gemidp

package module
v0.50.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 28, 2026 License: EUPL-1.2 Imports: 21 Imported by: 3

Documentation

Index

Constants

This section is empty.

Variables

View Source
var IdpProduction = NewIdp(EnvironmentProduction, "https://idp.app.ti-dienste.de")
View Source
var IdpReference = NewIdp(EnvironmentReference, "https://idp-ref.app.ti-dienste.de")
View Source
var IdpTest = NewIdp(EnvironmentTest, "https://idp-test.app.ti-dienste.de")

Functions

This section is empty.

Types

type Authenticator

type Authenticator struct {
	Environment Environment
	Metadata    Metadata
	// contains filtered or unexported fields
}

func NewAuthenticator

func NewAuthenticator(config AuthenticatorConfig) (*Authenticator, error)

NewAuthenticator creates a new Authenticator

func (*Authenticator) Authenticate

func (a *Authenticator) Authenticate(authURL string) (*CodeRedirectURL, error)

Authenticate authenticates the user with the gematik IDP-Dienst and returns the URL to which the user is redirected after authenticating. The challenge from the gematik IDP-Dienst is signed using the signer function in the AuthenticatorConfig.

type AuthenticatorConfig

type AuthenticatorConfig struct {
	Idp        Idp
	SignerFunc ChallengeSignerFunc

	// HTTPClient is used for metadata and key fetches; a redirect-suppressing copy of it drives the
	// challenge flow. When nil, a client with a default timeout is created.
	HTTPClient *http.Client
}

type Challenge

type Challenge struct {
	Challenge   string      `json:"challenge"`
	UserConsent UserConsent `json:"user_consent"`
}

Challenge sent from the gematik IDP-Dienst to the authenticator

type ChallengePayload

type ChallengePayload struct {
	Iss                 string `json:"iss"`
	Iat                 int64  `json:"iat"`
	Exp                 int64  `json:"exp"`
	TokenType           string `json:"token_type"`
	Jti                 string `json:"jti"`
	Snc                 string `json:"snc"`
	Scope               string `json:"scope"`
	CodeChallenge       string `json:"code_challenge"`
	CodeChallengeMethod string `json:"code_challenge_method"`
	ResponseType        string `json:"response_type"`
	RedirectURI         string `json:"redirect_uri"`
	ClientID            string `json:"client_id"`
	State               string `json:"state"`
	Nonce               string `json:"nonce"`
}

Payload of the signed challenge token sent from the gematik IDP-Dienst to the authenticator

type ChallengeSignerFunc

type ChallengeSignerFunc func(challenge Challenge) (string, error)

func SignWith

func SignWith(signFunc brainpool.SignFunc, certFunc func() (*x509.Certificate, error)) ChallengeSignerFunc

func SignWithSoftkey

func SignWithSoftkey(prk *ecdsa.PrivateKey, cert *x509.Certificate) ChallengeSignerFunc

func SignWithSoftkeyPEM

func SignWithSoftkeyPEM(prkPEM []byte, certPEM []byte) ChallengeSignerFunc

type Client

type Client struct {
	Environment Environment
	Idp         Idp
	Metadata    Metadata
	// contains filtered or unexported fields
}

func NewClientFromConfig

func NewClientFromConfig(config ClientConfig) (*Client, error)

func (*Client) AuthenticationURL

func (c *Client) AuthenticationURL(state, nonce, verifier string, options ...oidc.Option) (string, error)

func (*Client) ClientID

func (c *Client) ClientID() string

func (*Client) ExchangeForIdentity

func (c *Client) ExchangeForIdentity(code, verifier string, options ...oidc.Option) (*oidc.TokenResponse, error)

func (*Client) Issuer

func (c *Client) Issuer() string

func (*Client) LogoURI

func (c *Client) LogoURI() string

func (*Client) Name

func (c *Client) Name() string

func (*Client) RedirectURI

func (c *Client) RedirectURI() string

type ClientConfig

type ClientConfig struct {
	Environment       Environment `yaml:"environment"`
	BaseURL           string      `yaml:"base_url,omitempty"`
	Name              string      `yaml:"name"`
	LogoURI           string      `yaml:"logo_uri"`
	ClientID          string      `yaml:"client_id"`
	RedirectURI       string      `yaml:"redirect_uri"`
	Scopes            []string    `yaml:"scopes"`
	AuthenticatorMode bool        `yaml:"authenticator_mode"`
	UserAgent         string      `yaml:"user_agent"`

	// HTTPClient is used for metadata, key, and token requests. Not serialized; supplied
	// programmatically. When nil, a client with a default timeout is created. The configured
	// User-Agent is layered onto the client's transport either way.
	HTTPClient *http.Client `yaml:"-"`
}

ClientConfig of the gematik IDP-Dienst client

type CodeRedirectURL

type CodeRedirectURL struct {
	*url.URL
	Code  string
	State string
}

CodeRedirectURL is the URL to which the user is redirected after authenticating

type Environment

type Environment int

Environment of the gematik IDP-Dienst

const (
	EnvironmentTest Environment = iota
	EnvironmentReference
	EnvironmentProduction
)

func NewEnvironment

func NewEnvironment(s string) Environment

func (*Environment) UnmarshalYAML

func (e *Environment) UnmarshalYAML(unmarshal func(any) error) error

type Error

type Error struct {
	HttpCode         int    `json:"-"`
	ErrorCode        string `json:"error"`
	GematikErrorText string `json:"gematik_error_text"`
	GematikTimestamp int64  `json:"gematik_timestamp"`
	GematikUUID      string `json:"gematik_uuid"`
	GematikCode      string `json:"gematik_code"`
}

gematik IDP-Dienst returns an error in the following format:

{
	 "error":"invalid_request",
	 "gematik_error_text":
	 "client_id ist ungültig",
	 "gematik_timestamp":1713603116,
	 "gematik_uuid":"c0e2a77c-dfae-4b93-9baf-f170683962cb",
	 "gematik_code":"2012"
}

func (*Error) Error

func (e *Error) Error() string

type Idp

type Idp struct {
	// contains filtered or unexported fields
}

func GetIdpByEnvironment

func GetIdpByEnvironment(env Environment) Idp

func NewIdp

func NewIdp(env Environment, baseUrl string) Idp

type Metadata

type Metadata struct {
	Issuer                            string   `json:"issuer"`
	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
	TokenEndpoint                     string   `json:"token_endpoint"`
	JwksURI                           string   `json:"jwks_uri"`
	ResponseTypesSupported            []string `json:"response_types_supported"`
	ResponseModesSupported            []string `json:"response_modes_supported"`
	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported"`
	GrantTypesSupported               []string `json:"grant_types_supported"`
	IdTokenSigningAlgValuesSupported  []string `json:"id_token_signing_alg_values_supported"`
	ScopesSupported                   []string `json:"scopes_supported"`
	SubjectTypesSupported             []string `json:"subject_types_supported"`
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
	SigningKeyURI                     string   `json:"uri_puk_idp_sig"`
	EncryptionKeyURI                  string   `json:"uri_puk_idp_enc"`
}

OpenID Connect metadata of the gematik IDP-Dienst

type Njwt

type Njwt struct {
	Njwt string `json:"njwt"`
}

Nested JWT claims used during the challenge response flow

type TokenKeyPayload

type TokenKeyPayload struct {
	TokenKey     string `json:"token_key"`
	CodeVerifier string `json:"code_verifier"`
}

Payload of the token key sent from the client to the gematik IDP-Dienst to encrypt the token(s) when exchanging the authorization code

type UserConsent

type UserConsent struct {
	RequestedScopes map[string]string `json:"requested_scopes"`
	RequestedClaims map[string]string `json:"requested_claims"`
}

User consent of the challenge sent from the gematik IDP-Dienst to the authenticator

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL