policy   authorization.Level
}

ClientAuthorizationPolicyRule describes the authorization.Level for particular criteria relevant to OpenID Connect 1.0 Clients.

func (*ClientAuthorizationPolicyRule) IsMatch added in v4.38.0 

func (p *ClientAuthorizationPolicyRule) IsMatch(subject authorization.Subject) (match bool)

IsMatch returns true if all elements of an AccessControlRule match the object and subject.

func (*ClientAuthorizationPolicyRule) MatchesSubjects added in v4.38.0 

func (p *ClientAuthorizationPolicyRule) MatchesSubjects(subject authorization.Subject) (match bool)

MatchesSubjects returns true if the rule matches the subjects.

type ClientConsentMode added in v4.37.0 

type ClientConsentMode int

ClientConsentMode represents the consent mode for a client. 

const (
	// ClientConsentModeExplicit means the client does not implicitly assume consent, and does not allow pre-configured
	// consent sessions.
	ClientConsentModeExplicit ClientConsentMode = iota

	// ClientConsentModePreConfigured means the client does not implicitly assume consent, but does allow pre-configured
	// consent sessions.
	ClientConsentModePreConfigured

	// ClientConsentModeImplicit means the client does implicitly assume consent, and does not allow pre-configured
	// consent sessions.
	ClientConsentModeImplicit
)

func (ClientConsentMode) String added in v4.37.0 

func (c ClientConsentMode) String() string

String returns the string representation of the ClientConsentMode.

type ClientConsentPolicy added in v4.38.0 

type ClientConsentPolicy struct {
	Mode     ClientConsentMode
	Duration time.Duration
}

ClientConsentPolicy is the consent configuration for a client.

func NewClientConsentPolicy added in v4.38.0 

func NewClientConsentPolicy(mode string, duration *time.Duration) ClientConsentPolicy

NewClientConsentPolicy converts the config options into an oidc.ClientConsentPolicy.

func (ClientConsentPolicy) String added in v4.38.0 

func (c ClientConsentPolicy) String() string

String returns the string representation of the ClientConsentMode.

type ClientContext added in v4.38.7 

type ClientContext interface {
	GetHTTPClient() *http.Client

	context.Context
}

type ClientRequestedAudienceMode added in v4.38.0 

type ClientRequestedAudienceMode int

ClientRequestedAudienceMode represents the requested audience mode for a client. 

const (
	// ClientRequestedAudienceModeExplicit means the client requires that the audience is explicitly requested
	// for it to be considered requested and therefore granted.
	ClientRequestedAudienceModeExplicit ClientRequestedAudienceMode = iota

	// ClientRequestedAudienceModeImplicit means the client implicitly assumes that the requested audience is all of the
	// permitted audiences when the request parameter is absent.
	ClientRequestedAudienceModeImplicit
)

func NewClientRequestedAudienceMode added in v4.38.0 

func NewClientRequestedAudienceMode(mode string) ClientRequestedAudienceMode

NewClientRequestedAudienceMode converts the config option into an oidc.ClientRequestedAudienceMode.

func (ClientRequestedAudienceMode) String added in v4.38.0 

func (ram ClientRequestedAudienceMode) String() string

String returns the string representation of the ClientRequestedAudienceMode.

type ClientRequesterResponder added in v4.38.0 

type ClientRequesterResponder interface {
	GetClient() oauthelia2.Client
}

ClientRequesterResponder is a oauthelia2.Requster or fosite.Responder with a GetClient method.

type ClientSecretDigest added in v4.38.0 

type ClientSecretDigest struct {
	*schema.PasswordDigest
}

ClientSecretDigest decorates the *schema.PasswordDigest with the relevant functions to implement oauth2.ClientSecret.

func (*ClientSecretDigest) Compare added in v4.38.0 

func (d *ClientSecretDigest) Compare(ctx context.Context, rawSecret []byte) (err error)

Compare decorates the *schema.PasswordDigest's implementation to satisfy oauth2.ClientSecret's Compare function.

type ClientStore added in v4.38.7 

type ClientStore interface {
	// GetRegisteredClient returns a Client matching the provided id.
	GetRegisteredClient(ctx context.Context, id string) (client Client, err error)
}

ClientStore is an abstraction used for the Store struct which stores clients.

type CommonDiscoveryOptions added in v4.34.0 

type CommonDiscoveryOptions struct {
	/*
		REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer
		Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value
		returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
	*/
	Issuer string `json:"issuer"`

	/*
		REQUIRED. URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to
		validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by
		RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
		parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
		Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT
		RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys
		provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
	*/
	JWKSURI string `json:"jwks_uri,omitempty"`

	/*
		REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint [OpenID.Core].
		See Also:
			OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
	*/
	AuthorizationEndpoint string `json:"authorization_endpoint"`

	/*
		URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is used.
		See Also:
			OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
	*/
	TokenEndpoint string `json:"token_endpoint,omitempty"`

	/*
		REQUIRED. JSON array containing a list of the Subject Identifier types that this OP supports. Valid types
		include pairwise and public.
	*/
	SubjectTypesSupported []string `json:"subject_types_supported"`

	/*
		REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic
		OpenID Providers MUST support the code, id_token, and the token id_token Response Type values.
	*/
	ResponseTypesSupported []string `json:"response_types_supported"`

	/*
		OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID
		Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant Types.
		If omitted, the default value is ["authorization_code", "implicit"].
	*/
	GrantTypesSupported []string `json:"grant_types_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified
		in OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic
		OpenID Providers is ["query", "fragment"].
	*/
	ResponseModesSupported []string `json:"response_modes_supported,omitempty"`

	/*
		RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports.
		The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values
		even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported.
		See Also:
			OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
			OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
	*/
	ScopesSupported []string `json:"scopes_supported,omitempty"`

	/*
		RECOMMENDED. JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able
		to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list.
	*/
	ClaimsSupported []string `json:"claims_supported,omitempty"`

	/*
		OPTIONAL. Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646]
		language tag values.
		See Also:
			BCP47: https://datatracker.ietf.org/doc/html/rfc5646
	*/
	UILocalesSupported []string `json:"ui_locales_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The
		options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in
		Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions.
		If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section
		2.3.1 of OAuth 2.0 [RFC6749].
		See Also:
			OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
			OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
	*/
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint
		for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt
		and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used.
		See Also:
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL. URL of a page containing human-readable information that developers might want or need to know when
		using the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
		then information on how to register Clients needs to be provided in this documentation.
	*/
	ServiceDocumentation string `json:"service_documentation,omitempty"`

	/*
		OPTIONAL. URL that the OpenID Provider provides to the person registering the Client to read about the OP's
		requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD
		display this URL to the person registering the Client if it is given.
	*/
	OPPolicyURI string `json:"op_policy_uri,omitempty"`

	/*
		OPTIONAL. URL that the OpenID Provider provides to the person registering the Client to read about OpenID
		Provider's terms of service. The registration process SHOULD display this URL to the person registering the
		Client if it is given.
	*/
	OPTOSURI string `json:"op_tos_uri,omitempty"`
}

CommonDiscoveryOptions represents the discovery options used in both OAuth 2.0 and OpenID Connect. See Also: 

OpenID Connect Discovery: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
OAuth 2.0 Discovery: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-2

type Config added in v4.37.3 

type Config struct {
	Signer jwt.Signer

	// GlobalSecret is the global secret used to sign and verify signatures.
	GlobalSecret []byte

	// RotatedGlobalSecrets is a list of global secrets that are used to verify signatures.
	RotatedGlobalSecrets [][]byte

	Issuers IssuersConfig

	SendDebugMessagesToClients    bool
	DisableRefreshTokenValidation bool
	OmitRedirectScopeParameter    bool

	JWTScopeField  jwt.JWTScopeFieldEnum
	JWTMaxDuration time.Duration

	JWTSecuredAuthorizationLifespan time.Duration

	JWTAccessToken JWTAccessTokenConfig

	Hash      HashConfig
	Strategy  StrategyConfig
	PAR       PARConfig
	Handlers  HandlersConfig
	Lifespans LifespansConfig
	RFC8693   RFC8693Config

	ProofKeyCodeExchange ProofKeyCodeExchangeConfig
	GrantTypeJWTBearer   GrantTypeJWTBearerConfig

	TokenURL string

	RFC8628UserVerificationURL string

	RevokeRefreshTokensExplicit                        bool
	EnforceRevokeFlowRevokeRefreshTokensExplicitClient bool
	EnforceJWTProfileAccessTokens                      bool
	ClientCredentialsFlowImplicitGrantRequested        bool

	TokenEntropy        int
	MinParameterEntropy int

	SanitationWhiteList []string
	AllowedPrompts      []string
	RefreshTokenScopes  []string

	HTTPClient     *retryablehttp.Client
	MessageCatalog i18n.MessageCatalog

	Templates *templates.Provider
}

Config is an implementation of the oauthelia2.Configurator.

func NewConfig added in v4.37.3 

func NewConfig(config *schema.IdentityProvidersOpenIDConnect, signer jwt.Signer, templates *templates.Provider) (c *Config)

func (*Config) GetAccessTokenIssuer added in v4.37.3 

func (c *Config) GetAccessTokenIssuer(ctx context.Context) (issuer string)

GetAccessTokenIssuer returns the access token issuer.

func (*Config) GetAccessTokenLifespan added in v4.37.3 

func (c *Config) GetAccessTokenLifespan(ctx context.Context) (lifespan time.Duration)

GetAccessTokenLifespan returns the access token lifespan.

func (*Config) GetAllowedPrompts added in v4.37.3 

func (c *Config) GetAllowedPrompts(ctx context.Context) (prompts []string)

GetAllowedPrompts returns the allowed prompts.

func (*Config) GetAudienceStrategy added in v4.37.3 

func (c *Config) GetAudienceStrategy(ctx context.Context) (strategy oauthelia2.AudienceMatchingStrategy)

GetAudienceStrategy returns the audience strategy.

func (*Config) GetAuthorizationServerIdentificationIssuer added in v4.38.0 

func (c *Config) GetAuthorizationServerIdentificationIssuer(ctx context.Context) (issuer string)

GetAuthorizationServerIdentificationIssuer returns the Authorization Server Identification issuer.

func (*Config) GetAuthorizeCodeLifespan added in v4.37.3 

func (c *Config) GetAuthorizeCodeLifespan(ctx context.Context) (lifespan time.Duration)

GetAuthorizeCodeLifespan returns the authorization code lifespan.

func (*Config) GetAuthorizeEndpointHandlers added in v4.37.3 

func (c *Config) GetAuthorizeEndpointHandlers(ctx context.Context) (handlers oauthelia2.AuthorizeEndpointHandlers)

GetAuthorizeEndpointHandlers returns the authorize endpoint handlers.

func (*Config) GetClientAuthenticationStrategy added in v4.37.3 

func (c *Config) GetClientAuthenticationStrategy(ctx context.Context) (strategy oauthelia2.ClientAuthenticationStrategy)

GetClientAuthenticationStrategy returns the client authentication strategy.

func (*Config) GetClientCredentialsFlowImplicitGrantRequested added in v4.38.0 

func (c *Config) GetClientCredentialsFlowImplicitGrantRequested(ctx context.Context) (implicit bool)

func (*Config) GetDefaultRFC8693RequestedTokenType added in v4.38.0 

func (c *Config) GetDefaultRFC8693RequestedTokenType(ctx context.Context) string

func (*Config) GetDisableRefreshTokenValidation added in v4.37.3 

func (c *Config) GetDisableRefreshTokenValidation(ctx context.Context) (disable bool)

GetDisableRefreshTokenValidation returns the disable refresh token validation flag.

func (*Config) GetEnablePKCEPlainChallengeMethod added in v4.37.3 

func (c *Config) GetEnablePKCEPlainChallengeMethod(ctx context.Context) (enable bool)

GetEnablePKCEPlainChallengeMethod returns the enable PKCE plain challenge method.

