Package oidc is DEPRECATED. Use instead.



    View Source
    const (
    	// Subject Identifier types defined by the OIDC spec. Specifies if the provider
    	// should provide the same sub claim value to all clients (public) or a unique
    	// value for each client (pairwise).
    	// See:
    	SubjectTypePublic   = "public"
    	SubjectTypePairwise = "pairwise"
    View Source
    const (
    	MaximumProviderConfigSyncInterval = 24 * time.Hour
    	MinimumProviderConfigSyncInterval = time.Minute
    View Source
    const DefaultPublicKeySetTTL = 24 * time.Hour

      DefaultPublicKeySetTTL is the default TTL set on the PublicKeySet if no Cache-Control header is provided by the JWK Set document endpoint.


      View Source
      var (
      	// Default values for omitted provider config fields.
      	// Use ProviderConfig's Defaults method to fill a provider config with these values.
      	DefaultGrantTypesSupported               = []string{oauth2.GrantTypeAuthCode, oauth2.GrantTypeImplicit}
      	DefaultResponseModesSupported            = []string{"query", "fragment"}
      	DefaultTokenEndpointAuthMethodsSupported = []string{oauth2.AuthMethodClientSecretBasic}
      	DefaultClaimTypesSupported               = []string{"normal"}
      View Source
      var (
      	DefaultScope = []string{"openid", "email", "profile"}


      func ExtractBearerToken

      func ExtractBearerToken(r *http.Request) (string, error)

        ExtractBearerToken is a RequestTokenExtractor which extracts a bearer token from a request's Authorization header.

        func GenClientID

        func GenClientID(hostport string) (string, error)

        func NewClaims

        func NewClaims(iss, sub string, aud interface{}, iat, exp time.Time) jose.Claims

        func NewHTTPProviderConfigGetter

        func NewHTTPProviderConfigGetter(hc phttp.Client, issuerURL string) *httpProviderConfigGetter

        func NewRemotePublicKeyRepo

        func NewRemotePublicKeyRepo(hc phttp.Client, ep string) *remotePublicKeyRepo

          NewRemotePublicKeyRepo is responsible for fetching the JWK Set document.

          func VerifyClaims

          func VerifyClaims(jwt jose.JWT, issuer, clientID string) error

            Verify claims in accordance with OIDC spec

            func VerifyClientClaims

            func VerifyClientClaims(jwt jose.JWT, issuer string) (string, error)

              VerifyClientClaims verifies all the required claims are valid for a "client credentials" JWT. Returns the client ID if valid, or an error if invalid.

              func VerifySignature

              func VerifySignature(jwt jose.JWT, keys []key.PublicKey) (bool, error)


              type AuthenticatedTransport

              type AuthenticatedTransport struct {
              	// contains filtered or unexported fields

              func (*AuthenticatedTransport) RoundTrip

              func (t *AuthenticatedTransport) RoundTrip(r *http.Request) (*http.Response, error)

              func (*AuthenticatedTransport) SetJWT

              func (t *AuthenticatedTransport) SetJWT(jwt jose.JWT)

                SetJWT sets the JWT held by the Transport. This is useful for cases in which you want to set an initial JWT.

                type Client

                type Client struct {
                	// contains filtered or unexported fields

                func NewClient

                func NewClient(cfg ClientConfig) (*Client, error)

                func (*Client) ClientCredsToken

                func (c *Client) ClientCredsToken(scope []string) (jose.JWT, error)

                func (*Client) ExchangeAuthCode

                func (c *Client) ExchangeAuthCode(code string) (jose.JWT, error)

                  ExchangeAuthCode exchanges an OAuth2 auth code for an OIDC JWT ID token.

                  func (*Client) Healthy

                  func (c *Client) Healthy() error

                  func (*Client) OAuthClient

                  func (c *Client) OAuthClient() (*oauth2.Client, error)

                  func (*Client) RefreshToken

                  func (c *Client) RefreshToken(refreshToken string) (jose.JWT, error)

                    RefreshToken uses a refresh token to exchange for a new OIDC JWT ID Token.

                    func (*Client) SyncProviderConfig

                    func (c *Client) SyncProviderConfig(discoveryURL string) chan struct{}

                      SyncProviderConfig starts the provider config syncer

                      func (*Client) VerifyJWT

                      func (c *Client) VerifyJWT(jwt jose.JWT) error

                      type ClientConfig

                      type ClientConfig struct {
                      	HTTPClient     phttp.Client
                      	Credentials    ClientCredentials
                      	Scope          []string
                      	RedirectURL    string
                      	ProviderConfig ProviderConfig
                      	KeySet         key.PublicKeySet

                      type ClientCredentials

                      type ClientCredentials oauth2.ClientCredentials

                      type ClientCredsTokenRefresher

                      type ClientCredsTokenRefresher struct {
                      	Issuer     string
                      	OIDCClient *Client

                      func (*ClientCredsTokenRefresher) Refresh

                      func (c *ClientCredsTokenRefresher) Refresh() (jwt jose.JWT, err error)

                      func (*ClientCredsTokenRefresher) Verify

                      func (c *ClientCredsTokenRefresher) Verify(jwt jose.JWT) (err error)

                      type ClientIdentity

                      type ClientIdentity struct {
                      	Credentials ClientCredentials
                      	Metadata    ClientMetadata

                      type ClientMetadata

                      type ClientMetadata struct {
                      	RedirectURIs []url.URL // Required
                      	// A list of OAuth 2.0 "response_type" values that the client wishes to restrict
                      	// itself to. Either "code", "token", or another registered extension.
                      	// If omitted, only "code" will be used.
                      	ResponseTypes []string
                      	// A list of OAuth 2.0 grant types the client wishes to restrict itself to.
                      	// The grant type values used by OIDC are "authorization_code", "implicit",
                      	// and "refresh_token".
                      	// If ommitted, only "authorization_code" will be used.
                      	GrantTypes []string
                      	// "native" or "web". If omitted, "web".
                      	ApplicationType string
                      	// List of email addresses.
                      	Contacts []mail.Address
                      	// Name of client to be presented to the end-user.
                      	ClientName string
                      	// URL that references a logo for the Client application.
                      	LogoURI *url.URL
                      	// URL of the home page of the Client.
                      	ClientURI *url.URL
                      	// Profile data policies and terms of use to be provided to the end user.
                      	PolicyURI         *url.URL
                      	TermsOfServiceURI *url.URL
                      	// URL to or the value of the client's JSON Web Key Set document.
                      	JWKSURI *url.URL
                      	JWKS    *jose.JWKSet
                      	// URL referencing a flie with a single JSON array of redirect URIs.
                      	SectorIdentifierURI *url.URL
                      	SubjectType string
                      	// Options to restrict the JWS alg and enc values used for server responses and requests.
                      	IDTokenResponseOptions  JWAOptions
                      	UserInfoResponseOptions JWAOptions
                      	RequestObjectOptions    JWAOptions
                      	// Client requested authorization method and signing options for the token endpoint.
                      	// Defaults to "client_secret_basic"
                      	TokenEndpointAuthMethod     string
                      	TokenEndpointAuthSigningAlg string
                      	// DefaultMaxAge specifies the maximum amount of time in seconds before an authorized
                      	// user must reauthroize.
                      	// If 0, no limitation is placed on the maximum.
                      	DefaultMaxAge int64
                      	// RequireAuthTime specifies if the auth_time claim in the ID token is required.
                      	RequireAuthTime bool
                      	// Default Authentication Context Class Reference values for authentication requests.
                      	DefaultACRValues []string
                      	// URI that a third party can use to initiate a login by the relaying party.
                      	// See:
                      	InitiateLoginURI *url.URL
                      	// Pre-registered request_uri values that may be cached by the server.
                      	RequestURIs []url.URL

                        ClientMetadata holds metadata that the authorization server associates with a client identifier. The fields range from human-facing display strings such as client name, to items that impact the security of the protocol, such as the list of valid redirect URIs.


                        TODO: support language specific claim representations

                        func (ClientMetadata) Defaults

                        func (m ClientMetadata) Defaults() ClientMetadata

                          Defaults returns a shallow copy of ClientMetadata with default values replacing omitted fields.

                          func (*ClientMetadata) MarshalJSON

                          func (m *ClientMetadata) MarshalJSON() ([]byte, error)

                          func (*ClientMetadata) UnmarshalJSON

                          func (m *ClientMetadata) UnmarshalJSON(data []byte) error

                          func (*ClientMetadata) Valid

                          func (m *ClientMetadata) Valid() error

                            Valid determines if a ClientMetadata conforms with the OIDC specification.

