Documentation ¶
Index ¶
Constants ¶
const ( // JOSE asymmetric signing algorithm values as defined by RFC 7518 // // see: https://tools.ietf.org/html/rfc7518#section-3.1 RS256 = "RS256" // RSASSA-PKCS-v1.5 using SHA-256 RS384 = "RS384" // RSASSA-PKCS-v1.5 using SHA-384 RS512 = "RS512" // RSASSA-PKCS-v1.5 using SHA-512 ES256 = "ES256" // ECDSA using P-256 and SHA-256 ES384 = "ES384" // ECDSA using P-384 and SHA-384 ES512 = "ES512" // ECDSA using P-521 and SHA-512 PS256 = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256 PS384 = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384 PS512 = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512 )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Client ¶
type Client struct { Config *Config Provider *Provider Verifier *TokenVerifier }
type Config ¶
type Config struct { Issuer string `yaml:"issuer"` DefaultRedirectURI string `yaml:"defaultRedirectUri"` // If true, token expiry is not checked. SkipExpiryCheck bool `yaml:"skipExpiryCheck"` // SkipIssuerCheck is intended for specialized cases where the the caller wishes to // defer issuer validation. When enabled, callers MUST independently verify the Token's // Issuer is a known good value. // // Mismatched issuers often indicate client mis-configuration. If mismatches are // unexpected, evaluate if the provided issuer URL is incorrect instead of enabling // this option. SkipIssuerCheck bool `yaml:"skip_issuer_check"` }
Config is the configuration for an IDTokenVerifier.
type KeySet ¶
type KeySet interface { // VerifySignature parses the JSON web token, verifies the signature, and returns // the raw payload. Header and claim fields are validated by other parts of the // package. For example, the KeySet does not need to check values such as signature // algorithm, issuer, and audience since the IDTokenVerifier validates these values // independently. // // If VerifySignature makes HTTP requests to verify the token, it's expected to // use any HTTP client associated with the context through ClientContext. VerifySignature(ctx context.Context, jwt string) (payload []byte, err error) }
KeySet is a set of publc JSON Web Keys that can be used to validate the signature of JSON web tokens. This is expected to be backed by a remote key set through provider metadata discovery or an in-memory set of keys delivered out-of-band.
func NewRemoteKeySet ¶
NewRemoteKeySet returns a KeySet that can validate JSON web tokens by using HTTP GETs to fetch JSON web token sets hosted at a remote URL. This is automatically used by NewProvider using the URLs returned by OpenID Connect discovery, but is exposed for providers that don't support discovery or to prevent round trips to the discovery URL.
The returned KeySet is a long lived verifier that caches keys based on cache-control headers. Reuse a common remote key set instead of creating new ones as needed.
The behavior of the returned KeySet is undefined once the context is canceled.
type OAuthToken ¶
type OAuthToken struct { // The URL of the server which issued this token. OpenID Connect // requires this value always be identical to the URL used for // initial discovery. // // Note: Because of a known issue with Google Accounts' implementation // this value may differ when using Google. // // See: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo Issuer string // The client ID, or set of client IDs, that this token is issued for. For // common uses, this is the client that initialized the auth flow. // // This package ensures the audience contains an expected value. Audience []string // A unique string which identifies the end user. Subject string // End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences. Name string // Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael. Nickname string Picture string Email string Gender string // Expiry of the token. Ths package will not process tokens that have // expired unless that validation is explicitly turned off. Expiry time.Time // When the token was issued by the provider. IssuedAt time.Time // Initial nonce provided during the authentication redirect. // // This package does NOT provided verification on the value of this field // and it's the user's responsibility to ensure it contains a valid value. Nonce string // at_hash claim, if set in the ID token. Callers can verify an access token // that corresponds to the ID token using the VerifyAccessToken method. AccessTokenHash string // contains filtered or unexported fields }
IDToken is an OpenID Connect extension that provides a predictable representation of an authorization event.
The ID Token only holds fields OpenID Connect requires. To access additional claims returned by the server, use the Claims method.
type Provider ¶
type Provider struct {
// contains filtered or unexported fields
}
Provider represents an OpenID Connect server's configuration.
func NewProvider ¶
NewProvider uses the OpenID Connect discovery mechanism to construct a Provider.
The issuer is the URL identifier for the service. For example: "https://accounts.google.com" or "https://login.salesforce.com".
type TokenVerifier ¶
type TokenVerifier struct {
// contains filtered or unexported fields
}
IDTokenVerifier provides verification for ID Tokens.
func NewVerifier ¶
func NewVerifier(config *Config, provider *Provider) *TokenVerifier
func (*TokenVerifier) Verify ¶
func (v *TokenVerifier) Verify(ctx context.Context, rawToken string) (*OAuthToken, error)