func (*Config) GetEnforceJWTProfileAccessTokens added in v4.38.0 

func (c *Config) GetEnforceJWTProfileAccessTokens(ctx context.Context) (enforce bool)

func (*Config) GetEnforcePKCE added in v4.37.3 

func (c *Config) GetEnforcePKCE(ctx context.Context) (enforce bool)

GetEnforcePKCE returns the enforcement of PKCE.

func (*Config) GetEnforcePKCEForPublicClients added in v4.37.3 

func (c *Config) GetEnforcePKCEForPublicClients(ctx context.Context) (enforce bool)

GetEnforcePKCEForPublicClients returns the enforcement of PKCE for public clients.

func (*Config) GetEnforceRevokeFlowRevokeRefreshTokensExplicitClient added in v4.38.0 

func (c *Config) GetEnforceRevokeFlowRevokeRefreshTokensExplicitClient(ctx context.Context) (enforce bool)

func (*Config) GetFormPostHTMLTemplate added in v4.37.3 

func (c *Config) GetFormPostHTMLTemplate(ctx context.Context) (tmpl *template.Template)

GetFormPostHTMLTemplate returns the form post HTML template.

func (*Config) GetFormPostResponseWriter added in v4.38.0 

func (c *Config) GetFormPostResponseWriter(ctx context.Context) oauthelia2.FormPostResponseWriter

GetFormPostResponseWriter returns a FormPostResponseWriter which should be utilized for writing the form post response type.

func (*Config) GetGlobalSecret added in v4.37.3 

func (c *Config) GetGlobalSecret(ctx context.Context) (secret []byte, err error)

GetGlobalSecret returns the global secret.

func (*Config) GetGrantTypeJWTBearerCanSkipClientAuth added in v4.37.3 

func (c *Config) GetGrantTypeJWTBearerCanSkipClientAuth(ctx context.Context) (skip bool)

GetGrantTypeJWTBearerCanSkipClientAuth returns the grant type JWT bearer can skip client auth.

func (*Config) GetGrantTypeJWTBearerIDOptional added in v4.37.3 

func (c *Config) GetGrantTypeJWTBearerIDOptional(ctx context.Context) (optional bool)

GetGrantTypeJWTBearerIDOptional returns the grant type JWT bearer ID optional.

func (*Config) GetGrantTypeJWTBearerIssuedDateOptional added in v4.37.3 

func (c *Config) GetGrantTypeJWTBearerIssuedDateOptional(ctx context.Context) (optional bool)

GetGrantTypeJWTBearerIssuedDateOptional returns the grant type JWT bearer issued date optional.

func (*Config) GetHMACHasher added in v4.37.3 

func (c *Config) GetHMACHasher(ctx context.Context) func() (h hash.Hash)

GetHMACHasher returns the hash function.

func (*Config) GetHTTPClient added in v4.37.3 

func (c *Config) GetHTTPClient(ctx context.Context) (client *retryablehttp.Client)

GetHTTPClient returns the HTTP client provider.

func (*Config) GetIDTokenIssuer added in v4.37.3 

func (c *Config) GetIDTokenIssuer(ctx context.Context) (issuer string)

GetIDTokenIssuer returns the ID token issuer.

func (*Config) GetIDTokenLifespan added in v4.37.3 

func (c *Config) GetIDTokenLifespan(ctx context.Context) (lifespan time.Duration)

GetIDTokenLifespan returns the ID token lifespan.

func (*Config) GetIntrospectionIssuer added in v4.38.7 

func (c *Config) GetIntrospectionIssuer(ctx context.Context) (issuer string)

GetIntrospectionIssuer returns the Introspection issuer.

func (*Config) GetIntrospectionJWTResponseSigner added in v4.38.7 

func (c *Config) GetIntrospectionJWTResponseSigner(ctx context.Context) jwt.Signer

GetIntrospectionJWTResponseSigner returns jwt.Signer for Introspection JWT Responses.

func (*Config) GetIssuerFallback added in v4.38.0 

func (c *Config) GetIssuerFallback(ctx context.Context, fallback string) (issuer string)

GetIssuerFallback returns the issuer from the ctx or returns the fallback value.

func (*Config) GetJWKSFetcherStrategy added in v4.37.3 

func (c *Config) GetJWKSFetcherStrategy(ctx context.Context) (strategy oauthelia2.JWKSFetcherStrategy)

GetJWKSFetcherStrategy returns the JWKS fetcher strategy.

func (*Config) GetJWTMaxDuration added in v4.37.3 

func (c *Config) GetJWTMaxDuration(ctx context.Context) (duration time.Duration)

GetJWTMaxDuration returns the JWT max duration.

func (*Config) GetJWTScopeField added in v4.37.3 

func (c *Config) GetJWTScopeField(ctx context.Context) (field jwt.JWTScopeFieldEnum)

GetJWTScopeField returns the JWT scope field.

func (*Config) GetJWTSecuredAuthorizeResponseModeIssuer added in v4.38.0 

func (c *Config) GetJWTSecuredAuthorizeResponseModeIssuer(ctx context.Context) string

GetJWTSecuredAuthorizeResponseModeIssuer returns the issuer for JWT Secured Authorization Responses.

func (*Config) GetJWTSecuredAuthorizeResponseModeLifespan added in v4.38.0 

func (c *Config) GetJWTSecuredAuthorizeResponseModeLifespan(ctx context.Context) (lifespan time.Duration)

GetJWTSecuredAuthorizeResponseModeLifespan returns the configured JWT Secured Authorization lifespan.

func (*Config) GetJWTSecuredAuthorizeResponseModeSigner added in v4.38.0 

func (c *Config) GetJWTSecuredAuthorizeResponseModeSigner(ctx context.Context) (signer jwt.Signer)

GetJWTSecuredAuthorizeResponseModeSigner returns jwt.Signer for JWT Secured Authorization Responses.

func (*Config) GetMessageCatalog added in v4.37.3 

func (c *Config) GetMessageCatalog(ctx context.Context) (catalog i18n.MessageCatalog)

GetMessageCatalog returns the message catalog.

func (*Config) GetMinParameterEntropy added in v4.37.3 

func (c *Config) GetMinParameterEntropy(_ context.Context) (entropy int)

GetMinParameterEntropy returns the minimum parameter entropy.

func (*Config) GetOmitRedirectScopeParam added in v4.37.3 

func (c *Config) GetOmitRedirectScopeParam(ctx context.Context) (omit bool)

GetOmitRedirectScopeParam must be set to true if the scope query param is to be omitted in the authorization's redirect URI.

func (*Config) GetPushedAuthorizeContextLifespan added in v4.37.3 

func (c *Config) GetPushedAuthorizeContextLifespan(ctx context.Context) (lifespan time.Duration)

GetPushedAuthorizeContextLifespan is the lifespan of the short-lived PAR context.

func (*Config) GetPushedAuthorizeEndpointHandlers added in v4.37.3 

func (c *Config) GetPushedAuthorizeEndpointHandlers(ctx context.Context) oauthelia2.PushedAuthorizeEndpointHandlers

GetPushedAuthorizeEndpointHandlers returns the handlers.

func (*Config) GetPushedAuthorizeRequestURIPrefix added in v4.37.3 

func (c *Config) GetPushedAuthorizeRequestURIPrefix(ctx context.Context) string

GetPushedAuthorizeRequestURIPrefix is the request URI prefix. This is usually 'urn:ietf:params:oauth:request_uri:'.

func (*Config) GetRFC8628CodeLifespan added in v4.38.0 

func (c *Config) GetRFC8628CodeLifespan(ctx context.Context) time.Duration

func (*Config) GetRFC8628DeviceAuthorizeEndpointHandlers added in v4.38.0 

func (c *Config) GetRFC8628DeviceAuthorizeEndpointHandlers(ctx context.Context) oauthelia2.RFC8628DeviceAuthorizeEndpointHandlers

func (*Config) GetRFC8628TokenPollingInterval added in v4.38.0 

func (c *Config) GetRFC8628TokenPollingInterval(ctx context.Context) (interval time.Duration)

func (*Config) GetRFC8628UserAuthorizeEndpointHandlers added in v4.38.0 

func (c *Config) GetRFC8628UserAuthorizeEndpointHandlers(ctx context.Context) oauthelia2.RFC8628UserAuthorizeEndpointHandlers

func (*Config) GetRFC8628UserVerificationURL added in v4.38.0 

func (c *Config) GetRFC8628UserVerificationURL(ctx context.Context) string

func (*Config) GetRFC8693TokenTypes added in v4.38.0 

func (c *Config) GetRFC8693TokenTypes(ctx context.Context) map[string]oauthelia2.RFC8693TokenType

func (*Config) GetRedirectSecureChecker added in v4.37.3 

func (c *Config) GetRedirectSecureChecker(ctx context.Context) func(context.Context, *url.URL) (secure bool)

GetRedirectSecureChecker returns the redirect URL security validator.

func (*Config) GetRefreshTokenLifespan added in v4.37.3 

func (c *Config) GetRefreshTokenLifespan(ctx context.Context) (lifespan time.Duration)

GetRefreshTokenLifespan returns the refresh token lifespan.

func (*Config) GetRefreshTokenScopes added in v4.37.3 

func (c *Config) GetRefreshTokenScopes(ctx context.Context) (scopes []string)

GetRefreshTokenScopes returns the refresh token scopes.

func (*Config) GetRequirePushedAuthorizationRequests added in v4.38.0 

func (c *Config) GetRequirePushedAuthorizationRequests(ctx context.Context) (enforce bool)

GetRequirePushedAuthorizationRequests indicates if the use of Pushed Authorization Requests is gobally required. In this mode, a client cannot pass authorize parameters at the 'authorize' endpoint. The 'authorize' endpoint must contain the PAR request_uri.

func (*Config) GetResponseModeHandlers added in v4.38.0 

func (c *Config) GetResponseModeHandlers(ctx context.Context) oauthelia2.ResponseModeHandlers

func (*Config) GetResponseModeParameterHandlers added in v4.38.7 

func (c *Config) GetResponseModeParameterHandlers(ctx context.Context) oauthelia2.ResponseModeParameterHandlers

func (*Config) GetRevocationHandlers added in v4.37.3 

func (c *Config) GetRevocationHandlers(ctx context.Context) (handlers oauthelia2.RevocationHandlers)

GetRevocationHandlers returns the revocation handlers.

func (*Config) GetRevokeRefreshTokensExplicit added in v4.38.0 

func (c *Config) GetRevokeRefreshTokensExplicit(ctx context.Context) (explicit bool)

func (*Config) GetRotatedGlobalSecrets added in v4.37.3 

func (c *Config) GetRotatedGlobalSecrets(ctx context.Context) (secrets [][]byte, err error)

GetRotatedGlobalSecrets returns the rotated global secrets.

func (*Config) GetSanitationWhiteList added in v4.37.3 

func (c *Config) GetSanitationWhiteList(ctx context.Context) (whitelist []string)

GetSanitationWhiteList is a whitelist of form values that are required by the token endpoint. These values are safe for storage in a database (cleartext).

func (*Config) GetScopeStrategy added in v4.37.3 

func (c *Config) GetScopeStrategy(ctx context.Context) (strategy oauthelia2.ScopeStrategy)

GetScopeStrategy returns the scope strategy.

func (*Config) GetSendDebugMessagesToClients added in v4.37.3 

func (c *Config) GetSendDebugMessagesToClients(ctx context.Context) (send bool)

GetSendDebugMessagesToClients returns the send debug messages to clients.

func (*Config) GetTokenEndpointHandlers added in v4.37.3 

func (c *Config) GetTokenEndpointHandlers(ctx context.Context) (handlers oauthelia2.TokenEndpointHandlers)

GetTokenEndpointHandlers returns the token endpoint handlers.

func (*Config) GetTokenEntropy added in v4.37.3 

func (c *Config) GetTokenEntropy(ctx context.Context) (entropy int)

GetTokenEntropy returns the token entropy.

func (*Config) GetTokenIntrospectionHandlers added in v4.37.3 

func (c *Config) GetTokenIntrospectionHandlers(ctx context.Context) (handlers oauthelia2.TokenIntrospectionHandlers)

GetTokenIntrospectionHandlers returns the token introspection handlers.

func (*Config) GetTokenURL added in v4.37.3 

func (c *Config) GetTokenURL(ctx context.Context) (url string)

func (*Config) GetTokenURLs added in v4.38.0 

func (c *Config) GetTokenURLs(ctx context.Context) (tokenURLs []string)

GetTokenURLs returns the token URL.

func (*Config) GetUseLegacyErrorFormat deprecated added in v4.37.3 

func (c *Config) GetUseLegacyErrorFormat(ctx context.Context) (use bool)

GetUseLegacyErrorFormat returns whether to use the legacy error format.

Deprecated: Do not use this flag anymore.

func (*Config) GetVerifiableCredentialsNonceLifespan added in v4.38.0 

func (c *Config) GetVerifiableCredentialsNonceLifespan(ctx context.Context) (lifespan time.Duration)

GetVerifiableCredentialsNonceLifespan is the lifespan of the verifiable credentials' nonce.

func (*Config) LoadHandlers added in v4.37.3 

func (c *Config) LoadHandlers(store *Store)

LoadHandlers reloads the handlers based on the current configuration.

type Configurator added in v4.38.0 

type Configurator interface {
	oauthelia2.Configurator

	AuthorizationServerIssuerIdentificationProvider
}

Configurator is an internal extension to the oauthelia2.Configurator.

type ConsentGetResponseBody 

type ConsentGetResponseBody struct {
	ClientID          string   `json:"client_id"`
	ClientDescription string   `json:"client_description"`
	Scopes            []string `json:"scopes"`
	Audience          []string `json:"audience"`
	PreConfiguration  bool     `json:"pre_configuration"`
}

ConsentGetResponseBody schema of the response body of the consent GET endpoint.

type ConsentPostRequestBody added in v4.35.0 

type ConsentPostRequestBody struct {
	ConsentID    string `json:"id"`
	ClientID     string `json:"client_id"`
	Consent      bool   `json:"consent"`
	PreConfigure bool   `json:"pre_configure"`
}

ConsentPostRequestBody schema of the request body of the consent POST endpoint.

type ConsentPostResponseBody added in v4.35.0 

type ConsentPostResponseBody struct {
	RedirectURI string `json:"redirect_uri"`
}

ConsentPostResponseBody schema of the response body of the consent POST endpoint.

type Context added in v4.38.0 

type Context interface {
	RootURL() (issuerURL *url.URL)
	IssuerURL() (issuerURL *url.URL, err error)
	GetClock() (clock clock.Provider)
	GetRandom() (random random.Provider)
	GetConfiguration() (config schema.Configuration)
	GetJWTWithTimeFuncOption() (option jwt.ParserOption)

	context.Context
}

Context represents the context implementation that is used by some OpenID Connect 1.0 implementations.

type GrantTypeJWTBearerConfig added in v4.37.3 

type GrantTypeJWTBearerConfig struct {
	OptionalClientAuth bool
	OptionalJTIClaim   bool
	OptionalIssuedDate bool
}

GrantTypeJWTBearerConfig holds specific oauthelia2.Configurator information for the JWT Bearer Grant Type.

type HandlersConfig added in v4.37.3 

type HandlersConfig struct {
	// ResponseMode provides an extension handler for custom response modes.
	ResponseMode oauthelia2.ResponseModeHandlers

	// ResponseModeParameter provides an extension handler for custom response mode parameters added later after the
	// response mode is assured.
	ResponseModeParameter oauthelia2.ResponseModeParameterHandlers

	// AuthorizeEndpoint is a list of handlers that are called before the authorization endpoint is served.
	AuthorizeEndpoint oauthelia2.AuthorizeEndpointHandlers

	// TokenEndpoint is a list of handlers that are called before the token endpoint is served.
	TokenEndpoint oauthelia2.TokenEndpointHandlers

	// TokenIntrospection is a list of handlers that are called before the token introspection endpoint is served.
	TokenIntrospection oauthelia2.TokenIntrospectionHandlers

	// Revocation is a list of handlers that are called before the revocation endpoint is served.
	Revocation oauthelia2.RevocationHandlers

	// PushedAuthorizeEndpoint is a list of handlers that are called before the PAR endpoint is served.
	PushedAuthorizeEndpoint oauthelia2.PushedAuthorizeEndpointHandlers

	RFC8628DeviceAuthorizeEndpoint oauthelia2.RFC8628DeviceAuthorizeEndpointHandlers

	RFC8628UserAuthorizeEndpoint oauthelia2.RFC8628UserAuthorizeEndpointHandlers
}

HandlersConfig holds specific oauthelia2.Configurator handlers configuration information.

type HashConfig added in v4.37.3 

type HashConfig struct {
	HMAC func() (h hash.Hash)
}

HashConfig holds specific oauthelia2.Configurator information for hashing.

type IDTokenClaimsSession added in v4.38.0 

type IDTokenClaimsSession interface {
	GetIDTokenClaims() *fjwt.IDTokenClaims
}

IDTokenClaimsSession is a session which can return the IDTokenClaims type.

type IDTokenSessionContainer added in v4.38.0 

type IDTokenSessionContainer interface {
	IDTokenHeaders() *fjwt.Headers
	IDTokenClaims() *fjwt.IDTokenClaims
}

IDTokenSessionContainer is similar to the oauth2.JWTSessionContainer to facilitate obtaining the headers as appropriate.

type IssuersConfig added in v4.37.3 

type IssuersConfig struct {
	IDToken       string
	AccessToken   string
	Introspection string

	AuthorizationServerIssuerIdentification string
	JWTSecuredResponseMode                  string
}

IssuersConfig holds specific oauthelia2.Configurator information for the issuer.

type JWK added in v4.37.0 

type JWK struct {
	// contains filtered or unexported fields
}

JWK is a representation layer over the *jose.JSONWebKey for convenience.

func NewJWK added in v4.37.0 

func NewJWK(s schema.JWK) (jwk *JWK)

NewJWK creates a *JWK f rom a schema.JWK.

func (*JWK) Algorithm added in v4.38.0 

func (j *JWK) Algorithm() string

Algorithm returns the Algorithm for this *JWK.

func (*JWK) DirectJWK added in v4.38.0 

func (j *JWK) DirectJWK() (jwk jose.JSONWebKey)

DirectJWK directly returns the *JWK as a jose.JSONWebKey with the private key if appropriate.

func (*JWK) GetPrivateKey added in v4.37.3 

func (j *JWK) GetPrivateKey(ctx context.Context) (any, error)

GetPrivateKey returns the Private Key for this *JWK.

func (*JWK) GetSigningMethod added in v4.38.0 

func (j *JWK) GetSigningMethod() jwt.SigningMethod

GetSigningMethod returns the jwt.SigningMethod for this *JWK.

func (*JWK) JWK added in v4.38.0 

func (j *JWK) JWK() (jwk jose.JSONWebKey)

JWK directly returns the *JWK as a jose.JSONWebKey specifically without the private key.

func (*JWK) KeyID added in v4.38.0 

func (j *JWK) KeyID() string

KeyID returns the Key ID for this *JWK.

func (*JWK) PrivateJWK added in v4.38.0 

func (j *JWK) PrivateJWK() (jwk *jose.JSONWebKey)

PrivateJWK directly returns the *JWK as a *jose.JSONWebKey with the private key if appropriate.

func (*JWK) Strategy added in v4.37.0 

func (j *JWK) Strategy() (strategy fjwt.Signer)

Strategy returns the fosite jwt.Signer.

type JWTAccessTokenConfig added in v4.38.0 

type JWTAccessTokenConfig struct {
	Enable                       bool
	EnableStatelessIntrospection bool
}

JWTAccessTokenConfig represents the JWT Access Token config.

type JWTSecuredResponseModeProvider added in v4.38.0 

type JWTSecuredResponseModeProvider interface {
	GetJWTSecuredAuthorizeResponseModeLifespan(ctx context.Context) (lifespan time.Duration)
	GetJWTSecuredAuthorizeResponseModeSigner(ctx context.Context) (signer fjwt.Signer)
	GetJWTSecuredAuthorizeResponseModeIssuer(ctx context.Context) (issuer string)
}

JWTSecuredResponseModeProvider provides JARM related methods.

type KeyManager 

type KeyManager struct {
	// contains filtered or unexported fields
}

The KeyManager type handles JWKs and signing operations.

func NewKeyManager 

func NewKeyManager(config *schema.IdentityProvidersOpenIDConnect) (manager *KeyManager)

NewKeyManager news up a KeyManager.

func (*KeyManager) Decode added in v4.38.0 

func (m *KeyManager) Decode(ctx context.Context, tokenString string) (token *fjwt.Token, err error)

Decode implements the fosite jwt.Signer interface and automatically maps the underlying keys based on the JWK Header kid.

func (*KeyManager) Generate added in v4.38.0 

func (m *KeyManager) Generate(ctx context.Context, claims fjwt.MapClaims, header fjwt.Mapper) (tokenString string, sig string, err error)

Generate implements the fosite jwt.Signer interface and automatically maps the underlying keys based on the JWK Header kid.

func (*KeyManager) Get added in v4.38.0 

func (m *KeyManager) Get(ctx context.Context, kid, alg string) *JWK

Get returns the JWK given an kid/alg or nil if it doesn't exist.

func (*KeyManager) GetByAlg added in v4.38.0 

func (m *KeyManager) GetByAlg(ctx context.Context, alg string) *JWK

GetByAlg returns the JWK given an alg or nil if it doesn't exist.

func (*KeyManager) GetByHeader added in v4.38.0 

func (m *KeyManager) GetByHeader(ctx context.Context, header fjwt.Mapper) (jwk *JWK, err error)

GetByHeader returns the JWK a JWT header with the appropriate kid value or returns an error.

func (*KeyManager) GetByKID added in v4.38.0 

func (m *KeyManager) GetByKID(ctx context.Context, kid string) *JWK

GetByKID returns the JWK given an key id or nil if it doesn't exist. If given a blank string it returns the default.

func (*KeyManager) GetByTokenString added in v4.38.0 

func (m *KeyManager) GetByTokenString(ctx context.Context, tokenString string) (jwk *JWK, err error)

GetByTokenString does an invalidated decode of a token to get the header, then calls GetByHeader.

func (*KeyManager) GetDefaultKeyID added in v4.38.0 

func (m *KeyManager) GetDefaultKeyID(ctx context.Context) string

GetDefaultKeyID returns the default key id.

func (*KeyManager) GetKeyID added in v4.38.0 

func (m *KeyManager) GetKeyID(ctx context.Context, kid, alg string) string

GetKeyID returns the JWK Key ID given an kid/alg or the default if it doesn't exist.

func (*KeyManager) GetKeyIDFromAlg added in v4.38.0 

func (m *KeyManager) GetKeyIDFromAlg(ctx context.Context, alg string) string

GetKeyIDFromAlg returns the key id given an alg or the default if it doesn't exist.

func (*KeyManager) GetKeyIDFromAlgStrict added in v4.38.0 

func (m *KeyManager) GetKeyIDFromAlgStrict(ctx context.Context, alg string) (kid string, err error)

GetKeyIDFromAlgStrict returns the key id given an alg or an error if it doesn't exist.

func (*KeyManager) GetSignature added in v4.38.0 

func (m *KeyManager) GetSignature(ctx context.Context, tokenString string) (sig string, err error)

GetSignature implements the fosite jwt.Signer interface.

func (*KeyManager) GetSigningMethodLength added in v4.38.0 

func (m *KeyManager) GetSigningMethodLength(ctx context.Context) (size int)

GetSigningMethodLength implements the fosite jwt.Signer interface.

func (*KeyManager) Hash added in v4.38.0 

func (m *KeyManager) Hash(ctx context.Context, in []byte) (sum []byte, err error)

Hash implements the fosite jwt.Signer interface.

func (*KeyManager) Set added in v4.38.0 

func (m *KeyManager) Set(ctx context.Context) *jose.JSONWebKeySet

Set returns the *jose.JSONWebKeySet.

