v0.0.0-...-a93f71f Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Oct 2, 2017 License: Apache-2.0 Imports: 19 Imported by: 0



Package oidc is DEPRECATED. Use github.com/coreos/go-oidc instead.



View Source
const (
	// Subject Identifier types defined by the OIDC spec. Specifies if the provider
	// should provide the same sub claim value to all clients (public) or a unique
	// value for each client (pairwise).
	// See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
	SubjectTypePublic   = "public"
	SubjectTypePairwise = "pairwise"
View Source
const (
	MaximumProviderConfigSyncInterval = 24 * time.Hour
	MinimumProviderConfigSyncInterval = time.Minute
View Source
const DefaultPublicKeySetTTL = 24 * time.Hour

DefaultPublicKeySetTTL is the default TTL set on the PublicKeySet if no Cache-Control header is provided by the JWK Set document endpoint.


View Source
var (
	// Default values for omitted provider config fields.
	// Use ProviderConfig's Defaults method to fill a provider config with these values.
	DefaultGrantTypesSupported               = []string{oauth2.GrantTypeAuthCode, oauth2.GrantTypeImplicit}
	DefaultResponseModesSupported            = []string{"query", "fragment"}
	DefaultTokenEndpointAuthMethodsSupported = []string{oauth2.AuthMethodClientSecretBasic}
	DefaultClaimTypesSupported               = []string{"normal"}
View Source
var (
	DefaultScope = []string{"openid", "email", "profile"}


func ExtractBearerToken

func ExtractBearerToken(r *http.Request) (string, error)

ExtractBearerToken is a RequestTokenExtractor which extracts a bearer token from a request's Authorization header.

func GenClientID

func GenClientID(hostport string) (string, error)

func NewClaims

func NewClaims(iss, sub string, aud interface{}, iat, exp time.Time) jose.Claims

func NewHTTPProviderConfigGetter

func NewHTTPProviderConfigGetter(hc phttp.Client, issuerURL string) *httpProviderConfigGetter

func NewRemotePublicKeyRepo

func NewRemotePublicKeyRepo(hc phttp.Client, ep string) *remotePublicKeyRepo

NewRemotePublicKeyRepo is responsible for fetching the JWK Set document.

func VerifyClaims

func VerifyClaims(jwt jose.JWT, issuer, clientID string) error

Verify claims in accordance with OIDC spec http://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation

func VerifyClientClaims

func VerifyClientClaims(jwt jose.JWT, issuer string) (string, error)

VerifyClientClaims verifies all the required claims are valid for a "client credentials" JWT. Returns the client ID if valid, or an error if invalid.

func VerifySignature

func VerifySignature(jwt jose.JWT, keys []key.PublicKey) (bool, error)


type AuthenticatedTransport

type AuthenticatedTransport struct {
	// contains filtered or unexported fields

func (*AuthenticatedTransport) RoundTrip

func (t *AuthenticatedTransport) RoundTrip(r *http.Request) (*http.Response, error)

func (*AuthenticatedTransport) SetJWT

func (t *AuthenticatedTransport) SetJWT(jwt jose.JWT)

SetJWT sets the JWT held by the Transport. This is useful for cases in which you want to set an initial JWT.

type Client

type Client struct {
	// contains filtered or unexported fields

func NewClient

func NewClient(cfg ClientConfig) (*Client, error)

func (*Client) ClientCredsToken

func (c *Client) ClientCredsToken(scope []string) (jose.JWT, error)

func (*Client) ExchangeAuthCode

func (c *Client) ExchangeAuthCode(code string) (jose.JWT, error)

ExchangeAuthCode exchanges an OAuth2 auth code for an OIDC JWT ID token.

func (*Client) Healthy

func (c *Client) Healthy() error

func (*Client) OAuthClient

func (c *Client) OAuthClient() (*oauth2.Client, error)

func (*Client) RefreshToken

func (c *Client) RefreshToken(refreshToken string) (jose.JWT, error)

RefreshToken uses a refresh token to exchange for a new OIDC JWT ID Token.

func (*Client) SyncProviderConfig

func (c *Client) SyncProviderConfig(discoveryURL string) chan struct{}

SyncProviderConfig starts the provider config syncer

func (*Client) VerifyJWT

func (c *Client) VerifyJWT(jwt jose.JWT) error

type ClientConfig

type ClientConfig struct {
	HTTPClient     phttp.Client
	Credentials    ClientCredentials
	Scope          []string
	RedirectURL    string
	ProviderConfig ProviderConfig
	KeySet         key.PublicKeySet

type ClientCredentials

type ClientCredentials oauth2.ClientCredentials

type ClientCredsTokenRefresher

type ClientCredsTokenRefresher struct {
	Issuer     string
	OIDCClient *Client

func (*ClientCredsTokenRefresher) Refresh

func (c *ClientCredsTokenRefresher) Refresh() (jwt jose.JWT, err error)

func (*ClientCredsTokenRefresher) Verify

func (c *ClientCredsTokenRefresher) Verify(jwt jose.JWT) (err error)

type ClientIdentity

type ClientIdentity struct {
	Credentials ClientCredentials
	Metadata    ClientMetadata

type ClientMetadata

type ClientMetadata struct {
	RedirectURIs []url.URL // Required

	// A list of OAuth 2.0 "response_type" values that the client wishes to restrict
	// itself to. Either "code", "token", or another registered extension.
	// If omitted, only "code" will be used.
	ResponseTypes []string
	// A list of OAuth 2.0 grant types the client wishes to restrict itself to.
	// The grant type values used by OIDC are "authorization_code", "implicit",
	// and "refresh_token".
	// If ommitted, only "authorization_code" will be used.
	GrantTypes []string
	// "native" or "web". If omitted, "web".
	ApplicationType string

	// List of email addresses.
	Contacts []mail.Address
	// Name of client to be presented to the end-user.
	ClientName string
	// URL that references a logo for the Client application.
	LogoURI *url.URL
	// URL of the home page of the Client.
	ClientURI *url.URL
	// Profile data policies and terms of use to be provided to the end user.
	PolicyURI         *url.URL
	TermsOfServiceURI *url.URL

	// URL to or the value of the client's JSON Web Key Set document.
	JWKS    *jose.JWKSet

	// URL referencing a flie with a single JSON array of redirect URIs.
	SectorIdentifierURI *url.URL

	SubjectType string

	// Options to restrict the JWS alg and enc values used for server responses and requests.
	IDTokenResponseOptions  JWAOptions
	UserInfoResponseOptions JWAOptions
	RequestObjectOptions    JWAOptions

	// Client requested authorization method and signing options for the token endpoint.
	// Defaults to "client_secret_basic"
	TokenEndpointAuthMethod     string
	TokenEndpointAuthSigningAlg string

	// DefaultMaxAge specifies the maximum amount of time in seconds before an authorized
	// user must reauthroize.
	// If 0, no limitation is placed on the maximum.
	DefaultMaxAge int64
	// RequireAuthTime specifies if the auth_time claim in the ID token is required.
	RequireAuthTime bool

	// Default Authentication Context Class Reference values for authentication requests.
	DefaultACRValues []string

	// URI that a third party can use to initiate a login by the relaying party.
	// See: http://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin
	InitiateLoginURI *url.URL
	// Pre-registered request_uri values that may be cached by the server.
	RequestURIs []url.URL

ClientMetadata holds metadata that the authorization server associates with a client identifier. The fields range from human-facing display strings such as client name, to items that impact the security of the protocol, such as the list of valid redirect URIs.

See http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata

TODO: support language specific claim representations http://openid.net/specs/openid-connect-registration-1_0.html#LanguagesAndScripts

func (ClientMetadata) Defaults

func (m ClientMetadata) Defaults() ClientMetadata

Defaults returns a shallow copy of ClientMetadata with default values replacing omitted fields.

func (*ClientMetadata) MarshalJSON

func (m *ClientMetadata) MarshalJSON() ([]byte, error)

func (*ClientMetadata) UnmarshalJSON

func (m *ClientMetadata) UnmarshalJSON(data []byte) error

func (*ClientMetadata) Valid

func (m *ClientMetadata) Valid() error

Valid determines if a ClientMetadata conforms with the OIDC specification.

