oidfed

package module
v0.5.0
Published: Jun 17, 2025 License: MIT Imports: 43 Imported by: 6

README

Implementation of OpenID Federations for Golang


This repository holds a work-in-progress implementation of OpenID Federation in the Go language, with the goal of enabling Go applications to make use of OpenID Federation.

The implementation mainly focuses on the Relying Party and Intermediate / Trust Anchor side, but not on the OP side. However, building blocks can also be utilized for OPs or other entity types. We provide a basic library as well as a configurable and flexible federation entity to support higher level functionality.

  • This repository contains:
    • The basic go-oidfed library with the core oidfed functionalities.
    • It can be used to build all kind of oidfed capable entities.
  • The LightHouse repository at https://github.com/go-oidfed/lighthouse contains:
    • Higher level implementation for various federation endpoints
    • The LightHouse federation entity. This is a configurable and flexible federation entity that can be used as a
      • Trust Anchor
      • Intermediate Authority
      • Trust Mark Issuer
      • Resolver
      • Entity Collector
      • Everything at the same time.
  • The whoami-rp repository at https://github.com/go-oidfed/whoami-rp contains:
    • A simple - but not very useful - example RP.
  • The OFFA repository at https://github.com/go-oidfed/offa contains:
    • OFFA stands for Openid Federation Forward Auth
    • OFFA can be deployed next to existing services to add oidfed authentication to services that do not natively support it.
    • OFFA can be used with Apache, Caddy, NGINX, and Traefik.
Implementation State

The library is not considered stable and some features might be missing. We encourage everybody to give feedback on things that are missing, not working, or weird, as well as suggestions for improvements; and of course we are open to pull requests.

We try to be up-to-date with the latest version of the spec, but this might not always be the case.

Here we try to sum up the current implementation state (it is very likely that the list is not complete):

Feature Library Entity
OpenID Configuration Yes Yes
Trust Chain Building Yes When needed
Trust Chain Verification Yes Yes
Applying Metadata Policies Yes Yes
Applying Metadata from Superiors No No
Support for Custom Metadata Policy Operators Yes Yes
Filter Trust Chains Yes Yes
Configure Trust Anchors Yes Yes
Set Authority Hints N/A Yes
Resolve Endpoint Yes
IA Fetch Endpoint Yes
IA Listing Endpoint Yes
Trust Mark Endpoint Yes
Trust Marked Entities Endpoint Yes
Trust Mark Status Endpoint Yes
Trust Mark Owner Delegation Yes Yes
Trust Mark JWT Verification Yes Yes
Trust Mark JWT Verification including Delegation Yes Yes
Trust Mark Verification through Trust Mark Status Endpoint No No
JWT Type Verification Yes Yes
Requests using GET Yes
Requests using POST No
Client Authentication No
Automatic Client Registration Yes Yes
Authorization Code Flow with Automatic Client Registration using oidc key from jwks Yes
Authorization Code Flow with Automatic Client Registration using oidc key from jwks_uri No
Authorization Code Flow with Automatic Client Registration using oidc key from signed_jwks_uri No
Explicit Client Registration No No
Constraints Yes Yes
Federation Historical Keys Endpoint No No
Automatic Key Rollover No
Enrollment of Entities Yes
Configurable Checks for Enrollment Yes
Custom Checks for Enrollment Yes
Request Enrollment Yes
Configurable Checks for Trust Mark Issuance Yes
Custom Checks for Trust Mark Issuance Yes
Request to become entitled for a Trust Mark Yes
Automatically refresh trust marks in Entity Configuration Yes

This work was started in and supported by the Geant Trust & Identity Incubator.

Documentation

Overview

Code generated by go generate; DO NOT EDIT.

Index

Constants

const (
	MatchModeSubstringCaseInsensitive matchMode = "substring-case-insensitive"
	MatchModeSubstringCaseSensitive   matchMode = "substring-case-sensitive"
	MatchModeExactCaseSensitive       matchMode = "exact-case-sensitive"
	MatchModeExactCaseInsensitive     matchMode = "exact-case-insensitive"
	MatchModeFuzzy                    matchMode = "fuzzy"
)
const (
	InvalidRequest         = "invalid_request"
	InvalidClient          = "invalid_client"
	InvalidIssuer          = "invalid_issuer"
	InvalidSubject         = "invalid_subject"
	InvalidTrustAnchor     = "invalid_trust_anchor"
	InvalidTrustChain      = "invalid_trust_chain"
	InvalidMetadata        = "invalid_metadata"
	NotFound               = "not_found"
	ServerError            = "server_error"
	TemporarilyUnavailable = "temporarily_unavailable"
	UnsupportedParameter   = "unsupported_parameter"
)

Constants for some errors

Variables

OperatorOrder defines the order in which the PolicyOperator are applied. If custom PolicyOperator are implemented they must be added to this slice at the correct position

var ResolverCacheGracePeriod = time.Hour

ResolverCacheGracePeriod is a grace period for the resolver. If a cached statement is not yet expired but will expire within that period, the cached statement will be used, but a fresh statement might be requested in the background (see also ResolverCacheLifetimeElapsedGraceFactor).

var ResolverCacheLifetimeElapsedGraceFactor = 0.5

ResolverCacheLifetimeElapsedGraceFactor is a factor relevant for the grace period of the resolver. If a cached statement will expire within the ResolverCacheGracePeriod, it might be requested in the background before expiration. A fresh statement will only be requested if a certain amount of time has already elapsed. This factor defines how much time (relative to the total lifetime of that statement) must have elapsed for the statement to be refreshed. E.g. a factor of 0.75 means that a statement will only be refreshed if the statement expires within the ResolverCacheGracePeriod and 75% of the statement's lifetime has already elapsed. The purpose of this factor is to allow a bigger ResolverCacheGracePeriod and still deal with smaller statement lifetimes.
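To make the interplay of the two settings concrete, here is an added example that is not the library's own resolver code: it re-implements the documented refresh rule as a pure decision function. The names resolverCacheGracePeriod, resolverCacheLifetimeElapsedGraceFactor, cacheDecision and decide are local to this example, and the timestamps in main are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Added example, not the library's own code: a local re-implementation of the
// background-refresh rule documented for ResolverCacheGracePeriod and
// ResolverCacheLifetimeElapsedGraceFactor. The two variables below mirror the
// documented defaults but are declared here, not imported from the package.
var (
	resolverCacheGracePeriod                = time.Hour
	resolverCacheLifetimeElapsedGraceFactor = 0.5
)

// cacheDecision is what a resolver should do with a cached statement.
type cacheDecision int

const (
	useCached        cacheDecision = iota // fresh enough: serve from cache
	useCachedRefresh                      // serve from cache, refresh in background
	fetchFresh                            // expired: fetch before answering
)

func (d cacheDecision) String() string {
	return [...]string{"use-cached", "use-cached-and-refresh", "fetch-fresh"}[d]
}

// decide applies the documented rule:
//   - an expired statement is never served from the cache;
//   - a statement expiring within the grace period is still served, but a
//     background refresh is triggered only once factor * (exp - iat) of its
//     lifetime has elapsed, so short-lived statements are not refreshed on
//     every hit just because they always fall inside a large grace period.
func decide(now, iat, exp time.Time, grace time.Duration, factor float64) cacheDecision {
	if !now.Before(exp) {
		return fetchFresh
	}
	if exp.Sub(now) > grace {
		return useCached // not yet inside the grace window
	}
	lifetime := exp.Sub(iat)
	elapsed := now.Sub(iat)
	if lifetime <= 0 || float64(elapsed) >= factor*float64(lifetime) {
		return useCachedRefresh
	}
	return useCached
}

func main() {
	// Constructed sample timestamps.
	iat := time.Date(2025, 6, 17, 12, 0, 0, 0, time.UTC)
	grace, factor := resolverCacheGracePeriod, resolverCacheLifetimeElapsedGraceFactor

	// 24h statement, 30 minutes before expiry: inside the grace window and
	// almost all of the lifetime elapsed -> serve it and refresh in background.
	fmt.Println(decide(iat.Add(23*time.Hour+30*time.Minute), iat, iat.Add(24*time.Hour), grace, factor))
	// 30-minute statement, 5 minutes old: inside the grace window from the
	// start, but only 1/6 of the lifetime elapsed -> serve it, no refresh yet.
	fmt.Println(decide(iat.Add(5*time.Minute), iat, iat.Add(30*time.Minute), grace, factor))
	// Same statement at 20 minutes: past the 50% mark -> refresh in background.
	fmt.Println(decide(iat.Add(20*time.Minute), iat, iat.Add(30*time.Minute), grace, factor))
}
```

The second and third calls show what the factor buys: a 30-minute statement is inside a one-hour grace period for its whole life, so without the factor every cache hit would trigger a background fetch.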

var TrustChainsFilterValidMetadata = NewTrustChainsFilterFromCheckerFnc(
	func(chain TrustChain) bool {
		_, err := chain.Metadata()
		return err == nil
	},
)

TrustChainsFilterValidMetadata is a TrustChainsFilter that filters the TrustChains to the ones with valid Metadata

Functions

func DisableDebugLogging

func DisableDebugLogging()

DisableDebugLogging disables debug logging

func EnableDebugLogging

func EnableDebugLogging()

EnableDebugLogging enables debug logging

func RegisterPolicyOperator

func RegisterPolicyOperator(operator PolicyOperator)

RegisterPolicyOperator registers a new PolicyOperator and therefore makes it available to be used

func RegisterPolicyVerifier

func RegisterPolicyVerifier(v PolicyVerifier)

RegisterPolicyVerifier registers a PolicyVerifier

func TrustChainScoringPathLen

func TrustChainScoringPathLen(c TrustChain) int

TrustChainScoringPathLen is a TrustChainScoringFnc that uses the chain's path length

Types

type AllowedTrustMarkIssuers

type AllowedTrustMarkIssuers map[string][]string

AllowedTrustMarkIssuers is a type for defining which TrustMarks can be issued by which entities

type CollectedEntity

type CollectedEntity struct {
	EntityID   string         `json:"entity_id"`
	TrustMarks TrustMarkInfos `json:"trust_marks,omitempty"`
	TrustChain JWSMessages    `json:"trust_chain,omitempty"`

	EntityTypes []string          `json:"entity_types,omitempty"`
	UIInfos     map[string]UIInfo `json:"ui_infos,omitempty"`
	Extra       map[string]any    `json:"-"`
	// contains filtered or unexported fields
}

CollectedEntity is a type describing a single collected entity

func (CollectedEntity) MarshalJSON

func (e CollectedEntity) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*CollectedEntity) UnmarshalJSON

func (e *CollectedEntity) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type ConstraintSpecification

type ConstraintSpecification struct {
	MaxPathLength      *int               `json:"max_path_length,omitempty"`
	NamingConstraints  *NamingConstraints `json:"naming_constraints,omitempty"`
	AllowedEntityTypes []string           `json:"allowed_entity_types,omitempty"`
}

ConstraintSpecification is a type for holding constraints according to the OpenID Federation spec
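As an added example that is not part of the library, the following code shows how the three constraint kinds carried by a ConstraintSpecification are enforced against the chain below the entity that set them: max_path_length bounds the number of intermediates, naming_constraints restrict subordinate entity IDs, and allowed_entity_types restricts the leaf. The types constraintSpec, namingConstraints and chainBelow are simplified local stand-ins (the page does not show the fields of NamingConstraints; the permitted/excluded host-suffix matching used here is an assumption modelled on RFC 5280-style DNS name constraints), and the chain in main is constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"slices"
	"strings"
)

// Added example, not the library's code: enforcing the three constraint kinds of a
// ConstraintSpecification against the part of a trust chain below the entity that set
// them. constraintSpec and namingConstraints are simplified local stand-ins for the
// page's types (the fields of NamingConstraints are not shown on the page; the
// permitted/excluded host-suffix matching is this example's assumption).
type namingConstraints struct {
	Permitted []string // host suffixes that subordinate entity IDs must fall under
	Excluded  []string // host suffixes that are never acceptable
}

type constraintSpec struct {
	MaxPathLength      *int
	NamingConstraints  *namingConstraints
	AllowedEntityTypes []string
}

// chainBelow is everything under the constraining entity: the intermediates'
// entity IDs and the leaf together with the entity types it claims.
type chainBelow struct {
	Intermediates []string
	Leaf          string
	LeafTypes     []string
}

// hostOf returns the lower-cased host of an entity ID (an https URL), or "".
func hostOf(entityID string) string {
	u, err := url.Parse(entityID)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// matches reports whether host equals suffix or is a subdomain of it.
func matches(host, suffix string) bool {
	suffix = strings.ToLower(strings.TrimPrefix(suffix, "."))
	return host != "" && (host == suffix || strings.HasSuffix(host, "."+suffix))
}

// check returns the first violated constraint, or nil if the chain below is acceptable.
func (c constraintSpec) check(ch chainBelow) error {
	// max_path_length: the maximum number of intermediates between this entity and the leaf.
	if c.MaxPathLength != nil && len(ch.Intermediates) > *c.MaxPathLength {
		return fmt.Errorf("max_path_length %d exceeded: %d intermediates", *c.MaxPathLength, len(ch.Intermediates))
	}
	// naming_constraints apply to every subordinate entity ID, the leaf included.
	if nc := c.NamingConstraints; nc != nil {
		for _, id := range append(append([]string{}, ch.Intermediates...), ch.Leaf) {
			host := hostOf(id)
			in := func(s string) bool { return matches(host, s) }
			if slices.ContainsFunc(nc.Excluded, in) {
				return fmt.Errorf("%s is excluded by the naming constraints", id)
			}
			if len(nc.Permitted) > 0 && !slices.ContainsFunc(nc.Permitted, in) {
				return fmt.Errorf("%s is outside the permitted names %v", id, nc.Permitted)
			}
		}
	}
	// allowed_entity_types restricts the leaf; federation_entity is treated as always allowed.
	for _, t := range ch.LeafTypes {
		if len(c.AllowedEntityTypes) > 0 && t != "federation_entity" && !slices.Contains(c.AllowedEntityTypes, t) {
			return fmt.Errorf("entity type %q is not allowed below this entity", t)
		}
	}
	return nil
}

func main() {
	// Constructed sample: constraints set by an intermediate, and a chain below it.
	one := 1
	spec := constraintSpec{
		MaxPathLength:      &one,
		NamingConstraints:  &namingConstraints{Permitted: []string{"example.org"}, Excluded: []string{"test.example.org"}},
		AllowedEntityTypes: []string{"openid_relying_party"},
	}
	good := chainBelow{Intermediates: []string{"https://ia.example.org"}, Leaf: "https://rp.example.org", LeafTypes: []string{"openid_relying_party", "federation_entity"}}
	fmt.Println(spec.check(good)) // <nil>
	fmt.Println(spec.check(chainBelow{Leaf: "https://op.test.example.org", LeafTypes: []string{"openid_provider"}}))
}
```

A chain verifier has to run a check like this for every superior in the chain that carries constraints, since each superior constrains everything below it, not just its direct subordinate.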

type DelegationJWT

type DelegationJWT struct {
	Issuer        string                 `json:"iss"`
	Subject       string                 `json:"sub"`
	TrustMarkType string                 `json:"trust_mark_type"`
	IssuedAt      unixtime.Unixtime      `json:"iat"`
	ExpiresAt     *unixtime.Unixtime     `json:"exp,omitempty"`
	Ref           string                 `json:"ref,omitempty"`
	Extra         map[string]interface{} `json:"-"`
	// contains filtered or unexported fields
}

DelegationJWT is a type for holding information about a delegation jwt

func (DelegationJWT) MarshalJSON

func (djwt DelegationJWT) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.

func (*DelegationJWT) UnmarshalJSON

func (djwt *DelegationJWT) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshals additional fields into the Extra claim.

func (DelegationJWT) VerifyExternal

func (djwt DelegationJWT) VerifyExternal(jwks jwks.JWKS) error

VerifyExternal verifies the DelegationJWT by using the passed trust mark owner jwks

func (DelegationJWT) VerifyFederation

func (djwt DelegationJWT) VerifyFederation(ta *EntityStatementPayload) error

VerifyFederation verifies the DelegationJWT by using the passed trust anchor

type DisplayNameGuesser

type DisplayNameGuesser interface {
	GuessDisplayName() string
}

DisplayNameGuesser is an interface for types to return a (guessed) display name

type EntityCollectionFilter

type EntityCollectionFilter interface {
	Filter(*CollectedEntity) bool
}

EntityCollectionFilter is an interface to filter discovered entities

func EntityCollectionFilterOPSupportedGrantTypesIncludes

func EntityCollectionFilterOPSupportedGrantTypesIncludes(
	trustAnchorIDs []string, neededGrantTypes ...string,
) EntityCollectionFilter

EntityCollectionFilterOPSupportedGrantTypesIncludes returns an EntityCollectionFilter that filters to OPs that support the passed grant types

func EntityCollectionFilterOPSupportedScopesIncludes

func EntityCollectionFilterOPSupportedScopesIncludes(
	trustAnchorIDs []string,
	neededScopes ...string,
) EntityCollectionFilter

EntityCollectionFilterOPSupportedScopesIncludes returns an EntityCollectionFilter that filters to OPs that support the passed scopes

func EntityCollectionFilterOPSupportsAutomaticRegistration

func EntityCollectionFilterOPSupportsAutomaticRegistration(
	trustAnchorIDs []string,
) EntityCollectionFilter

EntityCollectionFilterOPSupportsAutomaticRegistration returns an EntityCollectionFilter that filters to OPs that support automatic registration

func EntityCollectionFilterOPSupportsExplicitRegistration

func EntityCollectionFilterOPSupportsExplicitRegistration(
	trustAnchorIDs []string,
) EntityCollectionFilter

EntityCollectionFilterOPSupportsExplicitRegistration returns an EntityCollectionFilter that filters to OPs that support explicit registration

func EntityCollectionFilterOPs

func EntityCollectionFilterOPs() EntityCollectionFilter

EntityCollectionFilterOPs returns an EntityCollectionFilter that filters to OPs

func NewEntityCollectionFilter

func NewEntityCollectionFilter(filter func(entity *CollectedEntity) bool) EntityCollectionFilter

NewEntityCollectionFilter returns an EntityCollectionFilter for a filter func

type EntityCollectionFilterVerifiedChains

type EntityCollectionFilterVerifiedChains struct {
	TrustAnchors TrustAnchors
}

EntityCollectionFilterVerifiedChains is an EntityCollectionFilter that filters the discovered OPs to the ones that have a valid TrustChain to one of the specified TrustAnchors

func (EntityCollectionFilterVerifiedChains) Filter

Filter implements the EntityCollectionFilter interface

type EntityCollectionResponse

type EntityCollectionResponse struct {
	FederationEntities []*CollectedEntity `json:"federation_entities"`
	NextEntityID       string             `json:"next_entity_id,omitempty"`
	LastUpdated        *unixtime.Unixtime `json:"last_updated,omitempty"`
	Extra              map[string]any     `json:"-"`
}

EntityCollectionResponse is a type describing the response of an entity collection request

type EntityCollector

type EntityCollector interface {
	CollectEntities(req apimodel.EntityCollectionRequest) []*CollectedEntity
}

EntityCollector is an interface that discovers / collects Entities in a federation

type EntityConfigurationTrustMarkConfig

type EntityConfigurationTrustMarkConfig struct {
	TrustMarkType      string                     `yaml:"trust_mark_type"`
	TrustMarkIssuer    string                     `yaml:"trust_mark_issuer"`
	SelfIssued         bool                       `yaml:"self_issued"`
	SelfIssuanceSpec   TrustMarkSpec              `yaml:"self_issuance_spec"`
	JWT                string                     `yaml:"trust_mark_jwt"`
	Refresh            bool                       `yaml:"refresh"`
	MinLifetime        unixtime.DurationInSeconds `yaml:"min_lifetime"`
	RefreshGracePeriod unixtime.DurationInSeconds `yaml:"refresh_grace_period"`
	// contains filtered or unexported fields
}

EntityConfigurationTrustMarkConfig is a type for specifying the configuration of a TrustMark that should be included in an EntityConfiguration

func (*EntityConfigurationTrustMarkConfig) TrustMarkJWT

func (c *EntityConfigurationTrustMarkConfig) TrustMarkJWT() (string, error)

TrustMarkJWT returns a trust mark jwt for the linked trust mark; if needed, the trust mark is refreshed using the trust mark issuer's trust mark endpoint

func (*EntityConfigurationTrustMarkConfig) Verify

func (c *EntityConfigurationTrustMarkConfig) Verify(
	sub, ownTrustMarkEndpoint string, ownTrustMarkSigner *TrustMarkSigner,
) error

Verify verifies that the EntityConfigurationTrustMarkConfig is correct; it also extracts the trust mark id and issuer if a trust mark jwt is given, and sets default values

type EntityStatement

type EntityStatement struct {
	EntityStatementPayload
	// contains filtered or unexported fields
}

EntityStatement is a type for holding an entity statement, more precisely an entity statement that was obtained as a jwt and created by us

func FetchEntityStatement

func FetchEntityStatement(fetchEndpoint, subID, issID string) (*EntityStatement, error)

FetchEntityStatement fetches an EntityStatement from a fetch endpoint

func GetEntityConfiguration

func GetEntityConfiguration(entityID string) (*EntityStatement, error)

GetEntityConfiguration obtains the entity configuration for the passed entity id and returns it as an EntityStatement

func ParseEntityStatement

func ParseEntityStatement(statementJWT []byte) (*EntityStatement, error)

ParseEntityStatement parses a jwt into an EntityStatement

func (EntityStatement) MarshalMsgpack

func (e EntityStatement) MarshalMsgpack() ([]byte, error)

MarshalMsgpack implements the msgpack.Marshaler interface for usage with caching

func (*EntityStatement) UnmarshalMsgpack

func (e *EntityStatement) UnmarshalMsgpack(data []byte) error

UnmarshalMsgpack implements the msgpack.Unmarshaler interface for usage with caching

func (EntityStatement) Verify

func (e EntityStatement) Verify(keys jwks.JWKS) bool

Verify verifies that the EntityStatement jwt is valid

type EntityStatementPayload

type EntityStatementPayload struct {
	Issuer             string                   `json:"iss"`
	Subject            string                   `json:"sub"`
	IssuedAt           unixtime.Unixtime        `json:"iat"`
	ExpiresAt          unixtime.Unixtime        `json:"exp"`
	JWKS               jwks.JWKS                `json:"jwks"`
	Audience           string                   `json:"aud,omitempty"`
	AuthorityHints     []string                 `json:"authority_hints,omitempty"`
	Metadata           *Metadata                `json:"metadata,omitempty"`
	MetadataPolicy     *MetadataPolicies        `json:"metadata_policy,omitempty"`
	Constraints        *ConstraintSpecification `json:"constraints,omitempty"`
	CriticalExtensions []string                 `json:"crit,omitempty"`
	MetadataPolicyCrit []PolicyOperatorName     `json:"metadata_policy_crit,omitempty"`
	TrustMarks         TrustMarkInfos           `json:"trust_marks,omitempty"`
	TrustMarkIssuers   AllowedTrustMarkIssuers  `json:"trust_mark_issuers,omitempty"`
	TrustMarkOwners    TrustMarkOwners          `json:"trust_mark_owners,omitempty"`
	SourceEndpoint     string                   `json:"source_endpoint,omitempty"`
	TrustAnchorID      string                   `json:"trust_anchor_id,omitempty"`
	Extra              map[string]interface{}   `json:"-"`
}

EntityStatementPayload is a type for holding the actual payload of an EntityStatement or EntityConfiguration; additional fields can be set in the Extra claim

func (EntityStatementPayload) MarshalJSON

func (e EntityStatementPayload) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.

func (EntityStatementPayload) TimeValid

func (e EntityStatementPayload) TimeValid() bool

TimeValid checks if the EntityStatementPayload is already valid and not yet expired.

func (*EntityStatementPayload) UnmarshalJSON

func (e *EntityStatementPayload) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshals additional fields into the Extra claim.

func (*EntityStatementPayload) UnmarshalMsgpack

func (e *EntityStatementPayload) UnmarshalMsgpack(data []byte) error

UnmarshalMsgpack implements the msgpack.Unmarshaler interface.

type EntityStatementSigner

type EntityStatementSigner struct {
	*GeneralJWTSigner
}

EntityStatementSigner is a JWTSigner for oidfedconst.JWTTypeEntityStatement

func NewEntityStatementSigner

func NewEntityStatementSigner(key crypto.Signer, alg jwa.SignatureAlgorithm) *EntityStatementSigner

NewEntityStatementSigner creates a new EntityStatementSigner

func (EntityStatementSigner) JWT

func (s EntityStatementSigner) JWT(i any) (jwt []byte, err error)

JWT implements the JWTSigner interface

type Error

type Error struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
}

Error is a type for holding an error

func ErrorInvalidClient

func ErrorInvalidClient(description string) Error

ErrorInvalidClient returns an Error for using InvalidClient

func ErrorInvalidIssuer

func ErrorInvalidIssuer(description string) Error

ErrorInvalidIssuer returns an Error for using InvalidIssuer

func ErrorInvalidMetadata

func ErrorInvalidMetadata(description string) Error

ErrorInvalidMetadata returns an Error for using InvalidMetadata

func ErrorInvalidRequest

func ErrorInvalidRequest(description string) Error

ErrorInvalidRequest returns an Error for using InvalidRequest

func ErrorInvalidSubject

func ErrorInvalidSubject(description string) Error

ErrorInvalidSubject returns an Error for using InvalidSubject

func ErrorInvalidTrustAnchor

func ErrorInvalidTrustAnchor(description string) Error

ErrorInvalidTrustAnchor returns an Error for using InvalidTrustAnchor

func ErrorInvalidTrustChain

func ErrorInvalidTrustChain(description string) Error

ErrorInvalidTrustChain returns an Error for using InvalidTrustChain

func ErrorNotFound

func ErrorNotFound(description string) Error

ErrorNotFound returns an Error for using NotFound

func ErrorServerError

func ErrorServerError(description string) Error

ErrorServerError returns an Error for using ServerError

func ErrorTemporarilyUnavailable

func ErrorTemporarilyUnavailable(description string) Error

ErrorTemporarilyUnavailable returns an Error for using TemporarilyUnavailable

func ErrorUnsupportedParameter

func ErrorUnsupportedParameter(description string) Error

ErrorUnsupportedParameter returns an Error for using UnsupportedParameter

type FederationEntity

type FederationEntity struct {
	EntityID              string
	Metadata              *Metadata
	AuthorityHints        []string
	ConfigurationLifetime int64
	*EntityStatementSigner

	TrustMarks       []*EntityConfigurationTrustMarkConfig
	TrustMarkIssuers AllowedTrustMarkIssuers
	TrustMarkOwners  TrustMarkOwners
	Extra            map[string]any
	// contains filtered or unexported fields
}

FederationEntity is a type for an entity participating in federations. It holds all relevant information about the federation entity and can be used to create an EntityConfiguration about it

func NewFederationEntity

func NewFederationEntity(
	entityID string, authorityHints []string, metadata *Metadata,
	signer *EntityStatementSigner, configurationLifetime int64, extra map[string]any,
) (*FederationEntity, error)

NewFederationEntity creates a new FederationEntity with the passed properties

func (FederationEntity) EntityConfigurationJWT

func (f FederationEntity) EntityConfigurationJWT() ([]byte, error)

EntityConfigurationJWT creates and returns the signed jwt as a []byte for the entity's entity configuration

func (FederationEntity) EntityConfigurationPayload

func (f FederationEntity) EntityConfigurationPayload() *EntityStatementPayload

EntityConfigurationPayload returns an EntityStatementPayload for this FederationEntity

func (FederationEntity) SignEntityStatement

func (f FederationEntity) SignEntityStatement(payload EntityStatementPayload) ([]byte, error)

SignEntityStatement creates a signed JWT for the given EntityStatementPayload; this function is intended to be used on TA/IA

type FederationEntityMetadata

type FederationEntityMetadata struct {
	FederationFetchEndpoint           string         `json:"federation_fetch_endpoint,omitempty"`
	FederationListEndpoint            string         `json:"federation_list_endpoint,omitempty"`
	FederationResolveEndpoint         string         `json:"federation_resolve_endpoint,omitempty"`
	FederationTrustMarkStatusEndpoint string         `json:"federation_trust_mark_status_endpoint,omitempty"`
	FederationTrustMarkListEndpoint   string         `json:"federation_trust_mark_list_endpoint,omitempty"`
	FederationTrustMarkEndpoint       string         `json:"federation_trust_mark_endpoint,omitempty"`
	FederationHistoricalLKeysEndpoint string         `json:"federation_historical_keys_endpoint,omitempty"`
	Extra                             map[string]any `json:"-"`
	DisplayName                       string         `json:"display_name,omitempty"`
	Description                       string         `json:"description,omitempty"`
	Keywords                          []string       `json:"keywords,omitempty"`
	Contacts                          []string       `json:"contacts,omitempty"`
	LogoURI                           string         `json:"logo_uri,omitempty"`
	PolicyURI                         string         `json:"policy_uri,omitempty"`
	InformationURI                    string         `json:"information_uri,omitempty"`
	OrganizationName                  string         `json:"organization_name,omitempty"`
	OrganizationURI                   string         `json:"organization_uri,omitempty"`
	// contains filtered or unexported fields
}

func (FederationEntityMetadata) ApplyPolicy

func (m FederationEntityMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

ApplyPolicy applies a MetadataPolicy to the FederationEntityMetadata

func (FederationEntityMetadata) GuessDisplayName

func (m FederationEntityMetadata) GuessDisplayName() string

GuessDisplayName implements the DisplayNameGuesser interface

func (FederationEntityMetadata) MarshalJSON

func (m FederationEntityMetadata) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*FederationEntityMetadata) UnmarshalJSON

func (m *FederationEntityMetadata) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

func (*FederationEntityMetadata) UnmarshalMsgpack

func (m *FederationEntityMetadata) UnmarshalMsgpack(data []byte) error

UnmarshalMsgpack implements the msgpack.Unmarshaler interface

type FederationLeaf

type FederationLeaf struct {
	FederationEntity
	TrustAnchors TrustAnchors
	// contains filtered or unexported fields
}

FederationLeaf is a type for a leaf entity and holds all relevant information about it; it can also be used to create an EntityConfiguration about it or to start OIDC flows

func NewFederationLeaf

func NewFederationLeaf(
	entityID string, authorityHints []string, trustAnchors TrustAnchors, metadata *Metadata,
	signer *EntityStatementSigner, configurationLifetime int64,
	oidcSigningKey crypto.Signer, oidcSigningAlg jwa.SignatureAlgorithm, extra map[string]any,
) (*FederationLeaf, error)

NewFederationLeaf creates a new FederationLeaf with the passed properties

func (FederationLeaf) CodeExchange

func (f FederationLeaf) CodeExchange(
	issuer, code, redirectURI string,
	additionalParameter url.Values,
) (*OIDCTokenResponse, *OIDCErrorResponse, error)

CodeExchange performs an OIDC code exchange; it creates the mytoken and stores it in the database

func (FederationLeaf) GetAuthorizationURL

func (f FederationLeaf) GetAuthorizationURL(
	issuer, redirectURI, state, scope string, additionalParams url.Values,
) (string, error)

GetAuthorizationURL creates an authorization url

func (FederationLeaf) RequestObjectProducer

func (f FederationLeaf) RequestObjectProducer() *RequestObjectProducer

RequestObjectProducer returns the entity's RequestObjectProducer

func (FederationLeaf) ResolveOPMetadata

func (f FederationLeaf) ResolveOPMetadata(issuer string) (*OpenIDProviderMetadata, error)

ResolveOPMetadata resolves and returns OpenIDProviderMetadata for the passed issuer url

type FilterableVerifiedChainsEntityCollector

type FilterableVerifiedChainsEntityCollector struct {
	Collector EntityCollector
	Filters   []EntityCollectionFilter
}

FilterableVerifiedChainsEntityCollector is a type implementing EntityCollector that is able to filter the discovered OPs through a number of EntityCollectionFilters

func (FilterableVerifiedChainsEntityCollector) CollectEntities

CollectEntities implements the EntityCollector interface

type GeneralJWTSigner

type GeneralJWTSigner struct {
	// contains filtered or unexported fields
}

GeneralJWTSigner is a general jwt signer with no specific typ

func NewGeneralJWTSigner

func NewGeneralJWTSigner(key crypto.Signer, alg jwa.SignatureAlgorithm) *GeneralJWTSigner

NewGeneralJWTSigner creates a new GeneralJWTSigner

func (*GeneralJWTSigner) EntityStatementSigner

func (s *GeneralJWTSigner) EntityStatementSigner() *EntityStatementSigner

EntityStatementSigner returns an EntityStatementSigner using the same crypto.Signer

func (*GeneralJWTSigner) JWKS

func (s *GeneralJWTSigner) JWKS() jwks.JWKS

JWKS returns the jwks.JWKS used with this signer

func (GeneralJWTSigner) JWT

func (s GeneralJWTSigner) JWT(i any, headerType string) (jwt []byte, err error)

JWT returns a signed jwt representation of the passed data with the passed header type

func (*GeneralJWTSigner) ResolveResponseSigner

func (s *GeneralJWTSigner) ResolveResponseSigner() *ResolveResponseSigner

ResolveResponseSigner returns a ResolveResponseSigner using the same crypto.Signer

func (*GeneralJWTSigner) TrustMarkDelegationSigner

func (s *GeneralJWTSigner) TrustMarkDelegationSigner() *TrustMarkDelegationSigner

TrustMarkDelegationSigner returns a TrustMarkDelegationSigner using the same crypto.Signer

func (*GeneralJWTSigner) TrustMarkSigner

func (s *GeneralJWTSigner) TrustMarkSigner() *TrustMarkSigner

TrustMarkSigner returns a TrustMarkSigner using the same crypto.Signer

func (*GeneralJWTSigner) Typed

func (s *GeneralJWTSigner) Typed(headerType string) *TypedJWTSigner

Typed returns a TypedJWTSigner for the passed header type using the same crypto.Signer

type JWSMessages

type JWSMessages []*jwx.ParsedJWT

JWSMessages is a slice of jwx.ParsedJWT

func (JWSMessages) MarshalJSON

func (m JWSMessages) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface.

func (*JWSMessages) UnmarshalJSON

func (m *JWSMessages) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface.

type JWTSigner

type JWTSigner interface {
	JWT(i any) (jwt []byte, err error)
	JWKS() jwk.Set
}

JWTSigner is an interface that can give signed jwts

type LocalMetadataResolver

type LocalMetadataResolver struct{}

LocalMetadataResolver is a MetadataResolver that resolves trust chains and evaluates metadata policies to obtain the final Metadata; it does not use a resolve endpoint

func (LocalMetadataResolver) Resolve

Resolve implements the MetadataResolver interface

func (LocalMetadataResolver) ResolvePossible

func (LocalMetadataResolver) ResolvePossible(req apimodel.ResolveRequest) (bool, bool)

ResolvePossible implements the MetadataResolver interface

func (LocalMetadataResolver) ResolveResponsePayload

func (r LocalMetadataResolver) ResolveResponsePayload(req apimodel.ResolveRequest) (
	res ResolveResponsePayload, err error,
)

ResolveResponsePayload implements the MetadataResolver interface

type Metadata

type Metadata struct {
	OpenIDProvider           *OpenIDProviderMetadata           `json:"openid_provider,omitempty"`
	RelyingParty             *OpenIDRelyingPartyMetadata       `json:"openid_relying_party,omitempty"`
	OAuthAuthorizationServer *OAuthAuthorizationServerMetadata `json:"oauth_authorization_server,omitempty"`
	OAuthClient              *OAuthClientMetadata              `json:"oauth_client,omitempty"`
	OAuthProtectedResource   *OAuthProtectedResourceMetadata   `json:"oauth_resource,omitempty"`
	FederationEntity         *FederationEntityMetadata         `json:"federation_entity,omitempty"`
	// Extra contains additional metadata this entity should advertise.
	Extra map[string]any `json:"-"`
}

Metadata is a type for holding the different metadata types

func (Metadata) ApplyPolicy

func (m Metadata) ApplyPolicy(p *MetadataPolicies) (*Metadata, error)

ApplyPolicy applies MetadataPolicies to Metadata and returns the final Metadata

func (*Metadata) FindEntityMetadata

func (m *Metadata) FindEntityMetadata(entityType string, metadata any) error

FindEntityMetadata finds metadata for the specified entity type in the metadata and decodes it into the provided metadata object.

func (Metadata) GuessDisplayNames

func (m Metadata) GuessDisplayNames() map[string]string

GuessDisplayNames collects (guessed) display names for all present metadata types.

func (Metadata) GuessEntityTypes

func (m Metadata) GuessEntityTypes() (entityTypes []string)

GuessEntityTypes returns a slice of entity types for which metadata is set

func (Metadata) IterateStringClaim

func (m Metadata) IterateStringClaim(tag string, iterator func(entityType, value string))

IterateStringClaim collects a claim that has a string value for all metadata types and calls the iterator on it.

func (Metadata) IterateStringSliceClaim

func (m Metadata) IterateStringSliceClaim(tag string, iterator func(entityType string, value []string))

IterateStringSliceClaim collects a claim that has a []string value for all metadata types and calls the iterator on it.

func (Metadata) MarshalJSON

func (m Metadata) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.

func (*Metadata) UnmarshalJSON

func (m *Metadata) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshals additional fields into the Extra claim.

type MetadataPolicies

type MetadataPolicies struct {
	OpenIDProvider           MetadataPolicy `json:"openid_provider,omitempty"`
	RelyingParty             MetadataPolicy `json:"openid_relying_party,omitempty"`
	OAuthAuthorizationServer MetadataPolicy `json:"oauth_authorization_server,omitempty"`
	OAuthClient              MetadataPolicy `json:"oauth_client,omitempty"`
	OAuthProtectedResource   MetadataPolicy `json:"oauth_resource,omitempty"`
	FederationEntity         MetadataPolicy `json:"federation_entity,omitempty"`
	// Extra contains metadata policies for entity types unknown to this module.
	Extra map[string]MetadataPolicy `json:"-"`
}

MetadataPolicies is a type for holding the different MetadataPolicy values, one per entity type

func MergeMetadataPolicies

func MergeMetadataPolicies(policies ...*MetadataPolicies) (*MetadataPolicies, error)

MergeMetadataPolicies combines multiple MetadataPolicies from a chain into a single one

func (MetadataPolicies) MarshalJSON

func (m MetadataPolicies) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*MetadataPolicies) UnmarshalJSON

func (m *MetadataPolicies) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshals additional fields into the Extra claim.

type MetadataPolicy

type MetadataPolicy map[string]MetadataPolicyEntry

MetadataPolicy is a type for holding MetadataPolicyEntry for each relevant attribute

func CombineMetadataPolicy

func CombineMetadataPolicy(pathInfo string, policies ...MetadataPolicy) (MetadataPolicy, error)

CombineMetadataPolicy combines multiple MetadataPolicy values into a single MetadataPolicy, verifying at each step that the result is valid

func (MetadataPolicy) Verify

func (p MetadataPolicy) Verify(pathInfo string) error

Verify verifies that the MetadataPolicy is valid

type MetadataPolicyEntry

type MetadataPolicyEntry map[PolicyOperatorName]any

MetadataPolicyEntry is a type for holding the operator value for each operator

func (MetadataPolicyEntry) ApplyTo

func (p MetadataPolicyEntry) ApplyTo(value any, valueSet bool, pathInfo string) (any, error)

ApplyTo applies this MetadataPolicyEntry to the passed value and returns the resulting value
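The seven operators named by the PolicyOperatorName constants, applied to one metadata parameter in the order the OpenID Federation specification prescribes, as an added stand-alone Go example; this is not the library's ApplyTo implementation, and PolicyEntry, ApplyEntry and the helper names are the example's own:

```go
package main

import "fmt"

// Operator names, matching the PolicyOperatorName constants of the oidfed package.
const (
	opValue      = "value"
	opAdd        = "add"
	opDefault    = "default"
	opOneOf      = "one_of"
	opSubsetOf   = "subset_of"
	opSupersetOf = "superset_of"
	opEssential  = "essential"
)

// PolicyEntry has the shape of oidfed's MetadataPolicyEntry (operator name -> operator value).
// It and ApplyEntry are stand-alone example code, not the library's implementation.
type PolicyEntry map[string]any

// ApplyEntry applies a policy entry to one metadata parameter; set reports whether the
// parameter is present in the metadata. Operators run in the order the OpenID Federation
// specification prescribes: value, add, default, one_of, subset_of, superset_of, essential.
func ApplyEntry(p PolicyEntry, value any, set bool, path string) (any, bool, error) {
	if v, ok := p[opValue]; ok { // value: always overrides
		value, set = v, true
	}
	if v, ok := p[opAdd]; ok { // add: union with the existing (possibly absent) array
		value, set = union(toStrings(value), toStrings(v)), true
	}
	if v, ok := p[opDefault]; ok && !set { // default: only fills an absent parameter
		value, set = v, true
	}
	if allowed, ok := p[opOneOf]; ok && set { // one_of: single value must be allow-listed
		if s, isString := value.(string); !isString || !contains(toStrings(allowed), s) {
			return nil, false, fmt.Errorf("%s: %v is not one of %v", path, value, allowed)
		}
	}
	if allowed, ok := p[opSubsetOf]; ok && set { // subset_of: intersect with the allow-list
		// An empty intersection removes the parameter; an essential check below then rejects it.
		if kept := intersect(toStrings(value), toStrings(allowed)); len(kept) > 0 {
			value = kept
		} else {
			value, set = nil, false
		}
	}
	if required, ok := p[opSupersetOf]; ok && set { // superset_of: every listed value must be present
		for _, r := range toStrings(required) {
			if !contains(toStrings(value), r) {
				return nil, false, fmt.Errorf("%s: required value %q is missing", path, r)
			}
		}
	}
	if p[opEssential] == true && !set { // essential: the parameter must exist by now
		return nil, false, fmt.Errorf("%s: essential parameter is missing", path)
	}
	return value, set, nil
}

// toStrings normalises a parameter value: a single string, a []string, or absent (nil).
func toStrings(v any) []string {
	switch t := v.(type) {
	case string:
		return []string{t}
	case []string:
		return t
	}
	return nil
}

func contains(list []string, s string) bool {
	for _, e := range list {
		if e == s {
			return true
		}
	}
	return false
}

// intersect keeps the elements of a that also occur in b, preserving a's order.
func intersect(a, b []string) []string {
	var out []string
	for _, e := range a {
		if contains(b, e) {
			out = append(out, e)
		}
	}
	return out
}

// union appends the elements of b that a does not already contain.
func union(a, b []string) []string {
	out := append([]string{}, a...)
	for _, e := range b {
		if !contains(out, e) {
			out = append(out, e)
		}
	}
	return out
}
```

With the constructed entry `PolicyEntry{opSubsetOf: []string{"code", "id_token"}, opEssential: true}`, an RP advertising `response_types` of `["code", "token"]` is narrowed to `["code"]`, while one advertising only `["token"]` is rejected because the intersection is empty and the parameter is essential.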

func (MetadataPolicyEntry) Verify

func (p MetadataPolicyEntry) Verify(pathInfo string) error

Verify verifies that the MetadataPolicyEntry is valid

type MetadataResolver

type MetadataResolver interface {
	Resolve(request apimodel.ResolveRequest) (*Metadata, error)
	ResolveResponsePayload(request apimodel.ResolveRequest) (ResolveResponsePayload, error)
	ResolvePossible(request apimodel.ResolveRequest) (validConfirmed, invalidConfirmed bool)
}

MetadataResolver is a type for resolving the metadata from a StartingEntity to one or multiple TrustAnchors

var DefaultMetadataResolver MetadataResolver = LocalMetadataResolver{}

DefaultMetadataResolver is the default MetadataResolver used within the library to resolve Metadata

type NamingConstraints

type NamingConstraints struct {
	Permitted []string `json:"permitted,omitempty"`
	Excluded  []string `json:"excluded,omitempty"`
}

NamingConstraints is a type for holding constraints about naming

type OAuthAuthorizationServerMetadata

type OAuthAuthorizationServerMetadata OpenIDProviderMetadata

OAuthAuthorizationServerMetadata is a type for holding the metadata about an oauth authorization server

func (OAuthAuthorizationServerMetadata) ApplyPolicy

func (m OAuthAuthorizationServerMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

ApplyPolicy applies a MetadataPolicy to the OAuthAuthorizationServerMetadata

func (OAuthAuthorizationServerMetadata) GuessDisplayName

func (m OAuthAuthorizationServerMetadata) GuessDisplayName() string

GuessDisplayName implements the DisplayNameGuesser interface

func (OAuthAuthorizationServerMetadata) MarshalJSON

func (m OAuthAuthorizationServerMetadata) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*OAuthAuthorizationServerMetadata) UnmarshalJSON

func (m *OAuthAuthorizationServerMetadata) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type OAuthClientMetadata

type OAuthClientMetadata OpenIDRelyingPartyMetadata

OAuthClientMetadata is a type for holding the metadata about an oauth client

func (OAuthClientMetadata) ApplyPolicy

func (m OAuthClientMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

ApplyPolicy applies a MetadataPolicy to the OAuthClientMetadata

func (OAuthClientMetadata) GuessDisplayName

func (m OAuthClientMetadata) GuessDisplayName() string

GuessDisplayName implements the DisplayNameGuesser interface

func (OAuthClientMetadata) MarshalJSON

func (m OAuthClientMetadata) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*OAuthClientMetadata) UnmarshalJSON

func (m *OAuthClientMetadata) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type OAuthProtectedResourceMetadata

type OAuthProtectedResourceMetadata struct {
	Resource                             string         `json:"resource,omitempty"`
	AuthorizationServers                 []string       `json:"authorization_servers,omitempty"`
	ScopesSupported                      []string       `json:"scopes_supported,omitempty"`
	BearerMethodsSupported               []string       `json:"bearer_methods_supported,omitempty"`
	ResourceSigningAlgValuesSupported    []string       `json:"resource_signing_alg_values_supported,omitempty"`
	ResourceEncryptionAlgValuesSupported []string       `json:"resource_encryption_alg_values_supported"`
	ResourceEncryptionEncValuesSupported []string       `json:"resource_encryption_enc_values_supported"`
	ResourceName                         string         `json:"resource_name,omitempty"`
	ResourceDocumentation                string         `json:"resource_documentation,omitempty"`
	ResourcePolicyURI                    string         `json:"resource_policy_uri,omitempty"`
	ResourceTOSURI                       string         `json:"resource_tos_uri,omitempty"`
	Extra                                map[string]any `json:"-"`
	SignedJWKSURI                        string         `json:"signed_jwks_uri,omitempty"`
	JWKSURI                              string         `json:"jwks_uri,omitempty"`
	JWKS                                 *jwks.JWKS     `json:"jwks,omitempty"`
	DisplayName                          string         `json:"display_name,omitempty"`
	Description                          string         `json:"description,omitempty"`
	Keywords                             []string       `json:"keywords,omitempty"`
	Contacts                             []string       `json:"contacts,omitempty"`
	LogoURI                              string         `json:"logo_uri,omitempty"`
	PolicyURI                            string         `json:"policy_uri,omitempty"`
	InformationURI                       string         `json:"information_uri,omitempty"`
	OrganizationName                     string         `json:"organization_name,omitempty"`
	OrganizationURI                      string         `json:"organization_uri,omitempty"`
	// contains filtered or unexported fields
}

func (OAuthProtectedResourceMetadata) ApplyPolicy

func (m OAuthProtectedResourceMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

ApplyPolicy applies a MetadataPolicy to the OAuthProtectedResourceMetadata

func (OAuthProtectedResourceMetadata) GuessDisplayName

func (m OAuthProtectedResourceMetadata) GuessDisplayName() string

GuessDisplayName implements the DisplayNameGuesser interface

func (OAuthProtectedResourceMetadata) MarshalJSON

func (m OAuthProtectedResourceMetadata) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*OAuthProtectedResourceMetadata) UnmarshalJSON

func (m *OAuthProtectedResourceMetadata) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

func (*OAuthProtectedResourceMetadata) UnmarshalMsgpack

func (m *OAuthProtectedResourceMetadata) UnmarshalMsgpack(data []byte) error

UnmarshalMsgpack implements the msgpack.Unmarshaler interface

type OIDCErrorResponse

type OIDCErrorResponse struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description,omitempty"`
}

OIDCErrorResponse is the error response of an oidc provider

type OIDCTokenResponse

type OIDCTokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int64  `json:"expires_in"`
	RefreshToken string `json:"refresh_token"`
	Scopes       string `json:"scope"`
	IDToken      string `json:"id_token"`

	Extra map[string]any `json:"-"`
}

OIDCTokenResponse is the token response of an oidc provider

func (*OIDCTokenResponse) UnmarshalJSON

func (res *OIDCTokenResponse) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type OpenIDProviderMetadata

type OpenIDProviderMetadata struct {
	Issuer                                                    string              `json:"issuer"`
	AuthorizationEndpoint                                     string              `json:"authorization_endpoint"`
	TokenEndpoint                                             string              `json:"token_endpoint"`
	UserinfoEndpoint                                          string              `json:"userinfo_endpoint,omitempty"`
	RegistrationEndpoint                                      string              `json:"registration_endpoint,omitempty"`
	ScopesSupported                                           []string            `json:"scopes_supported,omitempty"`
	ResponseTypesSupported                                    []string            `json:"response_types_supported"`
	ResponseModesSupported                                    []string            `json:"response_modes_supported,omitempty"`
	GrantTypesSupported                                       []string            `json:"grant_types_supported,omitempty"`
	ACRValuesSupported                                        []string            `json:"acr_values_supported,omitempty"`
	SubjectTypesSupported                                     []string            `json:"subject_types_supported"`
	IDTokenSignedResponseAlgValuesSupported                   []string            `json:"id_token_signed_response_alg_values_supported,omitempty"`
	IDTokenEncryptedResponseAlgValuesSupported                []string            `json:"id_token_encrypted_response_alg_values_supported,omitempty"`
	IDTokenEncryptedResponseEncValuesSupported                []string            `json:"id_token_encrypted_response_enc_values_supported,omitempty"`
	UserinfoSignedResponseAlgValuesSupported                  []string            `json:"userinfo_signed_response_alg_values_supported,omitempty"`
	UserinfoEncryptedResponseAlgValuesSupported               []string            `json:"userinfo_encrypted_response_alg_values_supported,omitempty"`
	UserinfoEncryptedResponseEncValuesSupported               []string            `json:"userinfo_encrypted_response_enc_values_supported,omitempty"`
	RequestSignedResponseAlgValuesSupported                   []string            `json:"request_signed_response_alg_values_supported,omitempty"`
	RequestEncryptedResponseAlgValuesSupported                []string            `json:"request_encrypted_response_alg_values_supported,omitempty"`
	RequestEncryptedResponseEncValuesSupported                []string            `json:"request_encrypted_response_enc_values_supported,omitempty"`
	TokenEndpointAuthMethodsSupported                         []string            `json:"token_endpoint_auth_methods_supported,omitempty"`
	TokenEndpointAuthSigningAlgValuesSupported                []string            `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
	DisplayValuesSupported                                    []string            `json:"display_values_supported,omitempty"`
	ClaimsSupported                                           []string            `json:"claims_supported,omitempty"`
	ServiceDocumentation                                      string              `json:"service_documentation,omitempty"`
	ClaimsLocalesSupported                                    []string            `json:"claims_locales_supported,omitempty"`
	UILocalesSupported                                        []string            `json:"ui_locales_supported,omitempty"`
	ClaimsParameterSupported                                  bool                `json:"claims_parameter_supported,omitempty"`
	RequestParameterSupported                                 bool                `json:"request_parameter_supported,omitempty"`
	RequestURIParameterSupported                              bool                `json:"request_uri_parameter_supported,omitempty"`
	RequireRequestURIRegistration                             bool                `json:"require_request_uri_registration,omitempty"`
	OPPolicyURI                                               string              `json:"op_policy_uri,omitempty"`
	OPTOSURI                                                  string              `json:"op_tos_uri,omitempty"`
	RevocationEndpoint                                        string              `json:"revocation_endpoint,omitempty"`
	RevocationEndpointAuthMethodsSupported                    []string            `json:"revocation_endpoint_auth_methods_supported,omitempty"`
	RevocationEndpointAuthSigningAlgValuesSupported           []string            `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
	IntrospectionEndpoint                                     string              `json:"introspection_endpoint,omitempty"`
	IntrospectionEndpointAuthMethodsSupported                 []string            `json:"introspection_endpoint_auth_methods_supported,omitempty"`
	IntrospectionEndpointAuthSigningAlgValuesSupported        []string            `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
	IntrospectionSigningAlgValuesSupported                    []string            `json:"introspection_signing_alg_values_supported,omitempty"`
	IntrospectionEncryptionAlgValuesSupported                 []string            `json:"introspection_encryption_alg_values_supported,omitempty"`
	IntrospectionEncryptionEncValuesSupported                 []string            `json:"introspection_encryption_enc_values_supported,omitempty"`
	CodeChallengeMethodsSupported                             []string            `json:"code_challenge_methods_supported,omitempty"`
	SignedMetadata                                            string              `json:"signed_metadata,omitempty"`
	DeviceAuthorizationEndpoint                               string              `json:"device_authorization_endpoint,omitempty"`
	TLSClientCertificateBoundAccessTokens                     bool                `json:"tls_client_certificate_bound_access_tokens,omitempty"`
	MTLSEndpointAliases                                       map[string]string   `json:"mtls_endpoint_aliases,omitempty"`
	NFVTokenSigningAlgValuesSupported                         []string            `json:"nfv_token_signing_alg_values_supported,omitempty"`
	NFVTokenEncryptionAlgValuesSupported                      []string            `json:"nfv_token_encryption_alg_values_supported,omitempty"`
	NFVTokenEncryptionEncValuesSupported                      []string            `json:"nfv_token_encryption_enc_values_supported,omitempty"`
	RequireSignedRequestObject                                bool                `json:"require_signed_request_object,omitempty"`
	PushedAuthorizationRequestEndpoint                        string              `json:"pushed_authorization_request_endpoint,omitempty"`
	RequirePushedAuthorizationRequests                        bool                `json:"require_pushed_authorization_requests,omitempty"`
	AuthorizationResponseIssParameterSupported                bool                `json:"authorization_response_iss_parameter_supported,omitempty"`
	CheckSessionIFrame                                        string              `json:"check_session_iframe,omitempty"`
	FrontchannelLogoutSupported                               bool                `json:"frontchannel_logout_supported,omitempty"`
	BackchannelLogoutSupported                                bool                `json:"backchannel_logout_supported,omitempty"`
	BackchannelLogoutSessionSupported                         bool                `json:"backchannel_logout_session_supported,omitempty"`
	EndSessionEndpoint                                        string              `json:"end_session_endpoint,omitempty"`
	BackchannelTokenDeliveryModesSupported                    []string            `json:"backchannel_token_delivery_modes_supported,omitempty"`
	BackchannelAuthenticationEndpoint                         string              `json:"backchannel_authentication_endpoint,omitempty"`
	BackchannelAuthenticationRequestSigningAlgValuesSupported []string            `json:"backchannel_authentication_request_signing_alg_values_supported,omitempty"`
	BackchannelUserCodeParameterSupported                     bool                `json:"backchannel_user_code_parameter_supported,omitempty"`
	AuthorizationDetailsTypesSupported                        []string            `json:"authorization_details_types_supported,omitempty"`
	ClientRegistrationTypesSupported                          []string            `json:"client_registration_types_supported"`
	FederationRegistrationEndpoint                            string              `json:"federation_registration_endpoint,omitempty"`
	RequestAuthenticationMethodsSupported                     map[string][]string `json:"request_authentication_methods_supported,omitempty"`
	RequestAuthenticationSigningAlgValuesSupported            []string            `json:"request_authentication_signing_alg_values_supported,omitempty"`
	Extra                                                     map[string]any      `json:"-"`
	SignedJWKSURI                                             string              `json:"signed_jwks_uri,omitempty"`
	JWKSURI                                                   string              `json:"jwks_uri,omitempty"`
	JWKS                                                      *jwks.JWKS          `json:"jwks,omitempty"`
	DisplayName                                               string              `json:"display_name,omitempty"`
	Description                                               string              `json:"description,omitempty"`
	Keywords                                                  []string            `json:"keywords,omitempty"`
	Contacts                                                  []string            `json:"contacts,omitempty"`
	LogoURI                                                   string              `json:"logo_uri,omitempty"`
	PolicyURI                                                 string              `json:"policy_uri,omitempty"`
	InformationURI                                            string              `json:"information_uri,omitempty"`
	OrganizationName                                          string              `json:"organization_name,omitempty"`
	OrganizationURI                                           string              `json:"organization_uri,omitempty"`
	// contains filtered or unexported fields
}

func (OpenIDProviderMetadata) ApplyPolicy

func (m OpenIDProviderMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

ApplyPolicy applies a MetadataPolicy to the OpenIDProviderMetadata

func (OpenIDProviderMetadata) GuessDisplayName

func (m OpenIDProviderMetadata) GuessDisplayName() string

GuessDisplayName implements the DisplayNameGuesser interface

func (OpenIDProviderMetadata) MarshalJSON

func (m OpenIDProviderMetadata) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*OpenIDProviderMetadata) UnmarshalJSON

func (m *OpenIDProviderMetadata) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

func (*OpenIDProviderMetadata) UnmarshalMsgpack

func (m *OpenIDProviderMetadata) UnmarshalMsgpack(data []byte) error

UnmarshalMsgpack implements the msgpack.Unmarshaler interface

type OpenIDRelyingPartyMetadata

type OpenIDRelyingPartyMetadata struct {
	Scope                                 string         `json:"scope,omitempty"`
	RedirectURIS                          []string       `json:"redirect_uris,omitempty"`
	ResponseTypes                         []string       `json:"response_types,omitempty"`
	GrantTypes                            []string       `json:"grant_types,omitempty"`
	ApplicationType                       string         `json:"application_type,omitempty"`
	Contacts                              []string       `json:"contacts,omitempty"`
	ClientName                            string         `json:"client_name,omitempty"`
	LogoURI                               string         `json:"logo_uri,omitempty"`
	ClientURI                             string         `json:"client_uri,omitempty"`
	PolicyURI                             string         `json:"policy_uri,omitempty"`
	TOSURI                                string         `json:"tos_uri,omitempty"`
	SectorIdentifierURI                   string         `json:"sector_identifier_uri,omitempty"`
	SubjectType                           string         `json:"subject_type,omitempty"`
	IDTokenSignedResponseAlg              string         `json:"id_token_signed_response_alg,omitempty"`
	IDTokenEncryptedResponseAlg           string         `json:"id_token_encrypted_response_alg,omitempty"`
	IDTokenEncryptedResponseEnc           string         `json:"id_token_encrypted_response_enc,omitempty"`
	UserinfoSignedResponseAlg             string         `json:"userinfo_signed_response_alg,omitempty"`
	UserinfoEncryptedResponseAlg          string         `json:"userinfo_encrypted_response_alg,omitempty"`
	UserinfoEncryptedResponseEnc          string         `json:"userinfo_encrypted_response_enc,omitempty"`
	RequestSignedResponseAlg              string         `json:"request_signed_response_alg,omitempty"`
	RequestEncryptedResponseAlg           string         `json:"request_encrypted_response_alg,omitempty"`
	RequestEncryptedResponseEnc           string         `json:"request_encrypted_response_enc,omitempty"`
	TokenEndpointAuthMethod               string         `json:"token_endpoint_auth_method,omitempty"`
	TokenEndpointAuthSigningAlg           string         `json:"token_endpoint_auth_signing_alg,omitempty"`
	DefaultMaxAge                         int64          `json:"default_max_age,omitempty"`
	RequireAuthTime                       bool           `json:"require_auth_time,omitempty"`
	DefaultACRValues                      []string       `json:"default_acr_values,omitempty"`
	InitiateLoginURI                      string         `json:"initiate_login_uri,omitempty"`
	RequestURIs                           []string       `json:"request_uris,omitempty"`
	SoftwareID                            string         `json:"software_id,omitempty"`
	SoftwareVersion                       string         `json:"software_version,omitempty"`
	ClientID                              string         `json:"client_id,omitempty"`
	ClientSecret                          string         `json:"client_secret,omitempty"`
	ClientIDIssuedAt                      int64          `json:"client_id_issued_at,omitempty"`
	ClientSecretExpiresAt                 int64          `json:"client_secret_expires_at,omitempty"`
	RegistrationAccessToken               string         `json:"registration_access_token,omitempty"`
	RegistrationClientURI                 string         `json:"registration_client_uri,omitempty"`
	ClaimsRedirectURIs                    []string       `json:"claims_redirect_uris,omitempty"`
	NFVTokenSignedResponseAlg             string         `json:"nfv_token_signed_response_alg,omitempty"`
	NFVTokenEncryptedResponseAlg          string         `json:"nfv_token_encrypted_response_alg,omitempty"`
	NFVTokenEncryptedResponseEnc          string         `json:"nfv_token_encrypted_response_enc,omitempty"`
	TLSClientCertificateBoundAccessTokens bool           `json:"tls_client_certificate_bound_access_tokens,omitempty"`
	TLSClientAuthSubjectDN                string         `json:"tls_client_auth_subject_dn,omitempty"`
	TLSClientAuthSANDNS                   string         `json:"tls_client_auth_san_dns,omitempty"`
	TLSClientAuthSANURI                   string         `json:"tls_client_auth_san_uri,omitempty"`
	TLSClientAuthSANIP                    string         `json:"tls_client_auth_san_ip,omitempty"`
	TLSClientAuthSANEMAIL                 string         `json:"tls_client_auth_san_email,omitempty"`
	RequireSignedRequestObject            bool           `json:"require_signed_request_object,omitempty"`
	RequirePushedAuthorizationRequests    bool           `json:"require_pushed_authorization_requests,omitempty"`
	IntrospectionSignedResponseAlg        string         `json:"introspection_signed_response_alg,omitempty"`
	IntrospectionEncryptedResponseAlg     string         `json:"introspection_encrypted_response_alg,omitempty"`
	IntrospectionEncryptedResponseEnc     string         `json:"introspection_encrypted_response_enc,omitempty"`
	FrontchannelLogoutURI                 string         `json:"frontchannel_logout_uri,omitempty"`
	FrontchannelLogoutSessionRequired     bool           `json:"frontchannel_logout_session_required,omitempty"`
	BackchannelLogoutURI                  string         `json:"backchannel_logout_uri,omitempty"`
	BackchannelLogoutSessionRequired      bool           `json:"backchannel_logout_session_required,omitempty"`
	PostLogoutRedirectURIs                []string       `json:"post_logout_redirect_uris,omitempty"`
	AuthorizationDetailsTypes             []string       `json:"authorization_details_types,omitempty"`
	ClientRegistrationTypes               []string       `json:"client_registration_types"`
	Extra                                 map[string]any `json:"-"`
	SignedJWKSURI                         string         `json:"signed_jwks_uri,omitempty"`
	JWKSURI                               string         `json:"jwks_uri,omitempty"`
	JWKS                                  *jwks.JWKS     `json:"jwks,omitempty"`
	DisplayName                           string         `json:"display_name,omitempty"`
	Description                           string         `json:"description,omitempty"`
	Keywords                              []string       `json:"keywords,omitempty"`
	InformationURI                        string         `json:"information_uri,omitempty"`
	OrganizationName                      string         `json:"organization_name,omitempty"`
	OrganizationURI                       string         `json:"organization_uri,omitempty"`
	// contains filtered or unexported fields
}

func (OpenIDRelyingPartyMetadata) ApplyPolicy

func (m OpenIDRelyingPartyMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

ApplyPolicy applies a MetadataPolicy to the OpenIDRelyingPartyMetadata

func (OpenIDRelyingPartyMetadata) GuessDisplayName

func (m OpenIDRelyingPartyMetadata) GuessDisplayName() string

GuessDisplayName implements the DisplayNameGuesser interface

func (OpenIDRelyingPartyMetadata) MarshalJSON

func (m OpenIDRelyingPartyMetadata) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*OpenIDRelyingPartyMetadata) UnmarshalJSON

func (m *OpenIDRelyingPartyMetadata) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

func (*OpenIDRelyingPartyMetadata) UnmarshalMsgpack

func (m *OpenIDRelyingPartyMetadata) UnmarshalMsgpack(data []byte) error

UnmarshalMsgpack implements the msgpack.Unmarshaler interface

type OwnedTrustMark

type OwnedTrustMark struct {
	ID                 string
	DelegationLifetime time.Duration
	Ref                string
	Extra              map[string]any
}

OwnedTrustMark is a type describing the trust marks owned by a TrustMarkOwner

type PolicyOperator

type PolicyOperator interface {
	// Merge merges two policy operator values and returns the result
	Merge(a, b any, pathInfo string) (any, error)
	// Apply applies the policy operator value to the attribute value and returns the result
	Apply(value any, valueSet bool, policyValue any, essential bool, pathInfo string) (any, bool, error)
	// Name returns the PolicyOperatorName
	Name() PolicyOperatorName
	// MayCombineWith gives a list of PolicyOperatorName with which this PolicyOperator may be combined
	MayCombineWith() []PolicyOperatorName
}

PolicyOperator is an interface implemented by policy operators

func NewPolicyOperator

func NewPolicyOperator(
	name PolicyOperatorName,
	merger func(a, b any, pathInfo string) (any, error),
	applier func(value any, valueSet bool, policyValue any, essential bool, pathInfo string) (any, bool, error),
	mayCombineWith []PolicyOperatorName,
) PolicyOperator

NewPolicyOperator creates a new PolicyOperator from the passed functions and PolicyOperatorName

type PolicyOperatorName

type PolicyOperatorName string

PolicyOperatorName is the name of a PolicyOperator

const (
	PolicyOperatorValue      PolicyOperatorName = "value"
	PolicyOperatorDefault    PolicyOperatorName = "default"
	PolicyOperatorAdd        PolicyOperatorName = "add"
	PolicyOperatorOneOf      PolicyOperatorName = "one_of"
	PolicyOperatorSubsetOf   PolicyOperatorName = "subset_of"
	PolicyOperatorSupersetOf PolicyOperatorName = "superset_of"
	PolicyOperatorEssential  PolicyOperatorName = "essential"
)

Constants for PolicyOperatorNames

type PolicyVerifier

type PolicyVerifier func(p MetadataPolicyEntry, pathInfo string) error

PolicyVerifier is a function that verifies a MetadataPolicyEntry

type RequestObjectProducer

type RequestObjectProducer struct {
	EntityID string
	// contains filtered or unexported fields
}

RequestObjectProducer is a generator for signed request objects

func NewRequestObjectProducer

func NewRequestObjectProducer(
	entityID string, privateSigningKey crypto.Signer, signingAlg jwa.SignatureAlgorithm, lifetime int64,
) *RequestObjectProducer

NewRequestObjectProducer creates a new RequestObjectProducer with the passed properties

func (RequestObjectProducer) ClientAssertion

func (rop RequestObjectProducer) ClientAssertion(aud string) ([]byte, error)

ClientAssertion creates a new signed client assertion jwt for the passed audience

func (RequestObjectProducer) RequestObject

func (rop RequestObjectProducer) RequestObject(requestValues map[string]any) ([]byte, error)

RequestObject generates a signed request object jwt from the passed requestValues

type ResolveResponse

type ResolveResponse struct {
	Issuer                 string            `json:"iss"`
	Subject                string            `json:"sub"`
	IssuedAt               unixtime.Unixtime `json:"iat"`
	ExpiresAt              unixtime.Unixtime `json:"exp"`
	Audience               string            `json:"aud,omitempty"`
	ResolveResponsePayload `json:",inline"`
}

ResolveResponse is a type describing the response of a resolve request

func ParseResolveResponse

func ParseResolveResponse(body []byte) (*ResolveResponse, error)

ParseResolveResponse parses a jwt into a ResolveResponse

func (ResolveResponse) MarshalJSON

func (r ResolveResponse) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.

type ResolveResponsePayload

type ResolveResponsePayload struct {
	Metadata   *Metadata              `json:"metadata,omitempty"`
	TrustMarks TrustMarkInfos         `json:"trust_marks,omitempty"`
	TrustChain JWSMessages            `json:"trust_chain,omitempty"`
	Extra      map[string]interface{} `json:"-"`
}

ResolveResponsePayload holds the actual payload of a resolve response

func (ResolveResponsePayload) MarshalJSON

func (r ResolveResponsePayload) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.

func (*ResolveResponsePayload) UnmarshalJSON

func (r *ResolveResponsePayload) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshals additional fields into the Extra claim.

type ResolveResponseSigner

type ResolveResponseSigner struct {
	*GeneralJWTSigner
}

ResolveResponseSigner is a JWTSigner for oidfedconst.JWTTypeResolveResponse

func NewResolveResponseSigner

func NewResolveResponseSigner(key crypto.Signer, alg jwa.SignatureAlgorithm) *ResolveResponseSigner

NewResolveResponseSigner creates a new ResolveResponseSigner

func (ResolveResponseSigner) JWT

func (s ResolveResponseSigner) JWT(i any) (jwt []byte, err error)

JWT implements the JWTSigner interface

type SimpleEntityCollector

type SimpleEntityCollector struct {
	// contains filtered or unexported fields
}

SimpleEntityCollector is an EntityCollector that collects entities in a federation

func (*SimpleEntityCollector) CollectEntities

func (d *SimpleEntityCollector) CollectEntities(req apimodel.EntityCollectionRequest) (entities []*CollectedEntity)

CollectEntities implements the EntityCollector interface

type SimpleOPCollector

type SimpleOPCollector struct{}

SimpleOPCollector is an EntityCollector that uses the SimpleEntityCollector to collect OPs in a federation

func (*SimpleOPCollector) CollectEntities

func (*SimpleOPCollector) CollectEntities(req apimodel.EntityCollectionRequest) (entities []*CollectedEntity)

CollectEntities implements the EntityCollector interface

type SimpleRemoteEntityCollector

type SimpleRemoteEntityCollector struct {
	EntityCollectionEndpoint string
}

SimpleRemoteEntityCollector is an EntityCollector that utilizes a given EntityCollectionEndpoint

func (SimpleRemoteEntityCollector) CollectEntities

CollectEntities queries a remote EntityCollectionEndpoint for the collected entities and implements the EntityCollector interface

type SimpleRemoteMetadataResolver

type SimpleRemoteMetadataResolver struct {
	ResolveEndpoint string
}

SimpleRemoteMetadataResolver is a MetadataResolver that utilizes a given ResolveEndpoint

func (SimpleRemoteMetadataResolver) Resolve

Resolve implements the MetadataResolver interface

func (SimpleRemoteMetadataResolver) ResolvePossible

func (r SimpleRemoteMetadataResolver) ResolvePossible(req apimodel.ResolveRequest) (bool, bool)

ResolvePossible implements the MetadataResolver interface

func (SimpleRemoteMetadataResolver) ResolveResponse

ResolveResponse returns the ResolveResponse from a response endpoint

func (SimpleRemoteMetadataResolver) ResolveResponsePayload

ResolveResponsePayload implements the MetadataResolver interface

type SliceOrSingleValue

type SliceOrSingleValue[T any] []T

SliceOrSingleValue is a type that supports JSON (un)marshaling of a slice where a single value might not be expressed as a slice

func (SliceOrSingleValue[T]) MarshalJSON

func (v SliceOrSingleValue[T]) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (SliceOrSingleValue[T]) MarshalYAML

func (v SliceOrSingleValue[T]) MarshalYAML() (interface{}, error)

MarshalYAML implements the yaml.Marshaler interface

func (*SliceOrSingleValue[T]) UnmarshalJSON

func (v *SliceOrSingleValue[T]) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

func (*SliceOrSingleValue[T]) UnmarshalYAML

func (v *SliceOrSingleValue[T]) UnmarshalYAML(value *yaml.Node) error

UnmarshalYAML implements the yaml.Unmarshaler interface
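As an added example (not code from go-oidfed), a stand-alone re-implementation of the documented SliceOrSingleValue JSON behaviour, applied to a constructed JWT payload whose aud claim is sometimes a bare string and sometimes an array; the claims type and parseAudience helper are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SliceOrSingleValue re-implements the documented behaviour for illustration
// (this is not the go-oidfed code): a JSON array and a bare single value both
// unmarshal into a slice, and marshaling always emits an array.
type SliceOrSingleValue[T any] []T

// UnmarshalJSON accepts either `[v1, v2]` or a bare `v`.
func (v *SliceOrSingleValue[T]) UnmarshalJSON(data []byte) error {
	var many []T
	if err := json.Unmarshal(data, &many); err == nil {
		*v = many
		return nil
	}
	var one T
	if err := json.Unmarshal(data, &one); err != nil {
		return fmt.Errorf("value is neither an array nor a single value: %w", err)
	}
	*v = SliceOrSingleValue[T]{one}
	return nil
}

// MarshalJSON always emits a JSON array, so consumers see one canonical form.
func (v SliceOrSingleValue[T]) MarshalJSON() ([]byte, error) {
	return json.Marshal([]T(v))
}

// claims is a constructed JWT payload (assumption for this example) whose
// "aud" claim may be written either as a string or as an array of strings.
type claims struct {
	Issuer   string                     `json:"iss"`
	Audience SliceOrSingleValue[string] `json:"aud"`
}

// parseAudience returns the audience values regardless of how they were encoded.
func parseAudience(raw string) ([]string, error) {
	var c claims
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		return nil, err
	}
	return []string(c.Audience), nil
}

func main() {
	// Constructed inputs: the same claim set, with aud written both ways.
	for _, raw := range []string{
		`{"iss":"https://ta.example.org","aud":"https://rp.example.org"}`,
		`{"iss":"https://ta.example.org","aud":["https://rp.example.org","https://rp2.example.org"]}`,
	} {
		aud, err := parseAudience(raw)
		fmt.Println(aud, err)
	}
}
```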

type SmartRemoteEntityCollector

type SmartRemoteEntityCollector struct {
	TrustAnchors []string
}

SmartRemoteEntityCollector is an EntityCollector that utilizes remote entity collection endpoints. It iterates through the entity collection endpoints of the given TrustAnchors and stops at the first one that succeeds; if no entity collection endpoint succeeds, the SimpleEntityCollector is used

func (SmartRemoteEntityCollector) CollectEntities

CollectEntities implements the EntityCollector interface

type SmartRemoteMetadataResolver

type SmartRemoteMetadataResolver struct{}

SmartRemoteMetadataResolver is a MetadataResolver that utilizes remote resolve endpoints. It iterates through the resolve endpoints of the given TrustAnchors and stops at the first one that succeeds; if no resolve endpoint succeeds, local resolving is used

func (SmartRemoteMetadataResolver) Resolve

Resolve implements the MetadataResolver interface

func (SmartRemoteMetadataResolver) ResolvePossible

ResolvePossible implements the MetadataResolver interface

func (SmartRemoteMetadataResolver) ResolveResponsePayload

ResolveResponsePayload implements the MetadataResolver interface

type TrustAnchor

type TrustAnchor struct {
	EntityID string    `yaml:"entity_id" json:"entity_id"`
	JWKS     jwks.JWKS `yaml:"jwks" json:"jwks"`
}

TrustAnchor is a type for specifying trust anchors

type TrustAnchors

type TrustAnchors []TrustAnchor

TrustAnchors is a slice of TrustAnchor

func NewTrustAnchorsFromEntityIDs

func NewTrustAnchorsFromEntityIDs(anchorIDs ...string) (anchors TrustAnchors)

NewTrustAnchorsFromEntityIDs returns TrustAnchors for the passed entity ids; this does not set jwks.JWKS

func (TrustAnchors) EntityIDs

func (anchors TrustAnchors) EntityIDs() (entityIDs []string)

EntityIDs returns the entity ids as a []string

type TrustChain

type TrustChain []*EntityStatement

TrustChain is a slice of *EntityStatements

func (TrustChain) ExpiresAt

func (c TrustChain) ExpiresAt() unixtime.Unixtime

ExpiresAt returns the expiration time of the TrustChain as a UNIX time stamp

func (TrustChain) Messages

func (c TrustChain) Messages() (msgs JWSMessages)

Messages returns the jwts of the TrustChain

func (TrustChain) Metadata

func (c TrustChain) Metadata() (*Metadata, error)

Metadata returns the final Metadata for this TrustChain, i.e. the Metadata of the leaf entity with MetadataPolicies of authorities applied to it.

func (TrustChain) PathLen

func (c TrustChain) PathLen() int

PathLen returns the path length of a chain as defined by the spec, i.e. the number of intermediates

type TrustChainChecker

type TrustChainChecker interface {
	Check(TrustChain) bool
}

TrustChainChecker can check a single TrustChain to determine if it should be included or not, i.e. in a TrustChainsFilter

type TrustChainScoringFnc

type TrustChainScoringFnc func(c TrustChain) int

TrustChainScoringFnc is a function type that takes a TrustChain and calculates a score for the chain. This score can then be used to sort TrustChains

type TrustChains

type TrustChains []TrustChain

TrustChains is a slice of multiple TrustChain

func (TrustChains) Filter

func (c TrustChains) Filter(filter ...TrustChainsFilter) TrustChains

Filter filters multiple TrustChains with the passed TrustChainsFilter to a subset

func (TrustChains) SortAsc

func (c TrustChains) SortAsc(scorer TrustChainScoringFnc) TrustChains

SortAsc sorts multiple TrustChains ascending by using the passed TrustChainScoringFnc

func (TrustChains) SortDesc

func (c TrustChains) SortDesc(scorer TrustChainScoringFnc) TrustChains

SortDesc sorts multiple TrustChains descending by using the passed TrustChainScoringFnc

type TrustChainsFilter

type TrustChainsFilter interface {
	Filter(TrustChains) TrustChains
}

TrustChainsFilter filters multiple TrustChains to a subset

var TrustChainsFilterMinPathLength TrustChainsFilter = trustChainsFilterPathLength{/* contains filtered or unexported fields */}

TrustChainsFilterMinPathLength is a TrustChainsFilter that filters TrustChains to the chains with the minimal path length

func NewTrustChainsFilterFromCheckerFnc

func NewTrustChainsFilterFromCheckerFnc(checker func(TrustChain) bool) TrustChainsFilter

NewTrustChainsFilterFromCheckerFnc returns a new TrustChainsFilter from the passed checker function

func NewTrustChainsFilterFromTrustChainChecker

func NewTrustChainsFilterFromTrustChainChecker(f TrustChainChecker) TrustChainsFilter

NewTrustChainsFilterFromTrustChainChecker creates a new TrustChainsFilter from a TrustChainChecker

func TrustChainsFilterMaxPathLength

func TrustChainsFilterMaxPathLength(maxPathLen int) TrustChainsFilter

TrustChainsFilterMaxPathLength returns a TrustChainsFilter that filters TrustChains to only the chains that are not longer than the passed maximum path length.

func TrustChainsFilterTrustAnchor

func TrustChainsFilterTrustAnchor(anchor string) TrustChainsFilter

TrustChainsFilterTrustAnchor returns a TrustChainsFilter for the passed trust anchor entity id. The returned TrustChainsFilter will filter TrustChains to only chains ending with the passed anchor.
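An added example, not go-oidfed code, showing how the filters documented here compose: pin the expected trust anchor, bound the path length, then keep only the shortest chains. trustChain is simplified to the list of statement issuers under an assumed chain layout, and selectChains is an illustrative helper, not a library function.

```go
package main

// trustChain is a simplified stand-in for the TrustChain on this page: only the
// issuer of each entity statement, in chain order. Assumed layout: the leaf's own
// configuration first, one statement per intermediate, the trust anchor's last.
type trustChain []string

// PathLen is the number of intermediates, i.e. every statement except the
// leaf's configuration and the trust anchor's statement.
func (c trustChain) PathLen() int {
	if len(c) < 2 {
		return 0
	}
	return len(c) - 2
}

type trustChains []trustChain

// trustChainsFilter mirrors the interface documented on this page.
type trustChainsFilter interface{ Filter(trustChains) trustChains }

// checkerFilter turns a per-chain predicate into a trustChainsFilter.
type checkerFilter func(trustChain) bool

func (f checkerFilter) Filter(in trustChains) (out trustChains) {
	for _, c := range in {
		if f(c) {
			out = append(out, c)
		}
	}
	return out
}

// filterTrustAnchor keeps only chains ending at the expected anchor, so a chain
// that terminates at an authority the relying party never configured is dropped.
func filterTrustAnchor(anchor string) trustChainsFilter {
	return checkerFilter(func(c trustChain) bool {
		return len(c) > 0 && c[len(c)-1] == anchor
	})
}

// filterMaxPathLength bounds how many intermediates may extend trust.
func filterMaxPathLength(maxPathLen int) trustChainsFilter {
	return checkerFilter(func(c trustChain) bool { return c.PathLen() <= maxPathLen })
}

// filterMinPathLength keeps only the chains with the smallest path length;
// it needs the whole set, so it cannot be expressed as a per-chain predicate.
type filterMinPathLength struct{}

func (filterMinPathLength) Filter(in trustChains) trustChains {
	if len(in) == 0 {
		return nil
	}
	shortest := in[0].PathLen()
	for _, c := range in[1:] {
		if l := c.PathLen(); l < shortest {
			shortest = l
		}
	}
	return filterMaxPathLength(shortest).Filter(in)
}

// selectChains applies the filters in order: pin the anchor, bound the path
// length, then keep only the shortest remaining chains.
func selectChains(cands trustChains, anchor string, maxPathLen int) trustChains {
	for _, f := range []trustChainsFilter{filterTrustAnchor(anchor), filterMaxPathLength(maxPathLen), filterMinPathLength{}} {
		cands = f.Filter(cands)
	}
	return cands
}
```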

type TrustMark

type TrustMark struct {
	Issuer        string                 `json:"iss"`
	Subject       string                 `json:"sub"`
	TrustMarkType string                 `json:"trust_mark_type"`
	IssuedAt      unixtime.Unixtime      `json:"iat"`
	LogoURI       string                 `json:"logo_uri,omitempty"`
	ExpiresAt     *unixtime.Unixtime     `json:"exp,omitempty"`
	Ref           string                 `json:"ref,omitempty"`
	DelegationJWT string                 `json:"delegation,omitempty"`
	Extra         map[string]interface{} `json:"-"`
	// contains filtered or unexported fields
}

TrustMark is a type for holding a trust mark

func ParseTrustMark

func ParseTrustMark(data []byte) (*TrustMark, error)

ParseTrustMark parses a trust mark jwt into a TrustMark

func (*TrustMark) Delegation

func (tm *TrustMark) Delegation() (*DelegationJWT, error)

Delegation returns the DelegationJWT (if any) for this TrustMark

func (TrustMark) MarshalJSON

func (tm TrustMark) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.

func (*TrustMark) UnmarshalJSON

func (tm *TrustMark) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshals additional fields into the Extra claim.

func (*TrustMark) VerifyExternal

func (tm *TrustMark) VerifyExternal(jwks jwks.JWKS, tmo ...TrustMarkOwnerSpec) error

VerifyExternal verifies the TrustMark by using the passed trust mark issuer jwks and optionally the passed trust mark owner jwks

func (*TrustMark) VerifyFederation

func (tm *TrustMark) VerifyFederation(ta *EntityStatementPayload) error

VerifyFederation verifies the TrustMark by using the passed trust anchor

type TrustMarkDelegationSigner

type TrustMarkDelegationSigner struct {
	*GeneralJWTSigner
}

TrustMarkDelegationSigner is a JWTSigner for constants.JWTTypeTrustMarkDelegation

func NewTrustMarkDelegationSigner

func NewTrustMarkDelegationSigner(key crypto.Signer, alg jwa.SignatureAlgorithm) *TrustMarkDelegationSigner

NewTrustMarkDelegationSigner creates a new TrustMarkDelegationSigner

func (TrustMarkDelegationSigner) JWT

func (s TrustMarkDelegationSigner) JWT(i any) (jwt []byte, err error)

JWT implements the JWTSigner interface

type TrustMarkInfo

type TrustMarkInfo struct {
	TrustMarkType string                 `json:"trust_mark_type" yaml:"type"`
	TrustMarkJWT  string                 `json:"trust_mark" yaml:"trust_mark"`
	Extra         map[string]interface{} `json:"-" yaml:"-"`
	// contains filtered or unexported fields
}

TrustMarkInfo is a type for holding a trust mark as represented in an EntityConfiguration

func (TrustMarkInfo) MarshalJSON

func (tm TrustMarkInfo) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.

func (*TrustMarkInfo) TrustMark

func (tm *TrustMarkInfo) TrustMark() (*TrustMark, error)

TrustMark returns the TrustMark for this TrustMarkInfo

func (*TrustMarkInfo) UnmarshalJSON

func (tm *TrustMarkInfo) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshals additional fields into the Extra claim.

func (*TrustMarkInfo) VerifyExternal

func (tm *TrustMarkInfo) VerifyExternal(
	jwks jwks.JWKS,
	tmo ...TrustMarkOwnerSpec,
) error

VerifyExternal verifies the TrustMarkInfo by using the passed trust mark issuer jwks and optionally the passed trust mark owner jwks

func (*TrustMarkInfo) VerifyFederation

func (tm *TrustMarkInfo) VerifyFederation(ta *EntityStatementPayload) error

VerifyFederation verifies the TrustMarkInfo by using the passed trust anchor

type TrustMarkInfos

type TrustMarkInfos []TrustMarkInfo

TrustMarkInfos is a slice of TrustMarkInfo

func (TrustMarkInfos) Find

func (tms TrustMarkInfos) Find(matcher func(info TrustMarkInfo) bool) *TrustMarkInfo

Find uses the passed function to find the first matching TrustMarkInfo

func (TrustMarkInfos) FindByID

func (tms TrustMarkInfos) FindByID(id string) *TrustMarkInfo

FindByID returns the (first) TrustMarkInfo with the passed id

func (TrustMarkInfos) VerifiedExternal

func (tms TrustMarkInfos) VerifiedExternal(
	jwks jwks.JWKS,
	tmo ...TrustMarkOwnerSpec,
) (verified TrustMarkInfos)

VerifiedExternal verifies all TrustMarkInfos by using the passed trust mark issuer jwks and optionally the passed trust mark owner jwks and returns only the valid TrustMarkInfos

func (TrustMarkInfos) VerifiedFederation

func (tms TrustMarkInfos) VerifiedFederation(ta *EntityStatementPayload) (verified TrustMarkInfos)

VerifiedFederation verifies all TrustMarkInfos by using the passed trust anchor and returns only the valid TrustMarkInfos

type TrustMarkIssuer

type TrustMarkIssuer struct {
	EntityID string
	*TrustMarkSigner
	// contains filtered or unexported fields
}

TrustMarkIssuer is an entity that can issue TrustMarkInfo

func NewTrustMarkIssuer

func NewTrustMarkIssuer(
	entityID string, signer *TrustMarkSigner, trustMarkSpecs []TrustMarkSpec,
) *TrustMarkIssuer

NewTrustMarkIssuer creates a new TrustMarkIssuer

func (*TrustMarkIssuer) AddTrustMark

func (tmi *TrustMarkIssuer) AddTrustMark(spec TrustMarkSpec)

AddTrustMark adds a TrustMarkSpec to the TrustMarkIssuer enabling it to issue the TrustMarkInfo

func (TrustMarkIssuer) IssueTrustMark

func (tmi TrustMarkIssuer) IssueTrustMark(trustMarkType, sub string, lifetime ...time.Duration) (
	*TrustMarkInfo, error,
)

IssueTrustMark issues a TrustMarkInfo for the passed trust mark id and subject; optionally a custom lifetime can be passed

func (*TrustMarkIssuer) TrustMarkTypes

func (tmi *TrustMarkIssuer) TrustMarkTypes() []string

TrustMarkTypes returns a slice of the trust mark ids for which this TrustMarkIssuer can issue TrustMarks

type TrustMarkOwner

type TrustMarkOwner struct {
	EntityID string
	*TrustMarkDelegationSigner
	// contains filtered or unexported fields
}

TrustMarkOwner is a type describing the owning entity of a trust mark; it can be used to issue DelegationJWT

func NewTrustMarkOwner

func NewTrustMarkOwner(
	entityID string, signer *TrustMarkDelegationSigner, ownedTrustMarks []OwnedTrustMark,
) *TrustMarkOwner

NewTrustMarkOwner creates a new TrustMarkOwner

func (*TrustMarkOwner) AddTrustMark

func (tmo *TrustMarkOwner) AddTrustMark(spec OwnedTrustMark)

AddTrustMark adds a new OwnedTrustMark to the TrustMarkOwner

func (TrustMarkOwner) DelegationJWT

func (tmo TrustMarkOwner) DelegationJWT(trustMarkType, sub string, lifetime ...time.Duration) ([]byte, error)

DelegationJWT issues a DelegationJWT (as []byte) for the passed trust mark id and subject; optionally a custom lifetime can be passed

type TrustMarkOwnerSpec

type TrustMarkOwnerSpec struct {
	ID   string    `json:"sub" yaml:"entity_id"`
	JWKS jwks.JWKS `json:"jwks" yaml:"jwks"`
}

TrustMarkOwnerSpec describes the owner of a trust mark

func (*TrustMarkOwnerSpec) UnmarshalJSON

func (tmo *TrustMarkOwnerSpec) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface.

func (*TrustMarkOwnerSpec) UnmarshalMsgpack

func (tmo *TrustMarkOwnerSpec) UnmarshalMsgpack(data []byte) error

UnmarshalMsgpack implements the msgpack.Unmarshaler interface.

type TrustMarkOwners

type TrustMarkOwners map[string]TrustMarkOwnerSpec

TrustMarkOwners defines owners for TrustMarks

type TrustMarkSigner

type TrustMarkSigner struct {
	*GeneralJWTSigner
}

TrustMarkSigner is a JWTSigner for oidfedconst.JWTTypeTrustMark

func NewTrustMarkSigner

func NewTrustMarkSigner(key crypto.Signer, alg jwa.SignatureAlgorithm) *TrustMarkSigner

NewTrustMarkSigner creates a new TrustMarkSigner

func (TrustMarkSigner) JWT

func (s TrustMarkSigner) JWT(i any) (jwt []byte, err error)

JWT implements the JWTSigner interface

type TrustMarkSpec

type TrustMarkSpec struct {
	TrustMarkType            string                     `json:"trust_mark_type" yaml:"trust_mark_type"`
	Lifetime                 unixtime.DurationInSeconds `json:"lifetime" yaml:"lifetime"`
	Ref                      string                     `json:"ref" yaml:"ref"`
	LogoURI                  string                     `json:"logo_uri" yaml:"logo_uri"`
	Extra                    map[string]any             `json:"-" yaml:"-"`
	IncludeExtraClaimsInInfo bool                       `json:"include_extra_claims_in_info" yaml:"include_extra_claims_in_info"`
	DelegationJWT            string                     `json:"delegation_jwt" yaml:"delegation_jwt"`
}

TrustMarkSpec describes a TrustMark for a TrustMarkIssuer

func (TrustMarkSpec) MarshalJSON

func (tms TrustMarkSpec) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (TrustMarkSpec) MarshalYAML

func (tms TrustMarkSpec) MarshalYAML() (any, error)

MarshalYAML implements the yaml.Marshaler interface

func (*TrustMarkSpec) UnmarshalJSON

func (tms *TrustMarkSpec) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

func (*TrustMarkSpec) UnmarshalYAML

func (tms *TrustMarkSpec) UnmarshalYAML(data *yaml.Node) error

UnmarshalYAML implements the yaml.Unmarshaler interface

type TrustResolver

type TrustResolver struct {
	TrustAnchors   []TrustAnchor
	StartingEntity string
	Types          []string
	// contains filtered or unexported fields
}

TrustResolver is a type for resolving trust chains from a StartingEntity to one or multiple TrustAnchors

func (TrustResolver) Chains

func (r TrustResolver) Chains() (chains TrustChains)

Chains returns the TrustChains in the internal trust tree

func (*TrustResolver) Resolve

func (r *TrustResolver) Resolve()

Resolve starts the trust chain resolution process, building an internal trust tree

func (*TrustResolver) ResolveToValidChains

func (r *TrustResolver) ResolveToValidChains() TrustChains

ResolveToValidChains starts the trust chain resolution process, building an internal trust tree, verifies the signatures, integrity, expirations, and metadata policies and returns all possible valid TrustChains

func (*TrustResolver) ResolveToValidChainsWithoutVerifyingMetadata

func (r *TrustResolver) ResolveToValidChainsWithoutVerifyingMetadata() TrustChains

ResolveToValidChainsWithoutVerifyingMetadata starts the trust chain resolution process, building an internal trust tree, verifies the signatures, integrity, and expirations (but not the metadata policies), and returns all possible valid TrustChains

func (*TrustResolver) VerifySignatures

func (r *TrustResolver) VerifySignatures()

VerifySignatures verifies the signatures of the internal trust tree

type TypedJWTSigner

type TypedJWTSigner struct {
	*GeneralJWTSigner
	HeaderType string
}

TypedJWTSigner is a JWTSigner for a specific header type

func (TypedJWTSigner) JWT

func (s TypedJWTSigner) JWT(i any) (jwt []byte, err error)

JWT implements the JWTSigner interface

type UIInfo

type UIInfo struct {
	DisplayName    string         `json:"display_name,omitempty"`
	Description    string         `json:"description,omitempty"`
	Keywords       []string       `json:"keywords,omitempty"`
	LogoURI        string         `json:"logo_uri,omitempty"`
	PolicyURI      string         `json:"policy_uri,omitempty"`
	InformationURI string         `json:"information_uri,omitempty"`
	Extra          map[string]any `json:"-"`
}

func (UIInfo) MarshalJSON

func (i UIInfo) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*UIInfo) UnmarshalJSON

func (i *UIInfo) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type VerifiedChainsEntityCollector

type VerifiedChainsEntityCollector struct{}

VerifiedChainsEntityCollector is an EntityCollector that, compared to SimpleEntityCollector, additionally verifies that there is a valid TrustChain between the entity and one of the specified trust anchors

func (VerifiedChainsEntityCollector) CollectEntities

CollectEntities implements the EntityCollector interface

Directories

Path Synopsis
examples
ta Module
jwx