func (*KeyManager) Validate added in v4.38.0 

func (m *KeyManager) Validate(ctx context.Context, tokenString string) (sig string, err error)

Validate implements the fosite jwt.Signer interface and automatically maps the underlying keys based on the JWK Header kid.

type LifespansConfig added in v4.38.0 

type LifespansConfig struct {
	schema.IdentityProvidersOpenIDConnectLifespanToken

	VerifiableCredentialsNonce time.Duration

	RFC8628Code    time.Duration
	RFC8628Polling time.Duration
}

type MemoryClientStore added in v4.38.7 

type MemoryClientStore struct {
	// contains filtered or unexported fields
}

MemoryClientStore is an implementation of the ClientStore which just stores the clients in memory.

func NewMemoryClientStore added in v4.38.7 

func NewMemoryClientStore(config *schema.IdentityProvidersOpenIDConnect) (store *MemoryClientStore)

func (*MemoryClientStore) GetRegisteredClient added in v4.38.7 

func (s *MemoryClientStore) GetRegisteredClient(_ context.Context, id string) (client Client, err error)

GetRegisteredClient returns a Client matching the provided id.

type OAuth2DeviceAuthorizationGrantDiscoveryOptions added in v4.38.0 

type OAuth2DeviceAuthorizationGrantDiscoveryOptions struct {
	/*
		OPTIONAL.  URL of the authorization server's device authorization endpoint, as defined in Section 3.1.
	*/
	DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint"`
}

type OAuth2DiscoveryOptions added in v4.34.0 

type OAuth2DiscoveryOptions struct {
	/*
		 	OPTIONAL. URL of the authorization server's OAuth 2.0 introspection endpoint [RFC7662].
			See Also:
				OAuth 2.0 Token Introspection: https://datatracker.ietf.org/doc/html/rfc7662
	*/
	IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`

	/*
		OPTIONAL. URL of the authorization server's OAuth 2.0 revocation endpoint [RFC7009].
		See Also:
			OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
	*/
	RevocationEndpoint string `json:"revocation_endpoint,omitempty"`

	/*
		OPTIONAL. URL of the authorization server's OAuth 2.0 Dynamic Client Registration endpoint [RFC7591].
		See Also:
			OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
	*/
	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of client authentication methods supported by this introspection endpoint.
		The valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
		Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access Token Types"
		registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.) If omitted,
		the set of supported authentication methods MUST be determined by other means.
		See Also:
			IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
			OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2
	*/
	IntrospectionEndpointAuthMethodsSupported []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the
		introspection endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection
		endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be
		present if either of these authentication methods are specified in the
		"introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is omitted.
		The value "none" MUST NOT be used.
		See Also:
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of client authentication methods supported by this revocation endpoint.
		The valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
		Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic" --
		the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
		See Also:
			IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
			OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
	*/
	RevocationEndpointAuthMethodsSupported []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
		endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for the
		"private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if either
		of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported" entry. No
		default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
		See Also:
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization
		server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section 4.3 of
		[RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code Challenge Methods"
		registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support PKCE.
		See Also:
			PKCE: https://datatracker.ietf.org/doc/html/rfc7636
			IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
	*/
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
}

OAuth2DiscoveryOptions represents the discovery options specific to OAuth 2.0.

type OAuth2IssuerIdentificationDiscoveryOptions added in v4.38.0 

type OAuth2IssuerIdentificationDiscoveryOptions struct {
	AuthorizationResponseIssuerParameterSupported bool `json:"authorization_response_iss_parameter_supported"`
}

type OAuth2JWTIntrospectionResponseDiscoveryOptions added in v4.38.0 

type OAuth2JWTIntrospectionResponseDiscoveryOptions struct {
	/*
		OPTIONAL.  JSON array containing a list of the JWS [RFC7515] signing algorithms ("alg" values) as defined in JWA
		[RFC7518] supported by the introspection endpoint to sign the response.
	*/
	IntrospectionSigningAlgValuesSupported []string `json:"introspection_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL.  JSON array containing a list of the JWE [RFC7516] encryption algorithms ("alg" values) as defined in
		JWA [RFC7518] supported by the introspection endpoint to encrypt the content encryption key for introspection
		responses (content key encryption).
	*/
	IntrospectionEncryptionAlgValuesSupported []string `json:"introspection_encryption_alg_values_supported,omitempty"`

	/*
		OPTIONAL.  JSON array containing a list of the JWE [RFC7516] encryption algorithms ("enc" values) as defined in
		JWA [RFC7518] supported by the introspection endpoint to encrypt the response (content encryption).
	*/
	IntrospectionEncryptionEncValuesSupported []string `json:"introspection_encryption_enc_values_supported,omitempty"`
}

type OAuth2JWTSecuredAuthorizationRequestDiscoveryOptions added in v4.38.0 

type OAuth2JWTSecuredAuthorizationRequestDiscoveryOptions struct {
	/*
		Indicates where authorization request needs to be protected as Request Object and provided through either
		request or request_uri parameter.
	*/
	RequireSignedRequestObject bool `json:"require_signed_request_object"`
}

type OAuth2MutualTLSClientAuthenticationAliasesDiscoveryOptions added in v4.38.0 

type OAuth2MutualTLSClientAuthenticationAliasesDiscoveryOptions struct {
	AuthorizationEndpoint              string `json:"authorization_endpoint,omitempty"`
	TokenEndpoint                      string `json:"token_endpoint,omitempty"`
	IntrospectionEndpoint              string `json:"introspection_endpoint,omitempty"`
	RevocationEndpoint                 string `json:"revocation_endpoint,omitempty"`
	EndSessionEndpoint                 string `json:"end_session_endpoint,omitempty"`
	UserinfoEndpoint                   string `json:"userinfo_endpoint,omitempty"`
	BackChannelAuthenticationEndpoint  string `json:"backchannel_authentication_endpoint,omitempty"`
	FederationRegistrationEndpoint     string `json:"federation_registration_endpoint,omitempty"`
	PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint,omitempty"`
	RegistrationEndpoint               string `json:"registration_endpoint,omitempty"`
}

type OAuth2MutualTLSClientAuthenticationDiscoveryOptions added in v4.38.0 

type OAuth2MutualTLSClientAuthenticationDiscoveryOptions struct {
	/*
		OPTIONAL. Boolean value indicating server support for mutual-TLS client certificate-bound access tokens. If
		omitted, the default value is false.
	*/
	TLSClientCertificateBoundAccessTokens bool `json:"tls_client_certificate_bound_access_tokens"`

	/*
		OPTIONAL. A JSON object containing alternative authorization server endpoints that, when present, an OAuth
		client intending to do mutual TLS uses in preference to the conventional endpoints. The parameter value itself
		consists of one or more endpoint parameters, such as token_endpoint, revocation_endpoint,
		introspection_endpoint, etc., conventionally defined for the top level of authorization server metadata. An
		OAuth client intending to do mutual TLS (for OAuth client authentication and/or to acquire or use
		certificate-bound tokens) when making a request directly to the authorization server MUST use the alias URL of
		the endpoint within the mtls_endpoint_aliases, when present, in preference to the endpoint URL of the same name
		at the top level of metadata. When an endpoint is not present in mtls_endpoint_aliases, then the client uses the
		conventional endpoint URL defined at the top level of the authorization server metadata. Metadata parameters
		within mtls_endpoint_aliases that do not define endpoints to which an OAuth client makes a direct request have
		no meaning and SHOULD be ignored.
	*/
	MutualTLSEndpointAliases OAuth2MutualTLSClientAuthenticationAliasesDiscoveryOptions `json:"mtls_endpoint_aliases"`
}

type OAuth2PushedAuthorizationDiscoveryOptions added in v4.38.0 

type OAuth2PushedAuthorizationDiscoveryOptions struct {
	/*
	   The URL of the pushed authorization request endpoint at which a client can post an authorization request to
	   exchange for a "request_uri" value usable at the authorization server.
	*/
	PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint"`

	/*
		Boolean parameter indicating whether the authorization server accepts authorization request data only via PAR.
		If omitted, the default value is "false".
	*/
	RequirePushedAuthorizationRequests bool `json:"require_pushed_authorization_requests"`
}

OAuth2PushedAuthorizationDiscoveryOptions represents the well known discovery document specific to the OAuth 2.0 Pushed Authorization Requests (RFC9126) implementation.

OAuth 2.0 Pushed Authorization Requests: https://datatracker.ietf.org/doc/html/rfc9126#section-5

type OAuth2WellKnownClaims added in v4.38.0 

type OAuth2WellKnownClaims struct {
	OAuth2WellKnownSignedConfiguration

	jwt.RegisteredClaims
}

type OAuth2WellKnownConfiguration added in v4.34.0 

type OAuth2WellKnownConfiguration struct {
	CommonDiscoveryOptions
	OAuth2DiscoveryOptions
	*OAuth2DeviceAuthorizationGrantDiscoveryOptions
	*OAuth2MutualTLSClientAuthenticationDiscoveryOptions
	*OAuth2IssuerIdentificationDiscoveryOptions
	*OAuth2JWTIntrospectionResponseDiscoveryOptions
	*OAuth2JWTSecuredAuthorizationRequestDiscoveryOptions
	*OAuth2PushedAuthorizationDiscoveryOptions
}

OAuth2WellKnownConfiguration represents the well known discovery document specific to OAuth 2.0.

func (OAuth2WellKnownConfiguration) Copy added in v4.38.0 

func (opts OAuth2WellKnownConfiguration) Copy() (optsCopy OAuth2WellKnownConfiguration)

Copy the values of the OAuth2WellKnownConfiguration and return it as a new struct.

type OAuth2WellKnownSignedConfiguration added in v4.38.0 

type OAuth2WellKnownSignedConfiguration struct {
	OAuth2WellKnownConfiguration

	/*
			A JWT containing metadata values about the authorization server as claims. This is a string value consisting of
		    the entire signed JWT. A "signed_metadata" metadata value SHOULD NOT appear as a claim in the JWT.
	*/
	SignedMetadata string `json:"signed_metadata,omitempty"`
}

type OpenIDConnectBackChannelLogoutDiscoveryOptions added in v4.34.0 

type OpenIDConnectBackChannelLogoutDiscoveryOptions struct {
	/*
		OPTIONAL. Boolean value specifying whether the OP supports back-channel logout, with true indicating support.
		If omitted, the default value is false.
	*/
	BackChannelLogoutSupported bool `json:"backchannel_logout_supported"`

	/*
		OPTIONAL. Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to
		identify the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP.
		If omitted, the default value is false.
	*/
	BackChannelLogoutSessionSupported bool `json:"backchannel_logout_session_supported"`
}

OpenIDConnectBackChannelLogoutDiscoveryOptions represents the discovery options specific to OpenID Connect Back-Channel Logout functionality. See Also: 

OpenID Connect Back-Channel Logout: https://openid.net/specs/openid-connect-backchannel-1_0.html#BCSupport

type OpenIDConnectClientInitiatedBackChannelAuthFlowDiscoveryOptions added in v4.38.0 

type OpenIDConnectClientInitiatedBackChannelAuthFlowDiscoveryOptions struct {
	/*
		REQUIRED. URL of the OP's Backchannel Authentication Endpoint as defined in Section 7.
	*/
	BackChannelAuthenticationEndpoint string `json:"backchannel_authentication_endpoint"`

	/*
		REQUIRED. JSON array containing one or more of the following values: poll, ping, and push.
	*/
	BackChannelTokenDeliveryModesSupported []string `json:"backchannel_token_delivery_modes_supported"`

	/*
		OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for signed
		authentication requests, which are described in Section 7.1.1. If omitted, signed authentication requests are
		not supported by the OP.
	*/
	BackChannelAuthRequestSigningAlgValuesSupported []string `json:"backchannel_authentication_request_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL. Boolean value specifying whether the OP supports the use of the user_code parameter, with true
		indicating support. If omitted, the default value is false.
	*/
	BackChannelUserCodeParameterSupported bool `json:"backchannel_user_code_parameter_supported"`
}

OpenIDConnectClientInitiatedBackChannelAuthFlowDiscoveryOptions represents the discovery options specific to OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0

The following authorization server metadata parameters are introduced by this specification for OPs publishing their support of the CIBA flow and details thereof.

See Also:

OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.4

type OpenIDConnectDiscoveryOptions added in v4.34.0 

type OpenIDConnectDiscoveryOptions struct {
	/*
		REQUIRED. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID
		Token to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported,
		but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint (such as
		when using the Authorization Code Flow).
		See Also:
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the
		ID Token to encode the Claims in a JWT [JWT].
		See Also:
			JWE: https://datatracker.ietf.org/doc/html/rfc7516
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	IDTokenEncryptionAlgValuesSupported []string `json:"id_token_encryption_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the
		ID Token to encode the Claims in a JWT [JWT].
		See Also:
			JWE: https://datatracker.ietf.org/doc/html/rfc7516
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	IDTokenEncryptionEncValuesSupported []string `json:"id_token_encryption_enc_values_supported,omitempty"`

	/*
		RECOMMENDED. URL of the OP's UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain
		port, path, and query parameter components.
		See Also:
			OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
	*/
	UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the
		UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included.
		See Also:
			JWS: https://datatracker.ietf.org/doc/html/rfc7515
			JWA: https://datatracker.ietf.org/doc/html/rfc7518
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by
		the UserInfo Endpoint to encode the Claims in a JWT [JWT].
		See Also:
			JWE: https://datatracker.ietf.org/doc/html/rfc7516
			JWA: https://datatracker.ietf.org/doc/html/rfc7518
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	UserinfoEncryptionAlgValuesSupported []string `json:"userinfo_encryption_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the
		UserInfo Endpoint to encode the Claims in a JWT [JWT].
		See Also:
			JWE: https://datatracker.ietf.org/doc/html/rfc7516
			JWA: https://datatracker.ietf.org/doc/html/rfc7518
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	UserinfoEncryptionEncValuesSupported []string `json:"userinfo_encryption_enc_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request
		Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used
		both when the Request Object is passed by value (using the request parameter) and when it is passed by reference
		(using the request_uri parameter). Servers SHOULD support none and RS256.
	*/
	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for
		Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed
		by reference.
		See Also:
			JWE: https://datatracker.ietf.org/doc/html/rfc7516
	*/
	RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for
		Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed
		by reference.
		See Also:
			JWE: https://datatracker.ietf.org/doc/html/rfc7516
			JWT: https://datatracker.ietf.org/doc/html/rfc7519
	*/
	RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the Authentication Context Class References that this OP supports.
	*/
	ACRValuesSupported []string `json:"acr_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the display parameter values that the OpenID Provider supports. These
		values are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core].
		See Also:
			OpenID.Core Section 3.1.2.1: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
	*/
	DisplayValuesSupported []string `json:"display_values_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types
		are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this specification are
		normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims.
		See Also:
			OpenID.Core Section 5.6: https://openid.net/specs/openid-connect-core-1_0.html#ClaimTypes
	*/
	ClaimTypesSupported []string `json:"claim_types_supported,omitempty"`

	/*
		OPTIONAL. Languages and scripts supported for values in Claims being returned, represented as a JSON array of
		BCP47 [RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values.
		See Also:
			BCP47: https://datatracker.ietf.org/doc/html/rfc5646
	*/
	ClaimLocalesSupported []string `json:"claims_locales_supported,omitempty"`

	/*
		OPTIONAL. Boolean value specifying whether the OP supports use of the request parameter, with true indicating
		support. If omitted, the default value is false.
	*/
	RequestParameterSupported bool `json:"request_parameter_supported"`

	/*
		OPTIONAL. Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating
		support. If omitted, the default value is true.
	*/
	RequestURIParameterSupported bool `json:"request_uri_parameter_supported"`

	/*
		OPTIONAL. Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using
		the request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the
		default value is false.
	*/
	RequireRequestURIRegistration bool `json:"require_request_uri_registration"`

	/*
		OPTIONAL. Boolean value specifying whether the OP supports use of the claims parameter, with true indicating
		support. If omitted, the default value is false.
	*/
	ClaimsParameterSupported bool `json:"claims_parameter_supported"`
}

OpenIDConnectDiscoveryOptions represents the discovery options specific to OpenID Connect.

type OpenIDConnectFrontChannelLogoutDiscoveryOptions added in v4.34.0 

type OpenIDConnectFrontChannelLogoutDiscoveryOptions struct {
	/*
		OPTIONAL. Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. If
		omitted, the default value is false.
	*/
	FrontChannelLogoutSupported bool `json:"frontchannel_logout_supported"`

	/*
		OPTIONAL. Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to
		identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also
		included in ID Tokens issued by the OP. If omitted, the default value is false.
	*/
	FrontChannelLogoutSessionSupported bool `json:"frontchannel_logout_session_supported"`
}

OpenIDConnectFrontChannelLogoutDiscoveryOptions represents the discovery options specific to OpenID Connect Front-Channel Logout functionality. See Also: 

OpenID Connect Front-Channel Logout: https://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout

type OpenIDConnectJWTSecuredAuthorizationResponseModeDiscoveryOptions added in v4.38.0 

type OpenIDConnectJWTSecuredAuthorizationResponseModeDiscoveryOptions struct {
	/*
		OPTIONAL. A JSON array containing a list of the JWS [RFC7515] signing algorithms (alg values) supported by the
		authorization endpoint to sign the response.
	*/
	AuthorizationSigningAlgValuesSupported []string `json:"authorization_signing_alg_values_supported,omitempty"`

	/*
		OPTIONAL. A JSON array containing a list of the JWE [RFC7516] encryption algorithms (alg values) supported by
		the authorization endpoint to encrypt the response.
	*/
	AuthorizationEncryptionAlgValuesSupported []string `json:"authorization_encryption_alg_values_supported,omitempty"`

	/*
		OPTIONAL. A JSON array containing a list of the JWE [RFC7516] encryption algorithms (enc values) supported by
		the authorization endpoint to encrypt the response.
	*/
	AuthorizationEncryptionEncValuesSupported []string `json:"authorization_encryption_enc_values_supported,omitempty"`
}

OpenIDConnectJWTSecuredAuthorizationResponseModeDiscoveryOptions represents the discovery options specific to JWT Secured Authorization Response Mode for OAuth 2.0 (JARM).

Authorization servers SHOULD publish the supported algorithms for signing and encrypting the JWT of an authorization response by utilizing OAuth 2.0 Authorization Server Metadata [RFC8414] parameters. The following parameters are introduced by this specification.

See Also:

JWT Secured Authorization Response Mode for OAuth 2.0 (JARM): https://openid.net/specs/oauth-v2-jarm.html#name-authorization-server-metada

type OpenIDConnectPromptCreateDiscoveryOptions added in v4.38.0 

type OpenIDConnectPromptCreateDiscoveryOptions struct {
	/*
		OPTIONAL. JSON array containing the list of prompt values that this OP supports.

		This metadata element is OPTIONAL in the context of the OpenID Provider not supporting the create value. If
		omitted, the Relying Party should assume that this specification is not supported. The OpenID Provider MAY
		provide this metadata element even if it doesn't support the create value.
		Specific to this specification, a value of create in the array indicates to the Relying party that this OpenID
		Provider supports this specification. If an OpenID Provider supports this specification it MUST define this metadata
		element in the openid-configuration file. Additionally, if this metadata element is defined by the OpenID
		Provider, the OP must also specify all other prompt values which it supports.
		See Also:
			OpenID.PromptCreate: https://openid.net/specs/openid-connect-prompt-create-1_0.html
	*/
	PromptValuesSupported []string `json:"prompt_values_supported,omitempty"`
}

OpenIDConnectPromptCreateDiscoveryOptions represents the discovery options specific to Initiating User Registration via OpenID Connect 1.0 functionality.

This specification extends the OpenID Connect Discovery Metadata Section 3.

See Also: 

Initiating User Registration via OpenID Connect 1.0: https://openid.net/specs/openid-connect-prompt-create-1_0.html

type OpenIDConnectProvider 

type OpenIDConnectProvider struct {
	*Store
	*Config

	KeyManager *KeyManager

	oauthelia2.Provider
	// contains filtered or unexported fields
}

OpenIDConnectProvider for OpenID Connect.

func NewOpenIDConnectProvider 

func NewOpenIDConnectProvider(config *schema.IdentityProvidersOpenIDConnect, store storage.Provider, templates *templates.Provider) (provider *OpenIDConnectProvider)

NewOpenIDConnectProvider new-ups a OpenIDConnectProvider.

func (*OpenIDConnectProvider) GetOAuth2WellKnownConfiguration added in v4.34.0 

func (p *OpenIDConnectProvider) GetOAuth2WellKnownConfiguration(issuer string) OAuth2WellKnownConfiguration

GetOAuth2WellKnownConfiguration returns the discovery document for the OAuth Configuration.

func (*OpenIDConnectProvider) GetOpenIDConnectWellKnownConfiguration added in v4.34.0 

func (p *OpenIDConnectProvider) GetOpenIDConnectWellKnownConfiguration(issuer string) OpenIDConnectWellKnownConfiguration

GetOpenIDConnectWellKnownConfiguration returns the discovery document for the OpenID Configuration.

type OpenIDConnectRPInitiatedLogoutDiscoveryOptions added in v4.38.0 

type OpenIDConnectRPInitiatedLogoutDiscoveryOptions struct {
	/*
		REQUIRED. URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the
		OP. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.
	*/
	EndSessionEndpoint string `json:"end_session_endpoint"`
}

OpenIDConnectRPInitiatedLogoutDiscoveryOptions represents the discovery options specific to OpenID Connect RP-Initiated Logout 1.0.

To support OpenID Connect RP-Initiated Logout, the RP needs to obtain the RP-Initiated Logout related OP metadata. This OP metadata is normally obtained via the OP's Discovery response, as described in OpenID Connect Discovery 1.0, or MAY be learned via other mechanisms. This OpenID Provider Metadata parameter MUST be included in the Server's discovery responses when RP-Initiated Logout and Discovery are supported.

See Also:

OpenID Connect RP-Initiated Logout 1.0: https://openid.net/specs/openid-connect-rpinitiated-1_0.html

type OpenIDConnectSessionManagementDiscoveryOptions added in v4.38.0 

type OpenIDConnectSessionManagementDiscoveryOptions struct {
	/*
		REQUIRED. URL of an OP iframe that supports cross-origin communications for session state information with the
		RP Client, using the HTML5 postMessage API. This URL MUST use the https scheme and MAY contain port, path, and
		query parameter components. The page is loaded from an invisible iframe embedded in an RP page so that it can
		run in the OP's security context. It accepts postMessage requests from the relevant RP iframe and uses
		postMessage to post back the login status of the End-User at the OP.
	*/
	CheckSessionIFrame string `json:"check_session_iframe"`
}

OpenIDConnectSessionManagementDiscoveryOptions represents the discovery options specific to OpenID Connect 1.0 Session Management.

To support OpenID Connect Session Management, the RP needs to obtain the Session Management related OP metadata. This OP metadata is normally obtained via the OP's Discovery response, as described in OpenID Connect Discovery 1.0, or MAY be learned via other mechanisms. This OpenID Provider Metadata parameter MUST be included in the Server's discovery responses when Session Management and Discovery are supported.

See Also:

OpenID Connect 1.0 Session Management: https://openid.net/specs/openid-connect-session-1_0.html

type OpenIDConnectWellKnownClaims added in v4.38.0 

type OpenIDConnectWellKnownClaims struct {
	OpenIDConnectWellKnownSignedConfiguration

	jwt.RegisteredClaims
}

type OpenIDConnectWellKnownConfiguration added in v4.34.0 

type OpenIDConnectWellKnownConfiguration struct {
	OAuth2WellKnownConfiguration

	OpenIDConnectDiscoveryOptions
	*OpenIDConnectFrontChannelLogoutDiscoveryOptions
	*OpenIDConnectBackChannelLogoutDiscoveryOptions
	*OpenIDConnectSessionManagementDiscoveryOptions
	*OpenIDConnectRPInitiatedLogoutDiscoveryOptions
	*OpenIDConnectPromptCreateDiscoveryOptions
	*OpenIDConnectClientInitiatedBackChannelAuthFlowDiscoveryOptions
	*OpenIDConnectJWTSecuredAuthorizationResponseModeDiscoveryOptions
	*OpenIDFederationDiscoveryOptions
}

OpenIDConnectWellKnownConfiguration represents the well known discovery document specific to OpenID Connect.

func NewOpenIDConnectWellKnownConfiguration added in v4.35.0 

func NewOpenIDConnectWellKnownConfiguration(c *schema.IdentityProvidersOpenIDConnect) (config OpenIDConnectWellKnownConfiguration)

NewOpenIDConnectWellKnownConfiguration generates a new OpenIDConnectWellKnownConfiguration.

func (OpenIDConnectWellKnownConfiguration) Copy added in v4.38.0 

func (opts OpenIDConnectWellKnownConfiguration) Copy() (optsCopy OpenIDConnectWellKnownConfiguration)

Copy the values of the OpenIDConnectWellKnownConfiguration and return it as a new struct.

type OpenIDConnectWellKnownSignedConfiguration added in v4.38.0 

type OpenIDConnectWellKnownSignedConfiguration struct {
	OpenIDConnectWellKnownConfiguration

	/*
			A JWT containing metadata values about the authorization server as claims. This is a string value consisting of
		    the entire signed JWT. A "signed_metadata" metadata value SHOULD NOT appear as a claim in the JWT.
	*/
	SignedMetadata string `json:"signed_metadata,omitempty"`
}

type OpenIDFederationDiscoveryOptions added in v4.38.0 

type OpenIDFederationDiscoveryOptions struct {
	/*
		OPTIONAL. URL of the OP's federation-specific Dynamic Client Registration Endpoint. If the OP supports explicit
		client registration as described in Section 10.2, then this claim is REQUIRED.
	*/
	FederationRegistrationEndpoint string `json:"federation_registration_endpoint,omitempty"`

	/*
		REQUIRED. Array specifying the federation types supported. Federation-type values defined by this specification
		are automatic and explicit.
	*/
	ClientRegistrationTypesSupported []string `json:"client_registration_types_supported"`

	/*
		OPTIONAL. A JSON Object defining the client authentications supported for each endpoint. The endpoint names are
		defined in the IANA "OAuth Authorization Server Metadata" registry [IANA.OAuth.Parameters]. Other endpoints and
		authentication methods are possible if made recognizable according to established standards and not in conflict
		with the operating principles of this specification. In OpenID Connect Core, no client authentication is
		performed at the authentication endpoint. Instead, the request itself is authenticated. The OP maps information
		in the request (like the redirect_uri) to information it has gained on the client through static or dynamic
		registration. If the mapping is successful, the request can be processed. If the RP uses Automatic Registration,
		as defined in Section 10.1, the OP has no prior knowledge of the RP. Therefore, the OP must start by gathering
		information about the RP using the process outlined in Section 6. Once it has the RP's metadata, the OP can
		verify the request in the same way as if it had known the RP's metadata beforehand. To make the request
		verification more secure, we demand the use of a client authentication or verification method that proves that
		the RP is in possession of a key that appears in the RP's metadata.
	*/
	RequestAuthenticationMethodsSupported []string `json:"request_authentication_methods_supported,omitempty"`

	/*
		OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported for the signature on
		the JWT [RFC7519] used in the request_object contained in the request parameter of an authorization request or
		in the private_key_jwt of a pushed authorization request. This entry MUST be present if either of these
		authentication methods are specified in the request_authentication_methods_supported entry. No default
		algorithms are implied if this entry is omitted. Servers SHOULD support RS256. The value none MUST NOT be used.
	*/
	RequestAuthenticationSigningAlgValuesSupported []string `json:"request_authentication_signing_alg_values_supported,omitempty"`
}

type PARConfig added in v4.37.3 

type PARConfig struct {
	Require         bool
	URIPrefix       string
	ContextLifespan time.Duration
}

PARConfig holds specific oauthelia2.Configurator information for Pushed Authorization Requests.

type ProofKeyCodeExchangeConfig added in v4.37.3 

type ProofKeyCodeExchangeConfig struct {
	Enforce                   bool
	EnforcePublicClients      bool
	AllowPlainChallengeMethod bool
}

ProofKeyCodeExchangeConfig holds specific oauthelia2.Configurator information for PKCE.

type RFC8693Config added in v4.38.0 

type RFC8693Config struct {
	TokenTypes                map[string]oauthelia2.RFC8693TokenType
	DefaultRequestedTokenType string
}

type RefreshFlowScopeClient added in v4.38.0 

type RefreshFlowScopeClient interface {
	oauthelia2.Client

	GetRefreshFlowIgnoreOriginalGrantedScopes(ctx context.Context) (ignoreOriginalGrantedScopes bool)
}

RefreshFlowScopeClient is a client which can be customized to ignore scopes that were not originally granted.

type RegisteredClient added in v4.38.0 

type RegisteredClient struct {
	ID                   string
	Name                 string
	ClientSecret         *ClientSecretDigest
	RotatedClientSecrets []*ClientSecretDigest
	SectorIdentifierURI  *url.URL
	Public               bool

	RequirePushedAuthorizationRequests bool

	RequirePKCE                bool
	RequirePKCEChallengeMethod bool
	PKCEChallengeMethod        string

	Audience      []string
	Scopes        []string
	RedirectURIs  []string
	GrantTypes    []string
	ResponseTypes []string
	ResponseModes []oauthelia2.ResponseModeType

	Lifespans schema.IdentityProvidersOpenIDConnectLifespan

	AuthorizationSignedResponseAlg              string
	AuthorizationSignedResponseKeyID            string
	AuthorizationEncryptedResponseAlg           string
	AuthorizationEncryptedResponseEncryptionAlg string

	IDTokenSignedResponseAlg   string
	IDTokenSignedResponseKeyID string

	AccessTokenSignedResponseAlg   string
	AccessTokenSignedResponseKeyID string

	UserinfoSignedResponseAlg   string
	UserinfoSignedResponseKeyID string

	IntrospectionSignedResponseAlg   string
	IntrospectionSignedResponseKeyID string

	RequestObjectSigningAlg string

	TokenEndpointAuthMethod     string
	TokenEndpointAuthSigningAlg string

	RefreshFlowIgnoreOriginalGrantedScopes  bool
	AllowMultipleAuthenticationMethods      bool
	ClientCredentialsFlowAllowImplicitScope bool

	AuthorizationPolicy ClientAuthorizationPolicy

	ConsentPolicy         ClientConsentPolicy
	RequestedAudienceMode ClientRequestedAudienceMode

	RequestURIs    []string
	JSONWebKeys    *jose.JSONWebKeySet
	JSONWebKeysURI *url.URL
}

RegisteredClient represents a registered client.

func (*RegisteredClient) GetAccessTokenSignedResponseAlg added in v4.38.0 

func (c *RegisteredClient) GetAccessTokenSignedResponseAlg() (alg string)

GetAccessTokenSignedResponseAlg returns the AccessTokenSignedResponseAlg.

func (*RegisteredClient) GetAccessTokenSignedResponseKeyID added in v4.38.0 

func (c *RegisteredClient) GetAccessTokenSignedResponseKeyID() (kid string)

GetAccessTokenSignedResponseKeyID returns the AccessTokenSignedResponseKeyID.

func (*RegisteredClient) GetAllowMultipleAuthenticationMethods added in v4.38.0 

func (c *RegisteredClient) GetAllowMultipleAuthenticationMethods() (allow bool)

func (*RegisteredClient) GetAudience added in v4.38.0 

func (c *RegisteredClient) GetAudience() (audience oauthelia2.Arguments)

GetAudience returns the Audience.

func (*RegisteredClient) GetAuthorizationEncryptedResponseAlg added in v4.38.0 

func (c *RegisteredClient) GetAuthorizationEncryptedResponseAlg() (alg string)

func (*RegisteredClient) GetAuthorizationEncryptedResponseEncryptionAlg added in v4.38.0 

func (c *RegisteredClient) GetAuthorizationEncryptedResponseEncryptionAlg() (alg string)

func (*RegisteredClient) GetAuthorizationPolicy added in v4.38.0 

func (c *RegisteredClient) GetAuthorizationPolicy() (policy ClientAuthorizationPolicy)

GetAuthorizationPolicy returns the ClientAuthorizationPolicy from the Policy.

func (*RegisteredClient) GetAuthorizationPolicyRequiredLevel added in v4.38.0 

func (c *RegisteredClient) GetAuthorizationPolicyRequiredLevel(subject authorization.Subject) (level authorization.Level)

GetAuthorizationPolicyRequiredLevel returns the required authorization.Level given an authorization.Subject.

func (*RegisteredClient) GetAuthorizationSignedResponseAlg added in v4.38.0 

func (c *RegisteredClient) GetAuthorizationSignedResponseAlg() (alg string)

GetAuthorizationSignedResponseAlg returns the AuthorizationSignedResponseAlg.

func (*RegisteredClient) GetAuthorizationSignedResponseKeyID added in v4.38.0 

func (c *RegisteredClient) GetAuthorizationSignedResponseKeyID() (kid string)

GetAuthorizationSignedResponseKeyID returns the AuthorizationSignedResponseKeyID.

func (*RegisteredClient) GetClientCredentialsFlowRequestedScopeImplicit added in v4.38.0 

func (c *RegisteredClient) GetClientCredentialsFlowRequestedScopeImplicit() (allow bool)

func (*RegisteredClient) GetClientSecret added in v4.38.0 

func (c *RegisteredClient) GetClientSecret() (secret oauthelia2.ClientSecret)

GetClientSecret returns the oauth2.ClientSecret.

func (*RegisteredClient) GetConsentPolicy added in v4.38.0 

func (c *RegisteredClient) GetConsentPolicy() (policy ClientConsentPolicy)

GetConsentPolicy returns Consent.

func (*RegisteredClient) GetConsentResponseBody added in v4.38.0 

func (c *RegisteredClient) GetConsentResponseBody(consent *model.OAuth2ConsentSession) ConsentGetResponseBody

GetConsentResponseBody returns the proper consent response body for this session.OIDCWorkflowSession.

func (*RegisteredClient) GetEffectiveLifespan added in v4.38.0 

func (c *RegisteredClient) GetEffectiveLifespan(gt oauthelia2.GrantType, tt oauthelia2.TokenType, fallback time.Duration) time.Duration

GetEffectiveLifespan returns the effective lifespan for a grant type and token type otherwise returns the fallback value. This implements the oauthelia2.ClientWithCustomTokenLifespans interface.

func (*RegisteredClient) GetEnableJWTProfileOAuthAccessTokens added in v4.38.0 

func (c *RegisteredClient) GetEnableJWTProfileOAuthAccessTokens() (enable bool)

GetEnableJWTProfileOAuthAccessTokens returns true if this client is configured to return the RFC9068 JWT Profile for OAuth 2.0 Access Tokens.

func (*RegisteredClient) GetEnforcePKCE added in v4.38.0 

func (c *RegisteredClient) GetEnforcePKCE() (enforce bool)

GetEnforcePKCE returns RequirePKCE.

func (*RegisteredClient) GetEnforcePKCEChallengeMethod added in v4.38.0 

func (c *RegisteredClient) GetEnforcePKCEChallengeMethod() (enforce bool)

GetEnforcePKCEChallengeMethod returns RequirePKCEChallengeMethod.

func (*RegisteredClient) GetGrantTypes added in v4.38.0 

func (c *RegisteredClient) GetGrantTypes() (types oauthelia2.Arguments)

GetGrantTypes returns the GrantTypes.

func (*RegisteredClient) GetID added in v4.38.0 

func (c *RegisteredClient) GetID() string

GetID returns the ID for the client.

func (*RegisteredClient) GetIDTokenSignedResponseAlg added in v4.38.0 

func (c *RegisteredClient) GetIDTokenSignedResponseAlg() (alg string)