Valid is called by UnmarshalJSON.

NOTE(ericchiang): For development purposes Valid does not mandate 'https' for URLs fields where the OIDC spec requires it. This may change in future releases of this package. See: https://github.com/coreos/go-oidc/issues/34

type ClientRegistrationResponse

type ClientRegistrationResponse struct {
	ClientID                string // Required
	ClientSecret            string
	RegistrationAccessToken string
	RegistrationClientURI   string
	// If IsZero is true, unspecified.
	ClientIDIssuedAt time.Time
	// Time at which the client_secret will expire.
	// If IsZero is true, it will not expire.
	ClientSecretExpiresAt time.Time


func (*ClientRegistrationResponse) MarshalJSON

func (c *ClientRegistrationResponse) MarshalJSON() ([]byte, error)

func (*ClientRegistrationResponse) UnmarshalJSON

func (c *ClientRegistrationResponse) UnmarshalJSON(data []byte) error

type Identity

type Identity struct {
	ID        string
	Name      string
	Email     string
	ExpiresAt time.Time

func IdentityFromClaims

func IdentityFromClaims(claims jose.Claims) (*Identity, error)

type JWAOptions

type JWAOptions struct {
	// SigningAlg specifies an JWA alg for signing JWTs.
	// Specifying this field implies different actions depending on the context. It may
	// require objects be serialized and signed as a JWT instead of plain JSON, or
	// require an existing JWT object use the specified alg.
	// See: http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
	SigningAlg string
	// EncryptionAlg, if provided, specifies that the returned or sent object be stored
	// (or nested) within a JWT object and encrypted with the provided JWA alg.
	EncryptionAlg string
	// EncryptionEnc specifies the JWA enc algorithm to use with EncryptionAlg. If
	// EncryptionAlg is provided and EncryptionEnc is omitted, this field defaults
	// to A128CBC-HS256.
	// If EncryptionEnc is provided EncryptionAlg must also be specified.
	EncryptionEnc string

type JWTVerifier

type JWTVerifier struct {
	// contains filtered or unexported fields

func NewJWTVerifier

func NewJWTVerifier(issuer, clientID string, syncFunc func() error, keysFunc func() []key.PublicKey) JWTVerifier

func (*JWTVerifier) Verify

func (v *JWTVerifier) Verify(jwt jose.JWT) error

type LoginFunc

type LoginFunc func(ident Identity, sessionKey string) (redirectURL string, err error)

type ProviderConfig

type ProviderConfig struct {
	Issuer               *url.URL // Required
	AuthEndpoint         *url.URL // Required
	TokenEndpoint        *url.URL // Required if grant types other than "implicit" are supported
	UserInfoEndpoint     *url.URL
	KeysEndpoint         *url.URL // Required
	RegistrationEndpoint *url.URL
	EndSessionEndpoint   *url.URL
	CheckSessionIFrame   *url.URL

	// Servers MAY choose not to advertise some supported scope values even when this
	// parameter is used, although those defined in OpenID Core SHOULD be listed, if supported.
	ScopesSupported []string
	// OAuth2.0 response types supported.
	ResponseTypesSupported []string // Required
	// OAuth2.0 response modes supported.
	// If omitted, defaults to DefaultResponseModesSupported.
	ResponseModesSupported []string
	// OAuth2.0 grant types supported.
	// If omitted, defaults to DefaultGrantTypesSupported.
	GrantTypesSupported []string
	ACRValuesSupported  []string
	// SubjectTypesSupported specifies strategies for providing values for the sub claim.
	SubjectTypesSupported []string // Required

	// JWA signing and encryption algorith values supported for ID tokens.
	IDTokenSigningAlgValues    []string // Required
	IDTokenEncryptionAlgValues []string
	IDTokenEncryptionEncValues []string

