Index ¶
- func DeleteClient(clientID string) error
- func FilterScopes(c *Client, requested string) string
- func GenerateClientID() (string, error)
- func GenerateClientSecret() (string, error)
- func HandleDeleteClient(w http.ResponseWriter, r *http.Request)
- func HandleGetClient(w http.ResponseWriter, r *http.Request)
- func HandleListClients(w http.ResponseWriter, r *http.Request)
- func HandleRegister(w http.ResponseWriter, r *http.Request)
- func HandleUpdateClient(w http.ResponseWriter, r *http.Request)
- func IsGrantTypeAllowed(client *Client, grantType string) bool
- func IsResponseTypeAllowed(client *Client, responseType string) bool
- func IsValidRedirectURI(client *Client, redirectURI string) bool
- func UpdateClient(clientID string, req ClientUpdateRequest) error
- func ValidateClientCreateRequest(input ClientCreateRequest) error
- func ValidateClientUpdateRequest(input ClientUpdateRequest) error
- func ValidateRedirectURIs(uris []string) error
- func ValidateScopes(c *Client, requested string) bool
- type Client
- type ClientCreateRequest
- type ClientInfoResponse
- type ClientResponse
- type ClientUpdateRequest
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DeleteClient ¶
DeleteClient performs a soft delete by setting is_active to false
func FilterScopes ¶ added in v1.2.0
FilterScopes returns the intersection of the requested scopes and the client's allowed scopes, preserving the original request order. If the client is nil or has no scopes configured, the requested scopes are returned unchanged.
func GenerateClientID ¶
GenerateClientID generates a unique client identifier
func GenerateClientSecret ¶
GenerateClientSecret generates a secure client secret
func HandleDeleteClient ¶
func HandleDeleteClient(w http.ResponseWriter, r *http.Request)
HandleDeleteClient handles DELETE /oauth2/register/{client_id} (RFC 7591) and DELETE /admin/api/clients/{client_id}.
@Summary Deactivate a client
@Description Deactivates (soft deletes) a registered client. Also available at /oauth2/register/{client_id}.
@Tags admin-client
@Param client_id path string true "Client ID"
@Security AdminAuth
@Success 204 "No Content"
@Failure 404 {object} model.AuthErrorResponse
@Router /oauth2/register/{client_id} [delete]
@Router /admin/api/clients/{client_id} [delete]
func HandleGetClient ¶
func HandleGetClient(w http.ResponseWriter, r *http.Request)
HandleGetClient handles GET /oauth2/register/{client_id} (RFC 7591) and GET /admin/api/clients/{client_id}.
@Summary Get client information
@Description Retrieves information about a registered client. Also available at /oauth2/register/{client_id}.
@Tags admin-client
@Produce json
@Param client_id path string true "Client ID"
@Security AdminAuth
@Success 200 {object} ClientInfoResponse
@Failure 404 {object} model.AuthErrorResponse
@Router /oauth2/register/{client_id} [get]
@Router /admin/api/clients/{client_id} [get]
func HandleListClients ¶
func HandleListClients(w http.ResponseWriter, r *http.Request)
HandleListClients handles GET /oauth2/register (RFC 7591) and GET /admin/api/clients - lists all clients.
@Summary List all clients
@Description Lists all registered clients. Also available at /oauth2/register.
@Tags admin-client
@Produce json
@Security AdminAuth
@Success 200 {array} ClientInfoResponse
@Failure 500 {object} model.AuthErrorResponse
@Router /oauth2/register [get]
@Router /admin/api/clients [get]
func HandleRegister ¶
func HandleRegister(w http.ResponseWriter, r *http.Request)
HandleRegister handles POST /oauth2/register (RFC 7591) and POST /admin/api/clients - creates a new client.
@Summary Register a new OAuth2 client
@Description Registers a new OAuth2/OIDC client. Also available at /oauth2/register (RFC 7591 Dynamic Client Registration).
@Tags admin-client
@Accept json
@Produce json
@Param request body ClientCreateRequest true "Client registration request"
@Security AdminAuth
@Success 201 {object} ClientResponse
@Failure 400 {object} model.AuthErrorResponse
@Failure 500 {object} model.AuthErrorResponse
@Router /oauth2/register [post]
@Router /admin/api/clients [post]
func HandleUpdateClient ¶
func HandleUpdateClient(w http.ResponseWriter, r *http.Request)
HandleUpdateClient handles PUT /oauth2/register/{client_id} (RFC 7591) and PUT /admin/api/clients/{client_id}.
@Summary Update client information
@Description Updates a registered client. Also available at /oauth2/register/{client_id}.
@Tags admin-client
@Accept json
@Produce json
@Param client_id path string true "Client ID"
@Param request body ClientUpdateRequest true "Client update request"
@Security AdminAuth
@Success 200 {object} ClientInfoResponse
@Failure 400 {object} model.AuthErrorResponse
@Failure 404 {object} model.AuthErrorResponse
@Router /oauth2/register/{client_id} [put]
@Router /admin/api/clients/{client_id} [put]
func IsGrantTypeAllowed ¶
IsGrantTypeAllowed checks if the given grant type is allowed for the client
func IsResponseTypeAllowed ¶
IsResponseTypeAllowed checks if the given response type is allowed for the client
func IsValidRedirectURI ¶
IsValidRedirectURI checks if the given redirect URI is allowed for the client
func UpdateClient ¶
func UpdateClient(clientID string, req ClientUpdateRequest) error
func ValidateClientCreateRequest ¶
func ValidateClientCreateRequest(input ClientCreateRequest) error
ValidateClientCreateRequest validates a client registration request
func ValidateClientUpdateRequest ¶
func ValidateClientUpdateRequest(input ClientUpdateRequest) error
ValidateClientUpdateRequest validates a client update request
func ValidateRedirectURIs ¶
ValidateRedirectURIs validates that all redirect URIs are valid URLs
func ValidateScopes ¶ added in v1.2.0
ValidateScopes returns true if every requested scope is within the client's allowed scopes. Returns true unconditionally when the client is nil, has no scopes configured, or the requested scope string is empty.
Types ¶
type Client ¶
type Client struct {
	// Database row identifier; distinct from the public ClientID.
	ID string `db:"id"`
	// Public OAuth2 client identifier (see GenerateClientID).
	ClientID string `db:"client_id"`
	// Client secret as persisted. NOTE(review): this page does not show whether
	// the value is stored hashed or in plaintext — confirm in the code that
	// writes it (CreateClient) and compares it (AuthenticateClient).
	ClientSecret string `db:"client_secret"`
	// Human-readable display name.
	ClientName string `db:"client_name"`
	// Client type; the set of valid values is not visible here
	// (presumably distinguishes public from confidential clients — confirm).
	ClientType string `db:"client_type"`
	// Serialized list of allowed redirect URIs; parsed into a slice by
	// GetRedirectURIs and checked per request by IsValidRedirectURI.
	RedirectURIs string `db:"redirect_uris"`
	// Serialized list; parsed into a slice by GetPostLogoutRedirectURIs.
	PostLogoutRedirectURIs string `db:"post_logout_redirect_uris"`
	// Serialized list; parsed by GetGrantTypes and checked by IsGrantTypeAllowed.
	GrantTypes string `db:"grant_types"`
	// Serialized list; parsed by GetResponseTypes and checked by IsResponseTypeAllowed.
	ResponseTypes string `db:"response_types"`
	// Allowed scopes, consulted by FilterScopes and ValidateScopes. Note that
	// both treat an empty value as "no restriction": every requested scope
	// passes, so an unset Scopes field widens rather than narrows access.
	Scopes string `db:"scopes"`
	// Authentication method the client uses at the token endpoint; the
	// accepted values are not shown on this page.
	TokenEndpointAuthMethod string `db:"token_endpoint_auth_method"`
	// Set to false by DeleteClient (soft delete) instead of removing the row.
	IsActive bool `db:"is_active"`
	CreatedAt time.Time `db:"created_at"`
	UpdatedAt time.Time `db:"updated_at"`
	// Per-client overrides — nil means "use global setting".
	// ToOverrides converts these into a config.ClientOverrides for
	// config.GetForClient(). The expiration/timeout values are strings whose
	// format (duration syntax?) is not visible here — confirm before relying on it.
	AccessTokenExpiration *string `db:"access_token_expiration"`
	RefreshTokenExpiration *string `db:"refresh_token_expiration"`
	AuthorizationCodeExpiration *string `db:"authorization_code_expiration"`
	AllowedAudiences *string `db:"allowed_audiences"` // JSON array
	AllowSelfSignup *bool `db:"allow_self_signup"`
	SsoSessionIdleTimeout *string `db:"sso_session_idle_timeout"`
	TrustDeviceEnabled *bool `db:"trust_device_enabled"`
	TrustDeviceExpiration *string `db:"trust_device_expiration"`
}
Client represents an OAuth2/OIDC client in the database
func AuthenticateClient ¶
AuthenticateClient verifies the client credentials. Returns the client if authentication succeeds, an error otherwise.
func AuthenticateClientFromRequest ¶
AuthenticateClientFromRequest extracts client credentials from the HTTP request and authenticates the client. Supports both Basic Auth and form parameters. Returns nil, nil when no client credentials are provided (kept for backward compatibility), so callers must check for a nil client rather than relying on the error alone to decide whether the request was authenticated.
func ClientByClientID ¶
func ClientByID ¶
func ListClients ¶
func (*Client) GetGrantTypes ¶
GetGrantTypes parses and returns the grant types as a slice
func (*Client) GetPostLogoutRedirectURIs ¶ added in v1.3.2
GetPostLogoutRedirectURIs parses and returns the post-logout redirect URIs as a slice
func (*Client) GetRedirectURIs ¶
GetRedirectURIs parses and returns the redirect URIs as a slice
func (*Client) GetResponseTypes ¶
GetResponseTypes parses and returns the response types as a slice
func (*Client) ToInfoResponse ¶
func (c *Client) ToInfoResponse() *ClientInfoResponse
ToInfoResponse converts a Client to a ClientInfoResponse
func (*Client) ToOverrides ¶
func (c *Client) ToOverrides() config.ClientOverrides
ToOverrides converts the nullable client override fields into a config.ClientOverrides struct, which can be passed to config.GetForClient() to resolve per-client settings.
type ClientCreateRequest ¶
type ClientCreateRequest struct {
	// Optional caller-supplied identifier. When empty the server presumably
	// generates one via GenerateClientID — confirm in CreateClient.
	ClientID string `json:"client_id,omitempty"`
	// Optional caller-supplied secret. NOTE(review): a caller-chosen value
	// bypasses GenerateClientSecret, so confirm that
	// ValidateClientCreateRequest enforces a minimum length/entropy for it.
	ClientSecret string `json:"client_secret,omitempty"`
	ClientName string `json:"client_name"`
	// Required. Each entry must be a valid URL (ValidateRedirectURIs).
	RedirectURIs []string `json:"redirect_uris"`
	PostLogoutRedirectURIs []string `json:"post_logout_redirect_uris,omitempty"`
	GrantTypes []string `json:"grant_types,omitempty"`
	ResponseTypes []string `json:"response_types,omitempty"`
	ClientType string `json:"client_type,omitempty"`
	// Allowed scopes, presumably stored as Client.Scopes. Leaving it empty
	// means FilterScopes/ValidateScopes impose no restriction on the client.
	Scopes string `json:"scopes,omitempty"`
	TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"`
	// Per-client overrides; nil means "use global setting" (see Client).
	// AllowedAudiences is a list here but persisted as a JSON-array string
	// on Client.
	AccessTokenExpiration *string `json:"access_token_expiration,omitempty"`
	RefreshTokenExpiration *string `json:"refresh_token_expiration,omitempty"`
	AuthorizationCodeExpiration *string `json:"authorization_code_expiration,omitempty"`
	AllowedAudiences []string `json:"allowed_audiences,omitempty"`
	AllowSelfSignup *bool `json:"allow_self_signup,omitempty"`
	SsoSessionIdleTimeout *string `json:"sso_session_idle_timeout,omitempty"`
	TrustDeviceEnabled *bool `json:"trust_device_enabled,omitempty"`
	TrustDeviceExpiration *string `json:"trust_device_expiration,omitempty"`
}
ClientCreateRequest represents the request body for client registration
type ClientInfoResponse ¶
type ClientInfoResponse struct {
	// Built from a Client by ToInfoResponse. Deliberately has no
	// ClientSecret field, so it is safe to return from GET/PUT/list endpoints.
	ClientID string `json:"client_id"`
	ClientName string `json:"client_name"`
	ClientType string `json:"client_type"`
	// List fields are the parsed forms of the serialized Client columns
	// (GetRedirectURIs, GetPostLogoutRedirectURIs, GetGrantTypes, GetResponseTypes).
	RedirectURIs []string `json:"redirect_uris"`
	PostLogoutRedirectURIs []string `json:"post_logout_redirect_uris"`
	GrantTypes []string `json:"grant_types"`
	ResponseTypes []string `json:"response_types"`
	Scopes string `json:"scopes"`
	TokenEndpointAuthMethod string `json:"token_endpoint_auth_method"`
	// False for clients soft-deleted by DeleteClient.
	IsActive bool `json:"is_active"`
	// Per-client overrides; omitted from the JSON when nil (global setting applies).
	AccessTokenExpiration *string `json:"access_token_expiration,omitempty"`
	RefreshTokenExpiration *string `json:"refresh_token_expiration,omitempty"`
	AuthorizationCodeExpiration *string `json:"authorization_code_expiration,omitempty"`
	AllowedAudiences []string `json:"allowed_audiences,omitempty"`
	AllowSelfSignup *bool `json:"allow_self_signup,omitempty"`
	SsoSessionIdleTimeout *string `json:"sso_session_idle_timeout,omitempty"`
	TrustDeviceEnabled *bool `json:"trust_device_enabled,omitempty"`
	TrustDeviceExpiration *string `json:"trust_device_expiration,omitempty"`
}
ClientInfoResponse represents the response for getting client info (without secret)
type ClientResponse ¶
type ClientResponse struct {
	// RFC 7591 §3.2.1: client_id is REQUIRED.
	ClientID string `json:"client_id"`
	// RFC 7591 §3.2.1: client_secret is OPTIONAL (issued for confidential clients).
	// This is the only response type that carries the secret; it is returned
	// once from CreateClient/CreateClientWithID (HandleRegister, 201) and
	// ClientInfoResponse omits it thereafter.
	ClientSecret string `json:"client_secret,omitempty"`
	// RFC 7591 §3.2.1: REQUIRED if client_secret is issued. 0 means no expiration.
	// NOTE(review): typed int while ClientIDIssuedAt is int64; consider
	// aligning both Unix-timestamp fields on int64.
	ClientSecretExpiresAt int `json:"client_secret_expires_at"`
	// RFC 7591 §3.2.1: OPTIONAL. Time at which the client_id was issued (Unix timestamp).
	ClientIDIssuedAt int64 `json:"client_id_issued_at"`
	// Remaining fields echo the registered metadata, as §3.2.1 requires the
	// server to return everything it registered for the client.
	ClientName string `json:"client_name"`
	ClientType string `json:"client_type"`
	RedirectURIs []string `json:"redirect_uris"`
	PostLogoutRedirectURIs []string `json:"post_logout_redirect_uris"`
	GrantTypes []string `json:"grant_types"`
	ResponseTypes []string `json:"response_types"`
	Scopes string `json:"scopes"`
	TokenEndpointAuthMethod string `json:"token_endpoint_auth_method"`
}
ClientResponse represents the response for client operations. It is the registration response per RFC 7591 §3.2.1: the server MUST return all registered metadata about this client.
func CreateClient ¶
func CreateClient(req ClientCreateRequest) (*ClientResponse, error)
func CreateClientWithID ¶
func CreateClientWithID(clientID string, req ClientCreateRequest) (*ClientResponse, error)
type ClientUpdateRequest ¶
type ClientUpdateRequest struct {
	// Every field is optional (omitempty); validated by ValidateClientUpdateRequest
	// and applied by UpdateClient. Whether an omitted field is left unchanged or
	// reset is not visible on this page — confirm in UpdateClient.
	ClientName string `json:"client_name,omitempty"`
	// Each entry must be a valid URL (ValidateRedirectURIs).
	RedirectURIs []string `json:"redirect_uris,omitempty"`
	PostLogoutRedirectURIs []string `json:"post_logout_redirect_uris,omitempty"`
	GrantTypes []string `json:"grant_types,omitempty"`
	ResponseTypes []string `json:"response_types,omitempty"`
	// An empty Scopes value on the stored Client means FilterScopes/ValidateScopes
	// impose no restriction, so clearing scopes widens access.
	Scopes string `json:"scopes,omitempty"`
	TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"`
	// Pointer so that "not provided" (nil) can be told apart from false.
	// NOTE(review): a true value here can presumably re-activate a client that
	// DeleteClient soft-deleted; confirm that is intended for the PUT endpoints.
	IsActive *bool `json:"is_active,omitempty"`
	// Per-client overrides; nil means "use global setting" (see Client).
	AccessTokenExpiration *string `json:"access_token_expiration,omitempty"`
	RefreshTokenExpiration *string `json:"refresh_token_expiration,omitempty"`
	AuthorizationCodeExpiration *string `json:"authorization_code_expiration,omitempty"`
	AllowedAudiences []string `json:"allowed_audiences,omitempty"`
	AllowSelfSignup *bool `json:"allow_self_signup,omitempty"`
	SsoSessionIdleTimeout *string `json:"sso_session_idle_timeout,omitempty"`
	TrustDeviceEnabled *bool `json:"trust_device_enabled,omitempty"`
	TrustDeviceExpiration *string `json:"trust_device_expiration,omitempty"`
}
ClientUpdateRequest represents the request body for updating a client