                            Valid is called by UnmarshalJSON.

                            NOTE(ericchiang): For development purposes Valid does not mandate 'https' for URLs fields where the OIDC spec requires it. This may change in future releases of this package. See:

                            type ClientRegistrationResponse

                            type ClientRegistrationResponse struct {
                            	ClientID                string // Required
                            	ClientSecret            string
                            	RegistrationAccessToken string
                            	RegistrationClientURI   string
                            	// If IsZero is true, unspecified.
                            	ClientIDIssuedAt time.Time
                            	// Time at which the client_secret will expire.
                            	// If IsZero is true, it will not expire.
                            	ClientSecretExpiresAt time.Time

                            func (*ClientRegistrationResponse) MarshalJSON

                            func (c *ClientRegistrationResponse) MarshalJSON() ([]byte, error)

                            func (*ClientRegistrationResponse) UnmarshalJSON

                            func (c *ClientRegistrationResponse) UnmarshalJSON(data []byte) error

                            type Identity

                            type Identity struct {
                            	ID        string
                            	Name      string
                            	Email     string
                            	ExpiresAt time.Time

                            func IdentityFromClaims

                            func IdentityFromClaims(claims jose.Claims) (*Identity, error)

                            type JWAOptions

                            type JWAOptions struct {
                            	// SigningAlg specifies an JWA alg for signing JWTs.
                            	// Specifying this field implies different actions depending on the context. It may
                            	// require objects be serialized and signed as a JWT instead of plain JSON, or
                            	// require an existing JWT object use the specified alg.
                            	// See:
                            	SigningAlg string
                            	// EncryptionAlg, if provided, specifies that the returned or sent object be stored
                            	// (or nested) within a JWT object and encrypted with the provided JWA alg.
                            	EncryptionAlg string
                            	// EncryptionEnc specifies the JWA enc algorithm to use with EncryptionAlg. If
                            	// EncryptionAlg is provided and EncryptionEnc is omitted, this field defaults
                            	// to A128CBC-HS256.
                            	// If EncryptionEnc is provided EncryptionAlg must also be specified.
                            	EncryptionEnc string

                            type JWTVerifier

                            type JWTVerifier struct {
                            	// contains filtered or unexported fields

                            func NewJWTVerifier

                            func NewJWTVerifier(issuer, clientID string, syncFunc func() error, keysFunc func() []key.PublicKey) JWTVerifier

                            func (*JWTVerifier) Verify

                            func (v *JWTVerifier) Verify(jwt jose.JWT) error

                            type LoginFunc

                            type LoginFunc func(ident Identity, sessionKey string) (redirectURL string, err error)

                            type ProviderConfig

                            type ProviderConfig struct {
                            	Issuer               *url.URL // Required
                            	AuthEndpoint         *url.URL // Required
                            	TokenEndpoint        *url.URL // Required if grant types other than "implicit" are supported
                            	UserInfoEndpoint     *url.URL
                            	KeysEndpoint         *url.URL // Required
                            	RegistrationEndpoint *url.URL
                            	EndSessionEndpoint   *url.URL
                            	CheckSessionIFrame   *url.URL
                            	// Servers MAY choose not to advertise some supported scope values even when this
                            	// parameter is used, although those defined in OpenID Core SHOULD be listed, if supported.
                            	ScopesSupported []string
                            	// OAuth2.0 response types supported.
                            	ResponseTypesSupported []string // Required
                            	// OAuth2.0 response modes supported.
                            	// If omitted, defaults to DefaultResponseModesSupported.
                            	ResponseModesSupported []string
                            	// OAuth2.0 grant types supported.
                            	// If omitted, defaults to DefaultGrantTypesSupported.
                            	GrantTypesSupported []string
                            	ACRValuesSupported  []string
                            	// SubjectTypesSupported specifies strategies for providing values for the sub claim.
                            	SubjectTypesSupported []string // Required
                            	// JWA signing and encryption algorith values supported for ID tokens.
                            	IDTokenSigningAlgValues    []string // Required
                            	IDTokenEncryptionAlgValues []string
                            	IDTokenEncryptionEncValues []string
                            	// JWA signing and encryption algorith values supported for user info responses.
                            	UserInfoSigningAlgValues    []string
                            	UserInfoEncryptionAlgValues []string
                            	UserInfoEncryptionEncValues []string
                            	// JWA signing and encryption algorith values supported for request objects.
                            	ReqObjSigningAlgValues    []string
                            	ReqObjEncryptionAlgValues []string
                            	ReqObjEncryptionEncValues []string
                            	TokenEndpointAuthMethodsSupported          []string
                            	TokenEndpointAuthSigningAlgValuesSupported []string
                            	DisplayValuesSupported                     []string
                            	ClaimTypesSupported                        []string
                            	ClaimsSupported                            []string
                            	ServiceDocs                                *url.URL
                            	ClaimsLocalsSupported                      []string
                            	UILocalsSupported                          []string
                            	ClaimsParameterSupported                   bool
                            	RequestParameterSupported                  bool
                            	RequestURIParamaterSupported               bool
                            	RequireRequestURIRegistration              bool
                            	Policy         *url.URL
                            	TermsOfService *url.URL
                            	// Not part of the OpenID Provider Metadata
                            	ExpiresAt time.Time