	// JWA signing and encryption algorith values supported for user info responses.
	UserInfoSigningAlgValues    []string
	UserInfoEncryptionAlgValues []string
	UserInfoEncryptionEncValues []string

	// JWA signing and encryption algorith values supported for request objects.
	ReqObjSigningAlgValues    []string
	ReqObjEncryptionAlgValues []string
	ReqObjEncryptionEncValues []string

	TokenEndpointAuthMethodsSupported          []string
	TokenEndpointAuthSigningAlgValuesSupported []string
	DisplayValuesSupported                     []string
	ClaimTypesSupported                        []string
	ClaimsSupported                            []string
	ServiceDocs                                *url.URL
	ClaimsLocalsSupported                      []string
	UILocalsSupported                          []string
	ClaimsParameterSupported                   bool
	RequestParameterSupported                  bool
	RequestURIParamaterSupported               bool
	RequireRequestURIRegistration              bool

	Policy         *url.URL
	TermsOfService *url.URL

	// Not part of the OpenID Provider Metadata
	ExpiresAt time.Time

ProviderConfig represents the OpenID Provider Metadata specifying what configurations a provider supports.

See: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

func FetchProviderConfig

func FetchProviderConfig(hc phttp.Client, issuerURL string) (ProviderConfig, error)

func WaitForProviderConfig

func WaitForProviderConfig(hc phttp.Client, issuerURL string) (pcfg ProviderConfig)

func (ProviderConfig) Defaults

func (p ProviderConfig) Defaults() ProviderConfig

Defaults returns a shallow copy of ProviderConfig with default values replacing omitted fields.

var cfg oidc.ProviderConfig
// Fill provider config with default values for omitted fields.
cfg = cfg.Defaults()

func (ProviderConfig) Empty

func (p ProviderConfig) Empty() bool

Empty returns if a ProviderConfig holds no information.

This case generally indicates a ProviderConfigGetter has experienced an error and has nothing to report.

func (*ProviderConfig) MarshalJSON

func (p *ProviderConfig) MarshalJSON() ([]byte, error)

func (ProviderConfig) Supports

func (p ProviderConfig) Supports(c ClientMetadata) error

Supports determines if provider supports a client given their respective metadata.

func (ProviderConfig) SupportsGrantType

func (p ProviderConfig) SupportsGrantType(grantType string) bool

func (*ProviderConfig) UnmarshalJSON

func (p *ProviderConfig) UnmarshalJSON(data []byte) error

func (ProviderConfig) Valid

func (p ProviderConfig) Valid() error

Valid determines if a ProviderConfig conforms with the OIDC specification. If Valid returns successfully it guarantees required field are non-nil and URLs are well formed.

Valid is called by UnmarshalJSON.

NOTE(ericchiang): For development purposes Valid does not mandate 'https' for URLs fields where the OIDC spec requires it. This may change in future releases of this package. See: https://github.com/coreos/go-oidc/issues/34

type ProviderConfigGetter

type ProviderConfigGetter interface {
	Get() (ProviderConfig, error)

type ProviderConfigSetter

type ProviderConfigSetter interface {
	Set(ProviderConfig) error

type ProviderConfigSyncer

type ProviderConfigSyncer struct {
	// contains filtered or unexported fields

func (*ProviderConfigSyncer) Run

func (s *ProviderConfigSyncer) Run() chan struct{}

func (*ProviderConfigSyncer) WaitUntilInitialSync

func (s *ProviderConfigSyncer) WaitUntilInitialSync()

type RequestTokenExtractor

type RequestTokenExtractor func(r *http.Request) (string, error)

RequestTokenExtractor funcs extract a raw encoded token from a request.

func CookieTokenExtractor

func CookieTokenExtractor(cookieName string) RequestTokenExtractor

CookieTokenExtractor returns a RequestTokenExtractor which extracts a token from the named cookie in a request.

type TokenRefresher

type TokenRefresher interface {
	// Verify checks if the provided token is currently valid or not.
	Verify(jose.JWT) error

	// Refresh attempts to authenticate and retrieve a new token.
	Refresh() (jose.JWT, error)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL