The highest tagged major version is
Documentation
¶
Overview ¶
Package oidc is DEPRECATED. Use github.com/coreos/go-oidc instead.
Index ¶
- Constants
- Variables
- func ExtractBearerToken(r *http.Request) (string, error)
- func GenClientID(hostport string) (string, error)
- func NewClaims(iss, sub string, aud interface{}, iat, exp time.Time) jose.Claims
- func NewHTTPProviderConfigGetter(hc phttp.Client, issuerURL string) *httpProviderConfigGetter
- func NewRemotePublicKeyRepo(hc phttp.Client, ep string) *remotePublicKeyRepo
- func VerifyClaims(jwt jose.JWT, issuer, clientID string) error
- func VerifyClientClaims(jwt jose.JWT, issuer string) (string, error)
- func VerifySignature(jwt jose.JWT, keys []key.PublicKey) (bool, error)
- type AuthenticatedTransport
- type Client
- func (c *Client) ClientCredsToken(scope []string) (jose.JWT, error)
- func (c *Client) ExchangeAuthCode(code string) (jose.JWT, error)
- func (c *Client) Healthy() error
- func (c *Client) OAuthClient() (*oauth2.Client, error)
- func (c *Client) RefreshToken(refreshToken string) (jose.JWT, error)
- func (c *Client) SyncProviderConfig(discoveryURL string) chan struct{}
- func (c *Client) VerifyJWT(jwt jose.JWT) error
- type ClientConfig
- type ClientCredentials
- type ClientCredsTokenRefresher
- type ClientIdentity
- type ClientMetadata
- type ClientRegistrationResponse
- type Identity
- type JWAOptions
- type JWTVerifier
- type LoginFunc
- type ProviderConfig
- func (p ProviderConfig) Defaults() ProviderConfig
- func (p ProviderConfig) Empty() bool
- func (p *ProviderConfig) MarshalJSON() ([]byte, error)
- func (p ProviderConfig) Supports(c ClientMetadata) error
- func (p ProviderConfig) SupportsGrantType(grantType string) bool
- func (p *ProviderConfig) UnmarshalJSON(data []byte) error
- func (p ProviderConfig) Valid() error
- type ProviderConfigGetter
- type ProviderConfigSetter
- type ProviderConfigSyncer
- type RequestTokenExtractor
- type TokenRefresher
Constants ¶
View Source
const ( // Subject Identifier types defined by the OIDC spec. Specifies if the provider // should provide the same sub claim value to all clients (public) or a unique // value for each client (pairwise). // // See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes SubjectTypePublic = "public" SubjectTypePairwise = "pairwise" )
View Source
const ( MaximumProviderConfigSyncInterval = 24 * time.Hour MinimumProviderConfigSyncInterval = time.Minute )
View Source
const DefaultPublicKeySetTTL = 24 * time.Hour
DefaultPublicKeySetTTL is the default TTL set on the PublicKeySet if no Cache-Control header is provided by the JWK Set document endpoint.
Variables ¶
View Source
var ( // Default values for omitted provider config fields. // // Use ProviderConfig's Defaults method to fill a provider config with these values. DefaultGrantTypesSupported = []string{oauth2.GrantTypeAuthCode, oauth2.GrantTypeImplicit} DefaultResponseModesSupported = []string{"query", "fragment"} DefaultTokenEndpointAuthMethodsSupported = []string{oauth2.AuthMethodClientSecretBasic} DefaultClaimTypesSupported = []string{"normal"} )
View Source
var (
DefaultScope = []string{"openid", "email", "profile"}
)
Functions ¶
func ExtractBearerToken ¶
ExtractBearerToken is a RequestTokenExtractor which extracts a bearer token from a request's Authorization header.
func GenClientID ¶
func NewRemotePublicKeyRepo ¶
NewRemotePublicKeyRepo is responsible for fetching the JWK Set document.
func VerifyClaims ¶
Verify claims in accordance with OIDC spec http://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation
func VerifyClientClaims ¶
VerifyClientClaims verifies all the required claims are valid for a "client credentials" JWT. Returns the client ID if valid, or an error if invalid.
Types ¶
type AuthenticatedTransport ¶
type AuthenticatedTransport struct {
TokenRefresher
http.RoundTripper
// contains filtered or unexported fields
}
func (*AuthenticatedTransport) SetJWT ¶
func (t *AuthenticatedTransport) SetJWT(jwt jose.JWT)
SetJWT sets the JWT held by the Transport. This is useful for cases in which you want to set an initial JWT.
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
func NewClient ¶
func NewClient(cfg ClientConfig) (*Client, error)
func (*Client) ClientCredsToken ¶
func (*Client) ExchangeAuthCode ¶
ExchangeAuthCode exchanges an OAuth2 auth code for an OIDC JWT ID token.
func (*Client) RefreshToken ¶
RefreshToken uses a refresh token to exchange for a new OIDC JWT ID Token.
func (*Client) SyncProviderConfig ¶
SyncProviderConfig starts the provider config syncer
type ClientConfig ¶
type ClientConfig struct {
HTTPClient phttp.Client
Credentials ClientCredentials
Scope []string
RedirectURL string
ProviderConfig ProviderConfig
KeySet key.PublicKeySet
}
type ClientCredentials ¶
type ClientCredentials oauth2.ClientCredentials
type ClientCredsTokenRefresher ¶
type ClientIdentity ¶
type ClientIdentity struct {
Credentials ClientCredentials
Metadata ClientMetadata
}
type ClientMetadata ¶
type ClientMetadata struct {
RedirectURIs []url.URL // Required
// A list of OAuth 2.0 "response_type" values that the client wishes to restrict
// itself to. Either "code", "token", or another registered extension.
//
// If omitted, only "code" will be used.
ResponseTypes []string
// A list of OAuth 2.0 grant types the client wishes to restrict itself to.
// The grant type values used by OIDC are "authorization_code", "implicit",
// and "refresh_token".
//
// If ommitted, only "authorization_code" will be used.
GrantTypes []string
// "native" or "web". If omitted, "web".
ApplicationType string
// List of email addresses.
Contacts []mail.Address
// Name of client to be presented to the end-user.
ClientName string
// URL that references a logo for the Client application.
LogoURI *url.URL
// URL of the home page of the Client.
ClientURI *url.URL
// Profile data policies and terms of use to be provided to the end user.
PolicyURI *url.URL
TermsOfServiceURI *url.URL
// URL to or the value of the client's JSON Web Key Set document.
JWKSURI *url.URL
JWKS *jose.JWKSet
// URL referencing a flie with a single JSON array of redirect URIs.
SectorIdentifierURI *url.URL
SubjectType string
// Options to restrict the JWS alg and enc values used for server responses and requests.
IDTokenResponseOptions JWAOptions
UserInfoResponseOptions JWAOptions
RequestObjectOptions JWAOptions
// Client requested authorization method and signing options for the token endpoint.
//
// Defaults to "client_secret_basic"
TokenEndpointAuthMethod string
TokenEndpointAuthSigningAlg string
// DefaultMaxAge specifies the maximum amount of time in seconds before an authorized
// user must reauthroize.
//
// If 0, no limitation is placed on the maximum.
DefaultMaxAge int64
// RequireAuthTime specifies if the auth_time claim in the ID token is required.
RequireAuthTime bool
// Default Authentication Context Class Reference values for authentication requests.
DefaultACRValues []string
// URI that a third party can use to initiate a login by the relaying party.
//
// See: http://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin
InitiateLoginURI *url.URL
// Pre-registered request_uri values that may be cached by the server.
RequestURIs []url.URL
}
ClientMetadata holds metadata that the authorization server associates with a client identifier. The fields range from human-facing display strings such as client name, to items that impact the security of the protocol, such as the list of valid redirect URIs.
See http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
TODO: support language specific claim representations http://openid.net/specs/openid-connect-registration-1_0.html#LanguagesAndScripts
func (ClientMetadata) Defaults ¶
func (m ClientMetadata) Defaults() ClientMetadata
Defaults returns a shallow copy of ClientMetadata with default values replacing omitted fields.
func (*ClientMetadata) MarshalJSON ¶
func (m *ClientMetadata) MarshalJSON() ([]byte, error)
func (*ClientMetadata) UnmarshalJSON ¶
func (m *ClientMetadata) UnmarshalJSON(data []byte) error
func (*ClientMetadata) Valid ¶
func (m *ClientMetadata) Valid() error
Valid determines if a ClientMetadata conforms with the OIDC specification.
Valid is called by UnmarshalJSON.
NOTE(ericchiang): For development purposes Valid does not mandate 'https' for URLs fields where the OIDC spec requires it. This may change in future releases of this package. See: https://github.com/coreos/go-oidc/issues/34
type ClientRegistrationResponse ¶
type ClientRegistrationResponse struct {
ClientID string // Required
ClientSecret string
RegistrationAccessToken string
RegistrationClientURI string
// If IsZero is true, unspecified.
ClientIDIssuedAt time.Time
// Time at which the client_secret will expire.
// If IsZero is true, it will not expire.
ClientSecretExpiresAt time.Time
ClientMetadata
}
func (*ClientRegistrationResponse) MarshalJSON ¶
func (c *ClientRegistrationResponse) MarshalJSON() ([]byte, error)
func (*ClientRegistrationResponse) UnmarshalJSON ¶
func (c *ClientRegistrationResponse) UnmarshalJSON(data []byte) error
type JWAOptions ¶
type JWAOptions struct {
// SigningAlg specifies an JWA alg for signing JWTs.
//
// Specifying this field implies different actions depending on the context. It may
// require objects be serialized and signed as a JWT instead of plain JSON, or
// require an existing JWT object use the specified alg.
//
// See: http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
SigningAlg string
// EncryptionAlg, if provided, specifies that the returned or sent object be stored
// (or nested) within a JWT object and encrypted with the provided JWA alg.
EncryptionAlg string
// EncryptionEnc specifies the JWA enc algorithm to use with EncryptionAlg. If
// EncryptionAlg is provided and EncryptionEnc is omitted, this field defaults
// to A128CBC-HS256.
//
// If EncryptionEnc is provided EncryptionAlg must also be specified.
EncryptionEnc string
}
type JWTVerifier ¶
type JWTVerifier struct {
// contains filtered or unexported fields
}
func NewJWTVerifier ¶
func NewJWTVerifier(issuer, clientID string, syncFunc func() error, keysFunc func() []key.PublicKey) JWTVerifier
type ProviderConfig ¶
type ProviderConfig struct {
Issuer *url.URL // Required
AuthEndpoint *url.URL // Required
TokenEndpoint *url.URL // Required if grant types other than "implicit" are supported
UserInfoEndpoint *url.URL
KeysEndpoint *url.URL // Required
RegistrationEndpoint *url.URL
EndSessionEndpoint *url.URL
CheckSessionIFrame *url.URL
// Servers MAY choose not to advertise some supported scope values even when this
// parameter is used, although those defined in OpenID Core SHOULD be listed, if supported.
ScopesSupported []string
// OAuth2.0 response types supported.
ResponseTypesSupported []string // Required
// OAuth2.0 response modes supported.
//
// If omitted, defaults to DefaultResponseModesSupported.
ResponseModesSupported []string
// OAuth2.0 grant types supported.
//
// If omitted, defaults to DefaultGrantTypesSupported.
GrantTypesSupported []string
ACRValuesSupported []string
// SubjectTypesSupported specifies strategies for providing values for the sub claim.
SubjectTypesSupported []string // Required
// JWA signing and encryption algorith values supported for ID tokens.
IDTokenSigningAlgValues []string // Required
IDTokenEncryptionAlgValues []string
IDTokenEncryptionEncValues []string
// JWA signing and encryption algorith values supported for user info responses.
UserInfoSigningAlgValues []string
UserInfoEncryptionAlgValues []string
UserInfoEncryptionEncValues []string
// JWA signing and encryption algorith values supported for request objects.
ReqObjSigningAlgValues []string
ReqObjEncryptionAlgValues []string
ReqObjEncryptionEncValues []string
TokenEndpointAuthMethodsSupported []string
TokenEndpointAuthSigningAlgValuesSupported []string
DisplayValuesSupported []string
ClaimTypesSupported []string
ClaimsSupported []string
ServiceDocs *url.URL
ClaimsLocalsSupported []string
UILocalsSupported []string
ClaimsParameterSupported bool
RequestParameterSupported bool
RequestURIParamaterSupported bool
RequireRequestURIRegistration bool
Policy *url.URL
TermsOfService *url.URL
// Not part of the OpenID Provider Metadata
ExpiresAt time.Time
}
ProviderConfig represents the OpenID Provider Metadata specifying what configurations a provider supports.
See: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
func FetchProviderConfig ¶
func FetchProviderConfig(hc phttp.Client, issuerURL string) (ProviderConfig, error)
func WaitForProviderConfig ¶
func WaitForProviderConfig(hc phttp.Client, issuerURL string) (pcfg ProviderConfig)
func (ProviderConfig) Defaults ¶
func (p ProviderConfig) Defaults() ProviderConfig
Defaults returns a shallow copy of ProviderConfig with default values replacing omitted fields.
var cfg oidc.ProviderConfig // Fill provider config with default values for omitted fields. cfg = cfg.Defaults()
func (ProviderConfig) Empty ¶
func (p ProviderConfig) Empty() bool
Empty returns if a ProviderConfig holds no information.
This case generally indicates a ProviderConfigGetter has experienced an error and has nothing to report.
func (*ProviderConfig) MarshalJSON ¶
func (p *ProviderConfig) MarshalJSON() ([]byte, error)
func (ProviderConfig) Supports ¶
func (p ProviderConfig) Supports(c ClientMetadata) error
Supports determines if provider supports a client given their respective metadata.
func (ProviderConfig) SupportsGrantType ¶
func (p ProviderConfig) SupportsGrantType(grantType string) bool
func (*ProviderConfig) UnmarshalJSON ¶
func (p *ProviderConfig) UnmarshalJSON(data []byte) error
func (ProviderConfig) Valid ¶
func (p ProviderConfig) Valid() error
Valid determines if a ProviderConfig conforms with the OIDC specification. If Valid returns successfully it guarantees required field are non-nil and URLs are well formed.
Valid is called by UnmarshalJSON.
NOTE(ericchiang): For development purposes Valid does not mandate 'https' for URLs fields where the OIDC spec requires it. This may change in future releases of this package. See: https://github.com/coreos/go-oidc/issues/34
type ProviderConfigGetter ¶
type ProviderConfigGetter interface {
Get() (ProviderConfig, error)
}
type ProviderConfigSetter ¶
type ProviderConfigSetter interface {
Set(ProviderConfig) error
}
type ProviderConfigSyncer ¶
type ProviderConfigSyncer struct {
// contains filtered or unexported fields
}
func NewProviderConfigSyncer ¶
func NewProviderConfigSyncer(from ProviderConfigGetter, to ProviderConfigSetter) *ProviderConfigSyncer
func (*ProviderConfigSyncer) Run ¶
func (s *ProviderConfigSyncer) Run() chan struct{}
func (*ProviderConfigSyncer) WaitUntilInitialSync ¶
func (s *ProviderConfigSyncer) WaitUntilInitialSync()
type RequestTokenExtractor ¶
RequestTokenExtractor funcs extract a raw encoded token from a request.
func CookieTokenExtractor ¶
func CookieTokenExtractor(cookieName string) RequestTokenExtractor
CookieTokenExtractor returns a RequestTokenExtractor which extracts a token from the named cookie in a request.
Source Files
Click to show internal directories.
Click to hide internal directories.