Documentation

Overview

    Package oidc is DEPRECATED. Use github.com/coreos/go-oidc instead.

    Index

    Constants

    View Source
    const (
    	// Subject Identifier types defined by the OIDC spec. Specifies if the provider
    	// should provide the same sub claim value to all clients (public) or a unique
    	// value for each client (pairwise).
    	//
    	// See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
    	SubjectTypePublic   = "public"
    	SubjectTypePairwise = "pairwise"
    )
    View Source
    const (
    	MaximumProviderConfigSyncInterval = 24 * time.Hour
    	MinimumProviderConfigSyncInterval = time.Minute
    )
    View Source
    const DefaultPublicKeySetTTL = 24 * time.Hour

      DefaultPublicKeySetTTL is the default TTL set on the PublicKeySet if no Cache-Control header is provided by the JWK Set document endpoint.

      Variables

      View Source
      var (
      	// Default values for omitted provider config fields.
      	//
      	// Use ProviderConfig's Defaults method to fill a provider config with these values.
      	DefaultGrantTypesSupported               = []string{oauth2.GrantTypeAuthCode, oauth2.GrantTypeImplicit}
      	DefaultResponseModesSupported            = []string{"query", "fragment"}
      	DefaultTokenEndpointAuthMethodsSupported = []string{oauth2.AuthMethodClientSecretBasic}
      	DefaultClaimTypesSupported               = []string{"normal"}
      )
      View Source
      var (
      	DefaultScope = []string{"openid", "email", "profile"}
      )

      Functions

      func ExtractBearerToken

      func ExtractBearerToken(r *http.Request) (string, error)

        ExtractBearerToken is a RequestTokenExtractor which extracts a bearer token from a request's Authorization header.

        func GenClientID

        func GenClientID(hostport string) (string, error)

        func NewClaims

        func NewClaims(iss, sub string, aud interface{}, iat, exp time.Time) jose.Claims

        func NewHTTPProviderConfigGetter

        func NewHTTPProviderConfigGetter(hc phttp.Client, issuerURL string) *httpProviderConfigGetter

        func NewRemotePublicKeyRepo

        func NewRemotePublicKeyRepo(hc phttp.Client, ep string) *remotePublicKeyRepo

          NewRemotePublicKeyRepo is responsible for fetching the JWK Set document.

          func VerifyClaims

          func VerifyClaims(jwt jose.JWT, issuer, clientID string) error

            Verify claims in accordance with OIDC spec http://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation

            func VerifyClientClaims

            func VerifyClientClaims(jwt jose.JWT, issuer string) (string, error)

              VerifyClientClaims verifies all the required claims are valid for a "client credentials" JWT. Returns the client ID if valid, or an error if invalid.

              func VerifySignature

              func VerifySignature(jwt jose.JWT, keys []key.PublicKey) (bool, error)

              Types

              type AuthenticatedTransport

              type AuthenticatedTransport struct {
              	TokenRefresher
              	http.RoundTripper
              	// contains filtered or unexported fields
              }

              func (*AuthenticatedTransport) RoundTrip

              func (t *AuthenticatedTransport) RoundTrip(r *http.Request) (*http.Response, error)

              func (*AuthenticatedTransport) SetJWT

              func (t *AuthenticatedTransport) SetJWT(jwt jose.JWT)

                SetJWT sets the JWT held by the Transport. This is useful for cases in which you want to set an initial JWT.

                type Client

                type Client struct {
                	// contains filtered or unexported fields
                }

                func NewClient

                func NewClient(cfg ClientConfig) (*Client, error)

                func (*Client) ClientCredsToken

                func (c *Client) ClientCredsToken(scope []string) (jose.JWT, error)

                func (*Client) ExchangeAuthCode

                func (c *Client) ExchangeAuthCode(code string) (jose.JWT, error)

                  ExchangeAuthCode exchanges an OAuth2 auth code for an OIDC JWT ID token.

                  func (*Client) Healthy

                  func (c *Client) Healthy() error

                  func (*Client) OAuthClient

                  func (c *Client) OAuthClient() (*oauth2.Client, error)

                  func (*Client) RefreshToken

                  func (c *Client) RefreshToken(refreshToken string) (jose.JWT, error)

                    RefreshToken uses a refresh token to exchange for a new OIDC JWT ID Token.

                    func (*Client) SyncProviderConfig

                    func (c *Client) SyncProviderConfig(discoveryURL string) chan struct{}

                      SyncProviderConfig starts the provider config syncer

                      func (*Client) VerifyJWT

                      func (c *Client) VerifyJWT(jwt jose.JWT) error

                      type ClientConfig

                      type ClientConfig struct {
                      	HTTPClient     phttp.Client
                      	Credentials    ClientCredentials
                      	Scope          []string
                      	RedirectURL    string
                      	ProviderConfig ProviderConfig
                      	KeySet         key.PublicKeySet
                      }

                      type ClientCredentials

                      type ClientCredentials oauth2.ClientCredentials

                      type ClientCredsTokenRefresher

                      type ClientCredsTokenRefresher struct {
                      	Issuer     string
                      	OIDCClient *Client
                      }

                      func (*ClientCredsTokenRefresher) Refresh

                      func (c *ClientCredsTokenRefresher) Refresh() (jwt jose.JWT, err error)

                      func (*ClientCredsTokenRefresher) Verify

                      func (c *ClientCredsTokenRefresher) Verify(jwt jose.JWT) (err error)

                      type ClientIdentity

                      type ClientIdentity struct {
                      	Credentials ClientCredentials
                      	Metadata    ClientMetadata
                      }

                      type ClientMetadata

                      type ClientMetadata struct {
                      	RedirectURIs []url.URL // Required
                      
                      	// A list of OAuth 2.0 "response_type" values that the client wishes to restrict
                      	// itself to. Either "code", "token", or another registered extension.
                      	//
                      	// If omitted, only "code" will be used.
                      	ResponseTypes []string
                      	// A list of OAuth 2.0 grant types the client wishes to restrict itself to.
                      	// The grant type values used by OIDC are "authorization_code", "implicit",
                      	// and "refresh_token".
                      	//
                      	// If ommitted, only "authorization_code" will be used.
                      	GrantTypes []string
                      	// "native" or "web". If omitted, "web".
                      	ApplicationType string
                      
                      	// List of email addresses.
                      	Contacts []mail.Address
                      	// Name of client to be presented to the end-user.
                      	ClientName string
                      	// URL that references a logo for the Client application.
                      	LogoURI *url.URL
                      	// URL of the home page of the Client.
                      	ClientURI *url.URL
                      	// Profile data policies and terms of use to be provided to the end user.
                      	PolicyURI         *url.URL
                      	TermsOfServiceURI *url.URL
                      
                      	// URL to or the value of the client's JSON Web Key Set document.
                      	JWKSURI *url.URL
                      	JWKS    *jose.JWKSet
                      
                      	// URL referencing a flie with a single JSON array of redirect URIs.
                      	SectorIdentifierURI *url.URL
                      
                      	SubjectType string
                      
                      	// Options to restrict the JWS alg and enc values used for server responses and requests.
                      	IDTokenResponseOptions  JWAOptions
                      	UserInfoResponseOptions JWAOptions
                      	RequestObjectOptions    JWAOptions
                      
                      	// Client requested authorization method and signing options for the token endpoint.
                      	//
                      	// Defaults to "client_secret_basic"
                      	TokenEndpointAuthMethod     string
                      	TokenEndpointAuthSigningAlg string
                      
                      	// DefaultMaxAge specifies the maximum amount of time in seconds before an authorized
                      	// user must reauthroize.
                      	//
                      	// If 0, no limitation is placed on the maximum.
                      	DefaultMaxAge int64
                      	// RequireAuthTime specifies if the auth_time claim in the ID token is required.
                      	RequireAuthTime bool
                      
                      	// Default Authentication Context Class Reference values for authentication requests.
                      	DefaultACRValues []string
                      
                      	// URI that a third party can use to initiate a login by the relaying party.
                      	//
                      	// See: http://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin
                      	InitiateLoginURI *url.URL
                      	// Pre-registered request_uri values that may be cached by the server.
                      	RequestURIs []url.URL
                      }

                        ClientMetadata holds metadata that the authorization server associates with a client identifier. The fields range from human-facing display strings such as client name, to items that impact the security of the protocol, such as the list of valid redirect URIs.

                        See http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata

                        TODO: support language specific claim representations http://openid.net/specs/openid-connect-registration-1_0.html#LanguagesAndScripts

                        func (ClientMetadata) Defaults

                        func (m ClientMetadata) Defaults() ClientMetadata

                          Defaults returns a shallow copy of ClientMetadata with default values replacing omitted fields.

                          func (*ClientMetadata) MarshalJSON

                          func (m *ClientMetadata) MarshalJSON() ([]byte, error)

                          func (*ClientMetadata) UnmarshalJSON

                          func (m *ClientMetadata) UnmarshalJSON(data []byte) error

                          func (*ClientMetadata) Valid

                          func (m *ClientMetadata) Valid() error

                            Valid determines if a ClientMetadata conforms with the OIDC specification.

                            Valid is called by UnmarshalJSON.

                            NOTE(ericchiang): For development purposes Valid does not mandate 'https' for URLs fields where the OIDC spec requires it. This may change in future releases of this package. See: https://github.com/coreos/go-oidc/issues/34

                            type ClientRegistrationResponse

                            type ClientRegistrationResponse struct {
                            	ClientID                string // Required
                            	ClientSecret            string
                            	RegistrationAccessToken string
                            	RegistrationClientURI   string
                            	// If IsZero is true, unspecified.
                            	ClientIDIssuedAt time.Time
                            	// Time at which the client_secret will expire.
                            	// If IsZero is true, it will not expire.
                            	ClientSecretExpiresAt time.Time
                            
                            	ClientMetadata
                            }

                            func (*ClientRegistrationResponse) MarshalJSON

                            func (c *ClientRegistrationResponse) MarshalJSON() ([]byte, error)

                            func (*ClientRegistrationResponse) UnmarshalJSON

                            func (c *ClientRegistrationResponse) UnmarshalJSON(data []byte) error

                            type Identity

                            type Identity struct {
                            	ID        string
                            	Name      string
                            	Email     string
                            	ExpiresAt time.Time
                            }

                            func IdentityFromClaims

                            func IdentityFromClaims(claims jose.Claims) (*Identity, error)

                            type JWAOptions

                            type JWAOptions struct {
                            	// SigningAlg specifies an JWA alg for signing JWTs.
                            	//
                            	// Specifying this field implies different actions depending on the context. It may
                            	// require objects be serialized and signed as a JWT instead of plain JSON, or
                            	// require an existing JWT object use the specified alg.
                            	//
                            	// See: http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
                            	SigningAlg string
                            	// EncryptionAlg, if provided, specifies that the returned or sent object be stored
                            	// (or nested) within a JWT object and encrypted with the provided JWA alg.
                            	EncryptionAlg string
                            	// EncryptionEnc specifies the JWA enc algorithm to use with EncryptionAlg. If
                            	// EncryptionAlg is provided and EncryptionEnc is omitted, this field defaults
                            	// to A128CBC-HS256.
                            	//
                            	// If EncryptionEnc is provided EncryptionAlg must also be specified.
                            	EncryptionEnc string
                            }

                            type JWTVerifier

                            type JWTVerifier struct {
                            	// contains filtered or unexported fields
                            }

                            func NewJWTVerifier

                            func NewJWTVerifier(issuer, clientID string, syncFunc func() error, keysFunc func() []key.PublicKey) JWTVerifier

                            func (*JWTVerifier) Verify

                            func (v *JWTVerifier) Verify(jwt jose.JWT) error

                            type LoginFunc

                            type LoginFunc func(ident Identity, sessionKey string) (redirectURL string, err error)

                            type ProviderConfig

                            type ProviderConfig struct {
                            	Issuer               *url.URL // Required
                            	AuthEndpoint         *url.URL // Required
                            	TokenEndpoint        *url.URL // Required if grant types other than "implicit" are supported
                            	UserInfoEndpoint     *url.URL
                            	KeysEndpoint         *url.URL // Required
                            	RegistrationEndpoint *url.URL
                            	EndSessionEndpoint   *url.URL
                            	CheckSessionIFrame   *url.URL
                            
                            	// Servers MAY choose not to advertise some supported scope values even when this
                            	// parameter is used, although those defined in OpenID Core SHOULD be listed, if supported.
                            	ScopesSupported []string
                            	// OAuth2.0 response types supported.
                            	ResponseTypesSupported []string // Required
                            	// OAuth2.0 response modes supported.
                            	//
                            	// If omitted, defaults to DefaultResponseModesSupported.
                            	ResponseModesSupported []string
                            	// OAuth2.0 grant types supported.
                            	//
                            	// If omitted, defaults to DefaultGrantTypesSupported.
                            	GrantTypesSupported []string
                            	ACRValuesSupported  []string
                            	// SubjectTypesSupported specifies strategies for providing values for the sub claim.
                            	SubjectTypesSupported []string // Required
                            
                            	// JWA signing and encryption algorith values supported for ID tokens.
                            	IDTokenSigningAlgValues    []string // Required
                            	IDTokenEncryptionAlgValues []string
                            	IDTokenEncryptionEncValues []string
                            
                            	// JWA signing and encryption algorith values supported for user info responses.
                            	UserInfoSigningAlgValues    []string
                            	UserInfoEncryptionAlgValues []string
                            	UserInfoEncryptionEncValues []string
                            
