Constants ¶
// Values of the OpenID Connect `prompt` authorization-request parameter (OIDC Core 1.0 §3.1.2.1)
// recognised by this package. Only `none` and `login` are defined here; the spec's `consent` and
// `select_account` values are not, so confirm how the authorize-request processor treats them
// (ignore vs. reject) before relying on either.
const (
	// PromptNone: the OP must not show any login or consent UI. Per spec an OP that cannot satisfy
	// the request silently answers with an error such as login_required / interaction_required
	// (see the New*RequiredError constructors in this package) rather than prompting.
	PromptNone = `none`
	// PromptLogin: the OP should re-authenticate the end user even if a session already exists.
	PromptLogin = `login`
)
// Values of the OpenID Connect `display` authorization-request parameter (OIDC Core 1.0 §3.1.2.1).
// These are the only two advertised in OPMetadataOptionalSpecs under display_values_supported.
const (
	// DisplayPage: render the authentication/consent UI as a full user-agent page.
	DisplayPage = `page`
	// PromptTouch is the `display=touch` value despite its name — it is a display mode, not a
	// prompt mode (SupportedDisplayMode in this package groups it with DisplayPage).
	// NOTE(review): misnamed; a DisplayTouch alias with PromptTouch kept as a deprecated name
	// would be the backward-compatible fix.
	PromptTouch = `touch`
)
// JSON member names of the OpenID Provider metadata document served from the discovery endpoint
// (see WellKnownEndpointOPConfig). All but the last are defined by OpenID Connect Discovery 1.0
// §3; end_session_endpoint comes from OIDC RP-Initiated Logout / Session Management.
// The values are wire-format keys and must not be changed.
const (
	// Issuer identifier. Relying parties MUST compare this against the URL they fetched the
	// document from and against the `iss` claim of every ID Token (Discovery §4.3).
	OPMetadataIssuer = "issuer"

	// Endpoint locations.
	OPMetadataAuthEndpoint       = "authorization_endpoint"
	OPMetadataTokenEndpoint      = "token_endpoint"
	OPMetadataUserInfoEndpoint   = "userinfo_endpoint"
	OPMetadataJwkSetURI          = "jwks_uri"
	OPMetadataRegEndpoint        = "registration_endpoint"

	// Capability lists.
	OPMetadataScopes        = "scopes_supported"
	OPMetadataResponseTypes = "response_types_supported"
	OPMetadataResponseModes = "response_modes_supported"
	OPMetadataGrantTypes    = "grant_types_supported"
	OPMetadataACRValues     = "acr_values_supported"
	OPMetadataSubjectTypes  = "subject_types_supported"

	// Signing (JWS) and encryption (JWE alg / enc) algorithms for ID Tokens, UserInfo responses
	// and request objects. What is advertised here is what clients will negotiate; see
	// OPMetadataBasicSpecs / OPMetadataOptionalSpecs for the values actually published.
	OPMetadataIdTokenJwsAlg  = "id_token_signing_alg_values_supported"
	OPMetadataIdTokenJweAlg  = "id_token_encryption_alg_values_supported"
	OPMetadataIdTokenJweEnc  = "id_token_encryption_enc_values_supported"
	OPMetadataUserInfoJwsAlg = "userinfo_signing_alg_values_supported"
	OPMetadataUserInfoJweAlg = "userinfo_encryption_alg_values_supported"
	OPMetadataUserInfoJweEnc = "userinfo_encryption_enc_values_supported"
	OPMetadataRequestJwsAlg  = "request_object_signing_alg_values_supported"
	OPMetadataRequestJweAlg  = "request_object_encryption_alg_values_supported"
	OPMetadataRequestJweEnc  = "request_object_encryption_enc_values_supported"

	// Token-endpoint client authentication.
	OPMetadataClientAuthMethod = "token_endpoint_auth_methods_supported"
	OPMetadataAuthJwsAlg       = "token_endpoint_auth_signing_alg_values_supported"

	// Miscellaneous capabilities and documentation links.
	OPMetadataDisplayValues         = "display_values_supported"
	OPMetadataClaimTypes            = "claim_types_supported"
	OPMetadataClaims                = "claims_supported"
	OPMetadataServiceDocs           = "service_documentation"
	OPMetadataClaimsLocales         = "claims_locales_supported"
	OPMetadataUILocales             = "ui_locales_supported"
	OPMetadataClaimsParams          = "claims_parameter_supported"
	OPMetadataRequestParams         = "request_parameter_supported"
	OPMetadataRequestUriParams      = "request_uri_parameter_supported"
	OPMetadataRequiresRequestUriReg = "require_request_uri_registration"
	OPMetadataPolicyUri             = "op_policy_uri"
	OPMetadataTosUri                = "op_tos_uri"

	// RP-initiated logout endpoint (not part of Discovery 1.0 core).
	OPMetadataEndSessionEndpoint = "end_session_endpoint"
)
See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
// Error codes for OIDC RP-initiated logout (single logout, "SLO"). They are the codes behind
// ErrorOidcSloRp (rendered with HTTP 400) and ErrorOidcSloOp (rendered with HTTP 500).
// NOTE(review): as rendered here neither constant has an initializer, which would not compile;
// godoc has most likely hidden a preceding blank/unexported iota entry — confirm against the source.
const (
	// ErrorCodeOidcSloRp: the logout request sent by the relying party was invalid (client error).
	ErrorCodeOidcSloRp
	// ErrorCodeOidcSloOp: the provider failed while processing the logout (server error).
	ErrorCodeOidcSloOp
)
const (
	// ErrorSubTypeCodeOidcSlo non-programming error that can occur during oidc RP initiated logout.
	// The sub-type code is derived from the OIDC error type code by shifting iota into the sub-type
	// bit range. NOTE(review): if this really is the first entry of its block then iota is 0 and
	// the sub-type code collapses onto security.ErrorTypeCodeOidc itself; godoc may have hidden an
	// earlier entry — confirm the intended offset in the source.
	ErrorSubTypeCodeOidcSlo = security.ErrorTypeCodeOidc + iota<<errorutils.ErrorSubTypeOffset
)
const (
	// OPMetaExtraSourceIDPManager is the lookup key for the identity-provider manager used as an
	// extra source when building OP metadata. Which registry it indexes is not visible here —
	// presumably an options/context map consumed by the metadata builder; confirm in source.
	OPMetaExtraSourceIDPManager = "idpManager"
)
const (
	// WellKnownEndpointOPConfig is the OpenID Connect Discovery path (Discovery 1.0 §4, RFC 8414)
	// at which the OP metadata document is served. Per spec it is resolved relative to the issuer
	// URL, so deployments that serve the issuer under a path prefix must keep the two consistent —
	// relying parties reject documents whose `issuer` does not match the fetch location.
	WellKnownEndpointOPConfig = `/.well-known/openid-configuration`
)
Variables ¶
var (
	// SupportedGrantTypes is the set of grant types this package's OpenID handling applies to
	// (presumably consulted by OpenIDAuthorizeRequestProcessor / OpenIDTokenEnhancer — confirm).
	// It is narrower than the grant_types_supported list published in OPMetadataBasicSpecs, which
	// also advertises client_credentials, refresh_token and the SAML SSO grant.
	// NOTE(review): the implicit and resource-owner-password grants are deprecated by the OAuth 2.0
	// Security BCP (RFC 9700) and removed in OAuth 2.1; keeping them enabled is a deliberate
	// compatibility choice that should be documented and, ideally, gated per client.
	SupportedGrantTypes = utils.NewStringSet(
		oauth2.GrantTypeAuthCode,
		oauth2.GrantTypeImplicit,
		oauth2.GrantTypePassword,
		oauth2.GrantTypeSwitchUser,
		oauth2.GrantTypeSwitchTenant,
	)
	// SupportedDisplayMode lists the accepted `display` parameter values (PromptTouch is the
	// `touch` display mode despite its name).
	SupportedDisplayMode = utils.NewStringSet(DisplayPage, PromptTouch)
	// FullIdTokenGrantTypes: grant types for which, going by the name, the ID Token is issued with
	// the full claim set rather than the minimal one. These are exactly the non-redirect grants,
	// where no separate UserInfo round-trip is expected. Confirm what "full" covers — IdTokenClaims
	// includes roles, permissions and tenant data, so this widens what a client learns.
	FullIdTokenGrantTypes = utils.NewStringSet(
		oauth2.GrantTypePassword,
		oauth2.GrantTypeSwitchUser,
		oauth2.GrantTypeSwitchTenant,
	)
)
var (
	// ErrorSubTypeOidcSlo is the error sub-type under which every OIDC RP-initiated logout
	// (single logout) failure is classified; see ErrorSubTypeCodeOidcSlo.
	ErrorSubTypeOidcSlo = security.NewErrorSubType(ErrorSubTypeCodeOidcSlo, errors.New("error sub-type: oidc slo"))
	// ErrorOidcSloRp errors are displayed as an HTML page with status 400.
	// NOTE(review): the logout request parameters (post_logout_redirect_uri, state, id_token_hint)
	// are attacker-controlled; whatever template renders this page must HTML-escape them and must
	// not redirect to an unvalidated post_logout_redirect_uri. The template is not visible here.
	ErrorOidcSloRp = security.NewCodedError(ErrorCodeOidcSloRp, "SLO rp error")
	// ErrorOidcSloOp errors are displayed as an HTML page with status 500.
	ErrorOidcSloOp = security.NewCodedError(ErrorCodeOidcSloOp, "SLO op error")
)
var (
	// OPMetadataBasicSpecs describes how each required / core member of the OP metadata document
	// is produced: endpoints are derived from the issuer (opMetaEndpoint), capability lists are
	// fixed sets. Everything published here is what relying parties will negotiate, so keep the
	// lists honest with respect to what the server actually enforces.
	OPMetadataBasicSpecs = map[string]claims.ClaimSpec{
		OPMetadataIssuer:           claims.Optional(claims.Issuer),
		OPMetadataAuthEndpoint:     opMetaEndpoint(OPMetadataAuthEndpoint),
		OPMetadataTokenEndpoint:    opMetaEndpoint(OPMetadataTokenEndpoint),
		OPMetadataUserInfoEndpoint: opMetaEndpoint(OPMetadataUserInfoEndpoint),
		OPMetadataJwkSetURI:        opMetaEndpoint(OPMetadataJwkSetURI),
		// NOTE(review): password and implicit are deprecated (RFC 9700 / OAuth 2.1). Also, this list
		// is wider than SupportedGrantTypes (which omits client_credentials, refresh and saml_sso),
		// and implicit is advertised while response_types_supported below lists only "code" —
		// an implicit flow needs a "token"/"id_token" response type, so one of the two is stale.
		OPMetadataGrantTypes: opMetaFixedSet(
			oauth2.GrantTypeClientCredentials,
			oauth2.GrantTypePassword,
			oauth2.GrantTypeAuthCode,
			oauth2.GrantTypeImplicit,
			oauth2.GrantTypeRefresh,
			oauth2.GrantTypeSwitchUser,
			oauth2.GrantTypeSwitchTenant,
			oauth2.GrantTypeSamlSSO,
		),
		OPMetadataScopes: opMetaFixedSet(
			oauth2.ScopeRead,
			oauth2.ScopeWrite,
			oauth2.ScopeTokenDetails,
			oauth2.ScopeTenantHierarchy,
			oauth2.ScopeOidc,
			oauth2.ScopeOidcProfile,
			oauth2.ScopeOidcEmail,
			oauth2.ScopeOidcAddress,
			oauth2.ScopeOidcPhone,
		),
		// Only the authorization-code response type: no hybrid or implicit response types, hence
		// no c_hash in IdTokenClaims.
		OPMetadataResponseTypes: opMetaFixedSet("code"),
		OPMetadataACRValues:     opMetaAcrValues(1, 2, 3),
		// "public" subject identifiers: `sub` is the same for every client (no pairwise privacy).
		OPMetadataSubjectTypes: opMetaFixedSet("public"),
		// RS256 only — RPs must reject ID Tokens signed with anything else (in particular `none`).
		OPMetadataIdTokenJwsAlg: opMetaFixedSet("RS256"),
		// NOTE(review): IdTokenClaims also carries tenant, role and permission claims that are not
		// advertised here; either advertise them or keep them out of the ID Token.
		OPMetadataClaims: opMetaFixedSet(
			oauth2.ClaimIssuer,
			oauth2.ClaimSubject,
			oauth2.ClaimAudience,
			oauth2.ClaimExpire,
			oauth2.ClaimIssueAt,
			oauth2.ClaimAuthTime,
			oauth2.ClaimNonce,
			oauth2.ClaimAuthCtxClassRef,
			oauth2.ClaimAuthMethodRef,
			oauth2.ClaimAuthorizedParty,
			oauth2.ClaimFullName,
			oauth2.ClaimFirstName,
			oauth2.ClaimLastName,
			oauth2.ClaimPreferredUsername,
			oauth2.ClaimEmail,
			oauth2.ClaimEmailVerified,
			oauth2.ClaimLocale,
		),
	}
	// OPMetadataOptionalSpecs covers the optional members; claims.Unsupported() entries are
	// features this OP does not offer (dynamic registration, encrypted tokens, request_uri, ...).
	OPMetadataOptionalSpecs = map[string]claims.ClaimSpec{
		OPMetadataRegEndpoint:    claims.Unsupported(),
		OPMetadataResponseModes:  claims.Unsupported(),
		OPMetadataIdTokenJweAlg:  claims.Unsupported(),
		OPMetadataIdTokenJweEnc:  claims.Unsupported(),
		OPMetadataUserInfoJwsAlg: opMetaFixedSet("RS256"),
		OPMetadataUserInfoJweAlg: claims.Unsupported(),
		OPMetadataUserInfoJweEnc: claims.Unsupported(),
		// NOTE(review): request_parameter_supported is true below, yet no request-object signing
		// algorithm is advertised. Confirm that unsigned (`alg: none`) request objects are not
		// trusted for security-relevant parameters (redirect_uri, scope, response_type).
		OPMetadataRequestJwsAlg: claims.Unsupported(),
		OPMetadataRequestJweAlg: claims.Unsupported(),
		OPMetadataRequestJweEnc: claims.Unsupported(),
		// Shared-secret client authentication only; no private_key_jwt / mTLS.
		OPMetadataClientAuthMethod: opMetaFixedSet("client_secret_basic", "client_secret_post"),
		OPMetadataAuthJwsAlg:       claims.Unsupported(),
		OPMetadataDisplayValues:    opMetaFixedSet("page", "touch"),
		OPMetadataClaimTypes:       opMetaFixedSet("normal"),
		OPMetadataServiceDocs:      claims.Unsupported(),
		OPMetadataClaimsLocales:    opMetaFixedSet("en-CA", "en-US"),
		OPMetadataUILocales:        opMetaFixedSet("en-CA", "en-US"),
		OPMetadataClaimsParams:     opMetaFixedBool(true),
		OPMetadataRequestParams:    opMetaFixedBool(true),
		// request_uri is not supported: the OP never fetches a client-supplied URL, which removes
		// the SSRF surface that parameter carries.
		OPMetadataRequestUriParams:      claims.Unsupported(),
		OPMetadataRequiresRequestUriReg: claims.Unsupported(),
		OPMetadataPolicyUri:             claims.Unsupported(),
		OPMetadataTosUri:                claims.Unsupported(),
		OPMetadataEndSessionEndpoint:    opMetaEndpoint(OPMetadataEndSessionEndpoint),
	}
)
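// ParameterIdTokenHint is the RP-initiated logout request parameter carrying an ID Token
// previously issued to the relying party, used to identify the session and client being logged out.
// Declared as a constant rather than a mutable package-level var so the wire-format name cannot be
// altered at runtime; any use of a `*string` pointer to it or assignment to it would not compile.
const ParameterIdTokenHint = "id_token_hint"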
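// ParameterRedirectUri is the RP-initiated logout request parameter naming where to send the
// user-agent after logout. It is attacker-controlled input: the logout handler must redirect only
// to a URI registered for the client identified by the (signature-verified) id_token_hint,
// otherwise the end-session endpoint becomes an open redirector. Declared as a constant rather
// than a mutable package-level var so the wire-format name cannot be altered at runtime.
const ParameterRedirectUri = "post_logout_redirect_uri"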
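// ParameterState is the opaque value the relying party attaches to a logout request and expects
// echoed back unchanged on the post-logout redirect. It must be treated as opaque: never
// interpreted, and escaped if it is ever rendered into HTML. Declared as a constant rather than a
// mutable package-level var so the wire-format name cannot be altered at runtime.
const ParameterState = "state"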
Functions ¶
func NewAccountSelectionRequiredError ¶
// NewAccountSelectionRequiredError constructs the error returned when the end user must choose
// among several accounts but the request (e.g. prompt=none) forbids any interaction. The name
// matches the OIDC Core §3.1.2.6 `account_selection_required` code — presumably a fixed-code
// wrapper over NewOpenIDExtendedError; confirm in source. value is the error payload/description,
// causes are optional underlying errors.
func NewAccountSelectionRequiredError(value interface{}, causes ...interface{}) error
func NewInteractionRequiredError ¶
// NewInteractionRequiredError constructs the error returned when the OP needs some end-user
// interaction but the request (prompt=none) forbids it. The name matches the OIDC Core §3.1.2.6
// `interaction_required` code — presumably a fixed-code wrapper over NewOpenIDExtendedError;
// confirm in source. value is the error payload/description, causes are optional underlying errors.
func NewInteractionRequiredError(value interface{}, causes ...interface{}) error
func NewInvalidRequestObjError ¶
// NewInvalidRequestObjError constructs the error for a malformed or unacceptable `request`
// parameter (request object). The name matches the OIDC Core §3.1.2.6 `invalid_request_object`
// code — presumably a fixed-code wrapper over NewOpenIDExtendedError; confirm in source.
// value is the error payload/description, causes are optional underlying errors.
func NewInvalidRequestObjError(value interface{}, causes ...interface{}) error
func NewInvalidRequestURIError ¶
// NewInvalidRequestURIError constructs the error for an invalid or unretrievable `request_uri`.
// The name matches the OIDC Core §3.1.2.6 `invalid_request_uri` code — presumably a fixed-code
// wrapper over NewOpenIDExtendedError; confirm in source. Note the OP metadata in this package
// advertises request_uri as unsupported, so NewRequestURINotSupportedError is the more likely
// answer in practice. value is the error payload/description, causes are optional underlying errors.
func NewInvalidRequestURIError(value interface{}, causes ...interface{}) error
func NewLoginRequiredError ¶
// NewLoginRequiredError constructs the error returned when the end user is not authenticated and
// the request (prompt=none) forbids prompting. The name matches the OIDC Core §3.1.2.6
// `login_required` code — presumably a fixed-code wrapper over NewOpenIDExtendedError; confirm in
// source. value is the error payload/description, causes are optional underlying errors.
func NewLoginRequiredError(value interface{}, causes ...interface{}) error
func NewOpenIDExtendedError ¶
func NewOpenIDExtendedError(oauth2Code string, value interface{}, causes ...interface{}) error
func NewRegistrationNotSupportedError ¶
// NewRegistrationNotSupportedError constructs the error returned when a client uses the
// `registration` parameter, which this OP does not support (registration_endpoint is advertised
// as unsupported in OPMetadataOptionalSpecs). The name matches the OIDC Core §3.1.2.6
// `registration_not_supported` code — presumably a fixed-code wrapper over NewOpenIDExtendedError;
// confirm in source. value is the error payload/description, causes are optional underlying errors.
func NewRegistrationNotSupportedError(value interface{}, causes ...interface{}) error
func NewRequestNotSupportedError ¶
// NewRequestNotSupportedError constructs the error for use of the `request` parameter when the OP
// does not support it. The name matches the OIDC Core §3.1.2.6 `request_not_supported` code —
// presumably a fixed-code wrapper over NewOpenIDExtendedError; confirm in source. Note the OP
// metadata in this package advertises request_parameter_supported = true, so this should only
// be reachable if that setting is overridden. value is the error payload/description, causes are
// optional underlying errors.
func NewRequestNotSupportedError(value interface{}, causes ...interface{}) error
func NewRequestURINotSupportedError ¶
// NewRequestURINotSupportedError constructs the error for use of the `request_uri` parameter,
// which this OP advertises as unsupported (OPMetadataRequestUriParams) and should therefore
// reject rather than fetch. The name matches the OIDC Core §3.1.2.6 `request_uri_not_supported`
// code — presumably a fixed-code wrapper over NewOpenIDExtendedError; confirm in source.
// value is the error payload/description, causes are optional underlying errors.
func NewRequestURINotSupportedError(value interface{}, causes ...interface{}) error
Types ¶
type ARPOptions ¶
// ARPOptions is a functional option for NewOpenIDAuthorizeRequestProcessor; each one mutates the
// *ARPOption configuration struct in place. (ARPOption itself is not shown on this page.)
type ARPOptions func(opt *ARPOption)
type ClaimsRequest ¶
// ClaimsRequest is the decoded OIDC `claims` authorization-request parameter (OIDC Core §5.5),
// which this OP advertises as supported (claims_parameter_supported = true). It lets a client ask
// for individual claims to be returned from the UserInfo endpoint and/or in the ID Token.
// The value is client-supplied; requested claims are a request, not an entitlement — the OP must
// still apply its own scope and consent policy before releasing them.
type ClaimsRequest struct {
	// UserInfo: claims requested for the UserInfo response.
	UserInfo requestedClaims `json:"userinfo"`
	// IdToken: claims requested inside the ID Token.
	IdToken requestedClaims `json:"id_token"`
}
type EnhancerOption ¶
// EnhancerOption is the configuration filled in by EnhancerOptions and consumed by
// NewOpenIDTokenEnhancer.
type EnhancerOption struct {
	// Issuer supplies the `iss` value (and presumably the base for endpoint URLs) of minted ID Tokens.
	Issuer security.Issuer
	// JwtEncoder signs the ID Token. It must sign with RS256 to match what OPMetadataBasicSpecs
	// advertises in id_token_signing_alg_values_supported.
	JwtEncoder jwt.JwtEncoder
}
type EnhancerOptions ¶
// EnhancerOptions is a functional option for NewOpenIDTokenEnhancer; each one mutates the
// *EnhancerOption configuration struct in place.
type EnhancerOptions func(opt *EnhancerOption)
type HandlerOption ¶
// HandlerOption is the configuration filled in by HandlerOptions and consumed by
// NewOidcLogoutHandler.
type HandlerOption struct {
	// Dec decodes the id_token_hint presented on logout. NOTE(review): it must verify the token's
	// signature and issuer, not merely parse it — an unverified hint must not be trusted to
	// identify the subject or the client whose post-logout redirect URIs are consulted.
	Dec jwt.JwtDecoder
	// Issuer is the OP's own issuer, presumably compared against the hint's `iss` claim — confirm.
	Issuer security.Issuer
	// ClientStore resolves the client named in the hint, presumably to validate
	// post_logout_redirect_uri against its registered URIs — confirm in HandleLogout.
	ClientStore oauth2.OAuth2ClientStore
}
type HandlerOptions ¶
// HandlerOptions is a functional option for NewOidcLogoutHandler; each one mutates the
// *HandlerOption configuration struct in place.
type HandlerOptions func(opt *HandlerOption)
type IdTokenClaims ¶
// IdTokenClaims is the claim set of the ID Token this OP issues (OpenIDTokenEnhancer is described
// as the component that generates it). The `claim` tags are the JSON member names and are wire
// format — do not rename them. Mapping between fields and a generic claims map is done by the
// embedded oauth2.FieldClaimsMapper.
//
// NOTE(review): beyond the standard OIDC claims this token carries authorization data (roles,
// permissions, assigned tenants, tenant suspension). An ID Token is audience-restricted to the
// client (`aud`) and is meant for authentication of the end user at that client; resource servers
// must not accept it in place of an access token, and relying parties must validate `iss`, `aud`,
// `exp`, `nonce` and the RS256 signature before reading any of these fields. The extra claims are
// also not listed in claims_supported in OPMetadataBasicSpecs.
type IdTokenClaims struct {
	oauth2.FieldClaimsMapper

	// Registered JWT claims (OIDC Core §2).
	Issuer   string                `claim:"iss"`
	Subject  string                `claim:"sub"`
	Audience oauth2.StringSetClaim `claim:"aud"`
	Expire   time.Time             `claim:"exp"`
	IssueAt  time.Time             `claim:"iat"`

	/* Standard */
	AuthTime        time.Time `claim:"auth_time"`
	Nonce           string    `claim:"nonce"` // replay protection: echoed from the authorization request
	AuthCtxClassRef string    `claim:"acr"`
	AuthMethodRef   []string  `claim:"amr"`
	AuthorizedParty string    `claim:"azp"`
	// at_hash binds the token to the access token issued alongside it. There is no c_hash, which
	// is consistent with only the "code" response type being advertised (no hybrid flow).
	AccessTokenHash string `claim:"at_hash"`

	/* Profile Scope */
	FullName          string    `claim:"name"`
	FirstName         string    `claim:"given_name"`
	LastName          string    `claim:"family_name"`
	MiddleName        string    `claim:"middle_name"`
	Nickname          string    `claim:"nickname"`
	PreferredUsername string    `claim:"preferred_username"`
	ProfileUrl        string    `claim:"profile"`
	PictureUrl        string    `claim:"picture"`
	Website           string    `claim:"website"`
	Gender            string    `claim:"gender"`
	Birthday          string    `claim:"birthdate"` // ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format
	ZoneInfo          string    `claim:"zoneinfo"`  // Europe/Paris or America/Los_Angeles
	Locale            string    `claim:"locale"`    // Typically ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1
	UpdatedAt         time.Time `claim:"updated_at"`

	/* Email Scope */
	Email string `claim:"email"`
	// Pointer so an absent claim can be told apart from an explicit false — presumably; RPs must
	// not treat a missing email_verified as verified.
	EmailVerified *bool `claim:"email_verified"`

	/* Phone Number Scope */
	PhoneNumber      string `claim:"phone_number"` // RFC 3966 [RFC3966] e.g. +1 (604) 555-1234;ext=5678
	PhoneNumVerified *bool  `claim:"phone_number_verified"`

	/* Address Scope */
	Address *claims.AddressClaim `claim:"address"`

	/* Tenancy / authorization claims. The original source labels this section "Profile Scope" as
	   well, which looks like a copy-paste; confirm which scope actually gates these claims. */
	DefaultTenantId string          `claim:"default_tenant_id"`
	AssignedTenants utils.StringSet `claim:"assigned_tenants"`
	Roles           utils.StringSet `claim:"roles"`
	Permissions     utils.StringSet `claim:"permissions"`

	/* General Scope */
	UserId          string `claim:"user_id"`
	AccountType     string `claim:"account_type"`
	TenantId        string `claim:"tenant_id"`
	TenantExternalId string `claim:"tenant_name"` //for backward compatibility, map to tenant_name
	TenantSuspended *bool  `claim:"tenant_suspended"`
	ProviderId      string `claim:"provider_id"`
	ProviderName    string `claim:"provider_name"`
	OrigUsername    string `claim:"original_username"`
	Currency        string `claim:"currency"`
}
IdTokenClaims implements oauth2.Claims
func (*IdTokenClaims) Get ¶
// Get returns the value of the named claim, or nil when it is absent. Resolution is presumably
// delegated to the embedded oauth2.FieldClaimsMapper via the `claim` struct tags — confirm.
func (c *IdTokenClaims) Get(claim string) interface{}
func (*IdTokenClaims) Has ¶
// Has reports whether the named claim is present (whether a zero-valued field counts as present
// depends on the embedded mapper and is not visible here).
func (c *IdTokenClaims) Has(claim string) bool
func (*IdTokenClaims) MarshalJSON ¶
// MarshalJSON serialises the claims using the `claim` tag names as JSON members, so the struct
// can be used directly as a JWT payload.
func (c *IdTokenClaims) MarshalJSON() ([]byte, error)
func (*IdTokenClaims) Set ¶
// Set assigns value to the named claim. How a type mismatch between value and the tagged field is
// handled (ignored vs. coerced) is not visible here — callers should pass the field's own type.
func (c *IdTokenClaims) Set(claim string, value interface{})
func (*IdTokenClaims) UnmarshalJSON ¶
// UnmarshalJSON populates the claims from a JSON object keyed by `claim` tag names.
// Parsing is not verification: a token body decoded here must only be trusted after its
// signature, issuer and audience have been checked.
func (c *IdTokenClaims) UnmarshalJSON(bytes []byte) error
func (*IdTokenClaims) Values ¶
// Values returns the claims as a map keyed by claim name (the generic form used by oauth2.Claims).
func (c *IdTokenClaims) Values() map[string]interface{}
type OPMetadata ¶
// OPMetadata is the OpenID Provider metadata document (OIDC Discovery 1.0 §3) served at
// WellKnownEndpointOPConfig. The typed fields mirror exactly the members produced by
// OPMetadataBasicSpecs; the embedded oauth2.MapClaims holds every other member (the optional
// specs), and oauth2.FieldClaimsMapper bridges the two. Read methods (Get/Has/MarshalJSON/Values)
// use value receivers, Set/UnmarshalJSON pointer receivers.
type OPMetadata struct {
	oauth2.FieldClaimsMapper
	oauth2.MapClaims

	// Issuer must equal the URL the document was fetched from, minus the well-known suffix;
	// relying parties are required to reject the document otherwise.
	Issuer string `claim:"issuer"`

	AuthEndpoint     string `claim:"authorization_endpoint"`
	TokenEndpoint    string `claim:"token_endpoint"`
	UserInfoEndpoint string `claim:"userinfo_endpoint"`
	JwkSetURI        string `claim:"jwks_uri"`

	SupportedGrantTypes    utils.StringSet `claim:"grant_types_supported"`
	SupportedScopes        utils.StringSet `claim:"scopes_supported"`
	SupportedResponseTypes utils.StringSet `claim:"response_types_supported"`
	SupportedACRs          utils.StringSet `claim:"acr_values_supported"`
	SupportedSubjectTypes  utils.StringSet `claim:"subject_types_supported"`
	SupportedIdTokenJwsAlg utils.StringSet `claim:"id_token_signing_alg_values_supported"`
	SupportedClaims        utils.StringSet `claim:"claims_supported"`
}
OPMetadata leverages the claims implementations (oauth2.FieldClaimsMapper and oauth2.MapClaims) for its accessors.
func (OPMetadata) Get ¶
// Get returns the named metadata member, or nil when absent. Typed fields and the embedded map
// are presumably both consulted — confirm which wins on a key present in both.
func (m OPMetadata) Get(claim string) interface{}
func (OPMetadata) Has ¶
// Has reports whether the named metadata member is present.
func (m OPMetadata) Has(claim string) bool
func (OPMetadata) MarshalJSON ¶
// MarshalJSON renders the discovery document; typed fields use their `claim` tag names and the
// embedded map contributes the remaining members.
func (m OPMetadata) MarshalJSON() ([]byte, error)
func (*OPMetadata) Set ¶
// Set assigns value to the named metadata member (typed field when one matches the tag,
// otherwise presumably the embedded map — confirm).
func (m *OPMetadata) Set(claim string, value interface{})
func (*OPMetadata) UnmarshalJSON ¶
// UnmarshalJSON parses a discovery document. A relying party using this to consume a remote OP's
// document must fetch it over TLS and check Issuer against the fetch URL; parsing alone
// establishes nothing.
func (m *OPMetadata) UnmarshalJSON(bytes []byte) error
func (OPMetadata) Values ¶
// Values returns every metadata member as a map keyed by member name.
func (m OPMetadata) Values() map[string]interface{}
type OidcEntryPoint ¶
// OidcEntryPoint is the authentication entry point for OpenID Connect requests: Commence is
// invoked with the error that stopped the request, so the OP can answer an unauthenticated or
// non-interactive (prompt=none) authorize request the way OIDC prescribes rather than with a
// generic login redirect. Construct it with NewOidcEntryPoint; configuration is via EpOptions
// (EpOption is not shown on this page).
type OidcEntryPoint struct {
	// contains filtered or unexported fields
}
func NewOidcEntryPoint ¶
// NewOidcEntryPoint builds an OidcEntryPoint, applying each EpOptions in order.
func NewOidcEntryPoint(opts ...EpOptions) *OidcEntryPoint
func (*OidcEntryPoint) Commence ¶
// Commence handles an authorize request that could not proceed, given the error err that stopped
// it. For an OIDC client it presumably writes the error back to the client's redirect URI in the
// OIDC error format (login_required etc.) — confirm; when doing so, the redirect target must be
// the client's validated redirect_uri, never a value taken from the failed request.
func (o *OidcEntryPoint) Commence(ctx context.Context, request *http.Request, writer http.ResponseWriter, err error)
type OidcLogoutHandler ¶
// OidcLogoutHandler implements OIDC RP-Initiated Logout on the end_session_endpoint: it is
// consulted (ShouldLogout) before the session is terminated and performs the post-logout
// redirect (HandleLogout). The request parameters it reads are ParameterIdTokenHint,
// ParameterRedirectUri and ParameterState; all three are client-controlled. Failures are
// reported as ErrorOidcSloRp (400) or ErrorOidcSloOp (500). Construct with NewOidcLogoutHandler.
type OidcLogoutHandler struct {
	// contains filtered or unexported fields
}
func NewOidcLogoutHandler ¶
// NewOidcLogoutHandler builds an OidcLogoutHandler from HandlerOptions (decoder, issuer,
// client store — see HandlerOption).
func NewOidcLogoutHandler(opts ...HandlerOptions) *OidcLogoutHandler
func (*OidcLogoutHandler) HandleLogout ¶
// HandleLogout completes an RP-initiated logout for the given (now logged-out) authentication,
// presumably redirecting the user-agent to post_logout_redirect_uri with state appended.
// Security contract to confirm in the implementation: the redirect URI must match one registered
// for the client identified by a signature-verified id_token_hint (resolved through the
// ClientStore); anything else must fall back to an OP-hosted page, or this is an open redirect.
func (o *OidcLogoutHandler) HandleLogout(ctx context.Context, request *http.Request, writer http.ResponseWriter, authentication security.Authentication) error
func (*OidcLogoutHandler) Order ¶
// Order returns this handler's position among the logout handlers (lower presumably runs first —
// confirm against the order package).
func (o *OidcLogoutHandler) Order() int
func (*OidcLogoutHandler) ShouldLogout ¶
// ShouldLogout is called before the session is terminated; a non-nil error vetoes the logout.
// This is where the request parameters should be validated (id_token_hint signature/issuer,
// that the hint's subject matches the current authentication, that post_logout_redirect_uri is
// registered for that client) so that an attacker cannot log a victim out via a crafted link
// and then control where they land — confirm which of these checks live here.
func (o *OidcLogoutHandler) ShouldLogout(ctx context.Context, request *http.Request, writer http.ResponseWriter, authentication security.Authentication) error
type OidcSuccessHandler ¶
// OidcSuccessHandler runs after a successful authentication during an OIDC authorize flow.
// It is configured with an OAuth2 client store and a white-label error page path (see
// SuccessOption); the client store suggests it resolves the requesting client, presumably to
// continue the authorization request — confirm. Construct with NewOidcSuccessHandler.
type OidcSuccessHandler struct {
	// contains filtered or unexported fields
}
func NewOidcSuccessHandler ¶
// NewOidcSuccessHandler builds an OidcSuccessHandler from SuccessOptions.
func NewOidcSuccessHandler(opts ...SuccessOptions) *OidcSuccessHandler
func (*OidcSuccessHandler) HandleAuthenticationSuccess ¶
// HandleAuthenticationSuccess is invoked when the authentication transitions from `from` to `to`.
// It writes the response itself (no error return); failures are presumably routed to the
// configured WhitelabelErrorPath — confirm.
func (o *OidcSuccessHandler) HandleAuthenticationSuccess(c context.Context, r *http.Request, rw http.ResponseWriter, from, to security.Authentication)
func (*OidcSuccessHandler) Order ¶
// Order returns this handler's position among the authentication success handlers.
func (o *OidcSuccessHandler) Order() int
type OpenIDAuthorizeRequestProcessor ¶
// OpenIDAuthorizeRequestProcessor validates the OpenID Connect aspects of an authorize request
// (for example the prompt/display values and the `claims` / request-object parameters this
// package defines) as one link in a chain of processors; see Process. Constructed with
// NewOpenIDAuthorizeRequestProcessor and ordered via order.Ordered.
type OpenIDAuthorizeRequestProcessor struct {
	// contains filtered or unexported fields
}
OpenIDAuthorizeRequestProcessor implements ChainedAuthorizeRequestProcessor and order.Ordered. It validates the authorization request against the standard OpenID Connect / OAuth2 specs.
func NewOpenIDAuthorizeRequestProcessor ¶
// NewOpenIDAuthorizeRequestProcessor builds the processor, applying each ARPOptions in order.
func NewOpenIDAuthorizeRequestProcessor(opts ...ARPOptions) *OpenIDAuthorizeRequestProcessor
func (*OpenIDAuthorizeRequestProcessor) Process ¶
// Process validates the OpenID-specific parts of request and then hands off to chain, returning
// the validated (possibly augmented) request or an error. Errors should be the OIDC-coded ones
// from this package (e.g. NewLoginRequiredError for prompt=none without a session) so the client
// receives the spec-defined error code. If a `request` object is honoured here, remember that
// no signing algorithm is advertised for it — parameters taken from an unsigned object must not
// override the validated redirect_uri/client checks performed earlier in the chain.
func (p *OpenIDAuthorizeRequestProcessor) Process(ctx context.Context, request *auth.AuthorizeRequest, chain auth.AuthorizeRequestProcessChain) (validated *auth.AuthorizeRequest, err error)
type OpenIDTokenEnhancer ¶
// OpenIDTokenEnhancer mints the OpenID Connect ID Token (IdTokenClaims) for a token grant and
// attaches it to the access token's details; see Enhance. It signs with the configured
// jwt.JwtEncoder and issuer (EnhancerOption). Constructed with NewOpenIDTokenEnhancer and
// ordered via order.Ordered.
type OpenIDTokenEnhancer struct {
	// contains filtered or unexported fields
}
OpenIDTokenEnhancer implements order.Ordered and TokenEnhancer. It generates the OpenID Connect ID Token and sets it in the token details.
func NewOpenIDTokenEnhancer ¶
// NewOpenIDTokenEnhancer builds the enhancer, applying each EnhancerOptions in order.
func NewOpenIDTokenEnhancer(opts ...EnhancerOptions) *OpenIDTokenEnhancer
func (*OpenIDTokenEnhancer) Enhance ¶
// Enhance returns token with an ID Token added to its details for the given OAuth2
// authentication, or an error. Presumably it only acts for grants in SupportedGrantTypes with
// the openid scope, and emits the full IdTokenClaims set for FullIdTokenGrantTypes — confirm.
// The ID Token must carry the request's nonce and an at_hash of the returned access token, and be
// signed RS256 as advertised in the OP metadata.
func (oe *OpenIDTokenEnhancer) Enhance(ctx context.Context, token oauth2.AccessToken, oauth oauth2.Authentication) (oauth2.AccessToken, error)
func (*OpenIDTokenEnhancer) Order ¶
// Order returns this enhancer's position in the token-enhancer chain. It must run after the
// access token's final value is fixed, since at_hash is computed over it — confirm the ordering.
func (oe *OpenIDTokenEnhancer) Order() int
type SuccessOption ¶
// SuccessOption is the configuration filled in by SuccessOptions and consumed by
// NewOidcSuccessHandler.
type SuccessOption struct {
	// ClientStore resolves the OAuth2 client involved in the authorize flow.
	ClientStore oauth2.OAuth2ClientStore
	// WhitelabelErrorPath is the OP-hosted error page to send the user to when the success
	// handler cannot continue the flow; presumably used instead of redirecting to the client.
	WhitelabelErrorPath string
}
type SuccessOptions ¶
// SuccessOptions is a functional option for NewOidcSuccessHandler; each one mutates the
// *SuccessOption configuration struct in place.
type SuccessOptions func(opt *SuccessOption)