                              ProviderConfig represents the OpenID Provider Metadata specifying what configurations a provider supports.


                              func FetchProviderConfig

                              func FetchProviderConfig(hc phttp.Client, issuerURL string) (ProviderConfig, error)

                              func WaitForProviderConfig

                              func WaitForProviderConfig(hc phttp.Client, issuerURL string) (pcfg ProviderConfig)

                              func (ProviderConfig) Defaults

                              func (p ProviderConfig) Defaults() ProviderConfig

                                Defaults returns a shallow copy of ProviderConfig with default values replacing omitted fields.

                                var cfg oidc.ProviderConfig
                                // Fill provider config with default values for omitted fields.
                                cfg = cfg.Defaults()

                                func (ProviderConfig) Empty

                                func (p ProviderConfig) Empty() bool

                                  Empty returns if a ProviderConfig holds no information.

                                  This case generally indicates a ProviderConfigGetter has experienced an error and has nothing to report.

                                  func (*ProviderConfig) MarshalJSON

                                  func (p *ProviderConfig) MarshalJSON() ([]byte, error)

                                  func (ProviderConfig) Supports

                                  func (p ProviderConfig) Supports(c ClientMetadata) error

                                    Supports determines if provider supports a client given their respective metadata.

                                    func (ProviderConfig) SupportsGrantType

                                    func (p ProviderConfig) SupportsGrantType(grantType string) bool

                                    func (*ProviderConfig) UnmarshalJSON

                                    func (p *ProviderConfig) UnmarshalJSON(data []byte) error

                                    func (ProviderConfig) Valid

                                    func (p ProviderConfig) Valid() error

                                      Valid determines if a ProviderConfig conforms with the OIDC specification. If Valid returns successfully it guarantees required field are non-nil and URLs are well formed.

                                      Valid is called by UnmarshalJSON.

                                      NOTE(ericchiang): For development purposes Valid does not mandate 'https' for URLs fields where the OIDC spec requires it. This may change in future releases of this package. See:

                                      type ProviderConfigGetter

                                      type ProviderConfigGetter interface {
                                      	Get() (ProviderConfig, error)

                                      type ProviderConfigSetter

                                      type ProviderConfigSetter interface {
                                      	Set(ProviderConfig) error

                                      type ProviderConfigSyncer

                                      type ProviderConfigSyncer struct {
                                      	// contains filtered or unexported fields

                                      func (*ProviderConfigSyncer) Run

                                      func (s *ProviderConfigSyncer) Run() chan struct{}

                                      func (*ProviderConfigSyncer) WaitUntilInitialSync

                                      func (s *ProviderConfigSyncer) WaitUntilInitialSync()

                                      type RequestTokenExtractor

                                      type RequestTokenExtractor func(r *http.Request) (string, error)

                                        RequestTokenExtractor funcs extract a raw encoded token from a request.

                                        func CookieTokenExtractor

                                        func CookieTokenExtractor(cookieName string) RequestTokenExtractor

                                          CookieTokenExtractor returns a RequestTokenExtractor which extracts a token from the named cookie in a request.

                                          type TokenRefresher

                                          type TokenRefresher interface {
                                          	// Verify checks if the provided token is currently valid or not.
                                          	Verify(jose.JWT) error
                                          	// Refresh attempts to authenticate and retrieve a new token.
                                          	Refresh() (jose.JWT, error)