                            	// JWA signing and encryption algorith values supported for request objects.
                            	ReqObjSigningAlgValues    []string
                            	ReqObjEncryptionAlgValues []string
                            	ReqObjEncryptionEncValues []string
                            
                            	TokenEndpointAuthMethodsSupported          []string
                            	TokenEndpointAuthSigningAlgValuesSupported []string
                            	DisplayValuesSupported                     []string
                            	ClaimTypesSupported                        []string
                            	ClaimsSupported                            []string
                            	ServiceDocs                                *url.URL
                            	ClaimsLocalsSupported                      []string
                            	UILocalsSupported                          []string
                            	ClaimsParameterSupported                   bool
                            	RequestParameterSupported                  bool
                            	RequestURIParamaterSupported               bool
                            	RequireRequestURIRegistration              bool
                            
                            	Policy         *url.URL
                            	TermsOfService *url.URL
                            
                            	// Not part of the OpenID Provider Metadata
                            	ExpiresAt time.Time
                            }

                              ProviderConfig represents the OpenID Provider Metadata specifying what configurations a provider supports.

                              See: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

                              func FetchProviderConfig

                              func FetchProviderConfig(hc phttp.Client, issuerURL string) (ProviderConfig, error)

                              func WaitForProviderConfig

                              func WaitForProviderConfig(hc phttp.Client, issuerURL string) (pcfg ProviderConfig)

                              func (ProviderConfig) Defaults

                              func (p ProviderConfig) Defaults() ProviderConfig

                                Defaults returns a shallow copy of ProviderConfig with default values replacing omitted fields.

                                var cfg oidc.ProviderConfig
                                // Fill provider config with default values for omitted fields.
                                cfg = cfg.Defaults()
                                

                                func (ProviderConfig) Empty

                                func (p ProviderConfig) Empty() bool

                                  Empty returns if a ProviderConfig holds no information.

                                  This case generally indicates a ProviderConfigGetter has experienced an error and has nothing to report.

                                  func (*ProviderConfig) MarshalJSON

                                  func (p *ProviderConfig) MarshalJSON() ([]byte, error)

                                  func (ProviderConfig) Supports

                                  func (p ProviderConfig) Supports(c ClientMetadata) error

                                    Supports determines if provider supports a client given their respective metadata.

                                    func (ProviderConfig) SupportsGrantType

                                    func (p ProviderConfig) SupportsGrantType(grantType string) bool

                                    func (*ProviderConfig) UnmarshalJSON

                                    func (p *ProviderConfig) UnmarshalJSON(data []byte) error

                                    func (ProviderConfig) Valid

                                    func (p ProviderConfig) Valid() error

                                      Valid determines if a ProviderConfig conforms with the OIDC specification. If Valid returns successfully it guarantees required field are non-nil and URLs are well formed.

                                      Valid is called by UnmarshalJSON.

                                      NOTE(ericchiang): For development purposes Valid does not mandate 'https' for URLs fields where the OIDC spec requires it. This may change in future releases of this package. See: https://github.com/coreos/go-oidc/issues/34

                                      type ProviderConfigGetter

                                      type ProviderConfigGetter interface {
                                      	Get() (ProviderConfig, error)
                                      }

                                      type ProviderConfigSetter

                                      type ProviderConfigSetter interface {
                                      	Set(ProviderConfig) error
                                      }

                                      type ProviderConfigSyncer

                                      type ProviderConfigSyncer struct {
                                      	// contains filtered or unexported fields
                                      }

                                      func (*ProviderConfigSyncer) Run

                                      func (s *ProviderConfigSyncer) Run() chan struct{}

                                      func (*ProviderConfigSyncer) WaitUntilInitialSync

                                      func (s *ProviderConfigSyncer) WaitUntilInitialSync()

                                      type RequestTokenExtractor

                                      type RequestTokenExtractor func(r *http.Request) (string, error)

                                        RequestTokenExtractor funcs extract a raw encoded token from a request.

                                        func CookieTokenExtractor

                                        func CookieTokenExtractor(cookieName string) RequestTokenExtractor

                                          CookieTokenExtractor returns a RequestTokenExtractor which extracts a token from the named cookie in a request.

                                          type TokenRefresher

                                          type TokenRefresher interface {
                                          	// Verify checks if the provided token is currently valid or not.
                                          	Verify(jose.JWT) error
                                          
                                          	// Refresh attempts to authenticate and retrieve a new token.
                                          	Refresh() (jose.JWT, error)
                                          }