GetIDTokenSignedResponseAlg returns the IDTokenSignedResponseAlg.

func (*RegisteredClient) GetIDTokenSignedResponseKeyID added in v4.38.0 

func (c *RegisteredClient) GetIDTokenSignedResponseKeyID() (kid string)

GetIDTokenSignedResponseKeyID returns the IDTokenSignedResponseKeyID.

func (*RegisteredClient) GetIntrospectionSignedResponseAlg added in v4.38.0 

func (c *RegisteredClient) GetIntrospectionSignedResponseAlg() (alg string)

GetIntrospectionSignedResponseAlg returns the IntrospectionSignedResponseAlg.

func (*RegisteredClient) GetIntrospectionSignedResponseKeyID added in v4.38.0 

func (c *RegisteredClient) GetIntrospectionSignedResponseKeyID() (alg string)

GetIntrospectionSignedResponseKeyID returns the IntrospectionSignedResponseKeyID.

func (*RegisteredClient) GetJSONWebKeys added in v4.38.0 

func (c *RegisteredClient) GetJSONWebKeys() (keys *jose.JSONWebKeySet)

GetJSONWebKeys returns the JSON Web Key Set containing the public key used by the client to authenticate.

func (*RegisteredClient) GetJSONWebKeysURI added in v4.38.0 

func (c *RegisteredClient) GetJSONWebKeysURI() (uri string)

GetJSONWebKeysURI returns the URL for lookup of JSON Web Key Set containing the public key used by the client to authenticate.

func (*RegisteredClient) GetName added in v4.38.0 

func (c *RegisteredClient) GetName() (name string)

GetName returns the Name for the client.

func (*RegisteredClient) GetPKCEChallengeMethod added in v4.38.0 

func (c *RegisteredClient) GetPKCEChallengeMethod() (method string)

GetPKCEChallengeMethod returns PKCEChallengeMethod.

func (*RegisteredClient) GetPushedAuthorizeContextLifespan added in v4.38.0 

func (c *RegisteredClient) GetPushedAuthorizeContextLifespan() (lifespan time.Duration)

GetPushedAuthorizeContextLifespan should return a custom lifespan or a duration of 0 seconds to utilize the global lifespan.

func (*RegisteredClient) GetRedirectURIs added in v4.38.0 

func (c *RegisteredClient) GetRedirectURIs() (redirectURIs []string)

GetRedirectURIs returns the RedirectURIs.

func (*RegisteredClient) GetRefreshFlowIgnoreOriginalGrantedScopes added in v4.38.0 

func (c *RegisteredClient) GetRefreshFlowIgnoreOriginalGrantedScopes(ctx context.Context) (ignore bool)

GetRefreshFlowIgnoreOriginalGrantedScopes returns the value which indicates if the client should ignore the originally granted scopes when the scope parameter is present. The specification requires that this is always false, however some misbehaving clients may need this option.

func (*RegisteredClient) GetRequestObjectSigningAlg added in v4.38.0 

func (c *RegisteredClient) GetRequestObjectSigningAlg() (alg string)

GetRequestObjectSigningAlg returns the JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm.

func (*RegisteredClient) GetRequestURIs added in v4.38.0 

func (c *RegisteredClient) GetRequestURIs() (uris []string)

GetRequestURIs is an array of request_uri values that are pre-registered by the RP for use at the OP. Servers MAY cache the contents of the files referenced by these URIs and not retrieve them at the time they are used in a request. OPs can require that request_uri values used be pre-registered with the require_request_uri_registration discovery parameter.

func (*RegisteredClient) GetRequestedAudienceImplicit added in v4.38.0 

func (c *RegisteredClient) GetRequestedAudienceImplicit() (implicit bool)

func (*RegisteredClient) GetRequirePushedAuthorizationRequests added in v4.38.0 

func (c *RegisteredClient) GetRequirePushedAuthorizationRequests() (require bool)

GetRequirePushedAuthorizationRequests should return true if this client MUST use a Pushed Authorization Request.

func (*RegisteredClient) GetResponseModes added in v4.38.0 

func (c *RegisteredClient) GetResponseModes() (modes []oauthelia2.ResponseModeType)

GetResponseModes returns the valid response modes for this client.

Implements the oauthelia2.ResponseModeClient.

func (*RegisteredClient) GetResponseTypes added in v4.38.0 

func (c *RegisteredClient) GetResponseTypes() (types oauthelia2.Arguments)

GetResponseTypes returns the ResponseTypes.

func (*RegisteredClient) GetRevokeRefreshTokensExplicit added in v4.38.0 

func (c *RegisteredClient) GetRevokeRefreshTokensExplicit(ctx context.Context) (explicit bool)

func (*RegisteredClient) GetRotatedClientSecrets added in v4.38.0 

func (c *RegisteredClient) GetRotatedClientSecrets() (secrets []oauthelia2.ClientSecret)

GetRotatedClientSecrets returns the rotated oauth2.ClientSecret values.

func (*RegisteredClient) GetScopes added in v4.38.0 

func (c *RegisteredClient) GetScopes() (scopes oauthelia2.Arguments)

GetScopes returns the Scopes.

func (*RegisteredClient) GetSectorIdentifierURI added in v4.38.0 

func (c *RegisteredClient) GetSectorIdentifierURI() (sector string)

GetSectorIdentifierURI returns the SectorIdentifier for this client.

func (*RegisteredClient) GetTokenEndpointAuthMethod added in v4.38.0 

func (c *RegisteredClient) GetTokenEndpointAuthMethod() (method string)

GetTokenEndpointAuthMethod returns the requested Client Authentication Method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none.

func (*RegisteredClient) GetTokenEndpointAuthSigningAlg added in v4.38.0 

func (c *RegisteredClient) GetTokenEndpointAuthSigningAlg() (alg string)

GetTokenEndpointAuthSigningAlg returns the JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods.

func (*RegisteredClient) GetUserinfoSignedResponseAlg added in v4.38.0 

func (c *RegisteredClient) GetUserinfoSignedResponseAlg() (alg string)

GetUserinfoSignedResponseAlg returns the UserinfoSignedResponseAlg.

func (*RegisteredClient) GetUserinfoSignedResponseKeyID added in v4.38.0 

func (c *RegisteredClient) GetUserinfoSignedResponseKeyID() (kid string)

GetUserinfoSignedResponseKeyID returns the UserinfoSignedResponseKeyID.

func (*RegisteredClient) IsAuthenticationLevelSufficient added in v4.38.0 

func (c *RegisteredClient) IsAuthenticationLevelSufficient(level authentication.Level, subject authorization.Subject) (sufficient bool)

IsAuthenticationLevelSufficient returns if the provided authentication.Level is sufficient for the client of the AutheliaClient.

func (*RegisteredClient) IsPublic added in v4.38.0 

func (c *RegisteredClient) IsPublic() (public bool)

IsPublic returns the value of the Public property.

func (*RegisteredClient) SetJSONWebKeys added in v4.38.0 

func (c *RegisteredClient) SetJSONWebKeys(jwks *jose.JSONWebKeySet)

SetJSONWebKeys sets the JSON Web Key Set containing the public key used by the client to authenticate.

func (*RegisteredClient) ValidateResponseModePolicy added in v4.38.0 

func (c *RegisteredClient) ValidateResponseModePolicy(r oauthelia2.AuthorizeRequester) (err error)

ValidateResponseModePolicy is an additional check to the response mode parameter to ensure if it's omitted that the default response mode for the oauthelia2.AuthorizeRequester is permitted.

type Session added in v4.38.0 

type Session struct {
	*openid.DefaultSession `json:"id_token"`

	ChallengeID           uuid.NullUUID  `json:"challenge_id"`
	KID                   string         `json:"kid"`
	ClientID              string         `json:"client_id"`
	ClientCredentials     bool           `json:"client_credentials"`
	ExcludeNotBeforeClaim bool           `json:"exclude_nbf_claim"`
	AllowedTopLevelClaims []string       `json:"allowed_top_level_claims"`
	Extra                 map[string]any `json:"extra"`
}

Session holds OpenID Connect 1.0 Session information.

func NewSession added in v4.34.5 

func NewSession() (session *Session)

NewSession creates a new empty OpenIDSession struct.

func NewSessionWithAuthorizeRequest added in v4.34.5 

func NewSessionWithAuthorizeRequest(ctx Context, issuer *url.URL, kid, username string, amr []string, extra map[string]any,
	authTime time.Time, consent *model.OAuth2ConsentSession, requester oauthelia2.AuthorizeRequester) (session *Session)

NewSessionWithAuthorizeRequest uses details from an AuthorizeRequester to generate an OpenIDSession.

func (*Session) Clone added in v4.38.0 

func (s *Session) Clone() oauthelia2.Session

Clone copies the OpenIDSession to a new oauthelia2.Session.

func (*Session) GetChallengeID added in v4.38.0 

func (s *Session) GetChallengeID() uuid.NullUUID

GetChallengeID returns the challenge id.

func (*Session) GetExtraClaims added in v4.38.0 

func (s *Session) GetExtraClaims() map[string]any

GetExtraClaims returns the Extra/Unregistered claims for this session.

func (*Session) GetIDTokenClaims added in v4.38.0 

func (s *Session) GetIDTokenClaims() *jwt.IDTokenClaims

GetIDTokenClaims returns the *jwt.IDTokenClaims for this session.

func (*Session) GetJWTClaims added in v4.38.0 

func (s *Session) GetJWTClaims() jwt.JWTClaimsContainer

GetJWTClaims returns the jwt.JWTClaimsContainer for the OAuth 2.0 JWT Profile Access Tokens.

func (*Session) GetJWTHeader added in v4.38.0 

func (s *Session) GetJWTHeader() (headers *jwt.Headers)

GetJWTHeader returns the *jwt.Headers for the OAuth 2.0 JWT Profile Access Token.

type Signer added in v4.38.0 

type Signer struct {
	GetPrivateKey fjwt.GetPrivateKeyFunc
	// contains filtered or unexported fields
}

Signer is responsible for generating and validating JWT challenges.

func (*Signer) Decode added in v4.38.0 

func (j *Signer) Decode(ctx context.Context, tokenString string) (token *fjwt.Token, err error)

Decode will decode a JWT token.

func (*Signer) Generate added in v4.38.0 

func (j *Signer) Generate(ctx context.Context, claims fjwt.MapClaims, header fjwt.Mapper) (tokenString string, sig string, err error)

Generate generates a new authorize code or returns an error. set secret.

func (*Signer) GetPublicKey added in v4.38.0 

func (j *Signer) GetPublicKey(ctx context.Context) (key crypto.PublicKey, err error)

GetPublicKey returns the PublicKey for this Signer.

func (*Signer) GetSignature added in v4.38.0 

func (j *Signer) GetSignature(ctx context.Context, tokenString string) (sig string, err error)

GetSignature will return the signature of a token.

func (*Signer) GetSigningMethodLength added in v4.38.0 

func (j *Signer) GetSigningMethodLength(ctx context.Context) (size int)

GetSigningMethodLength will return the length of the signing method.

func (*Signer) Hash added in v4.38.0 

func (j *Signer) Hash(ctx context.Context, in []byte) (sum []byte, err error)

Hash will return a given hash based on the byte input or an error upon fail.

func (*Signer) Validate added in v4.38.0 

func (j *Signer) Validate(ctx context.Context, tokenString string) (sig string, err error)

Validate validates a token and returns its signature or an error if the token is not valid.

type SortedJSONWebKey added in v4.38.0 

type SortedJSONWebKey []jose.JSONWebKey

func (SortedJSONWebKey) Len added in v4.38.0 

func (jwks SortedJSONWebKey) Len() int

func (SortedJSONWebKey) Less added in v4.38.0 

func (jwks SortedJSONWebKey) Less(i, j int) bool

func (SortedJSONWebKey) Swap added in v4.38.0 

func (jwks SortedJSONWebKey) Swap(i, j int)

type SortedSigningAlgs added in v4.38.0 

type SortedSigningAlgs []string

SortedSigningAlgs is a sorting type which allows the use of sort.Sort to order a list of OAuth 2.0 Signing Algs. Sorting occurs in the order of from within the RFC's.

func (SortedSigningAlgs) Len added in v4.38.0 

func (algs SortedSigningAlgs) Len() int

func (SortedSigningAlgs) Less added in v4.38.0 

func (algs SortedSigningAlgs) Less(i, j int) bool

func (SortedSigningAlgs) Swap added in v4.38.0 

func (algs SortedSigningAlgs) Swap(i, j int)

type Store added in v4.37.0 

type Store struct {
	ClientStore
	// contains filtered or unexported fields
}

Store is Authelia's internal representation of the oauthelia2.Storage interface. It maps the following interfaces to the storage.Provider interface: oauthelia2.Storage, oauthelia2.ClientManager, storage.Transactional, oauth2.AuthorizeCodeStorage, oauth2.AccessTokenStorage, oauth2.RefreshTokenStorage, oauth2.TokenRevocationStorage, pkce.PKCERequestStorage, openid.OpenIDConnectRequestStorage, and partially implements rfc7523.RFC7523KeyStorage.

func NewStore added in v4.37.3 

func NewStore(config *schema.IdentityProvidersOpenIDConnect, provider storage.Provider) (store *Store)

NewStore returns a Store when provided with a schema.OpenIDConnect and storage.Provider.

func (*Store) BeginTX added in v4.37.0 

func (s *Store) BeginTX(ctx context.Context) (c context.Context, err error)

BeginTX starts a transaction. This implements a portion of fosite storage.Transactional interface.

func (*Store) ClientAssertionJWTValid added in v4.37.0 

func (s *Store) ClientAssertionJWTValid(ctx context.Context, jti string) (err error)

ClientAssertionJWTValid returns an error if the JTI is known or the DB check failed and nil if the JTI is not known. This implements a portion of oauthelia2.ClientManager.

func (*Store) Commit added in v4.37.0 

func (s *Store) Commit(ctx context.Context) (err error)

Commit completes a transaction. This implements a portion of fosite storage.Transactional interface.

func (*Store) CreateAccessTokenSession added in v4.37.0 

func (s *Store) CreateAccessTokenSession(ctx context.Context, signature string, request oauthelia2.Requester) (err error)

CreateAccessTokenSession stores the authorization request for a given access token. This implements a portion of oauth2.AccessTokenStorage.

func (*Store) CreateAuthorizeCodeSession added in v4.37.0 

func (s *Store) CreateAuthorizeCodeSession(ctx context.Context, code string, request oauthelia2.Requester) (err error)

CreateAuthorizeCodeSession stores the authorization request for a given authorization code. This implements a portion of oauth2.AuthorizeCodeStorage.

func (*Store) CreateOpenIDConnectSession added in v4.37.0 

func (s *Store) CreateOpenIDConnectSession(ctx context.Context, authorizeCode string, request oauthelia2.Requester) (err error)

CreateOpenIDConnectSession creates an OpenID Connect 1.0 connect session for a given authorize code. This is relevant for explicit OpenID Connect 1.0 flow. This implements a portion of openid.OpenIDConnectRequestStorage.

func (*Store) CreatePARSession added in v4.38.0 

func (s *Store) CreatePARSession(ctx context.Context, requestURI string, request oauthelia2.AuthorizeRequester) (err error)

CreatePARSession stores the pushed authorization request context. The requestURI is used to derive the key. This implements a portion of oauthelia2.PARStorage.

func (*Store) CreatePKCERequestSession added in v4.37.0 

func (s *Store) CreatePKCERequestSession(ctx context.Context, signature string, request oauthelia2.Requester) (err error)

CreatePKCERequestSession stores the authorization request for a given PKCE request. This implements a portion of pkce.PKCERequestStorage.

func (*Store) CreateRefreshTokenSession added in v4.37.0 

func (s *Store) CreateRefreshTokenSession(ctx context.Context, signature string, request oauthelia2.Requester) (err error)

CreateRefreshTokenSession stores the authorization request for a given refresh token. This implements a portion of oauth2.RefreshTokenStorage.

func (*Store) DeleteAccessTokenSession added in v4.37.0 

func (s *Store) DeleteAccessTokenSession(ctx context.Context, signature string) (err error)

DeleteAccessTokenSession marks an access token session as deleted. This implements a portion of oauth2.AccessTokenStorage.

func (*Store) DeleteOpenIDConnectSession added in v4.37.0 

func (s *Store) DeleteOpenIDConnectSession(ctx context.Context, authorizeCode string) (err error)

DeleteOpenIDConnectSession just implements the method required by fosite even though it's unused. This implements a portion of openid.OpenIDConnectRequestStorage.

func (*Store) DeletePARSession added in v4.38.0 

func (s *Store) DeletePARSession(ctx context.Context, requestURI string) (err error)

DeletePARSession deletes the context. This implements a portion of oauthelia2.PARStorage.

func (*Store) DeletePKCERequestSession added in v4.37.0 

func (s *Store) DeletePKCERequestSession(ctx context.Context, signature string) (err error)

DeletePKCERequestSession marks the authorization request for a given PKCE request as deleted. This implements a portion of pkce.PKCERequestStorage.

func (*Store) DeleteRefreshTokenSession added in v4.37.0 

func (s *Store) DeleteRefreshTokenSession(ctx context.Context, signature string) (err error)

DeleteRefreshTokenSession marks the authorization request for a given refresh token as deleted. This implements a portion of oauth2.RefreshTokenStorage.

func (*Store) GenerateOpaqueUserID added in v4.37.0 

func (s *Store) GenerateOpaqueUserID(ctx context.Context, sectorID, username string) (opaqueID *model.UserOpaqueIdentifier, err error)

GenerateOpaqueUserID either retrieves or creates an opaque user id from a sectorID and username.

func (*Store) GetAccessTokenSession added in v4.37.0 

func (s *Store) GetAccessTokenSession(ctx context.Context, signature string, session oauthelia2.Session) (request oauthelia2.Requester, err error)

GetAccessTokenSession gets the authorization request for a given access token. This implements a portion of oauth2.AccessTokenStorage.

func (*Store) GetAuthorizeCodeSession added in v4.37.0 

func (s *Store) GetAuthorizeCodeSession(ctx context.Context, code string, session oauthelia2.Session) (request oauthelia2.Requester, err error)

GetAuthorizeCodeSession hydrates the session based on the given code and returns the authorization request. If the authorization code has been invalidated with `InvalidateAuthorizeCodeSession`, this method should return the ErrInvalidatedAuthorizeCode error. Make sure to also return the oauthelia2.Requester value when returning the oauthelia2.ErrInvalidatedAuthorizeCode error! This implements a portion of oauth2.AuthorizeCodeStorage.

func (*Store) GetClient added in v4.37.0 

func (s *Store) GetClient(ctx context.Context, id string) (client oauthelia2.Client, err error)

GetClient loads the client by its ID or returns an error if the client does not exist or another error occurred. This implements a portion of oauthelia2.ClientManager.

func (*Store) GetOpenIDConnectSession added in v4.37.0 

func (s *Store) GetOpenIDConnectSession(ctx context.Context, authorizeCode string, request oauthelia2.Requester) (r oauthelia2.Requester, err error)

GetOpenIDConnectSession returns error: - nil if a session was found, - ErrNoSessionFound if no session was found - or an arbitrary error if an error occurred. This implements a portion of openid.OpenIDConnectRequestStorage.

func (*Store) GetPARSession added in v4.38.0 

func (s *Store) GetPARSession(ctx context.Context, requestURI string) (request oauthelia2.AuthorizeRequester, err error)

GetPARSession gets the push authorization request context. The caller is expected to merge the AuthorizeRequest. This implements a portion of oauthelia2.PARStorage.

func (*Store) GetPKCERequestSession added in v4.37.0 

func (s *Store) GetPKCERequestSession(ctx context.Context, signature string, session oauthelia2.Session) (requester oauthelia2.Requester, err error)

GetPKCERequestSession gets the authorization request for a given PKCE request. This implements a portion of pkce.PKCERequestStorage.

func (*Store) GetRefreshTokenSession added in v4.37.0 

func (s *Store) GetRefreshTokenSession(ctx context.Context, signature string, session oauthelia2.Session) (request oauthelia2.Requester, err error)

GetRefreshTokenSession gets the authorization request for a given refresh token. This implements a portion of oauth2.RefreshTokenStorage.

func (*Store) GetSubject added in v4.37.0 

func (s *Store) GetSubject(ctx context.Context, sectorID, username string) (subject uuid.UUID, err error)

GetSubject returns a subject UUID for a username. If it exists, it returns the existing one, otherwise it creates and saves it.

func (*Store) InvalidateAuthorizeCodeSession added in v4.37.0 

func (s *Store) InvalidateAuthorizeCodeSession(ctx context.Context, code string) (err error)

InvalidateAuthorizeCodeSession is called when an authorize code is being used. The state of the authorization code should be set to invalid and consecutive requests to GetAuthorizeCodeSession should return the ErrInvalidatedAuthorizeCode error. This implements a portion of oauth2.AuthorizeCodeStorage.

func (*Store) IsJWTUsed added in v4.37.0 

func (s *Store) IsJWTUsed(ctx context.Context, jti string) (used bool, err error)

IsJWTUsed implements an interface required for RFC7523.

func (*Store) IsValidClientID added in v4.37.0 

func (s *Store) IsValidClientID(ctx context.Context, id string) (valid bool)

IsValidClientID returns true if the provided id exists in the OpenIDConnectProvider.Clients map.

func (*Store) MarkJWTUsedForTime added in v4.37.0 

func (s *Store) MarkJWTUsedForTime(ctx context.Context, jti string, exp time.Time) (err error)

MarkJWTUsedForTime implements an interface required for rfc7523.RFC7523KeyStorage.

func (*Store) RevokeAccessToken added in v4.37.0 

func (s *Store) RevokeAccessToken(ctx context.Context, requestID string) (err error)

RevokeAccessToken revokes an access token as specified in: https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well. This implements a portion of oauth2.TokenRevocationStorage.

func (*Store) RevokeRefreshToken added in v4.37.0 

func (s *Store) RevokeRefreshToken(ctx context.Context, requestID string) (err error)

RevokeRefreshToken revokes a refresh token as specified in: https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 If the particular token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant (see Implementation Note). This implements a portion of oauth2.TokenRevocationStorage.

func (*Store) RevokeRefreshTokenMaybeGracePeriod added in v4.37.0 

func (s *Store) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) (err error)

RevokeRefreshTokenMaybeGracePeriod revokes an access token as specified in: https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well. This implements a portion of oauth2.TokenRevocationStorage.

func (*Store) Rollback added in v4.37.0 

func (s *Store) Rollback(ctx context.Context) (err error)

Rollback rolls a transaction back. This implements a portion of fosite storage.Transactional interface.

func (*Store) SetClientAssertionJWT added in v4.37.0 

func (s *Store) SetClientAssertionJWT(ctx context.Context, jti string, exp time.Time) (err error)

SetClientAssertionJWT marks a JTI as known for the given expiry time. Before inserting the new JTI, it will clean up any existing JTIs that have expired as those tokens can not be replayed due to the expiry. This implements a portion of oauthelia2.ClientManager.

type StrategyConfig added in v4.37.3 

type StrategyConfig struct {
	Core                 oauth2.CoreStrategy
	OpenID               openid.OpenIDConnectTokenStrategy
	Audience             oauthelia2.AudienceMatchingStrategy
	Scope                oauthelia2.ScopeStrategy
	JWKSFetcher          oauthelia2.JWKSFetcherStrategy
	ClientAuthentication oauthelia2.ClientAuthenticationStrategy
}

StrategyConfig holds specific oauthelia2.Configurator information for various strategies.

type UserDetailer added in v4.38.7 

type UserDetailer interface {
	GetUsername() (username string)
	GetGroups() (groups []string)
	GetDisplayName() (name string)
	GetEmails() (emails []string)
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.